
Symantec DLP Enforce GUI SSL Certificate: Create and Import


Note: The following is based on Symantec Data Loss Prevention v.14.6.01. Always back up your system before making any modifications.

Creating / Importing the New .Keystore, Certificate Signing Request and SSL Certificate

  1. On the Enforce server, back up the entire contents of the \SymantecDLP\Protect\tomcat\conf directory to a TEMP directory.
  2. On the Enforce server, open a Command Prompt with elevated privileges.
  3. Change current directory to \SymantecDLP\jre\bin\
  4. Delete any current .keystore file that may exist.
  5. From the command prompt, type this command: keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -keystore .keystore -validity 365 -storepass protect -dname "CN=<yourserverurl>, OU=<yourdepartment>, O=<yourcompany>, L=<yourcity>, ST=<yourstate>, C=<countrycode>" [PRESS ENTER]
  6. This should produce the .keystore file in the \SymantecDLP\jre\bin directory folder.
  7. From the same command prompt, type this command: keytool -certreq -alias tomcat -keyalg RSA -keystore .keystore -storepass protect -file "signingrequest.csr" [PRESS ENTER]
  8. This should produce the signingrequest.csr file. Send this file to your CA admin so they can generate the certificate file in PKCS#7 format. This is the format suitable for Tomcat. The file should have an extension of *.p7b.
    1. NOTE: If you plan on using Google Chrome v.58 or newer, you must include the SubjectAlternativeName extension when creating the certificate. Google Chrome deprecated the use of CN= and now relies on the extension. The CN= is still needed for IE, though. With both CN= and the SubjectAlternativeName extension, the certificate should work with both IE and Google Chrome. This is an example of the extension:

       #8: ObjectId: 2.5.29.17 Criticality=false
       SubjectAlternativeName [
         DNSName: *.acme.com
         DNSName: acme.com
       ]

       Also, if you are planning on using Google Chrome with DLP, you have to modify the manager.properties file located in the \SymantecDLP\Protect\config directory. Look for the entry com.vontu.manager.unsupported_browser_autentication = false and change it to true. Save the file. This will allow the usage of Google Chrome and Apple Safari browsers.

  1. When you receive the *.p7b file, copy it to the \SymantecDLP\jre\bin directory on the Enforce server.
  2. On the Enforce server, open a Command Prompt with elevated privileges.
  3. Change current directory to \SymantecDLP\jre\bin\
  4. From the command prompt, type this command: keytool -import -alias tomcat -keystore .keystore -trustcacerts -file <filename>.p7b [PRESS ENTER]
  5. From the \SymantecDLP\jre\bin directory, copy the .keystore file to the \SymantecDLP\Protect\tomcat\conf directory.
  6. Stop ALL Vontu services.
  7. Start ALL Vontu services.

Verify authenticity and working order of the certificate by accessing the Enforce GUI via your browser application.
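
Before the browser test, the SubjectAlternativeName requirement from the Chrome note can be checked against the text that keytool -list -v -keystore .keystore prints after the import. The script below is an added example, not part of the original article or of Symantec's tooling; the host name enforce.acme.com, the sample output and all function names are constructed for illustration.

```python
import re

# Constructed sample of `keytool -list -v` output; not from a real server.
SAMPLE = """\
Alias name: tomcat
Owner: CN=enforce.acme.com, OU=IT, O=Acme, L=Springfield, ST=IL, C=US
Issuer: CN=Acme Issuing CA, O=Acme, C=US
#8: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: *.acme.com
  DNSName: acme.com
]
"""
CN_ONLY = SAMPLE.split("#8:")[0]  # same certificate text without the SAN extension

def parse_san(text):
    """Collect DNSName entries from the SubjectAlternativeName block."""
    names, inside = [], False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("SubjectAlternativeName"):
            inside = True
        elif inside and (s == "]" or s.startswith("#")):
            inside = False
        elif inside and s.startswith("DNSName:"):
            names.append(s.split(":", 1)[1].strip().lower())
    return names

def parse_cn(text):
    """Return the CN from the Owner (subject) line, or None."""
    m = re.search(r"^Owner:.*?\bCN=([^,\n]+)", text, re.M)
    return m.group(1).strip().lower() if m else None

def name_matches(host, pattern):
    """Exact match, or a wildcard covering exactly one left-most label."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        head, _, rest = host.partition(".")
        return bool(head) and rest == pattern[2:]
    return host == pattern

def check(text, host):
    """Report whether the host is covered by the SAN (Chrome 58+) and by the CN."""
    cn = parse_cn(text)
    return {
        "san": parse_san(text),
        "san_ok": any(name_matches(host, p) for p in parse_san(text)),
        "cn_ok": cn is not None and name_matches(host, cn),
    }

if __name__ == "__main__":
    for label, text in (("with SAN", SAMPLE), ("CN only", CN_ONLY)):
        print(label, check(text, "enforce.acme.com"))
```

A result with cn_ok true and san_ok false is the case the note describes: the certificate is accepted by IE but rejected by Chrome 58 or newer.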

