Move Enforce to new server on the same DLP version

Article ID: 262435


Products

Data Loss Prevention
Data Loss Prevention Enforce

Issue/Introduction

You need to move the Enforce Server to a new server and stay on the same DLP version (you are not upgrading).


Resolution

  1. Before starting this change, take a backup (the Enforce database and the files listed below), and keep the original Enforce server in place, not shut down or decommissioned, until the move to the new server has completed successfully and has been verified (steps 16 to 19). If the new installation fails, you can then bring the original server back into service.

    Follow the steps below:

    1. Create the EnforceReinstallationResources.zip file on the current Enforce server. The utility is in the Protect\bin directory of the Enforce installation and takes two arguments: the Protect directory and the path of the zip file to write. Treat the zip as sensitive, since it carries the Enforce keystore that the new installation needs in order to reuse the preserved database, and store it where only DLP administrators can read it.
      1. Windows: ReinstallationResourcesUtility.exe export "D:\Program Files\Symantec\DataLossPrevention\EnforceServer\<DLP version>\Protect" "D:\EnforceReinstallationResources.zip"
      2. Linux: ./ReinstallationResourcesUtility export /opt/Symantec/DataLossPrevention/EnforceServer/<DLP version>/Protect /opt/EnforceReinstallationResources.zip
    2. Copy the license files (located in \ProgramData\Symantec\DataLossPrevention\EnforceServer\<DLP version>\license).
    3. If you have installed your own Tomcat certificates, back up .keystore, truststore.jks, and server.xml from \Program Files\Symantec\DataLossPrevention\EnforceServer\<DLP version>\Protect\tomcat\conf\. The keystore holds the private key of the Enforce console, so protect the copy as carefully as the original.
    4. Back up the Active Directory integration files:
      1. \Program Files\Symantec\DataLossPrevention\EnforceServer\<DLP version>\Protect\tomcat\webapps\ProtectManager\WEB-INF\SpringSecurityContext.xml
      2. \Program Files\Symantec\DataLossPrevention\EnforceServer\<DLP version>\Protect\config\krb5.ini (this file may instead be located in the Windows directory)
    5. Back up any plug-ins you have created:
      1. \Program Files\Symantec\DataLossPrevention\EnforceServer\<DLP version>\Protect\plugins\
    6. Back up, or plan to re-index, all indexed content (EDM, IDM, and VML indexes):
      1. \ProgramData\Symantec\DataLossPrevention\ServerPlatformCommon\index\
    7. If you run incremental Discover scans, back up the Derby database that holds the scan catalog:
      1. \ProgramData\Symantec\DataLossPrevention\EnforceServer\Protect\<DLP version>\scan\catalog\
    8. If you use LOB externalization (incident data stored on the file system instead of in the database):
      1. Make sure the old and the new Enforce server write to the same external storage location. If that is not possible, disable LOB externalization before the move.
      2. Keep in mind that this process is time consuming and difficult, especially if your environment has a large data set. Symantec recommends an incremental backup strategy to reduce the overhead, and storing the backup on RAID 5, 6, or 10.
      3. Several strategies exist for keeping a secondary copy of the externalized LOB data, for example a high-availability NAS with built-in redundancy, a scheduled rsync, a Windows file-system HA configuration, or block-level mirrored storage replication.
    9. Back up the certificates you have added to the JRE cacerts trust store (an internal root CA, intermediate CAs, the certificate of your LDAP or Active Directory server, and so on). The entries that ship with the JRE do not need to be carried over; only the ones you imported do.
      1. Change to the directory that holds the cacerts file:
        1. Windows: \Program Files\AdoptOpenJRE\jdk8u<version>-b10-jre\lib\security\
        2. Linux: /opt/AdoptOpenJRE/jdk8u<version>-b10-jre/lib/security/
      2. List the entries to find the aliases you added: keytool -list -keystore cacerts (the default password is changeit).
      3. Export each of those entries in .crt format: keytool -exportcert -keystore cacerts -alias [exampledomain.com] -file [exampledomain.com].crt
      4. After the new Enforce server is installed (step 13), import the exported .crt files into the cacerts of the new server's JRE:
        1. Windows: cd "C:\Program Files\AdoptOpenJRE\jdk8u<version>-b10-jre\lib\security" and run keytool -importcert -alias [exampledomain.com] -keystore cacerts -file \path\to\[exampledomain.com].crt
        2. Linux: cd /opt/AdoptOpenJRE/jdk8u<version>-b10-jre/lib/security/ and run keytool -importcert -alias [exampledomain.com] -keystore cacerts -file /path/to/[exampledomain.com].crt
        3. Enter the cacerts password (changeit) and confirm the import when keytool asks whether to trust the certificate.
      5. Locate the intermediate, CA, and SSL certificate files of your chain (for example Intermediate.crt) and import each one into cacerts under its own alias in the same way:
        1. Windows: keytool -importcert -alias [exampledomain.com] -keystore cacerts -file \path\to\[exampledomain.com].crt
        2. Linux: keytool -importcert -alias [exampledomain.com] -keystore cacerts -file /path/to/[exampledomain.com].crt
        3. Enter the password for cacerts: changeit.
      6. Confirm with keytool -list -keystore cacerts that every alias from the old server is present on the new one. Keep the exported .crt files: cacerts is replaced whenever the JRE is upgraded or reinstalled, and the imports then have to be repeated.
    10. Install the Oracle Client on the new Enforce server if Oracle runs on a separate server from Enforce. Choose the Administrator installation type.
    11. Stop the DLP services on the old Enforce server.
    12. Disable the DLP services on the old Enforce server so they cannot restart and write to the database while the new server takes over.
    13. Follow the 15.8 or 16.0 installation instructions to install the Enforce server on the new server. Set the installer's database option to preserve the existing database rather than initialize it (look for the parameter INITIALIZE_DATABASE_OPTION); initializing discards the existing data, so check this setting before proceeding. With the preserve option, the installer asks for the EnforceReinstallationResources.zip file you created in step 1.
    14. Restore the files you backed up to the new Enforce server, in the same locations as the newly installed files. Make sure file ownership and permissions match those of the new installation.
    15. If your organization uses an internal Certificate Authority, import the exported CA certificates into the cacerts of the new server's JRE (step 9), or reinstall the CA certificate for your organization.
    16. Make sure you can log in to the Enforce console as Administrator.
    17. Install the license files in the Enforce console.
    18. Add your detection servers and create new SSL certificates between Enforce and the detection servers. See the article:
      1. How to generate and add new Detection Server certificates using sslkeytool
    19. Verify that agents are reporting to the Enforce console.
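The cacerts part of step 9, worked as a script. This is an added example, not code from the KB article or a Symantec tool. It assumes keytool is on the PATH, that the cacerts password is the default changeit (set STOREPASS otherwise), and that you pass the cacerts paths of the two JREs yourself; the two keytool listings embedded in the block are constructed samples, not output from a real server. It goes one step beyond the article: instead of exporting one alias by hand, it diffs the old server's cacerts against the untouched cacerts of the new JRE, so every entry an administrator imported is found, and it checks after the import that every alias really arrived. On Windows run it from a POSIX shell such as Git Bash; the keytool commands are the same.

```shell
#!/bin/sh
# Added example, not from the KB article: carry the administrator-added
# entries of the old Enforce server's JRE cacerts over to the new server.
# Assumptions not stated by the article: keytool is on PATH, the cacerts
# password is the default "changeit" (override STOREPASS otherwise), and
# you pass the cacerts paths of the two JREs yourself.
STOREPASS=${STOREPASS:-changeit}

# Print the alias of every entry in a "keytool -list" listing read on stdin.
# Entry lines look like "corp-root-ca, Jan 3, 2023, trustedCertEntry,";
# keytool stores aliases lower-cased, so the names are already canonical.
list_aliases() {
    awk -F', ' '/trustedCertEntry|PrivateKeyEntry/ { print $1 }'
}

# custom_aliases OLD_LISTING STOCK_LISTING
# Aliases found in the old server's listing but not in the listing of the
# new JRE's untouched cacerts: exactly the entries someone imported by hand.
custom_aliases() {
    {
        printf '%s\n' "$2" | list_aliases
        echo '---'
        printf '%s\n' "$1" | list_aliases
    } | awk '$0 == "---" { old = 1; next }
             !old        { stock[$0]; next }
             !($0 in stock)'
}

# Run on the OLD server. STOCK_FILE is "keytool -list" output captured from
# the new server's cacerts, so nothing that ships with the JRE is exported.
# export_custom_certs OLD_CACERTS STOCK_FILE OUTDIR  -> OUTDIR/<alias>.crt
export_custom_certs() {
    ks=$1; stock=$2; out=$3
    mkdir -p "$out"
    custom_aliases "$(keytool -list -keystore "$ks" -storepass "$STOREPASS")" \
                   "$(cat "$stock")" |
    while IFS= read -r a; do
        keytool -exportcert -keystore "$ks" -storepass "$STOREPASS" \
                -alias "$a" -file "$out/$a.crt" && echo "exported $a"
    done
}

# Run on the NEW server after DLP is installed, with OUTDIR copied across.
# Skips aliases already present (keytool refuses duplicate aliases, which
# would otherwise abort a re-run), then checks that every file made it in.
# import_and_verify NEW_CACERTS DIR
import_and_verify() {
    ks=$1; dir=$2; rc=0
    have=$(keytool -list -keystore "$ks" -storepass "$STOREPASS" | list_aliases)
    for f in "$dir"/*.crt; do
        [ -e "$f" ] || { echo "no .crt files in $dir" >&2; return 1; }
        a=$(basename "$f" .crt)
        if printf '%s\n' "$have" | grep -qxF -- "$a"; then
            echo "skip $a (already present)"; continue
        fi
        keytool -importcert -noprompt -keystore "$ks" -storepass "$STOREPASS" \
                -alias "$a" -file "$f"
    done
    have=$(keytool -list -keystore "$ks" -storepass "$STOREPASS" | list_aliases)
    for f in "$dir"/*.crt; do
        a=$(basename "$f" .crt)
        printf '%s\n' "$have" | grep -qxF -- "$a" ||
            { echo "missing after import: $a" >&2; rc=1; }
    done
    return $rc
}

# Constructed sample listings in "keytool -list" format (not taken from a
# real server), used to demonstrate custom_aliases without a JRE present.
SAMPLE_OLD_LISTING='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

digicertglobalrootca, Jul 24, 2020, trustedCertEntry,
Certificate fingerprint (SHA-256): 11:11:11:11:...
corp-root-ca, Jan 3, 2023, trustedCertEntry,
Certificate fingerprint (SHA-256): 22:22:22:22:...
corp-issuing-ca, Jan 3, 2023, trustedCertEntry,
Certificate fingerprint (SHA-256): 33:33:33:33:...'

SAMPLE_STOCK_LISTING='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

digicertglobalrootca, Jul 24, 2020, trustedCertEntry,
Certificate fingerprint (SHA-256): 11:11:11:11:...
verisignclass3g5ca, Jul 24, 2020, trustedCertEntry,
Certificate fingerprint (SHA-256): 44:44:44:44:...'

# Usage, new server first:  keytool -list -keystore <new cacerts> -storepass changeit > stock.txt
# then on the old server:   export_custom_certs <old cacerts> stock.txt ./exported
# then back on the new one: import_and_verify <new cacerts> ./exported
```

Against the constructed listings, custom_aliases reports corp-root-ca and corp-issuing-ca and leaves the DigiCert entry alone. Because keytool refuses to import an alias that already exists, import_and_verify skips those instead of failing, which makes it safe to run again after a partial copy.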
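A check for step 14, the restore over the fresh installation, as an added example that is not part of the KB article. It snapshots the Protect tree right after the installer finishes, and again after the backed-up files have been copied in, so the diff shows which files the restore replaced (expected) and whether any of them came back with a different owner or mode than the installer set (to be fixed with chown/chmod). It assumes a Linux Enforce server with GNU coreutils (stat -c, sha256sum) and a POSIX awk; the tomcat/conf file names used in the usage note are the ones listed in step 3.

```shell
#!/bin/sh
# Added example, not from the KB article: check that files restored over a
# fresh Enforce installation (step 14) still carry the ownership and mode the
# installer gave them, and list exactly which files the restore replaced.
# Assumes GNU coreutils (stat -c, sha256sum), i.e. a Linux Enforce server.

# snapshot_tree DIR -> one tab-separated line per regular file, sorted:
#   <relative path> TAB <mode owner:group> TAB <sha256>
snapshot_tree() {
    ( cd "$1" && find . -type f -exec sh -c '
        for f in "$@"; do
            printf "%s\t%s\t%s\n" "$f" "$(stat -c "%a %U:%G" "$f")" \
                   "$(sha256sum "$f" | cut -d" " -f1)"
        done' sh {} + ) | sort
}

# diff_tree BEFORE_FILE AFTER_FILE -> one line per difference:
#   perm <path> <before> -> <after>   ownership or mode changed: fix it
#   content <path>                    file replaced by the restore: expected
#   added <path> / removed <path>     files that exist on only one side
diff_tree() {
    awk -F'\t' '
        FILENAME == ARGV[1] { perm[$1] = $2; sum[$1] = $3; next }
        !($1 in perm)       { print "added\t" $1; next }
        {
            if (perm[$1] != $2) print "perm\t" $1 "\t" perm[$1] " -> " $2
            if (sum[$1]  != $3) print "content\t" $1
            delete perm[$1]
        }
        END { for (p in perm) print "removed\t" p }
    ' "$1" "$2" | sort
}

# Usage: snapshot as soon as the installer finishes, restore, snapshot again.
#   P=/opt/Symantec/DataLossPrevention/EnforceServer/<version>/Protect
#   snapshot_tree "$P" > fresh.tsv
#   cp /backup/tomcat/conf/.keystore /backup/tomcat/conf/truststore.jks \
#      /backup/tomcat/conf/server.xml "$P/tomcat/conf/"      # and the rest
#   snapshot_tree "$P" > restored.tsv
#   diff_tree fresh.tsv restored.tsv
```

Every line that starts with perm names a file whose ownership or mode no longer matches the fresh installation; content lines are the files you restored, and should be exactly that list and nothing more.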