Symantec Enterprise Security Architecture Implementation Guide SESA 2.0

Transcription

1 Symantec Enterprise Security Architecture Implementation Guide SESA 2.0

2 Symantec Enterprise Security Architecture Implementation Guide The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement. Documentation version 2.0 Copyright Notice Copyright 2004 Symantec Corporation. All Rights Reserved. Any technical documentation that is made available by Symantec Corporation is the copyrighted work of Symantec Corporation and is owned by Symantec Corporation. NO WARRANTY. The technical documentation is being delivered to you AS-IS, and Symantec Corporation makes no warranty as to its accuracy or use. Any use of the technical documentation or the information contained therein is at the risk of the user. Documentation may include technical or other inaccuracies or typographical errors. Symantec reserves the right to make changes without prior notice. No part of this publication may be copied without the express written permission of Symantec Corporation, Stevens Creek Blvd., Cupertino, CA Trademarks Symantec and the Symantec logo are U.S. registered trademarks of Symantec Corporation. SESA, LiveUpdate, Symantec AntiVirus, Symantec Enterprise Security Architecture, and Symantec Security Response are trademarks of Symantec Corporation. Sun is a registered trademark of Sun Microsystems, Inc. Sun JDK and Sun Java are trademarks of Sun Microsystems, Inc. VeriSign is a registered trademark of Verisign, Inc. Other brands and product names mentioned in this manual may be trademarks or registered trademarks of their respective companies and are hereby acknowledged. Printed in the United States of America

3 Technical support Licensing and registration Contacting Technical Support As part of Symantec Security Response, the Symantec global Technical Support group maintains support centers throughout the world. The Technical Support group s primary role is to respond to specific questions on product feature/ function, installation, and configuration, as well as to author content for our Web-accessible Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering as well as Symantec Security Response to provide Alerting Services and Virus Definition Updates for virus outbreaks and security alerts Symantec technical support offerings include: A range of support options that give you the flexibility to select the right amount of service for any size organization Telephone and Web support components that provide rapid response and up-to-the-minute information Upgrade insurance that delivers automatic software upgrade protection Content Updates for virus definitions and security signatures that ensure the highest level of protection Global support from Symantec Security Response experts, which is available 24 hours a day, 7 days a week worldwide in a variety of languages Advanced features, such as the Symantec Alerting Service and Technical Account Manager role, offer enhanced response and proactive security support If the product that you are implementing requires registration and/or a license key, the fastest and easiest way to register your service is to access the Symantec licensing and registration site at Alternatively, you may go to select the product that you wish to register, and from the Product Home Page, select the Licensing and Registration link. Customers with a current support agreement may contact the Technical Support group via phone or online at Customers with Platinum support agreements may contact Platinum Technical Support via the Platinum Web site at www-secure.symantec.com/platinum/.

4 When contacting the Technical Support group, please have the following: Product release level Hardware information Available memory, disk space, NIC information Operating system Version and patch level Network topology Router, gateway, and IP address information Problem description Error messages/log files Troubleshooting performed prior to contacting Symantec Recent software configuration changes and/or network changes Customer Service To contact Enterprise Customer Service online, go to select the appropriate Global Site for your country, then choose Service and Support. Customer Service is available to assist with the following types of issues: Questions regarding product licensing or serialization Product registration updates such as address or name changes General product information (features, language availability, local dealers) Latest information on product updates and upgrades Information on upgrade insurance and maintenance contracts Information on Symantec Value License Program Advice on Symantec's technical support options Nontechnical presales questions Missing or defective CD-ROMs or manuals Please visit our Web site for current information on Support Programs. The specific features available may vary based on the level of support purchased and the specific product that you are using.

5 Symantec Software Component License Agreement Supplement SYMANTEC CORPORATION AND/OR ITS SUBSIDIARIES ("SYMANTEC") IS WILLING TO LICENSE THE SOFTWARE COMPONENT ("COMPONENT") TO YOU AS AN INDIVIDUAL, THE COMPANY, OR THE LEGAL ENTITY THAT WILL BE UTILIZING THE COMPONENT (REFERENCED BELOW AS "YOU OR YOUR") ONLY ON THE CONDITION THAT YOU ACCEPT ALL OF THE TERMS OF THIS LICENSE AGREEMENT SUPPLEMENT ("SUPPLEMENT") AND THE LICENSE AGREEMENT ACOMPANYING THE SYMANTEC PRODUCT WITH WHICH THIS COMPONENT IS UTILIZED ("LICENSE AGREEMENT"). READ THE TERMS AND CONDITIONS OF THE LICENSE AGREEMENT AND THIS SUPPLEMENT CAREFULLY BEFORE USING THE COMPONENT. THIS IS A LEGAL AND ENFORCEABLE CONTRACT BETWEEN YOU AND THE LICENSOR. BY OPENING THIS PACKAGE, BREAKING THE SEAL, CLICKING THE "ACCEPT" OR "YES" BUTTON OR OTHERWISE INDICATING ASSENT ELECTRONICALLY, OR LOADING THE SOFTWARE, YOU AGREE TO THE TERMS AND CONDITIONS OF THIS SUPPLEMENT. IF YOU DO NOT AGREE TO THESE TERMS AND CONDITIONS, CLICK THE "I DO NOT ACCEPT," OR "NO" BUTTON, OR OTHERWISE INDICATE REFUSAL AND MAKE NO FURTHER USE OF THE COMPONENT. In addition to the License Agreement, the following terms and conditions apply to You for use of the Component. 1. License: The software and documentation that accompanies this Supplement (collectively the "Component") is the proprietary property of Symantec or its licensors and is protected by copyright law. While Symantec continues to own the Component, you will have certain rights to use the Component after your acceptance of this license. This license governs any releases, revisions, or enhancements to the Component that the Licensor may furnish to you. Except as may be modified by an applicable Symantec license certificate, license coupon, or license key (each a "License Module") that accompanies, precedes, or follows this license, your rights and obligations with respect to the use of this Component are as follows: You may: A. use the number of copies of the Component as required for utilization with the applicable Symantec products as have been licensed to you by Symantec under a License Module. Your License Module shall constitute proof of your right to make such copies. If no License Module accompanies, precedes, or follows this license, you may make one copy of the Component you are authorized to use on a single machine. B. use the Component in combination with any Symantec recognized product that specifies use with the Component; C. use the Component in accordance with any written agreement between You and Symantec. 2. Limited Warranty: Symantec warrants that the media on which the Software is distributed will be free from defects for a period of sixty (60) days from the date of delivery of the Software to You. Your sole remedy in the event of a breach of this warranty will be that Symantec will, at its option, replace any defective media returned to Symantec within the warranty period or refund the money You paid for the Software. Symantec does not warrant that the Software will meet Your requirements or that operation of the Software will be uninterrupted or that the Software will be error-free. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THE ABOVE WARRANTY IS EXCLUSIVE AND IN LIEU OF ALL OTHER WARRANTIES, WHETHER EXPRESS OR IMPLIED, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS. THIS WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS. YOU MAY HAVE OTHER RIGHTS, WHICH VARY FROM STATE TO STATE AND COUNTRY TO COUNTRY. 3. Disclaimer of Damages: SOME STATES AND COUNTRIES, INCLUDING MEMBER COUNTRIES OF THE EUROPEAN ECONOMIC AREA, DO NOT ALLOW THE LIMITATION OR EXCLUSION OF LIABILITY FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THE BELOW LIMITATION OR EXCLUSION MAY NOT APPLY TO YOU. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW AND REGARDLESS OF WHETHER ANY REMEDY SET FORTH HEREIN FAILS OF ITS ESSENTIAL PURPOSE, IN NO EVENT WILL SYMANTEC BE LIABLE TO YOU FOR ANY SPECIAL, CONSEQUENTIAL, INDIRECT, OR SIMILAR DAMAGES, INCLUDING ANY LOST PROFITS OR LOST DATA ARISING OUT OF THE USE OR INABILITY TO USE THE SOFTWARE EVEN IF SYMANTEC HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IN NO CASE SHALL SYMANTEC'S LIABILITY EXCEED THE PURCHASE PRICE FOR THE SOFTWARE. The disclaimers and limitations set forth above will apply regardless of whether or not You accept the Software.

6 4. U.S. Government Restricted Rights: RESTRICTED RIGHTS LEGEND. All Symantec products and documentation are commercial in nature. The software and software documentation are "Commercial Items," as that term is defined in 48 C.F.R. section 2.101, consisting of "Commercial Computer Software" and "Commercial Computer Software Documentation," as such terms are defined in 48 C.F.R. section (a)(5) and 48 C.F.R. section (a)(1), and used in 48 C.F.R. section and 48 C.F.R. section , as applicable. Consistent with 48 C.F.R. section , 48 C.F.R. section , 48 C.F.R. section through , 48 C.F.R. section , and other relevant sections of the Code of Federal Regulations, as applicable, Symantec's computer software and computer software documentation are licensed to United States Government end users with only those rights as granted to all other end users, according to the terms and conditions contained in this license agreement. Manufacturer is Symantec Corporation, Stevens Creek Blvd., Cupertino, CA 95014, United States of America. 5. Export Regulation: Certain Symantec products are subject to export controls by the U.S. Department of Commerce (DOC), under the Export Administration Regulations (EAR) (see Violation of U.S. law is strictly prohibited. Licensee agrees to comply with the requirements of the EAR and all applicable international, national, state, regional and local laws, and regulations, including any applicable import and use restrictions. Symantec products are currently prohibited for export or re-export to Cuba, North Korea, Iran, Iraq, Libya, Syria and Sudan or to any country subject to applicable trade sanctions. Licensee agrees not to export, or re-export, directly or indirectly, any product to any country outlined in the EAR, nor to any person or entity on the DOC Denied Persons, Entities and Unverified Lists, the U.S. Department of State's Debarred List, or on the U.S. Department of Treasury's lists of Specially Designated Nationals, Specially Designated Narcotics Traffickers, or Specially Designated Terrorists. Furthermore, Licensee agrees not to export, or re-export, Symantec products to any military entity not approved under the EAR, or to any other entity for any military purpose, nor will it sell any Symantec product for use in connection with chemical, biological, or nuclear weapons or missiles capable of delivering such weapons. 6. General: This Supplement and the Software License Agreement are the entire agreement governing the use and licensing of this Component. In the event of any conflict between the Supplement and the License Agreement, with regard to the Component, the Supplement shall control. All other terms and conditions of the License Agreement remain in full force and effect. 7. Additional Uses and Restrictions: Notwithstanding any of the terms and conditions contained in this Supplement, the following additional terms apply to the product you have licensed. A. The SSL certificate accompanying this Component will expire within one (1) year of installation of the Component. You may use a self-signed certificate or a separately acquired certificate from a third party vendor. B. The use of Netscape LDAP SDK for Java is governed by the Netscape Public License (NPL), the full text of which can be found at html < 1.1.html>. You are entitled to a copy of the source code of this third party software, which can be found in the Component. C. The use of SNIA CIMOM is governed by the SNIA Public License (SPL), the full text of which can be found at Source.html < Code/Open Source.html>. You are entitled to a copy of the source code of this third party software, which can be found in the Component.

