SMG and Enforce certificate exchange for Quarantine feature

This article assumes the following components are installed and licensed. Email Quarantine Connect requires:
■ Symantec Data Loss Prevention with a license for Network Prevent for Email
■ Symantec Messaging Gateway


Please review the following articles for additional details:
Exporting a TLS and HTTPS certificate
Methods to add a Certificate Authority signed certificate
Importing a Certificate Authority signed certificate
Symantec Data Loss Prevention Email Quarantine Connect FlexResponse Implementation Guide


------------------------------------------------------------------------------------------------------

1. Generate the Enforce Server keystore and client certificate, running keytool as the protect user:

cd /opt/SymantecDLP/jre/bin

./keytool -genkeypair -alias client -keystore certstore.jks -keyalg RSA -validity 3650 -keysize 2048 -dname "CN=enforce_host, OU=organizational unit, O=organization, L=location, S=, C=country" -keypass <password> -storepass <password>

<password> is a password you create to control access to the keystore. Use the same value for both the -keypass and -storepass arguments. Do not lose this password: you enter it again in step 7 when you configure the Enforce Server credential.

2. Export the Enforce Server client certificate (client.crt) so that it can be imported into SMG:
./keytool -exportcert -alias client -keystore certstore.jks -file client.crt -rfc -storepass <password>

3. Import the Enforce Server client certificate into SMG
    Copy client.crt from the Enforce Server to a workstation that can reach the SMG Control Center and import it there (see the certificate articles referenced above).

4. Export the SMG server certificate
    Generate a new self-signed certificate in SMG, export it (see "Exporting a TLS and HTTPS certificate" above), save it as server.crt and copy it to /opt/SymantecDLP/jre/bin on the Enforce Server, alongside certstore.jks.

5. Import the SMG certificate into the Enforce keystore as a trusted certificate:
./keytool -importcert -alias server -keystore certstore.jks -file server.crt -storepass <password> -v -noprompt

6. Copy the certificate store file certstore.jks to /opt/SymantecDLP/Protect/plugins/EmailQuarantineConnect as the protect user, so that the file is owned and readable by the account that runs the Enforce services.

7. Create a new credential in the Enforce Management Console that references certstore.jks:
System > Settings > Credentials > Add Credential

Credential Name: SMGQuarantineCert
Access Username: certstore.jks (the keystore file name, exactly as copied in step 6)
Access Password: <password> (the keystore password from step 1)


8. Update the plugin .properties files to point to the new certificate store certstore.jks:

cd /opt/SymantecDLP/Protect/plugins

Edit both EmailQuarantineConnectApproved.properties and EmailQuarantineConnectRejected.properties and set the following (the value must match the Access Username entered on the credential exactly):

certificates-store.credential = certstore.jks

9. Restart the VontuManager and VontuIncidentPersister services so that the plugin loads the new keystore and credential.
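The Enforce-side part of the procedure above (steps 1, 2, 5, 6 and 8) as a single script, with a verification of the keystore before it is copied into place. This is an added example, not a script from the article or from Symantec. It assumes keytool and openssl are on PATH, uses openssl as a stand-in for the self-signed certificate that SMG itself generates and exports in step 4 (replace that function's output with the real server.crt on a live system), and treats every path, host name and password as a placeholder that can be overridden from the environment. Steps 3, 7 and 9 are still performed in the SMG Control Center and the Enforce Management Console.

```shell
#!/bin/sh
# Added example (not the article's own commands): scripts steps 1, 2, 5, 6 and 8
# on the Enforce side and verifies the result. Assumed: keytool and openssl are
# on PATH; openssl stands in for SMG's self-signed certificate (step 4); all
# paths, names and passwords are placeholders overridable from the environment.
set -eu

WORK="${WORK:-$(mktemp -d)}"             # on Enforce: /opt/SymantecDLP/jre/bin
KEYTOOL="${KEYTOOL:-keytool}"             # on Enforce: /opt/SymantecDLP/jre/bin/keytool
STOREPASS="${STOREPASS:-changeit}"        # <password>; same value for key and store
ENFORCE_CN="${ENFORCE_CN:-enforce_host}"  # placeholder subject names
SMG_CN="${SMG_CN:-smg_host}"
PROPS_DIR="${PROPS_DIR:-$WORK}"           # on Enforce: /opt/SymantecDLP/Protect/plugins
PLUGIN_DIR="${PLUGIN_DIR:-$WORK/plugins/EmailQuarantineConnect}"  # on Enforce: /opt/SymantecDLP/Protect/plugins/EmailQuarantineConnect

# Steps 1 and 2: create the client key pair in certstore.jks and export its certificate.
# -storetype JKS keeps the file in JKS format even where keytool defaults to PKCS12.
build_client_keystore() {
    "$KEYTOOL" -genkeypair -alias client -keystore "$WORK/certstore.jks" -storetype JKS \
        -keyalg RSA -keysize 2048 -validity 3650 \
        -dname "CN=$ENFORCE_CN, OU=DLP, O=Example, L=City, ST=State, C=US" \
        -keypass "$STOREPASS" -storepass "$STOREPASS"
    "$KEYTOOL" -exportcert -alias client -keystore "$WORK/certstore.jks" \
        -file "$WORK/client.crt" -rfc -storepass "$STOREPASS"
}

# Stand-in for step 4 (constructed): SMG generates and exports this itself.
make_smg_server_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=$SMG_CN/O=Example" \
        -keyout "$WORK/smg.key" -out "$WORK/server.crt" 2>/dev/null
}

# Step 5: trust the SMG certificate in the same keystore.
import_smg_cert() {
    "$KEYTOOL" -importcert -alias server -keystore "$WORK/certstore.jks" \
        -file "$WORK/server.crt" -storepass "$STOREPASS" -noprompt
}

# Check before copying: the store must hold both the Enforce private key (client)
# and the trusted SMG certificate (server). Prints "ok" when it does.
verify_keystore() {
    listing=$("$KEYTOOL" -list -keystore "$WORK/certstore.jks" -storepass "$STOREPASS" 2>/dev/null)
    echo "$listing" | grep -q '^client,.*PrivateKeyEntry' || { echo "client key missing" >&2; return 1; }
    echo "$listing" | grep -q '^server,.*trustedCertEntry' || { echo "server cert missing" >&2; return 1; }
    echo ok
}

# Step 6: place the keystore where the plugin expects it. Run as protect (or
# chown to protect afterwards) so that the Vontu services can read it.
install_keystore() {
    mkdir -p "$PLUGIN_DIR"
    cp "$WORK/certstore.jks" "$PLUGIN_DIR/certstore.jks"
    chmod 600 "$PLUGIN_DIR/certstore.jks"
}

# Step 8 helpers: set "key = value" in a .properties file, replacing an existing
# (even commented-out) line or appending one; read a key back.
set_property() { # file key value
    if grep -q "^[#[:space:]]*$2[[:space:]]*=" "$1"; then
        sed "s|^[#[:space:]]*$2[[:space:]]*=.*|$2 = $3|" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
    else
        printf '%s = %s\n' "$2" "$3" >> "$1"
    fi
}
get_property() { # file key -> value
    sed -n "s|^$2[[:space:]]*=[[:space:]]*||p" "$1" | tail -n 1
}

run_exchange() {
    build_client_keystore
    make_smg_server_cert
    import_smg_cert
    verify_keystore
    install_keystore
    for f in EmailQuarantineConnectApproved.properties EmailQuarantineConnectRejected.properties; do
        set_property "$PROPS_DIR/$f" certificates-store.credential certstore.jks
    done
    echo "keystore installed in $PLUGIN_DIR; now add the credential (step 7) and restart the services (step 9)"
}

case "${1:-}" in run) run_exchange ;; esac
```

Run it as `sh eqc_exchange.sh run` (the file name is assumed) with WORK, KEYTOOL, PROPS_DIR and PLUGIN_DIR exported to the Enforce paths shown in the comments; without the `run` argument it only defines the functions, so each step can be invoked by hand. The verify_keystore check is the one to keep: if keytool -list does not show a PrivateKeyEntry for client and a trustedCertEntry for server, the plugin has nothing to present to SMG and nothing to trust it with, and no amount of credential or properties editing in steps 7 and 8 will fix that.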
