Generating a unique browser certificate

By default, connections between the Enforce Server and the browser are protected by a single, self-signed certificate that ships embedded in the Symantec Data Loss Prevention software. Because every installation carries the same certificate, it does not identify your particular server to the browser; generate a unique certificate to replace it.
The keytool utility manages keys and certificates. It lets you create and administer your own public and private key pairs and the certificates associated with them, which the Enforce Server presents to browsers to authenticate itself.
  1. Collect the following information:
    • Common Name: The fully qualified DNS name of the Enforce Server, exactly as all clients resolve and connect to it. This is the host name part of the console URL https://Server_name/, not the URL itself and not a short or alias name.
    • Organization Name: The name of your company or organization.
      For example, Acme, Inc.
    • Organizational unit: The name of your division, department, unit, etc. (Optional)
      For example, Engineering
    • City: The city, town, or area where you are located.
      For example, San Francisco
    • State: The name of your state, province, or region.
      For example, California or CA
    • Country: Your two-letter country code.
      For example, US
    • Expiration: The certificate lifetime in number of days.
      For example: 90
  2. Stop all the Symantec DLP services on the Enforce Server.
  3. On the Enforce Server, go to the directory for your platform. The keytool software is located in this directory:
    • Windows:
    • Linux:
  4. Use keytool to create the key pair and its self-signed certificate in a keystore file. The same keystore file is also used later if you obtain a certificate from a certificate authority.
    From within the bin directory, run the following command with the information collected earlier:
    keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -keystore .keystore -validity NNN -storepass protect -dname "CN=common_name, O=organization_name, OU=organization_unit, L=city, S=state, C=XX"
    Where:
    • The -alias parameter names the key pair and certificate within the keystore; later keytool commands refer to the entry by this name. The Enforce Server's Tomcat connector looks for this entry, so the value must be tomcat.
    • The -keystore parameter specifies the name and location of the keystore file, which must be .keystore in this directory; specify it as -keystore .keystore. If the file does not exist yet, keytool creates it.
    • The -keyalg parameter specifies the algorithm used to generate the key pair; specify RSA.
    • The -keysize parameter specifies the key length in bits. Use 2048 or larger: 1024-bit RSA keys are no longer considered secure enough to protect the administration console.
    • The -validity parameter specifies the number of days the certificate is valid. For example, -validity 365 makes it valid for 365 days (one year). Choose the period to match how often you are prepared to rotate the certificate. After it expires, browsers report the certificate as expired when they open the Enforce Server administration console; replace an expired certificate with a new one rather than letting users click through the warning.
    • The -storepass parameter specifies the password that protects the integrity of the keystore. If you use a password other than protect, give it here and also update the two files from which the Enforce Server reads it:
      • protect.properties, located at ../Protect/config: update the line com.vontu.manager.tomcat.keystore.password = my_password, replacing my_password with your password.
      • server.xml, located at ../tomcat/conf: update the keystorePass = my_password setting, replacing my_password with your password.
      The password is stored in clear text in both files, so restrict read access to them to the account that runs the Enforce Server services.
    • The -dname parameter specifies the X.500 Distinguished Name associated with this alias. In a self-signed certificate it is used as both the issuer and the subject. If a value itself contains a comma (for example, Acme, Inc.), escape the comma with a backslash (O=Acme\, Inc.), because keytool otherwise treats the text after it as the next component. The components of the value are:
    • CN specifies the Common Name: the fully qualified DNS name of the Enforce Server collected in step 1, not a person's name and not a URL. For example, CN=common_name, where common_name is a host name such as enforce.example.com. Current browsers match the host name against the certificate's subjectAltName extension rather than the CN; keytool can add one to the certificate with -ext SAN=dns:common_name.
    • O specifies your organization's name. For example, O=Acme Inc.
    • OU specifies your organization's unit or division name. For example, OU=Engineering Department
    • L specifies your city. For example, L=San Francisco
    • S specifies your state or province. For example, S=California
    • C specifies the two-letter country code of your country. For example, C=US
    • If keytool prompts for a key password, press Return to make it the same as the keystore password. Tomcat reads the private key with the keystore password unless a separate key password is configured, so the two must match.
    An updated .keystore file is generated in the current directory.
  5. (Optional) Rename or move the existing .keystore file out of the conf directory for your platform (Windows or Linux), so that you can restore it if the new certificate causes problems.
  6. Copy the updated .keystore file into the conf directory for your platform:
    • Windows:
    • Linux:
  7. Restart the Symantec DLP services on the Enforce Server.
As an alternative to a self-signed certificate, you can use a certificate issued by an internal or external certificate authority (CA). Consult your certificate authority for instructions on how to obtain a CA-signed certificate. The certificate signing request must be generated from the keystore and tomcat alias created in step 4, so that the certificate the CA issues matches the private key the Enforce Server will use. The CA provides its root certificate (and, in many cases, one or more intermediate certificates) together with the signed certificate. Import them into the keystore in that order, the root first (and any intermediates after it, each under its own alias) and the signed certificate last under the tomcat alias, so that keytool can verify the chain and replace the self-signed certificate in that entry with the CA-issued one:
keytool -import -alias root -keystore .keystore -trustcacerts -file root_certificate
keytool -import -alias tomcat -keystore .keystore -trustcacerts -file signed_certificate
Both commands prompt for the keystore password. Run them with the services stopped, then install the keystore and restart the services as in steps 5 through 7.
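Before restarting the services in step 7, it is worth checking that the keystore actually meets what browsers will demand of it, whether it holds the self-signed certificate from step 4 or the CA-issued chain from the import commands above. The following Java program is an added example, not Symantec code and not part of the product: it loads .keystore with the keystore password and reports whether the tomcat entry holds a private key, whether the RSA key is at least 2048 bits, whether the certificate is signed with an algorithm browsers still accept, how long it remains valid, whether the Enforce Server FQDN appears in the subjectAltName or only in the CN, and whether each certificate in an imported chain is signed by the next. The keystore path, password and host name given on the command line are assumptions for the illustration; the alias tomcat and the default password protect come from the procedure above.

```java
import java.io.*;
import java.security.KeyStore;
import java.security.cert.*;
import java.security.interfaces.RSAPublicKey;
import java.time.*;
import java.util.*;
import javax.naming.ldap.*;

/* Pre-flight check for the Enforce Server browser keystore (added example, not Symantec code).
 * Usage, with a path, password and host name that are assumptions for the illustration:
 *   java KeystoreCheck /path/to/.keystore protect enforce.example.com
 * Exit status 0 means no problems were found. */
public class KeystoreCheck {

    static final String ALIAS = "tomcat"; // the entry the Enforce Server's Tomcat connector expects
    static final int MIN_RSA_BITS = 2048; // the page's -keysize 1024 is no longer considered secure
    static final long WARN_DAYS = 30;     // warn when fewer than this many days of validity remain

    /* Returns the problems found; an empty list means the keystore is ready to install. */
    public static List<String> check(KeyStore ks, String expectedHost) throws Exception {
        List<String> problems = new ArrayList<>();
        if (!ks.containsAlias(ALIAS)) {
            problems.add("no entry with alias '" + ALIAS + "'");
            return problems;
        }
        // A certificate-only entry results from importing a CA reply into a keystore that
        // does not hold the matching key pair under this alias.
        if (!ks.isKeyEntry(ALIAS)) problems.add("alias '" + ALIAS + "' holds a certificate but no private key");
        Certificate[] chain = ks.getCertificateChain(ALIAS); // null for a certificate-only entry
        X509Certificate leaf = (X509Certificate) (chain != null ? chain[0] : ks.getCertificate(ALIAS));

        // Key strength and signature algorithm.
        if (leaf.getPublicKey() instanceof RSAPublicKey) {
            int bits = ((RSAPublicKey) leaf.getPublicKey()).getModulus().bitLength();
            if (bits < MIN_RSA_BITS) problems.add("RSA key is " + bits + " bits; regenerate with -keysize " + MIN_RSA_BITS + " or larger");
        } else {
            problems.add("key is not RSA, but the procedure specifies -keyalg RSA");
        }
        String sigAlg = leaf.getSigAlgName().toUpperCase();
        if (sigAlg.contains("SHA1") || sigAlg.contains("MD5")) problems.add("certificate is signed with " + leaf.getSigAlgName() + ", which browsers no longer accept");

        // Validity window: expired or not yet valid is an error, nearly expired is a warning.
        try {
            leaf.checkValidity();
        } catch (CertificateException e) {
            problems.add("certificate is outside its validity period: " + e.getMessage());
        }
        long daysLeft = Duration.between(Instant.now(), leaf.getNotAfter().toInstant()).toDays();
        if (daysLeft >= 0 && daysLeft < WARN_DAYS) problems.add("only " + daysLeft + " day(s) of validity remain; plan the replacement now");

        // Host name: current browsers match the URL host against subjectAltName dNSName entries
        // (SAN type 2) and ignore the CN, so the FQDN must appear in the SAN, not only in the CN.
        boolean sanMatch = false, cnMatch = false;
        Collection<List<?>> sans = leaf.getSubjectAlternativeNames();
        if (sans != null) {
            for (List<?> san : sans)
                if (Integer.valueOf(2).equals(san.get(0)) && expectedHost.equalsIgnoreCase(String.valueOf(san.get(1)))) sanMatch = true;
        }
        for (Rdn rdn : new LdapName(leaf.getSubjectX500Principal().getName()).getRdns())
            if (rdn.getType().equalsIgnoreCase("CN") && expectedHost.equalsIgnoreCase(String.valueOf(rdn.getValue()))) cnMatch = true;
        if (!sanMatch && cnMatch) problems.add(expectedHost + " is only in the CN; add it as a subjectAltName (keytool -ext SAN=dns:...)");
        else if (!sanMatch) problems.add("neither CN nor subjectAltName names " + expectedHost);

        // Chain: a self-signed certificate is its own issuer (chain length 1); a CA-signed one must
        // chain through the imported intermediates to the root, each certificate signed by the next.
        if (chain != null) {
            for (int i = 0; i + 1 < chain.length; i++) {
                try {
                    chain[i].verify(chain[i + 1].getPublicKey());
                } catch (Exception e) {
                    problems.add("chain certificate " + i + " is not signed by certificate " + (i + 1) + ": " + e.getMessage());
                }
            }
        }
        return problems;
    }

    public static void main(String[] args) throws Exception {
        // Current JDKs load JKS and PKCS12 files interchangeably, so the default type works for either.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        List<String> problems = check(ks, args[2]);
        problems.forEach(p -> System.out.println("PROBLEM: " + p));
        System.out.println(problems.isEmpty() ? "keystore OK" : problems.size() + " problem(s) found");
        System.exit(problems.isEmpty() ? 0 : 1);
    }
}
```

Compile it with the same JDK that ships with the Enforce Server (javac KeystoreCheck.java) and run it against the .keystore file in the bin directory before copying it into conf; a non-zero exit status means at least one of the checks failed and the services should not be restarted until it is resolved.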