7 Contents Technical support Chapter 1 Introducing Symantec Enterprise Security Architecture About Symantec Enterprise Security Architecture...17 About the Symantec management console What s new in SESA Improved performance and scalability Enhanced data-management capabilities SESA Manager-side event filtering Oracle database support Expanded Solaris platform support Expanded failover capabilities Heartbeat monitoring for the SESA Agent Added flexibility in roles and access control Added support for SESA Agent platforms Multiple SESA administrative domains Enhanced support for Symantec and third-party product installations Enhanced event reporting and querying Simplified administrative auditing Components of SESA SESA Directory SESA DataStore SESA Manager SESA Agent Symantec management console SESA Integration Packages, Symantec Event Managers, and Symantec Event Collectors... 30

8 8 Contents What you can do with SESA Organizational units Configuration groups Product configuration distribution Multiple administrative domains SESA users Roles in SESA Failover support Security technology in SESA LiveUpdate technology Event exclusion, logging, and viewing Alerts and alert notifications Centralized reporting How SESA works How SESA logs events How SESA generates alerts How SESA distributes product configurations How SESA forwards events Where to get more information about SESA SESA Directory third-party software information SESA DataStore third-party software information SESA Manager third-party software information Chapter 2 Planning for deployment SESA data paths SESA security products and SESA Agents Network data paths Data security and protocol Deployment guidelines... 65

9 Contents 9 Chapter 3 Before you install SESA Preparing for installation...67 Logon accounts for SESA installation Copying the SESA Foundation Pack CDs to a Solaris staging area Securing Solaris resources and programs Disabling unnecessary services IBM DB2 library directory ownership Avoiding port conflicts Local administrative privileges on the installation computer System time on the installation computer Using static IP addresses Locations of installation computers Installation drives and volumes Installation directories SESA installations behind firewalls Disabling standby mode Avoiding Microsoft Internet Information Server conflicts SESA and non-english languages Installation CD layout System requirements Supported installation configurations Minimum requirements to install all SESA components on a single Windows computer Minimum requirements for a SESA Directory computer Supported third-party software for the SESA Directory Minimum requirements for the SESA DataStore computer Supported third-party software for the SESA DataStore Minimum requirements for the SESA Manager computer Supported third-party software for the SESA Manager Minimum requirements and supported third-party software for a remote Symantec management console Minimum requirements and supported third-party software for a SESA Agent Preparing third-party software on Windows platforms Installing the Sun Java Development Kit on Windows Installing the Java Runtime Environment on Windows Installing a supported version of the IBM DB2 database Installing an IBM DB2 Runtime Client on a Windows computer... 96

10 10 Contents Preparing third-party software on Solaris platforms Guidelines for installing Solaris Installing the Sun Java Development Kit on Solaris computers Installing the Java Runtime Environment on Solaris or Linux computers Configuring Solaris 8 computers to run the Symantec management console Installing IBM DB2 Enterprise Edition on a Solaris computer Preparing for and installing Oracle 9i on a Solaris computer Installing an IBM DB2 Runtime Client on a Solaris computer Connecting to a remote Solaris computer and exporting its display Chapter 4 Installing SESA SESA Foundation Pack installation overview Installation guidelines Installing SESA with command-line parameters Performing a silent installation on Solaris or Windows computers How a silent installation works Creating a silent installation settings file Running a silent installation Starting the SESA Installation Wizard Performing an express installation Installing the SESA Directory Installing the SESA Directory on a Windows computer Installing the SESA Directory on a Solaris computer Installing the SESA DataStore Installing a SESA DataStore on a Windows computer Installing an additional SESA DataStore on a Windows computer Installing the SESA DataStore on a Solaris computer Installing multiple SESA DataStores on a Solaris computer Installing the SESA Manager Installing the SESA Manager on a Windows computer Installing the SESA Manager on a Solaris computer Installing the SESA Agent for heartbeat monitoring Installing a SESA Agent for heartbeat monitoring on a Windows computer Installing a SESA Agent for heartbeat monitoring on a Solaris computer...199

11 Contents 11 Chapter 5 Chapter 6 After you install SESA Testing the installation Launching the Symantec management console Verifying that the installed services have started Verifying that the IBM HTTP Server is operating Verifying that the SESA servlets are operating Verifying that a shared schema is installed Examining the SESA logs for messages Post-installation tasks Installing additional SESA domains Deploying SESA Directory replicas Configuring SESA to generate SNMP alert responses Integrating security products with SESA About SESA Integration Package deployment in SESA About maintaining SIP deployments About using version 1.1 SESA Integration Packages with SESA Deploying or removing a SESA Integration Package on a SESA Manager Windows computer Deploying or removing a SESA Integration Package on a SESA Manager Solaris computer Forcing a SESA Integration Package deployment Verifying a SESA Integration Package deployment status Verifying the master SIPI service About deleting and reinstalling SESA Agents Uninstalling SESA SESA heartbeat service and uninstalling the SESA Manager and SESA Agent Uninstalling SESA from a Windows computer Uninstalling SESA on Solaris About reinstalling a SESA DataStore in Windows environments Setting up failover support About failover support Setting up SESA Agent-to-Manager failover support Configuring SESA Agent-to-Manager failover support...244

12 12 Contents Setting up SESA Manager-to-Directory failover support Installing a replica SESA Directory on a Windows computer Manually completing the replica SESA Directory installation on Windows computers Installing a replica SESA Directory on a Solaris computer Manually completing the replica SESA Directory installation on Solaris computers Configuring SESA Manager-to-Directory failover support Verifying a replica SESA Directory installation Setting up SESA Manager-to-DataStore failover support Configuring SESA Manager-to-DataStore failover support Chapter 7 Changing your security configuration About required SESA information for SSL upgrades Making SESA security choices About upgrading your security Viewing certificate expiration dates Upgrading to authenticated, self-signed certificates Generating a new, self-signed certificate in the Key database Upgrading to authenticated, CA-signed certificates Upgrading to an authenticated, signed certificate Configuring SESA to use a new certificate Updating the HTTP Server to use the new certificate Installing the new certificate to the Java Trust Stores Updating the SESA configuration to use the new certificate Updating IBM Directory Server to use the new certificate Installing the new certificate on the SESA Agent (client) computers Updating the SESA Agent configuration Updating the SESA Directory to use the new URI Updating the SESA Manager on disk configuration Verifying the SSL upgrade Configuring the Directory Management Tool to connect via SSL...313

13 Contents 13 Chapter 8 Chapter 9 Maintaining the SESA Directory SESA Directory administration Starting and stopping the IBM Directory Server Granting and removing local administrative privileges for the Web Server account Reconfiguring the SESA Directory computer after an IP address change Changing the SESA Directory port Changing the SESA Directory DN and password Updating the ldapdb2 password Changing the SESLDAP account password Ensuring that SESA user passwords stay encrypted SESA Directory backup and recovery Backing up SESA Directory data Restoring SESA Directory data SESA Directory performance tuning Maintaining consistent SESA Directory performance Optimizing SESA Directory performance Maintaining the SESA DataStore Data backup and recovery Backing up the Oracle 9i database server Restoring an Oracle SESA DataStore to its last backup image Backing up the IBM DB2 database Restoring an IBM DB2 database SESA Data Maintenance Tool When to use the SESA Data Maintenance Tool Launching the SESA Data Maintenance Tool Running an immediate database purge, copy, or move operation Configuring and saving a filter Running the SESA Data Maintenance Tool from the command line Using SESA scripts for the Oracle database Available SESA general maintenance scripts for the Oracle database Available SESA partition scripts for the Oracle database Running SESA scripts for the Oracle database Enabling and disabling foreign key constraints in Oracle databases...366

14 14 Contents Data maintenance Returning the Oracle database to a consistent state Returning the IBM DB2 database to a consistent state Rebuilding IBM DB2 database indexes Rebuilding Oracle database indexes Increasing Oracle database size Forwarding a subset of events in real time to another SESA DataStore Changing the SESA DataStore password for an Oracle database Changing the IBM DB2 SESA DataStore password IBM DB2 database performance tuning Running Runstats and DoReorg scripts Running the Refresh script Increasing the IBM DB2 transaction log size Oracle database performance tuning Optimizing Oracle database query performance Removing materialized views from the Oracle Standard Edition database Adjusting the refresh frequency of materialized views Using the Oracle Enterprise Edition Partitioning option Collecting statistics on tables and indexes Increasing the load that an Oracle database can handle Increasing Oracle transaction log size Chapter 10 Maintaining the SESA Manager Starting and stopping the IBM HTTP Server Reconfiguring the SESA Manager computer to use a new IP address Throttling the flow of SESA events to the SESA Manager Setting the SESA Agent queue size Setting SESA Manager minimum available disk space Restricting access to the IBM HTTP Server Configuring SESA to handle a higher SESA Agent load Configuring SESA Manager servlet logs Changing passwords Changing the Java Trust Stores default password Changing the SESA Secure Communications password Changing the Web Server password Changing the SESA Domain Administrator password...403

15 Contents 15 Appendix A Appendix B Appendix C IBM DB2 database memory usage specifications All SESA components SESA Directory and SESA DataStore SESA DataStore and SESA Manager Stand-alone SESA DataStore SESA logs Oracle database server logs IBM DB2 database server logs IBM Directory Server logs IBM HTTP Server logs Apache Tomcat Servlet logs JDBC error log SESA Agent logs SESA Manager logs Post-installation SESA files Post-installation directories on Windows platforms SESA files on Windows platforms Third-party software files on Windows platforms Post-installation directories on Solaris platforms SESA files on Solaris platforms Third-party software files on Solaris platforms Post-installation directories on Oracle database servers SESA files on Oracle database servers Third-party software files on Oracle database servers Glossary Index

16 16 Contents

17 Chapter 1 Introducing Symantec Enterprise Security Architecture This chapter includes the following topics: About Symantec Enterprise Security Architecture What s new in SESA 2.0 Components of SESA What you can do with SESA How SESA works Where to get more information about SESA About Symantec Enterprise Security Architecture Symantec Enterprise Security Architecture (SESA) integrates multiple Symantec Enterprise Security products and third-party products to provide flexible control of security within organizations. SESA is designed to meet the requirements of both large-sized and medium-sized enterprises. It provides a common management framework for native and integrated SESA security products to protect your IT infrastructure from malicious code, intrusions, and blended threats, and help to identify the vulnerabilities that the threats exploit. SESA helps you increase your organization s security posture by simplifying the task of monitoring and managing security-related events and products. You can monitor and manage security-related events through the Symantec management console.

18 18 Introducing Symantec Enterprise Security Architecture About Symantec Enterprise Security Architecture Figure 1-1 shows the basic relationships among the foundation that is provided by SESA, the Symantec management console, and the security products that SESA helps manage. Figure 1-1 SESA foundation Native and non-native security products SESA Agent SESA Agent SESA Agent SESA Manager Symantec management console The Symantec management console is the common user interface that provides manageable integration of security technologies (Symantec or otherwise), Symantec Security Services, and Symantec Security Response.

19 Introducing Symantec Enterprise Security Architecture What s new in SESA About the Symantec management console Using the Symantec management console with the appropriate native and integrated SESA security products, you can do the following: Centrally manage attacks, threats, and exposures by correlating security information from integrated Symantec and non-symantec antivirus products, firewalls, intrusion detectors, incident response management software, and vulnerability scanning tools. Query, filter, and sort data to reduce the security-related events that you see through the Symantec management console, which allows you to focus on threats that require your attention. You can configure alert notifications in response to events, and generate, save, and print tabular and graphical reports of event status, based on filtered views that you have created. Change the security configurations of native and integrated SESA security products. Configuration options differ depending on the features of the integrated product. Configure and adjust SESA components to meet the infrastructure and performance needs of your organization. Group clients according to their security infrastructure and functional management needs to minimize the complexity of managing many security technologies across numerous clients and users. You can logically create groups of managed computers that are based on location, products installed, area of responsibility, or any combination of these. These organizational units help you better delegate event-management, product-configuration, and maintenance tasks. Create user roles and grant product-based or other types of permissions to further help with task delegation. SESA provides role-based administration, in which SESA users are granted permissions according to the roles to which they are assigned. Like organizational units, roles can be defined by product, location, or type of task. The flexible, centralized approach and comprehensive event-management capabilities of SESA give you the up-to-date information that you need to make informed decisions about the security of your network and related devices. What s new in SESA 2.0 Symantec Enterprise Security Architecture version 2.0 provides an expanded set of features and functionality to help you centrally manage events and event configurations for Symantec and third-party security products across networks.

20 20 Introducing Symantec Enterprise Security Architecture What s new in SESA 2.0 The expanded platform and technology support provides SESA 2.0 with superior system reliability across multiple platforms and environments. Improved performance and scalability Query performance has been significantly improved in SESA 2.0 to provide fast query responses even when there are millions of events in the database. SESA 2.0 also supports multiple SESA DataStores within a database instance. One benefit of multiple SESA DataStores is that it lets you create a smaller, faster database that contains the last several weeks of data, and a larger database that contains the data for the last year or more. You can use the smaller, faster database for daily operations and real-time analysis, while reserving the large database for forensics analysis and generating historical trending reports. For more information, see the Symantec Management Console User s Guide. In addition, SESA 2.0 dramatically improves performance through better tuning and configuration of the database, the use of clustered indexes and other indexes, the optimization of queries to leverage these indexes, and better allocation of memory for the database. Scalability has also been significantly improved in SESA 2.0 to support thousands of events per minute for tens of thousands of integrated security products, which means that SESA 2.0 can support even the largest deployments by the largest enterprises. Enhanced data-management capabilities SESA 2.0 includes new features to enable you to better manage the high volumes of data that you receive from your security products. First, SESA 2.0 lets you store and replicate data across multiple SESA DataStores within a database instance. This lets you archive data from one SESA DataStore while you continue to use the other SESA DataStores. For more information, see the Symantec Management Console User s Guide. In addition, SESA 2.0 lets you configure event filters to prevent SESA from inserting unwanted events into any of the SESA DataStores. See SESA Manager-side event filtering on page 21. SESA 2.0 also provides Database Maintenance tools for easily purging, moving, copying, and archiving the data in the SESA DataStores. See SESA Data Maintenance Tool on page 347.

