DCS 6.7/6.7 MP1 Replacing Self-Signed Certificates with 2048-bit RSA Versions Guide


Article ID: 178995


Products

Critical System Protection
Data Center Security Monitoring Edition
Data Center Security Server
Data Center Security Server Advanced

Issue/Introduction

 

Resolution

Information:
The commands below contain placeholders that must be replaced before they are run:
[Path to keytool.exe] - full path to the keytool bundled with the DCS Management Server JRE (default: C:\Program Files (x86)\Symantec\Data Center Security Server\Server\jre\bin\keytool.exe)
[DCSServer_Host_FQDN] - fully qualified domain name of the DCS Management Server
[DCS_Server_IP] - IP address of the DCS Management Server
[KeystorePass] - the 40-character keystorePass value taken from server.xml (section 1, step 1). This is the keystore password itself, not a hash, so treat it as a secret.

 

1) Backing up existing certificate files

1) Open server.xml (%\Program Files (x86)\Symantec\Data Center Security Server\Server\tomcat\conf) in a text editor, find the "keystorePass=" attribute and copy the 40-character value that follows it. This value is [KeystorePass] in every command below.
    Example: keystorePass=4LpqWf8LjrLx7x0fx4Bj5r1C9slak43Jp0Wttx3o

2) Stop the following services:
    Symantec Data Center Security Server Manager service
    Symantec UMC Credential Service
    Symantec UMC Telemetry Service

3) Copy the cacerts file located in "%\Program Files (x86)\Symantec\Data Center Security Server\Server\jre\lib\security\" into a temp folder (e.g. C:\temp\), and make a backup of it elsewhere.

4) Backup the following files/folders:
    a) "%\Program Files (x86)\Symantec\Data Center Security Server\Server\umc\ssl\umcCA\certs" folder
    b) All .ssl files located in "%\Program Files (x86)\Symantec\Data Center Security Server\Server\" folder
 

2) Generate new rootkey in cacerts

1) Navigate to the temp folder created above in an Administrator-privileged command prompt

2) Remove old rootkey from CACerts:
"[Path to keytool.exe]" -delete -keystore cacerts -alias rootkey -storepass [KeystorePass]

3) Create the rootkey.ssl file:
"[Path to keytool.exe]" -genkeypair -alias rootkey -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -validity 9165 -dname "CN=[DCSServer_Host_FQDN],OU=SDCS,O=Symantec,L=Mountain View,S=CA,C=US" -ext "SAN=DNS:[DCSServer_Host_FQDN],IP:[DCS_Server_IP]" -keystore "rootkey.ssl" -keypass [KeystorePass] -storetype PKCS12 -storepass [KeystorePass]

4) Create the rootkey.csr file
"[Path to keytool.exe]" -certreq -alias rootkey -sigalg SHA256withRSA -dname "CN=[DCSServer_Host_FQDN],OU=SDCS,O=Symantec,L=Mountain View,S=CA,C=US" -ext "SAN=DNS:[DCSServer_Host_FQDN],IP:[DCS_Server_IP]" -file "rootkey.csr" -keystore "rootkey.ssl" -keypass [KeystorePass] -storetype PKCS12 -storepass [KeystorePass]

5) Create the rootkey.cer (self-signed with the rootkey pair). The -dname must be identical to the one used in step 3, including the order of the fields, so that the Owner and Issuer of the resulting root certificate match:
"[Path to keytool.exe]" -gencert -alias rootkey -sigalg SHA256withRSA -dname "CN=[DCSServer_Host_FQDN],OU=SDCS,O=Symantec,L=Mountain View,S=CA,C=US" -ext "SAN=DNS:[DCSServer_Host_FQDN],IP:[DCS_Server_IP]" -infile "rootkey.csr" -outfile "rootkey.cer" -validity 9165 -rfc -keystore "rootkey.ssl" -keypass [KeystorePass] -storetype PKCS12 -storepass [KeystorePass]

6) Import the rootkey.cer into the rootkey.ssl keystore:
"[Path to keytool.exe]" -importcert -trustcacerts -noprompt -alias rootkey -file "rootkey.cer" -keystore "rootkey.ssl" -keypass [KeystorePass] -storetype PKCS12 -storepass [KeystorePass]

7) Import rootkey into cacerts
"[Path to keytool.exe]" -importcert -trustcacerts -noprompt -alias rootkey -file "rootkey.cer" -keystore "cacerts" -keypass [KeystorePass] -storepass [KeystorePass]

8) Move & replace rootkey.cer into UMC certs folder, and delete the rootkey.csr file.
    "%\Program Files (x86)\Symantec\Data Center Security Server\Server\umc\ssl\umcCA\certs"

9) Move & replace rootkey.ssl into the DCS Server folder.
    "%\Program Files (x86)\Symantec\Data Center Security Server\Server\"
    
10) Leave the cacerts file in the temp folder, and continue to next steps.
 

3) Generate the UMC certificate files

1) Create the umcserver.ssl keystore file:
"[Path to keytool.exe]" -genkeypair -alias umcserver -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -validity 9165 -dname "CN=[DCSServer_Host_FQDN],OU=SDCS_Unified_Management_Console,O=Symantec,L=Mountain View,S=CA,C=US" -ext "SAN=DNS:[DCSServer_Host_FQDN],IP:[DCS_Server_IP]" -keystore "umcserver.ssl" -keypass [KeystorePass] -storetype PKCS12 -storepass [KeystorePass]
    
2) Create the umcserver.csr file:
"[Path to keytool.exe]" -certreq -alias umcserver -sigalg SHA256withRSA -dname "CN=[DCSServer_Host_FQDN],OU=SDCS_Unified_Management_Console,O=Symantec,L=Mountain View,S=CA,C=US" -ext "SAN=DNS:[DCSServer_Host_FQDN],IP:[DCS_Server_IP]" -file "umcserver.csr" -keystore "umcserver.ssl" -keypass [KeystorePass] -storetype PKCS12 -storepass [KeystorePass]

3) Create the umcserver_signed.cer file:
"[Path to keytool.exe]" -gencert -alias umcserver -sigalg SHA256withRSA -dname "CN=[DCSServer_Host_FQDN],OU=SDCS_Unified_Management_Console,O=Symantec,L=Mountain View,S=CA,C=US" -ext "SAN=DNS:[DCSServer_Host_FQDN],IP:[DCS_Server_IP]" -infile "umcserver.csr" -outfile "umcserver_signed.cer" -validity 9165 -rfc -keystore "umcserver.ssl" -keypass [KeystorePass] -storetype PKCS12 -storepass [KeystorePass]

4) Import the umcserver_signed.cer into the umcserver.ssl keystore:
"[Path to keytool.exe]" -importcert -trustcacerts -noprompt -alias umcserver -file "umcserver_signed.cer" -keystore "umcserver.ssl" -keypass [KeystorePass] -storetype PKCS12 -storepass [KeystorePass]

5) Import the umcserver certificate information into the cacerts keystore:
"[Path to keytool.exe]" -importcert -trustcacerts -noprompt -alias umcserver -file "umcserver_signed.cer" -keystore "cacerts" -keypass [KeystorePass] -storepass [KeystorePass]

6) Copy & replace umcserver.ssl into the DCS Server folder
    "%\Program Files (x86)\Symantec\Data Center Security Server\Server\"

7) Move & replace umcserver.csr, umcserver_signed.cer and umcserver.ssl into UMC certs folder
    "%\Program Files (x86)\Symantec\Data Center Security Server\Server\umc\ssl\umcCA\certs"

8) Leave the cacerts file in the temp folder, and continue to next steps.
 

4) Generate Management Server certificate files

1) Create the sss.ssl keystore file:
"[Path to keytool.exe]" -genkeypair -alias sss -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -validity 9165 -dname "CN=[DCSServer_Host_FQDN],OU=SDCS_Unified_Management_Console,O=Symantec,L=Mountain View,S=CA,C=US" -ext "SAN=DNS:[DCSServer_Host_FQDN],IP:[DCS_Server_IP]" -ext bc:c -keystore "sss.ssl" -keypass [KeystorePass] -storetype PKCS12 -storepass [KeystorePass]

2) Create the sss.cer file:
"[Path to keytool.exe]" -exportcert -alias sss -file "sss.cer" -keystore "sss.ssl" -keypass [KeystorePass] -storetype PKCS12 -storepass [KeystorePass]

3) Import the sss.cer into the cacerts store:
"[Path to keytool.exe]" -importcert -trustcacerts -noprompt -alias sss -file "sss.cer" -keystore "cacerts" -keypass [KeystorePass] -storetype JKS -storepass [KeystorePass]

4) Move & replace sss.cer, and sss.ssl into the DCS Server folder.
    "%\Program Files (x86)\Symantec\Data Center Security Server\Server\"

5) Move & replace the cacerts file back into the \Server\jre\lib\security\ folder
    "%\Program Files (x86)\Symantec\Data Center Security Server\Server\jre\lib\security\"
 

5) Generate Agent to Manager certificate files

1) Create the server-cert.ssl file:
"[Path to keytool.exe]" -genkeypair -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -validity 9165 -dname "CN=[DCSServer_Host_FQDN],OU=SDCSS_Management_Server" -ext "SAN=DNS:[DCSServer_Host_FQDN],IP:[DCS_Server_IP]" -keystore "server-cert.ssl" -storetype PKCS12 -alias "sss" -keypass [KeystorePass] -storepass [KeystorePass]

2) Create server-console-cert.ssl file:
"[Path to keytool.exe]" -genkeypair -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -validity 9165 -dname "CN=[DCSServer_Host_FQDN],OU=SDCSS_Management_Server" -ext "SAN=DNS:[DCSServer_Host_FQDN],IP:[DCS_Server_IP]" -keystore "server-console-cert.ssl" -storetype PKCS12 -alias "sss" -keypass [KeystorePass] -storepass [KeystorePass]

3) Create the agent-cert.ssl file:
"[Path to keytool.exe]" -export -alias "sss" -rfc -storetype PKCS12 -keystore "server-cert.ssl" -storepass [KeystorePass] -file "agent-cert.ssl"

4) Move & replace server-cert.ssl, server-console-cert.ssl and agent-cert.ssl into the DCS Server folder
    "%\Program Files (x86)\Symantec\Data Center Security Server\Server\"
    
5) Copy agent-cert.ssl to each agent system and run the following command there:
sisipsconfig -c [path to agent cert]

6) Start the following services:
    Symantec Data Center Security Server Manager service
    Symantec UMC Credential Service
    Symantec UMC Telemetry Service
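Before moving on to section 6, check what the keytool steps above actually produced. The following Python script is an added example, not part of this article or of the DCS product: it pulls [KeystorePass] out of server.xml the same way section 1 step 1 does by hand, parses the output of "[Path to keytool.exe]" -list -v for a keystore, and reports every alias whose key is shorter than 2048 bits, whose signature algorithm is not SHA-2 with RSA, whose SAN does not carry the server FQDN and IP, or (for aliases expected to be self-signed) whose Owner and Issuer differ. The server.xml fragment and the keytool output embedded in it are constructed samples; dcs.example.com and 10.20.30.40 stand in for [DCSServer_Host_FQDN] and [DCS_Server_IP]; the output field names it looks for (for example "Subject Public Key Algorithm: 2048-bit RSA key") are those printed by a Java 8 keytool and are an assumption about the JRE bundled with DCS.

```python
"""Added verification helper (not part of the original article or the DCS product): parse
`keytool -list -v` output and flag entries that are not 2048-bit RSA / SHA-2 / SAN-bearing."""
import re
import xml.etree.ElementTree as ET

ALLOWED_SIG_ALGS = {"SHA256withRSA", "SHA384withRSA", "SHA512withRSA"}
MIN_RSA_BITS = 2048
FIELDS = {"Owner": "owner", "Issuer": "issuer", "Signature algorithm name": "sig_alg"}

# Constructed sample of the relevant part of a Tomcat server.xml (section 1, step 1).
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina">
<Connector port="4443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true"
 keystorePass="4LpqWf8LjrLx7x0fx4Bj5r1C9slak43Jp0Wttx3o"/></Service></Server>"""

# Constructed `keytool -list -v` output (Java 8 field names assumed): one compliant entry,
# one legacy 1024-bit/SHA1 entry without a SAN.
SAMPLE_KEYTOOL_LIST = """\
Keystore type: PKCS12

Alias name: rootkey
Entry type: PrivateKeyEntry
Certificate[1]:
Owner: CN=dcs.example.com, OU=SDCS, O=Symantec, L=Mountain View, ST=CA, C=US
Issuer: CN=dcs.example.com, OU=SDCS, O=Symantec, L=Mountain View, ST=CA, C=US
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key

#1: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: dcs.example.com
  IPAddress: 10.20.30.40
]

*******************************************
*******************************************

Alias name: legacy
Certificate[1]:
Owner: CN=dcs.example.com, OU=SDCS, O=Symantec, C=US
Issuer: CN=dcs.example.com, OU=SDCS, O=Symantec, C=US
Signature algorithm name: SHA1withRSA
Subject Public Key Algorithm: 1024-bit RSA key
"""


def read_keystore_pass(server_xml_text):
    """Return the single keystorePass attribute from a server.xml document."""
    values = {el.get("keystorePass") for el in ET.fromstring(server_xml_text).iter()
              if el.get("keystorePass")}
    if len(values) != 1:
        raise ValueError("expected exactly one keystorePass, found %d" % len(values))
    return values.pop()


def parse_keytool_list(text):
    """One dict per alias, read from Certificate[1] only (chain certs are skipped)."""
    entries, entry, cert_idx = [], None, 1
    for raw in text.splitlines():
        key, _, value = raw.strip().partition(":")
        value = value.strip()
        if key == "Alias name":
            entry = {"alias": value, "owner": None, "issuer": None, "sig_alg": None,
                     "key_bits": None, "san": []}
            entries.append(entry)
            cert_idx = 1
        elif entry is None:
            continue
        elif re.fullmatch(r"Certificate\[\d+\]", key):
            cert_idx = int(key[12:-1])
        elif cert_idx != 1:
            continue  # only the entry's own certificate is checked
        elif key in FIELDS:
            entry[FIELDS[key]] = value
        elif key == "Subject Public Key Algorithm":
            m = re.match(r"(\d+)-bit", value)
            entry["key_bits"] = int(m.group(1)) if m else None
        elif key in ("DNSName", "IPAddress"):
            entry["san"].append(value)
    return entries


def check_entry(entry, fqdn, ip, expect_self_signed=False):
    """List the ways an entry falls short of the target; an empty list means compliant."""
    problems = []
    if not entry["key_bits"] or entry["key_bits"] < MIN_RSA_BITS:
        problems.append("key is %s-bit, expected >= %d" % (entry["key_bits"], MIN_RSA_BITS))
    if entry["sig_alg"] not in ALLOWED_SIG_ALGS:
        problems.append("signature algorithm %s is not SHA-2 with RSA" % entry["sig_alg"])
    for name in (fqdn, ip):
        if name not in entry["san"]:
            problems.append("SAN lacks %s" % name)
    if expect_self_signed and entry["owner"] != entry["issuer"]:
        problems.append("Owner and Issuer differ; expected a self-signed certificate")
    return problems


def verify_keystore_text(text, fqdn, ip, self_signed_aliases=()):
    """Map alias -> problems for every entry in captured keytool output."""
    return {e["alias"]: check_entry(e, fqdn, ip, e["alias"] in self_signed_aliases)
            for e in parse_keytool_list(text)}
```

To check a real keystore, capture "[Path to keytool.exe]" -list -v -keystore rootkey.ssl -storetype PKCS12 -storepass [KeystorePass] (use -storetype JKS for cacerts) to a text file and pass its contents to verify_keystore_text with the FQDN and IP used in the -dname/-ext options; every alias created in sections 2 to 5 is self-signed, so list them all in self_signed_aliases. An Owner/Issuer mismatch on rootkey means the -dname strings in section 2 steps 3 and 5 were not identical.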


6) Accept new certificates

1) Log in to the UMC web server. Export and import the new certificate (http://www.symantec.com/docs/HOWTO124635).

2) Navigate to https://[DCS_Server_IP]:4443/sis-ui/api/
-Export and import the certificate for the API page as well.

3) Close the browser completely and log into the UMC, verify all connections to DCS work.

--If the above doesn't work, try an alternate browser; support recommends Google Chrome.