3.5 Configuring Change Guardian

After installing the Change Guardian server, you can configure the following.

If you want Change Guardian to run in FIPS mode, you must complete additional steps. For more information, see Configuring FIPS 140-2.

3.5.1 Configuring Memory Settings

The SHMMAX setting configures the maximum size, in bytes, of a shared memory segment for PostgreSQL. Desirable values for SHMMAX start in the hundreds of megabytes to a few gigabytes.

To change the kernel SHMMAX parameter, append the following lines to the /etc/sysctl.conf file:

# for Sentinel Postgresql
kernel.shmmax=1073741824

NOTE: By default, RHEL specifies a small value for this setting, so it is important to modify it when installing on this platform.

3.5.2 Configuring Server Date and Time Synchronization

To determine the current date and time configured on the Change Guardian server, run the following command:

date -u

To synchronize the Change Guardian server date/time with an external time service, configure NTP.

3.5.3 Verifying Server Host Name

You have the option to install the Change Guardian server using a static IP address or a dynamic (DHCP) IP address mapped to a host name. For the Change Guardian server to work correctly when configured for DHCP, ensure that the system can return its host name correctly using the following procedure:

  1. Verify the host name configuration with the following command:

    cat /etc/HOSTNAME

  2. Check the server host name setting with the following command:

    hostname -f

  3. Verify the DHCP configuration with the following command:

    cat /etc/sysconfig/network/dhcp

    NOTE: The DHCLIENT_HOSTNAME_OPTION setting should reflect the fully qualified host name of the Change Guardian server.

  4. Resolve the host name to the IP address with the following command:

    nslookup FULLY_QUALIFIED_HOSTNAME

  5. Resolve the server host name from the client with the following command, entered on the remote server:

    nslookup FULLY_QUALIFIED_CHANGEGUARDIANSERVER_HOSTNAME
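As an added example (not part of the Change Guardian documentation), the following POSIX shell script turns the procedure above into a single consistency check: it compares the name in the HOSTNAME file and the DHCLIENT_HOSTNAME_OPTION value against the expected fully qualified host name and checks that the name resolves. The functions take file paths as parameters so they can be exercised against constructed files; the CG_HOSTCHECK_LIVE variable and the use of getent instead of nslookup are assumptions.

```shell
#!/bin/sh
# Added example (not from the Change Guardian docs): consistency checks for the
# host-name verification procedure. CG_HOSTCHECK_LIVE and getent are assumptions.

# Print the value of DHCLIENT_HOSTNAME_OPTION from a SUSE-style dhcp config file.
# Quotes are stripped; the last assignment wins, as it does for the shell.
dhclient_hostname_option() {
  sed -n 's/^DHCLIENT_HOSTNAME_OPTION="\{0,1\}\([^" ]*\)"\{0,1\}.*$/\1/p' "$1" | tail -n 1
}

# Return 0 when the name resolves to at least one address (step 4), 1 otherwise.
resolves_forward() {
  getent hosts "$1" >/dev/null 2>&1
}

# Compare the HOSTNAME file and the DHCP client option against the expected FQDN
# (steps 1 to 3). Prints each mismatch; returns 0 only when everything agrees.
check_hostname_consistency() {
  hostname_file=$1; dhcp_file=$2; expected=$3; rc=0
  configured=$(head -n 1 "$hostname_file" | tr -d '[:space:]')
  if [ "$configured" != "$expected" ]; then
    echo "MISMATCH: $hostname_file contains '$configured', expected '$expected'"
    rc=1
  fi
  option=$(dhclient_hostname_option "$dhcp_file")
  case "$option" in
    "$expected") ;;
    ""|AUTO) echo "MISMATCH: DHCLIENT_HOSTNAME_OPTION is '${option:-unset}'; set it to '$expected'"; rc=1 ;;
    *)       echo "MISMATCH: DHCLIENT_HOSTNAME_OPTION is '$option', expected '$expected'"; rc=1 ;;
  esac
  # A bare short name is not fully qualified; clients on other hosts cannot resolve it.
  case "$expected" in
    *.*) ;;
    *) echo "MISMATCH: '$expected' has no domain part, so it is not fully qualified"; rc=1 ;;
  esac
  return $rc
}

# Live run on a Change Guardian server (set CG_HOSTCHECK_LIVE=1) against the files
# the procedure inspects; the expected name is what 'hostname -f' reports.
if [ "${CG_HOSTCHECK_LIVE:-0}" = 1 ]; then
  fqdn=$(hostname -f)
  check_hostname_consistency /etc/HOSTNAME /etc/sysconfig/network/dhcp "$fqdn"
  resolves_forward "$fqdn" || { echo "MISMATCH: $fqdn does not resolve to an address"; exit 1; }
fi
```

Run the client-side check (step 5) from the remote host separately; a server that passes locally can still be unreachable by name if the client uses a different resolver.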

3.5.4 Configuring FIPS 140-2

Change Guardian offers enhanced protection against security threats and compliance with United States federal government standards by supporting Federal Information Processing Standards (FIPS). Change Guardian leverages the FIPS 140-2 compliant features to meet the security requirements of United States federal agencies and customers with highly secure environments. Change Guardian is now re-certified by Common Criteria at EAL3+ and provides FIPS 140-2 Inside.

To configure Change Guardian to run in FIPS mode:

  1. As a root user, ensure that Mozilla Network Security Services (NSS) and Mozilla NSS Tools are installed on the Change Guardian server.

    NOTE: For SLES 12 SP3, to enable FIPS mode, you must install the libfreebl3-hmac and libsoftokn3-hmac packages.

  2. (Conditional) If you want to change the keystore password, from a command prompt on the Change Guardian server, perform the following steps:

    1. Switch to the novell user.

    2. Change directory to /opt/novell/sentinel/bin.

    3. Run the chg_keystore_pass.sh script.

    Follow the on-screen prompts to change the web server keystore passwords. You will need this password later in this procedure.

  3. From a command prompt on the Change Guardian server, switch to a root user, change directory to /opt/novell/sentinel/bin and enter the following command:

    ./convert_to_fips.sh

  4. Provide the requested input:

    1. When asked whether to back up the server, select n.

    2. Provide a password that meets the stated criteria. You will need this password later in this procedure.

    3. (Conditional) Provide the password for the Web Server keystore (the password you created in Step 2).

    4. When asked whether to enter the external certificate in the keystore database, select n.

    5. When asked whether to restart the Sentinel server, select y.

  5. Ensure that the server0.0.log file (located in /var/opt/novell/sentinel/log) contains the following entry:

    Date_Timestamp|INFO|JAVOS listener|com.netiq.cg.capi.dao.UpgradeDao.upgrade

    Upgrading EventDestination.Upgrade to fips compatible

    Date_Timestamp|INFO|JAVOS listener|com.netiq.cg.capi.dao.UpgradeDao.upgrade

    records updated=1 data={"service-host":"Server_Name","password":"Encrypted_Password","protocol":"vosrestdispatcher:rest

  6. From a command prompt, change directory to /opt/netiq/cg/javos/bin and enter the following command:

    ./convert_to_fips.sh

  7. Provide the password for the FIPS keystore database (the password you created in Step 4.b).

  8. When asked whether to restart the Java OS (javos) service, select y.

  9. Ensure that the following entry is present in the javos.log file (located in javos/log):

    Creating a FIPS SSL listener on 8094

  10. From a command prompt, change directory to /opt/netiq/ams/ams/bin and enter the following command:

    ./convert_to_fips.sh

  11. Provide the requested input:

    1. Create the password for the FIPS keystore database.

    2. Re-enter the password specified in Step 11.a.

    3. When asked whether to restart the Agent Manager service, select y.

  12. Ensure that the ams.log file (located in ams/log) contains the following entry:

    INFO [Date_Timestamp,446] com.netiq.commons.security.FIPSProvider: Running in FIPS mode. Changing the SSL security provider from JSSE to FIPS. /opt/netiq/ams/ams/security/nss
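As an added example (not part of the Change Guardian documentation), this POSIX shell script consolidates the three log checks in steps 5, 9 and 12 so a partially converted server is spotted before it is put into service: it looks for the expected entry in each component's log and returns the number of components whose entry is missing. The log paths are passed as parameters; the absolute locations of javos.log and ams.log shown in the comment are assumptions derived from the relative javos/log and ams/log directories above.

```shell
#!/bin/sh
# Added example (not from the Change Guardian docs): verify that each component's
# log carries the entry the FIPS conversion procedure expects.

# fips_marker_present LOGFILE PATTERN: 0 when the fixed string PATTERN occurs in LOGFILE.
fips_marker_present() {
  [ -r "$1" ] && grep -qF -- "$2" "$1"
}

# fips_conversion_status SERVER_LOG JAVOS_LOG AMS_LOG
# Prints one line per component and returns the number of components whose
# marker is missing (0 means all three logs show FIPS mode).
fips_conversion_status() {
  server_log=$1; javos_log=$2; ams_log=$3; missing=0
  # The heredoc keeps the loop in the current shell, so 'missing' survives it.
  while IFS='|' read -r component logfile marker; do
    if fips_marker_present "$logfile" "$marker"; then
      echo "OK       $component ($logfile)"
    else
      echo "MISSING  $component ($logfile): expected '$marker'"
      missing=$((missing + 1))
    fi
  done <<EOF
Change Guardian server|$server_log|Upgrading EventDestination.Upgrade to fips compatible
Java OS (javos)|$javos_log|Creating a FIPS SSL listener on 8094
Agent Manager|$ams_log|Running in FIPS mode
EOF
  return $missing
}

# Live paths on a Change Guardian server (set CG_FIPSCHECK_LIVE=1). Only the first
# path is given in the procedure; the other two are assumed from javos/log and ams/log.
if [ "${CG_FIPSCHECK_LIVE:-0}" = 1 ]; then
  fips_conversion_status /var/opt/novell/sentinel/log/server0.0.log \
                         /opt/netiq/cg/javos/log/javos.log \
                         /opt/netiq/ams/ams/log/ams.log
fi
```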

3.5.5 Changing Default Email Host Settings

You can change the Default Email Host Settings in Change Guardian by using the following commands:

cd /opt/netiq/cg/scripts

./configure.sh udei

NOTE: To configure a secure connection with STARTTLS, set the following option:

--secure-connection=true