21 Introducing Symantec Enterprise Security Architecture What s new in SESA SESA Manager-side event filtering Oracle database support You can now use the Symantec management console to manually select events to eliminate from insertion in the SESA DataStore. The Symantec management console provides a list of event types that, when selected, are bypassed by the SESA Manager instead of processed for insertion into the SESA DataStore. Using the Symantec management console, you can also define exclusion filters based on product fields, comparison operators (for example, <, >, and =), and Boolean operators. For example, you can create an exclusion filter to exclude all events with a severity of three or less from being inserted into a SESA DataStore. For more information, see the Symantec Management Console User s Guide. SESA 2.0 now supports the installation of the SESA DataStore on an Oracle 9i database server. The Oracle 9i database server must be running on a Sun SPARC Solaris 8 operating system. Expanded Solaris platform support In addition to SESA Agent support for Sun SPARC Solaris 7/8/9 operating systems, SESA now supports the SESA DataStore, SESA Manager, and SESA Directory on computers that run Sun SPARC Solaris 8. Expanded failover capabilities SESA 2.0 now lets you configure the Symantec management console to set up one or more alternate servers for SESA components should any SESA component server become unavailable. The failover feature lets you preconfigure the SESA Agent to connect to alternate SESA Managers when the primary SESA Manager computer goes offline. You can also preconfigure the SESA Manager to connect to alternate, or replica, SESA DataStores or SESA Directories if the primary SESA DataStore or SESA Directory becomes unavailable. In this way you safeguard against unexpected system failures by ensuring that backup resources will be available and accessible, and that no component in the SESA environment becomes a single point of failure. See Failover support on page 40. See Setting up failover support on page 243.

22 22 Introducing Symantec Enterprise Security Architecture What s new in SESA 2.0 Heartbeat monitoring for the SESA Agent The SESA Agent in SESA 2.0 comes with a heartbeat service that provides the SESA Manager with near real-time status of critical services that register with the SESA Agent. Users can configure which services are considered critical. By default, the SESA DataStore, SESA Directory, and SESA Manager are defined as critical services. The SESA Agent detects the availability of these services and reports heartbeat data to the SESA Manager. Administrators can view heartbeat status quickly and easily from the Symantec management console, and can also configure alerts based on heartbeat failure events. See SESA Agent on page 27. For more information on viewing heartbeat status in the Symantec management console, see the Symantec Management Console User s Guide. Added flexibility in roles and access control In earlier versions of SESA, administrators could assign view-only or super-user administrative privileges to SESA roles only. With SESA 2.0, you can now choose from multiple sets of permissions, which gives you more flexibility in allocating administrative and other duties to users. Consequently, roles in SESA 2.0 can now contain more customized and targeted sets of permissions for managed security products. See Roles in SESA on page 39. Added support for SESA Agent platforms In addition to the platforms that were supported in earlier versions of SESA, SESA Agents also run on Windows 2003 and Red Hat Linux 7.3 operating systems. Multiple SESA administrative domains SESA 2.0 now lets you install more than one SESA administrative domain within your SESA environment. SESA 2.0 also supports the creation of subdomains under a root domain. Using multiple domains and subdomains allows you to more flexibly delineate and manage the organization s network resources. See Multiple administrative domains on page 38.

23 Introducing Symantec Enterprise Security Architecture Components of SESA 23 Enhanced support for Symantec and third-party product installations The integration of Symantec and third-party security products with SESA 2.0 is much easier because administrators only need to run the SESA Integration Package (SIP) once on any SESA Manager computer. The product is integrated automatically in the SESA Directory and associated SESA Managers and SESA DataStores. In addition, the SIP can automatically integrate the security product with any new SESA Manager or SESA DataStore computers after the initial product integration takes place. See SESA Integration Packages, Symantec Event Managers, and Symantec Event Collectors on page 30. Enhanced event reporting and querying SESA 2.0 provides Symantec management console viewers with improved report filtering capabilities and more report-driven querying. Viewers can now filter an event view dynamically without having to create a custom report of the events first. Viewers can filter events inclusively and exclusively, as well as use AND/ OR conditions. Users can chain their queries to find the exact desired details in any event view. In addition, SESA 2.0 provides improved querying performance, which lets you sift through larger quantities of data with quicker results. See Roles in SESA on page 39. Simplified administrative auditing Components of SESA In SESA 2.0, any activity that is initiated in the Symantec management console and accesses or changes the SESA Directory is now logged as an event. Examples of some events include successful and failed logon attempts to the Symantec management console, configuration changes, and user and role updates. The following components are the core of Symantec Enterprise Security Architecture: SESA Directory SESA DataStore SESA Manager

24 24 Introducing Symantec Enterprise Security Architecture Components of SESA SESA Agent (on the SESA Directory, SESA DataStore, and SESA Manager, as well as on the integrated security product) Symantec management console SESA Integration Packages, Symantec Event Managers, and Symantec Event Collectors, as required by security products SESA relies on security product SESA Agents, a SESA Directory, a SESA DataStore, and a SESA Manager to collect, store, process, and report security events to the Symantec management console, and to distribute configuration changes to SESA and SESA security products. In some cases, security products may also use a Symantec Event Collector to collect security events to forward to SESA. Figure 1-2 shows the relationships among the major SESA components. No Symantec Event Collectors are shown. Figure 1-2 Relationships among SESA components Symantec management console SESA SESA Agent Manager SESA security product SESA Directory SESA DataStore

25 Introducing Symantec Enterprise Security Architecture Components of SESA 25 SESA Directory The SESA Directory uses the Lightweight Directory Access Protocol (LDAP) to store the configuration data that is required to manage native and integrated SESA security products and SESA services on the network. The configuration data includes the following: Organizational units, which identify of all of the SESA-managed computers and components on the network and their locations in an organizational hierarchy. Configuration groups, which have managed computers as members. Data for each native and integrated SESA security product or SESA service that is installed on each SESA-managed computer (client or server). All authorized Symantec management console users on the network. The administrative roles to which Symantec management console users are assigned. Roles group users to assign Symantec management console access-control permissions. Configuration data that describes the settings for the software features of the SESA security product or products. Information that describes SESA itself. You can view, add, and modify information through the Symantec management console, which then stores the data in the SESA Directory. You can define a number of configurations for each SESA-integrated product. Each product differs as to the type of configuration options that are offered. You can organize managed computers and users into different types of groups to help you delegate administrative tasks, and to better reflect the existing infrastructure of your organization s network. As new SESA security products are installed, SESA automatically adds the products and the computers on which they are installed to the SESA Directory.

26 26 Introducing Symantec Enterprise Security Architecture Components of SESA SESA DataStore SESA Manager SESA Directory replicas Using the same Symantec Installation Wizard that installs SESA Directories, you can also install one or more replica SESA Directories to add failover support. In this way, when a network connection fails on a SESA Directory computer, the associated SESA Manager can automatically switch communication to the replica SESA Directory. Replica SESA Directories are read-only. While a replica SESA Directory is in use, you cannot make configuration changes to SESA components and management objects. See Setting up SESA Agent-to-Manager failover support on page 244. The SESA DataStore is a relational database that stores all event data that is generated by SESA and SESA products. In addition, the SESA DataStore stores alerts that are generated by alert configurations. SESA events and product events are predefined. You can create alert configurations or notifications based on one or more events, and set alerting thresholds. Depending on the rate that security events are logged to the SESA DataStore, more than one SESA DataStore may be necessary for a SESA installation. During SESA installation, you can span a single SESA DataStore across multiple drives or move it to another drive, as available space requires. You can also use thirdparty software to resize and move SESA DataStores after the SESA installation, if necessary. The SESA Manager centrally manages event processing for the SESA Agents, SESA DataStore, SESA Directory, and Symantec management console. The SESA Manager contains a Web server and a servlet engine. Each aspect of the SESA Manager s functionality is implemented as a Java servlet. All SESA data passes through the Web server and the servlet engine. Depending on resource demands and physical constraints such as locations, you can set up the SESA Manager in the following different configurations: SESA Manager, SESA DataStore, and SESA Directory all on a single computer (not supported on Solaris platforms) SESA Manager on one computer, SESA DataStore and SESA Directory on remote computers (distributed)

27 Introducing Symantec Enterprise Security Architecture Components of SESA 27 One or more SESA Managers that log event data to their own SESA DataStores as well as forward events and alerts to other SESA Managers (event and alert forwarding) but share a single SESA Directory Multiple SESA Managers that point to one SESA Directory and SESA DataStore SESA DataStores at multiple sites that replicate to a single master SESA DataStore (replication) See Supported installation configurations on page 79. You can decide which configuration is most appropriate for your networking environment during installation planning. SESA Agent SESA Agents are Java applications that perform communication functions for the SESA components or security products on which they are installed. Depending on where the SESA Agent is running, it handles the following types of communication tasks: SESA Agent installed on a security product When a SESA Agent is installed on a security product, it handles the communication between the product and the SESA Manager. The SESA Agent passes event data from the security product to the SESA Manager and receives product configuration data. One SESA Agent can support multiple security products that are installed on the same computer. (For a SESA Agent to support a product, the product must have been integrated with SESA.) SESA Agents are installed and uninstalled with the security product. If the SESA Agent is not available with the security product, it is typically installed and uninstalled with a Symantec Event Manager, Symantec Event Collector, or some other type of SESA integration method. See SESA Integration Packages, Symantec Event Managers, and Symantec Event Collectors on page 30.

28 28 Introducing Symantec Enterprise Security Architecture Components of SESA SESA Agent installed on the SESA Manager (and if necessary, the SESA Directory and SESA DataStore) In SESA 2.0, a SESA Agent is installed on the SESA Manager, which has a heartbeat provider that monitors the online and offline status of SESA services that are running on the SESA Agent. When security products integrate with SESA, they register certain critical services with the SESA Agent. You can further define critical services in the Symantec management console. The SESA Agent is installed and uninstalled with the SESA Manager. If the SESA Directory or the SESA DataStore is installed on different computers than the SESA Manager, you must use the SESA Installation Wizard to install an additional SESA Agent on each remote SESA Directory or SESA DataStore computer. The purpose of the SESA Agent on a remote SESA Directory or SESA DataStore is to obtain heartbeat status from these SESA components. See SESA Agent heartbeat service on page 28. SESA Agent heartbeat service The SESA Agent in SESA 2.0 comes with a heartbeat service that provides the SESA Manager with near real-time status of critical services. These critical services register with the SESA Agent. Administrators can view heartbeat status quickly and easily from the Symantec management console, and can also configure alerts that are based on heartbeat failure events. Any time that a defined critical service misses a heartbeat (that is, becomes unavailable), SESA generates an event, which you can use for creating an alert, which can generate the proper alert or notification, such as an or page. You can view heartbeat status in the Symantec management console. An icon next to a computer denotes whether the critical services that are running on that computer are operational, have failed, or are not applicable. Without making queries, you can use the Systems view tab as a quick and comprehensive way to identify computers on which a service is unavailable. You can also query properties to see a more detailed status. For more information, see the Symantec Management Console User s Guide. You can view the length of time that a service has been running or the length of time that a service has been unavailable. The view also displays the normal check-in interval of the computer in question.

29 Introducing Symantec Enterprise Security Architecture Components of SESA 29 Event data handling To pass event data, the SESA Agent sends events as follows: Symantec management console Batch events are normal priority events that accumulate on the SESA Agent before the SESA Agent sends them. The SESA Agent sends them according to settings that you configure in the Symantec management console. Batch events provide efficient communication because each time that the SESA Agent connects to the SESA Manager, it must open a connection and authenticate itself to the SESA Manager. Direct events have alert configurations associated with them and are sent immediately to the SESA Manager, which bypasses the SESA Agent event queue. The Symantec management console provides a simple, lightweight, Java-based, user-interface framework. The Symantec management console runs in a Web browser via a secure connection and retrieves events and configurations through the SESA Manager. The Symantec management console provides you with flexible features such as detachable windows, preferences, stored views, and tabular and graphical views. It also offers extensive filtering capabilities, which let you filter any field in the data, including date, time, event, event family, SESA security product, and more. The Symantec management console is data-driven. As SESA security products integrate into SESA, they extend the Symantec management console s functionality by inserting new event classes, views, tabs, and other productspecific data into it.

30 30 Introducing Symantec Enterprise Security Architecture Components of SESA Figure 1-3 Events view displayed in the Symantec management console SESA Integration Packages, Symantec Event Managers, and Symantec Event Collectors After you install all of the SESA components, including any additional domains, subdomains, SESA Agents for heartbeat monitoring (as necessary), and replica or secondary SESA Directories, SESA DataStores, and SESA Managers for failover support, you can start integrating Symantec or third-party security products with SESA. SESA lets you integrate products through a robust framework called the SESA Integration Package (SIP). SIPs contains the product schemas and other descriptions that let SESA recognize products and log events from them. All products require you to run the SESA Integration Wizard to integrate with SESA. However, some products require that you install other integration components in addition to a product SIP. Table 1-1 lists all of the types of integration components that SESA may require for a product integration. For more information on the specific integration components that your product requires to integrate with SESA, see the product documentation.

