About securing communications between the Enforce Server and Amazon RDS for Oracle
Last Updated July 10, 2019
You can use Transport Layer Security (TLS) to encrypt all data that is transmitted between the Enforce Server and the Oracle database hosted with Amazon RDS in a three-tier environment. This configuration is supported in both Symantec Data Loss Prevention 15.1 and 15.5.
Complete the following to secure communications between the Enforce Server and the database:
Configure the AWS Oracle RDS Transport Layer Security (TLS) connector.
Configure the AWS Oracle RDS for Secure Sockets Layer (SSL) connection over JDBC.
Configure the server certificate on the Enforce Server.
Verify the AWS Oracle RDS certificate usage.
Configuring Oracle RDS Option Group with SSL
You enable SSL encryption for an Oracle RDS database instance by adding the Oracle SSL option to the option group associated with an Oracle DB instance. You specify the port you want to communicate over using SSL.
Configuring the server certificate on the Enforce Server
After you configure the AWS Oracle RDS Option Group with SSL, you configure the Enforce Server JDBC driver and the server certificate. You configure the JDBC driver to use the Oracle RDS SSL/TLS connection and port, then you configure the server certificate.
Note: The following process assumes that the SSL Option is configured with TCP port 2484.
To configure the server certificate on the Enforce Server:
Locate the Jdbc.properties file at the following location:
C:\Program Files\Symantec\Data Loss Prevention\Enforce Server\15.1\protect\config (for Windows)
Modify the following communication port and connection information:
Update the jdbc.dbalias.oracle-thin line to use TCPS.
Change the port number to 2484. The updated communication port and connection information should display as follows:
jdbc.dbalias.oracle-thin=@(description=(address=(host=[oracle host name])(protocol=tcps)(port=2484))(connect_data=(sid=protect))(security=(SSL_SERVER_CERT_DN="CN=oracleserver")))
The following is an example of what the completed communication port and connection information might look like. The information you use differs based on your system; using the following information as-is may cause the configuration to fail.
Note: The example uses "protect" for the database SID and 2484 for the TLS port.
jdbc.dbalias.oracle-thin=@(description=(address=(host=oracle-rds-dns-name)(protocol=tcps)(port=2484))(connect_data=(sid=protect))(security=(SSL_SERVER_CERT_DN="C=US,ST=Washington,L=Seattle,O=Amazon.com,OU=RDS,CN=oracle-rds-dns-name")))
Add the certificate to the cacerts file that is located on the Enforce Server by completing the following steps:
Copy the Oracle RDS certificate (rds-ca-2015-root.der) file to one of the following locations:
c:\Program Files\Symantec\Data Loss Prevention\Server JRE\1.8.0_181\lib\security (for Windows)
Change the directory by running the following command (based on your OS):
cd c:\Program Files\Symantec\Data Loss Prevention\Server JRE\1.8.0_181\lib\security\ (for Windows)
cd "/opt/Symantec/DataLossPrevention/Server JRE/1.8.0_181/lib/security/" (for Linux)
Insert the certificate into the cacerts file by running the following command as an administrator (for Windows) or as a root user (for Linux):
keytool -import -alias oracleservercert -keystore cacerts -file rds-ca-2015-root.der
Enter the default password when you are prompted: changeit
Confirm that the certificate was added by running the following command (based on your OS):
Verifying the Enforce Server-Oracle RDS database certificate usage
To confirm that the certificates are configured correctly and the Enforce Server is communicating with the Oracle RDS database, log on to the Enforce Server administration console. If you can log on, the Enforce Server and the database are communicating over a secure connection.
If you cannot log on, verify the SSL connection settings in Jdbc.properties, then check the listener status on the Oracle RDS deployment. In the listener status, the TCPS protocol and port 2484 should be in use. If the listener status does not show these values, repeat the procedure for configuring the Oracle RDS Option Group with SSL.
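The following script is an added example, not part of this article or of the Symantec product. It audits the jdbc.dbalias.oracle-thin descriptor described in the configuration steps above and gives the Jdbc.properties check named in the verification section something concrete to run: it parses the Oracle Net connect descriptor and reports a protocol other than tcps, a port other than the SSL option port (2484 here), a missing SID, or a missing SSL_SERVER_CERT_DN whose CN does not match the RDS host. The two properties texts embedded in the script are constructed sample input; run it against the real file by passing the file contents to audit_properties.

```python
"""Audit the jdbc.dbalias.oracle-thin descriptor in Jdbc.properties.

Added example, not code from the article or from the Symantec product. The
properties texts below are constructed samples, not real files.
"""
import re

# Constructed sample: a line following the article's hardened pattern.
SAMPLE_PROPERTIES = """\
# Jdbc.properties (constructed sample)
jdbc.dbalias.oracle-thin=@(description=(address=(host=oracle-rds-dns-name)(protocol=tcps)(port=2484))(connect_data=(sid=protect))(security=(SSL_SERVER_CERT_DN="C=US,ST=Washington,L=Seattle,O=Amazon.com,OU=RDS,CN=oracle-rds-dns-name")))
"""

# Constructed sample: a line still using plain TCP on the default listener port.
PLAIN_TCP_PROPERTIES = """\
jdbc.dbalias.oracle-thin=@(description=(address=(host=oracle-rds-dns-name)(protocol=tcp)(port=1521))(connect_data=(sid=protect)))
"""


def _parse_groups(s, i):
    """Parse consecutive (key=value) groups starting at s[i]; return (dict, next index).
    A value is a nested group list, a double-quoted string, or a bare token.
    Repeated keys (several address entries, for instance) collect into a list.
    """
    result = {}
    while True:
        while i < len(s) and s[i].isspace():
            i += 1
        if i >= len(s) or s[i] != "(":
            return result, i
        eq = s.find("=", i)
        if eq < 0:
            raise ValueError(f"missing '=' near offset {i}")
        key = s[i + 1:eq].strip().lower()
        if not re.fullmatch(r"[\w.]+", key):
            raise ValueError(f"bad key near offset {i}")
        i = eq + 1
        while i < len(s) and s[i].isspace():
            i += 1
        if i < len(s) and s[i] == "(":
            value, i = _parse_groups(s, i)
        elif i < len(s) and s[i] == '"':
            end = s.find('"', i + 1)
            if end < 0:
                raise ValueError("unterminated quoted value")
            value, i = s[i + 1:end], end + 1
        else:
            end = s.find(")", i)
            if end < 0:
                raise ValueError("unterminated bare value")
            value, i = s[i:end].strip(), end
        while i < len(s) and s[i].isspace():
            i += 1
        if i >= len(s) or s[i] != ")":
            raise ValueError(f"unbalanced parentheses near offset {i}")
        i += 1
        if key in result:
            result[key] = result[key] if isinstance(result[key], list) else [result[key]]
            result[key].append(value)
        else:
            result[key] = value


def parse_descriptor(text):
    """Parse an Oracle Net descriptor such as @(description=...) into nested dicts."""
    s = text.strip().lstrip("@")
    tree, i = _parse_groups(s, 0)
    if i != len(s):
        raise ValueError(f"trailing text after descriptor: {s[i:]!r}")
    return tree


def load_dbalias(properties_text, key="jdbc.dbalias.oracle-thin"):
    """Return the raw value of `key` from Java .properties text (first '=' separates key and value)."""
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        k, sep, v = line.partition("=")
        if sep and k.strip() == key:
            return v.strip()
    raise KeyError(f"{key} not found")


def cert_dn_cn(dn):
    """Extract the CN attribute from an X.500 DN string, or None if absent."""
    m = re.search(r"(?:^|,)\s*CN=([^,]+)", dn, re.IGNORECASE)
    return m.group(1).strip() if m else None


def check_descriptor(desc, expected_port=2484):
    """Return a list of findings; an empty list means the descriptor meets the article's requirements."""
    findings = []
    description = desc.get("description")
    if not isinstance(description, dict):
        return ["no (description=...) block"]
    addresses = description.get("address", [])
    addresses = addresses if isinstance(addresses, list) else [addresses]
    if not addresses:
        findings.append("no (address=...) block")
    hosts = set()
    for addr in addresses:
        if not isinstance(addr, dict):
            findings.append("malformed address entry")
            continue
        if str(addr.get("protocol", "")).lower() != "tcps":
            findings.append(f"protocol is {addr.get('protocol', 'missing')}, not tcps: traffic is not encrypted")
        if str(addr.get("port", "")) != str(expected_port):
            findings.append(f"port is {addr.get('port', 'missing')}, not the SSL option port {expected_port}")
        if "host" in addr:
            hosts.add(str(addr["host"]).lower())
    connect_data = description.get("connect_data")
    if not isinstance(connect_data, dict) or not (connect_data.keys() & {"sid", "service_name"}):
        findings.append("connect_data has no sid or service_name")
    security = description.get("security")
    dn = security.get("ssl_server_cert_dn") if isinstance(security, dict) else None
    if not isinstance(dn, str) or not dn:
        findings.append("no security/SSL_SERVER_CERT_DN: the server certificate identity is not checked")
    else:
        cn = cert_dn_cn(dn)
        if cn is None:
            findings.append("SSL_SERVER_CERT_DN has no CN attribute")
        elif cn.lower() not in hosts:
            findings.append(f"SSL_SERVER_CERT_DN CN {cn!r} does not match the address host")
    return findings


def audit_properties(properties_text, expected_port=2484):
    """Load, parse and check the oracle-thin alias from Jdbc.properties text."""
    return check_descriptor(parse_descriptor(load_dbalias(properties_text)), expected_port)


if __name__ == "__main__":
    for label, text in (("hardened", SAMPLE_PROPERTIES), ("plain tcp", PLAIN_TCP_PROPERTIES)):
        findings = audit_properties(text)
        print(f"{label}: " + ("OK" if not findings else "; ".join(findings)))
```

The CN check is the part worth keeping in view: SSL_SERVER_CERT_DN is what makes the Enforce Server reject a server that presents some other certificate trusted by cacerts, so a DN copied from the article's example rather than from your own RDS endpoint certificate is reported as a mismatch rather than silently accepted.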