SSL configuration guide

Applying Secure Sockets Layer (SSL) certificates ensures that all data transfers between users’ web browsers and the DataSecurity Plus server remain secure. This guide explains the steps to enable SSL for DataSecurity Plus.

Steps for Enabling SSL:

Step 1: Define the SSL port

  • Start DataSecurity Plus. Go to Start > All Programs > DataSecurity Plus > Start DataSecurity Plus.
  • Log on to DataSecurity Plus with an account that has administrative privileges.
  • Navigate to Admin > General Settings > Connection.
  • Enable SSL by checking the box, then enter the port number [default: 8800] you plan on using for DataSecurity Plus, and save the changes.
  • Stop DataSecurity Plus. Go to Start > All Programs > DataSecurity Plus > Stop DataSecurity Plus.

Step 2: Create the keystore

A keystore is a repository that contains the public and private keys required for encryption and decryption of data once a connection is established between the client and the server. The steps below detail the procedure to create a keystore.

  • Open Command Prompt from <installation_directory>\ManageEngine\DataSecurity Plus\jre\bin.
  • Execute the following command in Command Prompt to create the Tomcat-specific certificate keystore file, which will be referred to as <domainName>.keystore in the rest of this document:

keytool -genkey -alias tomcat -keypass <your key password> -keyalg RSA -validity 1000 -keystore <domainName>.keystore

  • Replace <your key password> with a password of your choice and <domainName> with the name of your domain.
  • When prompted, type in your keystore password. To avoid any confusion, we recommend entering the same password as your keypass.
  • Provide information based on the following guidelines:

| S. No. | Question | Answer |
|---|---|---|
| 1 | What is the first and last name? | The NetBIOS name or FQDN of the server on which DataSecurity Plus is running. For example, if the DNS domain name is test.example.com, the NetBIOS domain name is test; an FQDN for a hypothetical mail server might be mymail.example.com, where the host name is mymail and the host is located within the domain example.com. |
| 2 | What is the name of your organizational unit? | The department name that you want to appear in the certificate. |
| 3 | What is the name of your organization? | Provide the legal name of your organization. |
| 4 | What is the name of your city? | Enter the city name in your organization’s registered address. |
| 5 | What is the name of your state/province? | Enter the state/province in your organization’s registered address. |
| 6 | What is your country code? | Provide the 2-letter code of the country your organization is located in. |

Step 3: Generate and submit a certificate signing request (CSR) to your certificate authority (CA)

The following steps detail the procedure to create a .csr file, which will be referred to as <domainName>.csr in the rest of this document.

Creating a certificate signing request (CSR):

  • To create a .csr file, execute the following command in Command Prompt from <installation directory>\ManageEngine\DataSecurity Plus\jre\bin:

keytool -certreq -alias tomcat -keyalg RSA -keystore <domainName>.keystore -file <domainName>.csr

    or

  • To create a CSR with Subject Alternative Name (SAN), execute the following command in Command Prompt:

keytool -certreq -alias tomcat -keyalg RSA -ext SAN=dns:server_name,dns:server_name.domain.com,dns:server_name.domain1.com -keystore <domainName>.keystore -file <domainName>.csr

Replace the <domainName> with the name of your domain, and provide the appropriate Subject Alternative Names.

  • Locate the CSR file at <installation directory>\ManageEngine\DataSecurity Plus\jre\bin and submit it to your CA.

Step 4: Request certificate signing from a CA:

4.1: From Microsoft Certificate Services (internal CA).

The below steps provide instructions on how to connect to an internal CA, submit the CSR, procure the SSL certificate, and import it.

  • Connect to Microsoft Certificate Services and click Request a certificate.
  • Click on Advanced certificate request, and then select Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.
  • Open the .csr file using a text editor, copy the content, and paste it under Saved Request. Then, select Web Server as the Certificate Template, and click Submit.
  • Click on the Download Certificate Chain link to download the issued certificate chain in PKCS #7 format. The downloaded certificate will be in .p7b format.
  • Copy the .p7b certificate file to the <installation directory>\ManageEngine\DataSecurity Plus\jre\bin folder.
  • Click Home on the top right corner, and click Download a CA certificate to download and save the root certificate in .cer format.
  • Copy the .cer file to the <installation directory>\ManageEngine\DataSecurity Plus\jre\bin location.
  • Navigate to <installation directory>\ManageEngine\DataSecurity Plus\jre\bin using Command Prompt, and execute the command below to import the certificate into a .keystore file.

keytool -import -trustcacerts -alias tomcat -file certnew.p7b -keystore <keystore_name>.keystore

    Replace <keystore_name> with the name of your keystore.

  • In the same location, execute the command below to add the internal CA's root certificate to the list of trusted CAs in the Java cacerts file.

keytool -import -alias <internal CA_name> -keystore ..\lib\security\cacerts -file certnew.cer

Note: Open certnew.cer to get the internal CA name, and provide changeit (the default password of the Java cacerts file) as the keystore password when prompted.

4.2: From an external CA.

The following steps describe how to request and import certificates signed by an external CA.

  • To request a certificate from an external CA, submit the CSR to that CA.
  • Unzip the certificates returned by your CA, and save them in the <installation directory>\ManageEngine\DataSecurity Plus\jre\bin folder.
  • Open Command Prompt and navigate to the <installation directory>\ManageEngine\DataSecurity Plus\jre\bin folder.
  • Run the commands listed under your CA:
    • For GoDaddy certificates
      • keytool -import -alias root -keystore <domainName>.keystore -trustcacerts -file gd_bundle.crt
      • keytool -import -alias cross -keystore <domainName>.keystore -trustcacerts -file gd_cross.crt
      • keytool -import -alias intermed -keystore <domainName>.keystore -trustcacerts -file gd_intermed.crt
      • keytool -import -alias tomcat -keystore <domainName>.keystore -trustcacerts -file <domainName>.crt
    • For Verisign certificates
      • keytool -import -alias intermediateCA -keystore <domainName>.keystore -trustcacerts -file <your intermediate certificate.cer>
      • keytool -import -alias tomcat -keystore <domainName>.keystore -trustcacerts -file <domainName>.cer
    • For Comodo certificates
      • keytool -import -trustcacerts -alias root -file AddTrustExternalCARoot.crt -keystore <domainName>.keystore
      • keytool -import -trustcacerts -alias addtrust -file UTNAddTrustServerCA.crt -keystore <domainName>.keystore
      • keytool -import -trustcacerts -alias ComodoUTNServer -file ComodoUTNServerCA.crt -keystore <domainName>.keystore
      • keytool -import -trustcacerts -alias essentialSSL -file essentialSSLCA.crt -keystore <domainName>.keystore
    • For Entrust certificates
      • keytool -import -alias Entrust_L1C -keystore <keystore-name.keystore> -trustcacerts -file entrust_root.cer
      • keytool -import -alias Entrust_2048_chain -keystore <keystore-name.keystore> -trustcacerts -file entrust_2048_ssl.cer
      • keytool -import -alias tomcat -keystore <keystore-name.keystore> -trustcacerts -file <domain-name.cer>
    • For Thawte certificates

      Purchased directly from Thawte

      • keytool -import -trustcacerts -alias tomcat -file <certificate-name.p7b> -keystore <keystore-name.keystore>

      Purchased through the Thawte reseller channel

      • keytool -import -trustcacerts -alias thawteca -file <SSL_PrimaryCA.cer> -keystore <keystore-name.keystore>
      • keytool -import -trustcacerts -alias thawtecasec -file <SSL_SecondaryCA.cer> -keystore <keystore-name.keystore>
      • keytool -import -trustcacerts -alias tomcat -file <certificate-name.cer> -keystore <keystore-name.keystore>

Note: If you are receiving certificates from a CA not in the above list, contact your CA to get the commands required to add their certificates to the keystore.
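
A check worth running once Step 4 is done, added here as an example (not ManageEngine's code): the Python function below parses the text printed by keytool -list -v -keystore <domainName>.keystore and reports whether the tomcat entry still holds only the self-signed certificate from Step 2, lacks the CA chain, or is missing the expected host name in its SAN. The two sample listings, the host name and the CA name are constructed for the example.

```python
import re

# Constructed, trimmed `keytool -list -v` output after Step 4 (names are made up).
SIGNED = """\
Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=dsp01.example.com, OU=IT, O=Example Corp, C=US
Issuer: CN=Example Internal CA
SubjectAlternativeName [
  DNSName: dsp01
  DNSName: dsp01.example.com
]
Certificate[2]:
Owner: CN=Example Internal CA
Issuer: CN=Example Internal CA
"""

# The same keystore straight after Step 2: only the self-signed key pair.
UNSIGNED = """\
Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=dsp01.example.com, OU=IT, O=Example Corp, C=US
Issuer: CN=dsp01.example.com, OU=IT, O=Example Corp, C=US
"""

def check_keystore(listing, hostname, alias="tomcat"):
    """Return the problems found for the server entry (empty list = none)."""
    blocks = re.split(r"(?m)^Alias name: ", listing)[1:]
    entries = {n.strip(): b for n, _, b in (x.partition("\n") for x in blocks)}
    if alias not in entries:
        return [f"alias {alias} not found"]
    body, problems = entries[alias], []
    leaf = body.split("Certificate[2]:")[0]  # first certificate = server cert
    if "Entry type: PrivateKeyEntry" not in body:
        problems.append("no private key under this alias")
    chain = re.search(r"Certificate chain length: (\d+)", body)
    if not chain or int(chain.group(1)) < 2:
        problems.append("CA chain not imported")
    owner = re.search(r"(?m)^Owner: (.*)$", leaf)
    issuer = re.search(r"(?m)^Issuer: (.*)$", leaf)
    if owner and issuer and owner.group(1) == issuer.group(1):
        problems.append("certificate is self-signed")
    if hostname.lower() not in re.findall(r"dnsname: (\S+)", leaf.lower()):
        problems.append("hostname missing from SAN")
    return problems
```

To use it on a real keystore, save the keytool -list -v output to a text file and pass its contents as the first argument.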

Step 5: Bind the certificates to DataSecurity Plus

The steps below describe how to configure the DataSecurity Plus server to use the keystore with your SSL certificate.

  • Navigate to Admin > General Settings > Connection.
  • Select Enable SSL port [https], and enter the port number (default: 9163) you plan on using for DataSecurity Plus' SSL connection.
  • Click Save, and restart DataSecurity Plus.
  • Copy the <domainName>.keystore file from the <installation directory>\ManageEngine\DataSecurity Plus\jre\bin folder, and save it in the <installation directory>\ManageEngine\DataSecurity Plus\conf folder.
  • Open the server.xml file located in <installation directory>\ManageEngine\DataSecurity Plus\conf using a text editor, and navigate to the last connector tag.
  • Set the value of keystoreFile to ./conf/<domainName>.keystore and the value of keystorePass to the password given during keystore creation.
  • Save the server.xml file, and close it.
  • Restart DataSecurity Plus (Start > All Programs > DataSecurity Plus > Start DataSecurity Plus) for the changes to take effect, and then launch the DataSecurity Plus client.