PKWARE Product Support

SecureZIP for DLP FAQ




    1. I just installed SecureZIP for DLP and I don’t see how to access it!

      SecureZIP for DLP is designed to integrate within your existing DLP product and it does not have a program icon or an interactive user interface. If you are using the pre-configured integration for Symantec DLP, you will see SecureZIP for DLP available within the response rule configuration forms. Further, with Symantec DLP integration, a configuration utility is available from the Windows Start menu to assist with configuring your initial use of SecureZIP for DLP. To use SecureZIP for DLP for other environments, you access the API functions it provides from within your development IDE (such as Eclipse).

    2. I’ve installed SecureZIP for DLP on 2003 Server and I can’t run the configuration utility!

      SecureZIP for DLP includes ready-to-use integration with Symantec DLP on Windows Server 2008. A configuration utility is available from the Windows Start menu to assist with configuring your initial use of SecureZIP for DLP. If you are running SecureZIP for DLP on an older Windows 2003 server, you will need a version of the configuration utility that is designed for Windows 2003. You should contact PKWARE Product Support for information on where to download the Windows 2003 version of the configuration utility.

    3. Which DLP products can I use with SecureZIP for DLP?

      SecureZIP for DLP supports DLP integration needs for any platform running Java 6 or later where your DLP product supports running Java applications for remediation actions. Out-of-the-box integration is provided for Symantec DLP V11.1 or higher.

    4. Where does SecureZIP for DLP operate?

      SecureZIP for DLP can operate on server or endpoint systems. Where you place SecureZIP for DLP depends on the capabilities of your DLP product and where you can run remediation actions on your data. If you are using the out-of-the-box integration with Symantec DLP, the SecureZIP for DLP software will be installed and run on your Symantec Enforce server.

    5. I can’t seem to get SecureZIP for DLP to encrypt my files!

      SecureZIP for DLP requires at least one public key associated with an X.509 V3 digital certificate in order to encrypt a file reported by your DLP software as requiring encryption. The encryption key must belong to the user matching the owner of the file as reported by your DLP software. The public key for this user must be available to SecureZIP for DLP from your Active Directory. Additional keys for this user’s manager can be configured to be included when encrypting; however, these additional keys must also be available from your Active Directory. You can configure multiple manager levels using the SecureZIP for DLP configuration program.

    6. Can I use a contingency key when encrypting files with SecureZIP for DLP?

      Yes, SecureZIP for DLP is designed to support using one or more contingency keys when encrypting files to ensure you will always have a means to access your protected files. The out-of-the-box integration with Symantec DLP includes a configuration program that provides a form to set which contingency keys will be used by SecureZIP for DLP.

    7. What does the error report of "unable to find valid certification path to request file" mean?

      You may see this error report if you require SecureZIP for DLP to authenticate to your Active Directory server using SSL. This message typically indicates that the SSL connection requires access to the “trusted root” for your SSL certificate. You can resolve this issue by importing your trusted root certificate (.cer file) into the Java certificate store located in the file called “cacerts”. This file is typically found in the jre\lib\security folder associated with your active Java runtime. Your trusted root certificate can be imported into the cacerts file using the “keytool” program included with your Java software. After taking appropriate backup and recovery precautions for your current cacerts file, you can use the following sample command to complete this change:

      keytool -importcert -alias <"CN value"> -file <file.cer> -keystore cacerts -storepass <your password> -storetype JKS -noprompt

      The default password provided with Java (unless you have changed it) is "changeit".

    8. What does the error "KDC has no support for encryption type (14)" mean?

      When using SecureZIP for DLP, you may see this error report if your network requires Kerberos when authenticating to Active Directory. This error indicates you are not able to use AES encryption when authenticating using Kerberos. In this instance, your internal network is most likely using another encryption algorithm (such as RC4). To resolve this, you will need to create or edit a KRB5.INI file to contain the following settings:

      [libdefaults]
      default_tkt_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1 rc4-hmac arcfour-hmac arcfour-hmac-md5
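
      One way to review the resulting KRB5.INI, as an added example that is not PKWARE code: the script reports which encryption types listed under [libdefaults] are deprecated for Kerberos (single DES by RFC 6649, 3DES and RC4 by RFC 8429), so the compatibility list can be kept as short as your domain controllers require. The function name and the MIXED_INI sample are constructed for illustration.

```python
# Added example: audit the enctype lists in a krb5.ini [libdefaults] section.
import re

# Deprecated Kerberos enctypes: single DES (RFC 6649), 3DES and RC4 (RFC 8429).
DEPRECATED = {
    "des-cbc-crc": "single DES, RFC 6649",
    "des-cbc-md5": "single DES, RFC 6649",
    "des3-cbc-sha1": "3DES, RFC 8429",
    "rc4-hmac": "RC4, RFC 8429",
    "arcfour-hmac": "RC4, RFC 8429",
    "arcfour-hmac-md5": "RC4, RFC 8429",
}
ENCTYPE_KEYS = {"default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"}

def audit_krb5(text):
    """Return {key: {"deprecated": [...], "other": [...]}} for [libdefaults]."""
    section, report = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:                                # e.g. [libdefaults], [realms]
            section = header.group(1).lower()
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() in ENCTYPE_KEYS:
            names = [n.lower() for n in re.split(r"[\s,]+", value) if n]
            report[key.lower()] = {
                "deprecated": [n for n in names if n in DEPRECATED],
                "other": [n for n in names if n not in DEPRECATED],
            }
    return report

# FAQ_INI is the setting from the answer above; MIXED_INI is constructed.
FAQ_INI = """[libdefaults]
default_tkt_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1 rc4-hmac arcfour-hmac arcfour-hmac-md5
"""
MIXED_INI = """[libdefaults]
default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac
"""

if __name__ == "__main__":
    for name, ini in (("faq", FAQ_INI), ("mixed", MIXED_INI)):
        for key, found in audit_krb5(ini).items():
            print(name, key, "deprecated:", found["deprecated"], "other:", found["other"])
```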

    9. How do I determine the Base DN for accessing public keys from Active Directory?

      When configuring SecureZIP for DLP, you will need to configure the settings needed to retrieve user public keys from your Active Directory. In addition to valid User ID and password credentials, you will need to provide SecureZIP for DLP with a Base DN value. This value tells SecureZIP for DLP where to find public keys within your Active Directory. This value will depend on how your Active Directory is set up. Typically, the best way to find this setting is to ask your Active Directory administrator. Alternatively, if you have a program that allows you to query your Active Directory, you can use it to help you determine this setting. Examples of programs that you can use are the Softerra LDAP Browser, or the LDP.EXE or DSQUERY programs from Microsoft. Check with your Systems Administrator for the availability of these programs on your machine.

      Example: To locate the Base DN for your Active Directory, use dsquery to search for a known user.

      dsquery user -name user1

      The value for this Base DN is highlighted below; your values will differ.

      "CN=user1,OU=prodman,DC=itlab,DC=local"
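
      To break a dsquery result into its parts, the following added example (not PKWARE code) splits the returned DN on unescaped commas and lists the two usual Base DN candidates: the user's parent container and the domain root. Which of the two to configure depends on where your user certificates are stored; the function names and the ESCAPED_DN sample are constructed for illustration.

```python
# Added example: split a dsquery result into RDNs and list candidate Base DNs.
def split_dn(dn):
    """Split a DN on unescaped commas; backslash escapes (RFC 4514) are kept."""
    parts, current, escaped = [], [], False
    for ch in dn.strip().strip('"'):      # dsquery prints DNs in double quotes
        if escaped:                        # character after a backslash
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":                    # unescaped comma ends an RDN
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    parts.append("".join(current).strip())
    return [p for p in parts if p]

def base_dn_candidates(user_dn):
    """Return the parent container, the domain root, and the dotted domain."""
    rdns = split_dn(user_dn)
    dcs = [r for r in rdns if r.upper().startswith("DC=")]
    if len(rdns) < 2 or not dcs:
        raise ValueError("not an object DN with DC components: %r" % user_dn)
    return {
        # Everything after the object's own RDN: the narrowest search base.
        "parent_container": ",".join(rdns[1:]),
        # Only the DC components: the widest search base for the domain.
        "domain_root": ",".join(dcs),
        # The domain name the DC components spell out.
        "dns_domain": ".".join(r.split("=", 1)[1] for r in dcs),
    }

FAQ_DN = '"CN=user1,OU=prodman,DC=itlab,DC=local"'             # from the FAQ
ESCAPED_DN = '"CN=Smith\\, John,OU=Sales,DC=corp,DC=example"'  # constructed

if __name__ == "__main__":
    for dn in (FAQ_DN, ESCAPED_DN):
        print(dn, "->", base_dn_candidates(dn))
```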

    10. How do I open files encrypted using SecureZIP for DLP?

      SecureZIP for DLP provides features to protect your sensitive information using encryption when activated from your DLP software. SecureZIP for DLP does not include capabilities to open/decrypt encrypted files it creates. It protects your files using one of the most commonly used file packaging formats, ZIP. With ZIP, you can open files protected by SecureZIP for DLP on almost any platform using ZIP-compatible application software that supports the ZIP encryption features. All PKWARE products that can open ZIP files can be used to decrypt your protected files.

    11. What does the error “Logon failure: unknown username or bad password” mean?

      This error may appear when you are using SecureZIP for DLP with the out-of-the-box integration with Symantec DLP. It is typically caused by the access permissions of the user credential configured as the Protect Credential on the Symantec Protect tab for your Discover target. This credential must be allowed to read and write the files in your configured scan locations. You should also make sure that no network restrictions such as antivirus, IDS, or other firewall settings are blocking access to your scan targets for this configured user.

    12. Will the SecureZIP for DLP configuration program work with DLP software other than Symantec DLP?

      Yes, the SecureZIP for DLP configuration program will create an XML file that can be used as a parameter when integrating using the API. You will need to provide the path to the XML file when used in this manner.

    13. Can SecureZIP for DLP retrieve user public keys from any LDAP-compliant directory?

      At this time, SecureZIP for DLP can only retrieve user public keys from Active Directory.

    14. How can I view success or failure conditions for SecureZIP for DLP?

      A successful outcome for an incident file protected using SecureZIP for DLP is that the file is placed into a secure ZIP file that will replace the original file. If you are using the out-of-the-box integration with Symantec DLP, information can be viewed for an incident using the History tab available within the Symantec administrative UI. This tab will report any errors detected by SecureZIP for DLP. Additionally, you may also view the Symantec log files for information that may help diagnose a problem. Within the Symantec “logs” folder, you can find additional information by viewing the “incidentpersister_operational_0.log” or the “manager_operational_0.log” files.

    15. Why do I see the message “Unable to locate domain: XXXXXXX”?

      SecureZIP for DLP must be able to access appropriate domain information for each file owner. Make sure you have correctly joined your DLP system to your domain and that you have properly configured DNS. Also, for each domain for which file owners may be reported, make sure you have set up the LDAP Properties using the SecureZIP for DLP configuration program. The “Name” field for each entry must match the domain name.




Request Product Manuals

All PKWARE products include full user documentation with purchased or evaluation software. Additional copies of product manuals are available by request to customers, resellers and those interested in evaluating our software. If you need access to electronic product documentation, please contact your PKWARE representative for assistance.

Current Customers: Contact PKWARE® Product Support online or call +1.937.847.2687 (8:00 a.m. - 5:00 p.m. CT).

All other inquiries should be directed to your regional sales representative: http://www.pkware.com/contact