After upgrading your DLP Detection Servers to version 16.1, vulnerability scanners may start reporting issues on port 8100 due to the use of self-signed certificates.
DLP 16.1
As of version 16.1, we have added support for third-party certificates for communication between the Enforce Server and Detection Servers. As a result, Detection Servers now use a self-signed certificate by default for TLS communications on port 8100.
In previous versions the certificate was also self-signed, but it was not presented during the TLS handshake, so scanners could not identify it. With DLP 16.1 and the new UDS (Universal Detection Server) architecture, the DLP Detection Servers now properly present the certificate chain during the handshake, making it visible to external scanners.
These certificates are self-signed by the Symantec DLP system. Although external systems may report them as untrusted because they are not signed by a public Certificate Authority (CA), this does not represent a security vulnerability. The self-signed certificates still ensure that the traffic on port 8100 is TLS-encrypted. The only difference from CA-signed certificates is that self-signed certificates are not trusted by default by external systems.
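To confirm that a scanner finding on port 8100 is the expected self-signed Detection Server certificate rather than something unexpected, an administrator can pull the certificate the server presents and compare its subject and issuer. The following script is an added example for this article, not Symantec/Broadcom tooling; it assumes the `openssl` command-line tool is installed on the host running the check, and the Detection Server hostname is a placeholder.

```shell
#!/bin/sh
# Triage helper for "self-signed certificate on port 8100" scanner findings.
# Assumptions (not from the article): the openssl CLI is available, and
# DETECTION_SERVER is a placeholder for a real Detection Server hostname.
DETECTION_SERVER="detection-server.example.internal"   # placeholder

# Fetch the leaf certificate presented by host:port (default 8100) as PEM.
fetch_leaf_cert() {
    host="$1"; port="${2:-8100}"
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null |
        openssl x509
}

# Print subject, issuer, validity window and SHA-256 fingerprint of a PEM
# certificate file, so the value can be recorded for later comparison.
describe_cert() {
    openssl x509 -in "$1" -noout -subject -issuer -dates -fingerprint -sha256
}

# Return 0 if the PEM certificate in $1 is self-signed (issuer equals
# subject), 1 otherwise. RFC 2253 name formatting avoids spacing differences.
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253)
    iss=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253)
    subj=${subj#subject=}
    iss=${iss#issuer=}
    [ -n "$subj" ] && [ "$subj" = "$iss" ]
}

# Example usage (only runs when invoked directly with a reachable host):
if [ "${1:-}" = "--check" ]; then
    tmp=$(mktemp)
    fetch_leaf_cert "$DETECTION_SERVER" 8100 > "$tmp"
    describe_cert "$tmp"
    if is_self_signed "$tmp"; then
        echo "Certificate is self-signed: expected DLP 16.1 default on port 8100."
    else
        echo "Certificate is NOT self-signed: verify it matches your configured third-party certificate."
    fi
    rm -f "$tmp"
fi
```

Recording the SHA-256 fingerprint printed by `describe_cert` for each Detection Server lets you tell a later certificate change apart from the known default, and gives you a value to cite when marking the scanner finding as accepted.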
If you would like to replace the default certificate, you can refer to our documentation for instructions on creating custom keystores or integrating third-party certificates.
Support for Third-party Certificate Communication Between the Enforce Server and Detection Servers