ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Create, sign, and import an SSL certificate signed by a Trusted Certificate Authority for the Enforce Console Certificate

book

Article ID: 160518

calendar_today

Updated On:

Products

Data Loss Prevention Enforce Data Loss Prevention Data Loss Prevention Enterprise Suite Data Loss Prevention Core Package

Issue/Introduction

You need to create, sign, and import a signed SSL certificate for Symantec Data Loss Prevention (DLP) Enforce.

Cause

There are 2 main reasons one needs to import a certificate for use in the Enforce Console, as given below:

  1. You wish to import a CA-signed certificate to allow most current browsers to automatically trust the Enforce Server administration console. The complete instructions for setting that up are given in the Windows and Linux Install Guides, in the section "About browser certificates".
  2. You wish to enable certificate authentication that allows users to automatically log on to the Enforce Server administration console. The complete instructions for setting that up are given in the Admin Guide. v15.7, it is in Chapter 5, in the section "About certificate authentication configuration".

Environment

Keytool.exe location

  • Windows:
    • 15.7: <DRIVE>:\Program Files\Symantec\DataLossPrevention\ServerJRE\<version>\bin
      • 15.8: <DRIVE>:\Program Files\AdoptOpenJRE\jdk8u<version>-jre\bin
  • Linux:
    • 15.7: /opt/Symantec/DataLossPrevention/ServerJRE/<version>/bin
      • 15.8: /opt/AdoptOpenJRE/ jdk8u<version>-jre/bin

Note: On Linux, execute ./keytool

.keystore location

  • Windows:
    • <DRIVE>:\Program Files\Symantec\DataLossPrevention\EnforceServer\<version>\protect\tomcat\conf\.keystore
  • Linux:
    • /opt/Symantec/DataLossPrevention/EnforceServer/<version>/protect/tomcat/conf​/.keystore

 

  • In Linux, all commands must be executed as root.
  • In Windows, all commands need to be executed via CMD with Admin access.
  • Command to see the hidden ".keystore" file on Linux: ls -la
  • As per the DLP Admin Guide (p. 151 in 15.7 version), the Tomcat store uses a X.509 certificate must be provided in Distinguished Encoding Rules (DER) format - which is a .cer file.
  • The instructions below involve chained certs, when the Root or Intermediate CAs are required - i.e., "the Signed" certificate. The format of using a .p7b file therefore applies in that instance - otherwise, the cert is unsigned, and one would simply import the .cer file.
  • Many CAs are issued in the form of chained certs, when the Root or Intermediate CAs are required in a chain that authenticates the signed certificate. Chained Cert format is a .p7b file extension. However, as noted above, current versions of Tomcat a file in DER format, extension of ".cer". In most cases, this means you have 3 .cer files, which can be imported one after the other into the Tomcat keystore file. You should import the higher level authority first (usually "root") , followed by all Intermediate CAs. Then import the signed certificate.

Resolution

  1. Back up existing keystore.
    • Windows command:  copy <filepath>\.keystore <filepath>\keystore.bkup
      • <DRIVE>:\Program Files\Symantec\DataLossPrevention\EnforceServer\<version>\protect\tomcat\conf\.keystore
    • Linux command:  cp  <filepath>/.keystore <filepath>/keystore.bkup
      • /opt/Symantec/DataLossPrevention/EnforceServer/<version>/protect/tomcat/conf​/.keystore​
  2. Generate a new keystore file with the required parameters, and register the certificate.
    • Windows command: <DRIVE>:\Program Files\AdoptOpenJRE\jdk8u<version>-jre\bin\keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -validity 720 -dname "CN=<servername>, OU=DLP, O=SYMANTEC, L=Cupertino, ST=California, C=US" -ext SAN=DNS:<servername>,DNS:<domainname>,DNS:<FQDN>,IP:<IPAddress> -keystore <DRIVE>:\Program Files\AdoptOpenJRE\jdk8u<version>-jre\bin\.keystore -storepass protect ​
      • dname: this tells us who the certificate belongs to, feel free to change the information here as needed.
      • SAN: this tells us what servers this certificate matches. If the domain used to access the site does not match the DNS names listed here, then the certificate will be invalid.
      • keystore: the output path can be set to anywhere, but in this case it is creating a new keystore in your keytool directory.
  3. Generate a CSR file
    • <DRIVE>:\Program Files\AdoptOpenJRE\jdk8u<version>-jre\bin\keytool -certreq -alias tomcat -keyalg RSA -keysize 2048 -validity 720 -dname "CN=<servername>, OU=DLP, O=SYMANTEC, L=Cupertino, ST=California, C=US" -ext SAN=DNS:<servername>,DNS:<domainname>,DNS:<FQDN>,IP:<IPAddress> -keystore <DRIVE>:\Program Files\AdoptOpenJRE\jdk8u<version>-jre\bin\.keystore -storepass protect -file <DRIVE>:\Program Files\AdoptOpenJRE\jdk8u<version>-jre\bin\tomcat.csr
      • It is important to note that the CSR should have all of the same arguments defined as the creation command. If this information is not defined, then the certificate you get back from your CA may not be valid.
      • The tomcat.csr can be created anywhere, but in this case we are creating it in our keytool directory.
  4. Send tomcat.csr to CA admin, so they can generate a signed certificate file in the current format.
  5. Copy the tomcat.cer chained cert file to the keytool directory <DRIVE>:\Program Files\Symantec\DataLossPrevention\ServerJRE\<version>\bin\.
  6. Import the chained certificate.
    • <DRIVE>:\Program Files\AdoptOpenJRE\jdk8u<version>-jre\bin\keytool -import -alias tomcat -keystore <DRIVE>:\Program Files\AdoptOpenJRE\jdk8u<version>-jre\bin\.keystore -trustcacerts -file <DRIVE>:\Program Files\AdoptOpenJRE\jdk8u<version>-jre\bin\tomcat.cer
    • Enter the keystore password.
      • Top-level certificate in reply:
        Owner: XXXXXX
        Issuer: XXXXXX
        Serial number: XXXXXX
        Valid from: XXXXXX until: XXXXXX
        Certificate fingerprints:
                MD5:  **Deleted**
                SHA1: **Deleted**
        ... is not trusted. Install reply anyway? [no]:
    • Type Y or YES and press ENTER.
    • Certificate reply was installed in keystore.
  7. Copy the .keystore file from the source (keytool directory) to its final destination (.keystore location).
    • copy <DRIVE>:\Program Files\AdoptOpenJRE\jdk8u<version>-jre\bin\.keystore <DRIVE>:\Program Files\Symantec\DataLossPrevention\EnforceServer\<version>\protect\tomcat\conf\.keystore​​ 
  8. Restart the Symantec DLP Manager Service in order for the new certificate to take effect.

Additional Information

NOTE:

If you change the keystore password from the default, 'protect' when generating a new keystore, you must update the password values in the following two files:

  1. <InstallPath>\Symantec\DataLossPrevention\EnforceServer\<version>\Protect\tomcat\conf\server.xml
    •         <Certificate certificateKeystoreFile="${catalina.base}/conf/.keystore" certificateKeystorePassword="protect"/>
  2. <InstallPath>\Symantec\DataLossPrevention\EnforceServer\<verison>\Protect\config\Protect.properties
    • # keystore password
      com.vontu.manager.tomcat.keystore.password = protect
Powered by Wolken Software