Updated (April 2020)
SDLP recently changed the process for completing the Single Sign-On / AD integration in SDLP 15.0. Please read the Symantec DLP Upgrade Guide prior to upgrading DLP.
Refer to:
INSIGHT Admin guide - Page 25 - SECTION 9.4.1 BASIC CONFIGURATION: https://support.insightdlp.com/hc/en-us/articles/207232188-INSIGHT-DLP-Admin-Guide
Symantec DLP Admin guide - Page 111 - About authenticating users:
https://supportportal-east.norton.com/us/en/article.DOC9261.html
https://support.symantec.com/en_US/article.TECH248556.html
***New feature in SDLP 15.7: allows the use of AD groups for authentication to the Enforce Management Web Console
=======================================================================
***Prior to starting please read Symantec DLP Admin guide:
Symantec DLP Admin guide - Page 111 - About authenticating users:
https://supportportal-east.norton.com/us/en/article.DOC9261.html
***Prior to starting, please obtain all AD server information from the AD server team:
a. FQDNs and IP addresses of all AD servers in the same timezone as the Enforce server
b. Default realm(s)?
=======================================================================
***Please note this currently does not apply to SDLP 15.7. A fix will be applied for this process to work with SDLP 15.7 in the next IDACT release.
AUTOMATED PROCESS:
VIDEO WALK THROUGH: https://youtu.be/L3AjQiQDlPE
MANUAL PROCESS:
Note: Please confirm the DNS server and domain are accurate in order for this to work.
For example:
1. Log into the Appliance web UI > Device List > Enforce server, then scroll down to "Kerberos Configuration". Enter the FQDN of each AD server, one per line, and click "Update Kerberos Configuration"
Example before:
Example after:
2. SSH to the Enforce server as appuser after upgrading to DLP 15.0 MP1
3. Switch to the protect user
sudo su - protect
*Verify that /etc/krb5.conf looks like the image above
cat /etc/krb5.conf
4. Backup the old springSecurityContext.xml file.
SDLP 15.0 and older:
mv /opt/SymantecDLP/Protect/tomcat/webapps/ProtectManager/WEB-INF/springSecurityContext.xml /opt/SymantecDLP/Protect/tomcat/webapps/ProtectManager/WEB-INF/springSecurityContext.xml.BAK
SDLP 15.1:
mv /opt/Symantec/DataLossPrevention/Enforce\ Server/15.1/Protect/tomcat/webapps/ProtectManager/WEB-INF/springSecurityContext.xml /opt/Symantec/DataLossPrevention/Enforce\ Server/15.1/Protect/tomcat/webapps/ProtectManager/WEB-INF/springSecurityContext.xml.BAK
SDLP 15.5:
mv /opt/Symantec/DataLossPrevention/EnforceServer/15.5/Protect/tomcat/webapps/ProtectManager/WEB-INF/springSecurityContext.xml /opt/Symantec/DataLossPrevention/EnforceServer/15.5/Protect/tomcat/webapps/ProtectManager/WEB-INF/springSecurityContext.xml.BAK
SDLP 15.7:
mv /opt/Symantec/DataLossPrevention/EnforceServer/15.7/Protect/tomcat/webapps/ProtectManager/WEB-INF/springSecurityContext.xml /opt/Symantec/DataLossPrevention/EnforceServer/15.7/Protect/tomcat/webapps/ProtectManager/WEB-INF/springSecurityContext.xml.BAK
SDLP 15.8:
mv /opt/Symantec/DataLossPrevention/EnforceServer/15.8.00000/Protect/tomcat/webapps/ProtectManager/WEB-INF/springSecurityContext.xml /opt/Symantec/DataLossPrevention/EnforceServer/15.8.00000/Protect/tomcat/webapps/ProtectManager/WEB-INF/springSecurityContext.xml.BAK
5. Copy the sample springSecurityContext-Kerberos.xml into the working directory
SDLP 15.0 and older:
cp /opt/SymantecDLP/Protect/tomcat/webapps/ProtectManager/security/template/springSecurityContext-Kerberos.xml /opt/SymantecDLP/Protect/tomcat/webapps/ProtectManager/WEB-INF/springSecurityContext.xml
SDLP 15.1:
cp /opt/Symantec/DataLossPrevention/Enforce\ Server/15.1/Protect/tomcat/webapps/ProtectManager/security/template/springSecurityContext-Kerberos.xml /opt/Symantec/DataLossPrevention/Enforce\ Server/15.1/Protect/tomcat/webapps/ProtectManager/WEB-INF/springSecurityContext.xml
SDLP 15.5:
cp /opt/Symantec/DataLossPrevention/EnforceServer/15.5/Protect/tomcat/webapps/ProtectManager/security/template/springSecurityContext-Kerberos.xml /opt/Symantec/DataLossPrevention/EnforceServer/15.5/Protect/tomcat/webapps/ProtectManager/WEB-INF/springSecurityContext.xml
SDLP 15.7:
cp /opt/Symantec/DataLossPrevention/EnforceServer/15.7/Protect/tomcat/webapps/ProtectManager/security/template/springSecurityContext-Kerberos.xml /opt/Symantec/DataLossPrevention/EnforceServer/15.7/Protect/tomcat/webapps/ProtectManager/WEB-INF/springSecurityContext.xml
SDLP 15.8:
cp /opt/Symantec/DataLossPrevention/EnforceServer/15.8.00000/Protect/tomcat/webapps/ProtectManager/security/template/springSecurityContext-Kerberos.xml /opt/Symantec/DataLossPrevention/EnforceServer/15.8.00000/Protect/tomcat/webapps/ProtectManager/WEB-INF/springSecurityContext.xml
6. Change to the WEB-INF directory that now contains the new springSecurityContext.xml:
SDLP 15.0 and older:
cd /opt/SymantecDLP/Protect/tomcat/webapps/ProtectManager/WEB-INF/
SDLP 15.1:
cd /opt/Symantec/DataLossPrevention/Enforce\ Server/15.1/Protect/tomcat/webapps/ProtectManager/WEB-INF/
SDLP 15.5:
cd /opt/Symantec/DataLossPrevention/EnforceServer/15.5/Protect/tomcat/webapps/ProtectManager/WEB-INF/
SDLP 15.7:
cd /opt/Symantec/DataLossPrevention/EnforceServer/15.7/Protect/tomcat/webapps/ProtectManager/WEB-INF/
SDLP 15.8:
cd /opt/Symantec/DataLossPrevention/EnforceServer/15.8.00000/Protect/tomcat/webapps/ProtectManager/WEB-INF/
7. Edit the file as follows:
vi springSecurityContext.xml
Active Directory: To enable Active Directory authentication, replace the value of
krbConfLocation with the path to your krb5.conf file (krb5.ini on Windows).
example:
<property name="krbConfLocation" value="/etc/krb5.conf"/>
8. Verify and/or set ownership and permissions for springSecurityContext.xml
chown protect:protect springSecurityContext.xml
chmod 750 springSecurityContext.xml
9. Restart the VontuManager / SymantecDLPManager service (the service name depends on the SDLP version)
SDLP 15.0 and older:
/etc/init.d/VontuManager restart
or as appuser
sudo service VontuManager restart
SDLP 15.1:
as appuser
sudo service SymantecDLPManager restart
SDLP 15.5/15.7/15.8:
as appuser
sudo service SymantecDLPManagerService restart
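Added example (shell, assumed to be run as the protect user after step 3); it is not from the original article or from Symantec. It rehearses steps 4, 5, 7 and 8 against a WEB-INF directory you pass in, so you can try it in a scratch directory before running it on the real path for your version, and it checks that the AD servers entered in step 1 are present as kdc entries in the krb5.conf. The function names and the scratch-directory layout are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original article or Symantec's own tooling.
# Performs steps 4, 5, 7 and 8 against a WEB-INF directory passed as an
# argument, so it can be rehearsed in a scratch directory before being run
# as the protect user on the real Enforce path for your version.
# Assumption: the template carries the krbConfLocation property exactly as
# shown in step 7 (value="..." followed by "/>").

# install_kerberos_context WEBINF_DIR TEMPLATE_XML KRB5_CONF
install_kerberos_context() {
    webinf=$1; template=$2; krb5=$3
    target="$webinf/springSecurityContext.xml"
    [ -f "$template" ] || { echo "template not found: $template" >&2; return 1; }
    [ -f "$krb5" ] || { echo "krb5 config not found: $krb5" >&2; return 1; }
    # Step 4: keep the current context as .BAK (same name the article uses).
    if [ -f "$target" ]; then mv "$target" "$target.BAK" || return 1; fi
    # Steps 5 and 7: copy the template, rewriting krbConfLocation on the way
    # (the template ships with a krb5.ini placeholder path).
    sed "s#\(<property name=\"krbConfLocation\" value=\"\)[^\"]*\"#\1$krb5\"#" \
        "$template" > "$target" || return 1
    # Step 8: permissions; run 'chown protect:protect' separately when root.
    chmod 750 "$target" || return 1
    # Refuse to report success unless the property really points at $krb5.
    [ "$(krb_conf_location "$target")" = "$krb5" ]
}

# Prints the krbConfLocation value from a springSecurityContext.xml.
krb_conf_location() {
    sed -n 's#.*<property name="krbConfLocation" value="\([^"]*\)".*#\1#p' "$1"
}

# Reads AD server FQDNs from stdin (one per line, as entered in step 1) and
# checks that each one appears as a 'kdc =' entry in the given krb5.conf.
# Returns 1 and names the missing hosts on stderr otherwise.
kdcs_present() {
    conf=$1; missing=0
    while read -r host; do
        [ -n "$host" ] || continue
        host_re=$(printf '%s' "$host" | sed 's/\./\\./g')   # literal dots
        grep -Eq "^[[:space:]]*kdc[[:space:]]*=[[:space:]]*$host_re([[:space:]:]|\$)" "$conf" \
            || { echo "missing kdc entry: $host" >&2; missing=1; }
    done
    return $missing
}
```

Run `install_kerberos_context` against the WEB-INF path for your version from step 6 and the template path from step 5, then pipe the AD FQDNs from step 1 into `kdcs_present /etc/krb5.conf` before restarting the service.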