You can use Transport Layer Security (TLS) to encrypt all data that is transmitted between the Enforce Server and the Oracle database hosted with Amazon RDS in a three-tier environment. This configuration is supported in both Symantec Data Loss Prevention 15.1 and 15.5.
These steps assume that you have already set up an AWS account that you can use to manage the Oracle database. See the Symantec Data Loss Prevention Deployment Guide for Amazon Web Services.
Complete the following to secure communications between the Enforce Server and the database:
You enable SSL encryption for an Oracle RDS database instance by adding the Oracle SSL option to the option group associated with an Oracle DB instance. You specify the port you want to communicate over using SSL.
Refer to "Oracle Secure Sockets Layer" located in AWS Oracle RDS documentation for steps to complete this process.
To set up an SSL connection over JDBC you download the Amazon RDS root CA certificate, convert the certificate format, then import the certificate into the keystore.
Refer to "Setting Up an SSL Connection Over JDBC" located in AWS Oracle RDS documentation for steps to complete this process.
After you configure the AWS Oracle RDS Option Group with SSL, you configure the Enforce Server JDBC driver and the server certificate. You configure the JDBC driver to use the Oracle RDS SSL/TLS connection and port, then you configure the server certificate.
To configure the server certificate on the Enforce Server:
Jdbc.propertiesfile located at the following location:
C:\Program Files\Symantec\Data Loss Prevention\Enforce Server\15.1\protect\config(for Windows)
/opt/Symantec/DataLossPrevention/Enforce Server/15.1/protect/config(for Linux)
jdbc.dbalias.oracle-thinline to use TCPS.
[email protected](description=(address=(host=[oracle host name])
Add the certificate to the
cacertsfile that is located on the Enforce Server by completing the following steps:
Copy the Oracle RDS certificate (
rds-ca-2015-root.der) file to one of the following locations:
c:\Program Files\Symantec\Data Loss Prevention\Server JRE\1.8.0_181\lib\security(for Windows)
/opt/Symantec/DataLossPrevention/Server JRE/1.8.0_181/lib/security(for Linux)
cd c:\Program Files\Symantec\Data Loss Prevention\Server JRE\1.8.0_181\lib\security\(for Windows)
cd /opt/Symantec/DataLossPrevention/Server JRE/1.8.0_181/lib/security/(for Linux)
cacertsfile by running the following command as an administrator (for Windows) or as a root user (for Linux):
keytool -import -alias oracleservercert -keystore cacerts -file rds-ca-2015-root.der
keytool -list -v -keystore c:\Program Files\Symantec\DataLossPrevention\ServerJRE\1.8.0_181\lib\security\cacerts -storepass changeit(for Windows)
keytool -list -v -keystore /opt/Symantec/DataLossPrevention/ServerJRE/1.8.0_181/lib/security/cacerts -storepass changeit(for Linux)
To confirm that certificates are configured correctly and the Enforce Server is communicating with the Oracle RDS database, log on to the Enforce Server administration console. If you can log on, the Enforce Server and database are communicating over a secure communication.
If you cannot log on, verify the SSL Java application connection of
Jdbc.properties. To confirm the SSL Java application connection, check the listener status on the Oracle RDS deployment. In the listener status, the TCPS protocol and port 2484 should be in use. If the listener status does not display these connection statuses, re-complete the process to enable Oracle RDS group with SSL.
For full details on how to configure SSL/TLS communication between Oracle RDS, and the Enforce Server, see the documentation for AWS Oracle RDS Option Group, available from the Amazon Relational Database Service User Guide.