Creating new certificates for Data Center Security: Server
Data Center Security: Server
If your certificates are available to third parties for viewing, then you must generate new certificates and explicitly provide the Common Name (CN), Organizational Unit and Subject Alternative Name (SAN) record details. Some organizations may be required to use corporate-provided or Certificate Authority (CA)-provided certificates, in which case you would also need to customize the certificates after installation.
You may also want to check out https://support.symantec.com/en_US/article.TECH247999.html.
If you are not concerned with third parties reviewing or validating your certificates, it is not necessary to create new certificates during or after Data Center Security: Server installation. However, if you wish to have further control over the contents of the certificates, you may wish to generate new certificates and explicitly provide the Common Name and Organizational Unit details, particularly if your certificates are to be viewed by third parties. Some organizations may be required to use corporate-provided or Certificate Authority (CA)-provided certificates, in which case you would also need to customize the certificates upon installation.
- To create new encryption keys (certs) for Data Center Security: Server
- Save a backup copy of server.xml, available at: C:\Program Files (x86)\Symantec\Data Center Security Server\Server\tomcat\conf. If you are upgrading from a previous version to Data Center Security: Server 6.6 and later, then the server.xml file is available at: %programfiles%\Symantec\Critical System Protection\server\tomcat\conf.
- Open the server.xml file in a text editor from the following file location: C:\Program Files (x86)\Symantec\Data Center Security Server\Server\tomcat\conf\server.xml
- Search for port='4443' to find the Console (port 4443) connector and its SSL configuration, or search for port='443' for the Agent (port 443) SSL configuration. Make a note of the keystoreFile path specified for the connector, as this is the file you will be replacing. Make a backup of the keystoreFile(s) before proceeding. Record the storePass and keystorePass values. They will be alphanumeric strings of 40 characters and possibly the same value. Also make a note of the storetype.
- Edit the keystoreFile path(s) and change the keystoreFile name to a new keystore file name with a .ssl extension. For a new Console (port 4443) certificate or a new Agent (port 443) certificate, name your new keystore accordingly. If you choose to update the Agent certificate, the agent certificates on all agents connecting to this management server must also be updated. Consider this carefully before proceeding, as going ahead with Agent connection changes may prevent all communication with existing or configured agents until each is updated accordingly.
- Save your edits to the server.xml file.
- Update your command line session PATH to include the JRE and tools directories. Add %programfiles%\Symantec\Data Center Security Server\Server\jre to the front of your environment PATH variable. Also add %programfiles%\Symantec\Data Center Security Server\tools to the front of your environment PATH variable (this is only a temporary change, and you may need to close and restart command line sessions for the PATH update to take effect). Open a command line session and test that both the keytool.exe and openssl.exe commands are available in your session's PATH.
- Download and copy the openssl.exe to the following location: %programfiles%\Symantec\Data Center Security Server\Server\tools\
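The connector values the steps above ask you to record (keystoreFile, the store password and the store type for the Console and Agent connectors) can be pulled out of server.xml by script and sanity-checked before anything is edited. The following shell script is an added example and is not part of the Symantec article or the product. It writes a constructed sample server.xml with placeholder paths and 40-character placeholder passwords (a real installation's values are whatever its own file contains), locates the port 4443 and port 443 connectors, prints their keystore settings, and checks that each password is 40 characters and each store type is PKCS12, as the article says they should be. The attribute names keystoreFile, keystorePass and keystoreType are the standard Tomcat connector attributes; the article refers to the type as "storetype".

```shell
#!/bin/sh
# Added example, not from the Symantec article: extract and sanity-check the
# keystore settings of the Console (4443) and Agent (443) connectors in a
# Tomcat server.xml before the keystore file is replaced.
# Assumptions: keystoreFile/keystorePass/keystoreType are the standard Tomcat
# connector attributes; the server.xml written below is CONSTRUCTED sample data
# with placeholder values, not a file taken from a real installation.
set -e

WORKDIR="${WORKDIR:-$(mktemp -d)}"
SERVER_XML="$WORKDIR/server.xml"

# Constructed sample: two SSL connectors with 40-character placeholder passwords.
cat > "$SERVER_XML" <<'EOF'
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="4443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https"
               secure="true" clientAuth="false" sslProtocol="TLS"
               keystoreFile="C:\Program Files (x86)\Symantec\Data Center Security Server\Server\console-cert.ssl"
               keystorePass="0123456789abcdef0123456789abcdef01234567"
               keystoreType="PKCS12" />
    <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https"
               secure="true" clientAuth="true" sslProtocol="TLS"
               keystoreFile="C:\Program Files (x86)\Symantec\Data Center Security Server\Server\agent-cert.ssl"
               keystorePass="fedcba9876543210fedcba9876543210fedcba98"
               keystoreType="PKCS12" />
  </Service>
</Server>
EOF

# Join the file into one line so a Connector element that spans several lines
# is matched as a single unit, then select the element carrying the given port.
connector_for_port() {
  tr '\n' ' ' < "$SERVER_XML" | grep -o '<Connector[^>]*>' | grep "port=\"$1\"" | head -n 1
}

# Extract one attribute value (argument 2) from a connector element string (argument 1).
attr() {
  printf '%s\n' "$1" | sed -n "s/.*$2=\"\([^\"]*\)\".*/\1/p"
}

keystore_file() { attr "$(connector_for_port "$1")" keystoreFile; }
keystore_pass() { attr "$(connector_for_port "$1")" keystorePass; }
keystore_type() { attr "$(connector_for_port "$1")" keystoreType; }

# The article states the password is a 40-character alphanumeric string and the
# store type is PKCS12; flag anything else before the file is edited.
check_connector() {
  pass=$(keystore_pass "$1")
  type=$(keystore_type "$1")
  [ "${#pass}" -eq 40 ] || { echo "port $1: keystorePass is ${#pass} chars, expected 40" >&2; return 1; }
  [ "$type" = "PKCS12" ] || { echo "port $1: keystoreType is '$type', expected PKCS12" >&2; return 1; }
  return 0
}

for port in 4443 443; do
  echo "port $port: keystoreFile=$(keystore_file "$port") keystoreType=$(keystore_type "$port")"
  check_connector "$port"
done
```

Point SERVER_XML at the real file (after backing it up) to use the same functions against an installation; the keystoreFile value printed for port 4443 is the file the Console steps below replace, and the one for port 443 is the Agent keystore.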
- To generate new 2048-bit RSA keys for console and/or agent communications
- If you are reusing an existing keystore that was used for either the Agent (port 443) or Console (port 4443) connector, you must first delete the existing key in the keystore by referencing its alias: keytool.exe -delete -keystore [keystoreFile path] -alias sss -storepass [40 character alpha-numeric string found in server.xml] -storetype PKCS12
- Ensure that the Common Name (CN) is the hostname of the server if that hostname is DNS-resolvable. Otherwise, you must use the server's IP address.
- Record the hostname of the management server; this will be used to fill in the OU parameter.
- Using the command line, enter the following: keytool.exe -genkey -keystore [keystoreFile path] -alias sss -validity 5000 -keyalg RSA -sigalg SHA256withRSA -keysize 2048 -storetype PKCS12 -storepass [40 character alpha-numeric string found in server.xml] -keypass [40 character alpha-numeric string found in server.xml] -dname "CN=[Management server hostname or IP address]" -ext "SAN=DNS:[Management server hostname],IP:[Management server IP address]". For both the "-dname" and "-ext" parameters, the string [Management server hostname] should be replaced with a fully qualified domain name (FQDN). The FQDN should match the name as it appears when specified from a client program. If using the management server hostname (as opposed to a static IP address), verify that the hostname is DNS-resolvable from the client program's server. Also, if you are planning to use the key you are generating for CA-provided (for example, Verisign) certificates, you must also provide the -dname parameter with valid "C" country and "S" state values. Verisign or other CA providers may have additional key generation requirements. Lastly, your keytool command should include the "-ext" parameter to allow compliance with RFC 6125, using the Subject Alternative Name (SAN) record (as in: -ext "SAN=DNS:www.purple.com"). For the "-ext" parameter, you can use a DNS name or a static IP address, but not both.
- Using the command line, enter the following: keytool.exe -export -v -keystore [keystoreFile path] -alias sss -rfc -file exported-cert.crt -storepass [40 character alpha-numeric string found in server.xml] -storetype PKCS12
- Using the command line, enter the following from [DCS install path]\server\tools: openssl x509 -out exported-cert.der -outform DER -in exported-cert.crt. A WARNING message may be generated when running this command; you can ignore it.
- Using the command line, enter the following: openssl x509 -in exported-cert.der -inform DER -text -out exported-cert.pem -outform PEM. A WARNING message may be generated when running this command; you can ignore it.
- For agent updates, rename exported-cert.pem to agent-cert.ssl.
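The key-generation, export and conversion steps above can be rehearsed end to end on any host that has openssl 1.1.1 or later, and the result checked against what the article requires (a SAN carrying the FQDN for RFC 6125 name matching, a 2048-bit RSA key, a SHA-256 signature, and a PKCS12 keystore that opens with the password recorded from server.xml). The following shell script is an added example and is not part of the Symantec article or the product: it substitutes "openssl req" and "openssl pkcs12 -export" for the keytool -genkey step (keytool is not used), reproduces the article's PEM-to-DER and DER-to-PEM conversions and the rename to agent-cert.ssl, and then verifies the certificate. The FQDN, IP address and 40-character store password are constructed placeholders; whether the Tomcat connector accepts a keystore built by openssl in place of one built by keytool is an assumption, and the SAN carries both the DNS name and the IP address as in the keytool command line on this page.

```shell
#!/bin/sh
# Added example, not from the Symantec article: the article's key-generation and
# export steps reproduced with openssl alone (openssl 1.1.1+), then checked.
# Assumptions: MGMT_FQDN, MGMT_IP and STOREPASS are CONSTRUCTED placeholders;
# that the Tomcat connector accepts the PKCS12 file produced by
# "openssl pkcs12 -export" in place of a keytool-built keystore is an assumption.
set -e

WORKDIR="${WORKDIR:-$(mktemp -d)}"
MGMT_FQDN="dcs-manager.example.internal"                # constructed placeholder FQDN
MGMT_IP="192.0.2.10"                                    # constructed (RFC 5737 documentation range)
STOREPASS="0123456789abcdef0123456789abcdef01234567"    # constructed 40-char placeholder

# Counterpart of the keytool -genkey step: 2048-bit RSA key, SHA-256 signature,
# 5000-day validity, CN set to the management server FQDN, SAN with DNS and IP.
gen_key_and_cert() {
  openssl req -x509 -newkey rsa:2048 -sha256 -days 5000 -nodes \
    -keyout "$WORKDIR/sss.key" -out "$WORKDIR/exported-cert.crt" \
    -subj "/CN=$MGMT_FQDN" \
    -addext "subjectAltName=DNS:$MGMT_FQDN,IP:$MGMT_IP" 2>/dev/null
}

# Bundle key and certificate into a PKCS12 keystore under alias "sss", protected
# with the store password that server.xml carries for the connector.
make_keystore() {
  openssl pkcs12 -export -name sss -inkey "$WORKDIR/sss.key" -in "$WORKDIR/exported-cert.crt" \
    -passout "pass:$STOREPASS" -out "$WORKDIR/new-keystore.ssl"
}

# The article's two conversion steps (PEM -> DER, DER -> PEM) and the rename
# of the resulting PEM file to agent-cert.ssl.
convert_cert() {
  openssl x509 -in "$WORKDIR/exported-cert.crt" -outform DER -out "$WORKDIR/exported-cert.der"
  openssl x509 -in "$WORKDIR/exported-cert.der" -inform DER -outform PEM -out "$WORKDIR/exported-cert.pem"
  cp "$WORKDIR/exported-cert.pem" "$WORKDIR/agent-cert.ssl"
}

# Verify the properties the article requires before the file is deployed.
check_cert() {
  text=$(openssl x509 -in "$1" -noout -text)
  printf '%s\n' "$text" | grep -A1 'Subject Alternative Name' | grep -q "DNS:$MGMT_FQDN" \
    || { echo "SAN does not contain DNS:$MGMT_FQDN" >&2; return 1; }
  printf '%s\n' "$text" | grep -q 'Public-Key: (2048 bit)' \
    || { echo "key is not 2048-bit RSA" >&2; return 1; }
  printf '%s\n' "$text" | grep -q 'Signature Algorithm: sha256WithRSAEncryption' \
    || { echo "signature is not SHA-256 with RSA" >&2; return 1; }
  return 0
}

# Confirm the keystore opens with the password recorded from server.xml; a
# mismatch here is what stops the connector from starting after the swap.
check_keystore_password() {
  openssl pkcs12 -in "$WORKDIR/new-keystore.ssl" -noout -passin "pass:$STOREPASS" 2>/dev/null
}

gen_key_and_cert
make_keystore
convert_cert
check_cert "$WORKDIR/agent-cert.ssl"
check_keystore_password
echo "new keystore:      $WORKDIR/new-keystore.ssl"
echo "agent certificate: $WORKDIR/agent-cert.ssl"
```

One caveat on the keystore step: OpenSSL 3.x writes PKCS12 files with AES and PBKDF2 by default, which older Java runtimes cannot open; if the bundled JRE rejects the file, rebuild it with keytool as the article describes, or pass -legacy to "openssl pkcs12 -export" where the legacy provider is available. Wait for the same "Subject Alternative Name" line in the real certificate before copying agent-cert.ssl to any agent.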
- Replacing Existing Certificates with new 2048-bit Certificates for Data Center Security: Server
- Stop the Symantec Data Center Security Server Manager service.
- Restart the Symantec Data Center Security Server Manager service.
- Replace the original agent-cert.ssl with the renamed agent-cert.ssl created by openssl. The agent-cert.ssl is located at: %programfiles%\Symantec\Data Center Security Server\Server
- Restart the SCSP management service. Assuming server.xml is not changed, and the new keystore, certificate and keystore passwords match what is already in server.xml, the new certificate will automatically be used with the console and you should be asked at the next console login to accept the new certificate. If you are not asked, remove the siscerts file from the console's certificate store: [INSTALLDIR]\Console\certs\siscerts, which is usually: %programfiles%\Symantec\Data Center Security Server\Console\certs\siscerts. Open the Unified Management Console and accept the new certificate that you generated.
- Replacing Existing Certificates with new 2048-bit Certificates for Agent on Primary Data Center Security: Server
- Copy the newly created agent-cert.ssl to: %programfiles%\Symantec\Data Center Security Server\Server
- Update the Agent to use the new agent-cert.ssl with this command (forces use of the new agent-cert.ssl file): sisipsconfig -c agent-cert.ssl
- Test the connection from a command prompt: sisipsconfig -t. On Windows systems, sisipsconfig works from: %programfiles%\Symantec\Data Center Security Server\agent, and on UNIX systems, sisipsconfig works from: /opt/Symantec/scspagent/ips