Configure secure DLP Enforce Directory Connection with Oracle LDAP Server
Article ID: 224131

Products

Data Loss Prevention Enforce

Issue/Introduction

Importing an SSL certificate from Oracle LDAP to DLP Enforce


Environment

Release : 15.8.x, 16.x

Component : Enforce

Cause

Importing the certificate is required when "Use Secure Connection (SSL)" is ticked on the "Configure Directory Connection" page of the Enforce console (System > Directory Connections > Configure Directory Connections). Without it the Enforce JRE does not trust the certificate presented by the Oracle LDAP server.

Resolution

1. Copy the certificate file you want to import from the Oracle LDAP server to the Enforce Server.

Note: You must convert the certificate file from the .cer extension to the .crt format; otherwise you may see the following red banner error:

Enforce > System > Directory Connections > Configure Directory Connections

Error:
Could not connect to the directory server using the specified network parameters. There may be an error with the host name, port or encryption method.
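The following PowerShell script is an added example, not part of this KB article. It normalises the certificate copied in step 1 to PEM (.crt) and then opens a TLS session to the LDAPS port, accepting the handshake only if the chain the server presents contains that certificate. Running it on the Enforce Server separates a certificate or trust problem from the generic "Could not connect" banner before anything is imported. The file paths, host name and port default are assumptions to adjust for your environment.

```powershell
# Added example, not part of the KB article: normalise the certificate copied from the
# Oracle LDAP server to PEM (.crt) and confirm the LDAPS endpoint actually presents it
# before anything is imported into the Enforce truststore.
# All paths, the host name and the port default are placeholders (assumptions).
param(
    [string]$SourceCert = 'C:\temp\oracle-ldap.cer',   # file copied from the LDAP server (assumed path)
    [string]$TargetCrt  = 'C:\temp\oracle-ldap.crt',   # PEM output that keytool will import
    [string]$LdapHost   = 'ldap.example.com',          # assumed Oracle LDAP host name
    [int]   $LdapPort   = 2636                         # LDAPS port that worked in the KB's setup
)

# X509Certificate2 parses both DER (binary .cer) and Base64/PEM input,
# so the source file can be in either encoding.
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($SourceCert)
Write-Host ("Subject   : {0}" -f $cert.Subject)
Write-Host ("Issuer    : {0}" -f $cert.Issuer)
Write-Host ("Not after : {0:u}" -f $cert.NotAfter)
if ($cert.NotAfter -lt (Get-Date)) { Write-Warning 'Certificate has already expired' }

# Write a PEM file: Base64 of the DER bytes, wrapped at 64 columns, with markers.
$b64   = [Convert]::ToBase64String($cert.RawData)
$lines = [regex]::Matches($b64, '.{1,64}') | ForEach-Object { $_.Value }
$pem   = @('-----BEGIN CERTIFICATE-----') + $lines + @('-----END CERTIFICATE-----')
Set-Content -Path $TargetCrt -Value $pem -Encoding Ascii
Write-Host "Wrote PEM certificate to $TargetCrt"

# TLS handshake to the LDAPS port. The validation callback accepts the session only
# if the chain the server presents contains the certificate we just wrote, so a
# mismatch (wrong file, missing intermediate, host serving another certificate)
# shows up here instead of as the generic banner in the Enforce console.
$script:expectedThumb = $cert.Thumbprint
$script:presented     = @()
$validate = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $serverCert, $chain, $sslErrors)
    if ($chain) {
        $script:presented = @($chain.ChainElements | ForEach-Object { $_.Certificate.Thumbprint })
    } else {
        $script:presented = @($serverCert.GetCertHashString())
    }
    return ($script:presented -contains $script:expectedThumb)
}

$tcp = [System.Net.Sockets.TcpClient]::new($LdapHost, $LdapPort)
$ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $validate)
try {
    $ssl.AuthenticateAsClient($LdapHost)
    Write-Host ("TLS {0} established; server chain includes {1}" -f $ssl.SslProtocol, $TargetCrt)
} catch {
    Write-Warning ("TLS handshake failed: {0}" -f $_.Exception.GetBaseException().Message)
    Write-Warning ("Thumbprints presented by server: {0}" -f ($script:presented -join ', '))
} finally {
    $ssl.Dispose()
    $tcp.Dispose()
}
```

If the handshake fails but the thumbprints printed do not include the expected one, the file copied from the LDAP server is not the one (or not in the chain of the one) the server actually serves on that port, and importing it into cacerts will not fix the directory connection.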

2. Open a command prompt on the Enforce Server and change directory to:

<drive letter>:\SymantecDLP<ver>\jdk<ver>-jre\bin

Then run the import (one line):

keytool -importcert -alias new_endpointgroup_alias -keystore <drive letter>:\SymantecDLP<ver>\jdk<ver>-jre\lib\security\cacerts -file <drive letter>:\SymantecDLP<ver>\jdk<ver>-jre\lib\security\certificatename.crt

3. When prompted, enter the password for the keystore. By default, the password is changeit. You can change the password afterwards if you wish.

To change the password, use: keytool -storepasswd -keystore ..\lib\security\cacerts
When prompted, enter the current keystore password (changeit) and then the new password.

4. A successful import is confirmed by a message such as: cert imported

5. Restart enforce services in the below order

Stop order:

  • SymantecDLPDetectionServerControllerService
  • SymantecDLPIncidentPersisterService
  • SymantecDLPManagerService
  • SymantecDLPNotifierService

Start order:

  • SymantecDLPNotifierService
  • SymantecDLPManagerService
  • SymantecDLPIncidentPersisterService
  • SymantecDLPDetectionServerControllerService
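The PowerShell script below is an added example, not part of this KB article. It performs steps 2 to 5 end to end: it locates the bundled JRE under the install root, backs up cacerts, refuses to overwrite an existing alias, imports the .crt, lists the new entry, and then stops and starts the Enforce services in the order given above. The install root, certificate path and alias are assumptions; the keystore password defaults to the changeit value the KB states.

```powershell
# Added example, not part of the KB article: import the PEM .crt into the Enforce
# JRE truststore (cacerts), verify the entry, and cycle the Enforce services in the
# stop/start order the KB specifies. Install root, alias and certificate path are
# assumptions; the truststore password defaults to the KB's stated default.
param(
    [string]$DlpRoot   = 'D:\SymantecDLP16',           # assumed <drive letter>:\SymantecDLP<ver>
    [string]$CertFile  = 'C:\temp\oracle-ldap.crt',    # PEM certificate to import (assumed path)
    [string]$Alias     = 'oracle_ldap',                # any alias not already present in cacerts
    [string]$StorePass = 'changeit'                    # default cacerts password
)

# Locate the bundled JRE (<DlpRoot>\jdk<ver>-jre) rather than hard-coding its version.
$jre = Get-ChildItem -Path $DlpRoot -Directory -Filter 'jdk*-jre' | Select-Object -First 1
if (-not $jre) { throw "No jdk<ver>-jre directory found under $DlpRoot" }
$keytool = Join-Path $jre.FullName 'bin\keytool.exe'
$cacerts = Join-Path $jre.FullName 'lib\security\cacerts'

# Hand the password to keytool through the environment (keytool's -storepass:env form)
# instead of the command line, so it does not show in process listings or history.
$env:DLP_STOREPASS = $StorePass

# Keep a timestamped copy of the truststore so the change can be rolled back.
Copy-Item -Path $cacerts -Destination ("{0}.{1}.bak" -f $cacerts, (Get-Date -Format 'yyyyMMddHHmmss'))

# Refuse to touch an alias that already exists (keytool -list exits non-zero if absent).
$null = & $keytool -list -keystore $cacerts '-storepass:env' DLP_STOREPASS -alias $Alias 2>&1
if ($LASTEXITCODE -eq 0) { throw "Alias '$Alias' already exists in $cacerts" }

& $keytool -importcert -noprompt -trustcacerts -alias $Alias -file $CertFile `
    -keystore $cacerts '-storepass:env' DLP_STOREPASS
if ($LASTEXITCODE -ne 0) { throw "keytool import of $CertFile failed" }

# Confirm the entry and show its fingerprint for comparison with the LDAP server's cert.
& $keytool -list -keystore $cacerts '-storepass:env' DLP_STOREPASS -alias $Alias
Remove-Item -Path Env:\DLP_STOREPASS

# Restart in the order the KB gives: stop the controller first, start the notifier first.
$stopOrder = @(
    'SymantecDLPDetectionServerControllerService',
    'SymantecDLPIncidentPersisterService',
    'SymantecDLPManagerService',
    'SymantecDLPNotifierService'
)
foreach ($name in $stopOrder) {
    Write-Host "Stopping $name"
    Stop-Service -Name $name -Force -ErrorAction Stop
}
foreach ($name in $stopOrder[($stopOrder.Count - 1)..0]) {   # start order is the reverse
    Write-Host "Starting $name"
    Start-Service -Name $name -ErrorAction Stop
    (Get-Service -Name $name).WaitForStatus('Running', [TimeSpan]::FromMinutes(5))
}
Get-Service -Name $stopOrder | Format-Table Name, Status -AutoSize
```

Run it from an elevated PowerShell session on the Enforce Server. The backup copy of cacerts is what you restore if the directory connection later has to be reverted, and the printed fingerprint should match the certificate the LDAP server presents.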

6. Open Enforce > System > Directory Connections > Configure Directory Connections and configure the directory connection.

Reference: page 276 of the 15.8 Admin guide

Symantec-Data-Loss-Prevention-Help-Center_15.8.pdf (broadcom.com)

Symantec Data Loss Prevention Help Center 16.0

Symantec Data Loss Prevention 16.0.1 Release Update (RU)

7. On the directory connection setup page

Enforce > System > Directory Connections > Configure Directory Connections

watch for authentication errors, for example:

Error:

An error occurred trying to connect to the directory server. It may not support anonymous connections or other specified parameters, or could be a formatting error

A fully distinguished user name including the domain components (without spaces) worked best for the Oracle LDAP setup, together with port 2636.

Example:  Username: cn=username,cn=Users,dc=domain,dc=com

8. Test the connection. If it succeeds, you will see the green banner:

Directory Connection Tested Successfully

Authentication error discussed in this KB:
Error "An error occurred trying to connect to the directory server" when changing the DLP directory connection to port 636 (broadcom.com)