The Appliance Birth Registration Certificate Authority (ABRCA) root CA certificate is the ultimate root of trust for all appliance certificates that Symantec products use, including Data Loss Prevention (DLP) hardware and virtual appliances.
Symantec has created a new ABRCA root CA certificate to replace the one expiring in December 2021. Before the older ABRCA root CA certificate expires, ensure that the new ABRCA root CA certificate is installed on your appliances. The new certificate will have an expiration date of Dec 31 00:04:16 2037 GMT.
WARNING: If you do not update your DLP appliance(s) before the root CA expires in December 2021, the information in this article is no longer applicable. Once the root CA expires, you will be forced to upgrade to a new build that contains the updated trust package.
If this CA certificate expires, certain appliance-to-back-end and appliance-to-appliance communication flows that use the birth certificate for authentication will fail. For example, the Enforce Server will fail to connect to the appliance, so policies cannot be updated and incidents cannot be received.
In addition, for virtual appliances only, an intermediate CA (ICA) certificate must also be updated. The old ICA certificate will expire in November 2021. The hardware appliance does not need to be updated for the ICA certificate; only the root CA certificate needs to be updated.
This article provides instructions for updating the ABRCA root and intermediate CA certificates. The Enforce Server truststore must also be updated as part of the process, as described below.
Note: The following instructions are intended for customers using currently supported DLP versions. If you are using a version that has reached its end of service (EOS), Symantec strongly recommends that you update your DLP version. For a list of in-service versions and for EOS dates for all DLP versions, see the End of Service dates for Symantec Data Loss Prevention product advisory. If you have questions regarding EOS dates or versions, contact Symantec Support.
If it shows that the certificate will expire in November 2021, follow the subsequent steps.
If you are using DLP 15.5 or DLP 15.7, you must update the truststore on the Enforce Server. DLP 15.8 customers do not need to update the truststore.
On Windows: enforce_truststore.jks is located in C:\Program Files\Symantec\Data Loss Prevention\Enforce Server\15.7\Protect\keystore
On Linux: enforce_truststore.jks is located in /opt/Symantec/DataLossPrevention/Enforce Server/15.7/Protect/keystore
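
One way to confirm which trusted certificates in enforce_truststore.jks expire before a given date is to parse the verbose listing from the JDK's keytool (keytool -list -v). This is an added example, not Symantec's own tooling or part of the original article. Assumptions: English-locale keytool output, and a constructed sample listing whose aliases, owners and December 2021 date are made up.

```python
import re
from datetime import datetime

# Constructed sample of `keytool -list -v` output. Aliases, owners and the
# December 2021 date are made up; only the 2037 expiry is from the article.
SAMPLE_KEYTOOL_OUTPUT = """\
Your keystore contains 2 entries

Alias name: example_old_root
Entry type: trustedCertEntry

Owner: CN=Example Old Root (constructed)
Issuer: CN=Example Old Root (constructed)
Valid from: Thu Dec 15 00:00:00 GMT 2011 until: Wed Dec 15 00:00:00 GMT 2021

Alias name: example_new_root
Entry type: trustedCertEntry

Owner: CN=Example New Root (constructed)
Issuer: CN=Example New Root (constructed)
Valid from: Fri Oct 01 00:00:00 GMT 2021 until: Thu Dec 31 00:04:16 GMT 2037
"""

ALIAS_RE = re.compile(r"^Alias name:\s*(.+)$")
# Weekday and zone name are skipped; dates are compared as printed (assumed GMT).
UNTIL_RE = re.compile(r"until:\s*\w{3} (\w{3}) +(\d{1,2}) (\d\d:\d\d:\d\d) \S+ (\d{4})")


def parse_expiries(text):
    """Return (alias, not_after) for every certificate listed under each alias."""
    entries, alias = [], None
    for line in text.splitlines():
        found = ALIAS_RE.match(line.strip())
        if found:
            alias = found.group(1).strip()
            continue
        found = UNTIL_RE.search(line)
        if found and alias is not None:
            stamp = "{} {} {} {}".format(*found.groups())
            entries.append((alias, datetime.strptime(stamp, "%b %d %H:%M:%S %Y")))
    return entries


def expiring_before(text, cutoff):
    """Entries whose not-after date falls before the cutoff."""
    return [(a, d) for a, d in parse_expiries(text) if d < cutoff]


if __name__ == "__main__":
    for alias, not_after in expiring_before(SAMPLE_KEYTOOL_OUTPUT, datetime(2022, 1, 1)):
        print(f"{alias}: expires {not_after:%Y-%m-%d}")
```

Running the same check after the truststore update should return no entries for the old root and show the new root with the 2037 expiry.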