31 Introducing Symantec Enterprise Security Architecture Components of SESA 31 Table 1-1 Integration component SESA Integration Package (SIP) SESA integration components Description All products that integrate with SESA have a SESA Integration Package (SIP), which is installed on the SESA Manager computer and deployed to the appropriate SESA administrative domains and SESA DataStores. The SIP configures the SESA DataStore to recognize and log events from the product. Each product provides a unique data package, which provides the product schema information for the SESA DataStore. You install SESA Integration Packages using the SESA Integration Wizard. In SESA 2.0, this wizard is accessible on the SESA Manager computer. The wizard prompts you for the product-specific data package. For most Symantec products, this data package is supplied with the product distribution media. Some products are Relays, Bridges, or have UI extensions. Relays and Bridges let SESA relay events from the SESA DataStore to another product. UI extensions allow the Symantec management console to include a unique graphical user interface and functionality for a product. Relays, Bridges, and UI extensions are collectively called Manager extensions. When a SIP contains a Manager extension, you are required to run an additional wizard in the Symantec management console to deploy the Manager extension. See Integrating security products with SESA on page 221. For instructions on deploying Manager extensions, see the Symantec Management Console User s Guide. Other products may use previous versions of the SESA Integration Wizard. In such cases, the wizards and SIPs for the product are provided with a Symantec Event Manager, Symantec Event Collector, or on other distribution media.

32 32 Introducing Symantec Enterprise Security Architecture Components of SESA Integration component SESA Agent Description All products require a SESA Agent to integrate with SESA. The SESA Agent runs on the product (or client) computer, and provides communication services between the product and the SESA Manager. Depending on the product, the SESA Agent can be provided through any of the following mechanisms: Agent Installer: Some products come with a separate software program to install the SESA Agent on the various platforms that are supported by the product. Product installation program: Some products have an option in their installation programs for installing the SESA Agent. Depending on the product, you can install the SESA Agent during product installation, or at a later time. Manual installation: Some product versions that have shipped before other SESA integration methods became available require manual steps to install the SESA Agent. Symantec collectors (also called sensors): Some products require that additional software be installed on a product computer for the purpose of collecting and configuring event data from the product or product logs. If event collecting software is required, a Symantec collector will also typically install the SESA Agent. The SESA Agent passes the collected events to the SESA Manager for insertion into the SESA DataStore. Symantec collectors are often packaged with Symantec Event Managers or Symantec Event Collectors. Symantec Event Managers Symantec Event Collectors Symantec Event Managers provide a suite of SESA integration components for the Symantec products that they support. In addition, depending on the supported product, they may provide a Symantec collector, an Agent Installer, or instructions for installing the SESA Agent manually. Symantec Event Collectors provide the Symantec collectors (also called sensors), SESA Agents, and SESA Integration Packages that are required for a third-party or non-symantec product to integrate with SESA. Each Symantec Event Collector supports a particular third-party product or suite of products. Symantec Event Managers and Symantec Event Collectors let organizations with large SESA installations immediately leverage the benefits of SESA even when their supported security products are versions that were released before SESA.

33 Introducing Symantec Enterprise Security Architecture What you can do with SESA 33 What you can do with SESA Organizational units SESA 2.0 lets you organize resources on your network to more easily manage and view them as objects in graphical and tabular formats. You can change configurations on native and integrated SESA security products as well as on the SESA services that manage these products. You can create and maintain SESA users (who perform SESA administrative tasks), and assign them to roles for the purpose of grouping like access permissions. Organizational units let you group computers into logical collections. You can group computers by location, SESA security product installed, class of user, or class of computer. Through the Symantec management console, you can create, modify, and delete organizational units. This flexibility lets you design your SESA environment to better reflect how your organization is handling or plans to handle its security-management needs across the network. For example, one organization may organize its network by business functions, such as marketing, operations, and accounts payable, while another organization may organize by IT functions. Still others may structure their networks by product groups, such as antivirus and firewall, or by location, for example, regions, cities, or building floors. Many organizations need to organize their networks by a combination of some or all of these criteria. SESA is flexible enough to allow whatever hierarchical grouping is necessary to reflect your organization s IT structure. While the main purpose of organizational units is to group computers with common configurations, you can also use organizational units to change configurations on native and integrated SESA security products. To override a particular configuration, you use configuration groups. Configuration groups let you create exceptions to the computer configurations in organizational units. See Configuration groups on page 34.

34 34 Introducing Symantec Enterprise Security Architecture What you can do with SESA Organizational unit hierarchy Nested objects in an organizational unit hierarchy can inherit the configuration properties of their parent units, but only if they do not already have configurations associated with them. You can associate configurations with organizational units at any level in the hierarchy. If a computer does not find a configuration at its level, it uses the configuration at the next level up the tree. At the same time, you can distribute a configuration to individual computers within an organizational unit without affecting the other computers in the unit. This type of property inheritance reduces repetitive configuration tasks, which makes the maintenance of native and integrated SESA security product configurations more efficient. Default organizational units The organizational units in Table 1-2 already exist when you access the Symantec management console for the first time. Table 1-2 Organizational unit Default Managers Default organizational units Description The Default organizational unit contains computers on which SESA Agents are installed, but have not yet been assigned to other organizational units. When you create organizational units, you move computers from the Default unit to the newly created unit as necessary. Some native or integrated SESA security products may prompt you to specify their organizational unit during the product installation process. The Managers organizational unit is used to contain computers on which SESA Managers are installed, if necessary. You decide during the SESA Manager installation process whether you want the SESA Manager to initially appear in the Manager or in the Default organizational unit. You can later move a SESA Manager to another organizational unit. Configuration groups Configuration groups let you create exceptions to the configurations that you have created for computers in organizational units. You may have cases in which a small number of computers have configurations that would match those of a larger group of computers, but for one or two exceptions. You can still

35 Introducing Symantec Enterprise Security Architecture What you can do with SESA 35 include the near-match computers in the same organizational unit as the larger group of computers, and then handle the differences by creating a configuration group for the near matches that specify the exceptions. Any configurations for computers in configuration groups override the configurations of those same computers in organizational units. Therefore, configuration groups provide a convenient way to track exceptions without having to create a new organizational unit for every computer configuration that differs slightly from existing configurations. For example, you may have three computers in three different organizational units that require the same slight modification to an antivirus configuration. Rather than make three separate configuration changes for each computer, you can create one configuration group for the three computers and define a configuration once. Computers are members of configuration groups, but are contained in organizational units. Configuration groups take precedence over organizational units. Organizational units represent the actual SESA-managed computers on the network, while configuration groups represent exceptions to organizational unit configurations. See Organizational units on page 33. A computer can only be assigned to one configuration group at a time. If you reassign a computer to another configuration group, SESA automatically removes the computer from its original configuration group. Unlike organizational units, configuration groups do not nest hierarchically. Each group receives only the configurations that you have explicitly assigned to it.

36 36 Introducing Symantec Enterprise Security Architecture What you can do with SESA Product configuration distribution Integrating products are installed with predefined categories of product configuration options, which are called software features. The values that have been set for these options are what SESA detects as the various configurations for the computers in organizational units. SESA lets you create, modify, or delete these configurations (including configurations for SESA itself). SESA allows you to have multiple configurations for each native or integrated SESA product so that you can apply a specific configuration to a subset of computers that are running the product. For example, you may want to change an existing configuration for a firewall product by opening a port to grant limited access. You can make this change once in the Symantec management console and then have SESA distribute the change to the necessary antivirus computers. Note: The timing of configuration distribution varies depending on the amount of traffic on the SESA Manager. Products acquire new configurations in the following ways: An administrator with product-management permissions initiates the distribution of the configuration. A message is sent to computers, telling them to contact the SESA Manager for configurations. An administrator can control how to send this message so that the SESA Manager is not overwhelmed by requests for new configurations. The SESA Agent that is installed with a product, or on a SESA Manager, polls the SESA Manager to find out if there are new configurations. This polling can take place at a configured interval, or when the computer on which the SESA Agent is installed is restarted. In both of these cases, the following actions take place: The product, by way of the SESA Agent, queries the SESA Manager for configurations that it needs. SESA performs a hierarchical check to find the right configuration. The SESA Agent pulls the configuration to the computer. Figure 1-4 illustrates the hierarchy of precedence that SESA uses to determine which configuration to distribute. The SESA Agent queries the SESA Manager for specific actions.

37 Introducing Symantec Enterprise Security Architecture What you can do with SESA 37 Figure 1-4 Configuration distribution hierarchy Do configurations exist that are: Directly associated with this computer? YES The SESA Agent pulls the configuration to the computer. NO For the configuration group to which the computer belongs? YES The SESA Agent pulls the configuration to the computer. NO For the organizational unit to which this computer belongs? YES The SESA Agent pulls the configuration to the computer. NO For an organizational unit above the one to which this computer belongs? YES The SESA Agent pulls the configuration to the computer. NO The SESA Agent pulls the default configuration to the computer.

38 38 Introducing Symantec Enterprise Security Architecture What you can do with SESA Multiple administrative domains Multiple administrative domains facilitate the management of your network resources. An administrative domain is a structural container in the SESA Directory that you use to organize a hierarchy of users, organizational units, computers, configuration groups, and managed products and product configurations. By default, at least one administrative domain is installed when you install a SESA Manager. You can install additional domains; however, each domain must have at least one SESA Manager associated with it. For example, if your company is large, with sites in multiple regions, you may need to have a single view of management information, yet have the option to delegate administrative authority, physically separate security data, or have greater flexibility in how users, computers, and policies are organized. You may have similar needs if you are a managed service provider that manages multiple independent companies, as well as Internet service providers. To meet these needs, you can install multiple administrative domains, for example by country, by region, or by company. Each domain that you install provides an additional set of instances of the basic SESA Directory tree. You can organize the domains that you install as peers on different servers, or in a hierarchy on a single server, depending on your needs. You can create additional domains using the SESA Installation Wizard. See Installing additional SESA domains on page 212. SESA users SESA maintains a list of SESA users, or people who have SESA management or non-management roles. SESA installs with a default Administrator user, which is defined during installation when the SESA Installer asks for a user name and password for the SESA Directory Domain Administrator. The default Administrator has access rights to the entire SESA administrative domain. A SESA domain is an autonomous group of objects for which administrative authority is granted through roles. Objects include computers, users, databases, application configurations, and application service locations. SESA 2.0 lets administrators install multiple administrative domains that contain all SESAmanaged objects and to which the default Administrator user is granted administrative authority. When SESA users are created, they have no access rights to SESA domains. Users are granted permissions to objects in the SESA environment through role assignment. When the SESA Installer creates the default Administrator user, it assigns the default role of SESA domain administrator to that user. This role

39 Introducing Symantec Enterprise Security Architecture What you can do with SESA 39 carries the necessary permissions for the default Administrator user to access all objects in the SESA domain. When you create a user, you assign a role that grants that user access rights to a set of objects in the domain. You can add SESA users using a wizard in the Symantec management console. Roles in SESA Roles are a way to create sets of permissions to the various management objects in the Symantec management console. A Symantec management console user can have one or more roles. The logon identity of Symantec management console users determines the role assignment during an administrative session. In SESA 2.0, roles provide more detailed permission levels for almost every management object in the Symantec management console. The first time that you install a SESA Directory, or when you create new domains using the SESA Installer, a domain Administrator role for the domain is created. You cannot modify or delete this role, but you can add users to it. Users who are members of this role have full access (permissions) to all objects that exist in the same domain as the role. When you do not want to give users such complete access, you can create more limited roles. Limited roles Roles that you create in the Symantec management console apply only to the domain in which they are created, and only to one product. If a user needs access to one product in one domain, you (as a member of the domain Administrator role) can make the user a member of a single role. For example, you can limit a user s access by making the user a member of a single role that allows only the viewing of firewall events and management of firewall configurations. However, if users need access to multiple products over several domains, you can make them members of more than one role. For example, a user may be a member of a firewall event viewing role in one domain and a member of an antivirus management role in another domain. This allows the user to view events from a firewall product in one domain, and manage the configuration of an antivirus product in another domain. Permissions Another way that roles control access to objects is through permissions. Permissions specify the rights (read, write, add, delete, and search) that members of a role have over SESA objects. Permissions are automatically added to a role when it is created. You can remove or modify permissions for specific objects by editing the role s properties.

40 40 Introducing Symantec Enterprise Security Architecture What you can do with SESA Failover support Permissions, like roles, can only be modified by members of the domain Administrator role. For more information on configuring roles and permissions, see the Symantec Management Console User s Guide. SESA 2.0 now lets you configure the Symantec management console to set up one or more alternate servers for SESA components should any SESA component server become unavailable. The failover feature lets you preconfigure the SESA Agent to connect to alternate SESA Managers when the primary SESA Manager is unavailable. You can also preconfigure the SESA Manager to connect to alternate, or replica, SESA DataStores or SESA Directories if the primary SESA DataStore or SESA Directory becomes unavailable. Administrators can configure the following types of failover schemes: Automatic failover scheme: Selects an alternate server from a predefined, user-ordered list of SESA component servers in the Symantec management console. No administrator intervention takes place, although administrators can sequence failover servers in the Symantec management console. For failover SESA Directories, the particular failover server is chosen programatically, without user configuration. SESA selects the alternate SESA Directory server with the primary domain name suffix that most closely matches the primary domain name suffix of the failed server. Manual failover scheme: Requires the administrator to select the SESA component server manually at failover time. SESA lets administrators configure the number of connection attempts before a primary SESA component server fails over to an alternate server. In addition, administrators can configure the time interval between connection attempts, both when a server fails over and when it fails back to the primary server. See Setting up failover support on page 243.

