Configuring the Server Certificate on the Enforce Server

After you configure the AWS Oracle RDS Option Group with SSL, you configure the Enforce Server JDBC driver and the server certificate. First you import the AWS Oracle RDS certificate into the Enforce Server Java keystore. Then you configure the JDBC driver to use the Oracle RDS SSL/TLS connection and port.
The following process assumes that the SSL Option is configured with TCP port 2484.
  1. Locate the Jdbc.properties file at the following location (based on your platform):
    • Windows: C:\Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\Protect\config
    • Linux: /opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/protect/config
  2. Modify the following communication port and connection information:
    • Update the jdbc.dbalias.oracle-thin line to use TCPS.
    • Change the port number to 2484.
      The updated communication port and connection information should display as follows (all parentheses must balance, or the driver rejects the descriptor):
      jdbc.dbalias.oracle-thin=@(description=(address=(host=[oracle host name])(protocol=tcps)(port=2484))(connect_data=(service_name=protect))(SSL_SERVER_CERT_DN="CN=oracleserver"))
      The following is an example of what the completed communication port and connection information might look like. The values you use differ based on your system; using the following information as-is may cause the configuration to fail.
      The example uses "protect" for the database SID and "2484" for the TLS port.
      jdbc.dbalias.oracle-thin=@(description=(address=(host=oracle-rds-dns-name)(protocol=tcps)(port=2484))(connect_data=(service_name=protect)(SSL_SERVER_CERT_DN="C=US,ST=Washington,L=Seattle,O=Amazon.com,OU=RDS, CN=oracle-rds-dns-name")))
      The certificate details (the SSL_SERVER_CERT_DN value) shown above are valid for the rds-ca-2015-root and rds-ca-2019-root certificates; replace the port number with the port configured for SSL in the option group.
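      Because a single misplaced parenthesis or a leftover (protocol=tcp) silently breaks the connection, it is worth checking the edited line before restarting the services. The following script is an added example, not part of the Symantec documentation or product: it parses the parenthesised Oracle descriptor assigned to jdbc.dbalias.oracle-thin and reports a non-TCPS protocol, a port that differs from the option group SSL port, unbalanced parentheses, or a missing or mismatched SSL_SERVER_CERT_DN. The embedded jdbc.properties text and the host name oracle-rds-dns-name are constructed sample values.

```python
"""Sanity-check the Enforce Server jdbc.properties Oracle TLS descriptor.

Added example (not Symantec DLP code). Parses the (key=value) descriptor
assigned to jdbc.dbalias.oracle-thin and flags the mistakes that make the
TLS connection fail: protocol other than tcps, wrong port, unbalanced
parentheses, missing or mismatched SSL_SERVER_CERT_DN.
"""

ALIAS_KEY = "jdbc.dbalias.oracle-thin"

# Constructed sample of the relevant jdbc.properties line (host name invented).
SAMPLE_JDBC_PROPERTIES = (
    "# other keys omitted\n"
    "jdbc.dbalias.oracle-thin=@(description=(address=(host=oracle-rds-dns-name)"
    "(protocol=tcps)(port=2484))(connect_data=(service_name=protect))"
    '(SSL_SERVER_CERT_DN="C=US,ST=Washington,L=Seattle,O=Amazon.com,OU=RDS,'
    'CN=oracle-rds-dns-name"))\n'
)


def _skip_ws(s, i):
    while i < len(s) and s[i].isspace():
        i += 1
    return i


def _parse_groups(s, i):
    """Parse consecutive (key=value) groups from index i; keys are lower-cased."""
    groups = {}
    i = _skip_ws(s, i)
    while i < len(s) and s[i] == "(":
        eq = s.find("=", i)
        if eq == -1:
            raise ValueError(f"missing '=' after offset {i}")
        key = s[i + 1:eq].strip().lower()
        i = _skip_ws(s, eq + 1)
        if i >= len(s):
            raise ValueError("unexpected end of descriptor")
        if s[i] == "(":                      # nested group list, e.g. address=(...)
            value, i = _parse_groups(s, i)
        elif s[i] == '"':                    # quoted value, e.g. the certificate DN
            end = s.find('"', i + 1)
            if end == -1:
                raise ValueError("unterminated quoted value")
            value, i = s[i + 1:end], end + 1
        else:                                # bare value up to the closing ')'
            end = s.find(")", i)
            if end == -1:
                raise ValueError("unterminated value")
            value, i = s[i:end].strip(), end
        i = _skip_ws(s, i)
        if i >= len(s) or s[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        groups[key] = value
        i = _skip_ws(s, i + 1)
    return groups, i


def parse_descriptor(value):
    """Parse '@(description=...)' into nested dicts; reject unbalanced input."""
    s = value.strip().lstrip("@")
    groups, i = _parse_groups(s, 0)
    if i != len(s):
        raise ValueError(f"unbalanced parentheses near offset {i}: {s[i:i + 20]!r}")
    return groups


def alias_from_properties(text):
    """Return the raw jdbc.dbalias.oracle-thin value from properties text, or None."""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(ALIAS_KEY + "="):
            return line[len(ALIAS_KEY) + 1:]
    return None


def check_tls_descriptor(value, expected_port=2484):
    """Return a list of findings; an empty list means the descriptor looks right."""
    try:
        desc = parse_descriptor(value).get("description", {})
    except ValueError as exc:
        return [f"descriptor does not parse: {exc}"]
    findings = []
    addr = desc.get("address", {})
    if addr.get("protocol", "").lower() != "tcps":
        findings.append("protocol must be tcps for an SSL/TLS connection")
    if addr.get("port") != str(expected_port):
        findings.append(f"port {addr.get('port')!r} does not match option group SSL port {expected_port}")
    # The documentation shows SSL_SERVER_CERT_DN either directly under
    # description or under connect_data; accept both placements.
    dn = desc.get("ssl_server_cert_dn") or desc.get("connect_data", {}).get("ssl_server_cert_dn")
    if not dn:
        findings.append("SSL_SERVER_CERT_DN is missing, so the server certificate DN is not checked")
    else:
        attrs = dict(p.strip().split("=", 1) for p in dn.split(",") if "=" in p)
        if attrs.get("CN") != addr.get("host"):
            findings.append(f"certificate CN {attrs.get('CN')!r} does not match host {addr.get('host')!r}")
    return findings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_JDBC_PROPERTIES
    alias = alias_from_properties(text)
    problems = check_tls_descriptor(alias) if alias else [f"{ALIAS_KEY} not found"]
    print("OK" if not problems else "\n".join(problems))
```

      Run it against the real file (python check_jdbc.py /opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/protect/config/Jdbc.properties, assuming that script name) before restarting the services; the CN check assumes the certificate CN equals the host in the descriptor, as in the page's completed example, so adjust it if your DN uses a different CN.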
  3. Add the certificate to the cacerts file that is located on the Enforce Server by completing the following steps. Replace <version> with the OpenJRE version running on your system.
    1. Copy the Oracle RDS certificate file (rds-ca-2015-root.der or rds-ca-2019-root.der) to the following location (based on your platform):
      • Windows: C:\Program Files\AdoptOpenJRE\jdk8u<version>-b10-jre\lib\security
      • Linux: /opt/AdoptOpenJRE/jdk8u<version>-b10-jre/lib/security
    2. Change the directory by running the following command (based on your platform):
      • Windows: cd "C:\Program Files\AdoptOpenJRE\jdk8u<version>-b10-jre\lib\security"
      • Linux: cd /opt/AdoptOpenJRE/jdk8u<version>-b10-jre/lib/security
    3. Insert the certificate into the cacerts file by running the following command as an administrator (on Windows) or a root user (on Linux):
      keytool -import -alias oracleservercert -keystore cacerts -file rds-ca-2015-root.der
      or
      keytool -import -alias oracleservercert2019 -keystore cacerts -file rds-ca-2019-root.der
      Enter the default password (changeit) when you are prompted, and answer yes when keytool asks whether to trust the certificate.
    4. Confirm that the certificate was added by running the following command (based on your platform) and checking that the alias you imported is listed:
      • Windows: keytool -list -v -keystore "C:\Program Files\AdoptOpenJRE\jdk8u<version>-b10-jre\lib\security\cacerts" -storepass changeit
      • Linux: keytool -list -v -keystore /opt/AdoptOpenJRE/jdk8u<version>-b10-jre/lib/security/cacerts -storepass changeit
  4. Restart all SymantecDLP services.