Configuring Certificate Revocation Checks

When you enable certificate revocation checks, Symantec Data Loss Prevention uses the CRL distribution point (CRLDP) of each client certificate to determine that certificate's revocation status.
Follow this procedure to enable certificate revocation checks.
  1. Ensure that the CRLDP is present in the CRL distribution point field of each client certificate; the revocation check downloads the revocation list from that location.
  2. Log on to the Enforce Server computer using the account that you created during Symantec Data Loss Prevention installation.
    Do not change permissions or ownership on any configuration file from another root or Administrator account.
  3. Open the file c:\Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.20000\Protect\tomcat\conf\server.xml (Windows) or /opt/Symantec/DataLossPrevention/EnforceServer/16.0.20000/Protect/tomcat/conf/server.xml (Linux) and change the revocationEnabled attribute from false to true.
  4. To enable revocation checking using a CRLDP, add or uncomment the following line in the wrapper configuration file for the Symantec DLP Manager service (wrapper.java.additional.N entries are Java Service Wrapper properties, not server.xml settings):
    wrapper.java.additional.22=-Dcom.sun.security.enableCRLDP=true
    This option is enabled by default for new Symantec Data Loss Prevention installations.
  5. If you use CRLDP revocation checks, optionally configure the cache lifetime using the property:
    wrapper.java.additional.22=-Dsun.security.certpath.ldap.cache.lifetime=30
    Each wrapper.java.additional.N line must have its own index. If index 22 is already taken by the enableCRLDP line from step 4, give this line the next unused index instead; two lines with the same index are treated as one property, and one of the two JVM options is silently lost.
    This parameter specifies the length of time, in seconds, to cache the revocation lists that are obtained from a CRL distribution point. After this time is reached, a lookup is performed to refresh the cache the next time there is an authentication request. The default cache lifetime is 30 seconds. Specify 0 to disable the cache, or -1 to store cache results indefinitely.
  6. Stop and then restart the Symantec DLP Manager service to apply your changes.
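The following script is an added example, not Symantec's code, that applies steps 3 to 5 of the procedure above to constructed copies of the two files and then verifies the result: it flips revocationEnabled in server.xml without disturbing comments, and it adds or repairs the wrapper.java.additional lines while guaranteeing that no two active lines share an index. The sample file contents, the placement of revocationEnabled on an SSLHostConfig element (as in Tomcat 8.5 and later), and the wrapper file name are assumptions; the indices below start at 20 only to keep the sample short.

```python
"""Added example (not Symantec's code). Applies the server.xml and wrapper
edits from the procedure above to constructed file contents and checks them.
Assumptions: revocationEnabled sits on an SSLHostConfig element, and the JVM
options live in a Java Service Wrapper file for the DLP Manager service."""
import re
import xml.etree.ElementTree as ET

# Constructed excerpt of server.xml: client certificates are required but
# revocation checks are still off.
SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <!-- constructed sample -->
  <Service name="Catalina">
    <Connector port="8443" SSLEnabled="true" protocol="org.apache.coyote.http11.Http11NioProtocol">
      <SSLHostConfig certificateVerification="required" revocationEnabled="false">
        <Certificate certificateKeystoreFile="conf/.keystore" type="RSA"/>
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>
"""

# Constructed excerpt of the wrapper file (indices 1-19 omitted). Both lines
# quoted in steps 4 and 5 use index 22; that collision is what gets repaired.
WRAPPER_CONF = """wrapper.java.additional.20=-Djava.awt.headless=true
wrapper.java.additional.21=-Dfile.encoding=UTF-8
wrapper.java.additional.22=-Dcom.sun.security.enableCRLDP=true
wrapper.java.additional.22=-Dsun.security.certpath.ldap.cache.lifetime=30
"""

ATTR_RE = re.compile(r'revocationEnabled\s*=\s*"(?:true|false)"')
WRAPPER_RE = re.compile(
    r'^\s*(?P<off>#\s*)?wrapper\.java\.additional\.(?P<idx>\d+)=(?P<val>.*)$')


def enable_revocation(server_xml: str) -> str:
    """Step 3: set revocationEnabled="true" with a textual edit so comments and
    layout survive, then parse the result to prove it is still well-formed and
    that an SSLHostConfig element now carries the flag."""
    updated, n = ATTR_RE.subn('revocationEnabled="true"', server_xml)
    if n == 0:
        raise ValueError("no revocationEnabled attribute: client-certificate "
                         "authentication is not configured on this connector")
    root = ET.fromstring(updated.encode("utf-8"))
    if not any(h.get("revocationEnabled") == "true"
               for h in root.iter("SSLHostConfig")):
        raise ValueError("revocationEnabled is not on an SSLHostConfig element")
    return updated


def _entries(conf: str):
    """Yield (line_no, commented, index, value) for wrapper.java.additional lines."""
    for i, line in enumerate(conf.splitlines()):
        m = WRAPPER_RE.match(line)
        if m:
            yield i, m["off"] is not None, int(m["idx"]), m["val"].strip()


def duplicate_indices(conf: str) -> list[int]:
    """Indices used by more than one active line. The wrapper keys these
    properties by name, so only one of the colliding JVM options survives."""
    seen, dups = set(), set()
    for _, commented, idx, _ in _entries(conf):
        if not commented:
            (dups if idx in seen else seen).add(idx)
    return sorted(dups)


def active_options(conf: str) -> dict[int, str]:
    """Index -> JVM argument for every active line (last definition wins)."""
    return {idx: val for _, commented, idx, val in _entries(conf) if not commented}


def set_jvm_option(conf: str, prop: str, value: str) -> str:
    """Steps 4 and 5: ensure '-D<prop>=<value>' is on an active line whose index
    no other active line uses. An active line for the property is updated in
    place; else a commented-out one is uncommented; else a line is appended at
    max index + 1, keeping the numbering gap-free (the wrapper stops reading
    wrapper.java.additional.N at the first gap unless wrapper.ignore_sequence_gaps
    is TRUE). Any active line whose index is already taken is renumbered."""
    needle = f"-D{prop}="
    target = None
    for i, commented, _, val in _entries(conf):
        if val.startswith(needle):
            if not commented:
                target = i
                break
            if target is None:
                target = i
    used: set[int] = set()
    out: list[str] = []
    for i, line in enumerate(conf.splitlines()):
        m = WRAPPER_RE.match(line)
        if not m or (m["off"] is not None and i != target):
            out.append(line)          # prose, blanks and other commented lines
            continue
        idx, val = int(m["idx"]), m["val"].strip()
        if i == target:
            val = f"{needle}{value}"
        if idx in used:
            idx = max(used) + 1       # collision: renumber this line
        used.add(idx)
        out.append(f"wrapper.java.additional.{idx}={val}")
    if target is None:
        out.append(f"wrapper.java.additional.{max(used, default=0) + 1}={needle}{value}")
    return "\n".join(out) + "\n"
```

Running set_jvm_option on the constructed wrapper file moves the cache-lifetime line to index 23 and leaves the enableCRLDP line at 22; running it a second time for either property changes nothing, so it is safe to re-run after an upgrade. Restart the Symantec DLP Manager service afterwards, as step 6 says, since the JVM only reads these options at start-up.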