Symantec Endpoint Encryption uses a MS SQL database on the backend. If there is some concern for this connection going over a non-encrypted connection, it is possible to enable TLS to ensure this information is encrypted. This article will go over the basic steps on how to do this.
Important Note: SQL Express is not officially supported, but should generally work for testing purposes. However, TLS Configurations require the full version of SQL Database to be used and these steps will not work for SQL Express.
For this example, the domain will be called "example.com" and the name of the server in question is called "seems".
Important Note: TLS 1.0/1.1 are no longer used on Symantec Endpoint Encryption. It is advised to disable TLS 1.0/1.1 on the Windows Servers where SEE Management Server resides.
To do so, open the SEEMS Configuration Manager, go to the Web Server tab, check the box to disable TLS 1.0/1.1, and reboot the server.
First, you will want to create a certificate for the host "seems.example.com".
To do this, open your local certificate manager (certlm.msc) and open Personal.
Next, right-click, select All Tasks, and then "Request New Certificate...".
The Certificate Enrollment screen will be displayed:
Click Next on the following screen:
Check the box for "Computer", meaning the computer you are currently logged in to. Since the system we are logged in to is "server1", the certificate will be created for this system.
If you were creating the certificate on another system, ensure that the hostname for the certificate matches that of the server where SEE Management Server is installed.
The common name "seems.example.com", or the FQDN of the server, is critical to assigning this certificate properly.
TIP: You can click the "Details" drop-down on the following screen to see more granular options for generating the certificate.
Click Enroll to generate the certificate.
Then click finish:
The certificate will then be displayed in your certificate mmc:
Now double-click the certificate to ensure all the properties were set as you expected. What you are looking for is "Key Usage", which should contain Digital Signature and Key Encipherment; the "Subject", which should contain the FQDN of your server; and "Enhanced Key Usage", which should contain Client Authentication and Server Authentication:
If the above attributes are not present, you may need to check your work and create a new certificate. If you have an internal CA, as is the case for this example, you can check the Certification Path, which should show that the certificate was issued by your internal CA:
In the example above, server1-EXAMPLE-CA is the proper certificate authority, so this looks good.
Next, you will want to assign the "Users" group permissions for this certificate's private key. To do this, right-click the new certificate you just created, click All Tasks, and then "Manage Private Keys...":
This will open the permissions for the certificate. Add the "Users" group to the list for all permissions:
Once this has been done, you should be able to assign the certificate to SQL and then restart SQL services.
To do this, open the SQL Server Configuration Manager. Expand "SQL Network Configuration", right-click Protocols, and go to Properties:
This will open the following page (Click on the Certificates tab):
Click the certificate listed, and then click OK. You should get the following message (Click OK):
Next, click on "SQL Server Services" in the SQL Server Configuration Manager. Right-click the SQL Server service (in this example it is called "SQL Server (SQLEXPRESS)", but yours may be different) and click Restart:
Once the services restart, you should then be able to enable TLS in the SEEMS Configuration Manager.
Open the SEEMS Configuration Manager:
Notice in the above screenshot that the "Database server name" is still the friendly name\SQL instance. Change this to the FQDN of the server, now that we have a certificate configured for this hostname:
Once this has been configured, enter the password and click Save. Now all SQL interactions from the SEE Management Server should be encrypted. You can then do this for any of the other SEE Management Servers that you may have in your environment.
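As an added verification script (not part of the original article and not Symantec's or SEE's own tooling), the following PowerShell checks the certificate attributes the article tells you to inspect (Key Usage, Subject, Enhanced Key Usage, chain to the internal CA) and then opens a connection that requires TLS and asks SQL Server whether the session is encrypted. $Fqdn and $SqlInstance are assumed values to adjust for your environment; the instance name is a placeholder.

```powershell
# Added verification script; assumes the certificate was enrolled into the computer's
# Personal store (Cert:\LocalMachine\My) as described above. Run on the SEE Management Server.
param(
    [string]$Fqdn        = 'seems.example.com',            # hostname used in the article
    [string]$SqlInstance = 'seems.example.com\INSTANCE'    # placeholder: FQDN\instance as entered in SEEMS
)

# 1. Find the newest certificate whose Subject CN matches the FQDN.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match "^CN=$([regex]::Escape($Fqdn))(,|$)" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with CN=$Fqdn found in Cert:\LocalMachine\My" }

# 2. Check Key Usage (Digital Signature + Key Encipherment) and Enhanced Key Usage
#    (Server Authentication 1.3.6.1.5.5.7.3.1, Client Authentication 1.3.6.1.5.5.7.3.2),
#    that a private key is present, and that the chain builds to a trusted (internal) CA.
$kuExt  = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
$ekuExt = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$ku     = [int]$kuExt.KeyUsages            # 0 if the extension is missing
$eku    = @($ekuExt.EnhancedKeyUsages.Value)
$flags  = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]
$chain  = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$checks = [ordered]@{
    'Subject'                      = $cert.Subject
    'Key Usage: Digital Signature' = (($ku -band [int]$flags::DigitalSignature) -ne 0)
    'Key Usage: Key Encipherment'  = (($ku -band [int]$flags::KeyEncipherment) -ne 0)
    'EKU: Server Authentication'   = ($eku -contains '1.3.6.1.5.5.7.3.1')
    'EKU: Client Authentication'   = ($eku -contains '1.3.6.1.5.5.7.3.2')
    'Has private key'              = $cert.HasPrivateKey
    'Not expired'                  = ($cert.NotAfter -gt (Get-Date))
    'Chain builds to trusted CA'   = $chain.Build($cert)
    'Issuer'                       = $cert.Issuer
}
$checks.GetEnumerator() | ForEach-Object { '{0,-30} {1}' -f $_.Key, $_.Value }

# 3. Confirm the SQL session itself is encrypted. Encrypt=True makes the client require TLS
#    and TrustServerCertificate=False makes it validate the server certificate's chain and name,
#    so a mismatch between the certificate and the FQDN fails here instead of silently working.
$conn = New-Object System.Data.SqlClient.SqlConnection
$conn.ConnectionString = "Server=$SqlInstance;Integrated Security=True;Encrypt=True;TrustServerCertificate=False"
$conn.Open()
$cmd = $conn.CreateCommand()
$cmd.CommandText = 'SELECT encrypt_option FROM sys.dm_exec_connections WHERE session_id = @@SPID'
$encrypted = $cmd.ExecuteScalar()    # SQL Server reports 'TRUE' when the session is TLS-protected
$conn.Close()
'SQL encrypt_option for this session: {0}' -f $encrypted
if ($encrypted -ne 'TRUE') { Write-Warning 'Connection to SQL Server is NOT encrypted' }
```

If the connection fails on the certificate check rather than reporting encrypt_option, the certificate's Subject does not match the name you connected to or its chain is not trusted on this server, which are the same two attributes the article tells you to verify in the certificate MMC.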