41 Introducing Symantec Enterprise Security Architecture What you can do with SESA 41 Security technology in SESA LiveUpdate technology SESA installs with anonymous Secure Sockets Layer (SSL) technology to encrypt data and secure communications between the SESA Manager and any of the following: SESA Agents over HTTPS SESA Directory over LDAPS Symantec management console over HTTPS Other SESA Managers over HTTPS The default SSL that installs with SESA lets the SESA Manager dynamically create self-signed certificates to validate the integrity of, and encrypt data passing between, these components. Anonymous SSL does not provide authentication. However, SESA lets you convert to authenticated SSL, which authenticates connections among SESA Managers and SESA Agents, SESA Directories, Symantec management consoles, and other SESA Managers. SESA Managers always communicate through HTTPS to pass data to other SESA Managers and among its internal components. For example, a single SESA Manager can communicate internally between its servlets (such as an Event Logger to an Alert Logger servlet) over HTTPS. In addition, a SESA Manager can communicate with another SESA Manager using HTTPS, as is done in an event forwarding configuration. Communications between the SESA Manager and SESA DataStore use local TCP/ IP communication when the SESA DataStore and SESA Manager reside on the same computer. When they are installed on separate computers, you can secure communication between them by setting up a secure tunnel, such as a virtual private network (VPN). Transport Layer Security (TLS) is also supported on Sun SPARC Solaris installations. See Changing your security configuration on page 279. LiveUpdate is the Symantec technology that lets installed Symantec products connect to a server automatically for program updates. The connection is made through an HTTP or FTP site. LiveUpdate is installed on the SESA Manager computer when the SESA Installer installs the SESA Manager. Native SESA security products install the SESA Agent as part of their product installations. Security products that require integration with SESA use a Symantec Event Manager, Symantec Event Collector, Relay, or Bridge to install

42 42 Introducing Symantec Enterprise Security Architecture What you can do with SESA the SESA Agent. Regardless of how the SESA Agent is installed, you can configure it to perform a LiveUpdate operation in the Symantec management console. In addition, SESA security products can receive product updates from Symantec through Java LiveUpdate. However, neither the SESA Agent nor SESA Manager Java LiveUpdate sessions are involved in updating native or non-native SESA security products. Note: Some SESA third-party components cannot receive product updates through LiveUpdate. Event exclusion, logging, and viewing Alerts and alert notifications SESA 2.0 lets you select which types of events to exclude from insertion into the SESA DataStore. An integrated SESA security product forwards events to the SESA Agent, which manages and queues the events and sends them to a SESA Manager. The SESA Manager then logs the events in the SESA DataStore. The only way to exclude events from being logged to the SESA DataStore is to define exclusion event filters. One of the filter elements that you can define is the event type. For more information on configuring alert notifications, see the Symantec Management Console User s Guide. Event viewing is provided through Symantec management console views and specific product Symantec management console view extensions. For example, administrators can query, filter, and sort events to quickly find computers that are not protected, are out-of-date, or have high-severity events occurring on them. SESA lets you create alert notifications for events that are collected on the SESA Manager. Notifications can be sent via pagers, SNMP traps, , and OS Event Logs. You can define the notification recipients, day and time ranges when specific recipients are notified, and custom data to accompany the notifications. Each notification recipient can have one or more preferred ways of receiving notifications. You select the user to notify for one or more alerts. You may or may not associate an alert notification with alerts. You can configure alerts to accumulate events until a certain number are received or within a time interval. When a threshold is met, an alert is generated. After the alert is generated, any selected notifications for the alert are sent to a pager,

43 Introducing Symantec Enterprise Security Architecture How SESA works 43 Centralized reporting How SESA works , SNMP trap, or OS Event Log, depending on the alert settings. By applying thresholds, you can use alerts to consolidate the many events that native and non-native security products generate. See How SESA generates alerts on page 46. For more information on configuring alert notifications, see the Symantec Management Console User s Guide. SESA provides centralized reporting capabilities, including graphical reports. SESA provides some common reports, while native and integrated SESA security products have additional predefined reports. You can also create custom reports using the Custom Report Wizard. In SESA 2.0, the Custom Report Wizard provides options for multiple filters and includes a complete selection of operators (for example, =, >, and <). It also includes AND/OR operations. You can use reports to present statistics, recent activity, outbreak and intrusion conditions, and more. SESA provides a variety of report formats such as trend graphs, pie charts, stacked bar charts, and tables, all of which let you drill down to the particular data that you need. You can print current Symantec management console views of events and alerts as reports, or save the views as reports and export them to other formats. For more information, see the Symantec Management Console User s Guide. Symantec Enterprise Security Architecture (SESA) is an enterprise-scalable framework on which Symantec builds its Internet security solutions. Together with native and non-native security products, SESA lets you centrally manage responses to attacks, threats, and exposures by correlating security information from Symantec and non-symantec antivirus products, firewalls, intrusion detectors, incident management software, and vulnerability scanning tools. At its most basic level, SESA is composed of a SESA Agent that runs on nodes on which native and non-native security products are installed. The SESA Agent communicates with the security products, providing them with configuration information and collecting events and logs from the products. One or more SESA Agents pass the data that is generated from the products through a secure communication channel to a management server (the SESA Manager). The data that is provided by the SESA Agents is processed by a middle layer that consists of servlets that run on the SESA Manager. Data that is sent by

44 44 Introducing Symantec Enterprise Security Architecture How SESA works the SESA Agents and processed by the SESA Manager is posted to the SESA DataStore, and configuration changes are written to the SESA Directory. The Symantec management console process runs in a Web browser, but it accesses data through the SESA Manager. This process lets you configure alerts and notifications, review logs, generate reports, manage groups of objects within SESA, and control access for various user roles for security products that are integrated into SESA. To help you manage your security data, SESA performs specific operations, including the following: Logging an event See How SESA logs events on page 44. Generating an alert See How SESA generates alerts on page 46. Distributing a security product configuration See How SESA distributes product configurations on page 47. Forwarding an event or alert See How SESA forwards events on page 49. Each operation uses the SESA Manager to process the security data, but data is handled differently depending on the process. How SESA logs events SESA logs events in the SESA DataStore. You can view and manipulate them through the Symantec management console. Figure 1-5 shows the event logging process in SESA.

45 Introducing Symantec Enterprise Security Architecture How SESA works 45 Figure 1-5 How SESA logs an event SESA SESA Agent Manager SESA DataStore Security products on a SESA client computer Symantec management console Events One or more security products that are running on a client send events, which the SESA Agent collects. The SESA Agent queues the events to more efficiently manage the transfer of data to the SESA Manager. You can configure the SESA Agent queue settings, including queue size and flushing interval, through the Symantec management console. See Setting the SESA Agent queue size on page 396. The SESA Agent communicates with the SESA Manager over a secure HTTPS channel. It queues events for the SESA Manager to handle. If an alert configuration is associated with an event, the SESA Agent and SESA Manager handle it differently. See How SESA generates alerts on page 46. The SESA Manager processes the events and inserts them into the SESA DataStore. You can view the events in the Symantec management console. The SESA Manager handles the query requests and displays the events in the Symantec management console.

46 46 Introducing Symantec Enterprise Security Architecture How SESA works How SESA generates alerts You can reduce the number of security-related events that you see by querying, filtering, and sorting events to display only the desired information in the Symantec management console. You can then generate and print reports of event status, which are based on filtered views that you create. When you configure an alert, the SESA Manager stores the alert configuration in the SESA Directory. You can configure alerts to be generated with specific thresholds and time intervals or for every occurrence of a matching event. You can also configure a notification for each alert. Figure 1-6 shows how SESA generates an alert notification when enough alerts are generated to exceed a configured threshold. Figure 1-6 How SESA generates an alert notification Alerts Threshold = 5 events per minute SESA Manager SESA Agent Symantec management console SESA security products sending events on SESA client computers SMTP mail message SESA Directory SNPP pager In the Symantec management console, you can configure an alert in which you define the type and number of events to track over a specified interval. For

47 Introducing Symantec Enterprise Security Architecture How SESA works 47 example, you can create an alert to trigger when SESA logs five critical events over a one-minute period. The SESA Manager processes the alert and inserts it into the SESA DataStore. On clients, SESA Agents collect events. SESA identifies events that have alerts associated with them as direct events. SESA Agents send direct events over a secure HTTPS channel to the SESA Manager by queuing them for immediate processing. When there is no connectivity between the SESA Manager and SESA Agents, SESA Agents queue both direct and batched events until the connection is restored and the SESA Manager can process them or the queue becomes full. The SESA Manager immediately processes direct events using its Event Logger servlet to insert the events into the SESA DataStore. When the particular type of event that was configured in the alerts is logged to the SESA DataStore the specified number of times within the specified interval, the alert threshold is exceeded and the alert is triggered. In Figure 1-6, the alert configuration has a threshold of five critical events in one minute. The SESA Manager triggers the alert only after it logs the fifth critical event that has been sent in under one minute. You can associate one or more alert notifications with an alert. Depending on how notification delivery is configured for the user who is specified in the alert, the service can be an SNPP pager or SMTP mail message. Additionally, you can use an SNMP trap or OS Event Log for alert notifications. How SESA distributes product configurations When you configure a security product, the SESA Manager processes the configuration, stores it in the SESA Directory, and distributes it to the appropriate security products on the network. Figure 1-7 shows the distribution of product configurations in SESA.

48 48 Introducing Symantec Enterprise Security Architecture How SESA works Figure 1-7 How SESA distributes product configurations Config SESA Manager SESA Agent Symantec management console SESA Agent SESA Directory SESA Agent In the Symantec management console, you can change a configuration for a security product that integrates with SESA. The SESA Manager processes the configuration request and stores it in the SESA Directory. When you select the Distribution option in the Symantec management console, the SESA Agents that were installed with the security products pull the configuration from the SESA Manager. The SESA Agent processes the configuration data to modify the necessary product settings. Note: All SESA Agents poll for configuration changes every eight hours. However, when an administrator makes a configuration change and distributes it, SESA informs the SESA Agent that a new configuration is available. The SESA Agent then immediately downloads the configuration change rather than waiting up to eight hours.

49 Introducing Symantec Enterprise Security Architecture How SESA works 49 How SESA forwards events You may want to use event forwarding to roll up particular events to certain locations so that the necessary information is supplied where it is needed. When you set up an installation for event forwarding, one or more SESA Managers log events to their own local SESA DataStores. However, you can configure a SESA Manager to forward a subset of events to another SESA Manager to insert into its SESA DataStore. Figure 1-8 shows event forwarding in SESA. Figure 1-8 How SESA forwards events SESA Agent REGION 1 SESA Agent SESA Manager SESA DataStore HEADQUARTERS Security products on SESA client computers SESA Manager SESA DataStore SESA Agent REGION 2 SESA Agent SESA Manager SESA DataStore

50 50 Introducing Symantec Enterprise Security Architecture Where to get more information about SESA In Figure 1-8, an organization has installed two SESA Managers and SESA DataStores at its regional offices, and one SESA Manager and SESA DataStore at the corporate headquarters. Administrators at the organization want to log all events to the regional SESA DataStores, but forward only virus events to the SESA DataStore at corporate IT headquarters. Clients at the regional site generate events, which the SESA Agents pass to their respective regional SESA Managers. The regional SESA Managers process the events, which logs them to their own regional SESA DataStores. Because the regional SESA Managers have been configured to forward virus events from the regional SESA DataStores, they also forward, over a secure HTTPS channel, a copy of the virus events to the SESA Manager at corporate headquarters. The corporate SESA Manager then processes the virus event data and inserts it into the corporate SESA DataStore. Virus event data from the regional client computers is logged to both the regional SESA DataStores and the corporate headquarters SESA DataStore. Where to get more information about SESA For more information on SESA, a SESA knowledge base is available on the Symantec Technical Support Web site at: The knowledge base link is the first one under Technical Support. You can find the Symantec Enterprise Security Architecture knowledge base listed under Security Management. To obtain an updated version of the SESA Implementation Guide and other SESA guides, visit the Symantec Public FTP site at any of the following URLs: ftp://ftp.symantec.com/public/english_us_canada/doc ftp://ftp.symantec.com/english_us_canada/products/sesa/manuals SESA Directory third-party software information Table 1-3 lists the SESA Directory middleware components and how to access online documentation for them.

