Configuring encrypted communication between Symantec Endpoint Protection Manager and Microsoft SQL Server
Symantec Endpoint Protection Manager (SEPM) uses a certificate to authenticate communications between SEPM and the Microsoft SQL Server Express or SQL Server databases. You must generate the certificate and import it into the Symantec Endpoint Protection Manager computer for SEPM to connect to either SQL Server database. If the certificate does not exist, is expired, or is about to expire, the connection between SEPM and the database fails.

You can install or upgrade the management server and either SQL Server database if you have not imported the certificate. However, the Management Server Configuration Wizard detects whether the certificate is already expired or expires within the next 30 days. SEPM sends a notification every day until the 30 days are over to remind the administrator to import the certificate. You may see the following message:
Within the next 30 days, Symantec Endpoint Protection Manager will no longer be able to connect to the Microsoft SQL Server database because SQL Server uses a certificate that is about to expire.
Step 1: Generate a self-signed certificate
If your organization does not already have a Certificate Authority (CA)-signed certificate, you must generate one. This step describes how to generate a certificate and replace the default self-signed Symantec Endpoint Protection Manager (SEPM) certificate with a CA-signed certificate.
Step 2: Configure a permanent certificate for SQL Server
You must enable encrypted connections for an instance of the SQL Server Database Engine, and you must use SQL Server Configuration Manager to specify the certificate. See "Configure the SQL Server" in: Enable encrypted connections to the Database Engine.
Step 3: Import the SQL Server certificate into Windows on the Symantec Endpoint Protection Manager computer
The management server computer must have the SQL Server public certificate provisioned. To provision the certificate on the management server computer, you import it into Windows. The server computer must be set up to trust the certificate's root authority.
- On the Windows Server where SEPM is installed, right-click the certificate.
- In the Certificate Import Wizard, follow the steps to import the certificate. Under Store Location, select Local Machine. Select Place all certificates in the following store, click Browse, and in the Select Certificate Store dialog box, click Trusted Root Certification Authorities.
- Click OK, and then click Next.
Step 4: Configure permissions for the jre11 folder
If your SQL Server is configured using a domain admin with Windows authentication, the domain admin needs to have Read & execute, List folder contents, and Read permissions for the jre11 folder on the Symantec Endpoint Protection Manager server.
- On the Symantec Endpoint Protection Manager server, go to the \...\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager folder, right-click the jre11 folder, and click Properties.
- In the file properties window, on the Security tab, click Advanced.
- In the Advanced Security Settings window, on the Permissions tab, click Add.
- In the Permissions Entry window, click Select a principal.
- In the Select User, Computer, Service Account, or Group window, add the domain admin user, and click OK.
- In the Permissions Entry window, click OK.
- In the Advanced Security Settings window, on the Permissions tab, select the domain admin, and click Change.
- In the Select User, Computer, Service Account, or Group window, add the domain admin user again, and click OK.
- In the Advanced Security Settings window, check Replace owner on subcontainers and objects, check Replace all child object permission entries with inheritable permission entries from this object, click Enable inheritance, and click Apply.
- Click Yes and OK to confirm.
- In the file properties window, make sure that the domain admin user now has all required permissions, and click OK.
Step 5: Open the Management Server Configuration Wizard and complete the Server Configuration with the Windows Authentication option
To open the wizard, go to the \...\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\bin folder, and double-click the sca.exe file.
Step 6: Check if the communication is encrypted and using the SQL Server certificate
- On the management server, open the following file: C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\conf\Catalina\localhost\root.xml and make sure that encrypt=true and trustServerCertificate=false.
- On the SQL Server, open Protocols for MSSQLSERVER Properties, and check if Force Encryption=Yes.
- On the SQL Server, run the following query to check if the connection between Symantec Endpoint Protection Manager and SQL Server is encrypted:
SELECT session_id, connect_time, net_transport, encrypt_option, auth_scheme, client_net_address FROM sys.dm_exec_connections
Check if encrypt_option=TRUE.
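The two settings Step 6 asks you to confirm in root.xml are ordinary Microsoft JDBC connection properties, and the difference between them matters: encrypt=true turns TLS on, while trustServerCertificate=false is what makes the client actually validate the SQL Server certificate against the root you imported in Step 3. The following is an added example, not code from Symantec or the product; it assumes the connection properties appear as a semicolon-separated jdbc:sqlserver URL, and the host and database name in the sample are constructed placeholders.

```python
"""Check the JDBC connection properties SEPM uses for its SQL Server link."""
from typing import Dict, List

# Constructed sample of a jdbc:sqlserver URL; host, port and database name
# are placeholders, not values taken from a real management server.
SAMPLE_URL = ("jdbc:sqlserver://sqlhost.example.internal:1433;"
              "databaseName=sem5;encrypt=true;trustServerCertificate=false")


def parse_jdbc_properties(url: str) -> Dict[str, str]:
    """Split a jdbc:sqlserver URL into its ';'-separated key=value properties.

    The leading 'jdbc:sqlserver://host:port' segment is skipped. Keys are
    lower-cased because the driver treats property names case-insensitively.
    """
    props: Dict[str, str] = {}
    for part in url.split(";")[1:]:
        if "=" not in part:
            continue
        key, _, value = part.partition("=")
        props[key.strip().lower()] = value.strip()
    return props


def encryption_findings(url: str) -> List[str]:
    """Return the problems to raise against the connection settings.

    An empty list means the URL matches what Step 6 expects:
    encrypt=true and trustServerCertificate=false.
    """
    props = parse_jdbc_properties(url)
    findings: List[str] = []
    # Require encrypt to be set explicitly rather than relying on a driver
    # default; newer driver releases also accept "strict", which is stronger.
    if props.get("encrypt", "").lower() not in ("true", "strict"):
        findings.append("encrypt is not true: traffic to SQL Server may be sent in clear")
    if props.get("trustservercertificate", "false").lower() == "true":
        # TLS is still negotiated, but the server certificate is never checked
        # against the trusted roots, so the link can be intercepted by anyone
        # who presents a certificate of their own.
        findings.append("trustServerCertificate=true: the SQL Server certificate "
                        "is not validated")
    return findings


if __name__ == "__main__":
    for line in encryption_findings(SAMPLE_URL) or ["connection properties look correct"]:
        print(line)
```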