Trend Micro Deep Security Manager 9 (or 8): Replacing the SSL Certificate

Trend Micro Deep Security Manager (DSM) is finicky when it comes to SSL. It uses the Tomcat web server, and its associated Java certificate keystore methodology (which I don’t understand very well), so it’s nontrivial to work with compared to most servers when it comes to adding or replacing a signed certificate.
 
With Deep Security Manager, to give domain users administration rights, you must replace the default self-signed cert with a CA-signed certificate. There’s not a lot of good documentation on the web that covers this process, so I decided to write this up after about the fifth time that I’ve grunted my way through the process. As always, I hope you find this helpful.
 
Assumption: Deep Security Manager is installed on a Windows server VM.
 
Step By Step
 
  1. Take a snapshot of the Deep Security manager VM and name it “Pre-SSL” or something similar.
  2. RDP into the Deep Security Manager VM. Open an elevated command prompt (Start > CMD > right-click and select Run as Administrator).
  3. Create a folder called c:\certs.
  4. Stop the Deep Security Manager service using the command: net stop "Trend Micro Deep Security Manager" and check to make sure that the service has stopped. It can take a full minute or more to stop.
  5. Change to the Deep Security Manager directory. The default is c:\Program Files\Trend Micro\Deep Security Manager.
  6. Determine the Java keystore password by issuing the command: installfiles\genkey.bat. The keystore password is the string immediately following the ‘-storepass’ parameter. Its format will be something like this: bEwzWtCe.
  7. In the following steps, replace “bEwzWtCe” with the password you captured in step 6.
  8. Issue the command: keytool -delete -storepass bEwzWtCe -alias tomcat -keystore .keystore
  9. Issue the command: keytool -genkey -storepass bEwzWtCe -alias tomcat -keyalg RSA -keystore .keystore
  10. In the dialog that follows, the first prompt is for your name. Don’t use your name—use the FQDN of the Deep Security Manager machine. For example: trend01.acme.local. Complete the other fields with the appropriate customer information. For OU, you can use “IT,” the customer’s full company name, or something else, if they have a preference.
  11. Issue the command: keytool -certreq -storepass bEwzWtCe -keyalg RSA -alias tomcat -file c:\certs\certreq.txt -keystore .keystore
  12. On a domain-joined machine, export the root certificate using the Certificates snap-in (for the Local Computer) in MMC. Export the cert using the default settings. Name it root.cer and copy it to the c:\certs directory on the Deep Security Manager machine.
  13. Issue the command: keytool -import -alias root -storepass bEwzWtCe -trustcacerts -file c:\certs\root.cer -keystore .keystore
     When prompted, type “yes” to accept the certificate into the keystore.
  14. Generate the certificate for the Deep Security Manager, either using the customer’s Windows domain CA (preferred) or a trusted public certificate authority. Use a Web Server certificate template.
  15. Download the certificate chain (not just the cert) in DER (p7b) format. Save the file as dsmcertnew.p7b. Copy it to the c:\certs directory on the Deep Security Manager machine.
  16. Issue the command: keytool -import -alias tomcat -storepass bEwzWtCe -file c:\certs\dsmcertnew.p7b -keystore .keystore
     When prompted, type “yes” to accept the certificate into the keystore.
  17. Start the Deep Security Manager service using the command: net start "Trend Micro Deep Security Manager"
  18. Check to make sure the service has started.
  19. Log into Deep Security Manager and verify that the signed certificate is in use. Use the FQDN of the Deep Security Manager when connecting to it with a browser. You shouldn’t receive a certificate error, and if you check the certificate chain (use the lock icon in the browser bar to get to it), you should see the certificate chain with the correct CA and the FQDN of the DSM.
  20. If all goes well, delete the snapshot you took in step 1. If not, revert to the snapshot and come back to it another time.
You can now go about the process of connecting the Deep Security Manager to your domain to import users under Administration > Users > Synchronize with Directory. Use TLS (LDAPS on port 636) unless it isn’t enabled on the domain controllers.
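The keytool steps above, wrapped in a PowerShell script as an added example (this is not code from the original post or from Trend Micro). It is split into the two phases that the CA hand-off (steps 12–15) separates: `-Phase Request` covers steps 4–11 and `-Phase Install` covers steps 13–19, with the service left stopped in between exactly as the post does. Assumptions not on the page: keytool is on PATH, the console listens on TCP 4119, the password in genkey.bat is a literal that can be read from the file (rather than captured from running it), and the Org/OU/Country values are placeholders. Run it from an elevated PowerShell session on the DSM server.

```powershell
# Added example: PowerShell wrapper for the keytool procedure in the post above.
# Assumptions (not from the post): keytool on PATH, console port 4119, and the
# -storepass value present as a literal in installfiles\genkey.bat.
[CmdletBinding()]
param(
    [ValidateSet('Request','Install')] [string]$Phase = 'Request',
    [string]$DsmHome = 'C:\Program Files\Trend Micro\Deep Security Manager',
    [string]$CertDir = 'C:\certs',
    [string]$Fqdn    = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName,
    [string]$Org     = 'Acme Corp',   # placeholder value (constructed)
    [string]$OrgUnit = 'IT',          # placeholder value (constructed)
    [string]$Country = 'US',          # placeholder value (constructed)
    [string]$Keytool = 'keytool',     # assumption: keytool is on PATH, as in the post
    [int]$ConsolePort = 4119          # assumption: default DSM console port
)
$ErrorActionPreference = 'Stop'
$ServiceName = 'Trend Micro Deep Security Manager'
$Keystore    = Join-Path $DsmHome '.keystore'

function Invoke-Keytool {
    # Run keytool with an explicit argument list and fail fast on a non-zero exit.
    param([string[]]$KeytoolArgs)
    & $Keytool @KeytoolArgs
    if ($LASTEXITCODE -ne 0) { throw "keytool $($KeytoolArgs[0]) failed (exit $LASTEXITCODE)" }
}

function Get-KeystorePassword {
    # Step 6: the value after -storepass in installfiles\genkey.bat. Reading the
    # file instead of running it (assumption: the password is a literal in it)
    # avoids re-executing the batch file against the keystore on the second phase.
    # An empty genkey.bat, as reported in the comments, yields no match.
    $genkey = Join-Path $DsmHome 'installfiles\genkey.bat'
    $hit = Select-String -Path $genkey -Pattern '-storepass\s+(\S+)' | Select-Object -First 1
    if (-not $hit) { throw "No -storepass found in $genkey; the file may be empty." }
    return $hit.Matches[0].Groups[1].Value
}

function New-DsmCsr {
    # Steps 4, 8, 9 and 11: stop the service, replace the tomcat key pair with one
    # whose CN is the FQDN (not the IP), and write the CSR for the CA.
    $pw = Get-KeystorePassword
    New-Item -ItemType Directory -Path $CertDir -Force | Out-Null
    Stop-Service -Name $ServiceName
    (Get-Service -Name $ServiceName).WaitForStatus('Stopped', [TimeSpan]::FromMinutes(3))
    Invoke-Keytool @('-delete','-storepass',$pw,'-alias','tomcat','-keystore',$Keystore)
    # -dname replaces the interactive prompts of step 10; -keypass keeps the key
    # password equal to the store password, which Tomcat expects for this keystore.
    Invoke-Keytool @('-genkey','-storepass',$pw,'-keypass',$pw,'-alias','tomcat',
        '-keyalg','RSA','-keysize','2048','-keystore',$Keystore,
        '-dname',"CN=$Fqdn, OU=$OrgUnit, O=$Org, C=$Country")
    $csr = Join-Path $CertDir 'certreq.txt'
    Invoke-Keytool @('-certreq','-storepass',$pw,'-alias','tomcat','-file',$csr,'-keystore',$Keystore)
    Write-Host "CSR written to $csr. Submit it to the CA (Web Server template), then save"
    Write-Host "root.cer and the p7b chain as dsmcertnew.p7b in $CertDir and re-run with -Phase Install."
}

function Install-DsmCert {
    # Steps 13, 16 and 17: import the root and the issued chain, then start the service.
    # -noprompt answers the "trust this certificate?" question the post answers with "yes".
    $pw = Get-KeystorePassword
    Invoke-Keytool @('-import','-noprompt','-trustcacerts','-alias','root','-storepass',$pw,
        '-file',(Join-Path $CertDir 'root.cer'),'-keystore',$Keystore)
    Invoke-Keytool @('-import','-noprompt','-alias','tomcat','-storepass',$pw,
        '-file',(Join-Path $CertDir 'dsmcertnew.p7b'),'-keystore',$Keystore)
    Start-Service -Name $ServiceName
    (Get-Service -Name $ServiceName).WaitForStatus('Running', [TimeSpan]::FromMinutes(3))
}

function Test-DsmCertificate {
    # Step 19 without a browser: open a TLS session to the console and report whether
    # the presented leaf names the FQDN and chains to a root this machine trusts.
    $tcp = New-Object System.Net.Sockets.TcpClient($Fqdn, $ConsolePort)
    $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }  # validated below
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
    try {
        $ssl.AuthenticateAsClient($Fqdn)
        $leaf  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $dns   = $leaf.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
        [pscustomobject]@{
            Subject      = $leaf.Subject
            Issuer       = $leaf.Issuer
            NotAfter     = $leaf.NotAfter
            NameMatches  = ($dns -ieq $Fqdn)
            SelfSigned   = ($leaf.Subject -eq $leaf.Issuer)
            ChainTrusted = $chain.Build($leaf)   # uses this machine's trusted root store
        }
    } finally { $ssl.Dispose(); $tcp.Dispose() }
}

switch ($Phase) {
    'Request' { New-DsmCsr }
    'Install' { Install-DsmCert; Test-DsmCertificate | Format-List }
}
```

The final check is the useful part for troubleshooting: a result of `SelfSigned = True` with `ChainTrusted = False` means the original install certificate is still being served (the situation described in the comments), while `NameMatches = False` means the CN or SAN does not match the name you are connecting with, which is what produces the browser warning in step 19.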
 

About virtualrush

CCIE #15025, VCP5, many certifications in Cisco, VMware, NetApp, Citrix, and others. I work for a midsize technology integrator.

7 Responses to Trend Micro Deep Security Manager 9 (or 8): Replacing the SSL Certificate

  1. Mohamed says:

    Great work Rus.

  2. Jon Overland says:

    Hi, thank you for your post. However, I have a question for you. We have a 3 tier PKI based on MS. How do you name the aliases in this case?
    Regards, Jon

  3. hermando says:

    Hi,
    Thank you for a useful post. How will you name the aliases when you have a 3 tier PKI?
    Regards Jon

  4. virtualrush says:

    I’m not sure, Jon, but you may find these links helpful. We have a customer with a two-tier PKI who provided these links after working on the DSM certificate issue for some time:
    http://vkumo.com/?p=230
    http://sourceforge.net/projects/keystore-explorer/?source=directory

    Trend Micro may have some additional documentation that is helpful also. Best of luck.

  5. MC says:

    Failed at the first hurdle. GENKEY.BAT is empty and therefore I am unable to retrieve the password. Looks like this file was re-created when applying build 3177.

  6. mpking says:

    Similar question.

    We changed the IP of the box, and it appears the Self Sign Cert at install was set to the IP of the box at the time.

    Any idea on how to change it to the hostname, or even better, a CNAME we’ve designated?
