Symantec Data Loss Prevention uses Secure Sockets Layer/Transport Layer Security (SSL/TLS) to encrypt all data that is transmitted between servers. Symantec Data Loss Prevention also uses the SSL/TLS protocol for mutual authentication between servers. Servers implement authentication by the mandatory use of client-side and server-side certificates. By default, connections between servers use a single, self-signed certificate that is embedded securely inside the Symantec Data Loss Prevention software. All Symantec Data Loss Prevention installations at all customer sites use this same certificate.
Symantec recommends that you replace the default certificate with unique, self-signed certificates for your organization's installation. You store a certificate on the Enforce Server, and on each detection server that communicates with the Enforce Server. These certificates are generated with the sslkeytool utility.
Note: If you install a Network Prevent detection server in a hosted environment, you must generate unique certificates for your Symantec Data Loss Prevention servers. You cannot use the built-in certificate to communicate with a hosted Network Prevent server.
Note: Symantec recommends that you create dedicated certificates for communication with your Symantec Data Loss Prevention servers. When you configure the Enforce Server to use a generated certificate, all detection servers in your installation must also use generated certificates. You cannot use the built-in certificate with some detection servers and a generated certificate with other servers.
About sslkeytool command line options:
sslkeytool is a command-line utility that generates a unique pair of SSL certificates (keystore files). sslkeytool is located in the \SymantecDLP\Protect\bin directory (Windows) or /opt/SymantecDLP/Protect/bin directory (Linux). It must run under the Symantec Data Loss Prevention operating system user account which, by default, is "protect." Also, you must run sslkeytool directly on the Enforce server computer.
The following command forms and options are available for sslkeytool:
-genkey [-dir=directory -alias=aliasFile]
Generates two unique certificates (keystore files) by default: one for the Enforce Server and one for the detection servers. The optional -dir argument specifies the directory where the keystore files are placed. The optional -alias argument generates additional keystore files for each alias specified in the aliasFile. You can use the alias file to generate unique certificates for each detection server in your system (rather than using the same certificate on every detection server). Use this command form the first time you generate unique certificates for your Symantec Data Loss Prevention installation.
-list=file
Lists the content of the specified keystore file.
-alias=aliasFile -enforce=enforceKeystoreFile [-dir=directory]
Generates multiple certificate files for detection servers using the aliases you define in aliasFile. You must specify an existing Enforce Server keystore file to use when generating the new detection server keystore files. The optional -dir argument specifies the directory where the keystore files are placed. If you specify the -dir argument, you must also place the Enforce Server keystore file in the specified directory. Use this command form to add new detection server certificates to an existing Symantec Data Loss Prevention installation.
For example, the command sslkeytool -genkey generates two files:
enforce.timestamp.sslKeyStore
monitor.timestamp.sslKeyStore
Unless you specified a different directory with the -dir argument, these two keystore files are created in the bin directory where the sslkeytool utility resides.
Using sslkeytool to generate new Enforce and detection server certificates:
After installing Symantec Data Loss Prevention, use the -genkey argument with sslkeytool to generate new certificates for the Enforce Server and detection servers. Symantec recommends that you replace the default certificate used to secure communication between servers with unique, self-signed certificates. The -genkey argument automatically generates two certificate files. You store one certificate on the Enforce Server, and the second certificate on each detection server. The optional -alias argument lets you generate a unique certificate file for each detection server in your system. To use -alias, you must first create an alias file that lists the name of each alias to create.
To generate unique certificates for Symantec Data Loss Prevention servers:
1] Log on to the Enforce Server computer using the "protect" user account you created during Symantec Data Loss Prevention installation.
2] From a command window, go to the c:\SymantecDLP\Protect\bin directory where the sslkeytool utility is stored.
3] If you want to create a dedicated certificate file for each detection server, first create a text file to list the alias names you want to create. Place each alias on a separate line. For example:
net_monitor01
protect01
endpoint01
smtp_prevent01
web_prevent01
classification01
Note: The -genkey argument automatically creates certificates for the "enforce" and "monitor" aliases. Do not add these aliases to your custom alias file.
4] Run the sslkeytool utility with the -genkey argument and optional -dir argument to specify the output directory. If you created a custom alias file, also specify the optional -alias argument, as in this example:
This generates new certificates (keystore files) in the specified directory. Two files are automatically generated with the -genkey argument:
enforce.timestamp.sslKeyStore
monitor.timestamp.sslKeyStore
sslkeytool also generates individual files for any aliases that are defined in the alias file. For example:
net_monitor01.timestamp.sslKeyStore
protect01.timestamp.sslKeyStore
endpoint01.timestamp.sslKeyStore
smtp_prevent01.timestamp.sslKeyStore
web_prevent01.timestamp.sslKeyStore
classification01.timestamp.sslKeyStore
5] Copy the certificate file whose name begins with enforce to the c:\SymantecDLP\Protect\keystore directory on the Enforce Server.
6] If you want to use the same certificate file with all detection servers, copy the certificate file whose name begins with monitor to the c:\SymantecDLP\Protect\keystore directory of each detection server in your system.
If you generated a unique certificate file for each detection server in your system, copy the appropriate certificate file to the keystore directory on each detection server computer.
7] Delete or secure any additional copies of the certificate files to prevent unauthorized access to the generated keys.
8] Restart the Vontu Monitor Controller service on the Enforce Server and the Vontu Monitor service on the detection servers.
When you install a Symantec Data Loss Prevention server, the installation program creates a default keystore in the keystore directory. When you copy a generated certificate file into this directory, the generated file overrides the default certificate. If you later remove the certificate file from the keystore directory, Symantec Data Loss Prevention reverts to the default keystore file embedded within the application. This behavior ensures that data traffic is always protected. Note, however, that you cannot use the built-in certificate with certain servers and a generated certificate with other servers. All servers in the Symantec Data Loss Prevention system must use either the built-in certificate or a custom certificate.
Note: If more than one keystore file is placed in the keystore directory, the server does not start.
Using sslkeytool to add new detection server certificates:
Use sslkeytool with the -alias argument to generate new certificate files for an existing Symantec Data Loss Prevention deployment. When you use this command form, you must provide the current Enforce Server keystore file, so that sslkeytool can embed the Enforce Server certificate in the new detection server certificate files that you generate.
To generate new detection server certificates:
1] Log on to the Enforce Server computer using the "protect" user account that you created during Symantec Data Loss Prevention installation.
2] From a command window, go to the c:\SymantecDLP\Protect\bin directory where the sslkeytool utility is stored.
3] Create a directory in which you will store the new detection server certificate files. For example:
mkdir new_certificates
4] Copy the Enforce Server certificate file to the new directory. For example:
5] Create a text file that lists the new server alias names that you want to create. Place each alias on a separate line. For example:
endpoint02
smtp_prevent02
6] Run the sslkeytool utility with the -alias argument and -dir argument to specify the output directory. Also specify the name of the Enforce Server certificate file that you copied into the certificate directory. For example:
This generates a new certificate file for each alias, and stores the new files in the specified directory. Each certificate file also includes the Enforce Server certificate from the Enforce keystore that you specify.
7] Copy each new certificate file to the c:\SymantecDLP\Protect\keystore directory on the appropriate detection server computer.
8] Delete or secure any additional copies of the certificate files to prevent unauthorized access to the generated keys.
9] Restart the Vontu Monitor service on each detection server to use the new certificate file.
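Both procedures above (generating the initial certificates with -genkey, and adding detection server certificates with -alias and -enforce) rely on the same rules: the custom alias file must not contain the enforce or monitor aliases, each server's keystore directory must hold exactly one keystore file or the server does not start, and the -alias/-enforce form needs the Enforce Server keystore in the output directory. The POSIX shell script below is an added example, not part of Symantec's documentation or of the sslkeytool utility; it checks those rules before a run and verifies the set of generated files afterwards. The function names, the Linux path /opt/SymantecDLP/Protect/bin, and the constructed sample files in the demonstration are assumptions, not taken from the page.

```shell
#!/bin/sh
# Pre-flight and post-run checks around sslkeytool (added example; not Symantec's code).
# Assumptions, not taken from the documentation: the function names below, the
# constructed sample files in the demonstration, and the path /opt/SymantecDLP/Protect/bin.

# Aliases that -genkey creates on its own; they must not appear in a custom alias file.
RESERVED_ALIASES="enforce monitor"

# validate_alias_file FILE
# Accepts the file when every non-blank line is a single token that is not a
# reserved alias. Reports each problem on stderr and returns 1 if any was found.
validate_alias_file() {
    file="$1"
    [ -f "$file" ] || { echo "alias file not found: $file" >&2; return 1; }
    status=0
    while IFS= read -r alias || [ -n "$alias" ]; do
        [ -z "$alias" ] && continue                  # blank lines are ignored
        case "$alias" in
            *[[:space:]]*) echo "alias contains whitespace: '$alias'" >&2; status=1; continue ;;
        esac
        for reserved in $RESERVED_ALIASES; do
            [ "$alias" = "$reserved" ] && { echo "'$alias' is created by -genkey; remove it" >&2; status=1; }
        done
    done < "$file"
    return $status
}

# count_keystores DIR
# Prints how many *.sslKeyStore files DIR holds.
count_keystores() {
    n=0
    for f in "$1"/*.sslKeyStore; do
        [ -e "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# check_keystore_dir DIR
# A server's keystore directory must hold exactly one keystore file, or the server does not start.
check_keystore_dir() {
    n=$(count_keystores "$1")
    [ "$n" -eq 1 ] && return 0
    echo "$1 holds $n keystore files; exactly one is required" >&2
    return 1
}

# check_generated DIR ALIASFILE MODE
# MODE "genkey": expect one keystore each for enforce, monitor and every alias.
# MODE "add":    expect the Enforce keystore you copied in plus one keystore per alias
#                (the -alias/-enforce form does not produce a monitor keystore).
check_generated() {
    dir="$1"
    expected="enforce $(cat "$2")"
    if [ "$3" = "genkey" ]; then expected="enforce monitor $(cat "$2")"; fi
    status=0
    for name in $expected; do
        n=0
        for f in "$dir"/"$name".*.sslKeyStore; do
            [ -e "$f" ] && n=$((n + 1))
        done
        [ "$n" -eq 1 ] || { echo "expected one keystore for '$name' in $dir, found $n" >&2; status=1; }
    done
    return $status
}

# Typical use on the Enforce Server, with the page's own command syntax (shown as comments
# because sslkeytool exists only there):
#   cd /opt/SymantecDLP/Protect/bin
#   validate_alias_file aliases.txt && sslkeytool -genkey -dir=/tmp/newcerts -alias=aliases.txt
#   check_generated /tmp/newcerts aliases.txt genkey
#   check_keystore_dir /opt/SymantecDLP/Protect/keystore   # on each server after copying its file

# --- Demonstration on constructed input, so the script runs without sslkeytool ---
demo=$(mktemp -d)
printf 'net_monitor01\nsmtp_prevent01\n' > "$demo/aliases.txt"
printf 'monitor\nweb_prevent01\n' > "$demo/bad_aliases.txt"
mkdir "$demo/out" "$demo/keystore"
for name in enforce monitor net_monitor01 smtp_prevent01; do
    : > "$demo/out/$name.20240101.sslKeyStore"   # constructed stand-ins for generated keystores
done
cp "$demo/out/enforce.20240101.sslKeyStore" "$demo/keystore/"
validate_alias_file "$demo/aliases.txt" && echo "aliases.txt: ok"
validate_alias_file "$demo/bad_aliases.txt" || echo "bad_aliases.txt: rejected"
check_generated "$demo/out" "$demo/aliases.txt" genkey && echo "out/: complete set of keystores"
check_keystore_dir "$demo/keystore" && echo "keystore/: exactly one keystore"
cp "$demo/out/monitor.20240101.sslKeyStore" "$demo/keystore/"
check_keystore_dir "$demo/keystore" || echo "keystore/: two keystores, server would not start"
rm -rf "$demo"
```

Run check_keystore_dir on every server after step 5 or 6 of either procedure, since a second keystore file left behind in the keystore directory is enough to stop that server from starting; check_generated with mode "add" confirms that the Enforce keystore you copied into the new directory is present alongside the new alias files.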