Implementing a client certificate authentication for MIP Classification/Decryption profiles on Enforce

Article ID: 398677


Products

Data Loss Prevention, Data Loss Prevention Enforce

Issue/Introduction

You want to implement a client certificate authentication for MIP Classification/Decryption profiles on Enforce, which was introduced with 16.1.

Environment

16.1

Resolution

Note: these instructions cover the use of a self-signed certificate. If your organization needs to use a certificate issued by your own CA, contact your PKI team to issue a valid certificate and use it in the Azure Portal and the Enforce UI accordingly.

  1. Configure an app for a classification profile (see "Authorize Symantec Data Loss Prevention on the Microsoft Azure Portal") and/or a decryption profile (see "Enabling MPIP on the Azure Portal for Detection Servers"). You can skip the part about creating a client secret.
  2. On any host, open PowerShell and create your certificate (replace {certificateName} with your certificate name, e.g. Enforce):

    $certname = "{certificateName}"
    $cert = New-SelfSignedCertificate -Subject "CN=$certname" -CertStoreLocation "Cert:\CurrentUser\My" -KeyExportPolicy Exportable -KeySpec Signature -KeyLength 2048 -KeyAlgorithm RSA -HashAlgorithm SHA256

  3. Export your public certificate by running the below command (adjust FilePath location accordingly to your needs):

    Export-Certificate -Cert $cert -FilePath "C:\Users\admin\Desktop\$certname.cer"

  4. On the Azure Portal, under the Certificates & secrets section of the app created in step 1, click Certificates > Upload certificate and upload the .cer file exported in step 3.
  5. Go back to the host with PowerShell and export the certificate created in step 2 together with its private key. First, set the password (replace {myPassword} with your own password):

    $mypwd = ConvertTo-SecureString -String "{myPassword}" -Force -AsPlainText

    and export the certificate to PFX format (adjust FilePath location accordingly to your needs):

    Export-PfxCertificate -Cert $cert -FilePath "C:\Users\admin\Desktop\$certname.pfx" -Password $mypwd

  6. Log in to the Enforce console and navigate to System > Settings > MIP Credential Profiles.
  7. Start configuring your desired profile. When selecting the Application Certificate option, use the PFX certificate and the password from step 5, then save the profile.
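An added verification step, not part of the original article: after step 5 and before steps 6 and 7, this PowerShell confirms that the .cer uploaded to Azure and the PFX handed to Enforce describe the same key pair and carry the parameters requested in step 2. It assumes the file paths and the {certificateName} / {myPassword} placeholders used above.

```powershell
# Added example (not from the original article). Adjust the three values below to match steps 2-5.
$certname = "Enforce"                                   # same value as {certificateName} in step 2
$cerPath  = "C:\Users\admin\Desktop\$certname.cer"      # public certificate from step 3 (goes to Azure)
$pfxPath  = "C:\Users\admin\Desktop\$certname.pfx"      # certificate + private key from step 5 (goes to Enforce)
$mypwd    = ConvertTo-SecureString -String "{myPassword}" -Force -AsPlainText

# Load both artefacts. The PFX needs the password that was set in step 5.
$public = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cerPath)
$pfx    = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($pfxPath, $mypwd)

# Key size is read through the RSA extension method, which works on both Windows PowerShell and PowerShell 7.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($pfx)
$now = Get-Date

$checks = [ordered]@{
    # Azure and Enforce must hold the same key pair; the thumbprint is also what the
    # Azure Portal lists under Certificates & secrets, so it can be compared there.
    "Thumbprints of .cer and .pfx match" = ($public.Thumbprint -eq $pfx.Thumbprint)
    # Enforce authenticates with the private key; the .cer uploaded to Azure must not carry it.
    "PFX contains the private key"       = $pfx.HasPrivateKey
    ".cer contains no private key"       = (-not $public.HasPrivateKey)
    # Parameters requested with New-SelfSignedCertificate in step 2.
    "Subject is CN=$certname"            = ($pfx.Subject -eq "CN=$certname")
    "RSA 2048-bit key"                   = ($null -ne $rsa -and $rsa.KeySize -eq 2048)
    "SHA-256 signature"                  = ($pfx.SignatureAlgorithm.FriendlyName -eq "sha256RSA")
    # New-SelfSignedCertificate defaults to one year of validity.
    "Certificate is currently valid"     = ($now -ge $pfx.NotBefore -and $now -lt $pfx.NotAfter)
}

$failed = 0
foreach ($name in $checks.Keys) {
    if ($checks[$name]) { Write-Host "[OK  ] $name" } else { Write-Host "[FAIL] $name"; $failed++ }
}

Write-Host ""
Write-Host "Thumbprint to compare with the Azure Portal: $($pfx.Thumbprint)"
Write-Host "Expires: $($pfx.NotAfter) (re-run steps 2-7 with a new certificate before this date)"
if ($failed -gt 0) { Write-Warning "$failed check(s) failed; do not upload these files until resolved." }

# The private key created in step 2 also remains in Cert:\CurrentUser\My on this host.
# Once the PFX is stored safely, it can be removed from the store with:
#   Remove-Item -Path "Cert:\CurrentUser\My\$($pfx.Thumbprint)"
```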
