Connection settings

1. Connection settings

Under Connection settings, you can configure the connection type and session properties.

1.1.Connection type

By default, DataSecurity Plus uses the port 8800 for HTTP and port 9163 for HTTPS. To change these ports, enter the desired port number in the respective field, click Save, and restart the DataSecurity Plus server.

In both the trial and Free editions, you can choose either HTTP or HTTPS. However, in the Professional edition, it is mandatory to select HTTPS as the connection type to secure data transfers between the users’ web browser and the DataSecurity Plus server.

Configuring SSL

To enable HTTPS connection, you must enable and apply a Secure Sockets Layer (SSL) certificate. DataSecurity Plus provides a default SSL certificate. However, we strongly recommend uploading your own SSL certificate for maximum security.

The steps to apply an SSL certificate vary depending on whether you already have a signed SSL certificate.

• If you already have an SSL certificate, skip ahead to step C.
• If you do not have an SSL certificate yet, follow steps A, B, and C.

A. Generate a certificate signing request (CSR) from DataSecurity Plus

• Log in to the DataSecurity Plus web console with an account that has administrative privileges.
• Navigate to Admin Console > General Settings > Connection, and click the Connection Settings tab.
• Select DataSecurity Plus Portal (https) as the Connection Type and enter the port number you plan on using for DataSecurity Plus.
• Click Apply SSL Certificate next to Upload or Generate SSL Certificate.
• On the next page, select Generate Certificate.
• Provide the required details as follows:

  Parameter	Description
  Common Name	Enter the name of the server on which DataSecurity Plus is running.
  SANs	Enter the names of the additional hosts (sites, IP addresses, etc.) that are to be protected by the SSL certificate.
  Organizational Unit	Enter the department name that is to appear on the certificate.
  Organization	Enter the legal name of your organization.
  City	Enter the city name as shown in your organization’s registered address.
  State/Province	Enter the state/province as shown in your organization’s registered address.
  Country Code	Enter the two-letter code of the country in which your organization is located.
  Password	Enter a password that is at least six characters long.
  Validity (In Days)	Enter the number of days for which the certificate should be valid. If no value is provided, it will be set to 90 days.
  Public Key Length (In Bits)	Enter the public key length. The larger the size is, the stronger the key will be. The default size is 1,024 bits, and the size can be increased only in multiples of 64.

• Click Generate CSR.
  Note:

  • If you plan to use a self-signed certificate, click Generate and Apply Self-Signed Certificate. This will create the SSL certificate and bind it to DataSecurity Plus to finish enabling HTTPS. Otherwise, proceed to the next step.
  • For the steps to manually create a CSR file, refer to the manual SSL configuration guide.
• The generated CSR can be downloaded by clicking Download CSR on the pop-up. Alternatively, the created CSR file can be found in the following folder: <installation directory>\ManageEngine\DataSecurity Plus\jre\bin.

B. Submit it to your certificate authority (CA) for signing

If you are using an external CA, contact them to get the commands required to receive signed certificates. If you want it from Microsoft Certificate Services, follow the steps below:

• Connect to Microsoft Certificate Services by going to https://<servername>/certsrv.
• Click Request a certificate > advanced certificate request > Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.
• Open the generated CSR file using a text editor, copy the content, and paste it under Saved Request.
• Select Web Server as the Certificate Template and click Submit.
• Click the Download certificate chain link and download the issued PKCS #7 Certificate file to the <installation directory>\ManageEngine\DataSecurity Plus\jre\bin folder. The downloaded certificate will be in P7B format.
• Click Home in the top-right corner and click Download a CA certificate, certificate chain, or CRL.
• Click Download CA certificate to download the root certificate in CER format.

C. Upload the signed certificate to DataSecurity Plus

• Log in to the DataSecurity Plus web console with an account that has administrative privileges.
• Navigate to Admin Console > General Settings > Connection, and click the Connection Settings tab.
• Select DataSecurity Plus Portal (https) as the Connection Type and enter the port number you plan on using for DataSecurity Plus.
• Click Apply SSL Certificate next to Upload or Generate SSL Certificate.
• On the next page, select Apply Certificate.
• There are two upload options you can choose from:
  • Option 1—ZIP Upload: If your CA has sent you a ZIP file, click ZIP Upload > Browse and select your target file. If your private key is password-protected, then enter the password in the Private Key Passphrase field.
  • Option 2—Individual Certificate: If your CA has sent you just one certificate file (PFX or PEM format), click Individual Certificate. Next to Upload Certificate, click Browse and select your certificate. Then, next to Upload CA Bundle, click Browse and select your CA bundle files. Finally, provide your Certificate Password.

