3.2 Traditional Installation

IMPORTANT: You cannot install Change Guardian server as a non-root user.

Change Guardian offers enhanced protection against security threats and compliance with United States federal government standards by supporting Federal Information Processing Standards (FIPS). For Change Guardian to run in FIPS mode, you must configure it after you install the Change Guardian server. For more information, see Configuring FIPS 140-2.

NOTE: FIPS mode is supported only for Change Guardian. Change Guardian is not supported if the operating system is in FIPS mode.

3.2.1 Prerequisites

The operating system for the Change Guardian server must include at least the Base Server components of the SLES server or the RHEL server. Change Guardian requires the 64-bit versions of the following RPMs:

  • bash

  • bc

  • curl

  • expect

  • coreutils

  • gettext

  • glibc

  • grep

  • libgcc

  • libstdc

  • lsof

  • net-tools

  • openssl

  • python-libs

  • samba-client

  • samba-common-libs

  • samba-common-tools

  • samba-libs

  • sed

  • tcl

  • zlib

  • fontconfig

  • dejavu-fonts

NOTE: For the SLES 11 SP4 platform, enable SLES 11-Security-Module to install the curl-openssl1 package before installing Change Guardian.
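The following script is an added example, not part of the product documentation. It checks the output of an RPM query against the package list above and reports anything missing or not installed in a 64-bit build. The function name, the report format, and the decision to accept noarch packages are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example: verify the RPM prerequisites listed above before installing.
# Package names are copied from the list as printed. Exact names differ between
# SLES and RHEL releases (for example, the libstdc entry is normally packaged
# as libstdc++ or libstdc++6), so adjust REQUIRED_RPMS for your platform.
REQUIRED_RPMS="bash bc curl expect coreutils gettext glibc grep libgcc libstdc
lsof net-tools openssl python-libs samba-client samba-common-libs
samba-common-tools samba-libs sed tcl zlib fontconfig dejavu-fonts"

# Reads "name arch" lines on stdin, i.e. the output of
#   rpm -qa --qf '%{NAME} %{ARCH}\n'
# Prints one line per problem and returns 0 only if every required package is
# installed as x86_64. noarch is accepted as an assumption, because
# architecture-independent packages such as fonts have no 64-bit build.
check_prereqs() {
    local installed pkg arches status=0
    installed=$(cat)
    for pkg in $REQUIRED_RPMS; do
        # Collect every installed architecture for this exact package name.
        arches=$(printf '%s\n' "$installed" | awk -v p="$pkg" '$1 == p { print $2 }')
        if [ -z "$arches" ]; then
            echo "MISSING   $pkg"
            status=1
        elif ! printf '%s\n' "$arches" | grep -Eqx 'x86_64|noarch'; then
            # Installed, but only as a 32-bit (or other) build.
            echo "NOT-64BIT $pkg ($(echo $arches))"
            status=1
        fi
    done
    return $status
}

# On the target host, as root before running the installer:
#   rpm -qa --qf '%{NAME} %{ARCH}\n' | check_prereqs
```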

3.2.2 Performing an Interactive Installation

This section provides information about standard and custom installation.

Standard Installation

Use the following steps to perform a standard installation:

To install the Change Guardian server:

  1. On the command line, log in as the root user and type the following command to extract the installation file:

    tar zxvf cgserver-x.x.x-xx.x86_64.tgz

  2. Run the Change Guardian server installation program as the root user by typing the following command in the root of the extracted directory:

    ./install-changeguardian.sh

    NOTE: To see additional installation script options, run the command ./install-changeguardian.sh -h to display the Help.

    Or

    If you want to install Change Guardian on more than one system, you can record your installation options in a file. You can use this file for an unattended Change Guardian installation on other systems. To record your installation options, specify the following command:

    ./install-sentinel -r <response_filename>

  3. Specify the language as English, then press Enter. The end user license agreement is displayed in the selected language.

  4. Press the space bar to read the license agreement. You must scroll through the entire agreement before you can accept it.

  5. When prompted, select the standard configuration.

    The installation proceeds with the 60-day evaluation license key included with the installer. This license key activates the full set of product features for a 60-day evaluation period. At any time you can replace the evaluation license with a license key you have purchased.

  6. Create an admin account password for global system administration.

    NOTE: While setting the admin password, only the following non-alphanumeric characters are allowed: ` ! @ $ ^ _ { } [ ] \ : " , . / ?

  7. Create a Change Guardian cgadmin user password.

    Use this account to log in to the Policy Editor. This account has the privilege to administer monitoring configuration.

    NOTE: The cgadmin, dbauser, and appuser accounts use this password.

  8. Configure the default email host using the following information:

    • SMTP Host – The full name, including domain name, of the email server from which you want to send scheduled reports by email. You must be able to resolve the specified hostname from the Change Guardian server.

    • SMTP Port – The remote SMTP port used to connect. The default is 25. For a secure connection, use 587.

    • From – The return email address appearing on each email sent.

    • SMTP User Name (Optional) – The user name to connect to the SMTP server.

    • SMTP Password (Optional) – The password that corresponds to the SMTP user name.

    • Secure Connection – The connection mechanism for the STARTTLS protocol.

    NOTE: This step is necessary if you want to email reports. You can skip this step, but if you later decide to email reports and events, you must use the Change Guardian server configure_cg.sh script to update this configuration. For more information, see Changing Default Email Host Settings.

    1. (Conditional) If the SMTP server certificate is self-signed, or is not signed by a well-known CA such as VeriSign, you must import the certificate into the server's trust store. To import the self-signed certificate or the CA certificate, complete the following steps:

      1. Download the certificate to the server.

      2. To store the certificate in activemqkeystore, run the following command on the server machine:

        /opt/novell/sentinel/jdk/jre/bin/keytool -import -alias <appropriate_alias> -keystore /etc/opt/novell/sentinel/config/.activemqkeystore.jks -file <certificate_file_path> -storepass password

      3. Restart the server by running the following command: rcsentinel restart.

After the Change Guardian server installation completes, the server starts. It might take a few minutes for all services to start after installation. Wait until the installation finishes and all services start before you log in to the server.

Custom Installation

Use the following steps to perform a custom installation.

To install the Change Guardian server:

  1. On the command line, log in as the root user and type the following command to extract the installation file:

    tar zxvf cgserver-x.x.x-xx.x86_64.tgz

  2. To install from a custom path, specify the following command:

    ./install-changeguardian.sh --location=<custom_CG_directory_path>

    NOTE: This custom path must have 0755 permissions.

    Or

    If you want to install Change Guardian on more than one system, you can record your installation options in a file. You can use this file for an unattended Change Guardian installation on other systems. To record your installation options, specify the following command:

    ./install-sentinel --location=<custom_CG_directory_path> -r <response_filename>

  3. Specify the language as English, then press Enter. The end user license agreement is displayed in the selected language.

  4. Press the space bar to read the license agreement. You must scroll through the entire agreement before you can accept it.

    NOTE: The installation finishes with the message: Change Guardian installation is complete.

  5. When prompted, select custom configuration, and complete the configuration by using the following information:

    • Add a production license key: Installs a production web console license key.
    • Assign admin account password: Account for global administration of the system.
    • Assign dbauser account password: PostgreSQL database maintenance account.
    • Assign appuser account password: Account used to interact with the PostgreSQL database at runtime.
    • Customize port assignments: Change the default ports used by the system.
    • Configure LDAP authentication integration: Configure an LDAP user repository to handle authentication.
    • Configure FIPS mode: Configuring FIPS using the custom configuration is currently not supported. For more information about configuring Change Guardian to run in FIPS mode, see Configuring FIPS 140-2.

    NOTE: While setting the admin password, only the following non-alphanumeric characters are allowed: ` ! @ $ ^ _ { } [ ] \ : " , . / ?

  6. Create an admin account password for global system administration.

  7. Create a Change Guardian cgadmin user password.

    Use this account to log in to the Policy Editor. This account has the privilege to administer monitoring configuration.

    NOTE: The cgadmin, dbauser, and appuser accounts use this password.

  8. Configure the default email host using the following information:

    • SMTP Host – The full name, including domain name, of the email server from which you want to send scheduled reports by email. You must be able to resolve the specified hostname from the Change Guardian server.

    • SMTP Port – The remote SMTP port used to connect. The default is 25. For a secure connection, use 587.

    • From – The return email address appearing on each email sent.

    • SMTP User Name (Optional) – The user name to connect to the SMTP server.

    • SMTP Password (Optional) – The password that corresponds to the SMTP user name.

    • Secure Connection – The connection mechanism for the STARTTLS protocol. Set the value to true if you want to configure the SMTP server for STARTTLS.

    NOTE: This step is necessary if you want to email reports. You can skip this step, but if you later decide to email reports and events, you must use the Change Guardian server configure_cg.sh script to update this configuration.

    1. (Conditional) If the SMTP server certificate is self-signed or not signed by a well-known CA such as VeriSign, you must import the certificate into the server's trust store. To import the self-signed certificate or the CA certificate, complete the following steps:

      1. Download the certificate to the server.

      2. To store the certificate in activemqkeystore, run the following command on the server machine:

        /opt/novell/sentinel/jdk/jre/bin/keytool -import -alias <appropriate_alias> -keystore /etc/opt/novell/sentinel/config/.activemqkeystore.jks -file <certificate_file_path> -storepass password

      3. Restart the server by running the following command: rcsentinel restart.

After the Change Guardian server installation completes, the server starts. It might take a few minutes for all services to start after installation. Wait until the installation finishes and all services start before you log in to the server.

3.2.3 Performing a Silent Installation

The silent or unattended installation is useful if you need to install more than one Change Guardian server in your deployment. You can record the installation parameters during the interactive installation and then run the recorded files on other systems.

Ensure that you have recorded the installation parameters to a file. For more information about creating the response file, see:

To enable FIPS 140-2 mode, ensure that the response file includes the following parameters:

  • ENABLE_FIPS_MODE

  • NSS_DB_PASSWORD

To perform a silent installation:

  1. Download the installation files from the Download site.

  2. Log in as root to the server where you want to install Change Guardian.

  3. Specify the following command to extract the install files from the tar file: tar -zxvf <install_filename>

  4. To record the steps to a response file, run the following command: ./install-sentinel -u <response_filename>

    The installation proceeds with the values stored in the response file. Wait until the installation finishes before you log in to the server.
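Because the response file carries NSS_DB_PASSWORD, it is worth checking both its contents and its permissions before copying it to other systems. The script below is an added example, not part of the product documentation. It assumes the response file stores one KEY=value pair per line; the function name and report format are also assumptions.

```bash
#!/usr/bin/env bash
# Added example: sanity-check a recorded response file before a silent,
# FIPS-enabled installation. Assumes KEY=value lines (format not confirmed by
# the page) and GNU stat, as shipped with SLES and RHEL.

# Returns 0 if the file is private to its owner and names both FIPS parameters,
# 1 if any check fails, 2 if the file does not exist.
check_response_file() {
    local file=$1 mode param status=0
    [ -f "$file" ] || { echo "NOT-FOUND $file"; return 2; }

    # The file holds passwords, so group and other must have no access:
    # the last two octal digits of the mode must both be 0.
    mode=$(stat -c '%a' "$file")
    case $mode in
        0|*00) ;;
        *) echo "PERMS     $file is mode $mode; restrict with: chmod 600 $file"
           status=1 ;;
    esac

    # Both parameters the page requires for FIPS 140-2 mode must be present.
    for param in ENABLE_FIPS_MODE NSS_DB_PASSWORD; do
        if ! grep -Eq "^[[:space:]]*${param}[[:space:]]*=" "$file"; then
            echo "MISSING   $param"
            status=1
        fi
    done
    return $status
}

# Usage on the target host (file name is a placeholder):
#   check_response_file <response_filename> && ./install-sentinel -u <response_filename>
```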