4.2 Traditional Change Guardian Server Installation

IMPORTANT: You cannot install the Change Guardian server as a non-root user.

You can install the Change Guardian server on your own Linux server, where you own both the hardware and the full Linux operating system that is installed on your hardware. If you want to install the managed software appliance, see Appliance Change Guardian Server Installation.

RPM Prerequisites

The operating system for the Change Guardian server must include at least the Base Server components of the SLES server or the RHEL server. Change Guardian requires the 64-bit versions of the following RPMs:

  • bash

  • bc

  • curl

  • expect

  • coreutils

  • gettext

  • glibc

  • grep

  • libgcc

  • libstdc

  • lsof

  • net-tools

  • openssl

  • python-libs

  • samba-client

  • samba-common-libs

  • samba-common-tools

  • samba-libs

  • sed

  • tcl

  • zlib

NOTE: On the SLES 11 SP4 platform, enable the SLES 11-Security-Module to install the curl-openssl1 package before installing Change Guardian 5.0 or later.

To install the Change Guardian Server interactively:

  1. On the command line, log in as the root user and type the following command to extract the installation file:

    tar zxvf cgserver-x.x.x-xx.x86_64.tgz

  2. Run the Change Guardian server installation program as the root user by typing the following command in the root of the extracted directory:

    ./install-changeguardian.sh

    NOTE: To see additional installation script options, run ./install-changeguardian.sh -h to display the Help.

  3. (Conditional) If you want to install from a custom path, specify the following command:

    ./install-changeguardian.sh --location=<custom_CG_directory_path>

    NOTE: This custom path must have 0755 permissions.

  4. Specify the language as English, then press Enter. The end user license agreement is displayed in the selected language.

  5. Press the space bar to read the license agreement. You must page through the entire agreement before you can accept it.

  6. When prompted, select the standard or custom configuration.

    If you select standard, installation proceeds with the 60-day evaluation license key included with the installer. This license key activates the full set of product features for a 60-day evaluation period. At any time you can replace the evaluation license with a license key you have purchased.

  7. (Conditional) If you select the custom configuration, complete the configuration using the following information:

    • Add a production license key: Installs a production web console license key.
    • Assign admin account password: Account for global administration of the system.
    • Assign dbauser account password: PostgreSQL database maintenance account.
    • Assign appuser account password: Account used to interact with the PostgreSQL database at runtime.
    • Customize port assignments: Change the default ports used by the system.
    • Configure LDAP authentication integration: Configure an LDAP user repository to handle authentication.
    • Configure FIPS mode: Configuring FIPS using the custom configuration is not currently supported. For more information about configuring Change Guardian to run in FIPS mode, see Configure Change Guardian to Run in FIPS Mode.

  8. Create an admin account password for global system administration.

  9. Create a Change Guardian cgadmin user password. Use this account to log in to the Policy Editor. This account has the privilege to administer monitoring configuration.

    NOTE: The cgadmin, dbauser, and appuser accounts use this password.

  10. Configure the default email host using the following information:

    • SMTP Host – The full name, including domain name, of the email server from which you want to send scheduled reports by email. You must be able to resolve the specified hostname from the Change Guardian server.

    • SMTP Port – The remote SMTP port used to connect. The default is 25.

    • From – The return email address appearing on each email sent.

    • SMTP User Name (Optional) – The user name to use when connecting to the SMTP server.

    • SMTP Password (Optional) – The password that corresponds to the SMTP user name.

    NOTE: This step is necessary if you want to email reports. You can skip this step, but if you later decide to email reports and events, you must use the Change Guardian server configure_cg.sh script to update this configuration.

When the Change Guardian server installation finishes, the server starts. It might take a few minutes for all services to start after installation. Wait until the installation finishes and all services start before you log in to the server.

To access the Change Guardian web interface, specify the following URL in your web browser:

https://IP_Address_Change_Guardian_server:8443

4.2.1 Configuring Change Guardian Server

After installing the Change Guardian server, you must configure several items to ensure communication for the components.

If you want Change Guardian to run in FIPS mode, you must complete additional steps. For more information, see Configure Change Guardian to Run in FIPS Mode.

Verify the Server Host Name

You have the option to install the Change Guardian server using a static IP address or a dynamic (DHCP) IP address mapped to a host name. For the Change Guardian server to work correctly when it is configured to use DHCP, ensure that the system returns its host name correctly by using the following procedure:

  1. Verify the host name configuration with the following command: cat /etc/HOSTNAME

  2. Check the server host name setting with the following command: hostname -f

  3. Verify the DHCP configuration with the following command: cat /etc/sysconfig/network/dhcp

    NOTE: The DHCLIENT_HOSTNAME_OPTION setting should reflect the fully qualified host name of the Change Guardian server.

  4. Resolve the host name to the IP address with the following command: nslookup FULLY_QUALIFIED_HOSTNAME

  5. Resolve the server host name from the client with the following command entered from the remote server: nslookup FULLY_QUALIFIED_CHANGEGUARDIANSERVER_HOSTNAME
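The checks above, collected into a script that flags a reported name that is not fully qualified or that differs from DHCLIENT_HOSTNAME_OPTION. This is an added example, not part of the Change Guardian documentation; it uses the SLES paths named in the procedure (on RHEL the static name lives in /etc/hostname), and the values in its comments are constructed.

```shell
#!/bin/sh
# Added example (not part of the Change Guardian documentation): runs the host
# name checks above and flags a mismatch. Paths are the SLES ones the procedure
# names; on RHEL the static name lives in /etc/hostname instead.

# Print the DHCLIENT_HOSTNAME_OPTION value from a sysconfig-style file,
# quotes and trailing comments removed; prints nothing if the key is absent.
dhcp_hostname_option() {   # dhcp_hostname_option /etc/sysconfig/network/dhcp
    grep '^[[:space:]]*DHCLIENT_HOSTNAME_OPTION=' "$1" 2>/dev/null | tail -n 1 \
        | cut -d= -f2- | sed 's/#.*//' | tr -d "\"' "
}

# 0 when NAME looks fully qualified (has a domain part and is not localhost).
is_fqdn() {
    case "$1" in
        ''|localhost|localhost.*|*.|.*) return 1 ;;
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

# 0 when the name the host reports is an FQDN and the DHCP client is
# configured to announce exactly that name (the NOTE in step 3 above).
hostname_config_consistent() {   # hostname_config_consistent FQDN DHCP_OPTION
    is_fqdn "$1" && [ "$1" = "$2" ]
}

# Run the live checks on the server (needs the hostname and nslookup tools).
run_live_checks() {
    static=$(cat /etc/HOSTNAME 2>/dev/null)
    fqdn=$(hostname -f)
    dhcp=$(dhcp_hostname_option /etc/sysconfig/network/dhcp)
    printf 'static=%s reported=%s dhcp-option=%s\n' "$static" "$fqdn" "$dhcp"
    if ! hostname_config_consistent "$fqdn" "$dhcp"; then
        echo "FAIL: reported name is not an FQDN or differs from DHCLIENT_HOSTNAME_OPTION"
        return 1
    fi
    # Forward resolution from this host; repeat the nslookup from a client too.
    if nslookup "$fqdn" >/dev/null 2>&1; then
        echo "OK: $fqdn resolves in DNS"
    else
        echo "FAIL: $fqdn does not resolve in DNS"
        return 1
    fi
}
if [ "${1:-}" = "--live" ]; then run_live_checks; fi
```

Run it as `sh check_hostname.sh --live` on the server; without the flag it only defines the functions.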

Ensure the Appropriate Server Ports Are Open

Run the following commands on the Change Guardian server to ensure that the appropriate ports are open (the iptables command inserts an ACCEPT rule for the specified TCP port):

For SLES, use:

  • iptables -I INPUT -p tcp --dport <port_number> -j ACCEPT
  • iptables-save

For RHEL, use:

  • iptables -I INPUT -p tcp --dport <port_number> -j ACCEPT
  • service iptables save

For more information, see Understanding Change Guardian Components.

Configure the Server Date and Time Synchronization

To determine the current date/time configured on the Change Guardian server, run the following command: date -u

To synchronize the Change Guardian server date/time with an external time service, configure NTP.

Configure Server Certificates

To configure trusted connections when authenticating to the Change Guardian web console, you must install valid certificates on the Change Guardian server. Use the command line tool provided on the Change Guardian server to complete the following procedure.

  1. su to the novell user.

  2. cd to /opt/novell/sentinel/setup.

  3. Generate certificate signing requests using the ./ssl_certs_cg command, and make the following selections:

    1. Generate certificate signing requests.

    2. Web Server.

    3. Specify a certificate signing request (.csr) filename.

    4. Have your generated .csr file signed by a certificate authority.

  4. Copy your CA root certificate chain (ca.crt) and the signed certificate (.crt) to /opt/novell/sentinel/setup.

  5. Import the CA root certificate chain and the web server certificate with the following commands:

    1. ./ssl_certs_cg

    2. At the menu prompt, select Import certificate authority root certificate.

    3. Enter the CA root certificate chain file name (ca.crt).

    4. At the menu prompt, select Import certificate signed by certificate authority.

    5. When prompted, select Web Server.

    6. Specify the name of the file that contains the CA’s signed digital certificate.

    7. Select another service if necessary, or select Done and exit from the service option.

  6. At the menu prompt, select Exit to exit from the TLS/SSL certificate configuration.

  7. Restart the Change Guardian server using service sentinel restart.

  8. Import the CA root certificate chain to the computer where you use the Change Guardian web console.
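Before importing with ./ssl_certs_cg in step 5, it is worth confirming that the certificate the CA returned belongs to the key behind your CSR, chains to ca.crt, and is not about to expire; a mismatch only surfaces later as a failed web console connection. The following is an added example, not part of the Change Guardian documentation: ca.crt is the chain file from step 4, while server.key, server.csr and server.crt are assumed names for the web server key, the CSR from step 3 and the signed certificate.

```shell
#!/bin/sh
# Added example (not from the Change Guardian documentation): sanity checks to
# run in /opt/novell/sentinel/setup before importing with ./ssl_certs_cg.
# ca.crt is the chain file from step 4; server.key/server.csr/server.crt are
# assumed names for the web server key, the CSR and the signed certificate.

# 0 when the certificate's public key is the one in the private key file,
# i.e. the CA signed a request that belongs to this server.
cert_matches_key() {     # cert_matches_key server.crt server.key
    pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    [ -n "$pub" ] && [ "$pub" = "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]
}

# 0 when the certificate's public key matches the CSR that was submitted.
cert_matches_csr() {     # cert_matches_csr server.crt server.csr
    pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    [ -n "$pub" ] && [ "$pub" = "$(openssl req -in "$2" -noout -pubkey 2>/dev/null)" ]
}

# 0 when the certificate verifies against the roots/intermediates in the chain file.
cert_chains_to_ca() {    # cert_chains_to_ca server.crt ca.crt
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# 0 when the certificate stays valid for at least DAYS more days (default 30).
cert_valid_for_days() {  # cert_valid_for_days server.crt [DAYS]
    openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 )) >/dev/null 2>&1
}

# Print an OK/FAIL line for one check; returns 1 when the check fails.
report() {               # report LABEL CHECK ARGS...
    label=$1; shift
    if "$@"; then echo "OK   $label"; else echo "FAIL $label"; return 1; fi
}

# Run every check; returns 1 if any of them fails.
precheck_web_server_cert() {   # precheck_web_server_cert CRT KEY CSR CA_CHAIN
    rc=0
    report "certificate public key matches private key" cert_matches_key "$1" "$2"  || rc=1
    report "certificate matches the submitted CSR"      cert_matches_csr "$1" "$3"  || rc=1
    report "certificate chains to $4"                   cert_chains_to_ca "$1" "$4" || rc=1
    report "certificate valid for 30+ days"             cert_valid_for_days "$1"    || rc=1
    return $rc
}
if [ "${1:-}" = "--check" ]; then precheck_web_server_cert server.crt server.key server.csr ca.crt; fi
```

If the chain check fails but the key check passes, ca.crt is usually missing an intermediate certificate rather than the wrong root.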

Change Default Email Host Settings

You can change the email settings after installing Change Guardian server by using the following commands:

  • cd /opt/netiq/cg/scripts
  • ./configure.sh udei

Verify the SHMMAX Setting

The SHMMAX setting configures the maximum size, in bytes, of a shared memory segment for PostgreSQL. Desirable values for SHMMAX range from hundreds of megabytes to a few gigabytes.

To change the kernel SHMMAX parameter, append the following lines to the /etc/sysctl.conf file:

    # for Sentinel Postgresql
    kernel.shmmax=1073741824

NOTE: By default, RHEL specifies a small value for this setting, so it is important to modify it when installing on this platform.
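Appending the lines blindly adds a duplicate on every run and, on its own, changes nothing in the running kernel. The following script, an added example that is not part of the Change Guardian documentation, checks the running value against the 1 GiB value shown above, appends the setting only when the file does not already set a sufficient value, and applies it with sysctl -p.

```shell
#!/bin/sh
# Added example (not from the Change Guardian documentation): checks the
# running kernel.shmmax against the 1 GiB value the guide appends, and adds
# the setting to /etc/sysctl.conf only if the file does not already set a
# sufficient value, so repeated runs do not accumulate duplicate lines.

WANT_SHMMAX=1073741824   # 1 GiB, the value shown above

# Print the last kernel.shmmax value a sysctl file sets (comments ignored);
# prints nothing when the file does not set it.
configured_shmmax() {    # configured_shmmax /etc/sysctl.conf
    sed 's/#.*//' "$1" 2>/dev/null | grep -E '^[[:space:]]*kernel\.shmmax[[:space:]]*=' \
        | tail -n 1 | cut -d= -f2 | tr -d '[:space:]'
}

# 0 when VALUE is a whole number at least as large as WANT_SHMMAX.
shmmax_is_sufficient() { # shmmax_is_sufficient VALUE
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge "$WANT_SHMMAX" ]
}

# Append the guide's two lines to FILE unless it already sets a sufficient
# value. Prints "appended" or "already-set".
ensure_shmmax_in_file() { # ensure_shmmax_in_file /etc/sysctl.conf
    if shmmax_is_sufficient "$(configured_shmmax "$1")"; then
        echo already-set
    else
        printf '# for Sentinel Postgresql\nkernel.shmmax=%s\n' "$WANT_SHMMAX" >> "$1"
        echo appended
    fi
}

# Live run (as root): the file change takes effect only after `sysctl -p`
# or a reboot, so apply it and re-read the kernel value afterwards.
apply_shmmax_live() {
    echo "running kernel.shmmax=$(cat /proc/sys/kernel/shmmax) (want >= $WANT_SHMMAX)"
    echo "/etc/sysctl.conf: $(ensure_shmmax_in_file /etc/sysctl.conf)"
    sysctl -p >/dev/null
    if shmmax_is_sufficient "$(cat /proc/sys/kernel/shmmax)"; then
        echo "kernel.shmmax is sufficient"
    else
        echo "kernel.shmmax is still too small"; return 1
    fi
}
if [ "${1:-}" = "--apply" ]; then apply_shmmax_live; fi
```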

Configure Change Guardian to Run in FIPS Mode

Change Guardian offers enhanced protection against security threats and compliance with United States federal government standards by supporting Federal Information Processing Standards (FIPS). Change Guardian leverages the FIPS 140-2 compliant features to meet the security requirements of United States federal agencies and customers with highly secure environments. Change Guardian is now re-certified by Common Criteria at EAL3+ and provides FIPS 140-2 Inside.

Complete the following procedure to configure Change Guardian to run in FIPS mode.

  1. As a root user, ensure that Mozilla Network Security Services (NSS) and Mozilla NSS Tools are installed on the Change Guardian server.

    NOTE: On SLES 12 SP3, to enable FIPS mode you must install the libfreebl3-hmac and libsoftokn3-hmac packages.

  2. (Conditional) If you want to change the keystore password, from a command prompt on the Change Guardian server, perform the following steps:

    1. Switch to the novell user.

    2. Change directory to /opt/novell/sentinel/bin.

    3. Run the chg_keystore_pass.sh script.

    Follow the on-screen prompts to change the web server keystore passwords. You will need this password later in this procedure.

  3. From a command prompt on the Change Guardian server, switch to the root user, change directory to /opt/novell/sentinel/bin, and enter the following command:

    ./convert_to_fips.sh

  4. Provide the requested input:

    1. When asked whether to back up the server, select n.

    2. Provide a password that meets the stated criteria. You will need this password later in this procedure.

    3. (Conditional) Provide the password for the Web Server keystore (the password you created in Step 2).

    4. When asked whether to enter the external certificate in the keystore database, select n.

    5. When asked whether to restart the Sentinel server, select y.

  5. Ensure that the server0.0.log file (located in /var/opt/novell/sentinel/log) contains the following entry:

    Date_Timestamp|INFO|JAVOS listener|com.netiq.cg.capi.dao.UpgradeDao.upgrade

    Upgrading EventDestination.Upgrade to fips compatible

    Date_Timestamp|INFO|JAVOS listener|com.netiq.cg.capi.dao.UpgradeDao.upgrade

    records updated=1 data={"service-host":"Server_Name","password":"Encrypted_Password","protocol":"vosrestdispatcher:rest

  6. From a command prompt, change directory to /opt/netiq/cg/javos/bin and enter the following command:

    ./convert_to_fips.sh

  7. Provide the password for the FIPS keystore database (the password you created in Step 4.b).

  8. When asked whether to restart the Java OS (javos) service, select y.

  9. Ensure that the following entry is present in the javos.log file (located in javos/log):

    Creating FIPS SSL listener on 8094

  10. From a command prompt, change directory to /opt/netiq/ams/ams/bin and enter the following command:

    ./convert_to_fips.sh

  11. Provide the requested input:

    1. Create the password for the FIPS keystore database.

    2. Re-enter the password specified in Step 11.a.

    3. When asked whether to restart the Agent Manager service, select y.

  12. Ensure that the ams.log file (located in ams/log) contains the following entry:

    INFO [Date_Timestamp,446] com.netiq.commons.security.FIPSProvider: Running in FIPS mode. Changing the SSL security provider from JSSE to FIPS. /opt/netiq/ams/ams/security/nss
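Steps 5, 9 and 12 each check a log by eye; the following script, an added example that is not part of the Change Guardian documentation, performs the three checks in one pass and lists any expected entry that is absent. The server log path is the one given in step 5; the javos and ams log paths are assumed from the bin directories named above and can be overridden with JAVOS_LOG and AMS_LOG.

```shell
#!/bin/sh
# Added example (not part of the Change Guardian documentation): confirms that
# the log entries steps 5, 9 and 12 describe are present after the three
# convert_to_fips.sh runs. The javos and ams log paths are assumed from the
# bin directories named above; override them with JAVOS_LOG/AMS_LOG if needed.

# Print each MARKER (arguments after FILE) that does not occur in FILE;
# prints nothing and returns 0 when every marker is found.
missing_markers() {      # missing_markers FILE MARKER...
    file=$1; shift
    missing=0
    for marker in "$@"; do
        if ! grep -qF -- "$marker" "$file" 2>/dev/null; then
            printf '%s\n' "$marker"
            missing=1
        fi
    done
    return $missing
}

# Report one log: PASS line, or FAIL plus the missing entries (returns 1).
check_log() {            # check_log LABEL FILE MARKER...
    label=$1; file=$2; shift 2
    if out=$(missing_markers "$file" "$@"); then
        echo "PASS $label: expected entries present in $file"
    else
        echo "FAIL $label: $file is missing:"
        printf '%s\n' "$out" | sed 's/^/  /'
        return 1
    fi
}

# Check all three logs. Entries from an earlier conversion also match, so
# compare the Date_Timestamp of each entry with the time of your run.
verify_fips_logs() {
    rc=0
    check_log server "${SENTINEL_LOG:-/var/opt/novell/sentinel/log/server0.0.log}" \
        'Upgrading EventDestination.Upgrade to fips compatible' 'records updated=1' || rc=1
    check_log javos "${JAVOS_LOG:-/opt/netiq/cg/javos/log/javos.log}" \
        'Creating FIPS SSL listener on 8094' || rc=1
    check_log ams "${AMS_LOG:-/opt/netiq/ams/ams/log/ams.log}" \
        'FIPSProvider: Running in FIPS mode' || rc=1
    return $rc
}
if [ "${1:-}" = "--check" ]; then verify_fips_logs; fi
```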