Secure Communications Between DLP Agents and Endpoint Servers

Symantec Data Loss Prevention uses SSL certificates and public-key encryption to authenticate and secure communications between DLP Agents and Endpoint Servers.
When you install or upgrade the Enforce Server, DLP sets up a root Certificate Authority (CA). DLP automatically generates the public certificates and the keys that are required to authenticate and secure communications between DLP Agents and Endpoint Servers. The certificates are signed by the Symantec Data Loss Prevention CA.
The public certificates and keys are securely stored in the Enforce Server database. The DLP Agent initiates connections to one of the Endpoint Prevent Servers or load balancer servers and authenticates the server certificate.
When you deploy an Endpoint Prevent Server, the system generates the server public-private key pair that is signed by the DLP root CA certificate. These files are versioned. When you generate the agent package, the system generates the agent public-private key pair and the agent certificate, also signed by the DLP root CA.
You can view which CA version is in use on the System > Settings > General screen. The password for the DLP root CA is randomly generated and used by the system. Changing the root CA password is reserved for internal use.

Support for custom certificates

You can use custom certificates to verify the identities of endpoints and Endpoint Prevent Servers. With custom certificates, you can integrate DLP with your enterprise PKI (Public Key Infrastructure). Endpoint Prevent Servers can also check for revoked endpoint certificates.
On Windows and macOS endpoints, the DLP Agent uses custom endpoint certificates that are provisioned in the operating system certificate store. The DLP Agent does not support custom endpoint certificates on Linux endpoints.
The certificate management feature enables you to add your own keystores to Endpoint Prevent Servers. You can also add your own truststores that endpoints and Endpoint Prevent Servers can use to verify each other's identity.
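The checks described above, both for the default scheme (one root CA signing the server and agent certificates, each side verifying the other's chain) and for the revocation check available with custom certificates, as an added illustration that is not Symantec's code: it builds a small constructed PKI with the `cryptography` library and shows that a certificate with the right names but the wrong signer is rejected, and that a revoked agent certificate is rejected once a CRL is consulted. The CA subject name, the hostnames and the CRL are all constructed for the example.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.exceptions import InvalidSignature

ROOT_CN = "DLP Root CA"  # constructed subject name, not the one the real product uses
def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
def issue(subject_cn, subject_key, issuer_key, is_ca=False):
    """Certificate for subject_key, issued under ROOT_CN and signed by issuer_key."""
    now = datetime.now(timezone.utc)
    return (x509.CertificateBuilder().subject_name(_name(subject_cn)).issuer_name(_name(ROOT_CN))
            .public_key(subject_key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now - timedelta(minutes=5)).not_valid_after(now + timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(issuer_key, hashes.SHA256()))
def revoke(serials, issuer_key):
    """CRL listing the given serial numbers, signed by the root key."""
    now = datetime.now(timezone.utc)
    b = (x509.CertificateRevocationListBuilder().issuer_name(_name(ROOT_CN))
         .last_update(now).next_update(now + timedelta(days=1)))
    for s in serials:
        b = b.add_revoked_certificate(x509.RevokedCertificateBuilder().serial_number(s).revocation_date(now).build())
    return b.sign(issuer_key, hashes.SHA256())
def trusted(cert, root, crl=None):
    """What each peer must establish: cert chains to root, is in date, and is not revoked."""
    if cert.issuer != root.subject:
        return False
    try:  # the signature over the to-be-signed body must verify with the root's public key
        root.public_key().verify(cert.signature, cert.tbs_certificate_bytes, ec.ECDSA(cert.signature_hash_algorithm))
    except InvalidSignature:
        return False
    now = datetime.now(timezone.utc)
    nb = getattr(cert, "not_valid_before_utc", None) or cert.not_valid_before.replace(tzinfo=timezone.utc)
    na = getattr(cert, "not_valid_after_utc", None) or cert.not_valid_after.replace(tzinfo=timezone.utc)
    if not nb <= now <= na:
        return False
    return crl is None or crl.get_revoked_certificate_by_serial_number(cert.serial_number) is None

def demo():
    """One root, a server cert, an agent cert, an impostor server cert, and a CRL revoking the agent."""
    root_key, srv_key, agent_key, other_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(4))
    root = issue(ROOT_CN, root_key, root_key, is_ca=True)
    server = issue("endpoint-server", srv_key, root_key)
    agent = issue("dlp-agent", agent_key, root_key)
    impostor = issue("endpoint-server", srv_key, other_key)  # right names, wrong signer
    crl = revoke([agent.serial_number], root_key)
    return {"server": trusted(server, root), "impostor": trusted(impostor, root),
            "agent": trusted(agent, root), "agent_revoked": trusted(agent, root, crl)}
```

A real deployment would also match the server name in the certificate against the host the agent connected to; that step is omitted here to keep the focus on the chain and revocation checks.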
For instructions about configuring new and existing Endpoint Prevent Servers to use custom certificates, see Configuring Endpoint Prevent Servers to Use Custom Certificates.
For instructions about migrating endpoints from the default DLP Agent certificate to a custom certificate, see Configuring DLP Agents to Use Custom Certificates.
For information about the limitations of using custom certificates, see Limitations of DLP support for custom certificates.