NetIQ Sentinel 7.1.1 Release Notes

November 2013

Sentinel 7.1.1 provides several enhancements and resolves specific previous issues. This document outlines why you should install this service pack.

Many of these improvements were made in direct response to suggestions from our customers. We thank you for your time and valuable inputs. We hope you continue to help us ensure our products meet all your needs. You can post feedback in the Sentinel Community Support Forums, our community Web site that also includes product notifications, blogs, and product user groups.

For more information about this service pack and for the latest Release Notes, see the Sentinel 7.1 Documentation Web site.

1.0 What’s New?

The following sections outline the enhancements provided and the issues resolved in this service pack:

1.1 Operating System Support

Sentinel adds support for the following operating system versions:

  • SUSE Linux Enterprise Server 11 Service Pack 3 (64-bit)

  • Red Hat Enterprise Linux 6.4 (64-bit) in FIPS mode

1.2 Out-of-the-Box Solution Pack for Network Security

New installations of Sentinel 7.1.1 include the Solution Pack for Network Security that helps you solve network security problems in your enterprise. This Solution Pack provides a control-based framework and a wide variety of reports that help you monitor and manage network security. For more information about this Solution Pack, see the Solution Pack for Network Security documentation on the Sentinel Plug-ins Web site.

To use this Solution Pack in upgrade installations of Sentinel 7.1.1, download and install the Solution Pack from the Sentinel Plug-ins Web site.

1.3 Latest Plug-ins

New installations of Sentinel 7.1.1 include the latest versions of several Sentinel plug-ins. These plug-ins include the latest software fixes, documentation updates, and enhancements. For more information, see the specific plug-in documentation on the Sentinel Plug-ins Web site.

The upgrade installation of Sentinel 7.1.1 updates the Syslog Integrator to version 2011.1r1, which includes significant performance improvements.

1.4 Enhancements

This service pack includes the following enhancements:

Java 7 Upgrade

Sentinel 7.1.1 now includes Java 7 update 40, which includes fixes for several security vulnerabilities.

NOTE: To use Sentinel Control Center on client computers that have Java 7 update 40 installed, you must enable logging in the Java Control Panel. For more information, see Section 4.0, Known Issues.

Grouping Events Based on the Distinct Values of Event Fields

When you create correlation rules, you can now group events based on the distinct values of event fields in addition to grouping events by same values of event fields.

Sentinel provides a new user interface for grouping the events in a correlation rule. To group events, open the Group by drop-down list, then drag the event fields you want into either the Group By Fields list or the Distinct Fields list, depending on how you want the events grouped.

Categorization of Favorite Reports and Searches

You can now create folders to store your favorite reports and searches, which helps you to locate and manage them easily.

Performance and Reliability Improvements

This service pack improves Sentinel performance in searching and reporting, and improves system stability under high load.

Improved Usability in Dynamic Lists

You no longer need to manually specify the Maximum number of elements to create dynamic lists. Sentinel now sets the maximum number of elements to 1000 by default. You can change this value as necessary.

Ability to Specify the Transient Elements Life Span in Minutes

You can now specify Transient Elements Life Span in minutes in addition to hours and days. This enhancement is particularly helpful when you want to keep the list elements active for only a few minutes. For example, you can now deny access to specific user accounts or IP addresses for 15 minutes.

Automatic Back Up of Configuration Data and Baseline Security Intelligence Data

You can now configure Sentinel to automatically back up the configuration data and the baseline security intelligence data before the upgrade. Enabling this automatic backup causes the upgrade process to take longer and requires more disk space. To estimate the additional time and disk space required, run the backup utility manually with the -c and -b options.

To configure automatic data backup, perform the following steps:

  1. Open the /etc/opt/novell/sentinel/config/configuration.properties file.

  2. Add the following property and set the value to true:

    sentinel.upgrade.backup=true
    
  3. Save the changes.

When you upgrade Sentinel, it automatically backs up the configuration data and the baseline security intelligence data, and stores the backup files at the /var/opt/novell/sentinel/data/updates directory.

NOTE: You must manually back up other data, such as the event data, raw event data, Security Intelligence database, and so on as necessary. For more information about backing up and restoring data, see “Backing Up and Restoring Data” in the Sentinel 7.1 Administration Guide.

1.5 Software Fixes

Sentinel 7.1.1 provides software fixes for the following issues. For the list of software fixes and enhancements in previous releases, see the Sentinel 7.1 Documentation Web site.

Sentinel Control Center Does Not Launch on Java 7 Update 45

Issue: Sentinel Control Center does not launch on client computers that have Java 7 Update 45 installed. (BUG 846699)

Fix: Sentinel Control Center now launches on Java 7 Update 45.

The Correlated Event Message Field Displays the Description of the Correlation Rule

Issue: In Sentinel 7.1.0.1 and later, the correlated event message field displays the description of the correlation rule instead of the description of the events that triggered the correlated event. The email alert also displays the description of the correlation rule. (BUG 840953)

Fix: You can now set the description of the correlated event message field to display the description of the events that triggered the correlated event:

  1. Add the following property in the $ESEC_CONFIG_HOME/config/configuration.properties file:

    sentinel.correlation.eventformat=7.1
    
  2. Restart the Sentinel server.
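Both of the edits above (sentinel.upgrade.backup=true before an upgrade, and sentinel.correlation.eventformat=7.1 for the correlated event message fix) are single key=value changes to configuration.properties. The following shell helper is an added example, not a NetIQ utility, for making such a change without leaving duplicate or stale assignments behind: it replaces an existing assignment (or a commented-out one) in place, appends the key otherwise, and rewrites the file through its existing inode so its owner and permissions survive. It assumes the simple one-key-per-line form shown in the notes, keys made of letters, digits and dots, and values containing no sed metacharacters.

```shell
#!/bin/sh
# Added example, not a NetIQ utility: set a key in a Java-style .properties
# file idempotently. It covers both edits the release notes describe
# (sentinel.upgrade.backup=true and sentinel.correlation.eventformat=7.1).
# An existing assignment, or a commented-out one, is replaced in place;
# otherwise the key is appended. Other lines are left as they are, and the
# file is rewritten through its existing inode so owner and mode survive.
# Assumptions: one key=value per line; keys contain only letters, digits and
# dots; values contain no '|' or '&' (sed replacement metacharacters).

# Escape the dots in a key so it can be used inside an ERE.
escape_key() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# set_property FILE KEY VALUE
set_property() {
    file=$1 key=$2 value=$3
    ekey=$(escape_key "$key")
    [ -f "$file" ] || : > "$file"
    scratch=$(mktemp "${file}.XXXXXX")
    if grep -Eq "^[[:space:]]*#?[[:space:]]*${ekey}[[:space:]]*=" "$file"; then
        # Normalise every assignment of this key, commented or not, to the
        # requested value so only one effective setting remains.
        sed -E "s|^[[:space:]]*#?[[:space:]]*${ekey}[[:space:]]*=.*|${key}=${value}|" "$file" > "$scratch"
    else
        cat "$file" > "$scratch"
        printf '%s=%s\n' "$key" "$value" >> "$scratch"
    fi
    # Write back through the original inode: ownership and mode are kept.
    cat "$scratch" > "$file"
    rm -f "$scratch"
}

# get_property FILE KEY: print the effective value (last uncommented
# assignment wins), or nothing if the key is not set.
get_property() {
    ekey=$(escape_key "$2")
    sed -nE "s/^[[:space:]]*${ekey}[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Usage, as root on the Sentinel server (restart Sentinel afterwards for
# the correlation setting to take effect, as the notes say):
#   set_property /etc/opt/novell/sentinel/config/configuration.properties sentinel.upgrade.backup true
#   set_property "$ESEC_CONFIG_HOME/config/configuration.properties" sentinel.correlation.eventformat 7.1
```

After running it, get_property on the same file returns the value Sentinel will read, which is a quick way to confirm the change before restarting the server.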

Cannot Configure Active Directory Authentication for WebYaST

Issue: The Sentinel appliance does not have the necessary modules to configure Active Directory authentication for WebYaST. (BUG 828616)

Fix: The Sentinel appliance now includes the necessary modules that support Active Directory authentication for WebYaST.

Reports Do Not Include Events that Contain Null Values

Issue: If the Group By event fields contain null values, Sentinel does not include such events in the reports. (BUG 810398)

Fix: Reports now include events that contain null values.

The Incident XML File Does Not Include the Events Added to the Incident

Issue: When you execute the Incident Command through the iTRAC workflow template, the XML file in the attachments does not include the incident details and the events added to the incident. (BUG 796615)

Fix: The XML file now includes the incident details and the events added to the incident.

Some of the Icons Appear Incorrectly in Internet Explorer 10

Issue: When viewing the Sentinel Web console using Internet Explorer 10, the browser displays some icons incorrectly. (BUG 807670)

Fix: The Sentinel Web console now renders in standards mode, and all icons on the Web console appear correctly.

Sentinel Allows you to Access MongoDB Through Mongo Shell

Issue: Sentinel allows access to the Security Intelligence information in MongoDB through the Mongo shell without authenticating. (BUG 842556)

Fix: Sentinel now requires you to authenticate to MongoDB before you can access the Security Intelligence information.

Secure LDAP Authentication Fails Although the LDAP Server Certificate is Signed by a Well-Known Certificate Authority

Issue: In non-FIPS mode, Sentinel does not trust well-known Certificate Authorities (CA) (for example, Verisign) for LDAP authentication. If a well-known CA signs the LDAP server certificate and if you do not explicitly specify the LDAP server certificate in the LDAP settings, Sentinel does not establish a secure connection with the LDAP server. The LDAP authentication fails. (BUG 832626)

Fix: Sentinel now trusts well-known CAs for LDAP authentication by default. If you prefer not to rely on public CA trust, you can still specify the LDAP server certificate explicitly in the LDAP settings.

Search Results with More Than 50,000 Events Cannot be Exported to a File

Issue: You cannot export search results with more than 50,000 events to a file. (BUG 840027)

Fix: You can now export search results up to 200,000 events to a file.

Sentinel Logs Errors When You Create a Dashboard

Issue: When you create a dashboard and use filters where the event fields are not enclosed in quotes or filters that contain wildcard characters (for example, * or ?), Sentinel logs several errors. (BUG 821217)

Fix: Sentinel no longer logs errors when you create the dashboard.

The Firewall Port is Not Open for Agent Manager Event Source Server

Issue: In upgrade installations of the Sentinel 7.1 appliance, Sentinel deploys the Agent Manager Event Source Server on port 1590. However, the port is not open to accept incoming TCP connections. (BUG 827611)

Fix: Port 1590 is now open to accept incoming TCP connections.

The View Triggers Option Provides Invalid Information

Issue: The View Triggers option displays events that did not trigger the correlated event. (BUG 832857)

Fix: The View Triggers option now displays only the events that triggered the correlated event.

Sentinel Logs Several Errors Related to Database Connections

Issue: When the EPS rate is high, connections to the database are sometimes delayed for several hours because of resource unavailability. Sentinel frequently logs the error “Connection requested by thread has not been returned to pool.” (BUG 719244)

Fix: Stability and performance improvements in this service pack reduce the delay in obtaining database connections under high load.

Sentinel Control Center Displays a Digital Signature Expiry Warning

Issue: When you launch Sentinel Control Center, it displays the warning message “Sentinel Control Center digital signature has expired”. (BUG 816020)

Fix: The Sentinel Control Center digital certificate has been renewed.

2.0 System Requirements

You can upgrade to Sentinel 7.1.1 from Sentinel 7.0 or later.

For information about hardware requirements, supported operating systems, and browsers, see Meeting System Requirements in the NetIQ Sentinel 7.1 Installation and Configuration Guide.

3.0 Upgrading to Sentinel 7.1.1

Download the service pack from the Novell Download Web site. You can configure the upgrade installation script to back up the configuration data and the baseline security intelligence data before upgrading Sentinel. For more information, see Automatic Back Up of Configuration Data and Baseline Security Intelligence Data.

The following sections provide information about upgrading Sentinel:

NOTE:

  • After the upgrade is complete, when the system starts for the first time, Sentinel might take a few minutes to start because the system performs a one-time update to the Security Intelligence schema. The time required to start depends on the amount of Security Intelligence data in your system.

  • After you upgrade Sentinel, clear the Java Web Start cache on the client computers to use the latest version of Sentinel applications. You can clear the Java Web Start cache either by using the javaws -clearcache command or by using the Java Control Panel. For more information, see http://www.java.com/en/download/help/plugin_cache.xml.

3.1 Upgrading Sentinel

For information about upgrading to Sentinel 7.1.1, see “Upgrading Sentinel” in the NetIQ Sentinel 7.1 Installation and Configuration Guide.

3.2 Upgrading High Availability Traditional Installations

When you upgrade the Sentinel traditional installation in a high availability setup, first upgrade the passive nodes in the cluster, then upgrade the active cluster node.

To upgrade high availability traditional installations:

  1. Enable the maintenance mode on the cluster:

    crm configure property maintenance-mode=true
    

    Maintenance mode helps you to avoid any disturbance to the running cluster resources while you update Sentinel. You can run this command from any cluster node.

  2. Verify whether the maintenance mode is active:

    crm status
    

    The cluster resources should appear in the unmanaged state.

  3. Upgrade the passive cluster node:

    1. Stop the cluster stack:

      rcopenais stop
      

      Stopping the cluster stack ensures that the cluster resources remain accessible and avoids fencing of nodes.

    2. Log in as root to the server where you want to upgrade Sentinel.

    3. Extract the install files from the tar file:

      tar xfz <install_filename>
      
    4. Run the following command in the directory where you extracted the install files:

      ./install-sentinel --cluster-node
      
    5. After the upgrade is complete, restart the cluster stack:

      rcopenais start
      

      Repeat Step 3 for all passive cluster nodes.

  4. Upgrade the active cluster node:

    1. Back up your configuration, then create an ESM export.

      For more information about backing up data, see Backing Up and Restoring Data in the NetIQ Sentinel 7.1 Administration Guide.

    2. Stop the cluster stack:

      rcopenais stop
      

      Stopping the cluster stack ensures that the cluster resources remain accessible and avoids fencing of nodes.

    3. Log in as root to the server where you want to upgrade Sentinel.

    4. Run the following command to extract the install files from the tar file:

      tar xfz <install_filename>
      
    5. Run the following command in the directory where you extracted the install files:

      ./install-sentinel
      
    6. After the upgrade is complete, start the cluster stack:

      rcopenais start
      
  5. Disable the maintenance mode on the cluster:

    crm configure property maintenance-mode=false
    

    You can run this command from any cluster node.

  6. Verify whether the maintenance mode is inactive:

    crm status
    

    The cluster resources should appear in the Started state.

  7. (Optional) Verify whether the Sentinel upgrade is successful:

    rcsentinel version
    
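The per-node part of the procedure above (stop the cluster stack, extract the service pack, run the installer, start the stack again) is the same for passive and active nodes except for the --cluster-node flag, and the step that is easy to get wrong is stopping the stack on a node while the cluster is still managing its resources. The following script is an added example, not NetIQ's installer or cluster tooling: it runs those steps for one node and refuses to stop the stack unless the cluster property maintenance-mode is already true. It uses only the commands the procedure lists (crm, rcopenais, tar, ./install-sentinel). It assumes that "crm configure show" prints the property as maintenance-mode=true (quoted or unquoted); TARBALL and WORKDIR are this script's own argument names.

```shell
#!/bin/sh
# Added example, not NetIQ's installer or cluster tooling: run the per-node
# steps of the HA upgrade procedure (stop the cluster stack, extract the
# service pack, run the installer, start the stack again), but refuse to stop
# the stack unless the cluster is already in maintenance mode. If the cluster
# is not in maintenance mode, stopping the stack on a node triggers resource
# recovery on the other nodes, which is what step 1 of the procedure prevents.
# Commands are the ones in the procedure: crm, rcopenais, tar,
# ./install-sentinel [--cluster-node]. Assumptions: "crm configure show"
# prints the property as maintenance-mode=true (quoted or not); TARBALL and
# WORKDIR are this script's own argument names.
set -eu

# Exit status 0 when the cluster property maintenance-mode is true.
maintenance_mode_active() {
    crm configure show | grep -Eq 'maintenance-mode="?true"?'
}

# upgrade_node passive|active TARBALL WORKDIR
upgrade_node() {
    role=$1 tarball=$2 workdir=$3
    case "$role" in
        passive) flag=--cluster-node ;;
        active)  flag= ;;
        *) echo "usage: upgrade_node passive|active TARBALL WORKDIR" >&2; return 2 ;;
    esac
    if ! maintenance_mode_active; then
        echo "refusing to stop the cluster stack: maintenance-mode is not true" >&2
        return 1
    fi
    rcopenais stop
    mkdir -p "$workdir"
    tar -xzf "$tarball" -C "$workdir"
    # Run the installer from the extraction directory, as the procedure does.
    # On failure the stack is left stopped so the node can be inspected
    # before it rejoins the cluster.
    if ! ( cd "$workdir" && ./install-sentinel $flag ); then
        echo "install-sentinel failed; cluster stack left stopped on this node" >&2
        return 1
    fi
    rcopenais start
}

# Command-line use (as root on the node being upgraded):
#   sh upgrade_ha_node.sh passive sentinel-7.1.1.tar.gz /tmp/sentinel-sp
case "${1:-}" in
    passive|active) upgrade_node "$1" "${2:?TARBALL}" "${3:?WORKDIR}" ;;
esac
```

Run it with "passive" on each passive node in turn and with "active" on the active node last, after taking the backup and ESM export the procedure asks for; enabling and disabling maintenance mode, and the final crm status and rcsentinel version checks, remain manual steps exactly as listed above.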

3.3 Upgrading Sentinel Appliance Versions 7.0.1 or Earlier

When you upgrade the appliance from Sentinel 7.0.1 or earlier, the upgrade fails in WebYaST because the vendor name for the patch has changed from Novell to NetIQ. You must upgrade the appliance by using the zypper patch command.

To upgrade the appliance by using zypper:

  1. Back up your configuration, then create an ESM export. For more information, see Backing Up and Restoring the Data in the NetIQ Sentinel 7.1 Administration Guide.

  2. Log in to the appliance console as the root user.

  3. Run the following command:

    /usr/bin/zypper patch
    
  4. Enter 1 to accept the vendor change from Novell to NetIQ.

  5. Enter Y to proceed.

  6. Enter yes to accept the license agreement.

  7. Restart the Sentinel appliance.

3.4 Upgrading Sentinel 7.0 to 7.1.1

If you upgrade Sentinel from 7.0 to 7.1.1 and your Sentinel installation is in a non-default location, run the following command as the novell user:

ln -s "$RPM_INSTALLATION_PREFIX/opt/novell/sentinel/3rdparty/activemq/activemq-all-5.4.2.jar" "$RPM_INSTALLATION_PREFIX/opt/novell/sentinel/lib/activemq-all-5.4.2.jar"

Where $RPM_INSTALLATION_PREFIX is the location of the Sentinel installation.

4.0 Known Issues

NetIQ Corporation strives to ensure our products provide quality solutions for your enterprise software needs. The following issues are currently being researched. If you need further assistance with any issue, please contact Technical Support.

4.1 Sentinel Services Might Not Start Automatically After the Installation

Issue: On systems with more than 2 TB, Sentinel might not start automatically after the installation. (BUG 846296)

Workaround: As a one-time activity, start the Sentinel services manually by running the following command (the /usr/sbin/rcsentinel script):

rcsentinel -start

4.2 Cannot Enable Kerberos Authentication

Issue: In the Kerberos module, when you select Enable Kerberos Authentication, configure Kerberos authentication, and click Save, the console displays a message to confirm that the Kerberos client configuration was successful. However, the Kerberos authentication is not enabled and when you view the Kerberos module again, the Enable Kerberos Authentication option is deselected. (BUG 843623)

Workaround: There is no workaround at this time.

4.3 Sentinel Control Center Does Not Launch if the Client Computer Has Java 7 Update 40 Installed

Issue: If you have Java 7 update 40 installed on the client computer, Sentinel Control Center does not launch. (BUG 841921)

Workaround: In Control Panel > Programs > Java > Advanced, select Enable logging, or upgrade the client to a later Java version (Sentinel Control Center launches on Java 7 Update 45; see Section 1.5, Software Fixes).

4.4 Cannot Back Up the Sentinel Server if Sentinel was Installed on a Custom Port

Issue: When you perform a full server backup on Sentinel installations that use a custom port, the backup operation fails. (BUG 844062)

Workaround: In the /opt/novell/sentinel/bin/backup_util.sh file, change the PORT_PARAM parameter value to the custom Web server port number, save the file, and then rerun the backup_util.sh script.

5.0 Contact Information

Our goal is to provide documentation that meets your needs. If you have suggestions for improvements, please email Documentation-Feedback@netiq.com. We value your input and look forward to hearing from you.

For detailed contact information, see the Support Contact Information Web site.

For general corporate and product information, see the NetIQ Corporate Web site.

For interactive conversations with your peers and NetIQ experts, become an active member of Qmunity, our community Web site that offers product forums, product notifications, blogs, and product user groups.