Note: If your CA has sent the certificate content, paste the content in a text editor and save it in a CER, CRT, or PEM format. Then, upload the file by following the steps for Option 2.

• Click Apply.
• Restart the DataSecurity Plus server for the changes to take effect.

Note: You can enable the Encrypt Keystore Password option and enter the password that you used to install the SSL certificate to prevent the password from being stored in clear text format in the server.xml file.

Configuring TLS versions and cipher suites

Once the SSL certificate is applied, you can modify the TLS versions and cipher suites by following these steps:

• Click Advanced Settings.
• Select the desired TLS versions from the TLS Versions drop-down menu. DataSecurity Plus supports TLSv1, TLSv1.1, and TLSv1.2.
• Select your desired cipher suites from the Cipher Suites drop-down menu. DataSecurity Plus supports the following cipher suites:
  • TLS_AES_256_GCM_SHA384
  • TLS_AES_128_GCM_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
  • TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
  • TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_DHE_DSS_WITH_AES_256_CBC_SHA
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_DHE_DSS_WITH_AES_128_CBC_SHA
  • TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
  • TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
  • TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
  • TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_AES_256_GCM_SHA384
  • TLS_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA384
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA

1.2. Session properties

This setting allows administrators to define how long a user's session can be inactive in their browser before they are automatically logged out of the DataSecurity Plus web console. By default, sessions will time out after 30 minutes of inactivity. Any changes to this duration will be reflected only after the DataSecurity Plus server is restarted.

2. Proxy settings

To configure DataSecurity Plus to use a proxy server for connecting to the internet, follow the steps below:

• Login to the DataSecurity Plus web console.
• Go to Admin Console > Admin > General Settings > Connection, and click the Proxy Settings tab.
• Enable the Proxy Server Settings checkbox.
• Specify the Server Name or IP Address of your proxy server.
• If your environment has an authentication-enabled proxy setup, check Authentication and type in the Username and Password.
• Click the Save button.

3. NAT settings

When endpoint devices need to access the DataSecurity Plus central server through the internet, you can configure a network address translation (NAT) device. This will map your internal IP address to a public IP address or fully qualified domain name (FQDN), which the devices can use to access the central server.

Configure the NAT device by following the steps below:

• Log in to the DataSecurity Plus web console.
• Navigate to Admin Console > General Settings > Connection, and click the NAT tab.
• The details of DataSecurity Plus' Central Server (Private IP Address and Ports) are prefilled based on your current configuration.
• Enter the public FQDN and port number of the NAT device under NAT Device (Public FQDN and Ports).
• Click Save.

4. Secure Gateway Server settings

A Secure Gateway Server provides an additional layer of security when handling communications between your central server and endpoint devices. It prevents the central server from being exposed directly to the internet by acting as an intermediary between the central server and the endpoint devices. When the agent tries to contact the central server, the Secure Gateway Server receives all the communications and redirects it to the central server.

Note: NAT settings need to be configured to enable Secure Gateway Server.

Installing the proxy server application

• Download and install the DataSecurity Plus proxy server application.
• Enter the central server name and port number in the pop-up tab that opens after installation.
• Provide the required details for local or AD authentication.
• Click Validate.
• Wait until the server certificates are installed.
• Click Finish to close the window.

The Secure Gateway Server will start running. Check the status of the connection by following these steps:

• Log in to the DataSecurity Plus web console.
• Navigate to Admin Console > General Settings > Connection, and click the Secure Gateway Server tab.

Changing the port number of the Secure Gateway Server

Follow the steps below to change the port number of the Secure Gateway Server:

• Log in to the DataSecurity Plus web console.
• Navigate to Admin Console > General Settings > Connection, and click the NAT tab.
• Change the port number of the NAT Device to your required value.
• Navigate to the installation folder of the DataSecurity Plus proxy server application and go the conf folder.
• Open the websettings.conf file in notepad.
• Find fs.https.port within the file and change the port number here as well. Double-check to ensure that the port numbers match.
• Save and close the file.
• Restart the DataSecurity Plus proxy server to apply the changes.
• Go to the Secure Gateway Server tab and click Test Connection to check whether the connection is successful.