Endpoint Protection

  • 1.  SEPM 12.1.5 Web Console SSL Certificate

    Posted Aug 16, 2016 08:13 AM

    When you install SEPM, it creates a self-signed certificate that is used for the local Java console as well as the Web Console.
    per this information here:
    https://support.symantec.com/en_US/article.TECH210852.html
    You can see how things were divided up.
    So the self-signed certificate that the Web console uses has a SHA-1 signature. This is no longer PCI compliant.
    So I had to replace this certificate, and there is no really easy way to do this, nor any documentation I could find that shows how to do it for version 12.1.x.
    So after doing some playing around, I kind of got it working with a new certificate that is SHA512.
    Would be glad if anyone could shed any more light on this, but here is what I did:


    *******************************************************************************************************************
    Updating SSL Certificate for SEPM Web Console
    It uses Tomcat to handle the Web Console instance.
    https://support.symantec.com/en_US/article.TECH210852.html

    First of all, backup your current keystores.
    I did both the Apache keystore and the tomcat keystore
    Tomcat -- C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\etc
    Apache -- C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\jre\bin

    In the Tomcat keystore, you will need to access it using the keytool.exe program located in the jre\bin folder (where the Apache keystore is)
    You will need the password to the Tomcat keystore, it is located at C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\conf\server.xml

    Stop the two services
    Symantec Endpoint Protection Manager
    Symantec Endpoint Protection Manager Webserver

    Delete the current certificate that is in the Tomcat keystore (if this is first time, then it is the self-signed cert with alias 'tomcat')
    keytool -delete -alias tomcat -keystore "C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\etc\keystore.jks" -storepass <your keystore password>

    Generate the key for your CSR
    keytool -genkey -alias tomcat -keyalg RSA -keystore "C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\etc\keystore.jks" -storepass <your keystore password>

    Generate the CSR
    It will ask you questions, the first question will be your first and last name, I would go with the name of your server or the CN (common name)
    The other questions are your typical location, Dept., company questions.
    keytool -certreq -alias tomcat -keyalg RSA -file c:\ssl_request\tomcat_req.csr -keystore "C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\etc\keystore.jks" -storepass <your keystore password>

    Submit the CSR you just created to the CA
    Get the response and save it to file i.e. c:\ssl_request\tomcat_resp.crt

    Once you have it saved, you can now import into your keystore
    keytool -import -alias tomcat -keystore "C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\etc\keystore.jks" -trustcacerts -file c:\ssl_request\tomcat_resp.crt -storepass <your keystore password>

    Start the two services
    Symantec Endpoint Protection Manager
    Symantec Endpoint Protection Manager Webserver

    There is a .bat file called display-cert.bat, it is located in the tomcat\bin folder.
    It will access the tomcat keystore and show you the certs it sees and will use for the Web console.

    Now the problem I have run into and have yet to figure out, is that the certificate shows unknown...even though I imported the CA's Chain certificate into the store.
    And the web console, I can log into, but not all the screens work.....
    So I will have to figure that out.
    Maybe because the cert is done w/ RSA512, and the keystore is not able to understand that....not sure.

    *******************************************************************************************************************



  • 2.  RE: SEPM 12.1.5 Web Console SSL Certificate

    Trusted Advisor
    Posted Aug 17, 2016 11:23 AM

    I'm assuming you've seen this article as well?

    https://support.symantec.com/en_US/article.TECH123518.html



  • 3.  RE: SEPM 12.1.5 Web Console SSL Certificate

    Posted Aug 17, 2016 03:25 PM

    Follow up 
    Wound up doing this


    Backup your original .jks files and the Apache SSL files.
    Create a new keystore in a temp folder, make sure you use the same password that Symantec assigned to your current keystore (can find it in server.xml file)
    keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -sigalg sha256withRSA -validity 1875 -keystore c:\test\keystore.jks -storepass <password>

    Once created, export the self signed certificate
    keytool -export -v -rfc -alias tomcat -file C:\test\server.crt -keystore c:\test\keystore.jks -storepass <password>

    If you want, you can import the original self signed cert that Symantec created when you installed the software, not sure it is needed.
    But I imported it and gave it the alias tomcat2

    Then export the private key from your new keystore
    This will be an encrypted private key....
    keytool -v -importkeystore -srckeystore c:\test\keystore.jks -srcalias tomcat -destkeystore c:\test\server.p12 -deststoretype PKCS12

    I took that .p12 file and converted it to a private key file, that was encrypted.
    openssl pkcs12 -in c:\test\server.p12 -out c:\test\server_orig.key

    So decrypted that:
    openssl rsa -in c:\test\server_orig.key  -out c:\test\server.key

    Now I had my .crt and my .key file....
    For the .crt file I had to strip out the
    -----BEGIN CERTIFICATE-----
    and
    -----END CERTIFICATE-----

    Stop the two Symantec Services
    Symantec Endpoint Protection Manager
    Symantec Endpoint Protection Manager Webserver

    Copy the server.crt and server.key files to
    C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\apache\conf\ssl
    Copy the keystore.jks to:
    C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\etc
    and
    C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\jre\bin

    Then start the two services above...
    Now the SEPM Java console works fine once this is done, no issues....and client systems for me have all gone green and online.
    The web console is not working quite as well, not sure why.
    But the first 3 (home, monitors and reports) do not show up.  The others do.
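The reason for all of this (post 1) is that the certificate served on :8443 must no longer carry a SHA-1 signature, and the replacement in post 3 is generated with -sigalg sha256withRSA. The following is an added example, not code from this thread or from Symantec, that verifies the outcome: it reads the outer signatureAlgorithm field of a DER-encoded certificate with a minimal DER walker and reports whether the digest is MD5 or SHA-1. The function names (signature_algorithm, is_weak_signature, check_server, sample_certificate) and the constructed certificate skeletons used as sample input are assumptions made for the example; only the Python standard library is used.

```python
"""Report the signature algorithm of an X.509 certificate (added example, stdlib only)."""
import ssl

# signatureAlgorithm OIDs: PKCS#1 arc 1.2.840.113549.1.1, ECDSA arc 1.2.840.10045.4
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
WEAK_DIGESTS = ("md5", "sha1")


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(content):
    """Turn DER OID content octets into dotted-decimal form."""
    arcs = [content[0] // 40, content[0] % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # a clear high bit ends the sub-identifier
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm(der):
    """Return the dotted OID from a DER Certificate's outer signatureAlgorithm."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    _, _tbs, pos = _read_tlv(cert, 0)       # skip tbsCertificate
    _, alg_id, _ = _read_tlv(cert, pos)     # AlgorithmIdentifier SEQUENCE
    tag, oid, _ = _read_tlv(alg_id, 0)      # its first element is the OID
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid)


def is_weak_signature(der):
    """Return (weak?, algorithm name); an unknown OID is reported, not flagged."""
    oid = signature_algorithm(der)
    name = SIG_ALG_NAMES.get(oid, "unknown(" + oid + ")")
    return any(d in name.lower() for d in WEAK_DIGESTS), name


def check_server(host, port=8443):
    """Fetch the certificate a live server presents and classify it (not run here)."""
    pem = ssl.get_server_certificate((host, port))
    return is_weak_signature(ssl.PEM_cert_to_DER_cert(pem))


# --- constructed sample input: structurally valid, unsigned Certificate skeletons ---

def _der(tag, content):
    """Wrap content in a DER TLV (content shorter than 65536 octets)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + content


def _encode_oid(dotted):
    """Encode a dotted OID as DER content octets (base 128, high-bit continuation)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = bytearray([a & 0x7F])
        a >>= 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        out += chunk
    return bytes(out)


def sample_certificate(sig_oid):
    """Constructed test input: parses like a Certificate but would never validate."""
    alg_id = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + _der(0x05, b""))
    tbs = _der(0x30, _der(0x02, b"\x02") + alg_id)  # stand-in tbsCertificate
    sig_value = _der(0x03, b"\x00" * 33)            # BIT STRING: 0 unused bits + zeros
    return _der(0x30, tbs + alg_id + sig_value)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11", "1.2.840.113549.1.1.13"):
        weak, name = is_weak_signature(sample_certificate(oid))
        print(f"{name:28s} weak={weak}")
```

To check a certificate exported with keytool -export -rfc (PEM), pass ssl.PEM_cert_to_DER_cert(open(path).read()) to is_weak_signature; check_server does the same against what the manager actually serves on :8443, which is what a PCI scanner sees. The parser reads only the outer signatureAlgorithm, so it says nothing about the trust chain; whether the CA chain is present in the keystore is a separate question from the digest used.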



  • 4.  RE: SEPM 12.1.5 Web Console SSL Certificate

    Trusted Advisor
    Posted Aug 17, 2016 03:48 PM

    Very odd, it would appear something is holding back, maybe in tomcat/apache config or elsewhere... but it looks like you're almost there.



  • 5.  RE: SEPM 12.1.5 Web Console SSL Certificate

    Posted Aug 17, 2016 03:50 PM

    Yeah, I will tackle that later...
    I really don't use the Web Console, only the local Java console.
    I just needed a certificate on the web access (:8443) in order to satisfy PCI Compliance.
    They don't like SHA1 any more.



  • 6.  RE: SEPM 12.1.5 Web Console SSL Certificate

    Posted Aug 18, 2016 01:56 AM

    From what I've heard Symantec is moving to SHA5 in its next major release which is touted to be SEPM 12.2.



  • 7.  RE: SEPM 12.1.5 Web Console SSL Certificate

    Posted Aug 18, 2016 07:01 AM

    Thanks for the info.



  • 8.  RE: SEPM 12.1.5 Web Console SSL Certificate

    Posted Aug 18, 2016 12:48 PM

    Odd thing now....
    After yesterday afternoon, and the console showing them all green and online...
    Now they go up and down today.

    When I log onto a client server and look, it shows the Console server as Offline.
    So not sure why it is doing that now....
    I imported the Sylink.xml file that didn't help
    And communication is supposed to be unsecured between client and server, so not sure why the new certs on the Server are causing issue



  • 9.  RE: SEPM 12.1.5 Web Console SSL Certificate

    Posted Aug 22, 2016 04:34 PM

    Seth - Any progress on this? We are looking into replacing the self-issued certificate as well.