Add Certificate Chain to Endpoint Protection Manager

book

Article ID: 178864

calendar_today

Updated On:

Products

Endpoint Protection

Issue/Introduction

 

Resolution

This document describes the process of manually importing the certificates necessary for a Symantec Endpoint Protection Manager (SEPM) to present the entire chain of trust for its TLS certificate to both Symantec Endpoint Protection (SEP) clients, the local and remote Java consoles, and Web console.

NOTE: This process is not supported, and customers should follow it at their own risk. The steps are written assuming that the reader understands how PKI works, and is familiar with the kinds of files and formats certificates and keys are normally found in. Before following this procedure, ensure you understand the concept of a Public Key infrastructure, and have already obtained a valid certificate from a Certificate Authority (CA) whose root certificate is included in the Windows Trusted Root Certification Authorities.

Import the certificate into SEPM site via the Manage Server Certificate Wizard

Import the certificate provided by your CA using the steps in http://www.symantec.com/docs/HOWTO81146.

Copy the certificate chain to the SEPM install folder

Your CA should provide you with a chain certificate in Privacy Enhanced Mail (PEM) format. This file will contain 1 or more Base64 encoded certificates one for each link in the chain of trust between your SEPM certificate, and the Root CA. If you did not obtain a copy of your CAs chain certificate, contact your CA for assistance in generating this file.

Rename your CA certificate chain file to server-ca.crt and copy it to C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\apache\conf\ssl.

Add the certificate chain into Apache

Reporting Page

  1. Create a copy of C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\apache\conf\ssl\ssl.conf and open the original in a text editor.
  2. Remove the comment tag (#) from the beginning of the following line:
    #SSLCertificateChainFile "conf/ssl/server-ca.crt"
     
  3. Save ssl.conf.

Client-server Communications (SECARS) Page

  1. Create a copy of C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\apache\conf\ssl\sslForClients.conf and open the original in a text editor.
  2. Find the line that reads SSLCertificateFile "conf/ssl/server.crt"
  3. Add the following line below:
    SSLCertificateChainFile "conf/ssl/server-ca.crt"
     
  4. Save sslForClients.conf and restart the Symantec Endpoint Protection Manager Webserver service.

Add the certificate chain into Tomcat

  1. Create a copy of C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\conf\server.xml and open the original in a text editor.
  2. Add an SSLCertificateChainFile reference to the chain certificate on the Server <Connector> tag.
    For example:​

    <!-- Server -->
        SSLCertificateFile="C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\..\apache\conf\ssl\server.crt" SSLCertificateKeyFile="C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\..\apache\conf\ssl\server.key" SSLCipherSuite="HIGH:!MEDIUM:!LOW:!aNULL:!eNULL:!3DES:!RC4" SSLEnabled="true" SSLHonorCipherOrder="true" SSLProtocol="TLSv1.2" Server="SEPM" acceptCount="100" allowTrace="false" allowUnsafeLegacyRenegotiation="false" disableUploadTimeout="true" enableLookups="false" keystoreFile="C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\etc\keystore.jks" keystorePass="4346a6d61be046d7776f282641f8d014ce1ec7d3fe1a79bd2137de9a3f82bb33" maxHeaderCount="100" maxParameterCount="1000" maxPostSize="2097152" maxSavePostSize="4096" port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol" scheme="https" secure="true" useBodyEncodingForURI="true" xpoweredBy="false"/>

    To:
    <!-- Server -->
        <Connector SSLCertificateChainFile="C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\..\apache\conf\ssl\server-ca.crt" SSLCertificateFile="C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\..\apache\conf\ssl\server.crt" SSLCertificateKeyFile="C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\..\apache\conf\ssl\server.key" SSLCipherSuite="HIGH:!MEDIUM:!LOW:!aNULL:!eNULL:!3DES:!RC4" SSLEnabled="true" SSLHonorCipherOrder="true" SSLProtocol="TLSv1.2" Server="SEPM" acceptCount="100" allowTrace="false" allowUnsafeLegacyRenegotiation="false" disableUploadTimeout="true" enableLookups="false" keystoreFile="C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\etc\keystore.jks" keystorePass="4346a6d61be046d7776f282641f8d014ce1ec7d3fe1a79bd2137de9a3f82bb33" maxHeaderCount="100" maxParameterCount="1000" maxPostSize="2097152" maxSavePostSize="4096" port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol" scheme="https" secure="true" useBodyEncodingForURI="true" xpoweredBy="false"/>

  3. Save server.xml and restart the Symantec Endpoint Protection Manager Service.
  4. Create a copy of C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\instances\sepm-api\conf\server.xml and open the original in a text editor.

  5. Add an SSLCertificateChainFile reference to the chain certificate on the WebService <Connector> tag.
    For example:​

    <Service name="WebService">
        <Connector SSLCertificateFile="C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\..\apache\conf\ssl\server.crt" SSLCertificateKeyFile="C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\..\apache\conf\ssl\server.key" SSLCipherSuite="HIGH:!MEDIUM:!LOW:!aNULL:!eNULL:!3DES:!RC4" SSLEnabled="true" SSLHonorCipherOrder="true" SSLProtocol="TLSv1.2" Server="SEPM" acceptCount="100" allowTrace="false" allowUnsafeLegacyRenegotiation="false" clientAuth="want" disableUploadTimeout="true" enableLookups="false" keystoreFile="C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\etc\keystore.jks" keystorePass="4346a6d61be046d7776f282641f8d014ce1ec7d3fe1a79bd2137de9a3f82bb33" maxHeaderCount="100" maxParameterCount="1000" maxPostSize="2097152" maxSavePostSize="4096" port="8446" protocol="org.apache.coyote.http11.Http11AprProtocol" scheme="https" secure="true" useBodyEncodingForURI="true" xpoweredBy="false"/>

    To:
    <Service name="WebService">
        <Connector SSLCertificateChainFile="C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\..\apache\conf\ssl\server-ca.crt" SSLCertificateFile="C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\..\apache\conf\ssl\server.crt" SSLCertificateKeyFile="C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\..\apache\conf\ssl\server.key" SSLCipherSuite="HIGH:!MEDIUM:!LOW:!aNULL:!eNULL:!3DES:!RC4" SSLEnabled="true" SSLHonorCipherOrder="true" SSLProtocol="TLSv1.2" Server="SEPM" acceptCount="100" allowTrace="false" allowUnsafeLegacyRenegotiation="false" clientAuth="want" disableUploadTimeout="true" enableLookups="false" keystoreFile="C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\etc\keystore.jks" keystorePass="4346a6d61be046d7776f282641f8d014ce1ec7d3fe1a79bd2137de9a3f82bb33" maxHeaderCount="100" maxParameterCount="1000" maxPostSize="2097152" maxSavePostSize="4096" port="8446" protocol="org.apache.coyote.http11.Http11AprProtocol" scheme="https" secure="true" useBodyEncodingForURI="true" xpoweredBy="false"/>

  6. Save server.xml and restart the Symantec Endpoint Protection Manager API Service.

Note: In 12.1 there is only one instance of Tomcat so these connectors are combined into a single server.xml located in tomcat/conf.  

Additional Information

REFERENCE ID : : 3237594