Configure AD integration for SDLP 15.x and greater

April 2020

Broadcom has changed the process for completing the AD Single Sign On (SSO) integration in Symantec Data Loss Prevention (SDLP) 15.0 and greater. When upgrading SDLP, you will need to configure the AD Single Sign On (SSO) separately. This article is meant to provide the steps needed to configure the AD SSO.

Before upgrading SDLP, please read the INSIGHT DLP Admin Guide (specifically page 25, the Basic Configuration section), the Upgrading DLP guide, and the Broadcom article referencing Active Directory login for reference information on this AD configuration issue. Additionally, Broadcom provides information on authenticating users in the Enforce server. 

Broadcom added a feature in SDLP 15.7 that allows AD groups to be used to authenticate to the Enforce Management Web Console. The image below contains information on this feature. A fix will be applied in the next IDACT release so that this process works with SDLP 15.7 and greater.

[Image: mceclip0.png]

=======================================================================

Automated Process

To carry out the AD integration using Kerberos, watch this video and follow its steps closely.

=======================================================================

Manual Process

Before beginning the manual integration process, confirm that the DNS server and domain are correct; the integration will not succeed otherwise. The image below shows an example of the relevant DNS and domain information needed.

[Image: mceclip1.png]

Follow the steps below to manually carry out the integration process.

1. Log into the Appliance web UI > Device List > Enforce server, then scroll down to "Kerberos Configuration". Enter the FQDNs of all AD servers, one per line, and click "Update Kerberos Configuration".

     a. The image below captures the configuration before being updated.

     b. The image below captures the configuration after being updated.

2. After upgrading, SSH to the Enforce server as appuser.

3. Switch to the protect user and check the Kerberos client configuration:

     a. sudo su - protect

     b. Verify that /etc/krb5.conf looks like the image above.

     c. cat /etc/krb5.conf

4. Back up the old springSecurityContext.xml file. Use the command for your SDLP version:

     a. SDLP 15.0 and older:
        mv /opt/SymantecDLP/Protect/tomcat/webapps/ProtectManager/WEB-INF/springSecurityContext.xml /opt/SymantecDLP/Protect/tomcat/webapps/ProtectManager/WEB-INF/springSecurityContext.xml.BAK

     b. SDLP 15.1:
        mv /opt/Symantec/DataLossPrevention/EnforceServer/15.1/Protect/tomcat/webapps/ProtectManager/WEB-INF/springSecurityContext.xml /opt/Symantec/DataLossPrevention/EnforceServer/15.1/Protect/tomcat/webapps/ProtectManager/WEB-INF/springSecurityContext.xml.BAK

     c. SDLP 15.5:
        mv /opt/Symantec/DataLossPrevention/EnforceServer/15.5/Protect/tomcat/webapps/ProtectManager/WEB-INF/springSecurityContext.xml /opt/Symantec/DataLossPrevention/EnforceServer/15.5/Protect/tomcat/webapps/ProtectManager/WEB-INF/springSecurityContext.xml.BAK

     d. SDLP 15.7:
        mv /opt/Symantec/DataLossPrevention/EnforceServer/15.7/Protect/tomcat/webapps/ProtectManager/WEB-INF/springSecurityContext.xml /opt/Symantec/DataLossPrevention/EnforceServer/15.7/Protect/tomcat/webapps/ProtectManager/WEB-INF/springSecurityContext.xml.BAK

     e. SDLP 15.8:
        mv /opt/Symantec/DataLossPrevention/EnforceServer/15.8.0000/Protect/tomcat/webapps/ProtectManager/WEB-INF/springSecurityContext.xml /opt/Symantec/DataLossPrevention/EnforceServer/15.8.0000/Protect/tomcat/webapps/ProtectManager/WEB-INF/springSecurityContext.xml.BAK

5. Copy the sample springSecurityContext-Kerberos.xml into the working directory as springSecurityContext.xml. Use the command for your SDLP version:

     a. SDLP 15.0 and older:
        cp /opt/SymantecDLP/Protect/tomcat/webapps/ProtectManager/security/template/springSecurityContext-Kerberos.xml /opt/SymantecDLP/Protect/tomcat/webapps/ProtectManager/WEB-INF/springSecurityContext.xml

     b. SDLP 15.1:
        cp /opt/Symantec/DataLossPrevention/EnforceServer/15.1/Protect/tomcat/webapps/ProtectManager/security/template/springSecurityContext-Kerberos.xml /opt/Symantec/DataLossPrevention/EnforceServer/15.1/Protect/tomcat/webapps/ProtectManager/WEB-INF/springSecurityContext.xml

     c. SDLP 15.5:
        cp /opt/Symantec/DataLossPrevention/EnforceServer/15.5/Protect/tomcat/webapps/ProtectManager/security/template/springSecurityContext-Kerberos.xml /opt/Symantec/DataLossPrevention/EnforceServer/15.5/Protect/tomcat/webapps/ProtectManager/WEB-INF/springSecurityContext.xml

     d. SDLP 15.7:
        cp /opt/Symantec/DataLossPrevention/EnforceServer/15.7/Protect/tomcat/webapps/ProtectManager/security/template/springSecurityContext-Kerberos.xml /opt/Symantec/DataLossPrevention/EnforceServer/15.7/Protect/tomcat/webapps/ProtectManager/WEB-INF/springSecurityContext.xml

     e. SDLP 15.8:
        cp /opt/Symantec/DataLossPrevention/EnforceServer/15.8.0000/Protect/tomcat/webapps/ProtectManager/security/template/springSecurityContext-Kerberos.xml /opt/Symantec/DataLossPrevention/EnforceServer/15.8.0000/Protect/tomcat/webapps/ProtectManager/WEB-INF/springSecurityContext.xml

6. Change to the directory that holds the new springSecurityContext.xml. Use the command for your SDLP version:

     a. SDLP 15.0 and older: cd /opt/SymantecDLP/Protect/tomcat/webapps/ProtectManager/WEB-INF/

     b. SDLP 15.1: cd /opt/Symantec/DataLossPrevention/EnforceServer/15.1/Protect/tomcat/webapps/ProtectManager/WEB-INF/

     c. SDLP 15.5: cd /opt/Symantec/DataLossPrevention/EnforceServer/15.5/Protect/tomcat/webapps/ProtectManager/WEB-INF/

     d. SDLP 15.7: cd /opt/Symantec/DataLossPrevention/EnforceServer/15.7/Protect/tomcat/webapps/ProtectManager/WEB-INF/

     e. SDLP 15.8: cd /opt/Symantec/DataLossPrevention/EnforceServer/15.8.0000/Protect/tomcat/webapps/ProtectManager/WEB-INF/

7. Open the file for editing:

     a. vi springSecurityContext.xml

8. To enable Active Directory authentication, replace the value of krbConfLocation with the path to your Kerberos configuration file (krb5.conf). For example:

     a. <property name="krbConfLocation" value="/etc/krb5.conf"/>

9. Verify and/or set the ownership and permissions of springSecurityContext.xml. For example:

     a. chown protect:protect springSecurityContext.xml

     b. chmod 750 springSecurityContext.xml

10. Restart the Enforce manager service. Use the command for your SDLP version:

     a. SDLP 15.0 and older: /etc/init.d/VontuManager restart, or, as appuser, sudo service VontuManager restart

     b. SDLP 15.1: as appuser, sudo service SymantecDLPManager restart

     c. SDLP 15.5 - 15.8: as appuser, sudo service SymantecDLPManagerService restart
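The manual steps for backing up the old context file, copying the Kerberos template, pointing krbConfLocation at krb5.conf and fixing ownership and permissions can be scripted so that the same sequence is applied on every Enforce server. The script below is an added example, not code from this article or from Broadcom. The version-to-path mapping and the service names are the ones the article lists; the function names, the optional scratch-root and krb5-path arguments and the sed substitution are assumptions of this example. It assumes the template contains a krbConfLocation property and that it is run as the protect user; chown is skipped when no protect account exists, so it can be exercised against a scratch copy of the directory tree.

```shell
#!/bin/sh
# Added example (not from the article): automate the file-handling steps of
# the manual AD/Kerberos integration for one SDLP version on the Enforce server.

# enforce_root VERSION -> Enforce install root for that version (paths per the article)
enforce_root() {
  case "$1" in
    15.0) echo "/opt/SymantecDLP" ;;
    15.1|15.5|15.7) echo "/opt/Symantec/DataLossPrevention/EnforceServer/$1" ;;
    15.8) echo "/opt/Symantec/DataLossPrevention/EnforceServer/15.8.0000" ;;
    *) echo "unsupported SDLP version: $1" >&2; return 1 ;;
  esac
}

# manager_service VERSION -> name of the Enforce manager service to restart
manager_service() {
  case "$1" in
    15.0) echo "VontuManager" ;;
    15.1) echo "SymantecDLPManager" ;;
    15.5|15.7|15.8) echo "SymantecDLPManagerService" ;;
    *) echo "unsupported SDLP version: $1" >&2; return 1 ;;
  esac
}

# install_kerberos_context VERSION [ROOT] [KRB5_CONF]
#   ROOT      - install root override (hypothetical; lets you dry-run on a scratch tree)
#   KRB5_CONF - Kerberos client config to reference (defaults to /etc/krb5.conf)
install_kerberos_context() {
  ver="$1"
  root="${2:-$(enforce_root "$ver")}" || return 1
  krb5="${3:-/etc/krb5.conf}"
  webapp="$root/Protect/tomcat/webapps/ProtectManager"
  target="$webapp/WEB-INF/springSecurityContext.xml"
  template="$webapp/security/template/springSecurityContext-Kerberos.xml"

  # Refuse to proceed if the inputs are not where the article says they are.
  [ -r "$krb5" ]     || { echo "krb5 config not readable: $krb5" >&2; return 1; }
  [ -f "$template" ] || { echo "template missing: $template" >&2; return 1; }

  # Keep the previous context file as .BAK (overwrites an older .BAK).
  [ -f "$target" ] && cp -p "$target" "$target.BAK"

  # Copy the Kerberos template into place as the live context file.
  cp "$template" "$target"

  # Point krbConfLocation at the krb5.conf path. The template may or may not
  # have a space before value=, so match both. '|' is the sed delimiter
  # because the replacement is a path full of slashes.
  expr='s|\(name="krbConfLocation"[[:space:]]*value="\)[^"]*|\1'"$krb5"'|'
  sed "$expr" "$target" > "$target.tmp" && mv "$target.tmp" "$target"

  # Ownership and permissions as in the article; chown only where the
  # protect account exists (it will not on a scratch copy).
  if id protect >/dev/null 2>&1; then chown protect:protect "$target"; fi
  chmod 750 "$target"

  # Succeed only if the substitution actually landed.
  grep -q "name=\"krbConfLocation\"[[:space:]]*value=\"$krb5\"" "$target"
}

# Usage on a real Enforce server (as protect, then restart as appuser):
#   install_kerberos_context 15.7 && sudo service "$(manager_service 15.7)" restart
```

Run it with only the version argument on the Enforce server; the two optional arguments exist so the whole sequence can be rehearsed on a copied directory tree before touching the live WEB-INF. The final grep makes the function's exit status reflect whether krbConfLocation was really rewritten, which is the check a practitioner would otherwise do by eye in vi.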
