Help Center
Quick Start
- Overview
- System requirements
- Minimum privileges required
- Default port configuration
- Installing DataSecurity Plus
- Uninstalling DataSecurity Plus
- Starting DataSecurity Plus
- Launching DataSecurity Plus
- Configuring your solution
- Licensing details
- Applying a license
File Auditing
- About File Auditing
- Domain configuration
- File server configuration
- Failover cluster configuration
- NetApp server configuration
- Workgroup configuration
Setting up File Audit
Dashboard
Reports
Alerts
Configuration
Storage Configuration
File Analysis
- About File Analysis
- On-Demand Reports
Setting up File Analysis
Dashboard
Reports
Alerts
Configuration
Data Risk Assessment
- About Data risk assessment
Setting up Data risk assessment
Dashboard
Reports
Ownership analysis
Configuration
Endpoint DLP
- About Endpoint DLP
Setting up Endpoint DLP
Reports
Alerts
Prevention policies
Configuration
Cloud Protection
- About Cloud Protection
- Gateway Server Configuration
- Certificate Authority Configuration
- Gateway Configuration in Endpoint
- Manage Certificate Trust Store
- Threat Analytics Database
- Manage Banned Applications
- Manage Authorized Applications
- Gateway Server Failover
- Two-way SSL configuration
- Global Insight
- Application Insight
- User Insight
- Shadow Application Insight
- Banned Application Insight
- Cloud App Discovery
- Cloud Access Reports
- Application Insights
- Shadow Cloud Application Reports
- Banned Cloud Application Reports
- File Upload & Download Reports
Setting up Cloud Protection
Dashboard
Reports
Control Policies
Storage Configuration
Administrative settings
- Technician configuration
- Notification filters
- Manage agent
- Agent settings
- SIEM integration
- Business hours configuration
- Two-factor authentication
- Workgroup configuration
- Security policy
Email configuration
General settings
- Connection
- Personalize
- DataSecurity Plus Server
- Privacy Settings
- Disk utilization
- Schedule Retention Policy
Policy Configuration
Release notes
2024
2023
2022
2021
2020
2019
2018
2017
2016
2015
Troubleshooting
- HTTP communication failure
- Dormant DataEngine
- Secure Gateway server failure
- RPC communication failure
- Known issues and limitations
- Known errors and solutions
Guides
- Agent document
- How to Migrate/Move DataSecurity Plus
- How to apply SSL certificate
- How to automate DataSecurity Plus database backup
- How to set alerts in DataSecurity Plus
- How to secure your DataSecurity Plus installation
SSL configuration guide
Note: Apply your SSL certificate from the product console by following the steps given in the Connection settings help page.
Applying Secure Sockets Layer (SSL) certificates to DataSecurity Plus ensures that all data transfers between users’ web browsers and the DataSecurity Plus server remain secure. This guide explains the steps to enable SSL for DataSecurity Plus.
Steps to enable SSL:
- Create a keystore file
- Create and submit a certificate signing request
- Request a signed certificate from a certificate authority
- Binding the SSL certificate to DataSecurity Plus
- Instructions for common certificate types
1. Create a keystore file
A keystore is a repository that contains the public and private keys required for encryption and decryption of data once a connection is established between the client and the server.
The steps below detail the procedure to create a keystore:
- Open Command Prompt from <installation_directory>\ManageEngine\ DataSecurity Plus\jre\bin.
- Then, execute either of the below commands in Command Prompt to create the Tomcat-specific certificate keystore file, which will be referred to as <domainName>.keystore in the rest of this document.
- Command 1: To create a keystore without a Subject Alternative Name (SAN):
- Command 2: Some browsers, like Google Chrome and Microsoft Edge, require a SAN. To create a keystore with SAN, execute the below command:
keytool -genkey -alias tomcat -keypass <your key password> -keyalg RSA -validity 1000 -keystore <domainName>.keystore
keytool -genkey -alias tomcat -keypass <your key password> -keyalg RSA -validity 1000 -keystore <domainName>.keystore -ext SAN=dns:servername.domainName
- Replace <your key password> with a password of your choice, and <domainName> with the name of your domain.
- When prompted, enter a password for the keystore.
