You need to create, sign, and import a signed SSL certificate for Symantec Data Loss Prevention (DLP) Enforce.

Keytool.exe location

• Windows:
  • <DRIVE>:\Program Files\AdoptOpenJRE\jdk8u<version>-jre\bin
• Linux:
  • /opt/AdoptOpenJRE/ jdk8u<version>-jre/bin

Note: On Linux, execute ./keytool

.keystore location

• Windows:
  • <DRIVE>:\Program Files\Symantec\DataLossPrevention\EnforceServer\<version>\protect\tomcat\conf\.keystore
• Linux:
  • /opt/Symantec/DataLossPrevention/EnforceServer/<version>/protect/tomcat/conf​/.keystore

• In Linux, all commands must be executed as root.
• In Windows, all commands need to be executed via CMD with Admin access.
• Command to see the hidden ".keystore" file on Linux: ls -la
• The instructions below involve chained certs, when the Root or Intermediate CAs are required - i.e., "the Signed" certificate. The format of using a chained certificate file therefore applies in that instance - otherwise, the cert is unsigned, and one would simply import the .cer file.
• Many CAs are issued in the form of chained certs, when the Root or Intermediate CAs are required in a chain that authenticates the signed certificate. Chained cert format should be X509 compliant and presented as a .pem file extension to be used successfully in this particular keystore.  Other formats can also be used like p7b.

There are 2 main reasons one needs to import a certificate for use in the Enforce Console, as given below:

1. You wish to import a CA-signed certificate to allow most current browsers to automatically trust the Enforce Server administration console.
   • The complete instructions for setting that up are given in the "Install" help topic, in the section "About browser certificates": About browser certificates (broadcom.com)
2. You wish to enable certificate authentication that allows users to automatically log on to the Enforce Server administration console.
   • The complete instructions for setting that up are given in the About certificate authentication configuration article.

There are multiple methods to update the keystore to which a few are listed below. 

Method 1: Use a CSR and have your CA sign it, then import it into the keystore for use with DLP. That process is outlined below.

Method 2: Get a new certificate pair right from your CA in a .pfx keystore format and then import it into the a keystore for use with DLP. See the following article:

Import an SSL certificate created by a Trusted Certificate Authority for the Enforce Console Certificate (broadcom.com)

Note: All paths in the provided commands need to be enclosed in quotes if the path contains a space.

1. Back up existing keystore.
   • Windows command:  copy "<filepath>\.keystore" "<filepath>\keystore.bkup"
     • <DRIVE>:\Program Files\Symantec\DataLossPrevention\EnforceServer\<version>\protect\tomcat\conf\.keystore
   • Linux command:  cp  <filepath>/.keystore <filepath>/keystore.bkup
     • /opt/Symantec/DataLossPrevention/EnforceServer/<version>/protect/tomcat/conf​/.keystore​
2. Generate a new keystore file with the required parameters, and register the certificate.
   • First create a directory called EnforceCert under root drive as we will place new keystore and all files in this directory.
   • Windows command: "<DRIVE>:\Program Files\AdoptOpenJRE\jdk8u<version>-jre\bin\keytool" -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -validity 730 -dname "CN=<servername>, OU=DLP, O=SYMANTEC, L=Cupertino, ST=California, C=US" -ext SAN=DNS:<servername>,DNS:<domainname>,DNS:<FQDN>,IP:<IPAddress> -keystore <DRIVE>:\EnforceCert\.keystore -storepass protect 
   • Linux command: /<path>/AdoptOpenJRE/jdk8u<version>-jre/bin/keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -validity 730 -dname "CN=<servername>, OU=DLP, O=SYMANTEC, L=Cupertino, ST=California, C=US" -ext SAN=DNS:<servername>,DNS:<domainname>,DNS:<FQDN>,IP:<IPAddress> -keystore /<path>/EnforceCert\.keystore -storepass protect
     
     
     • dname: this tells us who the certificate belongs to, feel free to change the information here as needed.
     • SAN: this tells us what servers this certificate matches. If the domain used to access the site does not match the DNS names listed here, then the certificate will be invalid.
     • keystore: the output path can be set to anywhere, but in this case it is creating a new keystore in your EnforceCert directory.
     • Note you can append -keypass <your password> to then end of the argument so you can see the password as you are typing it.
   • Example:
     
