Using sslkeytool to add new detection server certificates

Use sslkeytool with the -alias argument to generate new certificate files for an existing Symantec Data Loss Prevention deployment. When you use this command form, you must provide the current Enforce Server keystore file, so that sslkeytool can embed the Enforce Server certificate in the new detection server certificate files that you generate.
This section provides instructions for generating one or more new detection server certificates.
To generate new detection server certificates
  1. Log on to the Enforce Server computer using the "SymantecDLP" user account that you created during Symantec Data Loss Prevention installation.
  2. From a command window, go to the bin directory where the sslkeytool utility is stored.
    • Windows:
      C:\Program Files\Symantec\DataLossPrevention\EnforceServer\15.8.00000\protect\bin
    • Linux:
      /opt/Symantec/DataLossPrevention/EnforceServer/15.8.00000/protect/bin
  3. Create a directory in which you will store the new detection server certificate files. For example:
    mkdir new_certificates
  4. Copy the current Enforce Server keystore file to the new directory. Example commands based on platform are listed below:
    • Windows command:
      copy ..\keystore\enforce.Fri_Jun_10_11_24_20_PDT_2016.sslkeyStore .\new_certificates
    • Linux command:
      cp ../keystore/enforce.Fri_Jun_10_11_24_20_PDT_2016.sslkeyStore ./new_certificates
  5. Create a text file (aliases.txt in the example below) that lists the new server alias names that you want to create. Place each alias on a separate line. For example:
    network02
    smtp_prevent02
  6. Run the sslkeytool utility with the -alias argument and the -dir argument to specify the output directory. Also specify, with the -enforce argument, the name of the Enforce Server keystore file that you copied into the certificate directory. Example commands are listed below:
    • Windows command:
      sslkeytool -alias=.\aliases.txt -enforce=enforce.Fri_Jun_10_11_24_20_PDT_2016.sslkeyStore -dir=.\new_certificates
    • Linux command:
      sslkeytool -alias=./aliases.txt -enforce=enforce.Fri_Jun_10_11_24_20_PDT_2016.sslkeyStore -dir=./new_certificates
    The command generates a new certificate file for each alias and stores the new files in the specified directory. Each certificate file also includes the Enforce Server certificate from the Enforce Server keystore that you specified.
  7. Copy each new certificate file to the keystore directory on the appropriate detection server computer.
    • Windows:
      C:\ProgramData\Symantec\DataLossPrevention\DetectionServer\15.8.00000\keystore
    • Linux:
      /opt/Symantec/DataLossPrevention/DetectionServer/15.8.00000/keystore
    Generating a detection server certificate (monitor.date.sslkeyStore) also updates the Enforce Server keystore file (enforce.date.sslkeyStore) in the output directory so that it trusts the new detection server. Copy the updated Enforce Server keystore file back to the Enforce Server keystore directory, replacing the existing file, and repeat this for each new detection server certificate that you generate.
  8. Delete or secure any additional copies of the certificate files. They contain the generated private keys, and any copy left behind gives whoever obtains it the means to impersonate that server.
  9. Restart the SymantecDLPDetectionServerService service on each detection server so that it uses the new certificate file.
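The Linux form of the procedure above (create the work directory, copy the current Enforce Server keystore, write the alias file, run sslkeytool, verify the output, put the updated Enforce Server keystore back), scripted as an added example. This is not Symantec's code and is not part of the original page. It assumes the 15.8.00000 default paths quoted in the steps, that sslkeytool is run from the protect/bin directory exactly as shown, and that it writes both the new keystore files and the updated enforce.*.sslkeyStore into the -dir directory; the helper names (write_alias_file, latest_enforce_keystore, check_outputs, run_procedure) and the environment variables are mine. Copying the files to each detection server and restarting the service are left as a printed reminder because the detection server hostnames are not known here.

```shell
#!/bin/sh
# Added example (not Symantec's code): the Linux form of the sslkeytool -alias
# procedure, scripted. Default paths are the 15.8.00000 install paths quoted in
# the steps; override them with the environment variables if yours differ.
# Assumed: sslkeytool writes the new keystore files and the updated
# enforce.*.sslkeyStore into the -dir directory.
set -eu

ENFORCE_BIN=${ENFORCE_BIN:-/opt/Symantec/DataLossPrevention/EnforceServer/15.8.00000/protect/bin}
ENFORCE_KEYSTORE_DIR=${ENFORCE_KEYSTORE_DIR:-/opt/Symantec/DataLossPrevention/EnforceServer/15.8.00000/protect/keystore}

# Write one alias per line. Reject aliases sslkeytool could misread (empty,
# containing whitespace or '/') rather than silently producing a wrong file set.
write_alias_file() {
  local out=$1 a; shift
  : > "$out"
  chmod 600 "$out"
  for a in "$@"; do
    case "$a" in
      ''|*[[:space:]/]*) echo "refusing alias '$a'" >&2; return 1 ;;
    esac
    printf '%s\n' "$a" >> "$out"
  done
}

# The newest enforce.*.sslkeyStore in a keystore directory is the one to copy
# into the work directory (older ones are left over from earlier runs).
latest_enforce_keystore() {
  local f
  f=$(ls -t "$1"/enforce.*.sslkeyStore 2>/dev/null | head -n 1)
  [ -n "$f" ] || { echo "no enforce.*.sslkeyStore in $1" >&2; return 1; }
  printf '%s\n' "$f"
}

# After sslkeytool runs, expect exactly one non-enforce keystore per alias;
# fewer means an alias was skipped or the tool stopped early, more means stale
# files from an earlier run are mixed in with the new ones.
check_outputs() {
  local dir=$1 aliases=$2 want have
  want=$(grep -c . "$aliases") || true
  have=$(ls "$dir"/*.sslkeyStore 2>/dev/null | grep -vc '/enforce\.') || true
  if [ "$have" -ne "$want" ]; then
    echo "expected $want detection server keystores in $dir, found $have" >&2
    return 1
  fi
}

# Whole procedure on the Enforce Server. Usage: run_procedure <work_dir> <alias>...
run_procedure() {
  local work=$1 ks; shift
  mkdir -p "$work" && chmod 700 "$work"        # the files here hold private keys
  work=$(cd "$work" && pwd)
  ks=$(latest_enforce_keystore "$ENFORCE_KEYSTORE_DIR")
  cp -p "$ks" "$work/"
  write_alias_file "$work/aliases.txt" "$@"
  (cd "$ENFORCE_BIN" && ./sslkeytool -alias="$work/aliases.txt" \
      -enforce="$(basename "$ks")" -dir="$work")
  check_outputs "$work" "$work/aliases.txt"
  chmod 600 "$work"/*.sslkeyStore
  # The copy of the Enforce keystore in the work directory now trusts the new
  # aliases; put it back in place, keeping a 0600 backup of the previous one.
  cp -p "$ks" "$ks.bak" && chmod 600 "$ks.bak"
  cp -p "$work/$(basename "$ks")" "$ks"
  echo "Next: copy each non-enforce *.sslkeyStore in $work to its detection server's"
  echo "keystore directory, restart SymantecDLPDetectionServerService there, then"
  echo "rm -rf $work so no second copy of the private keys is left behind."
}

if [ "$#" -ge 2 ]; then
  run_procedure "$@"
else
  echo "usage: $0 <work_dir> <alias>..." >&2
fi
```

Run it as the SymantecDLP user, for example `sh add_detection_certs.sh /home/SymantecDLP/new_certificates network02 smtp_prevent02` (the script name is hypothetical). The output check is deliberately strict about the file count: a work directory reused from an earlier run would otherwise let old keystores be copied to the wrong server unnoticed.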