Upgrade the Deep Security cryptographic algorithm

Deep Security 9.6 SP1 and earlier use RSA-1024 and SHA-1 to secure communication between the Deep Security Manager and Deep Security Agents. By default, Deep Security 10.0 or later uses RSA-2048 and DSA-256, which are more secure algorithms.

A new installation of Deep Security 10.0 or later will use RSA-2048 and DSA-256, but if you upgrade from an earlier version to Deep Security 10.0 or later, it will continue to use the earlier cryptographic algorithms unless you upgrade them separately.

This article describes how to upgrade the algorithms after upgrading to Deep Security 10.0 or later. After you change the settings as described in this article, the Deep Security Manager generates new certificates for itself and all managed agents. When agents connect to the Deep Security Manager again, the manager sends new certificates to the agents.

Upgrade the algorithm on Windows

  1. Use the Services window of the Microsoft Management Console to stop the "Trend Micro Deep Security Manager" service.
  2. In the Windows command line, go to the Deep Security Manager's working folder, for example, C:\Program Files\Trend Micro\Deep Security Manager.
  3. Run the dsm_c command with the following parameters to apply the new settings:

    dsm_c -action changesetting -name settings.security.defaultSignatureAlg -value "SHA256withRSA"

    dsm_c -action changesetting -name settings.security.defaultKeyLength -value "2048"

    dsm_c -action changesetting -name settings.security.forceCertificateUpdate -value "true"

  4. If you don't see any errors, restart the Trend Micro Deep Security Manager service.

Upgrade the algorithm on Linux

  1. At the command line, go to the directory where the Deep Security Manager service is running and stop the service by entering:

    service dsm_s stop

  2. In the Linux command line, go to the Deep Security Manager's working folder, for example, /opt/dsm.
  3. Run the dsm_c command with the following parameters to apply the new settings:

    ./dsm_c -action changesetting -name settings.security.defaultSignatureAlg -value "SHA256withRSA"

    ./dsm_c -action changesetting -name settings.security.defaultKeyLength -value "2048"

    ./dsm_c -action changesetting -name settings.security.forceCertificateUpdate -value "true"

  4. If you don't see any errors, restart the Trend Micro Deep Security Manager service.

Upgrade the algorithm in a multi-node environment

If you are running Deep Security Manager on multiple nodes, execute the dsm_c commands (described above) on one of the nodes, and then manually restart the "Trend Micro Deep Security Manager" service on each of the other nodes to make the changes take effect there.

Upgrade the algorithm in a multi-tenant environment

In Deep Security 10.1, the algorithm settings are independent for each tenant. You will need to update the settings for each tenant by appending the tenant name (using -tenantname) or tenant ID (using -tenantid) to the dsm_c command. For example, to change the settings for a tenant whose ID is 5:

    dsm_c -action changesetting -name settings.security.defaultSignatureAlg -value "SHA256withRSA" -tenantid 5

    dsm_c -action changesetting -name settings.security.defaultKeyLength -value "2048" -tenantid 5

    dsm_c -action changesetting -name settings.security.forceCertificateUpdate -value "true" -tenantid 5
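The Linux procedure above and the per-tenant variant can be combined into one script that applies the three settings in order, stops at the first dsm_c command that fails (so the service is only restarted when every setting was accepted, as step 4 requires), and repeats the settings for each tenant ID given. This is an added example, not a script shipped by Trend Micro. It assumes the dsm_c binary location in DSM_C (default ./dsm_c in the manager's working folder, for example /opt/dsm), that `service dsm_s start` is the counterpart of the `service dsm_s stop` command in the article, and that the keyword `primary` selects the non-tenant settings; DRY_RUN=1 only prints the commands. The same dsm_c parameters apply on Windows, where the service is stopped and restarted from the Services window instead.

```shell
#!/bin/sh
# Added example (not Trend Micro's script): apply the Deep Security Manager
# cryptographic-algorithm settings from the article, optionally per tenant.
# Assumptions: DSM_C is the dsm_c binary (default ./dsm_c, run from the
# manager's working folder); "service dsm_s start" restarts the manager
# (assumed counterpart of the article's "service dsm_s stop"); DRY_RUN=1
# prints every command instead of executing it.

DSM_C="${DSM_C:-./dsm_c}"
DRY_RUN="${DRY_RUN:-0}"

# Echo a command, then execute it unless DRY_RUN=1.
run() {
    echo "+ $*"
    [ "$DRY_RUN" = "1" ] || eval "$@"
}

# Print the three changesetting commands from the article, one per line,
# appending "-tenantid <id>" when a tenant ID is given.
upgrade_commands() {
    tenant="$1"
    suffix=""
    if [ -n "$tenant" ]; then
        suffix=" -tenantid $tenant"
    fi
    printf '%s\n' \
      "$DSM_C -action changesetting -name settings.security.defaultSignatureAlg -value \"SHA256withRSA\"$suffix" \
      "$DSM_C -action changesetting -name settings.security.defaultKeyLength -value \"2048\"$suffix" \
      "$DSM_C -action changesetting -name settings.security.forceCertificateUpdate -value \"true\"$suffix"
}

# Apply the settings for one tenant ("" = the primary, non-tenant settings).
# Returns non-zero at the first failing dsm_c command; the remaining
# commands for that tenant are not run.
apply_upgrade() {
    upgrade_commands "$1" | while IFS= read -r cmd; do
        run "$cmd" || { echo "failed, not restarting the service: $cmd" >&2; exit 1; }
    done
}

# Stop the service, apply the settings for every argument ("primary" or a
# tenant ID), and restart the service only if nothing failed. In a multi-node
# deployment the service still has to be restarted by hand on the other nodes.
main() {
    run "service dsm_s stop" || return 1
    for t in "$@"; do
        [ "$t" = "primary" ] && t=""
        apply_upgrade "$t" || return 1
    done
    run "service dsm_s start"
}

# Usage: DSM_C=/opt/dsm/dsm_c sh upgrade_algorithm.sh primary 5 7
# (nothing runs when the file is sourced or executed without arguments)
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it from the manager's working folder after a version upgrade; a tenant ID that dsm_c rejects stops the script before the service is restarted, which is the condition the article's step 4 asks you to check by eye.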