Data Loss Prevention

Hi

I thought i might start using the connection between DI and DLP to get the full advantages from these products.

I went through the Symantec_DLP_11.5_Data_Insight_Implementation_Guide and got to the bit where the connection is setup.

I get the certificate and accept it and then try to set the user for DI login.

This is what i get when validating the credentials: The login credentials were rejected by the server.

I have tried most "normal" solutions but without any progress. 

Anybody have any idea why it is rejected?

Thanks in advance!

This was discussed here: https://www-secure.symantec.com/connect/forums/integrate-data-insight-enforce-server

Might help you out

Hi Lind,

During the installation of Data Insight, a window will appear to Configure a Product Administrator.  Enter the requested information as specified in the 'Symantec Data Insight Installation Guide':

■ Name of the user who can log in to Symantec Data Insight with Product Administrator privileges

■ Name of the domain to which the user belongs

Note: The product administrator must be a local user or must belong to the same domain as the Management Server.

Hi Lind,

The user must be a local user on the Data Insight manager or a domain user with logon privileges on the Data Insight manager.

The user is defined in the Data Insight UI. 

Data Insight's certificate was generated with the machine’s name. The Data Identifier’s server IP address was entered into DLP.  The CN of the certificate containing a name did not match with the IP provided.  Using IPs or DNS names on both will work correctly.

It has also been seen in at least one instance that the DI connection to DLP needed to use the Enforce Administrator user and password to connect.

Regards

Kishorilal

This seems to be a problem with the integration between between Data Insight and DLP, not a problem logging into the Data Insight server as the other posts seem to deal with.

Where do things stand w/ this issue?

Lind311 -

I have made a couple of assumptions.

1) you are in the DLP (Data Loss Prevention) console and completed the configuration to 'hook' SDI (Symantec DataInsght) to allow query of data from SDI  to be called from DLP.

2) you have no problems with the DLP side of the equation

3) you need to allow access into SDI from DLP for the plugin to work.

This works on the concept that SDI has the access data for the files in question and the DLP product contains the incident data for the individual files and they share between the applications.

You will require certain information to complete this on both sides as each application needs independent configuration to allow them to work in unison.

Correct anything that was not done on DLP in sequence:

• Login to console
• Roll-over System to get the window to popup the menu
• Click on Credentials
• Click on Add Credential
• Name the Credential
• Enter Credentials

             –Domain\username  * Note: these must exist on the SDI server and be a valid user

• Click Save

  Still on the same DLP console:

• Roll-over System to get the window to popup the menu
• Click on Data Insight
• Click on configure

• Enter Host Name
• Default port is 443
• Click Retrieve Certificate
• Verify Certificate Info.
• Click Yes to trust

In the bottom of the same page you need to add the credential to the SDI server. This must exist and be a valid user with proper permissions in SDI.

• Select the Data Insight Credential
• Click Test Connection
• Successful test message should return 

Did it return a successful message?

It should look like this (Note: newer version, old version is a popup)

Were there credentials in the drop down list for you to select?

If this was all correct then please let us know and we will move to the creation of the custom attributes (needed as place holders for the SDI data) and the configuration of the plugin (Plugins.properties file on the DLP Enforce server located in /Vontu/Protect/config) to allow the 'sharing' of the data between the applications.

Example custom attributes -

Data Owner
Data User
Data User Reads
Data User Writes
Last Access
Data User 2
Data User 3

The properties file is full of remarks by default and MUST be edited for configuration to be completed. Loading requires a restart and you should see an entry in your log (Default - \Vontu\Protect\logs\tomcat\localhost.yyyy-mm-dd.log) indicating the lookup for DataInsight was loaded. Scans must be completed after the configuration is complete for proper reporting.

Note: normally the Symantec Consultant or Technical Program Manager for your account would have completed these steps for you upon install but you inidicated this was a long standing installation and you were adding a configuration. Please post your versions of SDI and DLP upon your reply so the instructions can be geared to the applicable console clicks.

Note: the latest patch version of SDI is available for download here - https://sort.symantec.com/patch/detail/6546

I look forward to your reply and we can move you forward after we have confirmed the applications have the required interaction.

We can do this interactivey via Symantec Technical Support if you want to have a support case opened.

Rod

(Updated post test)

Lind311 -

I realized that I stated you must use a SDI user with proper permissions but did not define the term.

Reference: Administrator's guide chapter 7 page 97.

Before a user can log in to Symantec Data Insight, you must add an account for that user. The user can then use that account to log in to the Console. The user account can be any account that is valid on the Management Server system. This includes local system accounts as well as users belonging to the domain which the Management Server is a part of.
When  you create an user account, a role (set of access privileges) is associated with the account. Roles specify access privileges to the Symantec Data Insight system.

Use the administrator Role as in the

versus the 

Note: you can assign a user with a role and save the creds.

The user has to be able to access the server after being authenticated so just creating a credential will fail. As example looking in the log file C:\Program Files\Symantec\DataInsight\log\webserver0.0.log for an attempt at console access with a unauthorized domain\user would show:

SecurityUtils.authenticate] Authentication for user rod@whereas failed
 INFO: [LOGIN_FAILED@DImgtsvr@null] Tue Aug 07 12:45:17 PDT 2012 Login failed for rod@whereas (args: [rod@whereas]) (Obj: USER:rod@whereas)
 

Note:

UPDATE

Just tested this with user role instead of Administrator and it was successful with 'All Filers/Web Applications' selected. (Note combination of two sections and highlighted in the red box)

That will allow you some leeway in deciding the particular user to use. I created a new user, authorized him to use the SDI application with the user role

and used that from DLP when configuring the connection.

I created a stored credential in DLP -

And used it when choosing how to connect to SDI

Note: when you test the newly created user can login to the SDI console close all open tabs, especuially the ones to create your user or you will receive an error, since the permissions to dispaly the tab is not within the role.

Example:

You new header will be missing some options:

To configure the SDI --> DLP connection use:

Configuring Symantec Data Loss Prevention settings Data Insight pulls information about sensitive files in a storage environment from Symantec Data Loss Prevention (DLP). Data Insight uses this information when raising alerts in response to configured policies. You can retrieve a incident list that flags sensitive files in your storage environment and create a saved report using the Enforce Server Administration Console. Data Insight uses the DLP Reporting API Web Service to request a list of incident IDs by specifying a saved report ID.
Data Insight runs a job at 12:00 a.m. every night to retrieve a list of sensitive files from DLP.
You must configure the settings that allow Data Insight to communicate with Symantec Data Loss Prevention.
To configure Data Loss Prevention settings
1 In the Management Console, click Settings > Data Loss Prevention.
2 Click Edit, and enter the following details:
■ The hostname or IP address of the DLP server
■ The port through which Data Insight connects to the DLP server.
■ The username and password of the account used to access the DLP server.

Note: Ensure that the credentials belong to an existing DLP user assigned the Reporting API Client role.

■ The ID of the Saved Report

Which relates to the Symantec_DLP_11.1_Data_Insight_Implementation_Guide.pdf page 21 as detailed above from the DLP side.

Rod

Tore my hair a while there.

Tried all the solutions without any success. Rebooted the server to see if that worked but still no go.

Finally i added the latest hotfix that RodP linked to and viola!

The thing that didnt work before for me was to add a local user in the SDI. Gave me an error but i never really reflected on it until RodP mentioned it in the guide.

It's now working!

Thanks for allt eh replies and helt guys!