Data Loss Prevention


Symantec DLP Enforce GUI SSL Certificate: Create and Import 

Jul 26, 2017 09:06 AM

Note: The following is based on Symantec Data Loss Prevention v.14.6.01. Always back up your system before making any modifications.

 

Creating / Importing the New .Keystore, Certificate Signing Request and SSL Certificate

  1. On the Enforce server, back up the entire contents of the \SymantecDLP\Protect\tomcat\conf directory to a TEMP directory.
  2. On the Enforce server, open a Command Prompt with elevated privileges.
  3. Change the current directory to \SymantecDLP\jre\bin\
  4. Delete any .keystore file that already exists there.
  5. From the command prompt, type this command (every option dash is a plain ASCII hyphen; keytool rejects en-dashes pasted from a web page with an "Illegal option" error): keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -keystore .keystore -validity 365 -storepass protect -dname "CN=<yourserverurl>, OU=<yourdepartment>, O=<yourcompany>, L=<yourcity>, ST=<yourstate>, C=<countrycode>" [PRESS ENTER]
  6. This produces the .keystore file in the \SymantecDLP\jre\bin directory. keytool also prompts for the key password; press Enter to reuse the keystore password, since the Tomcat connector in server.xml must open the keystore and the key with the same password.
  7. From the same command prompt, type this command: keytool -certreq -alias tomcat -keyalg RSA -keystore .keystore -storepass protect -file "signingrequest.csr" [PRESS ENTER]
  8. This produces the signingrequest.csr file. Send it to your CA administrator so they can issue the certificate in PKCS#7 format, which keytool imports as a certificate reply; the file should have the extension *.p7b.
    1. NOTE: If you plan on using Google Chrome v.58 or newer, the certificate must include a SubjectAlternativeName extension listing the server's DNS name. Chrome 58 stopped matching the host name against CN= and relies on the extension, while IE still uses CN=. With both CN= and a SubjectAlternativeName, the certificate works in both IE and Google Chrome. Ask your CA administrator to include the DNS name(s) when issuing the certificate; with keytool from JDK 7 onward you can also add the extension to the key pair and the CSR yourself with -ext SAN=dns:<yourserverurl>. This is an example of the extension as shown by keytool -printcert:

    #8: ObjectId: 2.5.29.17 Criticality=false
    SubjectAlternativeName [
      DNSName: *.acme.com
      DNSName: acme.com
    ]

                Also, if you plan to use Google Chrome with DLP, you must edit the manager.properties file in the \SymantecDLP\Protect\config directory. Look for the entry com.vontu.manager.unsupported_browser_autentication = false and change it to true, then save the file. This allows the Enforce console to be used from Google Chrome and Apple Safari.

  9. When you receive the *.p7b file, copy it to the \SymantecDLP\jre\bin directory on the Enforce server.
  10. On the Enforce server, open a Command Prompt with elevated privileges.
  11. Change the current directory to \SymantecDLP\jre\bin\
  12. From the command prompt, type this command: keytool -import -alias tomcat -keystore .keystore -trustcacerts -file <filename>.p7b [PRESS ENTER] (keytool prompts for the keystore password, protect). The -trustcacerts option lets keytool complete the certificate chain from the JRE's cacerts file when the .p7b does not carry the issuing CA certificates itself; if keytool reports that it cannot establish a chain from the reply, import the CA's root and intermediate certificates first or ask your CA administrator for a reply that includes the full chain.
  13. Copy the .keystore file from \SymantecDLP\jre\bin to the \SymantecDLP\Protect\tomcat\conf directory.
  14. Stop ALL Vontu services.
  15. Start ALL Vontu services.

Verify the certificate by opening the Enforce console in your browser over HTTPS: the page should load without a certificate warning, and the certificate details should show the new issuer, the validity period and the SubjectAlternativeName entries you requested.
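The whole procedure above, wrapped as a two-phase PowerShell script. This is an added example and not part of the original article or of Symantec's own tooling: phase Request backs up tomcat\conf and produces a keystore and CSR that both carry a SubjectAlternativeName (the point of the Chrome note), and phase Install imports the CA reply, installs the keystore, restarts the Vontu services and reads back the certificate the console actually serves. The install root C:\SymantecDLP, the host name enforce.acme.com, the SAN list, the reply file name enforce.p7b, the distinguished-name values and port 443 are assumptions to change for your site; it also assumes the bundled JRE's keytool accepts -ext (JDK 7 or later) and that the Vontu service display names start with "Vontu".

```powershell
<#
  Added example (not from the original article or Symantec's tooling): a
  two-phase wrapper for the keytool procedure above.
    -Phase Request : back up tomcat\conf, generate a fresh .keystore whose key
                     pair and CSR both carry a SubjectAlternativeName.
    -Phase Install : import the CA's .p7b reply, install the keystore, restart
                     the Vontu services and read back the served certificate.
  Assumptions: install root C:\SymantecDLP, keytool supports -ext (JDK 7+),
  keystore password is the DLP default "protect", console listens on 443.
#>
param(
    [Parameter(Mandatory = $true)][ValidateSet('Request', 'Install')]
    [string]$Phase,
    [string]$Root = 'C:\SymantecDLP',                        # assumption: install root
    [string]$Fqdn = 'enforce.acme.com',                      # assumption: console host name
    [string[]]$AltNames = @('enforce.acme.com', 'enforce'),  # assumption: SAN DNS names
    [string]$Reply = 'enforce.p7b',                          # assumption: CA reply file name
    [string]$StorePass = 'protect',                          # DLP default keystore password
    [int]$Port = 443
)
$ErrorActionPreference = 'Stop'
$keytool  = Join-Path $Root 'jre\bin\keytool.exe'
$work     = Join-Path $Root 'jre\bin'
$confDir  = Join-Path $Root 'Protect\tomcat\conf'
$keystore = Join-Path $work '.keystore'
# keytool syntax for the extension: -ext SAN=dns:host1,dns:host2
$san = 'SAN=' + (($AltNames | ForEach-Object { "dns:$_" }) -join ',')

function Invoke-Keytool([string[]]$KtArgs) {
    # Arguments are built here as plain ASCII, so no en-dashes copied from a
    # web page reach keytool (those produce "Illegal option" errors).
    & $keytool @KtArgs
    if ($LASTEXITCODE -ne 0) { throw "keytool $($KtArgs[0]) failed (exit code $LASTEXITCODE)" }
}

function Get-ServedCertificate([string]$HostName, [int]$TcpPort) {
    # Open a TLS session and return the leaf certificate the server presents.
    # Validation is bypassed on purpose: we want to inspect the cert, not trust it.
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $TcpPort)
    try {
        $ssl = New-Object System.Net.Security.SslStream(
            $client.GetStream(), $false,
            [System.Net.Security.RemoteCertificateValidationCallback] { $true })
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $client.Close() }
}

if ($Phase -eq 'Request') {
    # Steps 1-4: back up tomcat\conf and remove any stale keystore.
    $backup = Join-Path $env:TEMP ('tomcat-conf-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
    Copy-Item $confDir $backup -Recurse
    if (Test-Path $keystore) { Remove-Item $keystore }

    # Step 5 plus the SAN the Chrome note calls for. -genkeypair is the current
    # name for -genkey; -keypass matches -storepass so Tomcat can open the key.
    Invoke-Keytool @('-genkeypair', '-alias', 'tomcat', '-keyalg', 'RSA', '-keysize', '2048',
        '-keystore', $keystore, '-storepass', $StorePass, '-keypass', $StorePass,
        '-validity', '365', '-ext', $san,
        '-dname', "CN=$Fqdn, OU=Security, O=Acme, L=Springfield, ST=IL, C=US")  # assumption: your DN

    # Step 7: the CSR carries the same SAN so the CA can copy it into the certificate.
    $csr = Join-Path $work 'signingrequest.csr'
    Invoke-Keytool @('-certreq', '-alias', 'tomcat', '-keystore', $keystore,
        '-storepass', $StorePass, '-file', $csr, '-ext', $san)
    Write-Host "Backup in $backup. Send $csr to your CA and request a PKCS#7 (.p7b) reply."
}
else {
    $replyPath = Join-Path $work $Reply
    if (-not (Test-Path $replyPath)) { throw "CA reply not found: $replyPath" }

    # Step 12: -trustcacerts lets keytool complete the chain from the JRE's cacerts
    # when the .p7b does not include the issuing CA certificates itself.
    Invoke-Keytool @('-importcert', '-alias', 'tomcat', '-keystore', $keystore,
        '-storepass', $StorePass, '-trustcacerts', '-noprompt', '-file', $replyPath)

    # Step 13: install the keystore where the Enforce Tomcat configuration reads it.
    Copy-Item $keystore (Join-Path $confDir '.keystore') -Force

    # Steps 14-15: restart every Vontu service (assumption: display names start with "Vontu").
    $services = Get-Service -DisplayName 'Vontu*'
    if (-not $services) { throw 'No Vontu services found on this host' }
    $services | Stop-Service -Force
    $services | Start-Service

    # Verification: Tomcat needs a moment after the service reports started, so retry.
    $cert = $null
    foreach ($i in 1..12) {
        try { $cert = Get-ServedCertificate -HostName $Fqdn -TcpPort $Port; break }
        catch { Start-Sleep -Seconds 10 }
    }
    if (-not $cert) { throw "Console on ${Fqdn}:$Port did not answer a TLS handshake" }
    "Subject : $($cert.Subject)"
    "Issuer  : $($cert.Issuer)"
    "Expires : $($cert.NotAfter)"
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($sanExt) { 'SAN     : ' + $sanExt.Format($false) }
    else { Write-Warning 'Certificate has no SubjectAlternativeName; Chrome 58+ will reject it.' }
}
```

Run it from an elevated PowerShell as .\Set-EnforceCert.ps1 -Phase Request, send the CSR to your CA, copy the .p7b reply into jre\bin and run .\Set-EnforceCert.ps1 -Phase Install. The script passes the SAN to both -genkeypair and -certreq because some CAs copy extensions from the request while others only honour what the administrator enters; either way the final check reads the extension from the certificate the console actually serves, which is what Chrome evaluates.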


Comments

Jun 13, 2018 10:44 AM

This command seems to work:

keytool -keysize 2048 -genkey -alias tomcat -keyalg RSA -keystore .keystore

You'll have to enter a password and the OU information manually.

Verify your .keystore

keytool -list -keystore .keystore -storepass <yourpass>

Then to create the CSR

keytool -certreq -keyalg RSA -alias tomcat -file dlp.csr -keystore .keystore

I used this to generate a .csr successfully.

 

Apr 06, 2018 12:59 AM

SSL is Secure Sockets Layer. It is basically for secure transactions. It is an encrypted link between a web server and a browser in online communication. But sometimes errors occur in Chrome. Many more errors appear in Chrome while using the browser. ERR_CACHE_MISS is one of them. To solve this issue, visit Fix ERR CACHE MISS Error for the best solution.

Apr 03, 2018 10:32 AM

I am encountering the same issue as Fred.  Was anyone able to resolve this issue?

Jan 18, 2018 11:46 AM

Djacobs,

Thank you for this! I am trying to run the command you have in step 5, but it doesn't seem to like the command -genkey. I have attached a screenshot; any thoughts?