- Provide information based on the following guidelines:
SNo | Question | Answer |
1 | What is the first and last name? | Provide the NetBIOS (if the DNS domain name is test.example.com, the NetBIOS domain name is test) or FQDN name (an FQDN for a hypothetical mail server might be mymail.example.com. The host name is mymail, and the host is located within the domain example.com) of the server on which DataSecurity Plus is running. |
2 | What is the name of your organizational unit? | Enter the department name that you want to appear in the certification. |
3 | What is the name of your organization? | Provide the legal name of your organization. |
4 | What is the name of your city? | Enter the city name in your organization’s registered address. |
5 | What is the name of your state/province? | Enter the state or province in your organization’s registered address. |
6 | What is your country code? | Provide the two-letter code of the country your organization is located in. |
2. Create and submit a certificate signing request
The .csr file is temporary and should be submitted to a certificate authority (CA) to receive CA-signed certificate files. The following steps detail the procedure to create a .csr file.
2.1 Creating a certificate signing request (CSR)There are two methods to create a CSR.
Method 1: Creating a .csr file from the installation location:
- Open Command Prompt.
- From the location <installation directory>\ManageEngine\DataSecurity Plus\jre\bin, execute the following command:
keytool -certreq -alias tomcat -keyalg RSA -keystore <domainName>.keystore -file <domainName>.csr
Method 2: If you use Google Chrome, Microsoft Edge, or other browsers that require a CSR with an SAN, follow the steps below:
- Open Command Prompt.
- Execute the following command:
keytool -certreq -alias tomcat -keyalg RSA -ext SAN=dns:server_name,dns:server_name.domain.com,dns:server_name.domain1.com -keystore <domainName>.keystore -file <domainName>.csr
In the above commands, replace <domainName> with the name of your domain, and provide the appropriate Subject Alternative Names.
2.2 Submitting the CSR to your CAThe created CSR file can be found at <installation directory>\ManageEngine\DataSecurity Plus\jre\bin. Submit this file to your CA.
3. Request a signed certificate from a certificate authority
The steps below provide instructions on how to connect to a CA, submit the CSR, procure the SSL certificate, and import it.
3.1 From Microsoft Certificate Services (internal CA)For an internal CA:
- Connect to Microsoft Certificate Services, and click Request a certificate.
- Click Advanced certificate request, and then select Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.
- Open the .csr file using a text editor, copy the content, and paste it under Saved Request. Then, select Web Server as the Certificate Template, and click Submit.
- Click the Download Certificate Chain link to download the issued PKCS #7 Certificate types the <installation directory>\ManageEngine \DataSecurity Plus\jre\bin folder. The downloaded certificate will be in .p7b format.
- Click Home in the top-right corner, and click Download a CA certificate, chain certificate or CRL.
- Click Download CA certificate to download and save the root certificate in .cer format
- Copy the .cer file to the <installation directory>\ManageEngine \DataSecurity Plus\jre\bin location.
- Navigate to <installation directory>\ManageEngine\DataSecurity Plus\jre\bin using Command Prompt, and execute the below query to import the certificate into your .keystore file:
Keytool –import –trustcacerts –alias tomcat –file certnew.p7b –keystore <keystore_name> .keystore
- Replace <keystore_name> with the name of your keystore.
- In the same location, execute the below query to add the internal CA's root certificate to the list of trusted CAs in the Java cacerts file:
keytool -import -alias <internal CA_name> -keystore ..\lib\security\cacerts -file certnew.cer
Note: Open the certnew.cer to get the internal CA name, and provide changeit as the keystore password when prompted.
3.2 From an external CAThe following steps describe how to request and import certificates signed by some common vendors.
- To request a certificate from an external CA, submit the CSR to that CA.
- Unzip the certificates returned by your CA, and save them in the <installation directory> \ManageEngine\DataSecurity Plus\jre\bin folder.
- Open Command Prompt and navigate to the <installation directory> \ManageEngine\DataSecurity Plus\jre\bin folder.
