Using sslkeytool to generate new Enforce Server and detection server certificates

After installing Symantec Data Loss Prevention, use the -genkey argument with sslkeytool to generate new certificates for the Enforce Server and detection servers. Symantec recommends that you replace the default certificate used to secure communication between servers with unique, self-signed certificates. The -genkey argument automatically generates two certificate files. You store one certificate on the Enforce Server, and the second certificate on each detection server. The optional -alias argument lets you generate a unique certificate file for each detection server in your system. To use -alias, you must first create an alias file that lists the name of each alias to create.
The steps that follow are for generating unique certificates for the Enforce Server and detection servers at the same time. If you need to generate one or more detection server certificates after the Enforce Server certificate is generated, the procedure is different; see Using sslkeytool to add new detection server certificates.
  1. Log on to the Enforce Server computer using the "SymantecDLP" user account you created during Symantec Data Loss Prevention installation.
  2. From a command window, go to the directory where the sslkeytool utility is stored:
    On Windows this directory is c:\Program Files\Symantec\DataLossPrevention\EnforceServer\15.8.00000\Protect\bin.
    On Linux this directory is /opt/Symantec/DataLossPrevention/EnforceServer/15.8.00000/protect/bin.
  3. If you want to create a dedicated certificate file for each detection server, first create a text file to list the alias names you want to create. Place each alias on a separate line. For example:
    net_monitor01
    protect01
    endpoint01
    smtp_prevent01
    web_prevent01
    The -genkey argument automatically creates certificates for the "enforce" and "monitor" aliases. Do not add these aliases to your custom alias file.
  4. Run the sslkeytool utility with the -genkey argument and the optional -dir argument to specify the output directory. If you created a custom alias file, also specify the optional -alias argument, as in the following example:
    • Windows: sslkeytool -genkey -alias=.\aliases.txt -dir=.\generated_keys
    • Linux: sslkeytool -genkey -alias=./aliases.txt -dir=./generated_keys
    This generates new certificates (keystore files) in the specified directory. Two files are automatically generated with the -genkey argument:
    • enforce.<timestamp>.sslKeyStore
    • monitor.<timestamp>.sslKeyStore
    sslkeytool also generates individual files for any aliases that are defined in the alias file. For example:
    • net_monitor01.<timestamp>.sslKeyStore
    • protect01.<timestamp>.sslKeyStore
    • endpoint01.<timestamp>.sslKeyStore
    • smtp_prevent01.<timestamp>.sslKeyStore
    • web_prevent01.<timestamp>.sslKeyStore
  5. Copy the certificate file whose name begins with enforce to the following directory on the Enforce Server, based on your platform:
    • Windows: c:\ProgramData\Symantec\DataLossPrevention\EnforceServer\15.8.00000\keystore
    • Linux: /var/Symantec/DataLossPrevention/EnforceServer/15.8.00000/keystore
  6. If you want to use the same certificate file with all detection servers, copy the certificate file whose name begins with monitor to the keystore directory of each detection server in your system. Copy the file to the directory based on your platform:
    • Windows: c:\ProgramData\Symantec\DataLossPrevention\EnforceServer\15.8.00000\keystore
    • Linux: /var/Symantec/DataLossPrevention/EnforceServer/15.8.00000/keystore
    If you generated a unique certificate file for each detection server in your system, copy the appropriate certificate file to the keystore directory on each detection server computer.
  7. Delete or secure any additional copies of the certificate files to prevent unauthorized access to the generated keys.
  8. Restart the SymantecDLPDetectionServerControllerService service on the Enforce Server and the SymantecDLPDetectionServerService service on the detection servers.
When you install a Symantec Data Loss Prevention server, the installation program creates a default keystore in the keystore directory. When you copy a generated certificate file into this directory, the generated file overrides the default certificate. If you later remove the certificate file from the keystore directory, Symantec Data Loss Prevention reverts to the default keystore file embedded within the application. This behavior ensures that data traffic is always protected. Note, however, that you cannot use the built-in certificate with certain servers and a generated certificate with other servers. All servers in the Symantec Data Loss Prevention system must use either the built-in certificate or a custom certificate.
If more than one keystore file is placed in the keystore directory, the server does not start.
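A pre-flight check for the procedure above (the alias file rules in step 3, picking the right generated file in steps 5 and 6) and for the closing note that a keystore directory must hold only one keystore file; this is an added example, not part of the Symantec documentation or the sslkeytool utility. It assumes a Linux host with bash; the function names are my own, and the file naming pattern <alias>.<timestamp>.sslKeyStore is taken from the text above.

```bash
#!/usr/bin/env bash
# Added example (not from the Symantec documentation): helper checks around the
# sslkeytool -genkey procedure. Assumes Linux and bash.
set -euo pipefail

# Reject an alias file that lists the reserved aliases "enforce" or "monitor"
# (sslkeytool -genkey creates those itself) or that puts several aliases on one
# line. Returns 0 when the file is acceptable, 1 otherwise.
validate_alias_file() {
    local file="$1" line=""
    while IFS= read -r line || [ -n "$line" ]; do
        [ -z "$line" ] && continue
        case "$line" in
            *[[:space:]]*) echo "one alias per line expected: '$line'" >&2; return 1 ;;
            enforce|monitor) echo "reserved alias must not be listed: $line" >&2; return 1 ;;
        esac
    done < "$file"
}

# Count *.sslKeyStore files in a keystore directory. The server does not start
# when more than one is present, so 1 is the healthy state after copying a
# generated file in; 0 means the built-in default keystore is in use.
keystore_count() {
    local dir="$1"
    find "$dir" -maxdepth 1 -name '*.sslKeyStore' -type f | wc -l | tr -d ' '
}

# Print the generated file for one alias (enforce, monitor or a custom alias)
# from the sslkeytool output directory; fails unless exactly one file matches,
# so an ambiguous or missing keystore is never copied by accident.
select_keystore() {
    local outdir="$1" alias="$2" matches
    matches=$(find "$outdir" -maxdepth 1 -name "${alias}.*.sslKeyStore" -type f)
    [ -n "$matches" ] || return 1
    [ "$(printf '%s\n' "$matches" | wc -l | tr -d ' ')" -eq 1 ] || return 1
    printf '%s\n' "$matches"
}
```

Run validate_alias_file before invoking sslkeytool, use select_keystore to choose the file to copy in steps 5 and 6, and confirm keystore_count reports 1 on every server before restarting the services in step 8.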