Create a Password Update Plan
Set up a sync that matches the cadence of the password rotation. Create scheduled tasks to create the `EnforceReinstallationResources.zip` file and all the Java keystore (`*.jks`) files in the JRE, Tomcat paths, and custom command and control certs.

You can confirm the cryptographic key rotation by reviewing log entries. For example, the log `manager_operational_X.log` may list the following entries:

```
(MANAGER.2) The Manager is now running
26/Apr/21:16:05:14:259-0400 [INFO] (MANAGER.805) Checking if cryptographic keys require rotation
26/Apr/21:16:05:14:312-0400 [INFO] (MANAGER.806) The System cryptographic keystore has been rotated. Next rotation will occur in 30 days
26/Apr/21:16:05:14:325-0400 [INFO] (MANAGER.807) The External cryptographic keystore has been rotated. Next rotation will occur in 30 days
```
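The log review described above can be scripted so that a scheduled sync task knows when a keystore has rotated since the last sync. This is an added example, not code from the product or its documentation; it assumes the entry format quoted above, and the function names and the `last_sync` parameter (the time the sync task last ran) are hypothetical.

```python
import re
from datetime import datetime, timedelta, timezone

# Matches the MANAGER.806 / MANAGER.807 entries in the format quoted above.
ROTATED = re.compile(
    r"^(?P<ts>\S+) \[INFO\] \(MANAGER\.80[67]\) The (?P<store>System|External) "
    r"cryptographic keystore has been rotated\. "
    r"Next rotation will occur in (?P<days>\d+) days"
)
TS_FORMAT = "%d/%b/%y:%H:%M:%S:%f%z"  # e.g. 26/Apr/21:16:05:14:312-0400
EXPECTED_STORES = ("System", "External")

# Constructed sample, copied from the entries quoted above.
SAMPLE_LOG = [
    "(MANAGER.2) The Manager is now running",
    "26/Apr/21:16:05:14:259-0400 [INFO] (MANAGER.805) Checking if cryptographic keys require rotation",
    "26/Apr/21:16:05:14:312-0400 [INFO] (MANAGER.806) The System cryptographic keystore has been rotated. Next rotation will occur in 30 days",
    "26/Apr/21:16:05:14:325-0400 [INFO] (MANAGER.807) The External cryptographic keystore has been rotated. Next rotation will occur in 30 days",
]


def rotation_status(lines):
    """Return {store: (rotated_at, next_due)} from the latest entry per store."""
    status = {}
    for line in lines:
        m = ROTATED.match(line.strip())
        if not m:
            continue  # startup and MANAGER.805 "checking" lines are ignored
        rotated_at = datetime.strptime(m["ts"], TS_FORMAT)
        next_due = rotated_at + timedelta(days=int(m["days"]))
        if m["store"] not in status or rotated_at > status[m["store"]][0]:
            status[m["store"]] = (rotated_at, next_due)
    return status


def sync_findings(lines, last_sync):
    """List keystores with no rotation entry or rotated after last_sync."""
    status = rotation_status(lines)
    findings = []
    for store in EXPECTED_STORES:
        if store not in status:
            findings.append(f"{store}: no rotation entry found")
        elif status[store][0] > last_sync:
            findings.append(f"{store}: rotated after last sync")
    return findings


if __name__ == "__main__":
    print(sync_findings(SAMPLE_LOG, datetime(2021, 4, 1, tzinfo=timezone.utc)))
```

An empty result means both keystores have a rotation entry that predates the last sync; the `next_due` value from `rotation_status` gives the date by which the next sync should be scheduled.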
Consider the scenarios listed in the following table when managing DLP passwords:
| If... | Do |
|---|---|
| You change the Endpoint and Network Discover communications password, and a new `.jks` file is created (for example, `certificate_authority_v#.jks`, where # signifies the number of times the password is changed). | Sync the Endpoint and Network Discover communications password and all other keystore files at the following location (depending on your platform): |
| You update the database password (by running the `DBPasswordChanger.exe` utility), and the `DatabasePassword.properties` file is updated. | Sync the `DatabasePassword.properties` file that is located in the config folder based on the server and platform: |
| Your organization uses an internal Certificate Authority. | Sync the `cacerts` file from the ServerJRE, or reinstall the root CA certificate for your organization. The file is at one of the following locations, depending on your platform and JRE type: |