Create, sign, and import an SSL certificate signed by a Trusted Certificate Authority
Article ID: 160518
Products
Data Loss Prevention Enforce
Issue/Introduction
You need to create, sign, and import a signed SSL certificate for Symantec Data Loss Prevention (DLP) Enforce.
Cause
There are 2 main reasons one needs to import a certificate into the Tomcat keystore, as given below:
You wish to import a CA-signed certificate to allow most current browsers to automatically trust the Enforce Server administration console. The complete instructions for setting that up are given in the Windows and Linux Install Guides, in the section "About browser certificates".
You wish to enable certificate authentication that allows users to automatically log on to the Enforce Server administration console. The complete instructions for setting that up are given in the Admin Guide. In v15.7, it is in Chapter 5, in the section "About certificate authentication configuration".
Environment
Keytool.exe location
Windows:
14.x and 15.0: <DRIVE>:\SymantecDLP\jre\bin
15.1: <DRIVE>:\Program Files\Symantec\Data Loss Prevention\Server JRE\1.8.0_162\bin\
In Windows, all commands need to be executed via CLI with Admin access.
Command to see the hidden ".keystore" file: ls -la
As per the DLP Admin Guide (p. 151 in the 15.7 version), the Tomcat keystore uses an X.509 certificate, which must be provided in Distinguished Encoding Rules (DER) format, i.e. a .cer file.
The instructions below cover chained certificates, i.e. "the Signed" certificate where the Root or Intermediate CA certificates are also required. In that case the chain is supplied as a .p7b file. Otherwise, the cert is unsigned, and one would simply import the .cer file.
Resolution
Back up existing keystore.
Windows command: copy <14.x/15.0/15.1/15.5 file path>\.keystore <14.x/15.0/15.1/15.5 file path>\keystore.bkup
14.x and 15.0: C:\Protect\tomcat\conf
15.1: C:\Program Files\Symantec\Data Loss Prevention\Enforce Server\15.1\Protect\tomcat\conf
Restart the Vontu Manager (14.x and 15.0) or Symantec DLP Manager (15.1 and 15.5) service.
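As an added example (not part of this article or the DLP product), the following POSIX shell script performs the backup step above with byte-for-byte verification and checks that the certificate file is DER (leading ASN.1 SEQUENCE byte 0x30) rather than PEM before calling keytool -importcert. The keystore path, the alias "tomcat" and the password "protect" are assumptions for a Linux Enforce host; the keytool invocation itself is the same on Windows.

```shell
#!/bin/sh
# Added example, not from the article. Pre-flight checks before importing a
# CA-signed certificate (.cer or .p7b chain) into the Enforce Tomcat keystore.
# Assumptions: keystore path, alias "tomcat" and password "protect" are
# placeholders; adjust them to your installation.
set -u

# Copy the keystore to a timestamped backup and verify the copy byte-for-byte.
# Prints the backup path on success; returns 1 on any failure.
backup_keystore() {
    ks="$1"
    [ -f "$ks" ] || { echo "keystore not found: $ks" >&2; return 1; }
    bkup="$(dirname "$ks")/keystore.bkup.$(date +%Y%m%d%H%M%S)"
    [ -e "$bkup" ] && { echo "refusing to overwrite $bkup" >&2; return 1; }
    cp "$ks" "$bkup" && cmp -s "$ks" "$bkup" || { echo "backup failed" >&2; return 1; }
    echo "$bkup"
}

# Classify a certificate file by its leading bytes: "der" if it begins with an
# ASN.1 SEQUENCE tag (0x30), "pem" if it begins with a -----BEGIN header,
# "unknown" otherwise. The article requires DER (.cer / .p7b) for the keystore.
cert_format() {
    f="$1"
    first="$(head -c 1 "$f" | od -An -tx1 | tr -d ' \n')"
    if [ "$first" = "30" ]; then echo der
    elif head -c 11 "$f" | grep -q -- '-----BEGIN'; then echo pem
    else echo unknown
    fi
}

# Import the cert/chain only after the checks pass. keytool is invoked only
# when present on PATH, so the checks can be exercised without a JRE.
import_signed_cert() {
    ks="$1"; cert="$2"; alias="${3:-tomcat}"; storepass="${4:-protect}"
    fmt="$(cert_format "$cert")"
    [ "$fmt" = "der" ] || { echo "expected DER, got $fmt: $cert" >&2; return 1; }
    backup_keystore "$ks" >/dev/null || return 1
    if command -v keytool >/dev/null 2>&1; then
        keytool -importcert -keystore "$ks" -storepass "$storepass" \
            -alias "$alias" -file "$cert" -noprompt
    else
        echo "keytool not on PATH; checks passed, run the import manually" >&2
    fi
}
```

Run the import with the real paths, e.g. `import_signed_cert /path/to/tomcat/conf/.keystore signed_chain.p7b`, and restart the DLP Manager service afterwards as described above.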
Additional Information
NOTE:
If you change the keystore password from the default ('protect') when generating a new keystore, you must update the password values in the following two files: