Move Enforce to new server on the same DLP version

Article ID: 262435


Products: Data Loss Prevention, Data Loss Prevention Enforce


You need to install Enforce on a new server, and you are not upgrading to a newer DLP version at the same time.


As a good practice, take a backup before starting this change, and do not shut down the original server until the move to the new server has completed successfully.

Follow the steps below:

  1. Create the EnforceReinstallationResources file on the current Enforce server, running the utility from the Protect\bin (Windows) or Protect/bin (Linux) directory:
    1. Windows: ReinstallationResourcesUtility.exe export "D:\Program Files\Symantec\DataLossPrevention\EnforceServer\<DLP version>\Protect" d
    2. Linux: ./ReinstallationResourcesUtility export /opt/Symantec/DataLossPrevention/EnforceServer/<DLP version>/Protect/opt/
  2. Make copies of the license files (located at \ProgramData\Symantec\DataLossPrevention\EnforceServer\<version>\license).
  3. If you have set up Tomcat certificates, back up .keystore, truststore.jks, and server.xml (located at \Program Files\Symantec\DataLossPrevention\EnforceServer\<version>\Protect\tomcat\conf\).
  4. Back up the Active Directory integration files:
    1. \Program Files\Symantec\DataLossPrevention\EnforceServer\<DLP Version>\Protect\tomcat\webapps\ProtectManager\WEB-INF\SpringSecurityContext.xml
    2. \Program Files\Symantec\DataLossPrevention\EnforceServer\<DLP Version>\Protect\config\krb5.ini (this file may instead be located in the Windows directory)
  5. Back up any plug-ins you have created:
    1. \Program Files\Symantec\DataLossPrevention\EnforceServer\<DLP Version>\Protect\plugins\
  6. Back up all indexed content, or plan to re-index it on the new server:
    1. \ProgramData\Symantec\DataLossPrevention\ServerPlatformCommon\index\
  7. If you are running incremental Discover scans, back up the Derby database:
    1. \ProgramData\Symantec\DataLossPrevention\EnforceServer\Protect\<DLP Version>\scan\catalog\
  8. If you are using LOB externalization:
    1. Ensure that both the primary and the secondary write to the same external storage. If writing to the same external storage is not possible, disable LOB externalization.
    2. Keep in mind that this process is time-consuming and difficult, especially if your environment has a large data set. Symantec recommends an incremental backup strategy to cut down on overhead. Consider using RAID 5, 6, or 10 to store the backup.
    3. Several strategies exist for keeping a secondary LOB externalization backup: a high-availability NAS with built-in redundancy, a scheduled rsync, a Windows file-system HA setup, block-level mirrored storage replication, and so on.
  9. Back up the CA root certificate:
    1. Change to the directory where the CA root certificate keystore is located:
      1. \Program Files\AdoptOpenJRE\jdk8u<version>-b10-jre\lib\security\
    2. Export the certificate in .crt format:
      keytool -exportcert -keystore CARoot.jks -alias [exampledomain].com -file CA.crt
    3. Import the .crt file into the cacerts file:
      1. Run the commands for your server platform:
        1. Windows:
          cd "C:\Program Files\AdoptOpenJRE\jdk8u<version>-b10-jre\lib\security"
          keytool -importcert -alias [exampledomain].com -keystore cacerts -file \path\to\CA.crt
        2. Linux:
          cd /opt/AdoptOpenJRE/jdk8u<version>-b10-jre/lib/security/
          keytool -importcert -alias [exampledomain].com -keystore cacerts -file /path/to/CA.crt
      2. When prompted, enter the cacerts password (the default is changeit).
    4. Locate the Intermediate.crt, root CA, and SSL certificate files.
    5. Import these certificates into cacerts as well; for example, for the SSL certificate:
      1. Run the command for your server platform:
        1. Windows: keytool -importcert -alias SSL -keystore cacerts -file \path\to\SSL.crt
        2. Linux: keytool -importcert -alias SSL -keystore cacerts -file /path/to/SSL.crt
      2. When prompted, enter the cacerts password (the default is changeit).
  10. Install the Oracle Client on the new Enforce Server (if Oracle is on a separate server from Enforce). Make sure the Administrator installation type is used.
  11. Stop the DLP services on the current Enforce server.
  12. Follow the 15.8 or 16.0 installation instructions for installing the Enforce Server on the new server, adding the parameter that preserves the existing database (look for INITIALIZE_DATABASE_OPTION). The installer will ask for the EnforceReinstallationResources file you created in step 1.
  13. Restore the files you backed up to the new Enforce Server, in the same locations as the newly installed files. Make sure file permissions are set to match the new installation.
  14. If your organization uses an internal Certificate Authority, sync the cacerts file from the ServerJRE, or reinstall your organization's root CA certificate.
  15. Make sure you can log in to the Enforce console as Administrator.
  16. Install the license files in the Enforce console.
  17. Add your detection servers and create a new SSL certificate between Enforce and the detection servers:
    1. How to generate and add a new Detection Server certificates using SSLkeytool
  18. Verify that agents are reporting to the Enforce console.
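The Linux side of the procedure above (collecting the files to carry over, checking them after the restore, and moving the CA root certificate into the new JRE's cacerts), as an added example that is not part of the article and is not Broadcom/Symantec code. DLP_ROOT, DLP_VERSION, the artifact list (which mirrors the article's Windows paths under /opt) and every function name are assumptions; adjust the list to your actual layout. The ReinstallationResourcesUtility export is run separately, as the article shows.

```shell
#!/bin/sh
# Added example, not from the article or from Broadcom/Symantec: a Linux-side
# helper for the move. DLP_ROOT, DLP_VERSION and the artifact list below are
# assumptions that mirror the article's Windows paths under /opt, and every
# function name is hypothetical. Needs GNU tar, find, sha256sum and, for the
# certificate part, the JRE's keytool.
set -eu

DLP_ROOT="${DLP_ROOT:-/opt/Symantec/DataLossPrevention}"
DLP_VERSION="${DLP_VERSION:-16.0}"

# Files and directories the article says to carry over, relative to DLP_ROOT.
enforce_artifacts() {
  cat <<EOF
EnforceServer/$DLP_VERSION/license
EnforceServer/$DLP_VERSION/Protect/tomcat/conf/.keystore
EnforceServer/$DLP_VERSION/Protect/tomcat/conf/truststore.jks
EnforceServer/$DLP_VERSION/Protect/tomcat/conf/server.xml
EnforceServer/$DLP_VERSION/Protect/tomcat/webapps/ProtectManager/WEB-INF/SpringSecurityContext.xml
EnforceServer/$DLP_VERSION/Protect/config/krb5.ini
EnforceServer/$DLP_VERSION/Protect/plugins
EnforceServer/$DLP_VERSION/Protect/scan/catalog
ServerPlatformCommon/index
EOF
}

# sha256 of every file under the listed paths, and mode/owner/group of every
# entry, both relative to DLP_ROOT so the manifests stay valid on the new host.
hash_artifacts() {                        # hash_artifacts <absolute listfile>
  ( cd "$DLP_ROOT" && tr '\n' '\0' < "$1" | xargs -0 -I{} find {} -type f -print0 \
      | sort -z | xargs -0 -r sha256sum )
}
perms_artifacts() {                       # perms_artifacts <absolute listfile>
  ( cd "$DLP_ROOT" && tr '\n' '\0' < "$1" | xargs -0 -I{} find {} -printf '%m %u %g %p\n' | sort )
}

# Backup: archive whatever exists and write the manifests next to the archive.
backup_enforce() {                        # backup_enforce <outdir>; returns 1 if nothing found
  mkdir -p "$1"; out=$(cd "$1" && pwd)
  : > "$out/artifacts.list"
  enforce_artifacts | while IFS= read -r rel; do
    if [ -e "$DLP_ROOT/$rel" ]; then printf '%s\n' "$rel" >> "$out/artifacts.list"
    else echo "absent, skipping: $rel" >&2; fi
  done
  [ -s "$out/artifacts.list" ] || { echo "nothing to back up under $DLP_ROOT" >&2; return 1; }
  tar -C "$DLP_ROOT" -czf "$out/enforce-files.tgz" -T "$out/artifacts.list"
  hash_artifacts "$out/artifacts.list" > "$out/sha256.manifest"
  perms_artifacts "$out/artifacts.list" > "$out/perms.manifest"
}

# Restore check: file content must match the old server byte for byte. Owner
# and mode are only shown as a diff, because the article wants permissions to
# follow the new installation rather than the old one.
verify_restore() {                        # verify_restore <outdir>; 0 if content matches
  out=$(cd "$1" && pwd)
  perms_artifacts "$out/artifacts.list" | diff "$out/perms.manifest" - >&2 \
    || echo "(owner/mode differs from the old server; align it with the new install)" >&2
  ( cd "$DLP_ROOT" && sha256sum --quiet -c "$out/sha256.manifest" )
}

# Certificate step: carry a CA root from the old JRE's keystore into the new
# JRE's cacerts. keytool refuses to import an alias that already exists, so
# check first, and compare fingerprints afterwards instead of trusting the
# exit status alone.
cert_fingerprint() {                      # cert_fingerprint <keystore> <alias> <storepass>
  keytool -list -keystore "$1" -storepass "$3" -alias "$2" 2>/dev/null \
    | sed -n 's/.*fingerprint ([^)]*): *//p'
}
migrate_ca_cert() {   # migrate_ca_cert <old CARoot.jks> <alias> <new cacerts> [storepass, default changeit]
  src="$1"; al="$2"; dst="$3"; pass="${4:-changeit}"
  crt=$(mktemp)
  keytool -exportcert -keystore "$src" -storepass "$pass" -alias "$al" -rfc -file "$crt" >/dev/null 2>&1
  if keytool -list -keystore "$dst" -storepass "$pass" -alias "$al" >/dev/null 2>&1; then
    echo "alias $al already present in $dst, leaving it as is" >&2
  else
    keytool -importcert -noprompt -keystore "$dst" -storepass "$pass" -alias "$al" -file "$crt" >/dev/null 2>&1
  fi
  rm -f "$crt"
  fp=$(cert_fingerprint "$src" "$al" "$pass")
  [ -n "$fp" ] && [ "$fp" = "$(cert_fingerprint "$dst" "$al" "$pass")" ]
}
```

Run backup_enforce on the old server before stopping its services and copy the output directory to the new server; after the installation and restore, run verify_restore against that same directory, and treat any sha256 mismatch as a failed restore. migrate_ca_cert takes the old CARoot.jks, the alias and the new JRE's cacerts path; it is idempotent, so rerunning it after a partial attempt is safe.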