Data Loss Prevention

  • 1.  DLP 12.5.2 Certificates

    Posted Mar 22, 2016 06:21 AM

    Hi everybody

    I am posting this because the generation and implementation of custom certificates is puzzling me.

    Following situation:
    There is an existing, productive DLP installation hosting the roles Enforce and Endpoint Prevent on one server. No custom certificate has been generated so far.
    Around 200 DLP agents have been rolled out and are reporting to this server.

    Now, a new remotely located detection server is added to the DLP environment. The server was added, is communicating and running properly so far. No agents have been deployed to this server yet.
    Since I do not want to leave the servers communicating with the built-in certificate, a custom certificate needs to be added for the servers.

    After consulting the documentation, I am now quite a bit unsure about the process of doing so:

    • I only want one certificate to be generated, not various certificates. I want to use this certificate for as many future detection servers as there will be. Is this possible?
    • After generating this custom certificate, do the already installed DLP agents need to be re-installed? I absolutely do not want to do this.
    • As the new detection server has been added to the configuration, new monitor*_truststore.jks and monitor*_keystore.jks files have been generated in the keystore folder - I do not really understand why.
    • What happens to the *.jks files after implementing a custom certificate? It's clear that the certificat_authority.jks will not be touched.
    • To install DLP agents connecting to the new detection server, do I need to customize more than the endpoint server? Will the *.pem files be generated automatically for the corresponding detection server?

    If somebody could help me clarifying this, I'd be grateful :)



  • 2.  RE: DLP 12.5.2 Certificates

    Posted Mar 23, 2016 12:32 PM

    Alright, so I actually generated a custom key pair.

    As stated in the documentation, they have been generated with "sslkeytool -genkey".
    The enforce. and monitor. have been placed in the keystore directory on the server that hosts the Enforce and Detection server.
    Vontu Monitor Controller service has been restarted.

    Still, the server uses the built-in certificate.

    I did not delete or move the already existing .jks files in the keystore directory.

    Did I miss something there?



  • 3.  RE: DLP 12.5.2 Certificates

    Posted Mar 23, 2016 01:58 PM

    The enforce. and monitor. have been placed in the keystore directory on the server that hosts the Enforce and Detection server.

    Are Enforce and Endpoint installed on the same server?

    If you have separate servers, sounds right since you were running with built-in certificates from the start. On Enforce and detection servers, generated certificates are copied to \SymantecDLP\Protect\keystore. Restart the Vontu Monitor Controller on the Enforce server and the Vontu Monitor service on the detection servers. Or, just reboot the servers once the new certificates are in place. After the reboots, or service restarts, check for event code 2710 in System, Events.



  • 4.  RE: DLP 12.5.2 Certificates

    Posted Mar 23, 2016 05:24 PM

    There is one server which is running the Enforce and Endpoint.
    Both certificates have been copied to the keystore folder on this server.
    My posting above was referring to this server. It's still running with built-in certificates, even with a cycle of the Vontu Monitor Controller service.

    The other server which I want to add to the environment is running a Detection server only and did not even come up after copying the monitor.*.sslKeyStore to the keystore directory and cycling Vontu Monitor service.



  • 5.  RE: DLP 12.5.2 Certificates
    Best Answer

    Posted Mar 23, 2016 05:37 PM

    If I am reading that correctly, you have the Enforce.sslkeystore and Monitor.sslkeystore files in the \SymantecDLP\Protect\keystore folder on the server that is running Enforce and Endpoint. If that's so, remove the Monitor certificate. Restart the Vontu Monitor Controller service for good measure. Over on the detection server you are adding, you should only have the Monitor certificate in the keystore folder. Couldn't hurt to restart the Vontu Monitor service on this server as well.
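    The placement rule from posts 3 and 5 (Enforce keystore only on the Enforce server, Monitor keystore only on each detection server, then a service restart) is easy to get wrong on a box hosting two roles, as post 4 shows. The following PowerShell check is an added example and not part of the thread or of the Symantec DLP product: it inspects the keystore folder for the given role, flags a keystore that belongs to the other role, and optionally restarts the service named in the thread. The drive letter, the `-Role` parameter, the wildcard file patterns and the use of the service display names are assumptions for illustration.

```powershell
# Added example (not from the thread): verify which sslkeytool keystores sit in the DLP
# keystore folder and whether they match this server's role, then optionally restart
# the service the thread names. Role switch, drive letter and patterns are assumptions.
param(
    [Parameter(Mandatory)][ValidateSet('Enforce','Detection')]
    [string]$Role,
    [string]$KeystoreDir = 'C:\SymantecDLP\Protect\keystore',   # drive letter assumed; folder from the thread
    [switch]$RestartService
)

# Expected custom keystore per role, as described in posts 3 and 5:
#   Enforce (even when Endpoint runs on the same box): only enforce.*.sslKeyStore
#   Detection server:                                   only monitor.*.sslKeyStore
$expected = @{ Enforce = 'enforce*.sslKeyStore'; Detection = 'monitor*.sslKeyStore' }
# Service display names as written in the thread (assumed to match the installed services)
$service  = @{ Enforce = 'Vontu Monitor Controller'; Detection = 'Vontu Monitor' }

if (-not (Test-Path -LiteralPath $KeystoreDir)) {
    throw "Keystore directory not found: $KeystoreDir"
}

$custom = Get-ChildItem -LiteralPath $KeystoreDir -File -Filter '*.sslKeyStore'
$ok     = @($custom | Where-Object Name -like    $expected[$Role])
$wrong  = @($custom | Where-Object Name -notlike $expected[$Role])

Write-Host "Role: $Role   Keystore dir: $KeystoreDir"
if ($ok.Count -eq 1) {
    Write-Host "OK   custom keystore present: $($ok[0].Name)"
} elseif ($ok.Count -eq 0) {
    Write-Warning "No $($expected[$Role]) file found; the server will keep using the built-in certificate."
} else {
    Write-Warning "Several $($expected[$Role]) files found; keep exactly one: $($ok.Name -join ', ')"
}
foreach ($f in $wrong) {
    Write-Warning "Keystore for the other role found; remove it from this server: $($f.Name)"
}

# The built-in .jks stores (certificate_authority.jks, monitor*_keystore.jks, ...) are left alone,
# as the thread does; they are only listed here for the operator's reference.
Get-ChildItem -LiteralPath $KeystoreDir -File -Filter '*.jks' |
    ForEach-Object { Write-Host "info built-in store left in place: $($_.Name)" }

if ($RestartService) {
    $svc = Get-Service -DisplayName $service[$Role] -ErrorAction Stop
    Restart-Service -InputObject $svc -Force
    Write-Host "Restarted '$($svc.DisplayName)'. Confirm the custom certificate is in use by checking for event code 2710 under System > Events in the Enforce console (post 3)."
}
```

    Run it once per server with the role that server holds, e.g. `.\Check-DlpKeystore.ps1 -Role Enforce` on the combined Enforce/Endpoint box and `.\Check-DlpKeystore.ps1 -Role Detection -RestartService` on the new detection server. The script deliberately never deletes anything: a stray keystore is reported so the operator removes it by hand, which matches the thread's advice and keeps the check safe to run on production.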



  • 6.  RE: DLP 12.5.2 Certificates

    Posted Mar 23, 2016 06:22 PM

    Alright, I will try as soon as possible to do so. I thought it would be logical to also place the Monitor.sslkeystore on the server hosting both roles since the Endpoint is also running on there. I will keep you updated on this.


  • 7.  RE: DLP 12.5.2 Certificates

    Posted Mar 29, 2016 04:05 AM

    Hi Ethan,

    This has worked for me.
    Placing the Enforce.sslkeystore only into the keystore of the Enforce server and the Monitor.sslkeystore into the keystore of the Endpoint Monitor.

    Thanks and cheers