Importing a Personal Information Exchange (.pfx) file to a Java keystore

Article ID: 184792

Products

Data Loss Prevention Enforce

Issue/Introduction

You have an existing certificate that you want to use to secure communication between your Enforce console and your web browser.

Environment

Symantec Data Loss Prevention (DLP) 15.x

Microsoft Windows Server 2012 R2, Redhat Enterprise Linux 6.x, 7.x

Resolution

You can import your existing .pfx file into a Java keystore file by following these steps.

First, identify the alias under which the private key is stored. The following command lists the keystore entries; the alias is the first field of the PrivateKeyEntry line (masked with # characters in the sample output below):

keytool -list -keystore yourPrivateCertificate.pfx

The output should be similar to the following:

Enter keystore password:
Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry

###########################################################################, Nov 25, 2019, PrivateKeyEntry,

Certificate fingerprint (SHA1): ##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:

Now import the .pfx file into a Java keystore using the following command, replacing the -srcalias value with the alias found in the previous step. Note that the Enforce console is configured to use ".keystore" as the keystore file name and "tomcat" (without the quotes) as the destination alias.

keytool -importkeystore -srckeystore yourPrivateCertificate.pfx -destkeystore .keystore -srcalias 253db30c3ad14553aebb0e5a0a5255d0_e5345748-fe48-42ac-81e7-b48cfb4610dd -destalias tomcat -deststoretype pkcs12 -destkeypass protect

You should be prompted to enter the destination keystore password twice. The Enforce console is configured to use "protect" (without the quotes) as the default keystore password.

Importing keystore yourPrivateCertificate.pfx to .keystore...
Enter destination keystore password:
Re-enter new password:
Enter source keystore password:

You can validate the new .keystore file using the following command:

keytool -list -keystore .keystore -storepass protect

The new .keystore file should contain a PrivateKeyEntry with the alias tomcat:

Enter keystore password:
Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry

tomcat, Nov 25, 2019, PrivateKeyEntry,
Certificate fingerprint (SHA1): ##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:

You should make a backup copy of the original .keystore file in case you want to revert to the original self-signed certificate created as part of the default installation. You should also make a copy of your newly created .keystore file to facilitate recovery.

Copy the .keystore file to its final destination depending on your version of DLP:

DLP 15.0 and above - Windows
C:\Program Files\Symantec\DataLossPrevention\EnforceServer\<version>\Protect\tomcat\conf

DLP 15.0 and above - Linux
/opt/Symantec/DataLossPrevention/DetectionServer/<version>/Protect/tomcat/conf

DLP 14.6 and earlier - Windows
C:\SymantecDLP\Protect\tomcat\conf

DLP 14.6 and earlier - Linux
/opt/SymantecDLP/Protect/tomcat/conf

Important: Check the .keystore file permissions before restarting the Manager service. 

Finally, restart the Symantec DLP Manager service (15.x versions) or Vontu Manager service (14.x and earlier).
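
The checks in this procedure can be scripted. The following is an added example, not part of the original article or of the product: it extracts the private-key alias from keytool -list output, confirms that the new keystore holds a private key under the alias tomcat, and flags a keystore file that other local users can read or write. The function names, the sample listings and the permission threshold are assumptions.

```shell
#!/bin/sh
# Added example, not from the article. Function names and sample data are
# constructed; the listing layout follows the keytool output shown above.

# Print the alias of each PrivateKeyEntry found in `keytool -list` output on
# stdin. The date itself contains a comma, so the alias is everything before
# the ", Mon D, YYYY, PrivateKeyEntry," suffix (English date format assumed).
private_key_aliases() {
    sed -n -E 's/^(.+), [A-Z][a-z]{2} [0-9]{1,2}, [0-9]{4}, PrivateKeyEntry, *$/\1/p'
}

# Succeed only if the listing on stdin has a private key under the alias
# "tomcat", the alias the Enforce console is configured to use.
has_tomcat_key() {
    private_key_aliases | grep -qx 'tomcat'
}

# Succeed if "others" have neither read nor write access to the file.
# Assumption: the article does not state the required mode; this only flags
# a keystore (which holds the private key) that any local user could read.
not_world_accessible() {
    [ -f "$1" ] || return 1
    [ -z "$(find "$1" -prune \( -perm -004 -o -perm -002 \) -print)" ]
}

# Constructed listings: a source .pfx with a generated alias, and the result
# of the import. Fingerprints are masked as in the article.
PFX_LISTING='Your keystore contains 1 entry

0123abcd_example-alias, Nov 25, 2019, PrivateKeyEntry,
Certificate fingerprint (SHA1): ##:##:##'
NEW_LISTING='Your keystore contains 2 entries

tomcat, Nov 25, 2019, PrivateKeyEntry,
example root, ca, Nov 25, 2019, trustedCertEntry,'

echo "source alias: $(printf '%s\n' "$PFX_LISTING" | private_key_aliases)"
if printf '%s\n' "$NEW_LISTING" | has_tomcat_key; then
    echo "destination keystore has a tomcat private key"
fi
# Real use: keytool -list -keystore .keystore | has_tomcat_key
```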