Trend Micro Deep Security Manager (DSM) is finicky when it comes to SSL. It uses the Tomcat web server, and its associated Java certificate keystore methodology (which I don’t understand very well), so it’s nontrivial to work with compared to most servers when it comes to adding or replacing a signed certificate.
With Deep Security Manager, to give domain users administration rights, you must replace the default self-signed cert with a CA-signed certificate. There’s not a lot of good documentation on the web that covers this process, so I decided to write this up after about the fifth time that I’ve grunted my way through the process. As always, I hope you find this helpful.
Assumption: Deep Security Manager is installed on a Windows server VM.
Step By Step
1. Take a snapshot of the Deep Security Manager VM and name it "Pre-SSL" or something similar.
2. RDP into the Deep Security Manager VM. Open an elevated command prompt (Start > CMD > right-click and select Run as Administrator).
3. Create a folder called c:\certs.
4. Stop the Deep Security Manager service using the command: net stop "Trend Micro Deep Security Manager" and check to make sure that the service has stopped. It can take a full minute or more to stop.
5. Change to the Deep Security Manager directory. The default is c:\Program Files\Trend Micro\Deep Security Manager.
6. Determine the Java keystore password by issuing the command: installfiles\genkey.bat. The keystore password is the string immediately following the '-storepass' parameter. Its format will be something like this: bEwzWtCe.
7. In the following steps, replace "bEwzWtCe" with the password you captured in step 6.
8. Issue the command: keytool -delete -storepass bEwzWtCe -alias tomcat -keystore .keystore
9. Issue the command: keytool -genkey -storepass bEwzWtCe -alias tomcat -keyalg RSA -keystore .keystore
10. In the dialog that follows, the first prompt is for your name. Don't use your name—use the FQDN of the Deep Security Manager machine. For example: trend01.acme.local. Complete the other fields with the appropriate customer information. For OU, you can use "IT," the customer's full company name, or something else, if they have a preference.
11. Issue the command: keytool -certreq -storepass bEwzWtCe -keyalg RSA -alias tomcat -file c:\certs\certreq.txt -keystore .keystore
12. On a domain-joined machine, export the root certificate using the Certificates snap-in (for the Local Computer) in MMC. Export the cert using the default settings. Name it root.cer and copy it to the c:\certs directory on the Deep Security Manager machine.
13. Issue the command: keytool -import -alias root -storepass bEwzWtCe -trustcacerts -file c:\certs\root.cer -keystore .keystore (no trailing period). When prompted, type "yes" to accept the certificate into the keystore.
14. Generate the certificate for the Deep Security Manager, either using the customer's Windows domain CA (preferred) or a trusted certificate authority. Use a web server template.
15. Download the certificate chain (not just the cert) in DER (p7b) format. Save the file as dsmcertnew.p7b. Copy it to the c:\certs directory on the Deep Security Manager machine.
16. Issue the command: keytool -import -alias tomcat -storepass bEwzWtCe -file c:\certs\dsmcertnew.p7b -keystore .keystore (no trailing period). When prompted, type "yes" to accept the certificate into the keystore.
17. Start the Deep Security Manager service using the command: net start "Trend Micro Deep Security Manager"
18. Check to make sure the service has started.
19. Log into Deep Security Manager and verify that the signed certificate is in use. Use the FQDN of the Deep Security Manager when connecting to it with a browser. You shouldn't receive a certificate error, and if you check the certificate chain (use the lock icon in the browser bar to get to it), you should see the certificate chain with the correct CA and the FQDN of the DSM.
20. If all goes well, delete the snapshot you took in step 1. If not, revert to the snapshot and come back to it another time.
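As an added example (not from the original post and not a Trend Micro tool), here are the keytool steps above collected into a PowerShell script that also checks the installed chain afterwards. It assumes the default DSM install path, that root.cer and dsmcertnew.p7b are already in c:\certs, that keytool is on PATH (DSM's bundled JRE if not), and placeholder values for the FQDN and the distinguished name.

```powershell
$ErrorActionPreference = 'Stop'
$dsmDir   = 'C:\Program Files\Trend Micro\Deep Security Manager'
$keystore = Join-Path $dsmDir '.keystore'
$svc      = 'Trend Micro Deep Security Manager'
$fqdn     = 'trend01.acme.local'                                  # placeholder: the DSM machine's FQDN
$dname    = "CN=$fqdn,OU=IT,O=Acme Corp,L=City,ST=State,C=US"     # placeholder: customer details

function Get-DsmStorePass {
    # Step 6: run genkey.bat and take the token that follows -storepass in what it prints.
    Set-Location $dsmDir
    $out = (& cmd.exe /c 'installfiles\genkey.bat' 2>&1 | Out-String)
    if ($out -match '-storepass\s+(\S+)') { return $Matches[1] }
    throw 'No -storepass value found in genkey.bat output'
}

function New-DsmCsr {
    # Steps 4 and 8-13: stop DSM, replace the tomcat key pair, write the CSR, import the root CA.
    Stop-Service -Name $svc
    (Get-Service -Name $svc).WaitForStatus('Stopped', [TimeSpan]::FromMinutes(3))
    $pw = Get-DsmStorePass
    & keytool -delete -storepass $pw -alias tomcat -keystore $keystore
    # -dname replaces the interactive prompts of step 10; -keypass keeps the key password equal
    # to the store password (the same as pressing Enter at the prompt), which Tomcat expects.
    & keytool -genkey -storepass $pw -keypass $pw -alias tomcat -keyalg RSA -keysize 2048 `
        -dname $dname -keystore $keystore
    # -ext SAN asks the CA for a Subject Alternative Name; browsers no longer accept the CN alone.
    & keytool -certreq -storepass $pw -keypass $pw -alias tomcat -ext "SAN=dns:$fqdn" `
        -file 'C:\certs\certreq.txt' -keystore $keystore
    & keytool -import -alias root -storepass $pw -trustcacerts -noprompt `
        -file 'C:\certs\root.cer' -keystore $keystore
}

function Install-DsmCert {
    # Steps 16-18: import the issued chain under the tomcat alias, then restart the service.
    $pw = Get-DsmStorePass
    & keytool -import -alias tomcat -storepass $pw -noprompt `
        -file 'C:\certs\dsmcertnew.p7b' -keystore $keystore
    Start-Service -Name $svc
    (Get-Service -Name $svc).WaitForStatus('Running', [TimeSpan]::FromMinutes(3))
    # Step 19, from the keystore side: the tomcat entry should be a PrivateKeyEntry whose
    # chain length is greater than 1, whose Owner carries the FQDN, and whose Issuer is the domain CA.
    & keytool -list -v -storepass $pw -alias tomcat -keystore $keystore |
        Select-String -Pattern 'Entry type|Certificate chain length|Owner:|Issuer:|DNSName'
}

# Run New-DsmCsr, submit C:\certs\certreq.txt to the CA (steps 14-15), then run Install-DsmCert.
```

Keep the VM snapshot from step 1 until the keytool -list output and the browser check both show the signed chain.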
You can now go about the process of connecting the Deep Security Manager to your domain to import users under Administration > Users > Synchronize with Directory. Use TLS (port 636), unless it’s not enabled.