
Update the ABRCA Root CA Certificate on Symantec Data Loss Prevention (DLP) Appliances


Article ID: 216067


Updated On:

Products

Data Loss Prevention API Detection for Developer Apps Virtual Appliance
Data Loss Prevention API Detection Virtual Appliance
Data Loss Prevention Network Prevent for Web Virtual Appliance
DLP-S500

Issue/Introduction

The Appliance Birth Registration Certificate Authority (ABRCA) root CA certificate is the ultimate root of trust for all appliance certificates that Symantec products use, including Data Loss Prevention (DLP) hardware and virtual appliances.  

Symantec has created a new ABRCA root CA certificate to replace the one expiring in December 2021. Before the older ABRCA root CA certificate expires, ensure that the new ABRCA root CA certificate is installed on your appliances. The new certificate will have an expiration date of Dec 31 00:04:16 2037 GMT.

WARNING: If you do not update your DLP appliance(s) before the root CA expires in December 2021, the information in this article is no longer applicable. Once the root CA expires, you will be forced to upgrade to a new build that contains the updated trust package.

If this CA certificate expires, certain appliance-to-back-end and appliance-to-appliance communications flows that use the birth certificate for authentication will fail. For example, the Enforce Server will fail to connect to the appliance, which will result in the inability to update policies or receive incidents.

In addition, for virtual appliances only, an intermediate CA (ICA) certificate must also be updated. The old ICA certificate will expire in November 2021. The hardware appliance does not need to be updated for the ICA certificate; only the root CA certificate needs to be updated.

This article provides instructions for updating the ABRCA root and intermediate CA certificates. The Enforce Server truststore must also be updated as part of the process, as described below. 

Note: The following instructions are intended for customers using currently supported DLP versions. If you are using a version that has reached its end of service (EOS), Symantec strongly recommends that you update your DLP version. For a list of in-service versions and for EOS dates for all DLP versions, see the End of Service dates for Symantec Data Loss Prevention product advisory. If you have questions regarding EOS dates or versions, contact Symantec Support.

Resolution

Checking and updating the Intermediate CA certificate

  1. Log in to the appliance CLI.
  2. View the intermediate CA certificate using this command:

    show ssl keyring bluecoat-appliance

    Information similar to the following appears:

    If it shows that the certificate will expire in November 2021, follow the subsequent steps.

  1. Go to the Broadcom Support Portal, click Symantec Enterprise Security, then click My Entitlements and search for your appliance information.
  2. Verify that the start date of the new license (.bcl) is later than 12/18/2021.
  3. Download the new license.
  4. Using the appliance CLI, run the command to update the license:

    licensing inline passphrase <password associated with the bcl file>

  5. Copy-paste the content of the .bcl file and press ctrl+D at the end. 
  6. Reboot the appliance using the restart command.
  7. After the reboot, log in to the CLI and run the licensing view status command. The status shows as complete, and the last update date is the date the new license was applied.
  8. The new license applied will update the intermediate certificate. Use the show ssl keyring bluecoat-appliance command to see and verify the validity dates. 

Checking and updating the ABRCA root CA certificate

  1. Log in to the appliance CLI.
  2. View the root CA certificate using this command:

    ssl view ca-certificate ABRCA_root

    Information similar to the following appears:

    If it shows that the certificate will expire in November 2021, follow the subsequent steps.
  1. Run the command to download the new ABRCA root CA cert via the appliance CLI:

    ssl trust-package download-now

    Note: The appliance will need outbound connectivity to port 80/tcp to download the new trust package. The download command will not work if the appliance does not have outbound connectivity.

  2. Run the ssl view ca-certificate ABRCA_root command to see and verify the ABRCA root certificate validity dates. 

Update the Enforce Server truststore

If you are using DLP 15.5 or DLP 15.7, you must update the truststore on the Enforce Server. DLP 15.8 customers do not need to update the truststore. 

  1. Download the ZIP file attached to this article.
  2. Verify the integrity of the ZIP file against the following SHA-256 checksum:

    4f760da5490971d6937f4ecc81a6feadd95604e4f87a27e4fe3e9d327d93da97

  3. Extract the enforce_truststore.jks file from the ZIP file.
  4. Stop the Symantec DLP Detection Server Controller service.
  5. Back up the existing enforce_truststore.jks file and save it to a separate directory on the Enforce Server. The location of the enforce_truststore.jks file is provided below; use your DLP version number instead of “15.7” as appropriate.
    • On Windows: enforce_truststore.jks is located in C:\Program Files\Symantec\Data Loss Prevention\Enforce Server\15.7\Protect\keystore

    • On Linux: enforce_truststore.jks is located in /opt/Symantec/DataLossPrevention/Enforce Server/15.7/Protect/keystore

  6. Replace the existing enforce_truststore.jks with the file extracted from the ZIP file.
  7. Start the Symantec DLP Detection Server Controller service.

Validating that the enforce_truststore.jks file contains the expected CA certificate

  1. Go to the folder where the keytool is located on the Enforce Server.

    • On Windows systems, the keytool is located at \Program Files\Symantec\Data Loss Prevention\ServerJRE\1.8.0_181\bin\
    • On Linux systems, the keytool is located at /opt/Symantec/DataLossPrevention/ServerJRE/1.8.0_181/bin/

      Replace the JRE directory (1.8.0_181) with the JRE version shipped with your Symantec DLP release.

  2. Run the following keytool command, specifying the full path to the keystore file. The example is for DLP 15.7 installed on a Windows server.

    keytool -v -list -alias bluecoat -keystore "C:\Program Files\Symantec\Data Loss Prevention\Enforce Server\15.7\Protect\keystore\enforce_truststore.jks"

    On Linux systems, the keystore directory is located in /opt/Symantec/DataLossPrevention/EnforceServer/15.7/Protect/keystore/

  3. When prompted for a password, press ENTER.
  4. If the replacement was done correctly, the certificate with alias “bluecoat” shows a validity date beyond December 2021. The serial number of this certificate is 86685b50f1046fad.
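A POSIX shell helper, added for this article and not part of Symantec's tooling, that automates the check in step 4: it parses keytool -v -list output for the bluecoat alias and confirms the serial 86685b50f1046fad together with an expiry beyond December 2021. The sample keytool output embedded in it is constructed, and keytool is assumed to be on PATH or pointed to by a KEYTOOL variable.

```shell
#!/bin/sh
# Added helper (not Symantec tooling): checks `keytool -v -list -alias bluecoat` output
# for the ABRCA root serial quoted in the article and an expiry beyond December 2021.

EXPECTED_SERIAL="86685b50f1046fad"   # serial number given in step 4 of the article

# Constructed sample of keytool -v -list output for an updated truststore (not real
# output; the "Valid from" date is made up, serial and expiry are the article's values).
SAMPLE_KEYTOOL_OUTPUT='Alias name: bluecoat
Creation date: May 26, 2021
Entry type: trustedCertEntry

Serial number: 86685b50f1046fad
Valid from: Wed Jan 01 00:00:00 GMT 2020 until: Thu Dec 31 00:04:16 GMT 2037'

# check_keytool_output: reads keytool -v -list output on stdin. Prints
# "OK <serial> <expiry-year>" and returns 0 when the entry has the expected serial
# and expires after 2021; otherwise prints a FAIL reason and returns 1.
check_keytool_output() {
    input=$(cat)
    serial=$(printf '%s\n' "$input" | awk -F': *' '/^Serial number:/ { print tolower($2); exit }')
    until_year=$(printf '%s\n' "$input" | awk '/^Valid from:/ && /until:/ { print $NF; exit }')
    if [ -z "$serial" ] || [ -z "$until_year" ]; then
        echo "FAIL: no certificate entry found in keytool output"; return 1
    fi
    if [ "$serial" != "$EXPECTED_SERIAL" ]; then
        echo "FAIL: serial $serial does not match expected $EXPECTED_SERIAL"; return 1
    fi
    case "$until_year" in
        *[!0-9]*) echo "FAIL: cannot parse expiry year from the 'until:' field"; return 1 ;;
    esac
    if [ "$until_year" -le 2021 ]; then
        echo "FAIL: certificate expires in $until_year, not beyond December 2021"; return 1
    fi
    echo "OK $serial $until_year"
}

# check_truststore <path-to-enforce_truststore.jks>: runs keytool (assumed on PATH, or
# set KEYTOOL to the ServerJRE bin path) and feeds the result to the checker. The
# piped empty line answers the password prompt, as "press ENTER" does in step 3.
check_truststore() {
    printf '\n' | "${KEYTOOL:-keytool}" -v -list -alias bluecoat -keystore "$1" 2>/dev/null \
        | check_keytool_output
}

# Stand-alone use: `--sample` checks the constructed sample, a path checks a real truststore.
if [ "${1:-}" = "--sample" ]; then
    printf '%s\n' "$SAMPLE_KEYTOOL_OUTPUT" | check_keytool_output
elif [ -n "${1:-}" ]; then
    check_truststore "$1"
fi
```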

Attachments

1622132842813__enforce_truststore_May_2021.zip