How Endpoint Protection uses encryption and certificates
Article ID: 158445
Updated On:
Products
Issue/Introduction
How does a Symantec Endpoint Protection Manager (SEPM) use encryption and certificates to secure communications between itself, other managers and its clients? What types of encryption are used?
Resolution
Each SEPM server generates its own self-signed certificate using a 2048 bit SHA256RSA key pair during its initial Management Server Configuration Wizard (MSCW) run. This certificate is stored in two locations and formats on the SEPM file system.
- The certificate and private key are stored in Java Keystore as C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\etc\keystore.jks
- The certificate and private key are also stored separately in the Privacy Enhanced Mail (PEM) format as C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\apache\conf\ssl\server.crt and C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\apache\conf\ssl\server.key
Client to Manager Communications
Managers host client to server communications through the SEPM Apache server. By default, the Apache server listens on TCP port 443 for encrypted HTTPS connections, and TCP port 8014 for unencrypted HTTP connections.
As of SEPM 14, newly installed managers are configured to accept HTTPS connections by default.
Managers communicate with other managers through the SEPM Tomcat server over port 8443/HTTPS. The connection is secured using the server.crt and server.key files stored in C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\apache\conf\ssl.
You can access the SEPM either through the local/remote Java console, or the Web console. The local and remote Java consoles are digitally signed by Symantec, using a code signing certificate issued by Symantec. The Web console is generated by the SEPM Tomcat server and is accessed over port 8443/HTTPS.
Reporting Server Communications
The SEPM Apache server hosts the Reporting Server site over port 8445/HTTPS. This site also provides the information in the Home, Monitors and Reports tabs of the SEPM Console.
Web Services Communications
The SEPM Tomcat server hosts the Web Services site over port 8446/HTTPS.
Communications Type |
Port/Protocol |
Server Technology |
Configuration File |
Certificate File(s) |
| Client-Manager communications (secars and secreg) | 443/HTTPS | Apache | C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\apache\conf\ssl\sslForClients.conf | server.crt, server.key |
| Manager-Manager and Console-Manager communications | 8443/HTTPS | Tomcat | C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\conf\server.xml | server.crt, server.key |
| Reporting Server | 8445/HTTPS | Apache | C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\apache\conf\ssl\ssl.conf | server.crt, server.key |
| Web Services | 8446/HTTPS | Tomcat | C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\instances\sepm-api\conf\server.xml | server.crt, server.key |
Managers digitally sign the policy files they host using the public key contained in the keystore.jks. Clients compare the digital signature on policy files to the certificate associated with the manager in their sylink.xml file.
Managers encrypt policies and content with the Twofish algorithm using the pre-shared key created with the first SEPM in the site. This password is not changed when a new certificate is imported into the SEPM using the Manage Server Certificate wizard. Clients decrypt the content using the kcs value in their sylink.xml file.
Feedback
