Overview for Securing Communications in DLP

Article ID: 209068

Products

Data Loss Prevention

Issue/Introduction

DLP can secure communication between a number of different server and client components, but it uses a variety of keystores and configuration processes to do so.

This article aims to provide an overview of these as well as links to pertinent documentation.

Environment

16.x

Resolution

Configuring certificates for secure server communication

Describes how to:

    • Replace the default certificates generated at installation for communications between Enforce and Detection Servers (recommended)
    • Secure communications between Enforce and Oracle DB (or Amazon RDS for Oracle)

Secure Communications Between DLP Agents and Endpoint Servers

    • Describes the secure communication mechanism between agents, load balancers and detection servers
    • Configurable with custom certificates since DLP 16.0

Securing browser communications to the Enforce Console

    • Follow this article to create, sign, and import a signed SSL certificate for Symantec Data Loss Prevention (DLP) Enforce.
    • This stops the browser showing the 'untrusted' certificate warning when you access the DLP Enforce console.

Configuring a Secure ICAP connection for Network Prevent for Web

MTA Integration Architecture for Network Prevent for Email (NPE)

    • Use this guide for securing communications between email servers (MTAs) and DLP NPE detection servers.

Securing communications with on-premise Optical Character Recognition Servers

    • Use this to set up mandatory server-side TLS authentication and optional client-side authentication for OCR servers.

Additional Information

Adding the JRE folder to the environment variable path

When working with Java keystores, it is useful to set JAVA_HOME and put the JRE's bin folder on the Windows PATH in the system environment variables. This saves you from having to enter the complete path to keytool.exe each time, followed by the complete path to the target keystore and certificate file.

The PowerShell script below will assist with this.

  • The default installation paths have been added, but if you changed them in your installation you will need to modify them.
  • The script sets system-level (Machine) environment variables, so run it from an elevated PowerShell session.
  • You will need to open a new PowerShell window after the script has run to see the new entries using:
    • $env:java_home
    • $env:path

### JRE default installation paths by DLP version ###
### CHANGE THESE IF YOU HAVE NOT USED THE DEFAULTS !! ###
$Java158     = "C:\Program Files\AdoptOpenJRE\jdk8u262-b10-jre"
$Java160_RU1 = "C:\Program Files\AdoptOpenJRE\jdk8u352-b08-jre"
$Java160_RU2 = "C:\Program Files\AdoptOpenJRE\jdk8u352-b08-jre"
$Java161     = "C:\Program Files\AdoptOpenJRE\jdk8u422-b05-jre"

# Assign old and new paths here:
$oldJRE = $Java158
$newJRE = $Java161

# Writing Machine-level variables requires an elevated (Run as Administrator) PowerShell session.
[System.Environment]::SetEnvironmentVariable("JAVA_HOME", "$newJRE", [System.EnvironmentVariableTarget]::Machine)
$EnvPath = [System.Environment]::GetEnvironmentVariable("Path", "Machine")
[System.Collections.ArrayList]$AddNewPathList = $EnvPath.Split(";")

# Remove the old JRE's bin folder. Iterate over a copy (ToArray) so that removing
# entries from the ArrayList does not invalidate the enumeration in progress.
foreach ($epath in $AddNewPathList.ToArray())
{
    if ($epath -like "$oldJRE\bin") { $AddNewPathList.Remove($epath) }
}

# Add the new JRE's bin folder once; [void] discards the index that Add() returns.
if (-not ($AddNewPathList.Contains("$newJRE\bin"))) { [void]$AddNewPathList.Add("$newJRE\bin") }
$finalPath = $AddNewPathList -join ";"
[System.Environment]::SetEnvironmentVariable("Path", $finalPath, "Machine")

Once this is done you can run keytool.exe from a new PowerShell window without entering the full path to the executable.
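As an added check that is not part of the original article, the function below verifies from a new PowerShell window that the Machine-level JAVA_HOME and Path now reference the new JRE, that the old bin folder is gone, and which keytool.exe the session actually resolves (a stale or extra JRE earlier on PATH would silently shadow the new one). The two default paths are the article's DLP 15.8 and 16.1 defaults and are assumptions to adjust for your installation.

```powershell
# Added verification helper (not from the original article). Run it in a NEW
# PowerShell window after the script above so the session sees the new values.
# $OldJre/$NewJre default to the DLP 15.8 / 16.1 paths used in the article;
# change them if your installation uses other paths.
function Test-JreEnvironment {
    param(
        [string]$OldJre = "C:\Program Files\AdoptOpenJRE\jdk8u262-b10-jre",
        [string]$NewJre = "C:\Program Files\AdoptOpenJRE\jdk8u422-b05-jre"
    )

    $machinePath = [System.Environment]::GetEnvironmentVariable("Path", "Machine") -split ";" |
                   Where-Object { $_ -ne "" }
    $javaHome        = [System.Environment]::GetEnvironmentVariable("JAVA_HOME", "Machine")
    $expectedKeytool = Join-Path $NewJre "bin\keytool.exe"

    # The keytool.exe this session would actually run is the first match on PATH.
    $resolved = Get-Command keytool.exe -ErrorAction SilentlyContinue |
                Select-Object -First 1 -ExpandProperty Source

    [pscustomobject]@{
        JavaHomeIsNewJre    = ($javaHome -eq $NewJre)
        NewBinOnMachinePath = ($machinePath -contains "$NewJre\bin")
        OldBinRemoved       = -not ($machinePath -contains "$OldJre\bin")
        NewKeytoolExists    = (Test-Path -LiteralPath $expectedKeytool)
        ResolvedKeytool     = $resolved
        ResolvedIsNewJre    = ($resolved -eq $expectedKeytool)
    }
}

$check = Test-JreEnvironment
$check | Format-List

# Every boolean field should be True; name the ones that are not.
$failed = $check.PSObject.Properties | Where-Object { $_.Value -is [bool] -and -not $_.Value }
if ($failed) {
    Write-Warning ("JRE environment checks failed: " + ($failed.Name -join ", ") +
                   ". Re-run the script from an elevated session or correct the paths.")
}
```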