Generating a unique browser certificate
By default, connections between the Enforce Server and the browser use a single, self-signed certificate. This certificate is embedded securely inside the Symantec Data Loss Prevention software. The keytool utility manages keys and certificates. This utility enables users to administer their own public and private key pairs and associated certificates for use in self-authentication.
- Collect the following information:
  - Common Name: The fully qualified DNS name of the Enforce Server. This must be the actual name of the server accessible by all the clients. For example, https://Server_name
  - Organization Name: The name of your company or organization. For example, Acme, Inc.
  - Organizational Unit: The name of your division, department, unit, etc. (Optional) For example, Engineering
  - City: The city, town, or area where you are located. For example, San Francisco
  - State: The name of your state, province, or region. For example, California or CA
  - Country: Your two-letter country code. For example, US
  - Expiration: The certificate expiration time in number of days. For example, 90
- Stop all the Symantec DLP services on the Enforce Server.
- On the Enforce Server, go to the `C:\Program Files\AdoptOpenJRE\[JRE version]\bin` (Windows) or `/opt/AdoptOpenJRE/[JRE version]/bin` (Linux) directory. The keytool software is located in this directory.
- Use keytool to create the self-signed certificate (keystore file). This keystore file can also be used to obtain a certificate from a certificate authority. From within the `bin` directory, run the following command with the information collected earlier. If the `/opt/AdoptOpenJRE/[JRE version]/bin` directory is not on your path, use `./keytool` to run it from the current directory.

  `keytool -genkey -alias tomcat -keyalg RSA -keysize 1024 -keystore .keystore -validity NNN -storepass protect -dname "CN=common_name, O=organization_name, OU=organization_unit, L=city, S=state, C=XX"`

  Where:
  - The `-alias` parameter specifies the name of this certificate key. This name is used to identify this certificate when you run other keytool commands. The value for the `-alias` parameter must be `tomcat`.
  - The `-keystore` parameter specifies the name and location of the keystore file, which must be `.keystore` located in this directory. This is specified by using `-keystore .keystore`.
  - The `-keyalg` parameter specifies the algorithm to be used to generate the key pair. In this case, the algorithm to specify is `RSA`.
  - The `-keysize` parameter specifies the size of each key to be generated. For example, `1024`. Note that 1024-bit RSA keys are now considered weak and are rejected by current browsers; a key size of 2048 or larger avoids this.
  - The `-validity` parameter specifies the number of days the certificate is good for. For example, `-validity 365` specifies that the certificate is good for 365 days (or one year). The number of days you choose to specify for the `-validity` parameter is up to you. If a certificate is used for longer than the number of days specified by `-validity`, the browser displays an "Expired" message when it accesses the Enforce Server administration console. The best practice is to replace an expired certificate with a new one.
  - The `-storepass` parameter specifies the password used to protect the integrity of the keystore. If you opted to use a password other than "protect," enter it for the `-storepass` parameter. You must also modify the following files to use the password:
    - `protect.properties`, located at `../Protect/config`: update the line `# keystore com.vontu.manager.tomcat.keystore.password = my_password` to replace `my_password` with your password.
    - `server.xml`, located at `../tomcat/conf`: update the line `# keystorePass = my_password` to replace `my_password` with your password.
  - The `-dname` parameter specifies the X.500 Distinguished Name to be associated with this alias. It is used as the issuer and subject fields in a self-signed certificate. The attributes that follow make up the value of the `-dname` parameter.
    - The `CN` attribute specifies the common name. For example, `CN=linda wu`. For the Enforce Server browser certificate, use the fully qualified DNS name of the server collected earlier, because the browser compares this name with the host name it connected to.
    - The `O` attribute specifies your organization's name. For example, `O=Acme Inc.`
    - The `OU` attribute specifies your organization's unit or division name. For example, `OU=Engineering Department`
    - The `L` attribute specifies your city. For example, `L=San Francisco`
    - The `S` attribute specifies your state or province. For example, `S=California`
    - The `C` attribute specifies the two-letter country code of your country. For example, `C=US`
  - If you are asked for a keypass password, press Return to make the keypass password the same as the storepass password.

  An updated `.keystore` file is generated.
- (Optional) Rename or move the existing `.keystore` file from the `\Protect\tomcat\conf` (Windows) or `protect/tomcat/conf` (Linux) directory.
- Copy the updated `.keystore` file into the `C:\Program Files\Symantec\DataLossPrevention\EnforceServer\15.8.00000\protect\tomcat\conf` (Windows) or `/opt/Symantec/DataLossPrevention/EnforceServer/15.8.00000/protect/tomcat/conf` (Linux) directory.
- Restart the Symantec DLP services on the Enforce Server.
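The keytool step of the procedure above, wrapped in a checked shell script (an added example, not Symantec's own procedure or tooling): it escapes commas in DN values such as "Acme, Inc." so they are not split into two attributes, refuses RSA key sizes below 2048 bits, adds a subjectAltName for the server name, and verifies the resulting keystore. The host name `enforce.example.internal`, the organization values and the `RUN_KEYTOOL` variable are constructed placeholders; `tomcat` and `.keystore` are the values the procedure requires.

```shell
#!/bin/sh
# Added example, not from the Symantec DLP documentation. Wraps the keytool
# step with checks worth making before generating the Enforce Server browser
# certificate. Host name, organization and password are constructed
# placeholders; alias (tomcat) and keystore name (.keystore) are required.

# Escape commas in one DN value so "Acme, Inc." is not split into two RDNs.
escape_rdn() { printf '%s' "$1" | sed 's/,/\\,/g'; }

# build_dname CN O OU L S C -> the X.500 Distinguished Name for -dname
build_dname() {
    printf 'CN=%s, O=%s, OU=%s, L=%s, S=%s, C=%s' "$(escape_rdn "$1")" \
        "$(escape_rdn "$2")" "$(escape_rdn "$3")" "$(escape_rdn "$4")" \
        "$(escape_rdn "$5")" "$6"
}

# check_params FQDN KEYSIZE DAYS COUNTRY -> 0 only when the values are usable.
# Browsers reject RSA keys under 2048 bits and compare the certificate name
# with the host name they connected to, so CN must be the server's DNS name.
check_params() {
    case $1 in *.*) ;; *) echo "CN must be the Enforce Server FQDN" >&2; return 1 ;; esac
    [ "$2" -ge 2048 ] 2>/dev/null || { echo "keysize must be at least 2048" >&2; return 1; }
    [ "$3" -ge 1 ] 2>/dev/null || { echo "validity must be a positive day count" >&2; return 1; }
    case $4 in [A-Z][A-Z]) ;; *) echo "country must be a two-letter code" >&2; return 1 ;; esac
}

# gen_command FQDN KEYSIZE DAYS STOREPASS DNAME -> the keytool command line.
# -genkeypair is the current name of -genkey; -ext SAN adds the subjectAltName
# that current browsers check instead of CN.
gen_command() {
    printf 'keytool -genkeypair -alias tomcat -keyalg RSA -keysize %s -keystore .keystore -validity %s -storepass %s -ext SAN=dns:%s -dname "%s"' \
        "$2" "$3" "$4" "$1" "$5"
}

# With RUN_KEYTOOL=1, generate .keystore in the current directory and confirm
# that the key size and SAN actually landed in the certificate.
main() {
    fqdn=enforce.example.internal   # constructed placeholder
    check_params "$fqdn" 2048 365 US || exit 1
    dn=$(build_dname "$fqdn" "Acme, Inc." Engineering "San Francisco" California US)
    cmd=$(gen_command "$fqdn" 2048 365 protect "$dn")
    echo "$cmd"
    command -v keytool >/dev/null || { echo "keytool not on PATH; run from the JRE bin directory" >&2; exit 1; }
    eval "$cmd"
    keytool -list -v -keystore .keystore -storepass protect -alias tomcat |
        grep -E '2048-bit RSA|DNSName: ' || { echo "keystore check failed" >&2; exit 1; }
}
if [ "${RUN_KEYTOOL:-0}" = 1 ]; then main; fi
```

Run it from the JRE `bin` directory as `RUN_KEYTOOL=1 ./gen_enforce_cert.sh`; without the variable it only defines the functions, so the checks can be reused for other values.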
As an alternative to using a self-signed certificate, you can use a certificate issued by an internal or external certificate authority (CA). Consult your certificate authority for instructions on how to obtain a CA-signed certificate. Certificate authorities provide a root certificate and a signed certificate. When using certificates signed by a CA, both must be imported into the Enforce Server keystore using the following commands. The signed certificate is imported under the same alias (`tomcat`) as the key pair generated above, so that it replaces the self-signed certificate:

`keytool -import -alias root -keystore .keystore -trustcacerts -file root_certificate`

`keytool -import -alias tomcat -keystore .keystore -trustcacerts -file signed_certificate`