Replacing the Cloud Services Enforce Truststore prior to migration of DLP Cloud Service to Google Cloud Platform

Article ID: 197205

Products

  • Data Loss Prevention Cloud Service for Email
  • Data Loss Prevention Cloud Detection Service
  • Data Loss Prevention Cloud Detection Service for ICAP
  • Data Loss Prevention Cloud Detection Service for REST

Issue/Introduction

As part of a migration of Symantec Information Security products to the Google Cloud Platform, some customers using the DLP Cloud Services need to update the Truststore file for the on-prem Enforce Management Console.

For more information about this migration, please see the Product Advisory on the topic.

Cause

For customers using Enforce versions prior to 15.1 MP1, the existing Truststore will no longer recognize the Cloud Service as having a valid certificate.

Environment

Enforce versions prior to 15.1 MP1, accessing the DLP Cloud Services:

  • Cloud Service for Email
  • Cloud Detection Service (REST + ICAP)

Resolution

  1. Extract the enforce_truststore.jks file from the archive attached to this KB.
  2. Stop the Symantec DLP Detection Server Controller service (in version 15.0 and earlier, this service was named the MonitorController service).
  3. Back up the existing enforce_truststore.jks, and save it to a separate directory on the server.
  4. For version 15.0 or older:
    • On Windows: enforce_truststore.jks is located in C:\SymantecDLP\Protect\keystore
    • On Linux: enforce_truststore.jks is located in /opt/SymantecDLP/Protect/keystore
  5. For 15.1:
    • On Windows: enforce_truststore.jks is located in C:\Program Files\Symantec\Data Loss Prevention\Enforce Server\15.1\Protect\keystore
    • On Linux: enforce_truststore.jks is located in /opt/Symantec/DataLossPrevention/Enforce Server/15.1/Protect/keystore
  6. Replace the enforce_truststore.jks with the file extracted in step 1 above.
  7. Start the Symantec DLP Detection Server Controller service (in version 15.0 and earlier, this service was named the MonitorController service).

Note: The keystore directory also contains another file, similarly named: enforce_keystore.jks.

This file contains the certificate required by Enforce to access the Cloud Service Gateway, and should not be removed or deleted in any of the steps outlined above. If the enforce_keystore.jks file has been deleted or lost, it will be recreated by a restart of the Enforce DetectionServerController service, but the recreated keystore will not contain the original bundle certificate and connectivity from Enforce to the Cloud Service Gateway will not be possible. To restore connectivity at this point, you would need to open a case with Technical Support.

Additional Information

Validating the enforce_truststore.jks contains the expected CA
  1. Go to the corresponding folder containing the Enforce Management server JRE.
  2. Run the following command. Note that the full path to the keystore file must be specified; the keystore directory for each version and OS is listed further below. This example is for Enforce v15.1, installed on a Windows server:
    • keytool -list -keystore "C:\Program Files\Symantec\Data Loss Prevention\Enforce Server\15.1\Protect\keystore\enforce_truststore.jks"
  3. When prompted for a password, please press ENTER.
  4. Multiple entries should be displayed, including a few that mention DigiCert. If DigiCert is listed, the change has been correctly applied. If DigiCert is not listed, redo the steps given in the "Resolution" section of this article.
  5. Alternatively, as per the screenshot below, the command may be launched from within the keystore directory. In this case, it calls upon keytool by specifying its location within the ServerJRE:

Note that the example given in the screenshot above is for DLP 15.5, but the path to the Keytool binary will vary depending on the version of DLP and the OS.

For 15.1:

  • On a Windows installation:
    • The keytool binary is located in \Program Files\Symantec\Data Loss Prevention\ServerJRE\1.8.0_181\bin\
    • The keystore directory is located in \Program Files\Symantec\Data Loss Prevention\EnforceServer\15.1\Protect\keystore\
  • On a default Linux installation:
    • Keytool is located in /opt/Symantec/DataLossPrevention/ServerJRE/1.8.0_181/bin/
    • The keystore directory is located in /opt/Symantec/DataLossPrevention/EnforceServer/15.1/Protect/keystore/

For version 15.0 or older:

  • On a Windows installation:
    • The keytool binary is located in \SymantecDLP\JRE\bin\
    • The keystore directory is located in \SymantecDLP\Protect\keystore\
  • On a default Linux installation:
    • Keytool is located in /opt/SymantecDLP/JRE/bin/
    • The keystore directory is located in /opt/SymantecDLP/Protect/keystore/
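The following POSIX shell helper is an added example, not part of this KB or of the DLP product, that scripts the backup, replacement and keytool validation steps above for a default 15.1 Linux install. The KEYSTORE_DIR and KEYTOOL defaults are the paths listed in this article; the backup directory and the location of the extracted file are assumptions and are passed in as arguments.

```shell
#!/bin/sh
# Assumed defaults for a 15.1 Linux install (paths taken from the KB); override via environment.
KEYSTORE_DIR="${KEYSTORE_DIR:-/opt/Symantec/DataLossPrevention/EnforceServer/15.1/Protect/keystore}"
KEYTOOL="${KEYTOOL:-/opt/Symantec/DataLossPrevention/ServerJRE/1.8.0_181/bin/keytool}"

# Resolution step 3: copy the current truststore to a separate backup directory.
# A timestamp in the name means a repeated run never overwrites an earlier backup.
# Prints the path of the backup copy.
backup_truststore() {
    src="$1"; backup_dir="$2"
    mkdir -p "$backup_dir" || return 1
    dest="$backup_dir/enforce_truststore.jks.$(date +%Y%m%d%H%M%S).bak"
    cp -p "$src" "$dest" && printf '%s\n' "$dest"
}

# Resolution step 6: put the extracted file in place. Only a file actually named
# enforce_truststore.jks is accepted, so enforce_keystore.jks (see the Note above)
# cannot be overwritten by mistake, and the call fails if that file is missing afterwards.
replace_truststore() {
    new_file="$1"; dir="$2"
    [ "$(basename "$new_file")" = "enforce_truststore.jks" ] || { echo "refusing: source is not enforce_truststore.jks" >&2; return 1; }
    cp "$new_file" "$dir/enforce_truststore.jks" || return 1
    [ -f "$dir/enforce_keystore.jks" ] || { echo "enforce_keystore.jks is missing from $dir" >&2; return 1; }
}

# Validation: count the entries mentioning DigiCert in 'keytool -list' output read from stdin.
# Always prints a number (0 when there is no match).
count_digicert_entries() {
    grep -ci 'digicert' || true
}

# Validation: run keytool against the given truststore with an empty password (the KB says to
# press ENTER at the prompt) and succeed only if at least one DigiCert entry is present.
truststore_has_digicert() {
    n=$(printf '\n' | "$KEYTOOL" -list -keystore "$1" 2>/dev/null | count_digicert_entries)
    [ "${n:-0}" -ge 1 ]
}
```

Typical use on the Enforce host, after stopping the Detection Server Controller service: `backup_truststore "$KEYSTORE_DIR/enforce_truststore.jks" /root/truststore-backup`, then `replace_truststore /path/to/extracted/enforce_truststore.jks "$KEYSTORE_DIR"`, then `truststore_has_digicert "$KEYSTORE_DIR/enforce_truststore.jks" && echo OK`.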


Attachments

1597276580807__enforce_truststore.zip