2.4 Configuring Change Guardian Server

After installing the Change Guardian server, you must configure several items to ensure communication for the components.

If you want Change Guardian to run in FIPS mode, you must complete additional steps. For more information, see Section 2.4.7, Configure Change Guardian to Run in FIPS Mode.

2.4.1 Verify the Server Host Name

You have the option to install the Change Guardian server using a static IP address or a dynamic (DHCP) IP address mapped to a host name. For the Change Guardian server to work correctly when configured for DHCP, ensure that the system returns its host name correctly by using the following procedure:

  1. Verify the host name configuration with the following command: cat /etc/HOSTNAME

  2. Check the server host name setting with the following command: hostname -f

  3. Verify the DHCP configuration with the following command: cat /etc/sysconfig/network/dhcp

    NOTE: The DHCLIENT_HOSTNAME_OPTION setting should reflect the fully-qualified host name of the Change Guardian server.

  4. Resolve the host name to the IP address with the following command: nslookup FULLY_QUALIFIED_HOSTNAME

  5. Resolve the server host name from the client with the following command entered from the remote server: nslookup FULLY_QUALIFIED_CHANGEGUARDIANSERVER_HOSTNAME
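The checks in steps 1 through 4 can be scripted so that a mismatch is reported explicitly. The following script is an added example, not part of the Change Guardian documentation; the FQDN cg.example.com in the usage line is an assumed value, and step 5 still has to be run from the remote client.

```shell
#!/bin/sh
# Added example, not from the Change Guardian documentation: runs the host name
# checks of this section and prints PASS or FAIL for each.
# Usage: sh check_cg_hostname.sh cg.example.com   (the FQDN is an assumed value)

# Print the value of DHCLIENT_HOSTNAME_OPTION from a sysconfig file, without
# surrounding quotes; prints nothing when the key or the file is absent.
dhclient_hostname_option() {
    sed -n 's/^[[:space:]]*DHCLIENT_HOSTNAME_OPTION[[:space:]]*=[[:space:]]*//p' "$1" 2>/dev/null \
        | tail -n 1 | tr -d '"' | tr -d "'"
}

# 0 when two host names are equal, ignoring case and a trailing dot; an empty
# first argument (missing file, unset option) never matches.
hostnames_match() {
    a=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//')
    b=$(printf '%s' "$2" | tr 'A-Z' 'a-z' | sed 's/\.$//')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# 0 when the DHCP client configuration file names EXPECTED as the host name.
dhcp_hostname_ok() {
    hostnames_match "$(dhclient_hostname_option "$1")" "$2"
}

# 0 when the resolver can answer for NAME (nslookup exits nonzero otherwise).
resolves() {
    nslookup "$1" >/dev/null 2>&1
}

# Run a check function with its arguments and report the outcome.
report() {
    if "$@"; then echo "PASS: $*"; else echo "FAIL: $*"; fi
}

# Steps 1 to 4 of the procedure, compared against the expected FQDN.
run_checks() {
    fqdn=$1
    report hostnames_match "$(cat /etc/HOSTNAME 2>/dev/null)" "$fqdn"
    report hostnames_match "$(hostname -f 2>/dev/null)" "$fqdn"
    report dhcp_hostname_ok /etc/sysconfig/network/dhcp "$fqdn"
    report resolves "$fqdn"
}

if [ $# -eq 1 ]; then run_checks "$1"; fi
```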

2.4.2 Ensure the Appropriate Server Ports Are Open

Enter the following commands from the Change Guardian server to ensure that the appropriate ports are open:

For SLES, use:

  • iptables -I INPUT -p tcp --dport <port_number> -j ACCEPT
  • iptables-save

For RHEL, use:

  • iptables -I INPUT -p tcp --dport <port_number> -j ACCEPT
  • service iptables save

For more information, see Section 1.2, Understanding Change Guardian Components.

2.4.3 Configure the Server Date and Time Synchronization

To determine the current date/time configured on the Change Guardian server, run the following command: date -u

To synchronize the Change Guardian server date/time with an external time service, configure NTP.

2.4.4 Configure Server Certificates

To configure trusted connections when authenticating to the Change Guardian web console, you must install valid certificates on the Change Guardian server. Use the command line tool provided on the Change Guardian server to complete the following procedure.

  1. su to novell.

  2. cd to /opt/novell/sentinel/setup.

  3. Generate certificate signing requests using the ./ssl_certs_cg command, and make the following selections:

    a. Generate certificate signing requests.

    b. Web Server.

    c. Specify a certificate signing request (.csr) filename.

    d. Have your generated .csr file signed by a certificate authority.

  4. Copy your CA root certificate chain (ca.crt) and the signed certificate (.crt) to /opt/novell/sentinel/setup.

  5. Import the CA root certificate chain and the web server certificate with the following commands:

    a. ./ssl_certs_cg

    b. At the menu prompt, select Import certificate authority root certificate.

    c. Enter the CA root certificate chain file name (ca.crt).

    d. At the menu prompt, select Import certificate authority root certificate.

    e. At the menu prompt, select Web Server.

    f. Enter the CA root certificate chain file name (ca.crt).

  6. Restart the Change Guardian server using service sentinel restart.

  7. Import the CA root certificate chain to the computer where you use the Change Guardian web console.
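Before importing in step 5, it is worth confirming that the signed certificate actually chains to ca.crt, carries the server's FQDN, and is not about to expire; ssl_certs_cg gives no second chance once the files are loaded. The script below is an added example, not a Change Guardian tool; ca.crt is the file name from step 4, while the signed certificate name server.crt and the FQDN cg.example.com are assumed values (file names must not contain spaces).

```shell
#!/bin/sh
# Added example, not from the Change Guardian documentation: pre-import checks
# for the files from steps 4 and 5, run from /opt/novell/sentinel/setup before
# ./ssl_certs_cg. Usage: sh precheck_cg_cert.sh ca.crt server.crt cg.example.com
# (server.crt and cg.example.com are assumed values).

# 0 when CERT chains to a trust anchor in CA_FILE (the ca.crt from step 4).
cert_chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# 0 when CERT also matches FQDN (subjectAltName, falling back to the CN).
cert_matches_host() {
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# 0 when CERT does not expire within DAYS days.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Show the operator what is about to be imported.
cert_summary() {
    openssl x509 -in "$1" -noout -subject -issuer -dates
}

# Run every check; print PASS/FAIL per check and return nonzero on any failure.
precheck_web_cert() {
    ca=$1; cert=$2; fqdn=$3; rc=0
    cert_summary "$cert"
    for check in "cert_chains_to_ca $ca $cert" \
                 "cert_matches_host $ca $cert $fqdn" \
                 "cert_valid_for_days $cert 30"; do
        if $check; then echo "PASS: $check"; else echo "FAIL: $check"; rc=1; fi
    done
    return $rc
}

if [ $# -eq 3 ]; then precheck_web_cert "$1" "$2" "$3"; fi
```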

2.4.5 Change Default Email Host Settings

You can change the email settings after installing Change Guardian server by using the following commands:

  • cd /opt/netiq/cg/scripts
  • ./configure.sh udei

2.4.6 Verify the SHMMAX Setting

The SHMMAX setting configures the maximum size, in bytes, of a shared memory segment for PostgreSQL. Desirable values for SHMMAX start in the hundreds of megabytes to a few gigabytes.

To change the kernel SHMMAX parameter, append the following information to the /etc/sysctl.conf file:

    # for Sentinel Postgresql
    kernel.shmmax=1073741824

NOTE: By default, RHEL specifies a small value for this setting so it is important to modify it when installing to this platform.
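Appending the lines blindly leaves a second kernel.shmmax entry behind whenever the file is edited again, and the new value is not in effect until sysctl reloads the file. The following script is an added example, not part of the Change Guardian documentation: it rewrites or appends the entry and then compares the configured value with what the running kernel reports.

```shell
#!/bin/sh
# Added example, not from the Change Guardian documentation: sets kernel.shmmax
# in a sysctl.conf file without creating duplicate entries and checks that the
# running kernel value matches. Usage: sh set_cg_shmmax.sh /etc/sysctl.conf

# Print the last value assigned to KEY in FILE (empty when absent).
sysctl_file_value() {
    key_re=$(printf '%s' "$2" | sed 's/\./\\./g')   # dots in the key are literal
    sed -n "s/^[[:space:]]*$key_re[[:space:]]*=[[:space:]]*//p" "$1" 2>/dev/null | tail -n 1
}

# Make FILE contain "KEY=VALUE": rewrite an existing assignment or append one.
ensure_sysctl() {
    file=$1; key=$2; value=$3
    key_re=$(printf '%s' "$key" | sed 's/\./\\./g')
    if grep -q "^[[:space:]]*$key_re[[:space:]]*=" "$file" 2>/dev/null; then
        sed -i "s|^[[:space:]]*$key_re[[:space:]]*=.*|$key=$value|" "$file"
    else
        printf '# for Sentinel Postgresql\n%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# 0 when the value configured in FILE is the one the running kernel reports;
# "sysctl -p FILE" loads the file so that the two agree.
shmmax_applied() {
    [ "$(sysctl_file_value "$1" kernel.shmmax)" = "$(cat /proc/sys/kernel/shmmax)" ]
}

if [ $# -eq 1 ]; then
    ensure_sysctl "$1" kernel.shmmax 1073741824   # 1 GiB, the value this section uses
    sysctl -p "$1" && shmmax_applied "$1" && echo "kernel.shmmax is in effect"
fi
```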

2.4.7 Configure Change Guardian to Run in FIPS Mode

Change Guardian offers enhanced protection against security threats and compliance with United States federal government standards by supporting Federal Information Processing Standards (FIPS). Change Guardian leverages the FIPS 140-2 compliant features to meet the security requirements of United States federal agencies and customers with highly secure environments. Change Guardian is now re-certified by Common Criteria at EAL3+ and provides FIPS 140-2 Inside.

Complete the following procedure to configure Change Guardian to run in FIPS mode.

  1. Ensure that Mozilla Network Security Services (NSS) and Mozilla NSS Tools are installed on the Change Guardian server.

  2. From a command prompt on the Change Guardian server, change directory to /opt/novell/sentinel/bin and enter the following command:

    ./convert_to_fips.sh

  3. Provide the requested input:

    a. When asked whether to backup the server, select n.

    b. Provide a password that meets the stated criteria. You will need this password later in this procedure.

    c. When asked whether to enter the external certificate in the keystore database, select n.

    d. When asked whether to restart the Sentinel server, select y.

  4. Ensure that the server0.0.log file (located in /var/opt/novell/sentinel/log) contains the following entry:

    Date_Timestamp|INFO|JAVOS listener|com.netiq.cg.capi.dao.UpgradeDao.upgrade

    Upgrading EventDestination.Upgrade to fips compatible

    Date_Timestamp|INFO|JAVOS listener|com.netiq.cg.capi.dao.UpgradeDao.upgrade

    records updated=1 data={"service-host":"Server_Name","password":"Encrypted_Password","protocol":"vosrestdispatcher:rest

  5. From a command prompt, change directory to /opt/netiq/cg/javos/bin and enter the following command:

    ./convert_to_fips.sh

  6. Provide the password for the FIPS keystore database (the password you created in Step 3.b).

  7. When asked whether to restart the Java OS (javos) service, select y.

  8. Ensure that the following entry is present in the javos.log file (located in javos/log):

    Creating FIPS SSL listener on 8094

  9. From a command prompt, change directory to /opt/netiq/ams/ams/bin and enter the following command:

    ./convert_to_fips.sh

  10. Provide the requested input:

    a. Provide the password for the FIPS keystore database (the password you created in Step 3.b).

    b. When asked whether to restart the Agent Manager service, select y.

  11. Ensure that the ams.log file (located in ams/log) contains the following entry:

    INFO [Date_Timestamp,446] com.netiq.commons.security.FIPSProvider: Running in FIPS mode. Changing the SSL security provider from JSSE to FIPS. /opt/netiq/ams/ams/security/nss
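Steps 4, 8 and 11 each ask for a specific log entry; the script below is an added example, not a Change Guardian tool, that checks all three logs in one pass and names whatever is missing. The server log path is the one given in step 4; the javos and ams log directories (javos/log and ams/log) are assumed to sit under /opt/netiq/cg/javos and /opt/netiq/ams/ams respectively.

```shell
#!/bin/sh
# Added example, not from the Change Guardian documentation: confirms the log
# entries that steps 4, 8 and 11 expect after each convert_to_fips.sh run.
# The javos and ams log paths below are assumptions.

# Print each PATTERN (matched as a fixed string) that does not occur in
# LOGFILE; return 0 only when every pattern is present.
missing_markers() {
    logfile=$1; shift; rc=0
    for pattern in "$@"; do
        if ! grep -qF -- "$pattern" "$logfile" 2>/dev/null; then
            echo "$pattern"; rc=1
        fi
    done
    return $rc
}

# Report one component as PASS, or FAIL with the entries that were not found.
check_component() {
    name=$1; logfile=$2; shift 2
    if missing=$(missing_markers "$logfile" "$@"); then
        echo "PASS: $name ($logfile)"
    else
        echo "FAIL: $name ($logfile) lacks:"
        echo "$missing" | sed 's/^/  /'
        return 1
    fi
}

# The three entries quoted in steps 4, 8 and 11.
verify_fips_conversion() {
    rc=0
    check_component "Change Guardian server" /var/opt/novell/sentinel/log/server0.0.log \
        "Upgrading EventDestination.Upgrade to fips compatible" || rc=1
    check_component "javos" /opt/netiq/cg/javos/log/javos.log \
        "Creating FIPS SSL listener on 8094" || rc=1
    check_component "Agent Manager" /opt/netiq/ams/ams/log/ams.log \
        "Running in FIPS mode. Changing the SSL security provider from JSSE to FIPS." || rc=1
    return $rc
}

if [ $# -eq 0 ] && [ "$(basename "$0")" = "verify_cg_fips.sh" ]; then verify_fips_conversion; fi
```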