51 Introducing Symantec Enterprise Security Architecture Where to get more information about SESA 51 Table 1-3 How to access SESA Directory third-party online documentation Third-party product IBM Directory Server IBM Directory Management Tool (DMT) IBM HTTP Server IBM Key Management Utility (IKEYMAN) How to access online documentation To access IBM Directory Server online documentation On the Windows taskbar, click Start > Programs > IBM Directory Server 4.1 > Getting Started. To access IBM DMT online documentation 1 On the Windows taskbar, click Start > Programs > IBM Directory Server 4.1 > Directory Management Tool. 2 In the DMT, in the upper-right corner of the right pane, click the question mark icon. To access IBM HTTP Server online documentation On the Windows taskbar, click Start > Programs > IBM HTTP Server > Documentation. To access IBM IKEYMAN online documentation 1 On the Windows taskbar, click Start > Programs > IBM HTTP Server > Getting Started. 2 In IKEYMAN, on the Help menu, click Contents. SESA DataStore third-party software information Table 1-4 lists the SESA DataStore middleware components and how to access documentation for them. Table 1-4 How to access SESA Manager third-party online documentation Third-party product IBM DB2 databases IBM DB2 Control Center How to access online documentation To access IBM DB2 online documentation On the Windows taskbar, click Start > Programs > IBM DB2 > Information > DB2 Information. To access IBM DB2 Control Center online documentation 1 On the Windows taskbar, click Start > Programs > IBM DB2 > Control Center. 2 In the Control Center, on the Help menu, click Help Index, General Help, or Information Center.

52 52 Introducing Symantec Enterprise Security Architecture Where to get more information about SESA Third-party product IBM DB2 Command Center Oracle database How to access online documentation To access IBM DB2 Command Center online documentation 1 On the Windows taskbar, click Start > Programs > IBM DB2 > Command Center. 2 In the Command Center, on the Help menu, click Help Index, General Help, or Information Center. To access Oracle database server online Help In Oracle Enterprise Manager, access the online Help menu. To access online documentation for Oracle 9i databases In a Web browser, go to the following URL: Free registration is required to view documentation. To access all Oracle documentation In a Web browser, go to the following URL: You may find the following reference materials especially useful: Database Concepts Installation Guide for UNIX Systems Database Administrator's Guide Backup and Recovery Concepts Recovery Manager User's Guide Advanced Security Administrator's Guide Performance Tuning Guide and Reference Oracle database for users with Oracle support licenses To access licensed Oracle customer support In a Web browser, go to the following URL: SESA Manager third-party software information Table 1-5 lists the SESA Manager middleware components and how to access online documentation for them.

53 Introducing Symantec Enterprise Security Architecture Where to get more information about SESA 53 Table 1-5 How to access SESA Manager third-party online documentation Third-party product IBM DB2 IBM DB2 Control Center IBM DB2 Command Center IBM HTTP Server IBM Key Management Utility (IKEYMAN) How to access online documentation To access IBM DB2 online documentation On the Windows taskbar, click Start > Programs > IBM DB2 > Information > DB2 Information. To access IBM DB2 Control Center online documentation 1 On the Windows taskbar, click Start > Programs > IBM DB2 > Control Center. 2 In the Control Center, on the Help menu, click Help Index, General Help, or Information Center. To access IBM DB2 Command Center online documentation 1 On the Windows taskbar, click Start > Programs > IBM DB2 > Command Center. 2 In the Command Center, on the Help menu, click Help Index, General Help, or Information Center. To access IBM HTTP Server online documentation On the Windows taskbar, click Start > Programs > IBM HTTP Server > Documentation. To access IBM IKEYMAN online documentation 1 On the Windows taskbar, click Start > Programs > IBM HTTP Server > Getting Started.In IKEYMAN, on the Help menu, click Contents. 2 In IKEYMAN, on the Help menu, click Contents.

54 54 Introducing Symantec Enterprise Security Architecture Where to get more information about SESA

55 Chapter 2 Planning for deployment This chapter includes the following topics: SESA data paths Data security and protocol Deployment guidelines SESA data paths A SESA installation includes at least one security product, one or more SESA Agents, one or more SESA Managers, one or more SESA DataStores, and a single SESA Directory. Data is passed from one component to another along specific data paths that allow for communication among components. Providing for the efficient and secure flow of data along each of these data paths is critical to an efficient SESA installation. SESA is designed to account for temporary disruption or overflow on its data communication paths. For the purposes of deployment, you can consider communications among components in terms of the following: Volume of expected data on each data path Protocols that are used on each data path Supported data flow on each data path Security needs of your organization The majority of data that is generated, processed, and collected within the SESA framework is event data. All event data includes base information such as Event Type, Date, Time, and Machine Name along with the data that is specific to the event. SESA also passes configuration data along data paths. Configurations allow you to distribute product settings to predefined groups of computers.

56 56 Planning for deployment SESA data paths SESA components transmit this data to each other, either over the network, between computers, or internally, on the same computer. Regardless of the physical locations of SESA components, data flows in a prescribed hierarchy along prescribed data paths. Not all components, however, communicate with all of the others. Depending on the operating system platform, SESA provides flexibility for a number of SESA component installation strategies. However, when you consider network data transmission, SESA component installations fall into the following types: Centralized installation: The SESA DataStore, SESA Manager, and SESA Directory are all physically located on the same computer. A centralized installation is possible only when all of the SESA components are installed on a Windows operating system. No network data transmission occurs. Distributed installation: One or more SESA components are remotely located from another SESA component or components, which results in a SESA installation across multiple computers. A distributed installation is possible in all-windows, all-solaris, or mixed-platform environments. Network data transmission occurs between the SESA components that are remotely located. In a fully distributed installation, in which each SESA component is installed on a different computer, network communication occurs for all components. In both centralized and distributed installations, communication between a security product and its SESA Agent is never over the network, because the SESA Agent and security product always reside on the same computer. SESA security products and SESA Agents The SESA Agent facilitates all SESA communications with an integrated (nonnative) or native SESA security product. The security product sends event data and requests to the SESA Agent for forwarding to the SESA Manager. Likewise, the SESA Agent pulls configuration and status data from the SESA Manager, and communicates this data to the security product. Security product to SESA Agent data path and flow Individual SESA security products integrate within the SESA framework by means of communication with the SESA Agent. A single SESA Agent can support multiple products. Figure 2-1 shows the security product to SESA Agent data channel on a single computer that is running three integrated SESA security products.

57 Planning for deployment SESA data paths 57 Figure 2-1 Security product to SESA Agent data channel Native and nonnative SESA security products SESA Agent Network data paths Because the SESA Agent always resides on the same physical computer as the product or products that it is servicing, there are no data security or network performance issues for this data path. SESA can manage any event data overflow that may occur, for example, during a network attack. Depending on how you group SESA components, a SESA installation can have as many as four network data channels for communications, as follows: SESA Agent to SESA Manager data path (SSL) SESA Manager to SESA Agent data path (not SSL) Symantec management console to SESA Manager data path SESA Manager to SESA DataStore data path SESA Manager to SESA Directory data path The SESA DataStore, SESA Directory, and SESA Manager can reside on one, two, or three computers, which results in up to two additional data channels. Figure 2-2 shows the maximum number of data channels that a SESA installation might require.

58 58 Planning for deployment SESA data paths Figure 2-2 Data channels for major SESA components Symantec management console SESA SESA Agent SESA security product Manager SESA Directory SESA DataStore SESA Agent to SESA Manager data path and flow The SESA Agent communicates with the SESA Manager by XML-encoded CIM (Common Information Model) data over HTTPS. HTTPS communication occurs on port 443 by default. The SESA Agent is a CIMOM (Common Information Model Object Manager) and uses the default CIMOM port of SESA can manage event data overflow that may occur, for example, during a network attack. Figure 2-3 shows the SESA Agent to SESA Manager data channel.

59 Planning for deployment SESA data paths 59 Figure 2-3 SESA Agent to SESA Manager data channel SESA Agent SESA SESA Agent Manager SESA Agent SESA Manager to SESA DataStore data path and flow The SESA Manager communicates with the SESA DataStore using JDBC and an IBM DB2 or Oracle driver. By default, the SESA Manager communicates with an IBM DB2 database server on port and an Oracle database server on port The SESA DataStore can receive events from multiple SESA Managers. Figure 2-4 shows the SESA DataStore to SESA Manager data channel.

60 60 Planning for deployment SESA data paths Figure 2-4 SESA DataStore to SESA Manager data channel SESA Manager SESA DataStore SESA Manager to SESA Directory data and flow The SESA Directory and SESA Manager communicate over Secure Lightweight Directory Access Protocol (LDAPS). By default, LDAPS uses port 636 for SSL communications. The SESA Manager always initiates communication with the SESA Directory. Figure 2-5 shows the SESA Directory to SESA Manager data channel.

61 Planning for deployment SESA data paths 61 Figure 2-5 SESA Directory to SESA Manager data channel SESA Manager SESA Directory Symantec management console to SESA Manager data path and flow The SESA management console uses Java applets to communicate with the SESA Manager over HTTPS. Figure 2-6 shows the Symantec management console to SESA Manager data channel.

62 62 Planning for deployment SESA data paths Figure 2-6 Symantec management console to SESA Manager data channel Symantec management console SESA Manager All data that is displayed in the Symantec management console is the result of requests from the Symantec management console to the SESA Manager. The SESA Manager passes on the appropriate requests to the SESA Directory or SESA DataStore and returns that data to the Symantec management console for display. In this sense, all data flow from the SESA Manager to the Symantec management console is constrained by the data flow from the SESA Directory and from the SESA DataStore to the SESA Manager. SESA Manager to SESA Manager communications In a SESA implementation, SESA Managers communicate with each other in much the same way that a SESA Agent communicates with SESA Managers. The data that is passed among SESA Managers includes the information that has been configured for Event Forwarding and Alert Forwarding.

63 Planning for deployment Data security and protocol 63 Event Forwarding and Alert Forwarding To provide greater flexibility in the aggregation of event data, SESA can filter events and forward them from one SESA Manager for insertion into another SESA Manager s SESA DataStore. Event Forwarding is only possible between SESA Managers that share the same SESA Directory. See Forwarding a subset of events in real time to another SESA DataStore on page 375. Note: To prevent duplicate events, do not forward events between two SESA Managers that share the same SESA DataStore. SESA data path properties Table 2-1 summarizes SESA data path properties. Table 2-1 Data path Properties of SESA data paths (for distributed installations) Protocol SESA Agent sending to a SESA Manager SESA Manager sending to a SESA Agent SESA Manager sending to a SESA DataStore SESA Directory sending to a SESA Manager Symantec management console sending to a SESA Manager XML-encoded CIM over HTTPS XML-encoded CIM over HTTP JDBC LDAPS HTTPS Data security and protocol SESA uses the Secure Sockets Layer (SSL) protocol for its network transport security. SESA Manager to SESA Agent communication is not done using SSL. However, SESA Agent to SESA Manager communication is done using SSL. In its default installation, SESA implements and enables anonymous SSL to secure communication between the SESA Manager and the following components: SESA Agent Symantec management console SESA Directory

64 64 Planning for deployment Data security and protocol Other SESA Managers After installation, you can increase SSL security to include authentication. In order of increasing data security, the levels are as follows: Anonymous, self-signed SSL (default) Authenticated, self-signed SSL Authenticated, Certificate Authority (CA)-signed SSL Anonymous SSL uses IP addresses in its self-signed certificates instead of DNS names (for example, instead of Figure 2-7 shows the IP addresses that are used and the path that data takes from the SESA security product and SESA Agent to the various SESA components. Figure 2-7 The SESA Agent uses an IP address of , , or the IP address of the local adapter SESA Agent IP addresses and security available to SESA data Communication from the SESA Manager to the SESA Agent uses the SESA Agent IP address and is not over SSL Communication from the SESA Agent to the SESA Manager is over SSL on HTTPS, and uses the SESA Manager IP address: This IP address is used on the default, anonymous, self-signed certificate SESA Manager Communication between the SESA Manager and the SESA DataStore is over JDBC: A secure connection can be established through IPSec, VPN, or a physically secure connection (SSL is enabled if the database driver provider supports it) Communication between the SESA Manager and the SESA Directory is over secure LDAP SESA Directory SESA DataStore Anonymous, self-signed SSL encrypts data and ensures data integrity, but does not provide authentication. See Changing your security configuration on page 279.

65 Planning for deployment Deployment guidelines 65 Deployment guidelines Use the following task list to plan your SESA deployment: Define how many SESA administrative domains are required. Define configuration and role groups for the network. Define event correlations that will be used by alert detection. Estimate event volume for each domain. Define failover policy and solutions for each SESA component. Determine how many SESA DataStores are required for each domain, and the amount of data you want to keep online in SESA DataStores. Determine how many SESA Managers are required for each domain. Determine how many SESA Directories are required for the target network. Determine the types and number of servers that are required. Determine SESA administration staff requirements. Define the roll-out plan.

