Cisco Email Security Appliance C160 User Manual
Cisco IronPort AsyncOS 7.6 for Email Configuration Guide, OL-25136-01, page 11-28
Chapter 11: Data Loss Prevention
Use the Security Services > RSA Email DLP page to see information on the latest DLP policy updates 
from Enterprise Manager and the Mail Policies > DLP Policy Manager page to enable and disable 
individual DLP policies for the Email Security appliance.
The Email Security appliance will continue to use any existing local RSA Email DLP policies until it 
receives its first package of DLP policies from Enterprise Manager.
Setting Up the Email Security Appliance for RSA Enterprise Manager DLP
There are a number of settings on the Email Security appliance that you need to configure in order for 
Enterprise Manager to work with the Email Security appliance.
Certificates
If you want to use an SSL connection between the Email Security appliance and Enterprise Manager,
you will need one or more certificates and signing keys from a recognized certificate authority to use
for mutual authentication of the two machines. The common name of the certificates should be the
appliance's hostname. Use the Email Security appliance's Network > Certificates page to manage the
certificates and to add the certificate authority to the appliance's list of recognized certificate authorities.
When configuring an SSL connection using the DLP Global Settings, the Enterprise Manager server is
the TLS server and the Email Security appliance is the TLS client.
RSA Enterprise Manager provides a certificate generation tool that you can use to generate a .p12 file 
that you can use as both the server and client certificate for the connection. This tool can only generate 
a single certificate. If you want to use different certificates for the appliance and the Enterprise Manager 
server, you will have to get them from another source.
The directory on the Enterprise Manager server that contains the .p12 certificate file also has a .pem 
certificate file. Import this file onto the Email Security appliance as a certificate authority if you want to 
use the .p12 file.
Step 1   Open a command prompt.

Step 2   Change to C:\Program Files\RSA\Enterprise Manager\etc.

Step 3   Run the following command:

         "%JAVA_HOME%/bin/java" -cp ./emcerttool.jar com.rsa.dlp.tem.X509CertGenerator
         -clientservercasigned -cacn <NAME OF CA PROVIDED DURING INSTALL>
         -cakeystore catem-keystore -castorepass <PASSWORD FOR CA PROVIDED DURING INSTALL>
         -cn <DEVICE_CN> -storepass <DEVICE STORE PASSWORD> -keystore <NAME OF DEVICE STORE>

         A sample command may look like the following:

         "%JAVA_HOME%/bin/java" -cp ./emcerttool.jar com.rsa.dlp.tem.X509CertGenerator
         -clientservercasigned -cacn emc-cisco -cakeystore catem-keystore -castorepass esaem
         -cn ironport -storepass esaem -keystore device-store

         This outputs the device-store.p12 file in the same folder.

Step 4   <NAME OF DEVICE STORE>.p12 is the desired file. Use this file on the Email Security appliance
         as its certificate.
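Before importing the generated .p12 on the appliance, it is worth confirming on the Enterprise Manager server that the file actually has the properties the connection relies on: a private key, a common name equal to the appliance hostname, server and client key usage (the same file serves both roles), and a chain ending at the CA whose .pem will be imported. The following PowerShell script is an added example, not part of the Cisco or RSA documentation; the CA .pem file name is a placeholder, and the paths, password and hostname are assumptions taken from the sample command above.

```powershell
# Added check script (not from the Cisco/RSA documentation). Assumed values below
# come from the sample command; <CA FILE>.pem is a placeholder for the .pem that
# sits next to the .p12 in the Enterprise Manager etc directory.
param(
    [string]$DeviceStore       = "C:\Program Files\RSA\Enterprise Manager\etc\device-store.p12",
    [string]$CaPem             = "C:\Program Files\RSA\Enterprise Manager\etc\<CA FILE>.pem",
    [string]$StorePassword     = "esaem",
    [string]$ApplianceHostname = "ironport"
)
$ns = 'System.Security.Cryptography.X509Certificates'
$cert = New-Object "$ns.X509Certificate2" -ArgumentList $DeviceStore, $StorePassword
$ca   = New-Object "$ns.X509Certificate2" -ArgumentList $CaPem
$problems = @()

# 1. The appliance acts as TLS client, so the store must carry the private key.
if (-not $cert.HasPrivateKey) { $problems += "no private key found in $DeviceStore" }

# 2. The common name must be the appliance's hostname.
$cn = $cert.GetNameInfo('SimpleName', $false)
if ($cn -ne $ApplianceHostname) { $problems += "CN is '$cn', expected '$ApplianceHostname'" }

# 3. Same file for server and client: if an EKU extension exists, both usages must be listed.
$eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1
if ($eku) {
    $usages = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
    foreach ($needed in @('1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2')) {   # serverAuth, clientAuth
        if ($usages -notcontains $needed) { $problems += "extended key usage $needed missing" }
    }
}

# 4. Validity window: an expired or not-yet-valid certificate will fail the handshake.
$now = Get-Date
if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) { $problems += "certificate not valid at $now" }

# 5. The chain must terminate at the CA that will be imported on the appliance.
$chain = New-Object "$ns.X509Chain"
$chain.ChainPolicy.RevocationMode   = 'NoCheck'
$chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'   # CA is not in the Windows store
$chain.ChainPolicy.ExtraStore.Add($ca) | Out-Null
$chain.Build($cert) | Out-Null
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if ($root.Thumbprint -ne $ca.Thumbprint) { $problems += "certificate does not chain to $CaPem" }

if ($problems.Count -eq 0) {
    Write-Output "OK: $DeviceStore (CN=$cn) is ready to import on the Email Security appliance"
} else {
    $problems | ForEach-Object { Write-Output "PROBLEM: $_" }
    exit 1
}
```

Run it on the Enterprise Manager server after Step 3; a non-zero exit code means the file should be regenerated or the CA .pem re-checked before anything is imported on the appliance.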