Enterprise Vault™ Classification using the Veritas Information Classifier
- About this guide
- Preparing Enterprise Vault for classification
- Setting up Veritas Information Classifier policies
- About policies
- About patterns
- About tags
- Defining and applying Enterprise Vault classification policies
- Defining classification policies
- Running classification in test mode
- Using classification with smart partitions
- Appendix A. Enterprise Vault properties for use in custom field searches
- Appendix B. PowerShell cmdlets for use with classification
- Appendix C. Classification cache folder
- Appendix D. Migrating from FCI classification to the Veritas Information Classifier
- Appendix E. Monitoring and troubleshooting
Configuring the Veritas Information Classifier for secure client connections
The Veritas Information Classifier engine is a Java application that is managed by Internet Information Services (IIS). By default in a new installation of Enterprise Vault 12.3 or later, client users access the Veritas Information Classifier using HTTPS on the configured port for the Enterprise Vault Web Access application, which is typically port 443. If a certificate does not exist, Enterprise Vault configures Secure Sockets Layer (SSL) in IIS using a self-signed certificate. We recommend that you replace this certificate as soon as possible with one obtained from a trusted certificate authority. The instructions in this section describe how to import and apply a new certificate.
If you have upgraded from a version of Enterprise Vault that is earlier than 12.3, then Enterprise Vault does not change the existing IIS configuration. If Enterprise Vault is configured to use HTTP over TCP port 80, we recommend that you strengthen the security of your Veritas Information Classifier deployment by configuring it to use HTTPS with SSL, as described in this section.
Note the following:
The following procedure secures the connections between client computers and IIS, but it does not secure the connections between IIS and the Veritas Information Classifier engine. However, as both IIS and the Veritas Information Classifier engine reside on the same server, this is unlikely to be a problem; there is no network traffic for a malicious user to intercept.
Implementing HTTPS with SSL for the Veritas Information Classifier also implements it for other Enterprise Vault features, such as Enterprise Vault Search.
To configure the Veritas Information Classifier for secure client connections
- In the Vault Administration Console, in the properties for your Enterprise Vault site, ensure that you have selected the option Use HTTPS on SSL Port.
The default port for HTTPS is 443, but you can choose an alternative port, if necessary.
- Create and submit an SSL certificate request. We recommend that you obtain a certificate from a trusted certificate authority.
- See the IIS documentation for more information on how to perform these two steps.
On the Enterprise Vault server, perform the following steps in IIS Manager:
Use the Server Certificates feature to install the new certificate.
In the site bindings for the Default Web Site, add a binding for the HTTPS protocol and link it to the new certificate.
- If your certificate has not come from a trusted certificate authority, import it into the Java Runtime Environment (JRE) keystore that is in the Enterprise Vault installation folder on your Enterprise Vault server (typically,
C:\Program Files (x86)\Enterprise Vault\Services\JRE\lib\security\cacerts).
You can use the Keytool utility to import the certificate. This utility is in the
\Services\JRE\binsubfolder of the Enterprise Vault installation folder. For instructions on how to run Keytool, see:
The Keytool command for importing certificates has the following form:
keytool -importcert -trustcacerts -alias alias_name -file path_to\certificate_file -keystore path_to\keystore_file -storepass keystore_password
keytool -importcert -trustcacerts -alias mydomain.cdb.local -file C:\MyKey.cer -keystore C:\Program Files (x86)\Enterprise Vault\Services\JRE\lib\security\cacerts -storepass changeit
Note the following:
The keystore password is the default password, changeit.
Each time you upgrade Enterprise Vault, it first makes a backup copy of the
cacertskeystore file and then replaces it with a new version of the file. So, you must import your SSL certificate into the keystore file again. For this reason, it is advisable to keep a copy of the certificate. Alternatively, you can export the certificate from the backup copy of the keystore file by following the instructions in this article:
- Confirm that you have successfully imported the certificate into the keystore by running a Keytool command like the following one:
keytool -list -keystore C:\Program Files (x86)\Enterprise Vault\Services\JRE\lib\security\cacerts