ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Overview for Securing Communications in DLP

book

Article ID: 209068

calendar_today

Updated On:

Products

Data Loss Prevention

Issue/Introduction

DLP allows for communication to be secured between a number of different server and client components, but uses a variety of different keystores and configuration processes to achieve it.

This article aims to provide an overview of these as well as links to pertinent documentation.

Environment

15.x

Resolution

Symantec Data Loss Prevention Installation Guide Windows/Linux 

Section: Configuring certificates for secure server communication describes how to:

    • Replace the default certificates generated at installation for communications between Enforce and Detection Servers (recommended)
    • Secure communications between Enforce and Oracle DB (or Amazon RDS for Oracle)

 

Section: About secure communications between DLP Agents and Endpoint Servers

    • Describes the secure communication mechanism between agents, load balancers and detection servers (reference only, not configurable)

 

Securing browser communications to the Enforce Console

  • Follow this article to create, sign, and import a signed SSL certificate for Symantec Data Loss Prevention (DLP) Enforce.
  • This will prevent you from seeing the 'untrusted' warning on the browser when accessing the DLP Enforce console.

 

Configuring a Secure ICAP connection for Network Prevent for Web

 

MTA Integration Guide for Network Prevent for Email

 

 

Additional Information

 

Adding the JRE folder to the environment variable path

When working with Java keystores, it's useful to put the path to the JRE in the Windows environment variables. This will save you from having to enter the complete path to the keytool.exe, followed by the complete path to the target keystore and certificate file.

The powershell script below will assist with this.

  • The default installation paths have been added, but if you've changed those in your installation you will need to modify them
  • These will add system level environment variables
  • You will need to open a new PowerShell window after the script has run to see the new entries using:
    • $env:java_home
    • $env:path 
### JRE Default Installation paths by DLP version ###
### CHANGE THESE IF YOU HAVE NOT USED THE DEFAULTS !! #####
$Java155 = "C:\Program Files\Symantec\DataLossPrevention\ServerJRE\1.8.0_181"
$Java157 = "C:\Program Files\Symantec\DataLossPrevention\ServerJRE\1.8.0_202"
$Java158 = "C:\Program Files\AdoptOpenJRE\jdk8u262-b10-jre"

# Assign old and new paths here:
$oldJRE = $Java155
$newJRE = $Java158

[System.Environment]::SetEnvironmentVariable("JAVA_HOME","$newJRE" , [System.EnvironmentVariableTarget]::Machine)
$EnvPath = [System.Environment]::GetEnvironmentVariable("Path","Machine")
[System.Collections.ArrayList]$AddNewPathList = $EnvPath.split(";")

foreach ($epath in ($AddNewPathList))
{
    if($epath -like "$oldJRE\bin") {$AddNewPathList.Remove($epath)}

}
if (-not($AddNewPathList.Contains("$newJRE\bin"))){$AddNewPathList.Add("$newJRE\bin")}
$finalPath = $AddNewPathList -join ";"
[System.Environment]::SetEnvironmentVariable("Path",$finalPath,"Machine")

 

Once this is done you can just type the keytool.exe command without having to enter the full executable path.

 

 

Attachments