Do not use OpenSSL to create a truststore with the Data Loss Prevention REST Appliance

Article ID: 184776

Products

Data Loss Prevention API Detection for Developer Apps Virtual Appliance

Issue/Introduction

There is an issue with PKCS12 truststores on the REST Appliance. When an appliance is configured with a truststore that was created in PKCS12 format using OpenSSL, the appliance fails silently: the REST Appliance detection service does not fully initialize and remains stuck in a waiting state, so every detection request sent to the appliance fails because the detection service is not actually running. When the appliance fails, an error is shown in Enforce system events and on the REST Appliance.

Note: 

  • This issue is specific to PKCS12 truststores created using OpenSSL. There is no issue with keystores in any format created using OpenSSL or the Java KeyTool.
  • The truststore configuration currently applies only to REST Appliances; it does not apply to SMTP or ICAP appliances. The truststore configuration on a REST Appliance is optional, so you will only encounter this issue when you configure a truststore. If the appliance is configured with a keystore only, there is no issue.

Resolution

Do not use OpenSSL to create a truststore with the Symantec Data Loss Prevention REST Appliance
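As an added example that is not part of this article, the following script builds a PKCS12 truststore with the Java keytool instead of `openssl pkcs12 -export`, then lists the store so you can confirm it holds only trustedCertEntry items before configuring it on the appliance. It assumes a JDK `keytool` on PATH; the self-signed test CA, aliases, passwords and paths are constructed placeholders, and the article itself does not name keytool as the supported tool for truststores, so treat that choice as an assumption.

```shell
#!/bin/sh
# Added example, not from the KB article. Build the REST Appliance truststore
# with the Java keytool instead of `openssl pkcs12 -export`, then check what
# the store actually contains. All paths, aliases and passwords are placeholders.
set -eu

# Create a PKCS12 truststore holding the given PEM CA certificates.
# $1 = truststore path, $2 = store password, $3.. = PEM files to trust.
build_truststore() {
  out=$1; pass=$2; shift 2
  rm -f "$out"                     # start clean; never append to an old store
  for ca in "$@"; do
    alias=$(basename "$ca" .pem)   # one alias per CA file
    keytool -importcert -noprompt -alias "$alias" -file "$ca" \
      -keystore "$out" -storetype PKCS12 -storepass "$pass" >/dev/null
  done
}

# Count trustedCertEntry items in a PKCS12 store. A truststore for the appliance
# should report only these; PrivateKeyEntry items belong in the keystore.
count_trusted_entries() {
  keytool -list -keystore "$1" -storetype PKCS12 -storepass "$2" 2>/dev/null \
    | grep -c 'trustedCertEntry' || true
}

# Constructed self-signed test CA so the example runs offline:
# $1 = PEM output, $2 = scratch keystore for the CA key, $3 = password.
make_test_ca() {
  pem=$1; ks=$2; pass=$3
  rm -f "$ks"
  keytool -genkeypair -alias testca -keyalg RSA -keysize 2048 \
    -dname "CN=Constructed Test CA, O=Example" -validity 30 -ext BC:c \
    -keystore "$ks" -storetype PKCS12 -storepass "$pass" -keypass "$pass" >/dev/null
  keytool -exportcert -rfc -alias testca -keystore "$ks" -storetype PKCS12 \
    -storepass "$pass" -file "$pem" >/dev/null
}

main() {
  work=$(mktemp -d)
  make_test_ca "$work/testca.pem" "$work/ca.p12" changeit
  build_truststore "$work/truststore.p12" changeit "$work/testca.pem"
  echo "trusted entries in truststore.p12: $(count_trusted_entries "$work/truststore.p12" changeit)"
  echo "trusted entries in ca.p12 (a keystore): $(count_trusted_entries "$work/ca.p12" changeit)"
  rm -rf "$work"
}

if command -v keytool >/dev/null 2>&1; then
  main
else
  echo "keytool (JDK) not on PATH; nothing built" >&2
fi
```

For a production truststore, pass the real CA PEM files to `build_truststore` in place of the constructed test CA and keep the resulting `.p12` as the appliance's truststore, separate from its keystore.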