How Endpoint Protection uses encryption and certificates
Last Updated April 05, 2017
How does a Symantec Endpoint Protection Manager (SEPM) use encryption and certificates to secure communications between itself, other managers and its clients? What types of encryption are used?
About the Server Certificates
Each SEPM server generates its own self-signed certificate, with a 2048-bit RSA key pair and a SHA256RSA (SHA-256 with RSA) signature, during its initial Management Server Configuration Wizard (MSCW) run. The certificate is stored in two locations and two formats on the SEPM file system:
The certificate and private key are stored in a Java KeyStore (JKS) file at C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\etc\keystore.jks
The certificate and private key are also stored separately, in Privacy Enhanced Mail (PEM) format, as C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\apache\conf\ssl\server.crt and C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\apache\conf\ssl\server.key
Client to Manager Communications
Managers host client-to-server communications through the SEPM Apache server. By default, the Apache server listens on TCP port 443 for encrypted HTTPS connections and on TCP port 8014 for unencrypted HTTP connections.
As of SEPM 14, newly installed managers accept HTTPS connections by default. For SEPM 12.1 managers, or for 12.1 to 14 migrations, the SEPM Apache server can be configured to accept TLS-encrypted HTTPS connections by following the steps in Enable HTTPS client-server communications.
Manager to Manager Communications
Managers communicate with other managers through the SEPM Tomcat server over port 8443/HTTPS. The connection is secured using the server.crt and server.key files stored in C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\apache\conf\ssl.
Console to Manager Communications
You can access the SEPM either through the local or remote Java console or through the Web console. The local and remote Java consoles are digitally signed by Symantec using a Symantec-issued code signing certificate. The Web console is served by the SEPM Tomcat server and is accessed over port 8443/HTTPS.
Reporting Server Communications
The SEPM Apache server hosts the Reporting Server site over port 8445/HTTPS. This site also provides the information in the Home, Monitors and Reports tabs of the SEPM Console.
Web Services Communications
The SEPM Tomcat server hosts the Web Services site over port 8446/HTTPS.
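The article states that the Apache and Tomcat listeners are all secured with the same on-disk server.crt. The following PowerShell check, added here and not part of the Symantec article, reads that file and confirms that each HTTPS port listed above (443, 8443, 8445, 8446) presents a certificate with the same thumbprint; it assumes it is run locally on a SEPM host installed at the default path.

```powershell
# Added example (not from the Symantec article): confirm that every SEPM HTTPS
# listener named in the article presents the certificate stored as server.crt.
# Assumes the default install path and that the script runs on the SEPM host.
$Sepm   = 'C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager'
$PemCrt = Join-Path $Sepm 'apache\conf\ssl\server.crt'

# X509Certificate2 reads a PEM-encoded certificate file directly.
$disk = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $PemCrt
$rsa  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($disk)
"On-disk server.crt: subject={0} sigalg={1} keysize={2} thumbprint={3}" -f `
    $disk.Subject, $disk.SignatureAlgorithm.FriendlyName, $rsa.KeySize, $disk.Thumbprint

function Get-RemoteCertificate {
    # Opens a TLS session to $Port and returns the leaf certificate the listener
    # presents. Chain validation is disabled deliberately: the certificate is
    # self-signed, and the aim is to read it and compare it, not to trust it.
    param([string]$ComputerName, [int]$Port)
    $tcp = New-Object System.Net.Sockets.TcpClient($ComputerName, $Port)
    try {
        $accept = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($ComputerName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate
    } finally { $tcp.Close() }
}

# HTTPS ports from the article: Apache 443 (clients), Tomcat 8443 (managers and
# web console), Apache 8445 (reporting), Tomcat 8446 (web services).
foreach ($port in 443, 8443, 8445, 8446) {
    try {
        $live  = Get-RemoteCertificate -ComputerName 'localhost' -Port $port
        $state = if ($live.Thumbprint -eq $disk.Thumbprint) { 'MATCH' } else { 'MISMATCH' }
        "{0,5} {1,-8} {2}" -f $port, $state, $live.Thumbprint
    } catch {
        "{0,5} {1,-8} {2}" -f $port, 'CLOSED', $_.Exception.Message
    }
}
```

A MISMATCH on any port after a certificate change through the Manage Server Certificate wizard means that listener is still serving the old certificate and clients pinned to the new one in sylink.xml will fail to connect.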
Ports, protocols, configuration files, and certificates used for SEPM communications
Managers digitally sign the policy files they host using the public key contained in the keystore.jks. Clients compare the digital signature on policy files to the certificate associated with the manager in their sylink.xml file.
Client Policy Encryption
Managers encrypt policies and content with the Twofish algorithm using the pre-shared key created with the first SEPM in the site. This pre-shared key is not changed when a new certificate is imported into the SEPM through the Manage Server Certificate wizard. Clients decrypt the content using the kcs value in their sylink.xml file.
Imported Document ID: TECH210852