Legal Notice
Copyright 2014 Symantec Corporation. All rights reserved.
Symantec, the Symantec Logo, and the Checkmark Logo are trademarks or registered
trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other
names may be trademarks of their respective owners.
This Symantec product may contain third party software for which Symantec is required to
provide attribution to the third party (Third Party Programs). Some of the Third Party Programs
are available under open source or free software licenses. The License Agreement
accompanying the Software does not alter any rights or obligations you may have under those
open source or free software licenses. Please see the Third Party Legal Notice Appendix to
this Documentation or TPIP ReadMe File accompanying this Symantec product for more
information on the Third Party Programs.
The product described in this document is distributed under licenses restricting its use, copying,
distribution, and decompilation/reverse engineering. No part of this document may be
reproduced in any form by any means without prior written authorization of Symantec
Corporation and its licensors, if any.
THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED
CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED
WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR
NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH
DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL
NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION
WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE
INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE
WITHOUT NOTICE.
The Licensed Software and Documentation are deemed to be commercial computer software
as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19
"Commercial Computer Software - Restricted Rights" and DFARS 227.7202, "Rights in
Commercial Computer Software or Commercial Computer Software Documentation", as
applicable, and any successor regulations. Any use, modification, reproduction release,
performance, display or disclosure of the Licensed Software and Documentation by the U.S.
Government shall be solely in accordance with the terms of this Agreement.
Symantec Corporation
350 Ellis Street
Mountain View, CA 94043
http://www.symantec.com
Technical Support
Symantec Technical Support maintains support centers globally. Technical Support's
primary role is to respond to specific queries about product features and functionality.
The Technical Support group also creates content for our online Knowledge Base.
The Technical Support group works collaboratively with the other functional areas
within Symantec to answer your questions in a timely fashion. For example, the
Technical Support group works with Product Engineering and Symantec Security
Response to provide alerting services and virus definition updates.
Symantec's support offerings include the following:
A range of support options that give you the flexibility to select the right amount
of service for any size organization
For information about Symantec's support offerings, you can visit our website at
the following URL:
www.symantec.com/business/support/
All support services will be delivered in accordance with your support agreement
and the then-current enterprise technical support policy.
Hardware information
Operating system
Network topology
Problem description:
Customer service
Customer service information is available at the following URL:
www.symantec.com/business/support/
Customer Service is available to assist with non-technical questions, such as the
following types of issues:
customercare_apac@symantec.com
semea@symantec.com
supportsolutions@symantec.com
Chapter
Introducing 64-bit migration for Symantec Data Loss Prevention
This chapter includes the following topics:
About Data Loss Prevention support for 64-bit Oracle 11g database
requirements, this document provides guidelines and examples for tuning detection
servers on 64-bit systems after you migrate your Symantec Data Loss Prevention
installation to a 64-bit system.
See General tuning recommendations for detection servers on page 32.
Lookup plug-ins are used to retrieve custom incident data from external
resources.
In general, any plug-in that uses native code must be recompiled for use on the
64-bit server. Table 1-1 describes specific support for Data Loss Prevention plug-ins
on 64-bit systems.
Table 1-1
Plug-in type
FlexResponse
Plug-ins that use the FlexResponse Java API do not need to be recompiled to run on a 64-bit
detection server.
Plug-ins that use the Python Script Bridge Plug-in cannot be deployed to 64-bit servers because
the Python Script Bridge FlexResponse Plug-in is only supported on 32-bit Windows operating
systems.
Lookup
Lookup plug-ins that use the legacy Java API do not need to be recompiled to run on a 64-bit
detection server. However, as of version 11.6 support for this API is deprecated. A plug-in that
uses this API should be migrated to one of the system-provided Lookup plug-ins, including Script,
LDAP, CSV, and Data Insight.
Note: The Data Insight server can still be installed on a 32-bit system.
Note: Once you have migrated your Data Loss Prevention system to 64-bits, Lotus
Notes targets will only support DIIOP mode. Refer to the Symantec Data Loss
Prevention Administration Guide for more information.
Table 1-2
Scanner       Windows 32-bit  Windows 64-bit  Linux 32-bit  Linux 64-bit  AIX 32-bit  Solaris 32-bit
File System   Yes             No              Yes           Yes           Yes         Yes
Web Server    Yes             No              Yes           No            No          No
Documentum    Yes             No              No            No            No          No
Live Link     Yes             No              No            No            No          No
Component
Origin
Action
Target
DLP
Upgrade
DB
Upgrade
OS
Migrate
DB
DLP
Migrate
DLP
Upgrade
DLP
Upgrade
Step
Action
Description
Step 1
Prepare to migrate.
Stop all Network Discover scans before you begin migrating either the
Enforce Server or a Network Discover detection server to a 64-bit system.
See the topic "Managing Network Discover target scans" in the Symantec
Data Loss Prevention Administration Guide for details.
Update all Symantec DLP Agents on endpoint computers to include the IP
address of the new 64-bit server in their list of Endpoint Prevent servers.
Making this configuration change now ensures that endpoint computers can
automatically failover to the new 64-bit Endpoint Prevent server when it
becomes available. See the topic "About Endpoint Server redundancy" in
the Symantec Data Loss Prevention Administration Guide for information
about setting up backup Endpoint Server connectivity.
Step 2
You must upgrade to version 11.0 for 32-bit because this is the first major
release where 64-bit was supported. See the Symantec Data Loss
Prevention Upgrade Guide for your platform.
If you are already running Data Loss Prevention version 11.0 or later, skip
this step.
Step 3
Table 1-4
Step
Action
Description
Step 4
Step 5
Step 6
Step 7
Migrate detection servers to 64-bits.
See Migrating a detection server to a 64-bit system on page 29.
Step 8
See the Symantec Data Loss Prevention Upgrade Guide for your platform
for version 12.0.
Step 9
See the Symantec Data Loss Prevention Upgrade Guide for your platform
for version 12.5.
See About migrating the Data Loss Prevention database to 64-bit systems
on page 16.
Chapter
Migrating from Oracle 10g 32-bit system to Oracle 11g 64-bit system
See Migrating 32-bit Oracle database files to 64-bit Oracle database (Linux)
on page 22.
Migrating from Oracle 10g 32-bit system to Oracle 11g 64-bit system
Step
Action
Description
Step 1
Step 2
Table 2-1
Migrating from Oracle 10g 32-bit system to Oracle 11g 64-bit system
(continued)
Step
Action
Description
Step 3
Step 4
Create the TNS listener on the 64-bit server computer.
Refer to the corresponding section in the Symantec Data Loss Prevention Oracle
Installation and Upgrade Guide for instructions.
Step 5
Install the Oracle Critical Patch Update (CPU) on the 64-bit server computer.
Refer to the Symantec Data Loss Prevention Oracle <version> <date> Critical Patch
Update Guide or the Oracle documentation accompanying the CPU for details on applying
the latest CPU for the Oracle version you have upgraded and migrated to.
On the 32-bit server computer, open a command prompt and start SQL*Plus:
sqlplus /nolog
Determine the directory for creating a new pfile by running the following
command in SQL*Plus:
SELECT SUBSTR(value, 1, INSTR(value, '\', -1, 1) - 1) directory
FROM v$parameter WHERE
name = 'spfile';
Where <path> is the path returned by the command you ran in step 4.
Stop the Oracle service before copying the files. For more information on
stopping and starting Windows services see your Microsoft Windows
documentation.
Copy the Oracle database files from the 32-bit server computer to the 64-bit
server computer. Always ensure that you copy the files to the same directory
location on the 64-bit server destination. If the directories do not exist on the
destination server, create them.
Copy the following files and directories to the corresponding directory on the
64-bit server computer.
Location
Description
%ORACLE_HOME%\database\PWDprotect.ora
flash_recovery_area\*
If the 64-bit server computer uses a different directory structure for the Oracle
installation, you must manually edit the init.ora file that you created to specify
the correct location for directories on the 64-bit server computer.
For example, if the 32-bit Oracle software was installed on the c:\ drive and
the 64-bit Oracle software was installed on the d:\ drive, edit
c:\oracle\product\11.2.0\db_1\admin\protect\pfile\init.ora and
change all drive references from c:\ to d:\.
On the 64-bit server computer, open a command prompt and set the
ORACLE_HOME and ORACLE_SID environment variables. For example:
set ORACLE_HOME=c:\oracle\product\11.2.0\db_1
set ORACLE_SID=protect
10 If you did not re-create the TNS listener on the 64-bit server computer, you
must do so now.
Refer to the Symantec Data Loss Prevention Oracle Installation and Upgrade
Guide for instructions on doing this.
11 Create a new Oracle service from the pfile that you migrated from the 32-bit
system. Open a command prompt and run the following commands:
cd %ORACLE_HOME%\database
oradim -new -sid protect -startmode auto -pfile init.ora
13 Shut down the database and start it in upgrade mode by running the following
commands:
SQL> shutdown immediate
SQL> startup upgrade
15 Configure the Oracle system memory for the 64-bit Oracle Database by running
the following commands:
SQL> alter system set memory_max_target = 3072m scope=spfile;
SQL> alter system set memory_target = 3072m scope=spfile;
18 Back up the database. For more information, see the Symantec Data Loss
Prevention System Maintenance Guide.
On the 32-bit server computer, open a command prompt and start SQL*Plus:
sqlplus /nolog
Determine the directory for creating a new pfile by running the following
command in SQL*Plus:
SELECT SUBSTR(value, 1, INSTR(value, '/', -1, 1) - 1)
directory FROM v$parameter WHERE
name = 'spfile';
Where <path> is the path returned by the command you ran in step 4.
Exit SQL*Plus:
SQL> exit
Copy the Oracle database files from the 32-bit server computer to the 64-bit
server computer. Always ensure that you copy the files to the same directory
location on the 64-bit server destination. If the directories do not exist on the
destination server, create them.
Copy the following files and directories to the corresponding directories on the
64-bit server computer:
Location
Description
$ORACLE_HOME/dbs/orapwprotect
flash_recovery_area/*
Make sure that the copied files have the same permissions as the source files,
and that they are owned by the same oracle user and oinstall group as the
source files.
Use a text editor to open the init.ora file that you created and copied from the
32-bit system in step 5. Make sure the directories specified by the following
parameters are present on your 64-bit system. Create any missing directories
and make sure that these directories have the same permissions as the source
files. Also make sure that the files are owned by the same oracle user and
oinstall group as the source files.
audit_file_dest
core_dump_dest
diagnostic_dest
If the 64-bit server computer uses a different directory structure for the Oracle
installation, you must manually edit the init.ora file that you created to specify
the correct location for directories on the 64-bit server computer.
12 If you did not re-create the TNS listener on the 64-bit server computer, you
must do so now.
Refer to the Symantec Data Loss Prevention Oracle Installation and Upgrade
Guide for instructions on doing this.
13 Create an Oracle instance from the migrated database files by running the
following commands:
cd <ORACLE_HOME>/dbs
sqlplus /nolog
SQL> connect / as sysdba
17 Revalidate the existing PL/SQL modules to make sure that they are in the
format required by the 64-bit Oracle Database by running the following
command:
SQL> @?/rdbms/admin/utlrp.sql
18 Create an spfile and restart the Oracle Database using the spfile by running
the following commands:
SQL> create spfile from pfile= 'init.ora';
SQL> shutdown immediate;
SQL> startup
19 Configure the Oracle system memory for the 64-bit database by running the
following commands:
SQL> alter system set memory_max_target = 3072m scope=spfile;
SQL> alter system set memory_target = 3072m scope=spfile;
21 Back up the database. For more information, see the Symantec Data Loss
Prevention System Maintenance Guide.
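An added example (not part of the Symantec guide) of checking, on the 64-bit Linux host, that the directories named by the init.ora parameters listed in the procedure above exist before the instance is created. It assumes pfile lines of the form *.name='/path' and Oracle's diagnostic_dest parameter name; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report init.ora directory parameters whose target directory
# is missing on this host. Assumes pfile lines such as
#   *.audit_file_dest='/opt/oracle/admin/protect/adump'
# (an optional "*." or "<sid>." prefix, optional quotes around the value).

PFILE_DIR_PARAMS="audit_file_dest core_dump_dest diagnostic_dest"

# Print the value of one parameter from a pfile (last assignment wins).
# Commented-out lines (starting with #) are ignored.
pfile_value() {  # $1 = pfile, $2 = parameter name
    sed -n "s/^[[:space:]]*\([^.=#]*\.\)\{0,1\}$2[[:space:]]*=[[:space:]]*//p" "$1" |
        tail -n 1 | tr -d "'\"" | sed 's/[[:space:]]*$//'
}

# Print "parameter path" for every listed parameter whose directory is absent.
# Returns 0 when every parameter that is set points at an existing directory.
missing_pfile_dirs() {  # $1 = pfile
    rc=0
    for p in $PFILE_DIR_PARAMS; do
        v=$(pfile_value "$1" "$p")
        if [ -z "$v" ]; then
            continue                    # parameter not set in this pfile
        fi
        if [ ! -d "$v" ]; then
            echo "$p $v"
            rc=1
        fi
    done
    return $rc
}

# Typical use on the 64-bit server, run as the oracle user:
#   missing_pfile_dirs "$ORACLE_HOME/dbs/init.ora" || echo "create the directories listed above"
```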
Chapter
database. Use the following procedure to migrate the Enforce Server to a 64-bit
system and ensure that all configuration data is preserved. The steps assume you
have already migrated the Oracle database server to a 64-bit system.
See About migrating the Data Loss Prevention database to 64-bit systems
on page 16.
Warning: Do not initialize the Enforce Server database when you install the new
64-bit Enforce Server database. You must preserve the existing database to ensure
that all configuration, policy, and incident data is carried over to the new system.
To migrate the Enforce Server to a 64-bit operating system
Shut down and disable the Vontu services on the 32-bit Enforce Server host.
See the chapter "Managing Enforce Server services and settings" in the
Symantec Data Loss Prevention Administration Guide.
After you have verified that the services have stopped, disable the services to
prevent them from automatically starting when the server computer restarts.
See the chapter "Managing Enforce Server services and settings" in the
Symantec Data Loss Prevention Administration Guide.
Install the Enforce Server for your new 64-bit platform by following the steps
in the Symantec Data Loss Prevention Installation Guide.
Adhere to the following deviations in the installation steps when installing the
Enforce Server for migration purposes.
Action
Description
Select the CryptoMasterKey.properties file.
During the installation of the Enforce Server, the installation wizard asks for a
CryptoMasterKey.properties file. You can elect to bypass the request and not
add the file, or you can add the properties file by following the instructions in the wizard.
The file is located in directory \SymantecDLP\Protect\config.
During the installation process, make sure you reuse (do not initialize) the existing
Enforce Server database by following these steps:
Do not start the "Vontu" protect services.
After the installation completes, deselect the Start Services check box.
After installing the new 64-bit server, manually copy the following additional
configuration files from the 32-bit server to the same directories on the 64-bit
host.
Note: As of Symantec Data Loss Prevention version 11.6, SymantecDLP is the
default name for the installation directory for Data Loss Prevention files.
Note: On Linux systems, ensure that you preserve the same file permissions
and ownership attributes when copying files between systems.
Directory
Description
\SymantecDLP\Protect\plugins
or
/opt/SymantecDLP/Protect/plugins
Reinstall any language packs that you used on the 32-bit Enforce Server.
See the Symantec Data Loss Prevention Installation Guide.
Import any custom certificates that are necessary to communicate with installed
detection servers, Active Directory connections, or FlexResponse plug-ins.
See details about configuring certificates in the Symantec Data Loss Prevention
Installation Guide for your platform.
Start the 64-bit Enforce Server after copying all configuration files.
See the chapter "Managing Enforce Server services and settings" in the
Symantec Data Loss Prevention Administration Guide.
Ensure that the 64-bit detection server system contains all of the third-party
software for the detection server you are migrating.
For example, if you are migrating a 32-bit Network Discover detection server,
you may also require a 64-bit version of Outlook 2010 on the server computer.
Install the 64-bit detection server software on the designated server computer
or virtual machine (if the detection server supports virtual machine deployment).
See the Symantec Data Loss Prevention Installation Guide for your platform.
After installing the new 64-bit server, manually copy the following additional
configuration files from the 32-bit server to the same directories on the 64-bit
computer or virtual machine:
Directory
Description
\SymantecDLP\Protect\plugins
or
/opt/SymantecDLP/Protect/plugins
/opt/SymantecDLP/Protect/lib/jdbc
Note: On Linux systems, ensure that you preserve the same file permissions
and ownership attributes when copying files between systems.
Import any custom certificates that are necessary to communicate with the
Enforce Server and any other network component. For example, you may need
to reimport certificates on a Network Prevent for Email server to support TLS
communication with MTAs.
See details about configuring certificates in the Symantec Data Loss Prevention
Installation Guide for your platform.
See Configuring keys and certificates for TLS in the Symantec Data Loss
Prevention MTA Integration Guide for Network Prevent for Email.
Click the name of the 32-bit detection server that you are migrating.
Click Configure.
10 Edit the Host and Port fields to point to the new 64-bit server computer or
virtual machine.
11 Click Save.
12 Click Done.
13 Shut down the 32-bit detection server that you migrated.
See the chapter "Managing Enforce Server services and settings" in the
Symantec Data Loss Prevention Administration Guide.
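The notes above about preserving file permissions and ownership when copying files between Linux systems apply to the Oracle database files as well as to the Enforce Server and detection server configuration directories. As an added example (not from the Symantec guide), this script records mode, owner, group and SHA-256 for each file so the 32-bit and 64-bit copies can be compared; it assumes GNU coreutils (stat -c, sha256sum), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: verify that files copied between hosts kept their
# permissions, ownership and content.

# Emit one line per regular file under $1, sorted by path:
#   relative/path mode owner group sha256
make_manifest() {  # $1 = directory root
    ( cd "$1" || exit 1
      find . -type f | LC_ALL=C sort | while IFS= read -r f; do
          printf '%s %s %s\n' "${f#./}" \
              "$(stat -c '%a %U %G' "$f")" \
              "$(sha256sum "$f" | cut -d' ' -f1)"
      done )
}

# Print the manifest lines that differ. Lines starting with '<' come from the
# source manifest, lines starting with '>' from the destination manifest.
# Returns 0 when the two manifests are identical, 1 otherwise.
compare_manifests() {  # $1 = source manifest, $2 = destination manifest
    if diff "$1" "$2" | grep '^[<>]'; then
        return 1
    fi
    return 0
}

# Typical use (paths as given in the tables above):
#   on the 32-bit host:  make_manifest /opt/SymantecDLP/Protect/plugins > src.manifest
#   on the 64-bit host:  make_manifest /opt/SymantecDLP/Protect/plugins > dst.manifest
#   then, with both files on one host:
#                        compare_manifests src.manifest dst.manifest
```

A file that was copied without its attributes shows up as a '<' and '>' pair for the same path with a different mode, owner or group; a differing hash on an otherwise identical line means the content changed in transit.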
Chapter
In the Enforce Server administration console, navigate to the System > Servers
> Overview > Server Detail - Advanced Server Settings screen for the
detection server you want to tune.
Note: You must have Server Administrator role privileges to access this screen.
Table 4-1
Parameter
Default setting
Recommended setting
MessageChain.NumChains
4 or 8
MessageChain.CacheSize
Remarks
In the Enforce Server administration console, navigate to the System > Servers
> Overview > Configure Server screen for the Network Prevent for Email
detection server you want to tune for 64-bit performance.
Note: You must have Server Administrator role privileges to access this screen.
Table 4-2
Parameter
Default setting
Recommended setting
Remarks
Number of Connections
12
Example 2
Example 3
Host hardware
8 physical cores
12 physical cores
12 physical cores
24 GB RAM
48 GB RAM
Hyper-threaded
16 GB JVM
16 GB JVM
48 GB RAM
16 GB JVM
MessageChain.NumChains
Table 4-3
Example 2
Example 3
MessageChain.
12 (same as chains)
24 (same as chains)
36 (3 x message chains)
72 (3 x message chains)
8 (same as chains)
CacheSize
Maximum Number of SMTP 24 (3 x message chains)
Connections for Network
Prevent for Email
Network Discover
Host hardware
MessageChain.NumChains
MessageChain.CacheSize
12 physical cores
16 physical cores
16 physical cores
Hyper-threaded
64 GB RAM
Hyper-threaded
48 GB RAM
20 GB JVM
64 GB RAM
16 GB JVM
20 GB JVM
24
32
16