Setting up of 3 Tier DLP
**Please note that enforce is not supported on Centos and this was used for trial purposes. If you wish to use Centos in your live environment then this is at your own risk**
Environment –
Windows server 2012 64-bit
Centos 6.5
WinSCP – Free file transfer utility
Mobaxterm - Used for SSH into clients and this also uses a built in Xterm. Ensure to configure Xterm to use 256 colours
Setting up Oracle Database on Windows for DLP
- Install Oracle Database on windows platform using the Oracle_12.2.0.1.0_Server_Win64_1of2 & 2of2 files
- Extract Both files (these files need extracting twice) E:\temp\database
- After extracting file 2of2 copy the contents of database\stage\Components into the following - win64_12.2.0.1_database_1of2\database\stage\Components (THIS IS IMPORTANT AS THE SETUP WILL NOT WORK).
- Extract 12.2.0.1_64_bit_Installation_Tools.zip to E:\temp\tools
- Once you have completed the above steps, run the following command as Administrator in a command prompt (this assumes your files are stored on the E: drive): E:\temp\Oracle\database\setup.exe -noconfig -responsefile E:\temp\Oracle\tools\responsefiles\Oracle_12.1.0.2_Installation_WIN.rsp
- Follow the Oracle setup using the following guide: https://symwisedownload.symantec.com//resources/sites/SYMWISE/content/live/DOCUMENTATION/9000/DOC9257/en_US/Symantec_DLP_15.0_Install_Guide_Win.pdf?__gda__=1523576506_fba9d902ef1488de6dda24316c082f4e
Centos Oracle Client install
- Log into the server as root and run ‘yum update’
- Install nano using ‘yum install nano’
- Edit the SELinux config file with ‘nano /etc/sysconfig/selinux’ – change the line that says SELINUX=enforcing to SELINUX=disabled – then exit and save the file with ‘ctrl+x’ followed by ‘y’
- Reboot the server
- Log back into the server using root
- Install all dependencies - ‘yum install -y apr apr-util binutils compat-libstdc++-33 expat libicu Xorg-x11 compat-openldap compat-db47 libpng12 compat-libtiff3 wireshark gcc cpp compat-libstdc++-296 compat-libstdc++-33 glibc-devel emacs Xorg-X11-Auth’
- Reboot the server and login using root
- Run the following command ‘service firewalld off’ **This turns off the system firewall**. You can check the status of the firewall by using the command ‘service firewalld status’
- Using WinSCP, connect to your Centos instance. Navigate to ‘/<root>’ then double click opt. Create a folder called temp
- Navigate back to the opt folder and from within WinSCP right click on the folder and click ‘properties’. Check the box ‘Set group, owner and permissions recursively’, followed by clicking the ‘ok’ button.
- On your pc navigate to the required files – (If you can, unzip the media before you upload) copy and paste the files into the temp folder
- Once the files have finished uploading execute the following command ‘sudo -u oracle /opt/temp/client/runInstaller -noconfig -responseFile /opt/temp/client/response/client_install.rsp’
- Once you execute the above script a pop up box will appear. Follow the instructions on screen until setup has completed.
- Use the following guide to help you complete the install, starting at page 24: https://symwisedownload.symantec.com//resources/sites/SYMWISE/content/live/DOCUMENTATION/9000/DOC9257/en_US/Symantec_DLP_15.0_Install_Guide_Lin.pdf?__gda__=1524118694_cbfca973051ba9b66c31baec36938421
Centos Enforce & Detection install
- Log into the server as root
- Copy the ProtectInstaller64_15.0.sh file to /opt/temp/
- Go to cd /opt/temp/
- Run chmod a+x ProtectInstaller64_15.0.sh
- Then type ./ProtectInstaller64_15.0.sh
- Select which service you want to install, in this instance we want to install the Enforce server. To install detection servers on a Centos or RHEL system use steps 1 - 9
- Follow the rest of the setup steps
- When you arrive at step 7 use the following directories: Base directory=/home/oracle, Home Directory=/home/oracle/app/oracle/product/12.2.0/client_XX (XX represents your client number)
- For step 8 enter the IP address of where your Oracle Database is installed
- Once the Enforce server has been installed, try connecting to the web portal in either IE or Firefox (Chrome is not supported) using the IP address of the server, i.e. https://10.10.100.102
- When you land on the Web portal you will need to log in as Administrator (This is case sensitive) and use the password you supplied during the enforce setup.
- The 1st thing you should do is create a DLP group, you can find this under System -> Login Management -> Roles
- Once you have created a role you will need to create a user. To do this go to System -> Login Management -> DLP Users. Create your user with the same username that is specified in the Active Directory. This helps keep the Active Directory integration working.
- We now need to create a Directory Connection go to System -> Settings -> Directory Connections, and add the details of your domain here
- Next we need to create a Data Source. We need to navigate to System -> Users -> Data Sources. Click on the Add button and select AD User Source give the User Source a name and then press submit.
- Select the Data Source that you have just created and then press the import button. Once it has finished, check the status; this should say if anything was imported
- We now need to add Domain Authentication to the Enforce server. The easiest way to do this is to use WinSCP. Open WinSCP and navigate to the /opt/ directory. Right click on the SymantecDLP directory and click download; this ensures that we have a backup of the directory should something go wrong.
- Once you have downloaded the directory in the step above, proceed to creating the krb5.conf file. If you navigate to /opt/SymantecDLP/Protect/config you will find a krb5.ini file. Open this up and replace the uppercase placeholder text with your Domain and Domain Controller details (**as we are doing this on a Linux server you must ensure you specify your details in uppercase**):
[libdefaults]
default_realm = YOURDOMAIN.COM
[realms]
NAMEOFYOURDC1.YOURDOMAIN.COM = {
kdc = NAMEOFYOURDC1.YOURDOMAIN.COM
}
NAMEOFYOURDC2.YOURDOMAIN.COM = {
kdc = NAMEOFYOURDC2.YOURDOMAIN.COM
}
- If you only have one domain controller then delete the lines below it
- Once you have added in your domain realm and domain controllers save the file and rename it from krb5.ini to krb5.conf
- Copy the file (either use cp – copy or mv – move) from /opt/SymantecDLP/Protect/config/krb5.conf to /etc/krb5.conf
- To test that you can talk to your AD, use the following command: ‘kinit yourloginname@YOURDOMAIN.COM’ – press enter and you will be prompted to enter your domain password
- We now need to edit the springSecurityContext.xml file, this is located in /opt/SymantecDLP/Protect/tomcat/webapps/ProtectManager/WEB-INF. As we have downloaded the directory already we do not need to make a copy. Open the springSecurityContext.xml and paste the following over what is already in the file:
<?xml version="1.0" encoding="UTF-8" ?>
<!--
Copyright (c) 2017 Symantec Corporation. All rights reserved.
THIS SOFTWARE CONTAINS CONFIDENTIAL INFORMATION AND TRADE SECRETS OF SYMANTEC
CORPORATION. USE, DISCLOSURE OR REPRODUCTION IS PROHIBITED WITHOUT THE PRIOR
EXPRESS WRITTEN PERMISSION OF SYMANTEC CORPORATION.
The Licensed Software and Documentation are deemed to be commercial computer
software as defined in FAR 12.212 and subject to restricted rights as defined
in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights"
and DFARS 227.7202, "Rights in Commercial Computer Software or Commercial
Computer Software Documentation", as applicable, and any successor
regulations. Any use, modification, reproduction release, performance,
display or disclosure of the Licensed Software and Documentation by the U.S.
Government shall be solely in accordance with the terms of this Agreement.
-->
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:context="http://www.springframework.org/schema/context"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring...
http://www.springframework.org/schema/securityhttp://www.springframework.org/schema/security/spr...http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd">
<!-- Enable auto-wiring -->
<context:annotation-config />
<!--security:debug /-->
<!-- Unsecured resources -->
<security:http security="none" pattern="/browsercss/**" />
<security:http security="none" pattern="/graphics/**" />
<security:http security="none" pattern="/help/**" />
<security:http security="none" pattern="/pagecss/**" />
<security:http security="none" pattern="/yui3/**" />
<security:http security="none" pattern="/widgetcss/**" />
<security:http security="none" pattern="/js/**" />
<security:http security="none" pattern="/*.css" />
<security:http security="none" pattern="/servlet/l10n/css/**" />
<security:http security="none" pattern="/GlobalDialog*" />
<security:http security="none" request-matcher="regex" pattern="\/services\/v2011\/incidents\?(?i)(wsdl|xsd=[1-5])$" />
<!-- Web service security filter: HTTP basic authentication -->
<security:http pattern="/webservices/**" use-expressions="false" create-session="never" authentication-manager-ref="basicAuthManager">
<security:intercept-url pattern="/webservices/**" access="ROLE_manager_user" />
<security:http-basic entry-point-ref="basicAuthEntryPoint"/>
<security:csrf disabled="true" />
</security:http>
<security:http pattern="/services/**" use-expressions="false" create-session="stateless" authentication-manager-ref="basicAuthManager">
<security:intercept-url pattern="/services/**" access="ROLE_manager_user" />
<security:http-basic entry-point-ref="basicAuthEntryPoint"/>
<security:csrf disabled="true" />
</security:http>
<!-- Web portal security filter: AD/Kerberos authentication -->
<security:http use-expressions="false" authentication-manager-ref="kerberosAuthManager">
<security:intercept-url pattern="/Logon*" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<security:intercept-url pattern="/**" access="ROLE_manager_user" />
<security:form-login login-page="/Logon"
default-target-url="/" authentication-failure-url="/GlobalDialog?type=LOGON_ERROR"
username-parameter="j_username" password-parameter="j_password"
login-processing-url="/j_security_check" />
<security:logout logout-success-url="/GlobalDialog" />
<security:csrf disabled="true" />
</security:http>
<!-- Web service authentication manager -->
<security:authentication-manager id="basicAuthManager">
<!-- Enable user name and password authentication through Enforce DB -->
<security:authentication-provider ref="formAuthenticationProvider" />
<!-- Enable AD/Kerberos authentication -->
<security:authentication-provider ref="kerberosAuthenticationProvider" />
</security:authentication-manager>
<!-- Web portal user authentication manager -->
<security:authentication-manager id="kerberosAuthManager">
<!-- Enable AD/Kerberos authentication -->
<security:authentication-provider ref="kerberosAuthenticationProvider" />
</security:authentication-manager>
<!-- Kerberos authentication provider -->
<bean id="kerberosAuthenticationProvider" class="com.vontu.login.spring.VontuKerberosAuthenticationProvider">
<property name="kerberosClient">
<bean class="org.springframework.security.kerberos.authentication.sun.SunJaasKerberosClient">
</bean>
</property>
<property name="userDetailsService" ref="userLookupService"/>
</bean>
<bean id="userLookupService" class="com.vontu.login.spring.VontuKerberosUserDetailsService" />
<!-- Set krbConfLocation in System properties -->
<bean class="org.springframework.security.kerberos.authentication.sun.GlobalSunJaasKerberosConfig">
<!-- krb5 configuration file location.
For example C:\SymantecDLP\Protect\config\krb5.ini on Windows or /opt/Vontu/Protect/config/krb5.conf on Linux
-->
<property name="krbConfLocation" value="/etc/krb5.conf"/>
</bean>
<!-- Form authentication provider -->
<bean id="formAuthenticationProvider" class="com.vontu.login.spring.VontuFormAuthenticationProvider" />
<!-- Web service basic authentication entry point that returns error code 401 (i.e. SC_UNAUTHORIZED) -->
<bean id="basicAuthEntryPoint" class="com.vontu.login.spring.WebServiceAuthenticationEntryPoint">
<property name="realmName" value="Webservices" />
</bean>
</beans>
- The above configuration tells the Tomcat server to look for the krb5.conf file in /etc/ (the krbConfLocation property). Once you have pasted the text into this file, save and close it.
- You will now need to reboot your server. Once the server has been rebooted, open the web app and you should now see your domain name in the login screen. Log in using the Active Directory user you created in step 12 and your domain password.
- Once you have logged in you have successfully added your AD integration. Proceed to the DLP Admin guide for adding detection servers to your enforce server.
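A check that can be run on the two edited files before the reboot, added here as an example (it is not part of the original guide or of Symantec's tooling). The function names and sample inputs are constructed, and the checks are limited to what the steps above state: realm details in uppercase, template placeholders replaced, a kdc line in every realm block, and a well-formed springSecurityContext.xml whose krbConfLocation points at /etc/krb5.conf.

```python
import xml.etree.ElementTree as ET
BEANS = "{http://www.springframework.org/schema/beans}"  # Spring beans namespace

def check_krb5(text):
    """Return a list of problems in krb5.conf text, per the steps above."""
    problems, section, realm, kdcs, default_realm = [], None, None, {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("["):                 # section header
            section, realm = line.strip("[]"), None
        elif section == "libdefaults" and line.startswith("default_realm"):
            default_realm = line.split("=", 1)[1].strip()
        elif section == "realms" and line.endswith("{"):
            realm = line.split("=", 1)[0].strip()
            kdcs[realm] = 0
        elif section == "realms" and realm and line.startswith("kdc"):
            kdcs[realm] += 1
    if default_realm is None:
        problems.append("no default_realm in [libdefaults]")
    for name in [default_realm or ""] + list(kdcs):
        if name != name.upper():                 # page: details must be uppercase
            problems.append("not uppercase: " + name)
        if "YOURDOMAIN" in name or "NAMEOFYOURDC" in name:
            problems.append("template placeholder left in: " + name)
    problems += ["no kdc for " + r for r, n in kdcs.items() if n == 0]
    return problems

def check_spring_context(xml_text, expected="/etc/krb5.conf"):
    """Return a list of problems in springSecurityContext.xml text."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:                 # e.g. name="x"value="y"
        return ["not well-formed XML: %s" % exc]
    found = [p.get("value") for p in root.iter(BEANS + "property")
             if p.get("name") == "krbConfLocation"]
    return [] if found == [expected] else [
        "krbConfLocation is %r, expected %r" % (found, [expected])]

# Constructed sample inputs, not taken from a real server.
SAMPLE_KRB5 = ("[libdefaults]\ndefault_realm = example.com\n[realms]\n"
               "DC1.EXAMPLE.COM = {\nkdc = DC1.EXAMPLE.COM\n}\n"
               "NAMEOFYOURDC2.YOURDOMAIN.COM = {\n}\n")
SAMPLE_XML = ('<beans xmlns="http://www.springframework.org/schema/beans"><bean>'
              '<property name="krbConfLocation" value="/etc/krb5.conf"/>'
              '</bean></beans>')

if __name__ == "__main__":
    print(check_krb5(SAMPLE_KRB5) + check_spring_context(SAMPLE_XML))
```

On the server, pass the contents of /etc/krb5.conf and of the edited springSecurityContext.xml to the two functions; an empty list from both means the checks passed.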