Tuesday, April 1, 2014

Setting up Symantec DLP FlexResponse Plugin (Part 2)

Why am I writing this: 

  • The documentation is vague and all over the place. Much of it is for Linux-based OSes.
  • The certificate-store-path variable in the plugin properties does not work, so that part of the documentation is wrong, and the trick (at least for Windows Server) is to put the keystore on the C: root.
  • It's not obvious to a non-PGP user how to set multiple users or a group of users as "admin."
  • Answers are hard to find, so my goal is to limit the trial-and-error approach.

In Part 1 (Setting up Symantec ERM Service Between DLP and PGP) I described what it took to set up the ERM service to communicate between DLP v.12 and PGP Universal Server 10.2.

Part 2: Configuring the Symantec DLP FlexResponse Plugin

So in Part 1 I established the ERM Service. Part 2 is all about configuring DLP to talk to that service.


Step 1 - Install the PGP Plugin files on the DLP Enforce Server

Now on the DLP Enforce server:


From the extracted FlexResponse files (Platform download, FlexResponse_Plugins folder\PGP, "Symantec_DLP_Plugin_PGP_1.0.2.0.exe"), copy the plugin jar file (PGPNSFlexResponsePlugin.jar) and the plugin properties file (PGPNSFlexResponsePlugin.properties) into the Symantec DLP plugins folder, e.g. "C:\SymantecDLP\protect\plugins" (location may vary depending on OS or installation).
Make sure the local DLP "protect" user account has read/execute rights to these two files.


Register the plugin with the DLP Enforce server by editing the plugins.properties file located in the config folder in the DLP install folder.
  • <drive>:\SymantecDLP\Protect\config\Plugins.properties
Add the name of the plugin .jar file to the following attribute: com.symantec.dlpx.flexresponse.Plugin.plugins. The attribute may be commented out initially.
It may look something like this:
com.symantec.dlpx.flexresponse.Plugin.plugins = PGPNSFlexResponsePlugin.jar



Step 2 - Configure SSL Communication on DLP

Still on the DLP Enforce server: 

Now, configure the SSL communication between the ERM service and DLP Enforce. This is required if the ERM service is not running on the Enforce server.

Find the keytool.exe program. This should be located in the DLP installation folder: <drive>:\SymantecDLP\jre\bin\keytool.exe.


Use these commands to generate, export, and import an SSL certificate. Document the private and public passphrases for future use. The private passphrase protects the key pair in the .pfx file and is sensitive; the public passphrase protects the .jks trust store and is non-sensitive.


Open up a command prompt as administrator:
Start, type "cmd", right-click on cmd.exe and "run as Administrator"

Then run each of these three commands separately, in order.
 

Generate (the certificate and personal information exchange "pfx" file):
<drive>:\SymantecDLP\jre\bin>keytool.exe -genkeypair -alias ermservice -keystore ermservice.pfx -storetype pkcs12 -keyalg RSA -dname "CN=<yourERMServiceHostname>" -keypass <private passphrase> -storepass <private passphrase>

Export (the certificate "cer" file):

<drive>:\SymantecDLP\jre\bin>keytool -exportcert -alias ermservice -file ermservice.cer -keystore ermservice.pfx -storetype pkcs12 -storepass <private passphrase>

Import (certificate into the java keystore "jks" file):

<drive>:\SymantecDLP\jre\bin>keytool -importcert -keystore ermservice.jks -alias ermservice -file ermservice.cer -v -trustcacerts -noprompt -storepass <public passphrase>

After running these commands, there will be three new files located in the same folder as the keytool.exe file:
  • ermservice.pfx (personal information exchange file)
  • ermservice.cer (certificate)
  • ermservice.jks (Java keystore)
As a side note: if you already had an existing .pfx and .cer, I believe you could generate the keystore file from those using different commands.
 

The .PFX file holds the private/public key pair and is imported into the ERM service on the ERM service host machine. Copy this file to the ERM service host machine.
The .JKS file is the trust store holding the ERM service's certificate (public key) and must remain on the DLP Enforce server. Put this file in the root of the C: drive on the DLP Enforce server.
The .CER file is not needed for this task.
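The three keytool invocations above, wrapped as an added example (not code from the original post or from Symantec): the commands are built as argument lists rather than one cmd.exe string, so a -dname value or a passphrase containing spaces needs no quoting, each step aborts on a non-zero exit code, and the resulting .jks is checked with keytool -list before it is copied to C:\. It also generalises the side note above: passing an existing PKCS#12 file skips the key-pair generation and exports the certificate from that file instead. The keytool path, hostname and passphrases are parameters; nothing is hard-coded.

```python
import os
import subprocess
import sys

# Added example, not from the original post. Assumes the keytool.exe shipped
# with DLP (<drive>:\SymantecDLP\jre\bin\keytool.exe); alias and file names
# follow the post. Passphrases come from the caller, never from this file.

ALIAS = "ermservice"


def keytool_commands(keytool, host, private_pass, public_pass, existing_pfx=None):
    """Return the argv lists for the generate / export / import sequence.

    If existing_pfx is given, the genkeypair step is skipped and the
    certificate is exported from that PKCS#12 file instead.
    """
    pfx = existing_pfx or f"{ALIAS}.pfx"
    cer = f"{ALIAS}.cer"
    jks = f"{ALIAS}.jks"
    cmds = []
    if existing_pfx is None:
        # Step 1: self-signed key pair in a PKCS#12 store, CN = ERM service host
        cmds.append([keytool, "-genkeypair", "-alias", ALIAS,
                     "-keystore", pfx, "-storetype", "pkcs12",
                     "-keyalg", "RSA", "-dname", f"CN={host}",
                     "-keypass", private_pass, "-storepass", private_pass])
    # Step 2: export only the certificate (no private key) to a .cer file
    cmds.append([keytool, "-exportcert", "-alias", ALIAS, "-file", cer,
                 "-keystore", pfx, "-storetype", "pkcs12",
                 "-storepass", private_pass])
    # Step 3: import that certificate into the JKS trust store for Enforce
    cmds.append([keytool, "-importcert", "-keystore", jks, "-alias", ALIAS,
                 "-file", cer, "-trustcacerts", "-noprompt",
                 "-storepass", public_pass])
    return cmds


def run_keytool_sequence(keytool, host, private_pass, public_pass, workdir,
                         existing_pfx=None, runner=subprocess.run):
    """Run the sequence in workdir and verify the resulting .jks.

    runner is injectable so the sequence can be exercised without a JDK.
    Returns the path of the trust store to copy to C:\ on the Enforce server.
    """
    for argv in keytool_commands(keytool, host, private_pass, public_pass, existing_pfx):
        runner(argv, cwd=workdir, check=True)  # non-zero exit aborts the sequence
    jks = os.path.join(workdir, f"{ALIAS}.jks")
    # keytool -list prints the alias of every entry; confirm ours is present.
    listing = runner([keytool, "-list", "-keystore", jks, "-storepass", public_pass],
                     cwd=workdir, check=True, capture_output=True, text=True)
    if ALIAS not in (listing.stdout or ""):
        raise RuntimeError(f"{ALIAS} entry not found in {jks}")
    return jks


if __name__ == "__main__":
    # usage: python make_ermservice_keystore.py <keytool.exe> <erm-host> <workdir>
    import getpass
    keytool_exe, erm_host, work = sys.argv[1:4]
    priv = getpass.getpass("private passphrase: ")
    pub = getpass.getpass("public passphrase: ")
    print("trust store ready:", run_keytool_sequence(keytool_exe, erm_host, priv, pub, work))
```

The public passphrase used for the import step is the one that later goes into certificate-store-password in the plugin properties, so keep the two values apart when the script prompts for them.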



Step 3 - Configure the PGP Plugin


Still on the DLP Enforce server:

Edit the plugin properties file (PGPNSFlexResponsePlugin.properties) and pay attention to the following settings:
  • prot-svc-host="your ERM Service host machine name"
  • prot-svc-session-type=secured (if you're using SSL)
  • certificate-store-path=<path to jks file>
***The default value is "${system:dirs:common-app-data}\Symantec\SDLPERM\SCache\REST_SSL_Cert" but this path would not work for me. The documentation indicates that one should use "an appropriate path" on the server. This default folder structure does not exist on the DLP Enforce server. I tried many different paths, but the only path that ended up working was the root of the C: drive.
***So if the SSL fails to connect, put your JKS file in C: root "C:\whatever.jks" and use this as the variable: certificate-store-path=C:\whatever.jks

  • certificate-store-password=<public passphrase from certificate creation>
The following value will vary based on your needs. The users or groups assigned will have access to files encrypted by the plugin. The value can be a comma-delimited list of PGP key IDs (I: prefix), user names (U: prefix), or group names (G: prefix). If no prefix is specified, the plugin assumes "G:".

Examples:
  • I:0x######## (keyid of user or group)
  • U:John Doe (user name)
  • G:PGP Admin (group name)
For this to work, any user or group on this list must be manually imported into the ERM service account's keyring on the ERM service host machine (PGP Desktop); otherwise an error will be thrown by the plugin.

PGP Universal Server web console -> Keys -> find user/group -> export public key -> save to file.
then
On ERM Service Host open PGP Desktop -> File -> Import -> select file.

I was unable to use the group "G:" and user name "U:" prefixes, but I could successfully use the key IDs for the users and groups to achieve the same result. So in my case, I used the PGP Universal Server's "Everyone" group key ID and the organization's ADK (additional decryption key). This ensures that any encryption done through the DLP FlexResponse plugin will be visible to anyone who has PGP Desktop enrolled with this organization.
  • target-protection-info-default=I:0x########,I:0x########
Keep in mind that this list is just user access. The "Admin" access is defined by the "signer" variable in the ERM service configuration.

Uncomment (remove the pound symbol from) the following lines in the properties file. These values will be placed into the DLP incident record when the manual response rule is run.
  • #target-protection-info-attribute-name=PGP NetShare Target Keys
  • #result-status-attribute-name=PGP NetShare Protection Result
  • #result-protection-attribute-name=PGP NetShare Result Keys
Save the properties file and restart the Vontu Manager service (DLP Enforce server).
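Because a wrong certificate-store-path or a still-commented attribute line only shows up as a failed response rule after the service restart, here is an added pre-restart check (not part of the original post or of the plugin) that reads PGPNSFlexResponsePlugin.properties and applies the rules Step 3 lays out: secured sessions need a certificate-store-path that is resolved (no "${...}" placeholder left from the default) and actually exists, a non-empty certificate-store-password, a target-protection-info-default list whose entries are parsed with the I:/U:/G: prefixes (no prefix means G:), and the three attribute-name lines uncommented. The sample properties text and the file path are constructed for the example; the path_exists argument is injectable so the check can be run against a file on another machine.

```python
import os
import re
import sys

# Added example, not from the original post. Checks only the settings named in
# Step 3; any other key in the properties file is left alone.

KEY_PREFIXES = ("I:", "U:", "G:")
ATTRIBUTE_KEYS = ("target-protection-info-attribute-name",
                  "result-status-attribute-name",
                  "result-protection-attribute-name")


def parse_properties(text):
    """Minimal Java-properties reader: key=value lines, '#' lines are comments.

    Returns (values, commented); commented holds keys that appear only behind
    a '#', so a line the post says to uncomment can be reported.
    """
    values, commented = {}, set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or "=" not in line:
            continue
        is_comment = line.startswith("#")
        if is_comment:
            line = line.lstrip("#").strip()
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if is_comment:
            commented.add(key)
        else:
            values[key] = value
    return values, commented - set(values)


def parse_protection_list(value):
    """Split target-protection-info-default into (prefix, name) tuples.

    Entries without a prefix default to G: (group), as the post states.
    """
    entries = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        if item[:2] in KEY_PREFIXES:
            entries.append((item[:2], item[2:]))
        else:
            entries.append(("G:", item))
    return entries


def check_plugin_properties(text, path_exists=os.path.isfile):
    """Return a list of problems; an empty list means the file is consistent."""
    values, commented = parse_properties(text)
    problems = []
    if values.get("prot-svc-session-type") == "secured":
        store = values.get("certificate-store-path", "")
        if not store:
            problems.append("secured session but certificate-store-path is not set")
        elif "${" in store:
            problems.append(f"certificate-store-path still uses an unresolved placeholder: {store}")
        elif not path_exists(store):
            problems.append(f"certificate-store-path does not exist on this server: {store}")
        if not values.get("certificate-store-password"):
            problems.append("certificate-store-password is empty")
    entries = parse_protection_list(values.get("target-protection-info-default", ""))
    if not entries:
        problems.append("target-protection-info-default lists no recipients")
    for prefix, name in entries:
        # key IDs are written 0x plus 8 or 16 hex digits; names are not checked
        if prefix == "I:" and not re.fullmatch(r"0x(?:[0-9A-Fa-f]{8}|[0-9A-Fa-f]{16})", name):
            problems.append(f"key id entry is not a 0x hex key id: {name}")
    for key in ATTRIBUTE_KEYS:
        if key in commented:
            problems.append(f"{key} is still commented out")
    return problems


# Constructed sample: one attribute line deliberately left commented out.
SAMPLE = """\
prot-svc-host=erm01.example.local
prot-svc-session-type=secured
certificate-store-path=C:\\ermservice.jks
certificate-store-password=publicpass
target-protection-info-default=I:0x01234567,I:0x89ABCDEF
#target-protection-info-attribute-name=PGP NetShare Target Keys
result-status-attribute-name=PGP NetShare Protection Result
result-protection-attribute-name=PGP NetShare Result Keys
"""

if __name__ == "__main__":
    # usage: python check_pgp_plugin.py <path to PGPNSFlexResponsePlugin.properties>
    with open(sys.argv[1], encoding="utf-8") as fh:
        for problem in check_plugin_properties(fh.read()):
            print("PROBLEM:", problem)
```

Run it on the Enforce server as the same account that owns the plugins folder so the existence check sees the same view of C:\ that the plugin will.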


Step 4 - Configure SSL Communication on ERM

On the ERM Service host machine:

Now we need to import that .PFX file into the ERM service.
 

You should already have placed the .PFX file from the DLP Enforce server on this ERM service host machine.
 

Open up a command prompt as administrator:
Start, type "cmd", right-click on cmd.exe and "run as Administrator"
 

Change directory (cd) to the location of the DLP ERM Service, which includes the sdlperm_import.exe file:
c:\Program Files (x86)\Symantec\DLP ERM Service\ (location may vary)
 

Run this command to import the .PFX file:
sdlperm_import.exe --ssl-cert-pfx --passphrase=<private passphrase> --user=<domain\erm service user account name> --password=<erm service user account password> --infile=<.PFX file path and name> (e.g. c:\ermservice.pfx)
Then restart the ERM service, "Symantec Data Loss Prevention ERM Service".

This should completely enable SSL communication between the ERM service and DLP Enforce. 


Step 5 - Test PGP NetShare on the Command-Line

On the ERM Service host machine:

This is a test of the pgpnetshare.exe install without DLP just to make sure it works.

Open up a command prompt as administrator:
Start, type "cmd", right-click on cmd.exe and "run as Administrator".


Change directory to the pgpnetshare install folder: C:\Program Files (x86)\PGP Corporation\PGP Desktop (location may vary)
 

Run this command:
pgpnetshare.exe --verbose -e "\\<hostname>\<sharename>\<filename>" -s "<signer keyid>" --passphrase "<signer's keyring passphrase>" -r "<signer keyid>"

This will simply encrypt the specified file. The -e switch encrypts, -d decrypts. Type pgpnetshare.exe --help for a full list.

If that worked, you know the encryption piece is functional.
 


This completes the setup of the DLP Enforce Plugin, SSL communication between the ERM Service host and DLP Enforce, and testing basic encryption using the pgpnetshare command-line. Part 3 will focus on setting up the DLP Policy, the response rule, and testing.