Configuring encrypted communication between Symantec Endpoint Protection Manager and Microsoft SQL Server

Symantec Endpoint Protection Manager uses a certificate to authenticate communications between the Symantec Endpoint Protection Manager (SEPM) and the Microsoft SQL Server Express or SQL Server databases. You must generate the certificate and import it into the Symantec Endpoint Protection Manager computer for SEPM to connect to either SQL Server database. If the certificate does not exist, is expired, or is about to expire, the connection between SEPM and the database fails.
You can install or upgrade the management server and either SQL Server database even if you have not imported the certificate. However, the Management Server Configuration Wizard detects whether the certificate is already expired or expires within the next 30 days. SEPM sends a notification every day until the 30 days are over to remind the administrator to import the certificate. You may see the following message:
Within the next 30 days, Symantec Endpoint Protection Manager will no longer be able to connect to the Microsoft SQL Server database because SQL Server uses a certificate that is about to expire.
Step 1: Generate a self-signed certificate
If your organization does not already have a Certificate Authority (CA) signed certificate, you must generate one. This step describes how to generate and replace the default self-signed Symantec Endpoint Protection Manager (SEPM) certificate with a CA-signed certificate. See:
Step 2: Configure a permanent certificate for SQL Server
You must enable encrypted connections for an instance of the SQL Server Database Engine and must use SQL Server Configuration Manager to specify the certificate. See "Configure the SQL Server" at:
Step 3: Import the SQL Server certificate into Windows on the Symantec Endpoint Protection Manager computer
The management server computer must have the SQL Server public certificate provisioned. To provision the certificate on the management server computer, you import it into Windows. The server computer must be set up to trust the certificate's root authority.
  1. On the Windows Server where SEPM is installed, right-click the certificate.
  2. In the Certificate Import Wizard, follow the steps to import the certificate.
    • Under Store Location, select Local Machine.
    • Select Place all certificates in the following store, click Browse, and in the Select Certificate Store dialog box, click Trusted Root Certification Authorities.
  3. Click OK, and then click Next.
Step 4: Configure permissions for the jre11 folder
If your SQL Server is configured using a domain admin with Windows authentication, the domain admin needs to have Read & execute, List folder contents, and Read permissions for the jre11 folder on the Symantec Endpoint Protection Manager server.
  1. On the Symantec Endpoint Protection Manager server, go to the \...\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager folder, right-click the jre11 folder, and click Properties.
  2. In the file properties window, on the Security tab, click Advanced.
  3. In the Advanced Security Settings window, on the Permissions tab, click Add.
  4. In the Permissions Entry window, click Select a principal.
  5. In the Select User, Computer, Service Account, or Group window, add the domainadmin user, and click OK.
  6. In the Permissions Entry window, click OK.
  7. In the Advanced Security Settings window, on the Permissions tab, select domainadmin, and click Change.
  8. In the Select User, Computer, Service Account, or Group window, add the domainadmin user again, and click OK.
  9. In the Advanced Security Settings window, check Replace owner on subcontainers and objects, check Replace all child object permission entries with inheritable permission entries from this object, click Enable inheritance, and click Apply.
  10. Click Yes and OK to confirm.
  11. In the file properties window, make sure that the domainadmin user now has all required permissions, and click OK.
Step 5: Open the Management Server Configuration Wizard and complete the Server Configuration with the Windows Authentication option
To open the wizard, go to the \...\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\bin folder, and double-click the sca.exe file.
Step 6: Check if the communication is encrypted and using the SQL Server certificate
  1. On the management server, open the following file:
    C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\conf\Catalina\localhost\root.xml
    and make sure that encrypt=true and trustServerCertificate=false.
  2. On the SQL Server, open Protocols for MSSQLSERVER Properties, and check if Force Encryption=Yes.
  3. On the SQL Server, run the following query to check if the connection between Symantec Endpoint Protection Manager and SQL Server is encrypted:
    SELECT session_id, connect_time, net_transport, encrypt_option, auth_scheme, client_net_address FROM sys.dm_exec_connections
    Check if encrypt_option=TRUE.
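The three checks of Step 6 as one script, added here as an example that is not part of the Symantec article. It assumes the default SEPM install path, that root.xml carries the JDBC properties as plain text, and uses placeholders for the SQL Server certificate thumbprint and the instance name; the point of checking trustServerCertificate is that a value of true still encrypts but skips validation of the server certificate, so the root authority imported in Step 3 would never be consulted.

```powershell
# Added verification script for Step 6; it is not part of the Symantec article.
# Assumptions: default SEPM install path; root.xml holds the JDBC properties as
# plain text; the thumbprint and instance name below are placeholders.
$RootXml = 'C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\conf\Catalina\localhost\root.xml'
$SqlCertThumbprint = '<SQL-SERVER-CERT-THUMBPRINT>'   # placeholder
$SqlInstance       = 'SQLHOST\MSSQLSERVER'            # placeholder

function Test-SepmJdbcEncryption {
    param([string]$Path)
    $text    = Get-Content -Path $Path -Raw
    $encrypt = [regex]::Match($text, 'encrypt=(true|false)', 'IgnoreCase').Groups[1].Value
    $trust   = [regex]::Match($text, 'trustServerCertificate=(true|false)', 'IgnoreCase').Groups[1].Value
    # encrypt=true with trustServerCertificate=true gives TLS without server
    # certificate validation, so both values must be checked together.
    [pscustomobject]@{ Encrypt = $encrypt; TrustServerCertificate = $trust
                       Ok = ($encrypt -eq 'true' -and $trust -eq 'false') }
}

function Test-SqlCertificateTrust {
    param([string]$Thumbprint, [int]$WarnDays = 30)
    # The certificate imported in Step 3 must be present in Trusted Root and
    # not inside the 30-day expiry window that triggers the daily SEPM warning.
    $cert = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { return [pscustomobject]@{ Found = $false; DaysLeft = $null; Ok = $false } }
    $days = [math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
    [pscustomobject]@{ Found = $true; DaysLeft = $days; Ok = ($days -gt $WarnDays) }
}

function Get-UnencryptedSqlConnections {
    param([string]$Instance)
    # The article's query, run over an encrypted and validated connection.
    $cs   = "Server=$Instance;Database=master;Integrated Security=True;Encrypt=True;TrustServerCertificate=False"
    $conn = New-Object System.Data.SqlClient.SqlConnection -ArgumentList $cs
    $conn.Open()
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = 'SELECT session_id, connect_time, net_transport, encrypt_option, auth_scheme, client_net_address FROM sys.dm_exec_connections'
    $table = New-Object System.Data.DataTable
    $table.Load($cmd.ExecuteReader())
    $conn.Close()
    # Any row whose encrypt_option is not TRUE is a session still running in the clear.
    $table.Rows | Where-Object { $_.encrypt_option -ne 'TRUE' } |
        Select-Object session_id, net_transport, encrypt_option, auth_scheme, client_net_address
}

Test-SepmJdbcEncryption -Path $RootXml
Test-SqlCertificateTrust -Thumbprint $SqlCertThumbprint
Get-UnencryptedSqlConnections -Instance $SqlInstance
```

Run the first two functions on the SEPM server and the third from an account with VIEW SERVER STATE on the SQL Server; an empty result from the third means every current connection reports encrypt_option=TRUE.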