Create, sign, and import an SSL certificate signed by a Trusted Certificate Authority

Article ID: 160518

Products

Data Loss Prevention Enforce

Issue/Introduction

You need to create, sign, and import a signed SSL certificate for Symantec Data Loss Prevention (DLP) Enforce.

Cause

There are 2 main reasons one needs to import a certificate into the Tomcat keystore, as given below:

  1. You wish to import a CA-signed certificate to allow most current browsers to automatically trust the Enforce Server administration console. The complete instructions for setting that up are given in the Windows and Linux Install Guides, in the section "About browser certificates".
  2. You wish to enable certificate authentication that allows users to automatically log on to the Enforce Server administration console. The complete instructions for setting that up are given in the Admin Guide; in v15.7, they are in Chapter 5, in the section "About certificate authentication configuration".

Environment

Keytool.exe location

  • Windows:
    • 14.x and 15.0: <DRIVE>:\SymantecDLP\jre\bin
    • 15.1: <DRIVE>:\Program Files\Symantec\Data Loss Prevention\Server JRE\1.8.0_162\bin\
    • 15.5: <DRIVE>:\Program Files\Symantec\DataLossPrevention\ServerJRE\1.8.0_181\bin\
  • Linux:
    • 14.x and 15.0: /opt/SymantecDLP/jre/bin/
    • 15.1: /opt/Symantec/DataLossPrevention/Enforce Server/15.1/jre/bin/
    • 15.5: /opt/Symantec/DataLossPrevention/ServerJRE/1.8.0_181/bin

Note: On Linux, execute ./keytool

.keystore location

  • Windows:
    • 14.x and 15.0: <DRIVE>:\SymantecDLP\Protect\tomcat\conf\
    • 15.1: <DRIVE>:\Program Files\Symantec\Data Loss Prevention\Enforce Server\15.1\Protect\tomcat\conf\
    • 15.5: <DRIVE>:\Program Files\Symantec\DataLossPrevention\EnforceServer\15.5\Protect\tomcat\conf\
  • Linux:
    • 14.x and 15.0: /opt/SymantecDLP/Protect/tomcat/conf
    • 15.1: /opt/Symantec/DataLossPrevention/Enforce Server/Protect/tomcat/conf
    • 15.5: /opt/Symantec/DataLossPrevention/EnforceServer/Protect/tomcat/conf

Notes:

  • In Linux, all commands must be executed as root.
  • In Windows, all commands need to be executed via CLI with Admin access.
  • Command to see the hidden ".keystore" file: ls -la
  • As per the DLP Admin Guide (p. 151 in the 15.7 version), the Tomcat keystore uses an X.509 certificate, which must be provided in Distinguished Encoding Rules (DER) format, i.e. a .cer file.
  • The instructions below cover chained certificates, which are needed when the Root or Intermediate CAs must be included with the signed certificate. A .p7b file is used in that case; otherwise the certificate is unchained, and one would simply import the .cer file.

Resolution

  1. Back up existing keystore.
    • Windows command:  copy <14.x/15.0/15.1/15.5 file path>\.keystore <14.x/15.0/15.1/15.5 file path>\keystore.bkup
      • 14.x and 15.0: C:\Protect\tomcat\conf
      • 15.1: C:\Program Files\Symantec\Data Loss Prevention\Enforce Server\15.1\Protect\tomcat\conf
      • 15.5: C:\Program Files\Symantec\DataLossPrevention\EnforceServer\15.5\Protect\tomcat\conf
    • Linux command:  cp  <14.x\15.0\15.1\15.5 file path>/.keystore <14.x\15.0\15.1\15.5 file path>/keystore.bkup
      • 14.x and 15.0: /opt/SymantecDLP/Protect/tomcat/conf
      • 15.1: /opt/Symantec/DataLossPrevention/Enforce Server/15.1/Protect/tomcat/conf
      • 15.5: /opt/Symantec/DataLossPrevention/EnforceServer/15.5/Protect/tomcat/conf
  2. Generate a new keystore file with the required parameters, and register the certificate.
    • Windows command: <14.x\15.0\15.1\15.5 file path>\keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -keystore \SymantecDLP\jre\bin\.keystore -validity 365 -storepass protect -dname "CN=SERVERNAME, OU=DLP, O=SYMANTEC, L=Cupertino, ST=California, C=US"
      • 14.x and 15.0 keytool path: C:\SymantecDLP\jre\bin
      • 15.1 keytool path: C:\Program Files\Symantec\Data Loss Prevention\Enforce Server\15.1\jre\bin
      • 15.5 keytool path: C:\Program Files\Symantec\DataLossPrevention\ServerJRE\1.8.0_181\bin
      • 14.x and 15.0 .keystore path
  3. Generate a CSR file
    • \SymantecDLP\jre\bin\keytool -certreq -alias tomcat -keyalg RSA -keystore .keystore -storepass protect -file "VontuEnforce.csr"
  4. Send VontuEnforce.csr to the CA admin, so they can generate a chained certificate file in the required (.p7b) format.
  5. Copy the VontuEnforce.p7b chained cert file to \SymantecDLP\jre\bin\.
  6. Import the chained certificate.
    • \SymantecDLP\jre\bin\keytool -import -alias tomcat -keystore \SymantecDLP\jre\bin\.keystore -trustcacerts -file \SymantecDLP\jre\bin\VontuEnforce.p7b
    • Enter the keystore password.
      • Top-level certificate in reply:
        Owner: XXXXXX
        Issuer: XXXXXX
        Serial number: XXXXXX
        Valid from: XXXXXX until: XXXXXX
        Certificate fingerprints:
                MD5:  **Deleted**
                SHA1: **Deleted**
        ... is not trusted. Install reply anyway? [no]:
    • Type Y or YES and press ENTER.
    • Certificate reply was installed in keystore.
  7. Copy the .keystore file from the source to its final destination.
    • copy \SymantecDLP\jre\bin\.keystore \Protect\tomcat\conf\.keystore
  8. Restart the Vontu Manager (14.x and 15.0) or Symantec DLP Manager (15.1 and 15.5) service.
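The following Linux script is an added example, not part of the article, that wraps steps 1 to 7 above for a 15.5 install using the paths from the Environment section. It assumes the default keystore password "protect", the alias "tomcat", a staging directory /root/dlp-cert (so the live keystore is only replaced after the reply imports cleanly), and that the CA returns the reply as VontuEnforce.p7b; it also adds a Subject Alternative Name, which the article's -dname command does not, because current browsers ignore the CN, and it checks that the reply installed a chain of more than one certificate before copying the keystore into place.

```shell
#!/bin/sh
# Added example (not from the KB article). Assumed: DLP 15.5 Linux paths, password
# "protect", alias "tomcat", staging directory /root/dlp-cert, reply file VontuEnforce.p7b.
set -eu

KEYTOOL_DIR=/opt/Symantec/DataLossPrevention/ServerJRE/1.8.0_181/bin
CONF_DIR=/opt/Symantec/DataLossPrevention/EnforceServer/15.5/Protect/tomcat/conf
WORK_DIR=${WORK_DIR:-/root/dlp-cert}     # staging area (assumed); live keystore untouched until the end
STOREPASS=${STOREPASS:-protect}
ALIAS=tomcat

# Subject from the article's -dname, plus a SAN extension (browsers require SAN, not CN).
dname_for() { printf 'CN=%s, OU=DLP, O=SYMANTEC, L=Cupertino, ST=California, C=US' "$1"; }
san_for()   { printf 'SAN=dns:%s' "$1"; }

backup_keystore() {     # step 1: timestamped copy so an older backup is never overwritten
  cp -p "$CONF_DIR/.keystore" "$CONF_DIR/keystore.bkup.$(date +%Y%m%d%H%M%S)"
}

request_cert() {        # steps 2-3: new key pair and CSR, both in the staging directory
  host=$1
  mkdir -p "$WORK_DIR"
  "$KEYTOOL_DIR/keytool" -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 \
    -keystore "$WORK_DIR/.keystore" -storepass "$STOREPASS" -keypass "$STOREPASS" \
    -validity 365 -dname "$(dname_for "$host")" -ext "$(san_for "$host")"
  "$KEYTOOL_DIR/keytool" -certreq -alias "$ALIAS" -keystore "$WORK_DIR/.keystore" \
    -storepass "$STOREPASS" -file "$WORK_DIR/VontuEnforce.csr"
  echo "send $WORK_DIR/VontuEnforce.csr to the CA; place the reply at $WORK_DIR/VontuEnforce.p7b"
}

install_reply() {       # steps 6-7: import the .p7b reply, verify the chain, copy into place
  "$KEYTOOL_DIR/keytool" -importcert -alias "$ALIAS" -keystore "$WORK_DIR/.keystore" \
    -storepass "$STOREPASS" -trustcacerts -noprompt -file "$WORK_DIR/VontuEnforce.p7b"
  # keytool -list -v prints one "Certificate[n]:" line per chain element; a chained
  # reply therefore yields more than one. A count of 1 means only the self-signed cert.
  depth=$("$KEYTOOL_DIR/keytool" -list -v -keystore "$WORK_DIR/.keystore" \
          -storepass "$STOREPASS" -alias "$ALIAS" | grep -c '^Certificate\[')
  [ "$depth" -gt 1 ] || { echo "reply did not install a chain (depth=$depth)" >&2; return 1; }
  cp -p "$WORK_DIR/.keystore" "$CONF_DIR/.keystore"
  echo "keystore installed; restart the Symantec DLP Manager service to load it"
}
```

Run backup_keystore and request_cert <hostname> first; once the CA reply is in the staging directory, run install_reply and then restart the service as in step 8.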

Additional Information

NOTE:

If you change the keystore password from the default ('protect') when generating a new keystore, you must update the password values in the following two files:

  1. <InstallPath>\Symantec\DataLossPrevention\EnforceServer\15.5\Protect\tomcat\conf\server.xml
    • <Certificate certificateKeystoreFile="${catalina.base}/conf/.keystore" certificateKeystorePassword="protect"/>
  2. <InstallPath>\Symantec\DataLossPrevention\EnforceServer\15.5\Protect\config\Protect.properties
    • # keystore password
      com.vontu.manager.tomcat.keystore.password = protect