66 66 Planning for deployment Deployment guidelines

67 Chapter 3 Before you install SESA This chapter includes the following topics: Preparing for installation System requirements Preparing third-party software on Windows platforms Preparing third-party software on Solaris platforms Preparing for installation Before you install any SESA Foundation Pack software, ensure that the computers on which SESA components will be installed are properly prepared and that you understand the logon and other information that the SESA Installation Wizard requires. Depending on which operating system platforms and how many computers you are using for your SESA installation, you will need to preinstall some third-party components and prepare some computers before you use the SESA Installation Wizard to install the SESA components. Logon accounts for SESA installation During installation, the SESA Installer prompts you to type user names and passwords for SESA infrastructure components. Table 3-1 lists the logon accounts.

68 68 Before you install SESA Preparing for installation Table 3-1 Account SESA Directory SESA Administrator Logon accounts for SESA installation Description The user name (in the form cn=<name>) and password for IBM Directory Server. This is the superuser or administrator account. The SESA Installer creates this account if you are installing IBM Directory Server for the first time. You can use up to 32 characters for the password, including embedded blank spaces. You can also use embedded blank spaces in the user name. Do not use characters from a double-byte character set (DBCS) or extended ASCII. Use this user name and password to connect to an already installed SESA Directory when you install other SESA components and perform IBM Directory Server maintenance outside of SESA. The SESA Directory account is independent of any operating system account. On Solaris platforms, the SESA Directory account is created by the root user. The user name (SESAdmin) and password (which you supply) for the default SESA Administrator account. The SESA Installer creates this account in the SESA Directory. You can use between 6 and 12 characters in the password, including embedded blank spaces. SESA can have multiple top-level, or root, administrative domains as well as multiple subdomains. An administrator who uses the SESA Administrator account to log on to the Symantec management console has access rights to all SESA administrative domains across the entire SESA environment, regardless of which SESA Manager and associated administrative domain was used for logon. Because this default account has access rights to all SESA administrative domains on every SESA Manager computer, it is typically not used as a routine logon account by administrators who are not managing the entire SESA environment. Instead, the SESA Domain Administrator account is available to top-level administrators who need access to the entire SESA Directory tree for installing SESA DataStores and SESA Managers. You can log on to the Symantec management console using the SESA Administrator account after installation without having to specify a SESA administrative domain. On Windows platforms, the SESA Administrator is not a Windows 2000 account and is independent of any Windows account. On Solaris platforms, the SESA Administrator account is created by the superuser.

69 Before you install SESA Preparing for installation 69 Account SESA Domain Administrator Description The specified user name and password of the default SESA Domain Administrator. The SESA Installer creates this account in the SESA Directory. You can use between 6 and 12 characters in the password, including embedded blank spaces. You can use up to 32 characters in the user name, including embedded blank spaces. Do not use characters from a double-byte character set (DBCS) in the user name. SESA has a single administrative domain that contains all SESAmanaged objects and to which the default SESA Domain Administrator user is granted administrative authority. This default administrator has access rights to the entire SESA administrative domain. Use the Domain Administrator name and password to log on to the SESA Manager after the SESA installation is complete. The SESA Domain Administrator is not a Windows 2000 account, and is independent of any Windows account. On Solaris platforms, the SESA Domain Administrator account is created by the superuser. SESA Secure Communications The password that is used to access the key database, the company name and company location, and the key that is used to create the selfsigned certificate. Key size is used to encrypt and decrypt the certificate key. The longer the key, the higher the security of the data. The default setting of 1024 bits is standard. You can use between 6 and 32 characters in the password, including embedded blank spaces.

70 70 Before you install SESA Preparing for installation Account SESA DataStore Web Server (Windows only) Description The user name and password of the IBM DB2 or Oracle 9i database. To manage password changes, set up a unique account. When you are installing the database on a Windows computer, the SESA Installer creates a Windows 2000 account if you are installing IBM DB2 for the first time. You can use up to 14 characters in the password, including embedded blank spaces. You can use up to 30 characters for the user name. User names can only include standard alphabetic characters, digits, and the #, and $. Do not prefix a user name with a digit, SQL, IBM, or SYS, or end it with a $. In addition, you cannot use any of the following reserved words for user names: USERS, ADMINS, GUESTS, PUBLIC, or LOCAL. Do not use characters from a double-byte character set (DBCS) or extended ASCII in either a user name or password. Use this user name and password to connect to an already installed SESA DataStore when you install other SESA components and perform database maintenance outside of SESA. On Windows platforms, as a best practice, use a local account rather than a Windows domain account. This prevents domain accounts from controlling the definition and membership of Windows groups that the DBA uses to grant DB2 privileges. The user name and password for a Windows 2000 account. These are required to install the IBM HTTP Server. If the account does not exist, it is created. This Windows 2000 account must use a password. You can use up to 32 characters in the user name or password, including embedded blank spaces. Do not use characters from a double-byte character set (DBCS) in the password. To manage password changes, set up a unique account. The Windows 2000 account user name is case-sensitive when it is used to log on to the IBM HTTP Server. As a best practice, use a local account other than the local Administrator account. Copying the SESA Foundation Pack CDs to a Solaris staging area If you are installing any SESA components on Solaris computers, you should copy the installation images of the SESA Foundation Pack CDs to a staging area on a local Solaris computer.

71 Before you install SESA Preparing for installation 71 To copy the SESA Foundation Pack CDs to a Solaris staging area 1 On the Solaris computer, insert the Solaris CD1 into the CD-ROM drive. 2 To copy the installation image on the CD, type the following command: cp -pr /cdrom/cdrom0/* /u01/solaris.cd1 You many need to create a directory first, depending on your Solaris environment. 3 Repeat steps 1 and 2 for the Solaris CD2. Securing Solaris resources and programs As a best practice, before you begin the SESA installation, make sure to secure the various programs and resources that are operating in your Solaris environment. Following is a partial list of some Solaris resources and programs that you should secure from exploitation: telnet ftp finger sadmind rusersd sprayd rstatd printer (lpd) fs (font server) In addition, the Oracle database server sets up default passwords that are known to all Oracle users. The default password for the user SYMCMGMT is password. As a best practice, change these default passwords to secure your Oracle database.

72 72 Before you install SESA Preparing for installation Disabling unnecessary services Any time that Windows 2000 services are running and not being used, they become potential security risks. The best policy is to turn off unused services. By default, SESA sets the following services to manual at installation: DB2 Remote Command DB2 Security Server The IBM HTTP Administration program allows you to configure the IBM HTTP Server (Web Server) remotely using an Internet browser and is set to run as a service by the installation program. You may want to change the IBM HTTP Administration program to manual start for security reasons, but this program must be running before you can remotely configure the IBM HTTP Server. To disable unnecessary services 1 On the computer on which you installed IBM DB2 Universal Database Workgroup Edition or IBM DB2 Universal Database Personal Edition, on the Windows taskbar, click Start > Settings > Control Panel. 2 In the Control Panel window, double-click Administrative Tools. 3 In the Administrative Tools window, double-click Services. 4 In the Services dialog box, stop the service. 5 Change the Startup Type for the service to Manual. 6 Close the Services dialog box. IBM DB2 library directory ownership Avoiding port conflicts IBM has released a warning about potential security vulnerabilities in IBM DB2 v7.1 and v8.1. The suggested solution per Security Wire Digest vol. S, No. 62, dated August 18, 2003 is to change group ownership on some of the IBM DB2 libraries. However, the computers will not have interactive users and the installation of SESA is performed by superuser. Therefore, you should not change the ownership or group ownership as suggested. On computers on which you plan to install a SESA Manager or SESA Directory, ensure that any Web servers that are running on the computers do not listen on port 443. The IBM Directory Server, which is a component used by the SESA Manager and SESA Directory, listens on port 443.

73 Before you install SESA Preparing for installation 73 In addition, the SESA Installation Wizard requires that you supply a listening port for the SESA DataStore. The SESA Installation Wizard changes the IBM DB2 or Oracle 9i database server listening port to whatever you specify. By default, port is specified on Windows computers. Port 1521 is specified on Solaris computers. Ensure that no other application is using the same port. Additionally, if you currently have another application that is communicating with IBM DB2 or Oracle 9i, ensure that it is using the specified listening port. By default, SESA Agents use the CIMOM port, 5998, as well as port 8086; you can change these port assignments when you configure the SESA Agents. Local administrative privileges on the installation computer On Windows computers, SESA requires that you install the SESA software under a local administrator s account. Ensure that you log on to the computer on which you run the SESA Installation Wizard as a local administrator for that computer. Warning: The user name for the local administrator account must not include any spaces, or the SESA Directory does not install properly. For example, the user name FirstName_LastName is acceptable, while FirstName LastName is not. On Solaris computers, SESA requires that you become superuser on the computer on which you are installing a SESA component. If you are initiating a Telnet session from a remote computer, you can connect to the installation computer using regular user privileges, and then switch to superuser after the connection across the network is made. See Connecting to a remote Solaris computer and exporting its display on page 135. System time on the installation computer Ensure that the system time of the computer from which you run the SESA Installation Wizard is no more than 24 hours behind the system time of the computer or computers to which you plan to install the SESA components. If this is not the case, the SESA Directory connection will fail and you may encounter problems with default SESA SSL authentication. SESA uses a default, self-signed SSL certificate with an expiration date that requires the time synchronization.

74 74 Before you install SESA Preparing for installation Using static IP addresses If you are using the anonymous SSL self-signed certificates in Solaris and Windows environments, install the SESA Manager on computers that have static IP addresses. If you find that you must change the IP address of a SESA Manager or SESA Directory computer, the SESA Manager and SESA Directory computer or computers will require reconfiguring to enable SESA to use the new IP address. See Reconfiguring the SESA Directory computer after an IP address change on page 322. See Reconfiguring the SESA Manager computer to use a new IP address on page 394. Locations of installation computers If you are installing a SESA component on a Windows computer, you must be physically located at the computer to perform the installation. SESA does not support installations via terminal services on Windows computers. If you are installing a SESA component on a Solaris computer, you can be either physically located at the Solaris computer or remotely located at another Solaris computer. You should copy the SESA Foundation Pack Solaris CD set to a staging area that is accessible from your installation computer. See Copying the SESA Foundation Pack CDs to a Solaris staging area on page 70. See Connecting to a remote Solaris computer and exporting its display on page 135. Installation drives and volumes Regardless of the drive that you choose for a SESA installation, make sure that 20 MB of free disk space is available on the operating system drive of the computer. SESA always installs 20 MB of operating system and other environment files to the default system drive of the installation computer. Windows drives As a best practice in Windows environments, install the SESA Manager, SESA DataStore, and SESA Directory to NTFS drives to ensure security. In addition, certain processes are faster under NTFS rather than FAT32. Because of FAT32 file system limitations, the maximum size for the SESA DataStore is 8 GB under FAT32. Installation fails if a size larger than 8 GB is specified. To specify a SESA DataStore larger than 8 GB, use NTFS.

75 Before you install SESA Preparing for installation 75 On Windows 2000 computers, you cannot install SESA to encrypted folders or compressed drives or the installation fails. Solaris volumes Installation directories As a best practice in Solaris environments, avoid installing SESA components on NFS volumes. If you install SESA software to an NFS volume, permissions to files on the NFS volume are not properly configured for SESA to run without encountering problems. When you install SESA, the SESA Installation Wizard requires you to supply a location for the SESA Working Directory and for the SESA Manager logs. On Windows computers, the default location is C:\SESA. On Solaris computers, the default location is /opt/symantec/sesa. You can specify the same or different locations for these directories depending on your needs For optimal performance, the installation location should not be on the same drive as the operating system. Ensure that this directory is not read-only; otherwise, SESA does not have write access to necessary files. The SESA Installation Wizard also requires you to supply a temporary location for installation files, after which SESA deletes them. Ensure that the location that you specify has at least 75 MB of hard disk space available. The Browse dialog box in which you locate a temporary folder contains two icons: a folder and a solid circle. The solid circle identifies a folder that has no sub-folders. SESA installations behind firewalls Disabling standby mode If you plan to install the SESA Manager behind a firewall or gateway, the SESA Installation Wizard does not detect whether the Sun Java Development Kit (SDK) is previously installed and consequently cannot prompt you to install it. If you complete the SESA installation without first installing the SDK, you will not be able to access the Symantec management console. Therefore, always ensure that the SDK 1.3.1_09 is installed on computers on which a SESA Manager is to be installed, particularly when the computer is behind a firewall or gateway. Disable standby mode on any Windows or Solaris computer on which you are installing the SESA Manager, SESA Directory, or SESA DataStore. These

76 76 Before you install SESA Preparing for installation components cannot make contact with or be contacted by the necessary SESA components when standby mode is enabled. Avoiding Microsoft Internet Information Server conflicts Before you install the SESA Manager on a Windows computer that is also hosting Microsoft Internet Information Server (IIS), ensure that the WWW Publishing Service is stopped in the Services Control Panel. If you plan to run Microsoft IIS on the same computer as the SESA Manager, after you install the SESA Manager, make sure to configure IIS to listen on a port other than 443. For information on configuring Windows services and Microsoft IIS, see your Microsoft Windows and Microsoft Internet Information Server documentation. SESA and non-english languages In SESA installations that use non-english languages, you must install a SESA Manager in a single, non-english target language. English is always installed. If you install non-english native and non-native SESA security products, you must install them in the same language as the SESA Manager. However, you can install an English-only security product on any non-english SESA Manager. Typically, SESA logs events in a language-independent format by using tokens to represent event data. The language of the SESA Manager installation determines how the event data is displayed. The tokenized event data appears in the language of the user who is currently logged on, which is defined when the user is created. You can only create new users for the one non-english language that the SESA Manager may support or English. At any time that event data cannot be displayed in a non-english language, it is displayed in English. For example, a French SESA Manager is only French and English. A German SESA Manager is only German and English. A French SESA Manager can only create new users that have a preferred language of French or English. A French security product cannot be installed to a German SESA Manager. If a French SESA Manager is installed, a user whose preferred language is French will see the tokenized event data in French. An English user will see that same data in English. Warning: When you install the SESA Directory on a Solaris computer that uses a UTF-8 language locale, the installation fails. IBM Directory Server does not support the UTF-8 locale for any language.

