
Symantec Data Loss Prevention 64-bit Server Migration and Tuning Guide
Version 12.5
Documentation version: 12.5a

Legal Notice
Copyright 2014 Symantec Corporation. All rights reserved.
Symantec, the Symantec Logo, and the Checkmark Logo are trademarks or registered
trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other
names may be trademarks of their respective owners.
This Symantec product may contain third party software for which Symantec is required to
provide attribution to the third party (Third Party Programs). Some of the Third Party Programs
are available under open source or free software licenses. The License Agreement
accompanying the Software does not alter any rights or obligations you may have under those
open source or free software licenses. Please see the Third Party Legal Notice Appendix to
this Documentation or TPIP ReadMe File accompanying this Symantec product for more
information on the Third Party Programs.
The product described in this document is distributed under licenses restricting its use, copying,
distribution, and decompilation/reverse engineering. No part of this document may be
reproduced in any form by any means without prior written authorization of Symantec
Corporation and its licensors, if any.
THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED
CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED
WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR
NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH
DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL
NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION
WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE
INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE
WITHOUT NOTICE.
The Licensed Software and Documentation are deemed to be commercial computer software
as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19
"Commercial Computer Software - Restricted Rights" and DFARS 227.7202, "Rights in
Commercial Computer Software or Commercial Computer Software Documentation", as
applicable, and any successor regulations. Any use, modification, reproduction release,
performance, display or disclosure of the Licensed Software and Documentation by the U.S.
Government shall be solely in accordance with the terms of this Agreement.

Symantec Corporation
350 Ellis Street
Mountain View, CA 94043
http://www.symantec.com

Technical Support
Symantec Technical Support maintains support centers globally. Technical Support's
primary role is to respond to specific queries about product features and functionality.
The Technical Support group also creates content for our online Knowledge Base.
The Technical Support group works collaboratively with the other functional areas
within Symantec to answer your questions in a timely fashion. For example, the
Technical Support group works with Product Engineering and Symantec Security
Response to provide alerting services and virus definition updates.
Symantec's support offerings include the following:

A range of support options that give you the flexibility to select the right amount
of service for any size organization

Telephone and/or Web-based support that provides rapid response and
up-to-the-minute information

Upgrade assurance that delivers software upgrades

Global support purchased on a regional business hours or 24 hours a day, 7
days a week basis

Premium service offerings that include Account Management Services

For information about Symantec's support offerings, you can visit our website at
the following URL:
www.symantec.com/business/support/
All support services will be delivered in accordance with your support agreement
and the then-current enterprise technical support policy.

Contacting Technical Support


Customers with a current support agreement may access Technical Support
information at the following URL:
www.symantec.com/business/support/
Before contacting Technical Support, make sure you have satisfied the system
requirements that are listed in your product documentation. Also, you should be at
the computer on which the problem occurred, in case it is necessary to replicate
the problem.
When you contact Technical Support, please have the following information
available:

Product release level

Hardware information

Available memory, disk space, and NIC information

Operating system

Version and patch level

Network topology

Router, gateway, and IP address information

Problem description:

Error messages and log files

Troubleshooting that was performed before contacting Symantec

Recent software configuration changes and network changes

Licensing and registration


If your Symantec product requires registration or a license key, access our technical
support Web page at the following URL:
www.symantec.com/business/support/

Customer service
Customer service information is available at the following URL:
www.symantec.com/business/support/
Customer Service is available to assist with non-technical questions, such as the
following types of issues:

Questions regarding product licensing or serialization

Product registration updates, such as address or name changes

General product information (features, language availability, local dealers)

Latest information about product updates and upgrades

Information about upgrade assurance and support contracts

Information about the Symantec Buying Programs

Advice about Symantec's technical support options

Nontechnical presales questions

Issues that are related to CD-ROMs, DVDs, or manuals

Support agreement resources


If you want to contact Symantec regarding an existing support agreement, please
contact the support agreement administration team for your region as follows:
Asia-Pacific and Japan             customercare_apac@symantec.com
Europe, Middle-East, and Africa    semea@symantec.com
North America and Latin America    supportsolutions@symantec.com

Contents

Technical Support ... 4

Chapter 1  Introducing 64-bit migration for Symantec Data Loss Prevention ... 9
    About Data Loss Prevention support for 64-bit operating systems ... 9
    About Data Loss Prevention support for 64-bit Oracle 11g database ... 10
    About tuning detection servers for 64-bit systems ... 10
    About plug-in support for 64-bit systems ... 11
    About using language packs after migrating to 64-bit servers ... 11
    About Network Discover standalone scanner support ... 12
    Migration path for Data Loss Prevention on 64-bit systems ... 13
    Workflow for migrating Data Loss Prevention to 64-bit servers ... 14

Chapter 2  Migrating the Oracle Database to a 64-bit system ... 16
    About migrating the Data Loss Prevention database to 64-bit systems ... 16
    Migrating from Oracle 10g 32-bit system to Oracle 11g 64-bit system ... 17
    Migrating 32-bit Oracle database files to 64-bit Oracle database (Windows) ... 19
    Migrating 32-bit Oracle database files to 64-bit Oracle database (Linux) ... 22

Chapter 3  Migrating Symantec Data Loss Prevention Servers to 64-bit systems ... 26
    About migrating Symantec Data Loss Prevention to 64-bit systems ... 26
    Migrating the Enforce Server to a 64-bit system ... 26
    Migrating a detection server to a 64-bit system ... 29

Chapter 4  Tuning 64-bit detection servers ... 32
    General tuning recommendations for detection servers ... 32
    Recommended SMTP connections for Network Prevent for Email ... 33
    Network Prevent for Email examples ... 34
    Other detection server examples ... 35

Chapter 1

Introducing 64-bit migration for Symantec Data Loss Prevention
This chapter includes the following topics:

About Data Loss Prevention support for 64-bit operating systems

About Data Loss Prevention support for 64-bit Oracle 11g database

About tuning detection servers for 64-bit systems

About plug-in support for 64-bit systems

About using language packs after migrating to 64-bit servers

About Network Discover standalone scanner support

Migration path for Data Loss Prevention on 64-bit systems

Workflow for migrating Data Loss Prevention to 64-bit servers

About Data Loss Prevention support for 64-bit operating systems
Over the past few years, 64-bit systems have become common as vendors have
released 64-bit versions of their operating systems and applications. 64-bit systems
have significant benefits over 32-bit systems, including performance, scalability,
and reliability. Although vendors continue to release 32-bit versions of their software,
32-bit platforms are based on a legacy architecture that is becoming less desirable
and supportable.

Symantec Data Loss Prevention began supporting 64-bit operating systems in
version 11.0. Adoption of the 64-bit platform has enabled Symantec Data Loss
Prevention to take advantage of the performance benefits inherent in 64-bit systems.
In version 12.x, Symantec Data Loss Prevention only supports 64-bit operating
systems for the server components, including the Enforce Server, detection servers,
and the Oracle database server. Dropping support for 32-bit systems enables
Symantec to focus Data Loss Prevention development, testing, and maintenance
efforts exclusively on 64-bit systems while continuing to leverage the benefits of
the 64-bit architecture.
DLP Agents are not affected by the change to exclusive support for 64-bit servers.
You can continue to deploy 32-bit and 64-bit DLP Agents in your enterprise.
Symantec recommends that you migrate your Data Loss Prevention servers to
64-bit systems as soon as possible. Migration will help improve the performance
of your Symantec Data Loss Prevention deployment, and will position you to upgrade
to future versions of Symantec Data Loss Prevention. This guide provides you with
the steps you need to take to migrate the Enforce Server, detection servers, and
the Oracle database server from 32-bit systems to 64-bit systems.

About Data Loss Prevention support for 64-bit Oracle 11g database
Symantec Data Loss Prevention began supporting the Oracle 11g 64-bit database
server in Symantec Data Loss Prevention version 11.0. You must migrate to the
Oracle 11g database on a 64-bit system to upgrade to Symantec Data Loss
Prevention version 12.
Refer to the Symantec Data Loss Prevention System Requirements and
Compatibility Guide for the Oracle database versions supported for each Data Loss
Prevention release.
See About migrating the Data Loss Prevention database to 64-bit systems
on page 16.

About tuning detection servers for 64-bit systems


When you deploy a detection server to a 64-bit system, the server settings are
generic and not necessarily tuned for any specific processor. While the default
settings are generally acceptable for many Symantec Data Loss Prevention
deployments, you can adjust certain settings to take advantage of the unique
characteristics of 64-bit systems. Although performance is related to a variety of
factors, and each detection server deployment may have unique performance
requirements, this document provides guidelines and examples for tuning detection
servers on 64-bit systems after you migrate your Symantec Data Loss Prevention
installation to a 64-bit system.
See General tuning recommendations for detection servers on page 32.

About plug-in support for 64-bit systems


Symantec Data Loss Prevention provides several programming interfaces for
developing plug-ins that let you customize and extend Symantec Data Loss
Prevention functionality.

FlexResponse plug-ins are used to take custom actions in response to policy
violations.

Lookup plug-ins are used to retrieve custom incident data from external
resources.

In general, any plug-in that uses native code must be recompiled for use on the
64-bit server. Table 1-1 describes specific support for Data Loss Prevention plug-ins
on 64-bit systems.
Table 1-1 Plug-ins supported on 64-bit

Plug-in type    Description of 64-bit support

FlexResponse    Plug-ins that use the FlexResponse Java API do not need to be
                recompiled to run on a 64-bit detection server.
                Plug-ins that use the Python Script Bridge Plug-in cannot be
                deployed to 64-bit servers because the Python Script Bridge
                FlexResponse Plug-in is only supported on 32-bit Windows
                operating systems.

Lookup          Lookup plug-ins that use the legacy Java API do not need to be
                recompiled to run on a 64-bit detection server. However, as of
                version 11.6 support for this API is deprecated. A plug-in that
                uses this API should be migrated to one of the system-provided
                Lookup plug-ins, including Script, LDAP, CSV, and Data Insight.

Note: The Data Insight server can still be installed on a 32-bit system.

About using language packs after migrating to 64-bit servers
Language packs are not affected by the exclusive support of 64-bit servers. The
same language packs are supported for 32-bit and 64-bit servers. However, you
must reinstall the language pack after you migrate to 64-bit servers.


About Network Discover standalone scanner support


The typical approach for setting up Network Discover scans is to use the Discover
Target interface in the Enforce Server administration console. This method scans
the target data repository using a remote connection initiated from the Discover
Server. With this method, the processor type of the target repository host is irrelevant
because scanning is done remotely.
Sometimes, remote scanning is not available or preferable, due to network
limitations, security concerns, or other reasons. In such cases you may be able to
use a standalone scanner to help you scan data repositories locally. For such
situations, Symantec Data Loss Prevention provides several Network Discover
scanners as standalone installers, and you can write your own and use the Generic
connector interface.
Table 1-2 lists the supported platforms for the standalone Network Discover scanners
for Symantec Data Loss Prevention version 12.
Note: Standalone scanners for Microsoft Exchange and SharePoint (2003 and
2007) are not supported in Symantec Data Loss Prevention version 12. You can
scan these repositories using the Enforce Server administration console.

Note: Once you have migrated your Data Loss Prevention system to 64-bits, Lotus
Notes targets will only support DIIOP mode. Refer to the Symantec Data Loss
Prevention Administration Guide for more information.
Table 1-2 Standalone Network Discover scanners

Scanner      Windows 32-bit  Windows 64-bit  Linux 32-bit  Linux 64-bit  AIX 32-bit  Solaris 32-bit
File System  Yes             No              Yes           Yes           Yes         Yes
Web Server   Yes             No              Yes           No            No          No
Documentum   Yes             No              No            No            No          No
Live Link    Yes             No              No            No            No          No


Migration path for Data Loss Prevention on 64-bit systems
The following sections provide migration paths for each operating system supported
by Data Loss Prevention.
To upgrade from Data Loss Prevention version 10.x 32-bit systems to Data Loss
Prevention version 12.0, you must upgrade to Data Loss Prevention version 11.0
(32-bit) first, then migrate to the 64-bit operating system, then migrate to Data Loss
Prevention version 11.0 (64-bit). From there you can directly upgrade Data Loss
Prevention to version 12.0. Once you have migrated your operating system and
you have upgraded to version 12.0, you can upgrade to version 12.5.
Table 1-3 describes the migration path for Data Loss Prevention version 12.5.
Table 1-3 Migration path for Data Loss Prevention version 12.5

Component  Origin                                         Action   Target
DLP        Data Loss Prevention version 10.x (32-bit)     Upgrade  Data Loss Prevention version 11.0 (32-bit)
DB         Oracle 10g database version 10.2.0.4 (32-bit)  Upgrade  Oracle 11g version 11.2.0.3 (32-bit)
OS         Windows or Linux Server (32-bit)               Migrate  Windows or Linux Server (64-bit)
DB         Oracle 11g version 11.2.0.3 (32-bit)           Migrate  Oracle 11g version 11.2.0.3 (64-bit)
                                                                   See About migrating the Data Loss Prevention
                                                                   database to 64-bit systems on page 16.
DLP        Data Loss Prevention version 11.0 (32-bit)     Migrate  Data Loss Prevention version 11.0 (64-bit)
                                                                   See About migrating Symantec Data Loss
                                                                   Prevention to 64-bit systems on page 26.
DLP        Data Loss Prevention version 11.0 (64-bit)     Upgrade  Data Loss Prevention 12.0 (64-bit)
DLP        Data Loss Prevention 12.0 (64-bit)             Upgrade  Data Loss Prevention 12.5 (64-bit)


Workflow for migrating Data Loss Prevention to 64-bit servers
Migrating Symantec Data Loss Prevention servers from a 32-bit operating system
to a 64-bit operating system is not an automated process. You must install new
64-bit Symantec Data Loss Prevention server software on a compatible 64-bit
operating system and then migrate supporting files from the 32-bit Symantec Data
Loss Prevention installation to the 64-bit installation. Migrating a server in place
is not supported. In addition, cross-platform migrations are not supported. For each
Symantec Data Loss Prevention server that you migrate, the target 64-bit operating
system must be of the same type as the existing 32-bit operating system. You
cannot migrate across platforms, for example from Windows 32-bit to Linux 64-bit.
See Migration path for Data Loss Prevention on 64-bit systems on page 13.
Table 1-4 describes the process to migrate an existing 32-bit Symantec Data Loss
Prevention server to a supported 64-bit operating system on a separate server
computer or virtual machine (if VM deployments are supported for the server).
Table 1-4 Workflow for migrating Data Loss Prevention to 64-bit servers

Step 1
  Action: Prepare to migrate.
  Description: Stop all Network Discover scans before you begin migrating either the
  Enforce Server or a Network Discover detection server to a 64-bit system.
  See the topic "Managing Network Discover target scans" in the Symantec
  Data Loss Prevention Administration Guide for details.
  Update all Symantec DLP Agents on endpoint computers to include the IP
  address of the new 64-bit server in their list of Endpoint Prevent servers.
  Making this configuration change now ensures that endpoint computers can
  automatically failover to the new 64-bit Endpoint Prevent server when it
  becomes available. See the topic "About Endpoint Server redundancy" in
  the Symantec Data Loss Prevention Administration Guide for information
  about setting up backup Endpoint Server connectivity.

Step 2
  Action: Upgrade to Data Loss Prevention version 11.0 (32-bit).
  Description: You must upgrade to version 11.0 for 32-bit because this is the first major
  release where 64-bit was supported. See the Symantec Data Loss
  Prevention Upgrade Guide for your platform.
  If you are already running Data Loss Prevention version 11.0 or later, skip
  this step.

Step 3
  Action: Upgrade the Data Loss Prevention database to Oracle 11g for 32-bit.
  Description: Before you upgrade to version 11.0 (32-bit), it is recommended that you
  upgrade the Oracle database to Oracle 11g version 11.2.0.3 for 32-bit. This
  version of the Oracle database is supported by all Data Loss Prevention
  11.x and 10.0 versions. See the Symantec Data Loss Prevention Oracle
  Installation and Upgrade Guide for that version for details.

Step 4
  Action: Back up the Data Loss Prevention database.
  Description: Before you migrate Data Loss Prevention to 64-bit servers, Symantec
  recommends that you back up the Oracle database. This is true even if you
  are already running Oracle 11g on a 64-bit system and you only need to
  migrate the Enforce Server and detection servers to 64-bit systems.
  See the Symantec Data Loss Prevention System Maintenance Guide for
  instructions on backing up the Oracle 11g database.

Step 5
  Action: Migrate the Data Loss Prevention database to 64-bits.
  Description: Migrating the database preserves your policies, incidents, system metadata,
  and other objects stored in Oracle.

Step 6
  Action: Migrate the Enforce Server to 64-bits.
  Description: See Migrating the Enforce Server to a 64-bit system on page 26.

Step 7
  Action: Migrate detection servers to 64-bits.
  Description: See Migrating a detection server to a 64-bit system on page 29.

Step 8
  Action: Upgrade to Data Loss Prevention version 12.0.
  Description: See the Symantec Data Loss Prevention Upgrade Guide for your platform
  for version 12.0.

Step 9
  Action: Upgrade to Data Loss Prevention version 12.5.
  Description: See the Symantec Data Loss Prevention Upgrade Guide for your platform
  for version 12.5.

See About migrating the Data Loss Prevention database to 64-bit systems
on page 16.

Chapter 2

Migrating the Oracle Database to a 64-bit system
This chapter includes the following topics:

About migrating the Data Loss Prevention database to 64-bit systems

Migrating from Oracle 10g 32-bit system to Oracle 11g 64-bit system

Migrating 32-bit Oracle database files to 64-bit Oracle database (Windows)

Migrating 32-bit Oracle database files to 64-bit Oracle database (Linux)

About migrating the Data Loss Prevention database to 64-bit systems
Migrating the Data Loss Prevention Oracle database from a 32-bit system to a
64-bit system requires that you use two separate server computers during the
migration process. You begin by using the existing 32-bit server computer, where
you install a 32-bit version of Oracle 11g and upgrade the Oracle 10g database
files. On the 64-bit server computer, you install Oracle 11g without creating a
dedicated Symantec Data Loss Prevention database. You complete the migration
process by copying the upgraded database files from the 32-bit computer to the
correct locations on the 64-bit computer.
The following topics provide steps for performing the Oracle database migration to
64-bit systems.
See Migrating from Oracle 10g 32-bit system to Oracle 11g 64-bit system
on page 17.
See Migrating 32-bit Oracle database files to 64-bit Oracle database (Windows)
on page 19.


See Migrating 32-bit Oracle database files to 64-bit Oracle database (Linux)
on page 22.

Migrating from Oracle 10g 32-bit system to Oracle 11g 64-bit system
Complete the following steps to migrate your Oracle 32-bit database to a 64-bit
system. These steps are applicable to both Windows and Linux operating systems.
You must upgrade the database to the appropriate Oracle version for the Symantec
Data Loss Prevention you are migrating to before you migrate the Oracle database
to a 64-bit system.
Table 2-1 Migrating from Oracle 10g 32-bit system to Oracle 11g 64-bit system

Step 1
  Action: Back up the database.
  Description: Symantec recommends that you perform a cold backup of the
  Data Loss Prevention database before upgrading to a major
  version or before migrating to a 64-bit system. When performing
  the backup, include the listener settings in case creation of the
  net service name on the new database instance does not work.
  For more information, see the Symantec Data Loss Prevention
  System Maintenance Guide.

Step 2
  Action: On the 32-bit server computer where your existing Oracle
  database is installed, upgrade the database to a 32-bit Oracle
  11g version; for example, version 11.2.0.3.
  Description: You perform this upgrade on the same 32-bit server
  computer that hosts your current Oracle database
  installation. In this step you are not migrating Oracle to
  64-bit but simply upgrading your existing 32-bit Oracle
  database to the appropriate 32-bit Oracle 11g version
  compatible with the Symantec Data Loss Prevention version
  you are migrating to. See the Symantec Data Loss
  Prevention Oracle Installation and Upgrade Guide for
  upgrade instructions.
  When you install Oracle 11g, make sure that you install
  Oracle in its own, dedicated home directory. Accepting the
  default Oracle 11g installation location creates an Oracle
  home directory that is separate from the Oracle 10g home
  directory.

Step 3
  Action: Install Oracle 11g on the 64-bit server computer.
  Description: On a separate 64-bit server computer, install the same
  version of Oracle 11g that you upgraded to in the previous
  step, except this time install the 64-bit edition of Oracle.
  Refer to the Symantec Data Loss Prevention Oracle
  Installation and Upgrade Guide for instructions on installing
  Oracle 11g.
  After the installation is complete, do not create the
  Symantec Data Loss Prevention database.
  In other words, skip the section in the Symantec Data Loss
  Prevention Oracle Installation and Upgrade Guide entitled
  "Creating the Symantec Data Loss Prevention database."
  If you already installed Oracle 11g with a database on the
  64-bit server computer, use the Oracle Database
  Configuration Assistant to remove the database.

Step 4
  Action: Create the TNS listener on the 64-bit server computer.
  Description: Refer to the corresponding section in the Symantec Data Loss
  Prevention Oracle Installation and Upgrade Guide for
  instructions.

Step 5
  Action: Migrate 32-bit database files to the 64-bit server computer.
  Description: On the 32-bit server computer, generate an Oracle 11g
  pfile from the spfile.
  Copy all Oracle 11g database files from their locations on
  the 32-bit server computer to the same locations on the
  64-bit server computer.
  To complete these steps, follow the instructions in the
  appropriate section for your platform.
  See Migrating 32-bit Oracle database files to 64-bit Oracle
  database (Windows) on page 19.
  See Migrating 32-bit Oracle database files to 64-bit Oracle
  database (Linux) on page 22.

Step 6
  Action: Install the Oracle Critical Patch Update (CPU) on the 64-bit
  server computer.
  Description: Refer to the Symantec Data Loss Prevention Oracle <version>
  <date> Critical Patch Update Guide or the Oracle
  documentation accompanying the CPU for details on applying
  the latest CPU for the Oracle version you have upgraded and
  migrated to.


Migrating 32-bit Oracle database files to 64-bit Oracle database (Windows)
Complete the following steps to migrate the necessary Oracle database files from
a 32-bit Oracle 11g installation to a 64-bit Oracle 11g installation on Windows.
To migrate 32-bit Oracle database files to 64-bit Oracle database on Windows

1  On the 32-bit server computer, open a command prompt and start SQL*Plus:
   sqlplus /nolog

2  Log on as the SYS user:
   SQL> connect sys/password as sysdba
   Where password represents the SYS password.

3  Create a list of directories for migration by running the following command in
   SQL*Plus:
   SELECT SUBSTR(file_name, 1, INSTR(file_name, '\', -1, 1) - 1)
   directory FROM dba_data_files;

4  Determine the directory for creating a new pfile by running the following
   command in SQL*Plus:
   SELECT SUBSTR(value, 1, INSTR(value, '\', -1, 1) - 1) directory
   FROM v$parameter WHERE name = 'spfile';

5  Create a pfile from the spfile by running the following commands:
   SQL> create pfile='<path>\init.ora' from spfile;
   Where <path> is the path returned by the command you ran in step 4.

6  Stop the Oracle service before copying the files. For more information on
   stopping and starting Windows services see your Microsoft Windows
   documentation.

7  Copy the Oracle database files from the 32-bit server computer to the 64-bit
   server computer. Always ensure that you copy the files to the same directory
   location on the 64-bit server destination. If the directories do not exist on the
   destination server, create them.
   Copy the following files and directories to the corresponding directory on the
   64-bit server computer.

   Location: <path> where <path> is the path returned by the command you ran in step 3.
   Description: Copy the contents of all directories returned by the command you ran
   in step 3 to migrate database, log, and control files.

   Location: %ORACLE_HOME%\database\PWDprotect.ora
   Description: Copy the remote password file.

   Location: <path> where <path> is the path returned by the command you ran in step 4.
   Description: Copy the directory and pfile returned by the command you ran in step 4.

   Location: flash_recovery_area\*
   Description: If you configured disk-based backup and recovery for Oracle, copy the
   complete contents of the flash_recovery_area\ directory.

8  If the 64-bit server computer uses a different directory structure for the Oracle
   installation, you must manually edit the init.ora file that you created to specify
   the correct location for directories on the 64-bit server computer.
   For example, if the 32-bit Oracle software was installed on the c:\ drive and
   the 64-bit Oracle software was installed on the d:\ drive, edit
   c:\oracle\product\11.2.0\db_1\admin\protect\pfile\init.ora and
   change all drive references from c:\ to d:\.

9  On the 64-bit server computer, open a command prompt and set the
   ORACLE_HOME and ORACLE_SID environment variables. For example:
   set ORACLE_HOME=c:\oracle\product\11.2.0\db_1
   set ORACLE_SID=protect

10 If you did not re-create the TNS listener on the 64-bit server computer, you
   must do so now.
   Refer to the Symantec Data Loss Prevention Oracle Installation and Upgrade
   Guide for instructions on doing this.

11 Create a new Oracle service from the pfile that you migrated from the 32-bit
   system. Open a command prompt and run the following commands:
   cd %ORACLE_HOME%\database
   oradim -new -sid protect -startmode auto -pfile init.ora

12 Start SQL*Plus and generate a spfile by running the following commands:
   sqlplus /nolog
   SQL> connect / as sysdba
   SQL> create spfile from pfile='init.ora';

13 Shut down the database and start it in upgrade mode by running the following
   commands:
   SQL> shutdown immediate
   SQL> startup upgrade

14 Run the following script:
   SQL> @?\rdbms\admin\utlirp.sql

15 Configure the Oracle system memory for the 64-bit Oracle Database by running
   the following commands:
   SQL> alter system set memory_max_target = 3072m scope=spfile;
   SQL> alter system set memory_target = 3072m scope=spfile;

16 Restart the database by running the following commands:
   SQL> shutdown immediate
   SQL> startup

17 Run the following script:
   SQL> @?\rdbms\admin\utlrp.sql

18 Back up the database. For more information, see the Symantec Data Loss
   Prevention System Maintenance Guide.

Migrating 32-bit Oracle database files to 64-bit Oracle database (Linux)
Complete the following steps to migrate the necessary Oracle database files from
a 32-bit Oracle 11g installation to a 64-bit Oracle 11g installation on Linux.
To migrate 32-bit Oracle database files to 64-bit Oracle database on Linux

1 On the 32-bit server computer, open a command prompt and start SQL*Plus:
sqlplus /nolog

2 Log on as the SYS user:
SQL> connect sys/password as sysdba
Where password represents the SYS password.

3 Create a list of directories for migration by running the following command in
SQL*Plus:
SELECT SUBSTR(file_name, 1, INSTR(file_name, '/', -1, 1) - 1)
directory FROM dba_data_files;

4 Determine the directory for creating a new pfile by running the following
command in SQL*Plus:
SELECT SUBSTR(value, 1, INSTR(value, '/', -1, 1) - 1)
directory FROM v$parameter WHERE name = 'spfile';

5 Create a pfile from the spfile.
SQL> create pfile='<path>/init.ora'
from spfile;
Where <path> is the path returned by the command you ran in step 4.

6 Shut down the Oracle database before copying the files:
SQL> shutdown immediate

7 Exit SQL*Plus:
SQL> exit

8 Copy the Oracle database files from the 32-bit server computer to the 64-bit
server computer. Always ensure that you copy the files to the same directory
location on the 64-bit server destination. If the directories do not exist on the
destination server, create them.
Copy the following files and directories to the corresponding directories on the
64-bit server computer:

| Location | Description |
| --- | --- |
| <path> where <path> is the path returned by the command you ran in step 3. | Copy the contents of all directories returned by the command you ran in step 3 to migrate database, log, and control files. |
| $ORACLE_HOME/dbs/orapwprotect | Copy the remote password file. |
| <path> where <path> is the path returned by the command you ran in step 4. | Copy the directory and pfile returned by the command you ran in step 4. |
| flash_recovery_area/* | If you configured disk-based backup and recovery for Oracle, copy the complete contents of the flash_recovery_area/ directory. |

Make sure that the copied files have the same permissions as the source files,
and that they are owned by the same oracle user and oinstall group as the
source files.
Use a text editor to open the init.ora file that you created and copied from the
32-bit system in step 5. Make sure the directories specified by the following
parameters are present on your 64-bit system. Create any missing directories
and make sure that these directories have the same permissions as the source
files. Also make sure that the files are owned by the same oracle user and
oinstall group as the source files.

audit_file_dest

core_dump_dest

diagnostic_dest

If the 64-bit server computer uses a different directory structure for the Oracle
installation, you must manually edit the init.ora file that you created to specify
the correct location for directories on the 64-bit server computer.

10 On the 64-bit server computer, open a command prompt or terminal window
and set the ORACLE_HOME and ORACLE_SID environment variables using the
following commands:
export ORACLE_HOME=/opt/oracle/product/11.2.0/db_1
export ORACLE_SID=protect

11 Export the PATH environment variable using the following command:


export PATH=$PATH:$ORACLE_HOME/bin

12 If you did not re-create the TNS listener on the 64-bit server computer, you
must do so now.
Refer to the Symantec Data Loss Prevention Oracle Installation and Upgrade
Guide for instructions on doing this.

13 Create an Oracle instance from the migrated database files by running the
following commands:
cd <ORACLE_HOME>/dbs
sqlplus /nolog
SQL> connect / as sysdba

14 Start the 64-bit Oracle database by running the following command:


SQL> startup upgrade pfile=init.ora

15 Run the following command to invalidate all of the PL/SQL modules:


SQL> @?/rdbms/admin/utlirp.sql

16 Restart the 64-bit Oracle Database by running the following commands:


SQL> shutdown immediate;
SQL> startup pfile=init.ora

17 Revalidate the existing PL/SQL modules to make sure that they are in the
format required by the 64-bit Oracle Database by running the following
command:
SQL> @?/rdbms/admin/utlrp.sql

18 Create an spfile and restart the Oracle Database using the spfile by running
the following commands:
SQL> create spfile from pfile= 'init.ora';
SQL> shutdown immediate;
SQL> startup

19 Configure the Oracle system memory for the 64-bit database by running the
following commands:
SQL> alter system set memory_max_target = 3072m scope=spfile;
SQL> alter system set memory_target = 3072m scope=spfile;

20 Restart the database by running the following commands:


SQL> shutdown immediate
SQL> startup

21 Back up the database. For more information, see the Symantec Data Loss
Prevention System Maintenance Guide.
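
One way to carry out the init.ora directory check from the Linux procedure above, as an added example that is not part of the Symantec guide: the script reads audit_file_dest, core_dump_dest and diagnostic_dest (the Oracle parameter for the diagnostic directory) from the pfile and reports directories that are missing or not owned by oracle:oinstall. The function names are assumptions of this example, and it requires GNU stat.

```shell
#!/bin/sh
# Added example, not from the Symantec guide. Function names are hypothetical.

# pfile_dirs INIT_ORA
# Prints "<parameter> <directory>" for the three directory parameters.
# Accepts the "*.name='value'" form written by "create pfile from spfile",
# as well as "<sid>.name=value" and bare "name = value" lines.
pfile_dirs() {
    awk -v q="'" '
        /^[ \t]*#/ { next }                        # comment line
        index($0, "=") == 0 { next }               # not an assignment
        {
            eq   = index($0, "=")
            name = tolower(substr($0, 1, eq - 1))  # parameter names ignore case
            gsub(/[ \t]/, "", name)
            sub(/^.*\./, "", name)                 # drop "*." or "<sid>." prefix
            if (name != "audit_file_dest" && name != "core_dump_dest" &&
                name != "diagnostic_dest") next
            val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t\r]+$/, "", val)     # trim blanks and a stray CR
            gsub("^[" q "\"]|[" q "\"]$", "", val) # strip surrounding quotes
            print name, val
        }' "$1"
}

# check_pfile_dirs INIT_ORA [OWNER:GROUP]
# Prints one line per problem and returns 1 if any listed directory is
# missing or is not owned by OWNER:GROUP (default oracle:oinstall, the
# user and group named in the guide). Modes must still be compared with
# the source host; this check covers existence and ownership only.
check_pfile_dirs() {
    _want=${2:-oracle:oinstall}
    _problems=$(pfile_dirs "$1" | while read -r _name _dir; do
        if [ ! -d "$_dir" ]; then
            echo "MISSING $_name=$_dir"
        elif [ "$(stat -c '%U:%G' "$_dir")" != "$_want" ]; then
            echo "OWNER   $_name=$_dir is $(stat -c '%U:%G' "$_dir"), expected $_want"
        fi
    done)
    if [ -n "$_problems" ]; then
        printf '%s\n' "$_problems"
        return 1
    fi
    return 0
}

# Usage on the 64-bit host: sh check_pfile.sh "$ORACLE_HOME/dbs/init.ora"
if [ $# -gt 0 ]; then
    check_pfile_dirs "$@"
fi
```

Run it before step 14; a MISSING line for audit_file_dest is worth fixing first, because that directory holds the instance's audit files.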

Chapter

Migrating Symantec Data Loss Prevention Servers to 64-bit systems
This chapter includes the following topics:

About migrating Symantec Data Loss Prevention to 64-bit systems

Migrating the Enforce Server to a 64-bit system

Migrating a detection server to a 64-bit system

About migrating Symantec Data Loss Prevention to 64-bit systems
This section provides instructions for migrating the Symantec Data Loss Prevention
Enforce Server and detection servers to 64-bit systems.
Note: This section assumes you have already migrated the Oracle database server
to 64-bit. If you have not, you must migrate the Oracle database before you migrate
the Enforce Server. See About migrating the Data Loss Prevention database to
64-bit systems on page 16.

Migrating the Enforce Server to a 64-bit system


Migrating the Enforce Server to a 64-bit operating system requires that you deploy
a 64-bit system and install a 64-bit Enforce Server to that system. During the
installation of the 64-bit Enforce Server, you should preserve the existing Oracle
database. Use the following procedure to migrate the Enforce Server to a 64-bit
system and ensure that all configuration data is preserved. The steps assume you
have already migrated the Oracle database server to a 64-bit system.
See About migrating the Data Loss Prevention database to 64-bit systems
on page 16.
Warning: Do not initialize the Enforce Server database when you install the new
64-bit Enforce Server database. You must preserve the existing database to ensure
that all configuration, policy, and incident data is carried over to the new system.
To migrate the Enforce Server to a 64-bit operating system

Shut down and disable the Vontu services on the 32-bit Enforce Server host.
See the chapter "Managing Enforce Server services and settings" in the
Symantec Data Loss Prevention Administration Guide.

After you have verified that the services have stopped, disable the services to
prevent them from automatically starting when the server computer restarts.
See the chapter "Managing Enforce Server services and settings" in the
Symantec Data Loss Prevention Administration Guide.

Install the Enforce Server for your new 64-bit platform by following the steps
in the Symantec Data Loss Prevention Installation Guide.
Adhere to the following deviations in the installation steps when installing the
Enforce Server for migration purposes.


| Action | Description |
| --- | --- |
| Select the CryptoMasterKey.properties file. | During the installation of the Enforce Server, the installation wizard asks for a CryptoMasterKey.properties file. You can elect to bypass the request and not add the file, or you can add the properties file by following the instructions in the wizard. The file is located in directory \SymantecDLP\Protect\config. |
| Do not initialize the existing Enforce Server database. | During the installation process, make sure you reuse (do not initialize) the existing Enforce Server database by following these steps: On the Oracle Database Server Information and Oracle Database User Configuration panels, enter the connectivity information and credentials for the new 64-bit Enforce Server database. On the Final Confirmation panel, deselect the Initialize Enforce Data check box. |
| Do not start the "Vontu" protect services. | After the installation completes, deselect the Start Services check box. |

After installing the new 64-bit server, manually copy the following additional
configuration files from the 32-bit server to the same directories on the 64-bit
host.
Note: As of Symantec Data Loss Prevention version 11.6, SymantecDLP is the
default name for the installation directory for Data Loss Prevention files.

Note: On Linux systems, ensure that you preserve the same file permissions
and ownership attributes when copying files between systems.

| Directory | Description |
| --- | --- |
| \SymantecDLP\Protect\plugins or /opt/SymantecDLP/Protect/plugins | Copy the entire contents of the plugins directory if you use custom plug-ins, or if you have configured native scan options with Network Discover. If any plug-ins require resources that reside outside of the plugins directory, copy those resources as well. Note: Any plug-ins that use native code must be recompiled for use on the 64-bit Enforce Server computer or virtual machine. Do not copy 32-bit native plug-ins to the new server. |
| \SymantecDLP\Protect\config or /opt/SymantecDLP/Protect/config | If you manually edited a Symantec Data Loss Prevention properties file (.properties extension) other than jdbc.properties, copy that file to the same location on the 64-bit Enforce Server computer or virtual machine. Note: Do not copy the jdbc.properties file to the new server computer or virtual machine. Do not copy any configuration files (.conf extension) to the new computer. Many of the properties in these files define directory and file locations. If you copy a properties file to the 64-bit computer, also edit the file in its new location to ensure that all paths are valid. For example, if you installed the 32-bit Enforce Server on the c:\ drive and the 64-bit server on the d:\ drive, edit any copied properties files to specify d:\ as the root drive. |
| \SymantecDLP\Protect\scan\incremental_index or /var/SymantecDLP/scan/incremental_index | If you configured Network Discover incremental scans, copy the entire incremental_index directory to the 64-bit Enforce Server installation to preserve the index data. |

Reinstall any language packs that you used on the 32-bit Enforce Server.
See the Symantec Data Loss Prevention Installation Guide.

Import any custom certificates that are necessary to communicate with installed
detection servers, Active Directory connections, or FlexResponse plug-ins.
See details about configuring certificates in the Symantec Data Loss Prevention
Installation Guide for your platform.

Start the 64-bit Enforce Server after copying all configuration files.
See the chapter "Managing Enforce Server services and settings" in the
Symantec Data Loss Prevention Administration Guide.

Migrating a detection server to a 64-bit system


To migrate a Symantec Data Loss Prevention 32-bit detection server to a 64-bit
detection server, follow these steps in order:
To migrate a detection server to a 64-bit operating system

1 Ensure that the 64-bit detection server system contains all of the third-party
software for the detection server you are migrating.
For example, if you are migrating a 32-bit Network Discover detection server,
you may also require a 64-bit version of Outlook 2010 on the server computer.

2 Install the 64-bit detection server software on the designated server computer
or virtual machine (if the detection server supports virtual machine deployment).
See the Symantec Data Loss Prevention Installation Guide for your platform.

3 After installing the new 64-bit server, manually copy the following additional
configuration files from the 32-bit server to the same directories on the 64-bit
computer or virtual machine:

| Directory | Description |
| --- | --- |
| \SymantecDLP\Protect\plugins or /opt/SymantecDLP/Protect/plugins | Copy the entire contents of the plugins directory if you use custom plug-ins. If any plug-ins require resources that reside outside of the plugins directory, copy those resources as well. Note: Any plug-ins that use native code must be recompiled for use on the 64-bit detection server computer or virtual machine. Do not copy 32-bit native plug-ins to the new server. See About plug-in support for 64-bit systems on page 11. |
| \SymantecDLP\Protect\config or /opt/SymantecDLP/Protect/config | If you manually edited a Symantec Data Loss Prevention properties file (.properties extension) other than jdbc.properties, copy that file to the same location on the 64-bit detection server computer or virtual machine. Note: Do not copy any configuration files (.conf extension) to the new computer. Many of the properties in these files define directory and file locations. If you copy a properties file to the 64-bit computer, also edit the file in its new location to ensure that all paths are valid. For example, if you installed the 32-bit Enforce Server on the c:\ drive and the 64-bit server on the d:\ drive, edit any copied properties files to specify d:\ as the root drive. |
| \SymantecDLP\Protect\scan\incremental_index or /var/Vontu/scan/incremental_index | If you configured Network Discover incremental scans, copy the entire incremental_index directory to the 64-bit Enforce Server installation to preserve the index data. |
| \SymantecDLP\Protect\lib\jdbc or /opt/SymantecDLP/Protect/lib/jdbc | If you added a JDBC driver to the 32-bit detection server, copy the driver to the 64-bit detection server computer or add a 64-bit version of the driver to the 64-bit server |

Note: On Linux systems, ensure that you preserve the same file permissions
and ownership attributes when copying files between systems.

4 Import any custom certificates that are necessary to communicate with the
Enforce Server and any other network component. For example, you may need
to reimport certificates on a Network Prevent for Email server to support TLS
communication with MTAs.
See details about configuring certificates in the Symantec Data Loss Prevention
Installation Guide for your platform.
See Configuring keys and certificates for TLS in the Symantec Data Loss
Prevention MTA Integration Guide for Network Prevent for Email.

5 Start the 64-bit detection server if it is not already running.
See the chapter "Managing Enforce Server services and settings" in the
Symantec Data Loss Prevention Administration Guide.

6 Log in to the Enforce Server administration console for the deployment.

7 Select System > Servers > Overview.

8 Click the name of the 32-bit detection server that you are migrating.

9 Click Configure.

10 Edit the Host and Port fields to point to the new 64-bit server computer or
virtual machine.

11 Click Save.
12 Click Done.
13 Shut down the 32-bit detection server that you migrated.
See the chapter "Managing Enforce Server services and settings" in the
Symantec Data Loss Prevention Administration Guide.
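
The Linux notes in this guide require copied files to keep the permissions and ownership they had on the source, both for the Oracle files (including the password file orapwprotect) and for the Enforce Server and detection server configuration files. The script below is an added example, not part of the Symantec guide: it records mode, owner, group and SHA-256 for each file on the 32-bit host and re-checks them on the 64-bit host. The function names and manifest format are assumptions of this example, and it requires GNU stat and sha256sum.

```shell
#!/bin/sh
# Added example, not from the Symantec guide. Function names and the
# manifest layout are hypothetical. File names containing newlines or
# leading blanks are not supported.

# make_manifest DIR...
# Run on the 32-bit source host with absolute paths (the guide copies files
# to the same locations on the destination). Prints one line per file:
#   <octal mode> <owner> <group> <sha256> <path>
make_manifest() {
    for _dir in "$@"; do
        find "$_dir" -type f | sort | while IFS= read -r _f; do
            printf '%s %s %s\n' \
                "$(stat -c '%a %U %G' "$_f")" \
                "$(sha256sum < "$_f" | cut -d' ' -f1)" \
                "$_f"
        done
    done
}

# verify_manifest FILE
# Run on the 64-bit destination host. Prints one line per discrepancy and
# returns 1 if any file is missing, altered, or differs in mode or ownership.
verify_manifest() {
    _rc=0
    while read -r _mode _owner _group _sum _path; do
        if [ ! -f "$_path" ]; then
            echo "MISSING  $_path"; _rc=1; continue
        fi
        _have=$(stat -c '%a %U %G' "$_path")
        if [ "$_have" != "$_mode $_owner $_group" ]; then
            echo "PERM     $_path (expected $_mode $_owner $_group, found $_have)"
            _rc=1
        fi
        if [ "$(sha256sum < "$_path" | cut -d' ' -f1)" != "$_sum" ]; then
            echo "CONTENT  $_path"; _rc=1
        fi
    done < "$1"
    return "$_rc"
}

# Usage:
#   source host:       sh manifest.sh make /opt/oracle/oradata > manifest.txt
#   destination host:  sh manifest.sh verify manifest.txt
case "${1:-}" in
    make)   shift; make_manifest "$@" ;;
    verify) verify_manifest "$2" ;;
esac
```

Owner and group are compared by name, so the oracle user and oinstall group must already exist on the destination. Store and transfer the manifest with the same care as the copied files, because it lists where the password file and the configuration files are located.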

Chapter

Tuning 64-bit detection servers
This chapter includes the following topics:

General tuning recommendations for detection servers

Recommended SMTP connections for Network Prevent for Email

Network Prevent for Email examples

Other detection server examples

General tuning recommendations for detection servers
By default Symantec Data Loss Prevention servers are configured for the minimum
hardware requirements. If the specifications for your servers are higher, you may
get better performance and scale by changing the settings as described in this
section of the guide.
Note: See the Symantec Data Loss Prevention System Requirements Guide for
details on the minimum hardware requirements.

To tune a detection server for higher performance

In the Enforce Server administration console, navigate to the System > Servers
> Overview > Server Detail - Advanced Server Settings screen for the
detection server you want to tune.
Note: You must have Server Administrator role privileges to access this screen.

Edit the default settings to match the recommended 64-bit settings.


See Table 4-1 on page 33.

Restart the File Reader process.


To do this, refer to the topics "Enabling Advanced Process Control" and "Server
Controls" in the Symantec Data Loss Prevention Administration Guide and
online Help.

Table 4-1 General performance tuning recommendations for detection servers

| Parameter | Default setting | Recommended setting | Remarks |
| --- | --- | --- | --- |
| MessageChain.NumChains | 4 (typically) or 8 (for some detection servers) | Up to 2 times the number of physical cores with hyper-threading. 1 times the number of physical cores if no hyper-threading. | This setting establishes the number of parallel messages that the File Reader process can handle. |
| MessageChain.CacheSize | 4 or 8 | Set this value equal to the MessageChain.NumChains value. | This setting limits the number of messages that can be queued for processing by the message chains. This setting should not exceed the number of message chains. |

Recommended SMTP connections for Network Prevent for Email
To improve the performance of the Network Prevent for Email version 12.x detection
server, increase the number of simultaneous SMTP connections that the server
can accommodate.

To edit the number of SMTP connections

In the Enforce Server administration console, navigate to the System > Servers
> Overview > Configure Server screen for the Network Prevent for Email
detection server you want to tune for 64-bit performance.
Note: You must have Server Administrator role privileges to access this screen.

Edit the default setting to match the recommended 64-bit setting.


See Table 4-2 on page 34.

Restart the Vontu Monitor process.


To do this, refer to the topic "Server Controls" in the Symantec Data Loss
Prevention Administration Guide and online Help.

Table 4-2 Recommended SMTP connections for Network Prevent for Email

| Parameter | Default setting | Recommended setting | Remarks |
| --- | --- | --- | --- |
| Number of Connections | 12 | 3 SMTP connections for each message chain (3 to 1 ratio). | This recommended ratio applies to both hyper-threaded (HT) and non-HT 64-bit systems. |

Network Prevent for Email examples


The following set of examples is specific to the Network Prevent for Email version
12.x or later detection server.

Table 4-3 Network Prevent for Email example settings for 64-bit detection servers

| Detection server setting | Example 1 | Example 2 | Example 3 |
| --- | --- | --- | --- |
| Host hardware | 8 physical cores, 24 GB RAM, 16 GB JVM | 12 physical cores, 48 GB RAM, 16 GB JVM | 12 physical cores, Hyper-threaded, 48 GB RAM, 16 GB JVM |
| MessageChain.NumChains | 8 (1 x physical cores no HT) | 12 (1 x physical cores no HT) | 24 (up to 2 x physical cores with HT) |
| MessageChain.CacheSize | 8 (same as chains) | 12 (same as chains) | 24 (same as chains) |
| Maximum Number of SMTP Connections for Network Prevent for Email | 24 (3 x message chains) | 36 (3 x message chains) | 72 (3 x message chains) |

Other detection server examples


The following set of examples demonstrates 64-bit settings for other types of version
12.x or later detection servers, including Network Prevent for Web, Network Monitor,
and Network Discover.

Table 4-4 Other 64-bit detection server examples

| Detection server setting | Network Prevent for Web | Network Monitor | Network Discover |
| --- | --- | --- | --- |
| Host hardware | 12 physical cores, Hyper-threaded, 48 GB RAM, 16 GB JVM | 16 physical cores, 64 GB RAM, 20 GB JVM | 16 physical cores, Hyper-threaded, 64 GB RAM, 20 GB JVM |
| MessageChain.NumChains | 24 (up to 2 x physical cores with HT) | 16 (1 x physical cores no HT) | 32 (up to 2 x physical cores with HT) |
| MessageChain.CacheSize | 24 | 16 | 32 |
