3.5 Configuring Change Guardian

3.5.1 Configuring Memory Settings

The SHMMAX kernel parameter sets the maximum size, in bytes, of a single shared memory segment, and therefore bounds the shared memory that PostgreSQL can allocate. Desirable values for SHMMAX range from hundreds of megabytes to a few gigabytes.

To change the kernel SHMMAX parameter, append the following lines to the /etc/sysctl.conf file and then load the setting with sysctl -p (otherwise it takes effect only at the next boot):

# for Sentinel Postgresql
kernel.shmmax=1073741824

NOTE: By default, RHEL ships with a low SHMMAX value, so it is important to modify it when installing on that platform.

3.5.2 Configuring Server Date and Time Synchronization

To determine the current date and time configured on the Change Guardian server, run the following command: date -u

To synchronize the Change Guardian server date and time with an external time service, configure NTP.

3.5.3 Verifying Server Hostname

You can install the Change Guardian server with either a static IP address or a dynamic (DHCP) IP address mapped to a hostname. For the Change Guardian server to work correctly with DHCP, ensure that the system returns its hostname correctly by using the following procedure:

  1. Verify the hostname configuration:

    cat /etc/HOSTNAME

  2. Check the server hostname setting:

    hostname -f

  3. Verify the DHCP configuration:

    cat /etc/sysconfig/network/dhcp

    NOTE: The DHCLIENT_HOSTNAME_OPTION setting should reflect the fully qualified hostname of the Change Guardian server.

  4. Resolve the hostname to the IP address:

    nslookup FULLY_QUALIFIED_HOSTNAME

  5. From a remote client, verify that it can resolve the Change Guardian server hostname by running the following command on that client:

    nslookup FULLY_QUALIFIED_CHANGEGUARDIANSERVER_HOSTNAME
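The checks in 3.5.1 through 3.5.3 are easy to get wrong by hand and worth repeating on every server, so the following script runs them in one pass. It is an added example, not a Change Guardian script: it assumes the 1 GiB kernel.shmmax value shown in 3.5.1 as the minimum, the SLES 12 /etc/sysconfig/network/dhcp layout, and the tally-code format of ntpq from the ntp package (hosts using another time daemon would feed ntp_synced different input). The check functions take their input as arguments or on stdin, so they can be tried without touching the host; run_preflight wires them to the live system when the script is invoked as root with --run.

```shell
#!/bin/sh
# Preflight checks for a Change Guardian server host, covering 3.5.1 - 3.5.3.
# Added example, not a Change Guardian script. Assumptions: SHMMAX_MIN is the
# 1 GiB value the guide appends to /etc/sysctl.conf; the DHCP file and the
# ntpq tally format are those of SLES 12 with the ntp package.

SHMMAX_MIN=1073741824

# shmmax_ok VALUE: succeed when VALUE (bytes) is an integer >= SHMMAX_MIN.
shmmax_ok() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;        # empty or not a non-negative integer
    esac
    [ "$1" -ge "$SHMMAX_MIN" ]
}

# is_fqdn NAME: succeed when NAME is a usable fully qualified hostname: it has
# a domain part, contains only hostname characters, and is not a loopback name.
is_fqdn() {
    case "$1" in
        ''|localhost|localhost.localdomain) return 1 ;;
        *.*) ;;                         # has at least one label separator
        *) return 1 ;;
    esac
    case "$1" in
        *[!A-Za-z0-9.-]*|.*|*.|-*|*-|*..*) return 1 ;;
    esac
    return 0
}

# dhcp_hostname_option FILE: print the value of DHCLIENT_HOSTNAME_OPTION from a
# SLES /etc/sysconfig/network/dhcp file (last active assignment wins, double
# quotes stripped, commented-out lines ignored).
dhcp_hostname_option() {
    sed -n 's/^DHCLIENT_HOSTNAME_OPTION="\{0,1\}\([^"]*\)"\{0,1\}[[:space:]]*$/\1/p' "$1" | tail -n 1
}

# ntp_synced: succeed when the `ntpq -pn` output on stdin lists a selected
# system peer, i.e. a line whose tally code (first column) is '*'.
ntp_synced() {
    grep -q '^\*'
}

# resolves_both_ways NAME: forward-resolve NAME, reverse-resolve the first
# address, and require NAME among the names it maps to. This is the check that
# steps 4 and 5 above perform by hand with nslookup, using the host's resolver.
resolves_both_ways() {
    addr=$(getent hosts "$1" | awk 'NR == 1 { print $1 }')
    [ -n "$addr" ] || return 1
    getent hosts "$addr" | awk -v want="$1" \
        'BEGIN { rc = 1 } { for (i = 2; i <= NF; i++) if ($i == want) rc = 0 } END { exit rc }'
}

# run_preflight: apply the checks to the live host; non-zero exit on any FAIL.
run_preflight() {
    rc=0
    v=$(sysctl -n kernel.shmmax 2>/dev/null)
    if shmmax_ok "$v"; then
        echo "ok   kernel.shmmax=$v"
    else
        echo "FAIL kernel.shmmax=$v (need >= $SHMMAX_MIN; set it in /etc/sysctl.conf and run sysctl -p)"; rc=1
    fi
    if ntpq -pn 2>/dev/null | ntp_synced; then
        echo "ok   ntpd has a selected system peer"
    else
        echo "FAIL no NTP system peer (ntpd not running, not configured, or not yet synchronized)"; rc=1
    fi
    fqdn=$(hostname -f 2>/dev/null)
    if is_fqdn "$fqdn"; then
        echo "ok   hostname -f = $fqdn"
    else
        echo "FAIL hostname -f returned '$fqdn', not a fully qualified name"; rc=1
    fi
    if [ -r /etc/sysconfig/network/dhcp ]; then
        opt=$(dhcp_hostname_option /etc/sysconfig/network/dhcp)
        if [ "$opt" = "$fqdn" ]; then
            echo "ok   DHCLIENT_HOSTNAME_OPTION matches hostname -f"
        else
            echo "WARN DHCLIENT_HOSTNAME_OPTION='$opt' differs from hostname -f (required on DHCP hosts)"
        fi
    fi
    if resolves_both_ways "$fqdn"; then
        echo "ok   $fqdn resolves forward and reverse"
    else
        echo "FAIL $fqdn does not resolve forward and back to itself"; rc=1
    fi
    return $rc
}

if [ "${1:-}" = "--run" ]; then
    run_preflight
fi
```

The DHCP hostname mismatch is reported as a warning rather than a failure because only servers configured with DHCP depend on it; a static-IP host can ignore that line. The reverse-lookup check uses getent rather than nslookup so that it exercises the same resolver configuration (/etc/hosts and /etc/resolv.conf, in nsswitch order) that the Change Guardian services will use.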

3.5.4 Configuring FIPS 140-2

Change Guardian offers enhanced protection against security threats and compliance with United States federal government standards by supporting FIPS. Change Guardian leverages the FIPS 140-2 compliant features to meet the security requirements of United States federal agencies and customers with highly secure environments. Change Guardian is re-certified by Common Criteria at EAL3+ and provides FIPS 140-2 Inside.

To configure Change Guardian to run in FIPS mode:

  1. As the root user, ensure that Mozilla Network Security Services (NSS) and the Mozilla NSS Tools are installed on the Change Guardian server.

    NOTE: To enable FIPS mode on SLES 12 SP3, you must install the libfreebl3-hmac and libsoftokn3-hmac packages.

  2. Enable TLS 1.1.

  3. (Conditional) If you want to change the keystore password, at the Change Guardian server command prompt, perform the following steps:

    1. Switch to the novell user.

    2. Change directory to /opt/novell/sentinel/bin, and run the following command: ./chg_keystore_pass.sh

    Follow the on-screen prompts to change the web server keystore passwords. You need this password later during this procedure.

  4. Switch to the novell user.

  5. Change directory to /opt/novell/sentinel/bin, and run the following command:

    ./convert_to_fips.sh

  6. Enter the following information:

    1. When prompted to back up the server, select n.

    2. Provide a password that meets the stated criteria. This password is required later during this procedure.

    3. (Conditional) If you changed the web server keystore password in Step 3, specify it here.

    4. When prompted to enter the external certificate in the keystore database, select n.

    5. When prompted to restart the Sentinel server, select y.

  7. Ensure that the file /var/opt/novell/sentinel/log/server0.0.log contains the following entry:

    Date_Timestamp|INFO|JAVOS listener|com.netiq.cg.capi.dao.UpgradeDao.upgrade
    Upgrading EventDestination.Upgrade to fips compatible
    Date_Timestamp|INFO|JAVOS listener|com.netiq.cg.capi.dao.UpgradeDao.upgrade
    records updated=1 data={"service-host":"Server_Name","password":"Encrypted_Password","protocol":"vosrestdispatcher:rest

  8. Change directory to /opt/netiq/cg/javos/bin, and run the following command:

    ./convert_to_fips.sh

  9. Provide the password for the FIPS keystore database (the password you created in Step 6.2).

  10. When prompted to restart the javos service, select y.

  11. Ensure that the following entry is present in the javos/log/javos.log file:

    Creating a FIPS SSL listener on 8094

  12. Change directory to /opt/netiq/ams/ams/bin, and run the following command:

    ./convert_to_fips.sh

  13. Enter the following information:

    1. Create the password for the FIPS keystore database.

    2. Re-enter the password specified in Step 13.1.

    3. When prompted to restart the Agent Manager service, select y.

  14. Ensure that the ams.log file (located in ams/log) contains the following entry:

    INFO [Date_Timestamp,446] com.netiq.commons.security.FIPSProvider: Running in FIPS mode. Changing the SSL security provider from JSSE to FIPS. /opt/netiq/ams/ams/security/nss
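Steps 7, 11 and 14 each verify one component by reading its log. The following script performs those three checks together and adds the check the logs alone cannot give you: that the javos listener actually completes a TLS handshake on port 8094 after its restart. It is an added example, not a Change Guardian script; the three log paths are assumptions derived from the directories the procedure quotes, and the TLS probe assumes the listener is reachable on the local host. Run it as the novell user with --run after step 14.

```shell
#!/bin/sh
# Post-conversion checks for the FIPS procedure above. Added example, not a
# Change Guardian script. Assumptions: the three log paths are derived from
# the directories the procedure quotes; the TLS probe expects the javos FIPS
# listener on port 8094 of the local host.

SENTINEL_LOG=/var/opt/novell/sentinel/log/server0.0.log
JAVOS_LOG=/opt/netiq/cg/javos/log/javos.log
AMS_LOG=/opt/netiq/ams/ams/log/ams.log

# log_has FILE MARKER: succeed when the fixed string MARKER occurs in FILE.
log_has() {
    [ -r "$1" ] && grep -qF -- "$2" "$1"
}

# check_fips_logs SENTINEL_LOG JAVOS_LOG AMS_LOG: look for the entry each
# component writes once it runs in FIPS mode (the markers steps 7, 11 and 14
# tell you to look for), print one line per marker, and return the number of
# markers that are missing (0 means all three components converted).
check_fips_logs() {
    missing=0
    for spec in \
        "$1|Upgrading EventDestination.Upgrade to fips compatible" \
        "$2|Creating a FIPS SSL listener on 8094" \
        "$3|Running in FIPS mode. Changing the SSL security provider from JSSE to FIPS."
    do
        file=${spec%%|*}
        marker=${spec#*|}
        if log_has "$file" "$marker"; then
            echo "ok      $file: $marker"
        else
            echo "MISSING $file: $marker"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# tls_probe HOST PORT: complete a TLS handshake with the listener and print the
# negotiated protocol and cipher; prints nothing and fails when the port does
# not answer TLS (for example because javos did not restart).
tls_probe() {
    printf 'Q\n' | openssl s_client -connect "$1:$2" 2>/dev/null \
        | grep -E '^ *(Protocol|Cipher) *:'
}

if [ "${1:-}" = "--run" ]; then
    check_fips_logs "$SENTINEL_LOG" "$JAVOS_LOG" "$AMS_LOG" || echo "$? marker(s) missing"
    tls_probe localhost 8094 || echo "no TLS handshake on 8094"
fi
```

A missing marker usually means the corresponding service was not restarted at the prompt or the script was run as the wrong user; re-run that component's convert_to_fips.sh rather than editing the keystores by hand. The protocol and cipher printed by the probe let you confirm the listener negotiates only the TLS version and cipher suites you intend to allow.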

3.5.5 Changing Default Email Host Settings

You can change the default Email Host Settings by running the following commands:

  1. Change directory:

    cd /opt/netiq/cg/scripts

  2. Set the email host settings:

    ./configure.sh udei --admin-account=<admin_account> --admin-password=<admin_account_password> --mail-host=<SMTP_hostname> --mail-port=<SMTP_port> --mail-from=<e-mail_address> --secure-connection=<true/false>

NOTE: To configure a secure connection with STARTTLS, set the following option:

--secure-connection=true

NOTE: The admin account password is passed on the command line, so it is visible to other local users in the process list while the command runs and is written to the shell history. Run the command from an interactive session with history disabled, or remove the entry from the history file afterwards, and do not embed the password in scripts.