How to upgrade JRE (Java Runtime Environment) on DLP 15.5/15.7

Article ID: 207478

Products

Data Loss Prevention

Issue/Introduction

You need to upgrade the JRE version on DLP Enforce and Detection servers.

Cause

Older versions of Java are out-of-date or have reported vulnerabilities.

Environment

DLP 15.5 and above.

Enforce/Detection servers.

Resolution

1. Check the supported JRE

Check that the JRE you intend to install is supported. For example, for release 15.7, check the updates to Symantec Data Loss Prevention system requirements for OpenJRE.

2. Download and install JRE

Download the relevant version of JRE from AdoptOpenJDK. For example:

Windows

OpenJRE 8 262

OpenJRE 8 275

As local administrator, run the MSI file to install the JRE to its default location. For example, C:\Program Files\AdoptOpenJDK\jre-8.0.275.1-hotspot.

Linux

OpenJRE 8 262

3. Obtain and install the JRE Migration Utility

Windows

In order to install the JRE in a Windows environment you will need the ServerJREMigrationUtility.exe utility which is in the JREMigrationUtility.zip file.

JREMigrationUtility.zip is contained within the DLP Platform zip file. Broadcom recommends that you download the latest DLP Platform zip file to obtain it. For example, within Symantec_DLP_15.8_Platform_Win-IN_15.8.00000.19012.zip it is in the DLP\15.8\Tools folder.

To install the utility:

  • As a local administrator, create a directory called C:\JREMigrationUtility.
  • Move the JREMigrationUtility.zip file to the C:\JREMigrationUtility directory.
  • Unzip the JREMigrationUtility.zip file. Subdirectories called Migrator and install are created.

Linux

In order to install the JRE in a Linux environment you will need the ServerJREMigrationUtility utility which is in the JREMigrationUtility.zip file.

JREMigrationUtility.zip is contained within the DLP Platform zip file. Broadcom recommends that you download the latest DLP Platform zip file to obtain it. For example, within the Symantec_DLP_15.8_Platform_Lin-IN_15.8.00000.19012.zip it is in the DLP\15.8\Tools folder.

To install the utility:

  • As root, create a directory called /JREMigrationUtility.
  • Move the JREMigrationUtility.zip file to the /JREMigrationUtility directory.
  • Unzip the JREMigrationUtility.zip file. Subdirectories called Migrator and install are created.

4. Allow DLP Agents to connect to Endpoint Detection Servers

Note that the information below is also contained in the Installing the OpenJRE and Updating the JRE sections of the DLP 15.7 Upgrade Guide for Windows and the DLP 15.7 Upgrade Guide for Linux.

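Complete the following steps for Endpoint Detection Servers; otherwise, Endpoint Agents will not be able to connect to the Endpoint Detection Server once you have updated the JRE. The property added below, jdk.security.allowNonCaAnchor, restores the earlier JRE behavior of accepting a trust anchor certificate that is not a CA certificate: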

  • In the Enforce console, go to System / Servers and Detectors / Overview.
  • Click on the name of a Detection server to open the Server / Detector Detail page.
  • Click the Server Settings button.
  • Locate the BoxMonitor.EndpointServerMemory setting and append a space followed by the following string:
    -Djdk.security.allowNonCaAnchor=true
  • Save your changes.
  • Restart the Endpoint Detection Server.

5. Update the server with the new JRE

Windows

Open a command prompt as a local administrator and change to the directory containing ServerJREMigrationUtility.exe. For example:

c:
cd \JREMigrationUtility\Migrator

Run the following command to update silently:

ServerJREMigrationUtility -silent -sourceVersion=<DLP version to be updated> -jreDirectory=<path to JRE folder>

For example:

ServerJREMigrationUtility -silent -sourceVersion=15.7 -jreDirectory="C:\Program Files\AdoptOpenJDK\jre-8.0.275.1-hotspot"

Alternatively, run the following command to update interactively. You will be prompted for the DLP version:

ServerJREMigrationUtility -jreDirectory=<path to JRE folder>

For example:

ServerJREMigrationUtility -jreDirectory="C:\Program Files\AdoptOpenJDK\jre-8.0.275.1-hotspot"

Check the MigrationUtility.log file.


Linux

As root, change to the directory containing ServerJREMigrationUtility. For example:

cd /JREMigrationUtility/Migrator

Run the following command to update silently:

./ServerJREMigrationUtility -silent -sourceVersion=<DLP version to be updated> -jreDirectory=<path to JRE folder>

For example:

./ServerJREMigrationUtility -silent -sourceVersion=15.7 -jreDirectory=/usr/lib/jvm/adoptopenjdk-8-hotspot-jre

Alternatively, run the following command to update interactively. You will be prompted for the DLP version:

./ServerJREMigrationUtility -jreDirectory=<path to JRE folder>

For example:

./ServerJREMigrationUtility -jreDirectory=/usr/lib/jvm/adoptopenjdk-8-hotspot-jre

Check the MigrationUtility.log file.

6. Check Active Directory connectivity

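As described in the DLP 15.7 Upgrade Guide for Windows and the DLP 15.7 Upgrade Guide for Linux, updating the JRE may cause SSL connections to Active Directory to fail. If this occurs, add the following key to the SymantecDLPManager.conf file, then restart the Enforce Server. The key sets a JVM property that turns off the endpoint identification (host name check against the server certificate) that the JRE performs on LDAPS connections: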

wrapper.java.additional.30 =-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true
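
Before adding the key from step 6, it helps to confirm that index 30 is not already in use and to record which certificate-check relaxations are active. The following is an added example, not part of the original article or of the DLP product; it assumes the file uses the wrapper.java.additional.N = value syntax shown above, and the sample file contents are constructed.

```python
import re

# JVM properties this article adds; each one relaxes a certificate check.
RELAXATIONS = {
    "jdk.security.allowNonCaAnchor": "true",
    "com.sun.jndi.ldap.object.disableEndpointIdentification": "true",
}
ENTRY = re.compile(r"^\s*wrapper\.java\.additional\.(\d+)\s*=\s*(.*?)\s*$")
JVM_PROP = re.compile(r"-D([^=\s]+)=(\S+)")

# Constructed sample, not a real SymantecDLPManager.conf.
SAMPLE_CONF = """\
# constructed sample
wrapper.java.additional.28 = -Dfile.encoding=UTF-8
wrapper.java.additional.29 = -Djava.awt.headless=true
wrapper.java.additional.30 = -Dexample.existing.setting=1
wrapper.java.additional.30 =-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true
#wrapper.java.additional.31 = -Djdk.security.allowNonCaAnchor=true
"""

def audit_wrapper_conf(text):
    """Return (entries, duplicates, relaxed) for wrapper.java.additional.N lines."""
    entries = {}  # index -> [(line_no, value), ...]
    for line_no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # commented-out entries are not active
        m = ENTRY.match(line)
        if m:
            entries.setdefault(int(m.group(1)), []).append((line_no, m.group(2)))
    # Only one value can take effect for a given key, so a repeated index hides an argument.
    duplicates = sorted(i for i, vals in entries.items() if len(vals) > 1)
    relaxed = []
    for idx, vals in sorted(entries.items()):
        for line_no, value in vals:
            p = JVM_PROP.match(value)
            if p and RELAXATIONS.get(p.group(1)) == p.group(2).lower():
                relaxed.append((line_no, idx, p.group(1)))
    return entries, duplicates, relaxed

def next_free_index(entries):
    """Lowest index above every index already in use."""
    return max(entries, default=0) + 1

if __name__ == "__main__":
    entries, duplicates, relaxed = audit_wrapper_conf(SAMPLE_CONF)
    print("duplicate indexes:", duplicates)
    print("next free index:", next_free_index(entries))
    for line_no, idx, name in relaxed:
        print(f"line {line_no}: additional.{idx} sets {name}=true")
```

If the index is already taken, use the next free one for the new key; the list of relaxed checks is worth keeping with the change record so the settings can be removed once the certificates are corrected.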