- Run the commands listed under your CA:
- For GoDaddy certificates
- keytool -import -alias root -keystore <domainName>.keystore -trustcacerts -file gd_bundle.crt
- keytool -import -alias cross -keystore <domainName>.keystore -trustcacerts -file gd_cross.crt
- keytool -import -alias intermed -keystore <domainName>.keystore trustcacerts -file gd_intermed.crt
- keytool -import -alias tomcat -keystore <domainName>.keystore -trustcacerts -file<domainName>.crt
- For Verisign certificates
- keytool -import -alias intermediateCA -keystore <domainName>.keystore -trustcacerts -file <your intermediate certificate.cer>
- keytool -import -alias tomcat -keystore <domainName>.keystore trustcacerts -file <domainName> .cer
- For Comodo certificates
- keytool -import -trustcacerts -alias root -file AddTrustExternalCARoot.crt -keystore <domainName>.keystore
- keytool -import -trustcacerts -alias addtrust -file UTNAddTrustServerCA.crt -keystore <domainName>.keystore
- keytool -import -trustcacerts -alias ComodoUTNServer -file ComodoUTNServerCA.crt - keystore <domainName>.keystore
- keytool -import -trustcacerts -alias essentialSSL -file essentialSSLCA.crt -keystore <domainName>.keystore
- For Entrust certificates
- keytool -import -alias Entrust_L1C -keystore <keystore-name.keystore > -trustcacerts -file entrust_root.cer
- keytool -import -alias Entrust_2048_chain -keystore <keystore-name.keystore > trustcacerts -file entrust_2048_ssl.cer
- keytool -import -alias -keystore <keystore-name.keystore > -trustcacerts -file <domain-name.cer>
- For Thawte certificates
Purchased directly from Thawte
- keytool -import -trustcacerts -alias tomcat -file<certificate-name.p7b>-keystore<keystore-name.keystore>
Purchased through the Thawte reseller channel
- keytool -import -trustcacerts -alias thawteca -file <SSL_PrimaryCA.cer > -keystore<keystore-name.keystore>
- keytool -import -trustcacerts -alias tomcat -file <SSL_SecondaryCA.cer > trustcacerts -file entrust_2048_ssl.cer
- keytool -import -trustcacerts -alias tomcat -file <certificate-name.cer> -keystore <keystore-name.keystore>
- For GoDaddy certificates
Note: These instructions might change depending on the certificates issued by the CA. If you are receiving certificates from a CA not listed above, contact your CA to get the commands required to add their certificates to the keystore.
4. Binding the SSL certificate with DataSecurity Plus
The steps below describe how to configure the DataSecurity Plus server to use the keystore with your SSL certificate.
4.1 Define the SSL port in the DataSecurity Plus consoleFollow the steps below to define the HTTPS port that will be used by DataSecurity Plus:
- Log in to the DataSecurity Plus console with an account that has administrative privileges.
- From the applications drop-down menu, select Admin and navigate to General Settings > Connection.
- Select DataSecurity Plus Portal (HTTPS) as the Connection Type. Then, enter the chosen port number you plan on using for DataSecurity Plus, and save the changes.
Note: 9163 is the default HTTPS port number used by DataSecurity Plus.
- Restart DataSecurity Plus.
Follow the steps below to install the SSL certificate:
- Copy the <domainName>.keystore file from the <installation directory> \ManageEngine\DataSecurity Plus\jre\bin folder, and save it to the <installation directory>\ManageEngine\DataSecurity Plus\conf folder.
- Open the server.xml file located in <installation directory>\ManageEngine \DataSecurity Plus\conf using a text editor, and navigate to the last connector tag.
- Replace keystoreFile with ./conf/<domainName>.keystore and keystorePass with the password given during keystore creation.
- Save the server.xml file, and close it.
- Restart DataSecurity Plus (Start > All Programs > DataSecurity Plus > Start DataSecurity Plus) for the changes to take effect, then launch the DataSecurity Plus client.
5. Instructions for common certificate types
This section provides the steps to configure SSL using .p7b and .pfx certificate file types.
5.1 Installing a .p7b certificateMost CAs will provide certificates with the extension .p7b. To install this type of file, follow the steps below:
- Double-click this file to open a console that will list all the required certificates.
- Right-click the certificates and navigate to All tasks > Export.
- The Certificate Export Wizard dialog will pop up. Click Next.
- Select the export file format as Base-64 encoded X.509 (.cer). Click Next.
- Specify the name of the file you want to export. Click Next.
- Review your settings, and click Finish. Then, click OK.
- Add this certificate file to the keystore using the steps and commands provided by your CA.
- Continue to Section 4.
Once you've executed section 4.1, follow the below steps to install a certificate with the extension .pfx:
- Stop the DataSecurity Plus service.
- Copy the .pfx file to the <installation directory>\ManageEngine\DataSecurity Plus\conf folder.
- Open the server.xml file located in <installation directory>\ManageEngine \DataSecurity Plus\conf using a text editor, and navigate to the last connector tag.
- Replace keystoreFile with the .pfx file's name and enter keystoreType="pkcs12" after the file name. Replace keystorePass with the password for the .pfx file.
- Save the server.xml file, and close it.
- Restart DataSecurity Plus (Start > All Programs > DataSecurity Plus > Start DataSecurity Plus) for the changes to take effect, then launch the DataSecurity Plus client.