Create a Password Update Plan

Set up a sync that matches the cadence of the password rotation. Create scheduled tasks that copy the EnforceReinstallationResources.zip file and all Java keystore (*.jks) files in the JRE and Tomcat paths, plus any custom command-and-control certificates, to your standby or backup location. These files contain private keys and credentials, so the sync target must be as tightly permissioned as the source.
You can confirm that the cryptographic keys were rotated by reviewing the log entries. For example, the log file manager_operational_X.log may contain entries such as the following (the first line is shown without its timestamp prefix):

  (MANAGER.2) The Manager is now running
  26/Apr/21:16:05:14:259-0400 [INFO] (MANAGER.805) Checking if cryptographic keys require rotation
  26/Apr/21:16:05:14:312-0400 [INFO] (MANAGER.806) The System cryptographic keystore has been rotated. Next rotation will occur in 30 days
  26/Apr/21:16:05:14:325-0400 [INFO] (MANAGER.807) The External cryptographic keystore has been rotated. Next rotation will occur in 30 days

A MANAGER.805 entry alone only shows that the check ran; look for both the MANAGER.806 (System) and MANAGER.807 (External) entries to confirm that both keystores were actually rotated, and schedule the sync so that it runs after the rotation time recorded there.
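As an added example (not part of the Symantec documentation or product), the following Python parses a manager_operational log for the MANAGER.806/MANAGER.807 rotation entries, using the timestamp layout shown in the excerpt above, and reports for each keystore whether it is rotated and current, overdue, or missing from the log. The sample log text is constructed from the excerpt; the strptime format string, the two-digit-year assumption and the status names are my own.

```python
import re
from datetime import datetime, timedelta

# Constructed sample based on the log excerpt above. The first line keeps its
# missing timestamp prefix so the parser demonstrates skipping it.
SAMPLE_LOG = """\
(MANAGER.2) The Manager is now running
26/Apr/21:16:05:14:259-0400 [INFO] (MANAGER.805) Checking if cryptographic keys require rotation
26/Apr/21:16:05:14:312-0400 [INFO] (MANAGER.806) The System cryptographic keystore has been rotated. Next rotation will occur in 30 days
26/Apr/21:16:05:14:325-0400 [INFO] (MANAGER.807) The External cryptographic keystore has been rotated. Next rotation will occur in 30 days
"""

# Assumed line layout: dd/Mon/yy:HH:MM:SS:mmm+zzzz [LEVEL] (MANAGER.nnn) message
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/[A-Za-z]{3}/\d{2}:\d{2}:\d{2}:\d{2}:\d{3}[+-]\d{4}) "
    r"\[(?P<level>\w+)\] \((?P<code>MANAGER\.\d+)\) (?P<msg>.*)$"
)
ROTATED_RE = re.compile(
    r"The (?P<keystore>\w+) cryptographic keystore has been rotated\. "
    r"Next rotation will occur in (?P<days>\d+) days"
)
TS_FORMAT = "%d/%b/%y:%H:%M:%S:%f%z"  # %f accepts the 3-digit millisecond field


def ts_from_log(text):
    """Parse a timestamp in the log's own format into an aware datetime."""
    return datetime.strptime(text, TS_FORMAT)


def parse_rotation_events(log_text):
    """Return one record per keystore-rotated entry, in file order."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # no timestamp prefix, or not a manager log line
        r = ROTATED_RE.search(m.group("msg"))
        if not r:
            continue  # e.g. MANAGER.805 "Checking if..." is not a rotation
        rotated_at = ts_from_log(m.group("ts"))
        events.append({
            "keystore": r.group("keystore"),        # "System" or "External"
            "code": m.group("code"),                # MANAGER.806 / MANAGER.807
            "rotated_at": rotated_at,
            "next_rotation": rotated_at + timedelta(days=int(r.group("days"))),
        })
    return events


def rotation_status(log_text, now, expected=("System", "External")):
    """Map each expected keystore to 'ok', 'overdue' or 'missing' as of `now`."""
    latest = {}
    for ev in parse_rotation_events(log_text):
        k = ev["keystore"]
        if k not in latest or ev["rotated_at"] > latest[k]["rotated_at"]:
            latest[k] = ev  # keep only the most recent rotation per keystore
    status = {}
    for k in expected:
        if k not in latest:
            status[k] = "missing"
        elif now > latest[k]["next_rotation"]:
            status[k] = "overdue"
        else:
            status[k] = "ok"
    return status


if __name__ == "__main__":
    for ev in parse_rotation_events(SAMPLE_LOG):
        print(ev["code"], ev["keystore"], "rotated", ev["rotated_at"].isoformat(),
              "next", ev["next_rotation"].date().isoformat())
    print(rotation_status(SAMPLE_LOG, ts_from_log("01/May/21:00:00:00:000-0400")))
```

Run it against the real file by reading manager_operational_X.log into `rotation_status` with `now` set to the current time; a "missing" result for either keystore after a scheduled rotation is the case worth alerting on, since a sync that runs on schedule will then copy stale keystores.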
Consider the scenarios listed in the following table when managing DLP passwords:

DLP password scenarios

If: You change the Endpoint and Network Discover communications password. A new .jks file is created (for example, certificate_authority_v#.jks, where # is the number of times the password has been changed); the earlier versions remain in the directory.
Do: Sync the Endpoint and Network Discover communications password and all keystore files (not only the newest certificate_authority_v#.jks) from the following location, depending on your platform:
  • Windows:
    C:\ProgramData\Symantec\DataLossPrevention\EnforceServer\vv.u\keystore\
  • Linux:
    /var/Symantec/DataLossPrevention/EnforceServer/vv.u/keystore/

If: You update the database password (by running the DBPasswordChanger.exe utility). The DatabasePassword.properties file is updated.
Do: Sync the DatabasePassword.properties file, which is located in the config folder for the server and platform:
  • Windows:
    • Enforce Server:
      C:\Program Files\Symantec\DataLossPrevention\EnforceServer\vv.u\Protect\config\
    • Detection server:
      C:\Program Files\Symantec\DataLossPrevention\DetectionServer\vv.u\Protect\config\
  • Linux:
    • Enforce Server:
      /opt/Symantec/DataLossPrevention/EnforceServer/vv.u/Protect/config/
    • Detection server:
      /opt/Symantec/DataLossPrevention/DetectionServer/vv.u/Protect/config/

If: Your organization uses an internal Certificate Authority.
Do: Sync the cacerts file from the ServerJRE, or reinstall your organization's root CA certificate. The file is in one of the following locations, depending on your platform and JRE type:
  • Windows:
    • OpenJRE:
      C:\Program Files\AdoptOpenJRE\jdk8u<version>-jre\lib\security\
    • Symantec-provided JRE:
      C:\Program Files\Symantec\DataLossPrevention\ServerJRE\<version>\lib\security\
  • Linux:
    • OpenJRE:
      /opt/AdoptOpenJRE/jdk8u<version>-jre/lib/security/
    • Symantec-provided JRE:
      /opt/Symantec/DataLossPrevention/ServerJRE/<version>/lib/security/

In all three cases, vv.u and <version> stand for the installed DLP and JRE versions; a sync job that hard-codes an old version path silently stops copying after an upgrade, so verify the copied files by content (for example by comparing hashes) rather than by the job's exit status alone.
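As an added example (not Symantec's tooling, and not code from the documentation), the following Python implements the sync steps above in a verifiable way: it copies every *.jks file in a keystore directory to a target directory only when the SHA-256 content differs, confirms each copy by re-hashing, and identifies the current certificate_authority_v#.jks by the highest version number. The directory names in `demo()` are constructed temporary paths; in practice you pass the keystore and config paths from the table, and add the DatabasePassword.properties and cacerts files as extra (src, dst) pairs.

```python
import hashlib
import re
import shutil
import tempfile
from pathlib import Path

# Matches the naming pattern described in the table: certificate_authority_v#.jks
CA_KEYSTORE_RE = re.compile(r"^certificate_authority_v(\d+)\.jks$")


def sha256_of(path):
    """Hash a file in chunks so large keystores do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def latest_ca_keystore(keystore_dir):
    """Return the certificate_authority_v#.jks with the highest #, or None."""
    best = None
    for p in Path(keystore_dir).iterdir():
        m = CA_KEYSTORE_RE.match(p.name)
        if m and (best is None or int(m.group(1)) > best[0]):
            best = (int(m.group(1)), p)
    return best[1] if best else None


def keystore_pairs(src_dir, dst_dir):
    """Map every *.jks in src_dir to the same file name under dst_dir."""
    src_dir, dst_dir = Path(src_dir), Path(dst_dir)
    return [(p, dst_dir / p.name) for p in sorted(src_dir.glob("*.jks"))]


def sync_files(pairs):
    """Copy each (src, dst) pair whose content differs.

    Returns (copied, skipped, failed): skipped pairs were already identical,
    failed pairs had a missing source or a post-copy hash mismatch.
    """
    copied, skipped, failed = [], [], []
    for src, dst in pairs:
        src, dst = Path(src), Path(dst)
        if not src.is_file():
            failed.append(dst)  # e.g. a hard-coded vv.u path after an upgrade
            continue
        src_hash = sha256_of(src)
        if dst.is_file() and sha256_of(dst) == src_hash:
            skipped.append(dst)
            continue
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)  # copy2 preserves mtime and permission bits
        (copied if sha256_of(dst) == src_hash else failed).append(dst)
    return copied, skipped, failed


def demo():
    """Run the sync twice on a constructed keystore layout; return a summary."""
    root = Path(tempfile.mkdtemp())
    src = root / "primary" / "keystore"   # stands in for ...\EnforceServer\vv.u\keystore\
    dst = root / "standby" / "keystore"
    src.mkdir(parents=True)
    (src / "certificate_authority_v1.jks").write_bytes(b"constructed old CA keystore")
    (src / "certificate_authority_v2.jks").write_bytes(b"constructed new CA keystore")
    (src / "endpoint.jks").write_bytes(b"constructed endpoint keystore")
    first = sync_files(keystore_pairs(src, dst))
    second = sync_files(keystore_pairs(src, dst))   # unchanged -> everything skipped
    summary = {
        "latest_ca": latest_ca_keystore(dst).name,
        "first_copied": len(first[0]),
        "second_skipped": len(second[1]),
        "failed": len(first[2]) + len(second[2]),
    }
    shutil.rmtree(root)
    return summary


if __name__ == "__main__":
    print(demo())
```

Treat a non-empty `failed` list as a job failure, not a warning: a standby Enforce Server restored from a keystore directory that is missing the newest certificate_authority_v#.jks cannot talk to endpoints and Network Discover servers that already trust the new CA.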