How to create, sign, and import an SSL certificate signed by a Trusted Certificate Authority
Keytool.exe location
- Windows:
  - 14.x and 15.0: <DRIVE>:\SymantecDLP\jre\bin
  - 15.1: <DRIVE>:\Program Files\Symantec\Data Loss Prevention\Server JRE\1.8.0_162\bin
  - 15.5: <DRIVE>:\Program Files\Symantec\DataLossPrevention\ServerJRE\1.8.0_181\bin
- Linux:
  - 14.x and 15.0: /opt/SymantecDLP/jre/bin/
  - 15.1: /opt/Symantec/DataLossPrevention/Enforce Server/15.1/jre/bin/
  - 15.5: /opt/Symantec/DataLossPrevention/ServerJRE/1.8.0_181/bin
Note: On Linux the binary is simply keytool (no .exe); run it as ./keytool from the directory above, or give its full path.
.keystore location
- Windows:
  - 14.x and 15.0: <DRIVE>:\SymantecDLP\Protect\tomcat\conf
  - 15.1: <DRIVE>:\Program Files\Symantec\Data Loss Prevention\Enforce Server\15.1\Protect\tomcat\conf
  - 15.5: <DRIVE>:\Program Files\Symantec\DataLossPrevention\EnforceServer\15.5\Protect\tomcat\conf
- Linux:
  - 14.x and 15.0: /opt/SymantecDLP/Protect/tomcat/conf
  - 15.1: /opt/Symantec/DataLossPrevention/Enforce Server/Protect/tomcat/conf
  - 15.5: /opt/Symantec/DataLossPrevention/EnforceServer/Protect/tomcat/conf
Notes:
- On Linux, run all commands as root.
- On Windows, run all commands from an elevated (Administrator) command prompt.
- The .keystore file is hidden on Linux; list it with: ls -la
- The .keystore file contains the Enforce Server's private key, and its default password (protect) is documented publicly. Keep the file and every backup of it readable only by root or the local Administrators group, and consider changing the password (see the NOTE at the end).
- As per the DLP Admin Guide (p. 151 in the 15.7 version), the X.509 certificate loaded into the Tomcat keystore must be provided in Distinguished Encoding Rules (DER) format, i.e., a .cer file.
- The instructions below cover a chained certificate, where the Root and/or Intermediate CA certificates must be installed together with the signed server certificate; in that case the CA's reply is a .p7b (PKCS#7) file. If the CA returns only the signed server certificate, import that .cer file in the same way.
Resolution
- Back up the existing keystore.
  - Windows command:
    copy <keystore path>\.keystore <keystore path>\keystore.bkup
    where <keystore path> is:
    - 14.x and 15.0: C:\SymantecDLP\Protect\tomcat\conf
    - 15.1: C:\Program Files\Symantec\Data Loss Prevention\Enforce Server\15.1\Protect\tomcat\conf
    - 15.5: C:\Program Files\Symantec\DataLossPrevention\EnforceServer\15.5\Protect\tomcat\conf
    Paths containing spaces (15.1) must be enclosed in double quotes.
  - Linux command:
    cp <keystore path>/.keystore <keystore path>/keystore.bkup
    where <keystore path> is:
    - 14.x and 15.0: /opt/SymantecDLP/Protect/tomcat/conf
    - 15.1: /opt/Symantec/DataLossPrevention/Enforce Server/15.1/Protect/tomcat/conf
    - 15.5: /opt/Symantec/DataLossPrevention/EnforceServer/15.5/Protect/tomcat/conf
    Quote the 15.1 path because it contains a space.
- Generate a new keystore file with the required parameters and register the certificate. The commands below are written for the 14.x/15.0 layout (\SymantecDLP\jre\bin); substitute the keytool and .keystore paths for your version.
  - Windows command:
    <keytool path>\keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -keystore \SymantecDLP\jre\bin\.keystore -validity 365 -storepass protect -dname "CN=SERVERNAME, OU=DLP, O=SYMANTEC, L=Cupertino, ST=California, C=US"
    where <keytool path> is:
    - 14.x and 15.0: C:\SymantecDLP\jre\bin
    - 15.1: C:\Program Files\Symantec\Data Loss Prevention\Enforce Server\15.1\jre\bin
    - 15.5: C:\Program Files\Symantec\DataLossPrevention\ServerJRE\1.8.0_181\bin
    Replace SERVERNAME with the fully qualified host name that users type into the browser, otherwise the browser will report a name mismatch. The -validity value only applies to the temporary self-signed certificate, which the CA's reply replaces. When keytool asks for a key password, press ENTER so that the key password equals the keystore password; Tomcat uses the keystore password for the key.
- Generate a CSR file:
  \SymantecDLP\jre\bin\keytool -certreq -alias tomcat -keyalg RSA -keystore \SymantecDLP\jre\bin\.keystore -storepass protect -file "VontuEnforce.csr"
- Send VontuEnforce.csr to the CA administrator so they can issue the certificate and return it as a chained certificate file (PKCS#7, .p7b) containing the signed server certificate plus the Root and any Intermediate CA certificates.
- Copy the VontuEnforce.p7b chained certificate file to \SymantecDLP\jre\bin.
- Import the chained certificate:
  \SymantecDLP\jre\bin\keytool -import -alias tomcat -keystore \SymantecDLP\jre\bin\.keystore -trustcacerts -file \SymantecDLP\jre\bin\VontuEnforce.p7b
- Enter the keystore password.
- If the CA's root certificate is not already trusted by the JRE (it is neither in the JRE's cacerts file nor in the keystore), keytool prints the top-level certificate of the reply and asks whether to install it anyway:
  Top-level certificate in reply:
  Owner: XXXXXX
  Issuer: XXXXXX
  Serial number: XXXXXX
  Valid from: XXXXXX until: XXXXXX
  Certificate fingerprints:
  MD5: **Deleted**
  SHA1: **Deleted**
  … is not trusted. Install reply anyway? [no]:
- Compare the Owner, Issuer, serial number and fingerprints shown with the values published by your CA. If they match, type Y or YES and press ENTER; if they do not match, answer no and obtain the correct chain from the CA, because answering yes installs whatever root the file contains as trusted.
- keytool confirms with: Certificate reply was installed in keystore.
- Copy the .keystore file from the source to its final destination (the .keystore location for your version listed above; the 14.x/15.0 path is shown):
  copy \SymantecDLP\jre\bin\.keystore \SymantecDLP\Protect\tomcat\conf\.keystore
- Restart the Vontu Manager (14.x and 15.0) or Symantec DLP Manager (15.1 and 15.5) service.
NOTE:
If you change the keystore password from the default, protect, when generating a new keystore, you must update the password value in the following two files (15.5 paths shown; the same value must be used for -storepass and for the key password):
- <InstallPath>\Symantec\DataLossPrevention\EnforceServer\15.5\Protect\tomcat\conf\server.xml
  <Certificate certificateKeystoreFile="${catalina.base}/conf/.keystore" certificateKeystorePassword="protect"/>
- <InstallPath>\Symantec\DataLossPrevention\EnforceServer\15.5\Protect\config\Protect.properties
  # keystore password
  com.vontu.manager.tomcat.keystore.password = protect
The password is stored in clear text in both files, so restrict their permissions in the same way as the keystore itself.
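The whole Linux procedure above (backup, new key pair, CSR, CA reply import, deploy, restart, and the NOTE's password update) as one script, added here as an example; it is not part of the Symantec article or product. The paths are the ones the article lists for 14.x/15.0, 15.1 and 15.5. Everything else is this script's own assumption: the scratch directory /root/dlp-cert, the CA certificate file names ca-*.cer, the use of hostname -f for the CN, and the service name SymantecDLPManager (VontuManager on 14.x/15.0). Run it as root with the argument rekey, send the CSR, place the reply and the CA certificates in the scratch directory, then run it with the argument import.

```shell
# Added example, not from the Symantec KB article: the article's Linux procedure as
# one script with the checks a practitioner adds. Paths come from the article; the
# scratch directory, the ca-*.cer file names, hostname -f and the service name are
# this script's own assumptions. Run as root: dlp-rekey.sh rekey, later dlp-rekey.sh import.
set -eu

DLP_VERSION="${DLP_VERSION:-15.5}"
KEYSTORE_PASS="${KEYSTORE_PASS:-protect}"   # documented default; change it (no | & or \ in the value)
WORKDIR="${WORKDIR:-/root/dlp-cert}"        # assumption: root-only scratch directory

# Article's keytool directory per release (14.x/15.0, 15.1, 15.5); unknown releases fail.
keytool_dir() {
    case "$1" in
        14.*|15.0) printf '%s\n' '/opt/SymantecDLP/jre/bin' ;;
        15.1)      printf '%s\n' '/opt/Symantec/DataLossPrevention/Enforce Server/15.1/jre/bin' ;;
        15.5)      printf '%s\n' '/opt/Symantec/DataLossPrevention/ServerJRE/1.8.0_181/bin' ;;
        *)         return 1 ;;
    esac
}
# Article's Tomcat conf directory (where .keystore lives) per release.
conf_dir() {
    case "$1" in
        14.*|15.0) printf '%s\n' '/opt/SymantecDLP/Protect/tomcat/conf' ;;
        15.1)      printf '%s\n' '/opt/Symantec/DataLossPrevention/Enforce Server/15.1/Protect/tomcat/conf' ;;
        15.5)      printf '%s\n' '/opt/Symantec/DataLossPrevention/EnforceServer/15.5/Protect/tomcat/conf' ;;
        *)         return 1 ;;
    esac
}
# Chain length of a PrivateKeyEntry in "keytool -list -v" output ("Certificate chain length: N"); 0 if absent.
chain_length() {
    n=$(printf '%s\n' "$1" | sed -n 's/^Certificate chain length: \([0-9][0-9]*\).*/\1/p' | head -n 1)
    printf '%s\n' "${n:-0}"
}

rekey() {
    kt="$(keytool_dir "$DLP_VERSION")/keytool"
    conf="$(conf_dir "$DLP_VERSION")"
    mkdir -p "$WORKDIR" && chmod 700 "$WORKDIR"
    # 1. Backup: the live keystore holds the server's private key, so keep the copy root-only.
    bkup="$conf/keystore.bkup.$(date +%Y%m%d%H%M%S)"
    cp -p "$conf/.keystore" "$bkup" && chmod 600 "$bkup"
    # 2. New 2048-bit RSA key under the alias Tomcat expects. CN = name users browse to.
    #    -keypass avoids the interactive key-password prompt; Tomcat expects key and keystore passwords to match.
    "$kt" -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -validity 365 \
        -keystore "$WORKDIR/.keystore" -storepass "$KEYSTORE_PASS" -keypass "$KEYSTORE_PASS" \
        -dname "CN=$(hostname -f), OU=DLP, O=SYMANTEC, L=Cupertino, ST=California, C=US"
    # 3. CSR for the CA.
    "$kt" -certreq -alias tomcat -keystore "$WORKDIR/.keystore" \
        -storepass "$KEYSTORE_PASS" -file "$WORKDIR/VontuEnforce.csr"
    echo "Send $WORKDIR/VontuEnforce.csr to the CA; put the reply and the CA certs (ca-*.cer) in $WORKDIR"
}

import_reply() {
    kt="$(keytool_dir "$DLP_VERSION")/keytool"
    conf="$(conf_dir "$DLP_VERSION")"
    # 4. Import the Root and Intermediate CA certificates first, under their own aliases. With the
    #    issuers in the keystore, keytool validates the reply itself and never asks
    #    "is not trusted. Install reply anyway?", so a wrong reply is refused rather than accepted blind.
    for ca in "$WORKDIR"/ca-*.cer; do
        [ -f "$ca" ] || continue
        "$kt" -importcert -noprompt -alias "$(basename "$ca" .cer)" -file "$ca" \
            -keystore "$WORKDIR/.keystore" -storepass "$KEYSTORE_PASS"
    done
    # 5. Install the CA reply against the tomcat key: the .p7b chain if the CA sent one,
    #    otherwise the bare signed certificate (step 4 already supplied its issuers).
    reply="$WORKDIR/VontuEnforce.p7b"
    [ -f "$reply" ] || reply="$WORKDIR/VontuEnforce.cer"
    "$kt" -importcert -alias tomcat -trustcacerts -file "$reply" \
        -keystore "$WORKDIR/.keystore" -storepass "$KEYSTORE_PASS"
    # 6. Verify before touching the live file: the entry must carry the leaf plus its issuer(s).
    listing=$("$kt" -list -v -alias tomcat -keystore "$WORKDIR/.keystore" -storepass "$KEYSTORE_PASS")
    n=$(chain_length "$listing")
    if [ "$n" -lt 2 ]; then
        echo "tomcat entry has chain length $n; the CA reply was not installed, aborting" >&2
        return 1
    fi
    # 7. Non-default password: update the two files named in the article's NOTE, then deploy and restart.
    [ "$KEYSTORE_PASS" = protect ] || update_password_files
    install -m 600 "$WORKDIR/.keystore" "$conf/.keystore"
    service SymantecDLPManager restart   # assumption: 15.1/15.5 service name; VontuManager on 14.x/15.0
}

# Rewrite the keystore password on the two lines the article quotes (server.xml and Protect.properties).
update_password_files() {
    conf="$(conf_dir "$DLP_VERSION")"
    sed -i "s|certificateKeystorePassword=\"[^\"]*\"|certificateKeystorePassword=\"$KEYSTORE_PASS\"|" "$conf/server.xml"
    sed -i "s|^\(com\.vontu\.manager\.tomcat\.keystore\.password *= *\).*|\1$KEYSTORE_PASS|" \
        "${conf%/tomcat/conf}/config/Protect.properties"
}

case "${1:-}" in
    rekey)  rekey ;;
    import) import_reply ;;
    "")     ;;   # no argument: only define the functions
    *)      echo "usage: $0 rekey|import" >&2; exit 2 ;;
esac
```

Importing the CA certificates before the reply (step 4) is what removes the "Install reply anyway?" prompt: keytool can then build the chain to a certificate already in the keystore, and a reply whose root does not match is rejected instead of installed. Step 6 refuses to deploy a keystore whose tomcat entry has a chain of length 1, which is what you get when the reply was never installed and the self-signed placeholder is still in place.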