Overview for Securing Communications in DLP


Article ID: 209068


Data Loss Prevention


DLP can secure communication between a number of different server and client components, but each link uses its own keystore and its own configuration process.

This article aims to provide an overview of these as well as links to pertinent documentation.




Symantec Data Loss Prevention Installation Guide Windows/Linux

Section: Configuring certificates for secure server communication describes how to:

  • Replace the default certificates generated at installation for communications between Enforce and Detection Servers (recommended)
  • Secure communications between Enforce and Oracle DB (or Amazon RDS for Oracle)


Section: About secure communications between DLP Agents and Endpoint Servers

  • Describes the secure communication mechanism between agents, load balancers and detection servers (reference only, not configurable)


Securing browser communications to the Enforce Console

  • Follow this article to create, sign, and import a signed SSL certificate for Symantec Data Loss Prevention (DLP) Enforce.
  • This will prevent you from seeing the 'untrusted' warning on the browser when accessing the DLP Enforce console.


Configuring a Secure ICAP connection for Network Prevent for Web


MTA Integration Guide for Network Prevent for Email



Additional Information


Adding the JRE folder to the environment variable path

When working with Java keystores, it's useful to put the path to the JRE in the Windows environment variables. This saves typing the complete path to keytool.exe in front of every command that already carries the full paths of the target keystore and certificate file.

The PowerShell script below will assist with this.

  • The default installation paths have been added, but if you've changed those in your installation you will need to modify them
  • These will add system level environment variables
  • You will need to open a new PowerShell window after the script has run to see the new entries using:
    • $env:java_home
    • $env:path

### JRE Default Installation paths by DLP version ###
$Java155 = "C:\Program Files\Symantec\DataLossPrevention\ServerJRE\1.8.0_181"
$Java157 = "C:\Program Files\Symantec\DataLossPrevention\ServerJRE\1.8.0_202"
$Java158 = "C:\Program Files\AdoptOpenJRE\jdk8u262-b10-jre"

# Assign old and new paths here:
$oldJRE = $Java155
$newJRE = $Java158

# Point JAVA_HOME at the new JRE. Machine-level variables require an elevated (Run as Administrator) PowerShell session.
[System.Environment]::SetEnvironmentVariable("JAVA_HOME", "$newJRE", [System.EnvironmentVariableTarget]::Machine)

# Read the current system Path and split it into its entries, dropping any empty ones
$EnvPath = [System.Environment]::GetEnvironmentVariable("Path", "Machine")
[System.Collections.ArrayList]$AddNewPathList = @($EnvPath -split ";" | Where-Object { $_ })

# Remove the old JRE's bin folder. Iterate over a copy (ToArray) because removing
# entries from the collection being enumerated throws an exception.
foreach ($epath in $AddNewPathList.ToArray()) {
    if ($epath -like "$oldJRE\bin") { $AddNewPathList.Remove($epath) }
}

# Add the new JRE's bin folder if it is not already present, then write the result back to the system Path
if (-not ($AddNewPathList.Contains("$newJRE\bin"))) { [void]$AddNewPathList.Add("$newJRE\bin") }
$finalPath = $AddNewPathList -join ";"
[System.Environment]::SetEnvironmentVariable("Path", $finalPath, [System.EnvironmentVariableTarget]::Machine)


Once this is done you can just type the keytool.exe command without having to enter the full executable path, e.g.