How to upgrade JRE (Java Runtime Environment) on DLP 16.0.1/16.0/15.8

Article ID: 207478

Updated On:

Products

Data Loss Prevention, Data Loss Prevention Enforce, Data Loss Prevention Endpoint Prevent

Issue/Introduction

You need to upgrade the JRE version on DLP Enforce and Detection servers.

Environment

DLP 15.8 and above.

Enforce/Detection servers.

Cause

Older versions of Java are out-of-date or have reported vulnerabilities.

Resolution

PREREQUISITE

Back up the cacerts file when updating the JRE on Enforce or any detection server.

Additional information about backing up the cacerts file can be found in the Upgrade Guide for your version of DLP.

1. Check the supported JRE

Check that the JRE you intend to install is supported.

For DLP 16.0.1 (aka "16 RU1"):

Required third-party software - DLP 16.0.1

For DLP 16.0:

Required third-party software - DLP 16.0

For DLP 15.8, refer to the information available in the document linked below:

Required third-party software - DLP 15.8

2. Download and install JRE

Download the relevant binary version of the JRE from AdoptOpenJDK.

Windows/Linux

As a local administrator, download the ZIP file and extract it to the location where you want to host the JRE. For example, C:\Program Files\AdoptOpenJDK\jre-8.0.275.1-hotspot.

Please note that we do not recommend installing the JRE using the MSI file. Instead, obtain the standalone ZIP file, which can simply be extracted into the target directory.

3. Obtain and install the JRE Migration Utility

Windows

In order to install the JRE in a Windows environment, you will need the ServerJREMigrationUtility.exe utility which is in the JREMigrationUtility.zip file.

JREMigrationUtility.zip is contained within the DLP Platform zip file. Broadcom recommends that you download the latest DLP Platform zip file to obtain it. For example, within Symantec_DLP_16.0.1_Platform_Win-IN_16.0.10000.60631.zip it is in the DLP\16.0.1\Tools\JREMigrationUtility folder.

To install the utility:

  • As a local administrator, create a directory called C:\JREMigrationUtility.
  • Move the JREMigrationUtility.zip file to the C:\JREMigrationUtility directory.
  • Unzip the JREMigrationUtility.zip file. Subdirectories called Migrator and install are created.

Linux

In order to install the JRE in a Linux environment, you will need the ServerJREMigrationUtility utility which is in the JREMigrationUtility.zip file.

JREMigrationUtility.zip is contained within the DLP Platform zip file. Broadcom recommends that you download the latest DLP Platform zip file to obtain it. For example, within the Symantec_DLP_16.0.1_Platform_Lin-IN_16.0.10000.60678.zip it is in the DLP\16.0.1\Tools folder.

To install the utility:

  • As root, create a directory called /JREMigrationUtility.
  • Move the JREMigrationUtility.zip file to the /JREMigrationUtility directory.
  • Unzip the JREMigrationUtility.zip file. Subdirectories called Migrator and install are created.

4. Allow DLP Agents to connect to Endpoint Detection Servers

Note that the information below is also contained in the Installing the OpenJRE and Updating the JRE sections of the upgrade guides for specific versions:

16.0.1: Upgrading to a new release and Upgrading Symantec Data Loss Prevention (broadcom.com) (this topic includes jump points to specific Windows and Linux upgrades, with install and migration details required for our DLP software and the required JRE)

16.0: DLP 16.0 Upgrade Guide for Windows and the DLP 16.0 Upgrade Guide for Linux.

15.8: DLP 15.8 Upgrade Guide for Windows and the DLP 15.8 Upgrade Guide for Linux.

Complete the following steps for Endpoint Detection Servers; otherwise, Endpoint Agents will not be able to connect to the Endpoint Detection Server once you have updated the JRE:

  • In the Enforce console, go to System / Servers and Detectors / Overview.
  • Click on the name of a Detection server to open the Server / Detector Detail page.
  • Click the Server Settings button.
  • Locate the BoxMonitor.EndpointServerMemory setting and append a space followed by the following string:
    -Djdk.security.allowNonCaAnchor=true
  • Save your changes.
  • Restart the Endpoint Detection Server.

5. Update the server with the new JRE

Prerequisite: Ensure that ORACLE_HOME is set correctly as an environment variable on the server.

Windows

Open a command prompt as a local administrator and change to the directory containing ServerJREMigrationUtility.exe. For example:

c:
cd \JREMigrationUtility\Migrator

Run the following command to update silently:

ServerJREMigrationUtility -silent -sourceVersion=<DLP version to be updated> -jreDirectory=<path to JRE folder>

For example:

ServerJREMigrationUtility -silent -sourceVersion=16.0.00000 -jreDirectory="C:\Program Files\AdoptOpenJRE\jdk8u322-b06-jre"

Alternatively, run the following command to update interactively. You will be prompted for the DLP version:

ServerJREMigrationUtility -jreDirectory=<path to JRE folder>

For example:

ServerJREMigrationUtility -jreDirectory="C:\Program Files\AdoptOpenJRE\jdk8u322-b06-jre"

Check the MigrationUtility.log file.


Linux

As root, change to the directory containing the ServerJREMigrationUtility utility. For example:

cd /JREMigrationUtility/Migrator

Run the following command to update silently:

./ServerJREMigrationUtility -silent -sourceVersion=<DLP version to be updated> -jreDirectory=<path to JRE folder>

For example:

./ServerJREMigrationUtility -silent -sourceVersion=16.0.00000 -jreDirectory=/opt/AdoptOpenJRE/jdk8u322-b06-jre

Alternatively, run the following command to update interactively. You will be prompted for the DLP version:

./ServerJREMigrationUtility -jreDirectory=<path to JRE folder>

For example:

./ServerJREMigrationUtility -jreDirectory=/opt/AdoptOpenJRE/jdk8u322-b06-jre

Check the MigrationUtility.log file.

6. Check Active Directory connectivity

As described in the upgrade guides, updating the JRE may cause SSL connections to Active Directory to fail. If this occurs, add the following key to the SymantecDLPManager.conf file, then restart the Enforce Server:

wrapper.java.additional.30 =-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true
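
Added example (not Broadcom's code, and not part of the original article): a pre-flight check for step 6 that reports whether the option is already set, or whether the chosen index is already occupied by a different JVM option, before you edit SymantecDLPManager.conf. It assumes the file holds one "wrapper.java.additional.N = value" entry per line with "#" comments; the function name check_wrapper_key and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-flight check for step 6 (not Broadcom code).
# Assumes one "wrapper.java.additional.N = value" entry per line, "#" comments.
FLAG='-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true'

# check_wrapper_key CONF INDEX
#   present:<N>      the option is already set under index N (nothing to add)
#   conflict:<value> INDEX is taken by a different option (pick another index)
#   free             INDEX is unused and the option is absent (safe to add)
check_wrapper_key() {
    awk -v idx="$2" -v flag="$FLAG" '
        /^[ \t]*#/ { next }                          # ignore commented-out keys
        /^[ \t]*wrapper\.java\.additional\.[0-9]+[ \t]*=/ {
            n = $0;   sub(/[ \t]*=.*/, "", n);  sub(/.*\./, "", n)   # index N
            val = $0; sub(/^[^=]*=[ \t]*/, "", val)                  # value
            sub(/[ \t\r]+$/, "", val)                # drop trailing blanks / CR
            if (val == flag)      found = n
            else if (n == idx)    clash = val
        }
        END {
            if (found != "")      print "present:" found
            else if (clash != "") print "conflict:" clash
            else                  print "free"
        }' "$1"
}

# Constructed sample standing in for SymantecDLPManager.conf (not real contents).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# JVM options (constructed)
wrapper.java.additional.29 = -Djava.awt.headless=true
wrapper.java.additional.30 = -Dexample.existing.option=1
EOF
echo "index 30: $(check_wrapper_key "$sample" 30)"
echo "index 31: $(check_wrapper_key "$sample" 31)"
rm -f "$sample"
```

This option turns off the JVM's LDAPS endpoint identification (server hostname) check, so a "present" result is worth recording along with the index it was found under.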