Configuring certificate revocation checks
When you enable certificate revocation checks, Symantec Data Loss Prevention uses a CRL distribution point (CRLDP) to determine the revocation status of a client certificate. Follow this procedure to enable certificate revocation checks.
To configure certificate revocation checks:
- Ensure that the CRLDP is defined in the CRL distribution point field of each client certificate.
- Log on to the Enforce Server computer using the account that you created during Symantec Data Loss Prevention installation. Do not change permissions or ownership on any configuration file from another root or Administrator account.
- Open the file c:\Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.00000\Protect\tomcat\conf\server.xml (Windows) or /opt/Symantec/DataLossPrevention/EnforceServer/16.0.00000/Protect/tomcat/conf/server.xml (Linux) and change the revocationEnabled value from false to true.
- To enable revocation checking using a CRLDP, add or uncomment the following line in the file:
  wrapper.java.additional.22=-Dcom.sun.security.enableCRLDP=true
  This option is enabled by default for new Symantec Data Loss Prevention installations.
- If you use CRLDP revocation checks, optionally configure the cache lifetime using the property:
  wrapper.java.additional.22=-Dsun.security.certpath.ldap.cache.lifetime=30
  This parameter specifies the length of time, in seconds, to cache the revocation lists that are obtained from a CRL distribution point. After this time is reached, a lookup is performed to refresh the cache the next time there is an authentication request. The default cache lifetime is 30 seconds. Specify 0 to disable the cache, or -1 to store cache results indefinitely. Each wrapper.java.additional property must use its own index: if index 22 already carries the enableCRLDP option, give this property the next unused index, because a second line with the same index overrides the first.
- Stop and then restart the Symantec DLP Manager service to apply your changes.