Data Loss Prevention

Create, sign, and import an SSL certificate signed by a trusted Certificate Authority DLP 15.1/15.5

Purpose

 The purpose of this document is to help others use a custom signed Certificate, issues by a CA. As of now I have only been able to find documentation that refers to doing this prior to 15.1, and from the looks of how the structure is this has now changed from previous versions.

Steps

1. The keytool required to create, sign and import an ssl certificate is in this location C:\Program Files\Symantec\DataLossPrevention\ServerJRE\1.8.0_181\bin (Assuming DLP is installed on the c:\)  

   

2. Open CMD as Administrator and navigate to C:\Program Files\Symantec\DataLossPrevention\ServerJRE\1.8.0_181\bin 

   

3. Once you have navigated to the location of the keytool you need to run the following command keytool -alias tomcat -keyalg RSA -keysize 2048 -validity 365 -storepass protect -dname “CN=YOURCOMPUTERNAMEHERE, OU=ORGANIZATIONALUNIT, O=ORGANIZATION, L=YOURCITY, ST=YOURSTATE, C=COUNTRYCODE” (you will need to copy and paste this command into notepad so the the “ are correct in cmd prompt)

   

4. Make a note of where the .keystore file gets saved, in my case this stores the file in c:\users\administrators.keystore
5. We now need to create the certificate request file to do this we run this command keytool -certreq -alias tomcat -keyalg RSA -keystore output of where your .keystore saved  -storepass protect -file "Enforce.csr" 

   

6. The CSR file should be stored in the following location C:\Program Files\Symantec\DataLossPrevention\ServerJRE\1.8.0_181\bin 

   

7. Once the .csr has been created you need to send this to your CA admin
8. Once you have received your certificate back from your CA admin copy the file to C:\Program Files\Symantec\DataLossPrevention\ServerJRE\1.8.0_181\bin your CA Admin will also need to send you the Root certificate(s) (these need to be x.509 to add to the keystore.
9. now need to import the Root Cert and the server Cert, to do this we open CMD as Administrator and navigate to C:\Program Files\Symantec\DataLossPrevention\ServerJRE\1.8.0_181\bin to import the Root Cert run keytool -importcert -alias root -keystore .KEYSTOREFILELOCATION -trustcacerts -file Root .cer once you have installed the root we will need to import the intermediate ca to do this use this command keytool -importcert -alias intermediateca -keystore .KEYSTOREFILELOCATION -trustcacerts -file intermediateca.cer, we can now import the server Cert keytool -importcert -alias tomcat -keystore .KEYSTOREFILELOCATION -trustcacerts -file YOURCERTNAME.p7b
10. We now need to copy the .keystore file from the location of where your output file is (C;\users\administrator) to C:\Program Files\Symantec\DataLossPrevention\EnforceServer\15.5\Protect\tomcat\conf ****Important Note – Ensure to backup your original .keystore file incase the newly created one does not work!*****
11. Once you have copied thenew file into the location you will need to restart the Symantec DLP services, you may need to reboot the server in order for the certificates to kick in
12. Once the services have restarted you should now be able to open the Enforce console in internet explorer without being prompted to accept the Certificate.

Hopefully this helps with using CA certs in your DLP Environment!

Thanks for reading!