NOTE: As always, ensure you have a recent backup and read the Symantec Data Loss Prevention documentation prior to changing your configuration.
Customers can use the Java keytool to create a CSR and send it to a CA. If you are using certificates issued by a CA, there should be no need to import the Prevent Email public certificate into Exchange, though doing so does no harm.
- Check the certificates present in the keystore file using the following command (add "-v" for verbose output):
keytool -list -keystore C:\Vontu\Protect\keystore\prevent.ks
- Stop the VontuMonitor service. Note: email flow will be impacted while the service is stopped.
- Copy the keystore file, prevent.ks, to prevent.ks.old. (This gives you a fresh prevent.ks, so entries previously added to the old keystore do not have to be cleaned up.)
- Create the key pair for the SMTP Prevent server using keytool. (The paths below are the Linux defaults; on Windows the keystore is C:\Vontu\Protect\keystore\prevent.ks, as in the list command above.)
keytool -genkeypair -alias <SMTPPreventHostName> -dname "CN=<SMTPPreventHostName>, OU=Corporate, O=companyname, L=city, S=state, C=US" -keyalg RSA -validity <NumberOfDays> -keysize 2048 -keystore /opt/SymantecDLP/Protect/keystore/prevent.ks
Notes:
- Replace SMTPPreventHostName with the SMTP Prevent host's FQDN. The same value is used for the CN.
- Verify the -dname values with Standard Register. Alternatively, omit -dname and keytool will prompt for each field on the command line.
- Replace NumberOfDays with the actual number of days this key pair will be valid for.
- Make sure the keystore password and the key pair (key) password are the same. The keystore password is the one configured in the management console.
- Generate the certificate signing request (the prevent_csr_request.csr file) from the SMTP Prevent server.
keytool -certreq -alias <SMTPPreventHostName> -file /opt/SymantecDLP/Protect/keystore/prevent_csr_request.csr -keystore /opt/SymantecDLP/Protect/keystore/prevent.ks
- Use this prevent_csr_request.csr file to get the certificate issued by the CA.
- Import the issuing root CA as a trusted certificate in the keystore file.
keytool -importcert -trustcacerts -alias <TrustedCertAlias> -file /opt/SymantecDLP/Protect/keystore/<TrustedCert_File.cer> -keystore /opt/SymantecDLP/Protect/keystore/prevent.ks
Note: TrustedCert_File.cer is the file containing the trusted CA certificate. Repeat this step (with a different alias) for each intermediate or sub-CA in the certificate chain; keytool must be able to build the full chain from trusted entries before it will accept the issued server certificate in the next step.
- Import the certificate issued to the SMTP Prevent server into the keystore file. The alias must match the one used for -genkeypair so that keytool attaches the certificate to the existing key pair instead of creating a separate trusted entry.
keytool -importcert -alias <SMTPPreventHostName> -file /opt/SymantecDLP/Protect/keystore/<Certificate_Issued.cer> -keystore /opt/SymantecDLP/Protect/keystore/prevent.ks
- Import the next-hop certificate into the SMTP Prevent keystore file. The certificate can be retrieved using openssl.
keytool -importcert -trustcacerts -alias mail.messaging.microsoft.com -file /opt/SymantecDLP/Protect/keystore/<fope.cer> -keystore /opt/SymantecDLP/Protect/keystore/prevent.ks
- Start the VontuMonitor service.
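The procedure above ends without a check that the keystore actually reached the intended state. The script below is an added example, not part of the Symantec article: it parses non-verbose "keytool -list" output and confirms that the SMTP Prevent host alias is a PrivateKeyEntry (the key pair with the CA-issued certificate attached) and that the CA and next-hop aliases are trustedCertEntry entries; it also pulls the PEM blocks out of captured "openssl s_client -starttls smtp -showcerts" output so the next-hop leaf certificate can be saved to the file that is then imported. Both sample outputs are constructed, the alias names and the list_keystore helper are assumptions, and keytool is assumed to be on PATH when the helper is used for real.

```python
"""Keystore sanity checks for the SMTP Prevent procedure (added example, not
Symantec's code). Sample outputs below are constructed for illustration."""
import re
import subprocess
from typing import Dict, List

KEYSTORE = "/opt/SymantecDLP/Protect/keystore/prevent.ks"  # Linux path used in the article

# Non-verbose 'keytool -list' prints one line per entry: "<alias>, <date>, <entry type>,"
ENTRY_RE = re.compile(
    r"^(?P<alias>.+?),\s*(?P<date>.+?),\s*"
    r"(?P<type>PrivateKeyEntry|trustedCertEntry|SecretKeyEntry),?\s*$"
)

# PEM blocks as printed by 'openssl s_client -showcerts'; block 0 is the leaf the
# next hop presented, later blocks are the chain it sent.
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def parse_keytool_list(output: str) -> Dict[str, str]:
    """Map alias -> entry type from non-verbose 'keytool -list' output."""
    entries: Dict[str, str] = {}
    for line in output.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            # JKS aliases are case-insensitive and stored lower-case.
            entries[m.group("alias").lower()] = m.group("type")
    return entries


def check_keystore(output: str, host_alias: str, trusted_aliases: List[str]) -> List[str]:
    """Return the problems found against the procedure's expected end state.

    The host alias must be a PrivateKeyEntry; if the issued certificate was
    imported under a different alias it shows up as a trustedCertEntry and the
    key pair never gets its certificate. CA and next-hop aliases must be
    trustedCertEntry. An empty list means the keystore looks right.
    """
    entries = parse_keytool_list(output)
    problems: List[str] = []
    got = entries.get(host_alias.lower())
    if got != "PrivateKeyEntry":
        problems.append(f"{host_alias}: expected PrivateKeyEntry, found {got}")
    for alias in trusted_aliases:
        got = entries.get(alias.lower())
        if got != "trustedCertEntry":
            problems.append(f"{alias}: expected trustedCertEntry, found {got}")
    return problems


def extract_pem_certs(openssl_output: str) -> List[str]:
    """Pull every PEM certificate out of captured openssl s_client output."""
    return PEM_RE.findall(openssl_output)


def list_keystore(keystore: str = KEYSTORE, storepass: str = "") -> str:
    """Run 'keytool -list' for real (assumed helper; not used by the offline sample)."""
    cmd = ["keytool", "-list", "-keystore", keystore]
    if storepass:
        cmd += ["-storepass", storepass]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


# Constructed sample of 'keytool -list' output after all imports succeeded.
SAMPLE_LIST = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

smtpprevent.example.com, Jan 5, 2024, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
corprootca, Jan 5, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): 10:11:12:13:14:15:16:17:18:19:1A:1B:1C:1D:1E:1F:20:21:22:23:24:25:26:27:28:29:2A:2B:2C:2D:2E:2F
mail.messaging.microsoft.com, Jan 5, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): 20:21:22:23:24:25:26:27:28:29:2A:2B:2C:2D:2E:2F:30:31:32:33:34:35:36:37:38:39:3A:3B:3C:3D:3E:3F
"""

# Constructed sample of 'openssl s_client -starttls smtp -connect <next-hop>:25 -showcerts'
# output; the certificate bodies are placeholders, not real certificates.
SAMPLE_OPENSSL = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = mail.messaging.microsoft.com
   i:CN = Example Issuing CA
-----BEGIN CERTIFICATE-----
MIIBleafPLACEHOLDER
-----END CERTIFICATE-----
 1 s:CN = Example Issuing CA
   i:CN = Example Root CA
-----BEGIN CERTIFICATE-----
MIIBissuerPLACEHOLDER
-----END CERTIFICATE-----
---
"""

if __name__ == "__main__":
    print(check_keystore(SAMPLE_LIST, "smtpprevent.example.com",
                         ["corprootca", "mail.messaging.microsoft.com"]))
    leaf = extract_pem_certs(SAMPLE_OPENSSL)[0]
    print(leaf.splitlines()[0])  # write the whole block to fope.cer before importing it
```

Run the check after the final import and before starting VontuMonitor; a trustedCertEntry under the host alias means the issued certificate was imported under the wrong alias (or before the CA chain was present) and the key pair is still self-signed. Before importing the next-hop leaf you extract from the openssl output, compare its fingerprint with what the next-hop operator publishes, since a certificate captured over the wire is only as trustworthy as the path it arrived on.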