April 2020
Broadcom has changed the process for completing the AD Single Sign On (SSO) integration in Symantec Data Loss Prevention (SDLP) 15.0 and greater. When upgrading SDLP, you will need to configure the AD Single Sign On (SSO) separately. This article is meant to provide the steps needed to configure the AD SSO.
Before upgrading SDLP, please read the INSIGHT DLP Admin Guide (specifically page 25, the Basic Configuration section), the Upgrading DLP guide, and the Broadcom article referencing Active Directory login for reference information on this AD configuration issue. Additionally, Broadcom provides information on authenticating users in the Enforce server.
Broadcom provided a new feature in SDLP 15.7 that allows the use of AD groups to provide authentication to the Enforce Management Web Console. The image below contains information on this feature. A fix will be applied for this process to work with SDLP 15.7 and greater in the next IDACT release.
=======================================================================
Automated Process
In order to carry out the AD integration using Kerberos, watch this video and follow the steps exactly as shown.
=======================================================================
Manual Process
Before beginning the manual integration process, you will need to confirm that the DNS server and domain are accurate in order for the integration to be successful. The image below captures an example of the relevant DNS and domain information needed.
Follow the steps below to manually carry out the integration process.
1. Log into the Appliance web UI > Device List > Enforce server, then scroll down to "Kerberos Configuration". Input the FQDN of all AD servers, one per line, and click "Update Kerberos Configuration".
a. The image below captures the configuration before being updated.
b. The image below captures the configuration after being updated.
2. SSH to the Enforce server as appuser after upgrading.
3. Switch to the protect user and verify the Kerberos configuration:
a. sudo su - protect
b. Verify that /etc/krb5.conf looks like the image above
c. cat /etc/krb5.conf
4. Back up the old springSecurityContext.xml file. For each SDLP version, run the command below:
a. SDLP 15.0 and older: mv /opt/SymantecDLP/Protect/tomcat/webapps/ProtectManager/WEB-INF/springSecurityContext.xml /opt/SymantecDLP/Protect/tomcat/webapps/ProtectManager/WEB-INF/springSecurityContext.xml.BAK
b. SDLP 15.1: mv /opt/Symantec/DataLossPrevention/EnforceServer/15.1/Protect/tomcat/webapps/ProtectManager/WEB-INF/springSecurityContext.xml /opt/Symantec/DataLossPrevention/EnforceServer/15.1/Protect/tomcat/webapps/ProtectManager/WEB-INF/springSecurityContext.xml.BAK
c. SDLP 15.5: mv /opt/Symantec/DataLossPrevention/EnforceServer/15.5/Protect/tomcat/webapps/ProtectManager/WEB-INF/springSecurityContext.xml /opt/Symantec/DataLossPrevention/EnforceServer/15.5/Protect/tomcat/webapps/ProtectManager/WEB-INF/springSecurityContext.xml.BAK
d. SDLP 15.7: mv /opt/Symantec/DataLossPrevention/EnforceServer/15.7/Protect/tomcat/webapps/ProtectManager/WEB-INF/springSecurityContext.xml /opt/Symantec/DataLossPrevention/EnforceServer/15.7/Protect/tomcat/webapps/ProtectManager/WEB-INF/springSecurityContext.xml.BAK
e. SDLP 15.8: mv /opt/Symantec/DataLossPrevention/EnforceServer/15.8.0000/Protect/tomcat/webapps/ProtectManager/WEB-INF/springSecurityContext.xml /opt/Symantec/DataLossPrevention/EnforceServer/15.8.0000/Protect/tomcat/webapps/ProtectManager/WEB-INF/springSecurityContext.xml.BAK
5. Copy the sample springSecurityContext-Kerberos.xml into the working directory:
a. SDLP 15.0 and older: cp /opt/SymantecDLP/Protect/tomcat/webapps/ProtectManager/security/template/springSecurityContext-Kerberos.xml /opt/SymantecDLP/Protect/tomcat/webapps/ProtectManager/WEB-INF/springSecurityContext.xml
b. SDLP 15.1: cp /opt/Symantec/DataLossPrevention/EnforceServer/15.1/Protect/tomcat/webapps/ProtectManager/security/template/springSecurityContext-Kerberos.xml /opt/Symantec/DataLossPrevention/EnforceServer/15.1/Protect/tomcat/webapps/ProtectManager/WEB-INF/springSecurityContext.xml
c. SDLP 15.5: cp /opt/Symantec/DataLossPrevention/EnforceServer/15.5/Protect/tomcat/webapps/ProtectManager/security/template/springSecurityContext-Kerberos.xml /opt/Symantec/DataLossPrevention/EnforceServer/15.5/Protect/tomcat/webapps/ProtectManager/WEB-INF/springSecurityContext.xml
d. SDLP 15.7: cp /opt/Symantec/DataLossPrevention/EnforceServer/15.7/Protect/tomcat/webapps/ProtectManager/security/template/springSecurityContext-Kerberos.xml /opt/Symantec/DataLossPrevention/EnforceServer/15.7/Protect/tomcat/webapps/ProtectManager/WEB-INF/springSecurityContext.xml
e. SDLP 15.8: cp /opt/Symantec/DataLossPrevention/EnforceServer/15.8.0000/Protect/tomcat/webapps/ProtectManager/security/template/springSecurityContext-Kerberos.xml /opt/Symantec/DataLossPrevention/EnforceServer/15.8.0000/Protect/tomcat/webapps/ProtectManager/WEB-INF/springSecurityContext.xml
6. Change to the WEB-INF directory that now contains the new springSecurityContext.xml:
a. SDLP 15.0 and older: cd /opt/SymantecDLP/Protect/tomcat/webapps/ProtectManager/WEB-INF/
b. SDLP 15.1: cd /opt/Symantec/DataLossPrevention/EnforceServer/15.1/Protect/tomcat/webapps/ProtectManager/WEB-INF/
c. SDLP 15.5: cd /opt/Symantec/DataLossPrevention/EnforceServer/15.5/Protect/tomcat/webapps/ProtectManager/WEB-INF/
d. SDLP 15.7: cd /opt/Symantec/DataLossPrevention/EnforceServer/15.7/Protect/tomcat/webapps/ProtectManager/WEB-INF/
e. SDLP 15.8: cd /opt/Symantec/DataLossPrevention/EnforceServer/15.8.0000/Protect/tomcat/webapps/ProtectManager/WEB-INF/
7. Edit the file as follows:
a. vi springSecurityContext.xml
8. To enable Active Directory authentication, replace the value of krbConfLocation with the path to your krb5.conf file. For example:
a. <property name="krbConfLocation" value="/etc/krb5.conf"/>
9. Verify and/or set the ownership and permissions of springSecurityContext.xml. For example:
a. chown protect:protect springSecurityContext.xml
b. chmod 750 springSecurityContext.xml
10. Restart the VontuManager service, using the command below for the version of SDLP in use:
a. SDLP 15.0 and older: /etc/init.d/VontuManager restart, or as appuser, sudo service VontuManager restart
b. SDLP 15.1: As appuser, sudo service SymantecDLPManager restart
c. SDLP 15.5 - 15.8: As appuser, sudo service SymantecDLPManagerService restart
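As an added example (not from this article or from Broadcom), the POSIX shell script below automates steps 4 through 9 for a given SDLP version: it derives the version-specific WEB-INF path, backs up the old context file, installs the Kerberos template, rewrites krbConfLocation and fixes the permissions. The optional root prefix accepted by webinf_dir and the existence checks are my own additions, so the steps can be rehearsed in a scratch directory before running them as the protect user on a real Enforce server.

```shell
#!/bin/sh
# Added example, not from the original article: derives the version-specific
# WEB-INF path, backs up springSecurityContext.xml, installs the Kerberos
# template, sets krbConfLocation and fixes permissions (steps 4 to 9).
# Assumption: an optional second argument to webinf_dir prefixes a scratch
# root so the steps can be rehearsed outside a real Enforce host.

# Print the WEB-INF directory for an SDLP version (paths as in the article).
webinf_dir() {
    root="${2:-}"
    case "$1" in
        15.0) echo "$root/opt/SymantecDLP/Protect/tomcat/webapps/ProtectManager/WEB-INF" ;;
        15.1|15.5|15.7) echo "$root/opt/Symantec/DataLossPrevention/EnforceServer/$1/Protect/tomcat/webapps/ProtectManager/WEB-INF" ;;
        15.8) echo "$root/opt/Symantec/DataLossPrevention/EnforceServer/15.8.0000/Protect/tomcat/webapps/ProtectManager/WEB-INF" ;;
        *) echo "unsupported SDLP version: $1" >&2; return 1 ;;
    esac
}

# Name of the manager service to restart after the change (step 10).
manager_service() {
    case "$1" in
        15.0) echo VontuManager ;;
        15.1) echo SymantecDLPManager ;;
        15.5|15.7|15.8) echo SymantecDLPManagerService ;;
        *) return 1 ;;
    esac
}

# Back up the current context file, copy in the Kerberos template and point
# krbConfLocation at the given krb5.conf. Returns non-zero if anything fails.
install_kerberos_context() {
    webinf="$1"; krbconf="$2"
    template="$webinf/../security/template/springSecurityContext-Kerberos.xml"
    target="$webinf/springSecurityContext.xml"
    [ -f "$template" ] || { echo "template missing: $template" >&2; return 1; }
    [ -f "$krbconf" ] || { echo "krb5.conf missing: $krbconf" >&2; return 1; }
    if [ -f "$target" ]; then mv "$target" "$target.BAK"; fi
    cp "$template" "$target" || return 1
    # Rewrite only the krbConfLocation value; portable sed (no -i).
    sed "s|\(name=\"krbConfLocation\" *value=\"\)[^\"]*\"|\1$krbconf\"|" "$target" > "$target.tmp" \
        && mv "$target.tmp" "$target"
    chmod 750 "$target"
    # chown only where the protect account exists (it does on a real Enforce host).
    if id protect >/dev/null 2>&1; then chown protect:protect "$target"; fi
    # Final check: the property must now carry the real path.
    grep -q "name=\"krbConfLocation\" *value=\"$krbconf\"" "$target"
}
```

After a successful run, finish with step 10 as appuser: sudo service $(manager_service 15.7) restart, substituting your version.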