About server security and SSL/TLS certificates
Symantec Data Loss Prevention uses Secure Socket Layer/Transport Layer Security (SSL/TLS) to encrypt all data that is transmitted between servers. It also uses the SSL/TLS protocol for mutual authentication between servers. Servers implement authentication by the mandatory use of client and server-side certificates.

The Enforce Server administration console web application enables users to view and manage incidents and policies and to configure Symantec Data Loss Prevention. You access this interface with a web browser. The Enforce Server and browser communicate through a secure SSL/TLS connection. To ensure confidentiality, all communication between the Enforce Server and the browser is encrypted using a symmetric key. During connection initiation, the Enforce Server and the browser negotiate the encryption algorithm. The negotiation includes the algorithm, key size, and encoding, as well as the encryption key itself.

A "certificate" is a keystore file used with a keystore password. The terms "certificate" and "keystore file" are often used interchangeably. By default, all the connections between the Symantec Data Loss Prevention servers, and between the Enforce Server and the browser, use a self-signed certificate. This certificate is securely embedded inside the Symantec Data Loss Prevention software. By default, every Symantec Data Loss Prevention server at every customer installation uses this same certificate.

Although the existing default security meets stringent standards, Symantec provides the keytool and sslkeytool utilities to enhance your encryption security:

- The keytool utility generates a new certificate to encrypt communication between your web browser and the Enforce Server. This certificate is unique to your installation.
- The sslkeytool utility generates new SSL server certificates to secure communications between your Enforce Server and your detection servers. These certificates are unique to your installation. The new certificates replace the single default certificate that comes with all Symantec Data Loss Prevention installations. You store one certificate on the Enforce Server, and one certificate on each detection server in your installation.

Symantec recommends that you create dedicated certificates for communication with your Symantec Data Loss Prevention servers. When you configure the Enforce Server to use a generated certificate, all detection servers in your installation must also use generated certificates. You cannot use the built-in certificate with some detection servers and generated certificates with other servers.

If you install a Network Prevent detection server in a hosted environment, you must generate unique certificates for your Symantec Data Loss Prevention servers. You cannot use the built-in certificate to communicate with a hosted Network Prevent server.

You may also need to secure communications between Symantec Data Loss Prevention servers and other servers such as those used by Active Directory or a Mail Transfer Agent (MTA).