The Incident Persister will not remain up after upgrading Enforce from 16.0 to 16.1
Article ID: 422582

Products

  • Data Loss Prevention
  • Data Loss Prevention API Detection
  • Data Loss Prevention API Detection for Developer Apps Virtual Appliance
  • Data Loss Prevention Cloud Detection Service
  • Data Loss Prevention Cloud Detection Service for API Detection
  • Data Loss Prevention Cloud Detection Service for Endpoint
  • Data Loss Prevention Cloud Detection Service for ICAP
  • Data Loss Prevention Cloud Detection Service for REST
  • Data Loss Prevention Cloud Package
  • Data Loss Prevention Cloud Prevent for Microsoft Office 365
  • Data Loss Prevention Cloud Service for Discovery/Connector
  • Data Loss Prevention Cloud Service for Email
  • Data Loss Prevention Cloud Storage
  • Data Loss Prevention Core API Detection
  • Data Loss Prevention Core Package
  • Data Loss Prevention Data Access Governance
  • Data Loss Prevention Discover Suite
  • Data Loss Prevention Endpoint Discover
  • Data Loss Prevention Endpoint Prevent
  • Data Loss Prevention Enforce
  • Data Loss Prevention Enterprise Suite
  • Data Loss Prevention for Mobile
  • Data Loss Prevention Form Recognition
  • Data Loss Prevention Network Discover
  • Data Loss Prevention Network Monitor
  • Data Loss Prevention Network Monitor and Prevent for Email
  • Data Loss Prevention Network Monitor and Prevent for Email and Web
  • Data Loss Prevention Network Monitor and Prevent for Web
  • Data Loss Prevention Network Prevent for Email
  • Data Loss Prevention Network Prevent for Email Virtual Appliance
  • Data Loss Prevention Network Prevent for Web Virtual Appliance
  • Data Loss Prevention Network Protect
  • Data Loss Prevention Oracle Standard Edition 2
  • Data Loss Prevention Plus Suite
  • Data Loss Prevention Sensitive Image Recognition

Issue/Introduction

After upgrading the DLP Enforce Server from 16.0 to 16.1 on a system that has FIPS mode enabled, the Incident Persister service attempts to start but fails immediately.
A pop-up message reports FIPS permission errors.

Environment

DLP 16.x

DLP 25.1

Cause

The existing Enforce and database passwords did not meet the FIPS 140-3 password requirements that were introduced in DLP 16.1.

DLP 16.1 and 25.1 use FIPS 140-3.
DLP 16.0.x and earlier use FIPS 140-2.

Resolution

Before you upgrade from 16.0 or earlier to 16.1 or 25.1 with FIPS enabled, update all DLP and database passwords so that they meet the FIPS 140-3 requirements.

Update the following passwords: the Oracle protect user, the Enforce Administrator, the DLP services account, and the Oracle SYSDBA account.

With FIPS 140-3 support, you must implement strong passwords for the following secure connections:

  1. Connecting the Oracle database to the Enforce Server
  2. Running the EDM profile
  3. Resetting the administrator password
  4. Running the DBPasswordChanger utility
  5. Completing remote EDM indexing

If you use Kerberos authentication to log in to the Enforce Server, and Symantec Data Loss Prevention is configured for FIPS encryption, you must use a strong password for your Active Directory user.
In addition, user passwords for console access may need to be updated.

The FIPS 140-3 password requirements are as follows:

When applying FIPS mode for Symantec Data Loss Prevention components, you must set a password that provides at least 112 bits of entropy.

Create a password that satisfies at least one of the following scenarios:

  1. 20 characters that are derived from the following pool of characters:
    1. Lowercase
    2. Uppercase
    3. Numerals
    4. Non-alphanumeric ASCII characters (for example, ~, !, or @)
  2. 24 uppercase characters
  3. 24 lowercase characters
  4. 20 uppercase and lowercase characters
  5. 20 mixed case characters with at least one uppercase, lowercase, and numeral

If you enable FIPS mode during the installation or upgrade process and plan to use SAML authentication, you must also update the SymantecDLPManager.conf file. The property you uncomment does what its name says: it lets the Bouncy Castle provider accept RSA signatures that use SHA-1, which FIPS 140-3 mode otherwise rejects. It is a compatibility setting for SAML signature verification, not a general relaxation of FIPS mode.

Complete the following steps to update the SymantecDLPManager.conf file.

  1. Locate SymantecDLPManager.conf for your platform:
    • Windows: C:\Program Files\Symantec\DataLossPrevention\EnforceServer\Services
    • Linux: /opt/Symantec/DataLossPrevention/EnforceServer/Services
  2. Uncomment the line wrapper.java.additional.31 = -Dorg.bouncycastle.rsa.allow_sha1_sig=true.
  3. Save your changes.
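The three steps above amount to one text edit that is easy to get subtly wrong on a production host (editing the wrong key, leaving a duplicate, or re-running it after it has already been applied). The following script is an added example, not part of this article or of the product: it applies the documented change as an idempotent transformation and provides a post-upgrade check that the property is actually active. The configuration excerpt is constructed for the example; only the wrapper.java.additional.31 line comes from the documentation, and the surrounding keys are placeholders.

```python
"""Enable the SAML compatibility property in SymantecDLPManager.conf.

Added example, not part of the article or of the product. It applies the
documented step (uncomment the wrapper.java.additional.31 line) as an
idempotent text transformation, so the change can be reviewed, re-run and
verified after the upgrade. The configuration excerpt below is constructed
for the example; only the .31 line is taken from the documentation. The
real file is under EnforceServer/Services on the Enforce host.
"""
import re

KEY = "wrapper.java.additional.31"
VALUE = "-Dorg.bouncycastle.rsa.allow_sha1_sig=true"
# Matches the property line whether or not it is commented out; spaces around '=' allowed.
LINE_RE = re.compile(
    r"^(?P<comment>\s*#\s*)?" + re.escape(KEY) + r"\s*=\s*" + re.escape(VALUE) + r"\s*$"
)

SAMPLE_CONF = """\
# constructed excerpt, not the shipped file
wrapper.java.additional.1=-Dexample.property=1
#wrapper.java.additional.31 = -Dorg.bouncycastle.rsa.allow_sha1_sig=true
wrapper.java.additional.32=-Dexample.other=2
"""


def sha1_sig_enabled(conf_text: str) -> bool:
    """True when the property is present and not commented out (post-upgrade check)."""
    for line in conf_text.splitlines():
        m = LINE_RE.match(line)
        if m and not m.group("comment"):
            return True
    return False


def enable_sha1_sig(conf_text: str) -> str:
    """Return conf_text with the .31 line uncommented.

    Raises if the line is absent rather than appending a new key, because a
    file without it is probably from a different release and needs a look."""
    lines = conf_text.splitlines()
    found = False
    for i, line in enumerate(lines):
        m = LINE_RE.match(line)
        if m:
            found = True
            if m.group("comment"):
                lines[i] = f"{KEY}={VALUE}"
    if not found:
        raise ValueError(f"{KEY} line not found in configuration")
    out = "\n".join(lines)
    return out + "\n" if conf_text.endswith("\n") else out


def enable_in_file(path: str) -> bool:
    """Edit the file in place; returns True if it was changed. Take a backup first."""
    with open(path, encoding="utf-8") as f:
        original = f.read()
    updated = enable_sha1_sig(original)
    if updated != original:
        with open(path, "w", encoding="utf-8") as f:
            f.write(updated)
        return True
    return False


if __name__ == "__main__":
    print(enable_sha1_sig(SAMPLE_CONF))
```

Run enable_in_file against the path for your platform with the privileges the Enforce services use to read the file, and use sha1_sig_enabled on the saved file as the verification step.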

Source documentation:

DLP 16.1: Creating a Strong Password for FIPS Mode

DLP 16.1: Using FIPS with SAML Authentication

DLP 25.1: Creating a Strong Password for FIPS Mode

DLP 25.1: Using FIPS with SAML Authentication

Additional Information

The password requirements for FIPS 140-2 are as follows:

  1. Must be at least seven (7) characters in length.
  2. Must include characters from at least three (3) of the following character classes:
    • ASCII digits,
    • lowercase ASCII,
    • uppercase ASCII,
    • non-alphanumeric ASCII, and
    • non-ASCII.

If the first character of the password is an uppercase ASCII letter, it is not counted as an uppercase ASCII letter for requirement 2.
If the last character of the password is an ASCII digit, it is not counted as an ASCII digit for requirement 2.
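The practical problem behind this article is that a password accepted under the FIPS 140-2 rules above is not necessarily accepted under the FIPS 140-3 rules in the Resolution section, and the mismatch only surfaces when the Incident Persister fails after the upgrade. The following checker is an added example, not Symantec or Broadcom code: it encodes both policies as quoted on this page, including the leading-uppercase and trailing-digit quirks of the 140-2 rules, and estimates entropy so candidate passwords for the Oracle protect, Enforce Administrator, DLP services and SYSDBA accounts can be tested before upgrading. Two assumptions are mine and not stated by the documentation: scenario 1 of the 140-3 policy is read as requiring at least one character from each of the four pools (the only reading consistent with the other scenarios), and the entropy figure is the usual length times log2(pool size) estimate for a randomly chosen password. The sample passwords are constructed.

```python
"""Pre-upgrade password policy check for DLP FIPS mode.

Added example; this is not Symantec/Broadcom code. It encodes the two
password policies quoted in this article: the FIPS 140-2 rules used by
DLP 16.0.x and earlier, and the FIPS 140-3 rules used by DLP 16.1 and
25.1. Assumptions not stated by the documentation: scenario 1 of the
140-3 policy is read as "at least one character from each of the four
pools", and the entropy figure is len * log2(pool size) for a random
password.
"""
import math
import string

LOWER = set(string.ascii_lowercase)
UPPER = set(string.ascii_uppercase)
DIGIT = set(string.digits)
SPECIAL = set(string.punctuation + " ")  # printable non-alphanumeric ASCII


def meets_fips_140_2(pw: str) -> bool:
    """FIPS 140-2 policy (DLP 16.0.x and earlier), including its two quirks:
    a leading uppercase letter and a trailing digit do not count as a class."""
    if len(pw) < 7:
        return False
    classes = set()
    for i, c in enumerate(pw):
        first, last = i == 0, i == len(pw) - 1
        if c in DIGIT:
            if not last:
                classes.add("digit")
        elif c in LOWER:
            classes.add("lower")
        elif c in UPPER:
            if not first:
                classes.add("upper")
        elif c in SPECIAL:
            classes.add("special")
        elif not c.isascii():
            classes.add("non-ascii")
        # remaining ASCII control characters count toward no class
    return len(classes) >= 3


def meets_fips_140_3(pw: str) -> bool:
    """FIPS 140-3 policy (DLP 16.1 / 25.1): at least one of the five scenarios."""
    n = len(pw)
    lower = sum(c in LOWER for c in pw)
    upper = sum(c in UPPER for c in pw)
    digit = sum(c in DIGIT for c in pw)
    special = sum(c in SPECIAL for c in pw)
    if lower + upper + digit + special != n:
        return False  # a character outside all four pools (e.g. non-ASCII)

    def has(*counts):
        return all(k > 0 for k in counts)

    return any([
        n >= 20 and has(lower, upper, digit, special),                        # 1: all four pools (assumed reading)
        n >= 24 and upper == n,                                                # 2: uppercase only
        n >= 24 and lower == n,                                                # 3: lowercase only
        n >= 20 and has(lower, upper) and lower + upper == n,                  # 4: mixed-case letters
        n >= 20 and has(lower, upper, digit) and lower + upper + digit == n,   # 5: letters and numerals
    ])


def estimated_entropy_bits(pw: str) -> float:
    """len * log2(pool) over the pools actually used; 112 bits is the 140-3 target."""
    pool = 0
    for charset in (LOWER, UPPER, DIGIT, SPECIAL):
        if any(c in charset for c in pw):
            pool += len(charset)
    return len(pw) * math.log2(pool) if pool else 0.0


# Constructed sample passwords for the accounts named in the article.
SAMPLE_PASSWORDS = {
    "oracle_protect": "Pr0tect!Db",                     # passes 140-2, too short for 140-3
    "enforce_admin": "Protect2024",                     # fails 140-2: leading 'P' not counted, only 2 classes
    "dlp_services": "Correct-Horse-Battery-Staple-42",  # 140-3 scenario 1
    "sysdba": "THISPASSWORDHASTWENTYFOUR",              # 140-3 scenario 2, yet fails 140-2 (one class)
}


def pre_upgrade_report(passwords=SAMPLE_PASSWORDS):
    """Per-account verdicts; anything False under fips_140_3 must change before upgrading."""
    return {
        name: {
            "fips_140_2": meets_fips_140_2(pw),
            "fips_140_3": meets_fips_140_3(pw),
            "entropy_bits": round(estimated_entropy_bits(pw), 1),
        }
        for name, pw in passwords.items()
    }


if __name__ == "__main__":
    for name, verdict in pre_upgrade_report().items():
        print(f"{name:16} {verdict}")
```

Note that the two policies are not nested: an all-uppercase 25-character password satisfies 140-3 scenario 2 but has only one character class under 140-2, so run the check that matches the target release rather than assuming a stronger-looking password passes both.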