     Note: If you see the error ''The System cannot find the file specified" then the command was likely not entered in properly. Verify all of the arguments are populated and no < or > (less than or greater than) symbols are used.
3. Generate a CSR file
   • Windows commad: "<DRIVE>:\Program Files\AdoptOpenJRE\jdk8u<version>-jre\bin\keytool" -certreq -alias tomcat -keyalg RSA -keysize 2048 -validity 730 -dname "CN=<servername>, OU=DLP, O=SYMANTEC, L=Cupertino, ST=California, C=US" -ext SAN="DNS:<servername>,DNS:<domainname>,DNS:<FQDN>,IP:<IPAddress>" -keystore <DRIVE>:\EnforceCert\.keystore -storepass protect -file <DRIVE>:\EnforceCert\tomcat.csr
   • Linux command: /<path>/AdoptOpenJRE/jdk8u<version>-jre/bin/keytool -certreq -alias tomcat -keyalg RSA -keysize 2048 -validity 730 -dname "CN=<servername>, OU=DLP, O=SYMANTEC, L=Cupertino, ST=California, C=US" -ext "SAN=DNS:<servername>,DNS:<domainname>,DNS:<FQDN>,IP:<IPAddress>" -keystore /<path>/EnforceCert/.keystore -storepass protect -file /<path>/tomcat.csr
      
     • It is important to note that the CSR should have all of the same arguments defined as the creation command. If this information is not defined, then the certificate you get back from your CA may not be valid.
     • The tomcat.csr can be created anywhere, but in this case we are creating it in our EnforceCert directory.
4. Send tomcat.csr to CA admin, so they can generate a signed certificate file in the current format. You should request an X509 compliant, chained certificate which contains the CA certs as well.
5. Copy the provided chained cert file (lets call it tomcat.p7b) to the EnforceCert directory <DRIVE>:\EnforceCert\ or /<path>/EnforceCert/
   
   • Note that the certificate can be many different extensions such as .pem, .cer, .crt, .der, .p7b, .pfx, etc...
     • Note that a .pfx certificate is considered a keystore and must be imported as a keystore, not as a certificate.
6. Import the chained certificate.
   • Note that the following string is one command:
     Windows : "<DRIVE>:\Program Files\AdoptOpenJRE\jdk8u<version>-jre\bin\keytool" -importcert -alias tomcat -keystore <DRIVE>:\EnforceCert\.keystore -trustcacerts -file <DRIVE>:\EnforceCert\tomcat.p7b
     Linux : /<path>/AdoptOpenJRE/jdk8u<version>-jre/bin/keytool -importcert -alias tomcat -keystore /<path>/EnforceCert/.keystore -trustcacerts -file /<path>/EnforceCert/tomcat.p7b
     
     
   • Note that the certificate password and the keystore password MUST match (Default: protect), if this does not match the login page will fail to load.
   • Enter the keystore password.
     • Top-level certificate in reply:
       Owner: XXXXXX
       Issuer: XXXXXX
       Serial number: XXXXXX
       Valid from: XXXXXX until: XXXXXX
       Certificate fingerprints:
               MD5:  **Deleted**
               SHA1: **Deleted**
       ... is not trusted. Install reply anyway? [no]:
   • Type Y or YES and press ENTER.
   • Certificate reply was installed in keystore.
   • Sometimes, while importing p7b certificate, it gives error like - "keytool error: java.lang.Exception: Input not an X.509 certificate". To fix this, try importing certificate in CER format and certificate will be imported successfully.
7. Copy the .keystore file from the source (EnforceCert directory) to its final destination (.keystore location).
   • Windows: copy <DRIVE>:\EnforceCert\.keystore "<DRIVE>:\Program Files\Symantec\DataLossPrevention\EnforceServer\<version>\protect\tomcat\conf\.keystore​​" 
   • Linux: cp /<path>/EnforceCert/.keystore /opt/Symantec/DataLossPrevention/EnforceServer/<version>/protect/tomcat/conf/.keystore
     
     
8. Restart the Symantec DLP Manager Service in order for the new certificate to take effect.

Method 3:  If you have the option to download a java keystore from your CA, you can try the following:

1. First always backup the existing keystore.  You can follow Step 1 from Method 2 for this.
2. Download the java keystore from your CA.  When you download the signed certificates you have an option to download the java keystore.  This can be named anything and will most likely require a password.  Set it to protect if possible and if not set it to a strong password (note you will need to update the server.xml and protect.properties with the new password).  Keep all passwords the same.
3. Make sure to include the chain so this java keystore contains the certs for any intermediate and root CA.
4. Once download and saved on the enforce server, navigate to this directory from CMD and rename it to ".keystore" without the quotes.  You will need to do this through the command line as windows always wants a filename.extension format and in this case its just .extension.
5. Next follow Step 7 and 8 from Method 2 to complete the process.  Keep in mind that if the password could not be kept as protect, follow the steps to update the password from the additional notes below and then restart services.

Troubleshooting:

If there are any errors they should be located in the localhost log file.

Related KBs

Example Script to automate keytool commands