Configuring the Server Certificate on the Enforce Server
After you configure the AWS Oracle RDS Option Group with SSL, you configure the Enforce Server JDBC driver and the server certificate. You import the AWS Oracle RDS certificate into the Enforce Server Java keystore. Last, you configure the JDBC driver to use the Oracle RDS SSL/TLS connection and port.
The following process assumes that the SSL Option is configured with TCP port 2484.
- Locate the Jdbc.properties file at the following location (based on your platform):
  - Windows: C:\Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\Protect\config
  - Linux: /opt/Symantec/DataLossPrevention/EnforceServer/16.0.10000/protect/config
- Modify the following communication port and connection information:
  - Update the jdbc.dbalias.oracle-thin line to use TCPS.
  - Change the port number to 2484. The updated communication port and connection information should display as follows:

    ```
    jdbc.dbalias.oracle-thin=@(description=(address=(host=[oracle host name]) (protocol=tcps)(port=2484))(connect_data=(service_name=protect)) (SSL_SERVER_CERT_DN="CN=oracleserver"))
    ```

    The following is an example of what the completed communication port and connection information might look like. The information you use differs based on your system; using the following information as-is may cause the configuration to fail. The example uses "protect" for the database SID and "2484" for the TLS port.

    ```
    jdbc.dbalias.oracle-thin=@(description=(address=(host=oracle-rds-dns-name) (protocol=tcps)(port=2484))(connect_data=(service_name=protect) (SSL_SERVER_CERT_DN="C=US,ST=Washington,L=Seattle,O=Amazon.com,OU=RDS, CN=oracle-rds-dns-name")))
    ```

    The certificate details provided above are valid for the rds-ca-2015-root and rds-ca-2019-root certificates, but you replace the port number with the number used for the SSL port in the option group.
- Add the certificate to the cacerts file that is located on the Enforce Server by completing the following steps. Replace <version> with the OpenJRE version running on your system.
  - Copy the Oracle RDS certificate file (rds-ca-2015-root.der or rds-ca-2019-root.der) to the following location (based on your platform):
    - Windows: C:\Program Files\AdoptOpenJRE\jdk8u<version>-b10-jre\lib\security
    - Linux: /opt/AdoptOpenJRE/jdk8u<version>-b10-jre/lib/security
  - Change the directory by running the following command (based on your platform):
    - Windows: cd "C:\Program Files\AdoptOpenJRE\jdk8u<version>-b10-jre\lib\security"
    - Linux: cd /opt/AdoptOpenJRE/jdk8u<version>-b10-jre/lib/security
  - Insert the certificate into the cacerts file by running one of the following commands as an administrator (on Windows) or a root user (on Linux):

    ```
    keytool -import -alias oracleservercert -keystore cacerts -file rds-ca-2015-root.der
    ```

    or

    ```
    keytool -import -alias oracleservercert2019 -keystore cacerts -file rds-ca-2019-root.der
    ```

    Enter the default password when you are prompted: changeit.
  - Confirm that the certificate was added by running the following command (based on your platform). To list only the entry you imported instead of the whole keystore, add -alias oracleservercert (or -alias oracleservercert2019) to the command.
    - Windows: keytool -list -v -keystore "C:\Program Files\AdoptOpenJRE\jdk8u<version>-b10-jre\lib\security\cacerts" -storepass changeit
    - Linux: keytool -list -v -keystore /opt/AdoptOpenJRE/jdk8u<version>-b10-jre/lib/security/cacerts -storepass changeit
- Restart all Symantec DLP services.
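A mistake in the jdbc.dbalias.oracle-thin descriptor edited above (protocol left at tcp, the old 1521 port, a host placeholder never replaced, or a missing SSL_SERVER_CERT_DN) is only discovered after the services restart, and an unencrypted fallback is easy to miss. The following script is an added example, not Symantec's or Oracle's code: it parses Oracle's parenthesised (key=value) descriptor syntax and reports anything that would leave the Enforce-to-RDS connection unencrypted or unverified. It assumes the descriptor layout shown on this page and the 2484 port the page assumes; the property lines embedded in it are constructed samples, and the file path argument is whatever Jdbc.properties you point it at.

```python
"""Sanity-check the jdbc.dbalias.oracle-thin descriptor before restarting the DLP services.

Added example (not Symantec's or Oracle's code). Sample lines are constructed.
"""
import re
import sys
from typing import List, Optional, Tuple, Union

Pairs = List[Tuple[str, Union[str, "Pairs"]]]
KEY_RE = re.compile(r"\s*([A-Za-z_][A-Za-z0-9_]*)\s*=")


def parse_descriptor(text: str) -> Pairs:
    """Parse "(k=v)(k=(k=v)...)" into nested (key, value) lists. Keys are lower-cased,
    scalars come back as strings with quotes stripped. Raises ValueError on malformed
    or unbalanced input, which is what a stray ')' from a copy-paste produces."""
    pos, n = 0, len(text)

    def skip_ws() -> None:
        nonlocal pos
        while pos < n and text[pos].isspace():
            pos += 1

    def parse_group() -> Pairs:
        nonlocal pos
        items: Pairs = []
        while True:
            skip_ws()
            if pos >= n or text[pos] != "(":
                return items                      # end of this nesting level
            pos += 1                              # consume '('
            m = KEY_RE.match(text, pos)
            if not m:
                raise ValueError(f"expected key= at offset {pos}")
            key = m.group(1).lower()
            pos = m.end()
            skip_ws()
            if pos < n and text[pos] == "(":      # nested group
                value: Union[str, Pairs] = parse_group()
            elif pos < n and text[pos] == '"':    # quoted scalar; may contain ',' and '='
                end = text.find('"', pos + 1)
                if end < 0:
                    raise ValueError(f"unterminated quote at offset {pos}")
                value = text[pos + 1:end]
                pos = end + 1
            else:                                 # bare scalar up to the closing ')'
                end = text.find(")", pos)
                if end < 0:
                    raise ValueError(f"unterminated value at offset {pos}")
                value = text[pos:end].strip()
                pos = end
            skip_ws()
            if pos >= n or text[pos] != ")":
                raise ValueError(f"missing ')' at offset {pos}")
            pos += 1
            items.append((key, value))

    items = parse_group()
    skip_ws()
    if pos != n:
        raise ValueError(f"unexpected trailing text at offset {pos}: {text[pos:pos + 20]!r}")
    return items


def find(pairs: Pairs, key: str) -> Optional[Union[str, Pairs]]:
    """First value for key at this nesting level, or None."""
    return next((v for k, v in pairs if k == key), None)


def find_deep(pairs: Pairs, key: str) -> Optional[Union[str, Pairs]]:
    """First value for key at any depth: this page places SSL_SERVER_CERT_DN under
    description or connect_data, Oracle's own documentation under a security group."""
    for k, v in pairs:
        if k == key:
            return v
        if isinstance(v, list):
            hit = find_deep(v, key)
            if hit is not None:
                return hit
    return None


def check_tls_descriptor(property_line: str, expected_port: int = 2484) -> List[str]:
    """Return the problems found in one jdbc.dbalias.oracle-thin=@(...) line; [] means OK."""
    _, _, raw = property_line.partition("=")
    raw = raw.strip()
    if not raw.startswith("@"):
        return ["descriptor must start with '@'"]
    try:
        desc = parse_descriptor(raw[1:])
    except ValueError as err:
        return [f"syntax error: {err}"]
    description = find(desc, "description")
    if not isinstance(description, list):
        return ["missing (description=...) group"]
    address = find(description, "address")
    if not isinstance(address, list):
        return ["missing (address=...) group"]
    problems: List[str] = []
    protocol = find(address, "protocol")
    if not isinstance(protocol, str) or protocol.lower() != "tcps":
        problems.append(f"protocol is {protocol!r}, expected tcps (tcp leaves the session unencrypted)")
    port = find(address, "port")
    if port != str(expected_port):
        problems.append(f"port is {port!r}, expected {expected_port} (the option group's SSL port)")
    host = find(address, "host")
    if not isinstance(host, str) or not host or host.startswith("["):
        problems.append(f"host {host!r} is empty or still a placeholder")
    connect_data = find(description, "connect_data")
    if not isinstance(connect_data, list) or not find(connect_data, "service_name"):
        problems.append("missing connect_data/service_name")
    if not find_deep(description, "ssl_server_cert_dn"):
        problems.append("missing ssl_server_cert_dn: the server certificate's DN would not be matched")
    return problems


def check_jdbc_properties(path: str, expected_port: int = 2484) -> List[str]:
    """Check the oracle-thin alias line of a Jdbc.properties file on disk."""
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            if line.strip().startswith("jdbc.dbalias.oracle-thin="):
                return check_tls_descriptor(line.strip(), expected_port)
    return ["jdbc.dbalias.oracle-thin line not found"]


# Constructed sample lines (not from a real deployment).
GOOD_LINE = ('jdbc.dbalias.oracle-thin=@(description=(address=(host=oracle-rds-dns-name)'
             ' (protocol=tcps)(port=2484))(connect_data=(service_name=protect)'
             ' (SSL_SERVER_CERT_DN="C=US,ST=Washington,L=Seattle,O=Amazon.com,OU=RDS, CN=oracle-rds-dns-name")))')
TEMPLATE_LINE = ('jdbc.dbalias.oracle-thin=@(description=(address=(host=[oracle host name])'
                 ' (protocol=tcps)(port=2484))(connect_data=(service_name=protect))'
                 ' (SSL_SERVER_CERT_DN="CN=oracleserver"))')
PLAINTEXT_LINE = ('jdbc.dbalias.oracle-thin=@(description=(address=(host=oracle-rds-dns-name)'
                  '(protocol=tcp)(port=1521))(connect_data=(service_name=protect)))')

if __name__ == "__main__":
    results = check_jdbc_properties(sys.argv[1]) if len(sys.argv) > 1 else check_tls_descriptor(PLAINTEXT_LINE)
    print("OK" if not results else "\n".join(results))
```

Run it with the path to Jdbc.properties as the only argument before restarting the services; with no argument it checks the constructed plaintext sample and reports all three problems. The DN is looked up at any depth on purpose, since the two descriptors on this page place SSL_SERVER_CERT_DN at different levels.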