Using sslkeytool to generate new Enforce Server and detection server certificates
After installing Symantec Data Loss Prevention, use the -genkey argument with sslkeytool to generate new certificates for the Enforce Server and detection servers. Symantec recommends that you replace the default certificate used to secure communication between servers with unique, self-signed certificates. The -genkey argument automatically generates two certificate files. You store one certificate on the Enforce Server, and the second certificate on each detection server. The optional -alias argument lets you generate a unique certificate file for each detection server in your system. To use the -alias argument, you must first create an alias file that lists the name of each alias to create.

The steps that follow are for generating unique certificates for the Enforce Server and detection servers at the same time. If you need to generate one or more detection server certificates after the Enforce Server certificate is generated, the procedure is different; see Using sslkeytool to add new detection server certificates.
- Log on to the Enforce Server computer using the "SymantecDLP" user account you created during Symantec Data Loss Prevention installation.
- From a command window, go to the directory where the sslkeytool utility is stored:
  - On Windows this directory is c:\Program Files\Symantec\DataLossPrevention\EnforceServer\15.8.00000\Protect\bin.
  - On Linux this directory is /opt/Symantec/DataLossPrevention/EnforceServer/15.8.00000/protect/bin.
- If you want to create a dedicated certificate file for each detection server, first create a text file that lists the alias names you want to create. Place each alias on a separate line. For example:

      net_monitor01
      protect01
      endpoint01
      smtp_prevent01
      web_prevent01

  The -genkey argument automatically creates certificates for the "enforce" and "monitor" aliases. Do not add these aliases to your custom alias file.
- Run the sslkeytool utility with the -genkey argument and the optional -dir argument to specify the output directory. If you created a custom alias file, also specify the optional -alias argument, as in the following example:
  - Windows: sslkeytool -genkey -alias=.\aliases.txt -dir=.\generated_keys
  - Linux: sslkeytool -genkey -alias=./aliases.txt -dir=./generated_keys

  This generates new certificates (keystore files) in the specified directory. Two files are automatically generated with the -genkey argument:
  - enforce.timestamp.sslKeyStore
  - monitor.timestamp.sslKeyStore

  The sslkeytool utility also generates individual files for any aliases that are defined in the alias file. For example:
  - net_monitor01.timestamp.sslKeyStore
  - protect01.timestamp.sslKeyStore
  - endpoint01.timestamp.sslKeyStore
  - smtp_prevent01.timestamp.sslKeyStore
  - web_prevent01.timestamp.sslKeyStore
- Copy the certificate file whose name begins with enforce to the following directory on the Enforce Server, based on your platform:
  - Windows: c:\ProgramData\Symantec\DataLossPrevention\EnforceServer\15.8.00000\keystore
  - Linux: /var/Symantec/DataLossPrevention/EnforceServer/15.8.00000/keystore
- If you want to use the same certificate file with all detection servers, copy the certificate file whose name begins with monitor to the keystore directory of each detection server in your system. Copy the file to the directory based on your platform:
  - Windows: c:\ProgramData\Symantec\DataLossPrevention\EnforceServer\15.8.00000\keystore
  - Linux: /var/Symantec/DataLossPrevention/EnforceServer/15.8.00000/keystore

  If you generated a unique certificate file for each detection server in your system, copy the appropriate certificate file to the keystore directory on each detection server computer.
- Delete or secure any additional copies of the certificate files to prevent unauthorized access to the generated keys.
- Restart the SymantecDLPDetectionServerControllerService service on the Enforce Server and the SymantecDLPDetectionServerService service on the detection servers.
When you install a Symantec Data Loss Prevention server, the installation program creates a default keystore in the keystore directory. When you copy a generated certificate file into this directory, the generated file overrides the default certificate. If you later remove the certificate file from the keystore directory, Symantec Data Loss Prevention reverts to the default keystore file embedded within the application. This behavior ensures that data traffic is always protected. Note, however, that you cannot use the built-in certificate with certain servers and a generated certificate with other servers. All servers in the Symantec Data Loss Prevention system must use either the built-in certificate or a custom certificate. If more than one keystore file is placed in the keystore directory, the server does not start.
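The copy steps above and the one-keystore-per-directory rule are easy to get wrong when several generations of sslkeytool output exist. The following POSIX shell helpers are an added example, not part of the Symantec documentation or the sslkeytool utility; they assume the file naming shown above (alias.timestamp.sslKeyStore) and pick, copy and verify one keystore per server, refusing ambiguous input.

```shell
#!/bin/sh
# Added example, not from the Symantec documentation. Assumes the file naming
# shown above (<alias>.<timestamp>.sslKeyStore) and that each server's keystore
# directory must hold exactly one keystore file.

# Print the path of the keystore generated for one alias ("enforce", "monitor"
# or a custom alias such as "web_prevent01"). Fails when the alias has no file
# or more than one (e.g. an earlier -genkey run left in the same directory).
select_keystore() {
    gen_dir=$1
    alias_name=$2
    count=0
    match=""
    for f in "$gen_dir/$alias_name".*.sslKeyStore; do
        [ -e "$f" ] || continue
        count=$((count + 1))
        match=$f
    done
    if [ "$count" -ne 1 ]; then
        echo "alias '$alias_name': expected 1 keystore in $gen_dir, found $count" >&2
        return 1
    fi
    printf '%s\n' "$match"
}

# Verify a server's keystore directory: 0 files means the server silently
# falls back to the built-in certificate (exit 2), more than 1 means the
# server will not start (exit 1), exactly 1 is the expected state (exit 0).
check_keystore_dir() {
    ks_dir=$1
    n=0
    for f in "$ks_dir"/*.sslKeyStore; do
        [ -e "$f" ] || continue
        n=$((n + 1))
    done
    case "$n" in
        1) return 0 ;;
        0) echo "$ks_dir: no custom keystore, built-in certificate in use" >&2; return 2 ;;
        *) echo "$ks_dir: $n keystore files, server will not start" >&2; return 1 ;;
    esac
}

# Copy the keystore for one alias into a server's keystore directory (which
# must already exist) and confirm the directory is in the expected state.
install_keystore() {
    src=$(select_keystore "$1" "$2") || return 1
    cp "$src" "$3/" && check_keystore_dir "$3"
}
```

Run install_keystore with the generated_keys directory, the alias for the target server and that server's keystore directory; a non-zero exit means the directory is not in a state the server will accept.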