Unable to Telnet from REST client to DLP API Detection Appliance
Article ID: 379140

Products

Data Loss Prevention API Detection for Developer Apps Virtual Appliance

Issue/Introduction

After configuring a new DLP API Detection for Developer Apps Virtual Appliance, you are unable to Telnet from the REST client to the DLP appliance.

Environment

DLP 16.x

Cause

A keystore was not configured on the Enforce console for the DLP appliance.

Resolution

Follow the steps below to create a keystore, import it on the appliance, export the certificate from the appliance and import it on the REST client.


1. Log in to the Enforce server and run the following command to generate a new self-signed certificate for the API detector:
keytool -genkey -keyalg RSA -alias my_selfsigned_cert -dname "CN=<IP address of appliance>" -keystore my_keystore.pkcs12 -validity 3650 -keysize 2048 -storepass password -keypass password -storetype pkcs12


Note: keytool is located in the bin folder of the OpenJRE installation. The CN of the certificate is set to the IP address of the API detector. The same password is used for both the keystore and the key itself.


2. Log in to the Enforce console and navigate to System -> Servers and Detectors -> Overview, select the API Appliance detector and click Configure.
3. In the "Security Configuration" section of the configuration screen, use the "Upload keystore" option to upload the created my_keystore.pkcs12 keystore to the Appliance detector. Below it, enter the keystore password configured in step 1, then save the configuration.
4. Reboot the Appliance detection server so that it uses the new certificate.
5. The API detector appliance should now be using the new certificate.
6. You must also export the new API detector's certificate from its keystore and import it into the Trusted Root Certificates store on the machine where your REST client runs, so that the REST client trusts the certificate presented by the API detector. Otherwise the connection between the REST client and the detector will still fail. First, export the certificate with the following command on the same machine where the keystore was generated:
keytool -export -alias my_selfsigned_cert -file server.pfx -keystore my_keystore.pkcs12


7. Copy the file server.pfx onto the machine where the REST client is running and import it into that machine's trusted root certificate store (step 10 describes the Windows procedure).
8. Restart your REST API client so that it reloads its certificate stores and can validate the new certificate of the API detector.
9. Make sure that the Enable TLS client authentication option is unchecked in the appliance configuration on the Enforce server, then test Telnet again.
10. Certificate import steps differ between REST clients depending on the operating system or platform (for example Docker). The steps below assume you are importing on a Windows REST client.

a. Copy the file server.pfx onto the machine where the REST client is running. Open mmc.exe > File > Add/Remove Snap-in and add the Certificates snap-in (Computer account > Local computer).
b. Navigate to Trusted Root Certification Authorities -> Certificates, right-click the certificate list and select All Tasks -> Import.
c. In the import wizard, make sure "Local Machine" is selected, browse to the exported server.pfx file and click Next until you can click Finish.
d. Restart your REST API client so that it reloads its certificate stores and can validate the new certificate of the API detector.
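The Windows import and a follow-up connectivity check as a PowerShell script (an added example, not part of the KB article): it imports server.pfx into the Local Machine Trusted Root store, checks the certificate CN against the appliance IP, and then separates a TCP-level failure from a TLS trust failure, which is the distinction the Telnet test alone cannot make. The appliance IP and port are placeholders; keytool -export writes a DER-encoded certificate despite the .pfx file name, so Import-Certificate is used rather than Import-PfxCertificate.

```powershell
# Added example, not from the KB article. Run from an elevated PowerShell prompt
# on the Windows machine where the REST client runs.
param(
    [string]$CertFile    = ".\server.pfx",  # file produced by keytool -export (DER encoded)
    [string]$ApplianceIp = "192.0.2.10",    # placeholder: IP of the API detector appliance
    [int]$Port           = 443              # placeholder: port the REST client connects to
)

# Steps a-c equivalent: import into Trusted Root Certification Authorities (Local Machine).
$cert = Import-Certificate -FilePath $CertFile -CertStoreLocation Cert:\LocalMachine\Root
Write-Host "Imported '$($cert.Subject)' (thumbprint $($cert.Thumbprint))"

# Step 1 set CN to the appliance IP; name validation fails if the client connects by another name.
if ($cert.Subject -ne "CN=$ApplianceIp") {
    Write-Warning "Certificate subject '$($cert.Subject)' does not match CN=$ApplianceIp"
}

# The Telnet test from the article: plain TCP reachability, independent of TLS.
$tcp = Test-NetConnection -ComputerName $ApplianceIp -Port $Port -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) {
    throw "TCP connect to ${ApplianceIp}:$Port failed: network or listener problem, not a certificate problem"
}

# TLS handshake validated against the machine trust store. AuthenticateAsClient throws
# AuthenticationException when the chain is untrusted or the name does not match.
$client = New-Object System.Net.Sockets.TcpClient($ApplianceIp, $Port)
try {
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
    $ssl.AuthenticateAsClient($ApplianceIp)
    Write-Host "TLS handshake OK: peer presented '$($ssl.RemoteCertificate.Subject)'"
}
catch [System.Security.Authentication.AuthenticationException] {
    Write-Warning "TLS handshake failed: $($_.Exception.Message). Re-check the import and step 9 (TLS client authentication)."
}
finally {
    $client.Close()
}
```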