77 Before you install SESA Preparing for installation 77 Installation CD layout SESA installation is divided among four CDs. One set of two CDs contains the SESA Foundation Pack for Windows platforms, while the other set contains the SESA Foundation Pack for Solaris platforms. Windows CD set The Windows CD set contains the following CDs: CD1: SESA 2.0 WINDOWS MANAGER (Volume ID is SESAWIN1MGR) This CD contains the following directories: ACROBAT: Contains Adobe Acrobat Reader software for Windows, Solaris, and Linux platforms AGENT: Contains the necessary components to install the SESA Agent DOCS: Contains documentation for the SESA product MANAGER: Contains the necessary components to install the SESA Manager OPENSRC: Contains installation open source files (LDAP SDK, SNMP, and CIMOM) RSPFILES: Contains silent installation response files for IBM DB2 Personal Edition SIPI: Contains some of the necessary components for integrating Symantec and other security products with SESA UTILS: Contains Windows 32-bit LiveUpdate and redistributed thirdparty components (J2RE, SDK, JSSE, IBM HTTP, Apache Tomcat, and Microsoft DLLs) UTILS/DBTOOLS: Contains scripts and batch files to maintain and optimize database performance, and a SESA Data Maintenance Tool to purge, copy, and move data UTILS/MIB: Contains SESA SNMP trap definition files CD2: SESA 2.0 WINDOWS DIRECTORY AND DATASTORE (Volume ID is SESAWIN2DIRDB) This CD contains the necessary components to install the IBM Directory Server, IBM DB2 Database Personal Edition (for demonstration or test installations), and product documentation.

78 78 Before you install SESA System requirements Solaris CD set System requirements The Solaris CD set contains the following CDs: CD1: SESA 2.0 SOLARIS SESA MANAGER (Volume ID is SESASOL1MGR) This CD contains the following directories: ACROBAT: Contains Adobe Acrobat Reader software for Windows, Solaris, and Linux platforms AGENT: Contains the necessary components to install the SESA Agent DOCS: Contains documentation for the SESA product MANAGER: Contains the necessary components to install the SESA Manager OPENSRC: Contains installation open source files (LDAP SDK, SNMP, and CIMOM) ORACLE: Contains the necessary components to configure the Oracle 9i database server SIPI: Contains some of the necessary components for integrating Symantec and other security products with SESA UTILS: Contains redistributed third-party components (J2RE, SDK, JSSE, IBM HTTP, Apache Tomcat, and Microsoft DLLs) UTILS/TOOLS: Contains scripts and batch files to maintain and optimize database performance, and a SESA Data Maintenance Tool to purge, copy, and move data UTILS/MIB: Contains SESA SNMP trap definition files CD2: SESA 2.0 SOLARIS DIRECTORY (Volume ID is SESASOL2DIR) This CD contains the necessary components to install the IBM Directory Server, the accompanying IBM DB2 Enterprise Edition, and product documentation. Before you install SESA, ensure that the computers on which you will install SESA software meet the necessary requirements. SESA supports a number of installation configurations. It has the following system requirements and supported third-party software: Minimum requirements to install all SESA components on a single Windows computer Minimum requirements for a SESA Directory computer Supported third-party software for the SESA Directory

79 Before you install SESA System requirements 79 Minimum requirements for the SESA DataStore computer Supported third-party software for the SESA DataStore Minimum requirements for the SESA Manager computer Supported third-party software for the SESA Manager Minimum requirements and supported third-party software for a remote Symantec management console Minimum requirements and supported third-party software for a SESA Agent If you are installing more than one component on a single computer, you can increase the system requirements accordingly. Note: The minimum system requirements for SESA are applicable for demo or evaluation deployments of SESA only. For an enterprise production deployment, the hardware requirements are significantly higher. On Windows platforms, the RunAsService service must be enabled and running during the SESA installation. You can disable the service after installation, if desired. Warning: Do not install SESA components on a computer that is also functioning as an Active Directory Domain Controller, or the SESA installation does not run properly. Supported installation configurations The SESA Manager, SESA DataStore, and SESA Directory can run on either Windows or Solaris operating systems. You can install SESA components on all Windows computers, all Solaris computers, or a combination of both. If you are using Oracle 9i as the database for the SESA DataStore, you must install it on a dedicated Solaris computer that is separate from the SESA Manager and SESA Directory. You can install the SESA Manager and SESA Directory on either Solaris or Windows computers, as necessary. If you are using IBM DB2 as the database for the SESA DataStore, you can install the SESA Manager, SESA DataStore, and SESA Directory on one, two, or three Windows computers. SESA also supports a SESA DataStore on a Windows computer while a SESA Manager and SESA Directory are installed on either Solaris or Windows computers. However, organizations with high-volume, high-performance, or otherwise large networking environments should install each SESA component on a separate computer, regardless of the operating system. If resource limitations

80 80 Before you install SESA System requirements make separate computers impossible, or network size and traffic allow, you can install two SESA components on one computer. Typically, you install all three SESA components on the same Windows computer for testing purposes only. Table 3-2 lists the various combinations of operating system platforms on which you can install the SESA Directory, SESA DataStore, and SESA Manager to set up a single SESA installation. Table 3-2 Supported variations of SESA installations Installation configuration Description of installation SESA Manager OS SESA DataStore OS SESA Directory OS Express installation (Demonstration and testing purposes only) Use one Windows computer for all three SESA components. IBM DB2 Personal Edition, which is provided on the SESA Foundation Pack CD, is installed as the SESA DataStore software. This type of configuration is for testing and demonstration installations only. IBM DB2 Personal Edition is not robust enough to handle a fullproduction SESA installation. Windows Windows Windows All Windows Use one, two, or three Windows computers. An IBM DB2 Universal database must be used for the SESA DataStore. IBM DB2 Universal databases are not included on the SESA Foundation Pack CD set. If the SESA DataStore and SESA Manager are installed on different computers, the IBM DB2 Runtime Client must be installed on the SESA Manager computer as well to support a remote connection between the SESA Manager and SESA DataStore. Windows Windows Windows All Solaris Use two or three Solaris computers. A dedicated Solaris computer that is running Oracle 9i must be used for the SESA DataStore. To support the IBM Directory Server 4.1 on a Solaris platform and the connection to the SESA DataStore, a supported IBM DB2 database (Workgroup or Enterprise Edition version 7.1 or later with FixPak 5) must be installed before installing the SESA Directory. IBM DB2 Enterprise Edition is provided on the SESA Foundation Pack Solaris CD2. Solaris Solaris (dedicated computer) Solaris

81 Before you install SESA System requirements 81 Installation configuration Mixed platforms 1: SESA Directory on Solaris Description of installation Use one Solaris computer for the SESA Directory. Use one or two Windows computers for the SESA Manager and SESA DataStore, as resources and network topology dictate. IBM DB2 Workgroup Edition, Enterprise Edition, or Enterprise Extended Edition must be used for the SESA DataStore. The IBM DB2 Enterprise Edition (provided on Solaris CD2) must be installed on the same computer as the SESA Directory to support the IBM Directory Server 4.1 and the connection to the SESA DataStore. In addition, if the SESA DataStore and SESA Manager are installed on different Windows computers, the IBM DB2 Runtime Client must be installed on the SESA Manager computer to support a remote connection between the SESA Manager and SESA DataStore. SESA Manager OS SESA DataStore OS SESA Directory OS Windows Windows Solaris Mixed platforms 2: SESA DataStore on Solaris One Solaris computer running Oracle 9i is required for the SESA DataStore. One or two Windows computers are used for the SESA Manager and SESA Directory. Windows Solaris Windows Mixed platforms 3: SESA Manager on Solaris One Solaris computer is used for the SESA Manager. One or two Windows computers are used for the SESA DataStore and SESA Directory. An IBM DB2 Universal database must be used for the SESA DataStore. IBM DB2 Universal databases are not included on the SESA Foundation Pack CD set. The IBM Runtime Client must be installed on the SESA Manager computer to support a remote connection to the SESA DataStore. Solaris Windows Windows Mixed platforms 4: SESA Manager on Windows One dedicated Solaris computer that is running Oracle 9i is required for the SESA DataStore. One Windows computer is used for the SESA Manager. Another Solaris computer is used for the SESA Directory. To support the IBM Directory Server 4.1 on a Solaris platform and the connection to the SESA DataStore, a supported IBM DB2 database (Workgroup or Enterprise Edition version 7.1 or later with FixPak 5) must be installed before installing the SESA Directory. IBM DB2 Enterprise Edition is provided on the SESA Foundation Pack Solaris CD2. Windows Solaris (dedicated computer) Solaris

82 82 Before you install SESA System requirements Installation configuration Description of installation SESA Manager OS SESA DataStore OS SESA Directory OS Mixed platforms 5: SESA DataStore on Windows One Solaris computer is used for the SESA Manager. Another Solaris computer is used for the SESA Directory. An IBM DB2 Universal database must be used for the SESA DataStore. IBM DB2 Universal databases are not included on the SESA Foundation Pack CD set. IBM DB2 Enterprise Edition (provided on Solaris CD2) must be installed on the same computer as the SESA Directory to to support the IBM Directory Server 4.1 and the connection to the SESA DataStore. In addition, the IBM Runtime Client must be installed on the SESA Manager computer to support a remote connection to the SESA DataStore. Solaris Windows Solaris Mixed platforms 6: SESA Directory on Windows One dedicated Solaris computer that is running Oracle 9i is required for the SESA DataStore. Another Solaris computer is used for the SESA Manager. One Windows computer is used for the SESA Directory. Solaris Solaris (dedicated computer) Windows Minimum requirements to install all SESA components on a single Windows computer If you are installing all of the SESA components on a single, Windows computer, for example, in an express installation, the computer must meet the following minimum system requirements: Windows 2000 Server/Advanced Server with Service Pack 3 or later and the latest Microsoft security patches Intel Pentium-compatible 1 GHz or higher processor 256-color video adapter for installation Microsoft IIS services stopped prior to installation Physical access to a computer with no applications or components other than SESA and associated third-party software installed on it 1 GB of RAM minimum 3.5 GB of free hard disk space minimum plus extra space for event data TCP/IP communications enabled Transport Layer Security (TLS) version 1.0 or Secure Sockets Layer (SSL) version 3.0 or 3.1 enabled

83 Before you install SESA System requirements 83 Minimum requirements for a SESA Directory computer Table 3-3 lists the minimum system requirements for a single Windows or Solaris computer to support a SESA Directory installation. Table 3-3 SESA Directory minimum system requirements Installation platform Requirements Solaris and Windows computers Physical access to a computer with no applications or components other than SESA and associated third-party software installed on it 256 MB of RAM minimum 1 GB of free hard disk space minimum (of which 200 MB is required for the SESA Directory program and swap files) An additional 5 to 15 MB of hard disk space per managed security product instance (see your product system requirements for precise hard disk space requirements) TCP/IP communications enabled Transport Layer Security (TLS) version 1.0 or Secure Sockets Layer (SSL) version 3.0 or 3.1 enabled Solaris computer only Sun Solaris 8 (64-bit) with the latest recommended security patches from Sun, including patches , , , and You can download this patch from sunsolve.sun.com. UltraSPARC II 500 MHz or higher processor Windows computers only Windows 2000 Server/Advanced Server with Service Pack 3 or later and the latest Microsoft security patches Intel Pentium-compatible 1 GHz or higher processor 256-color video adapter for installation Microsoft IIS services stopped prior to installation of the SESA Directory Supported third-party software for the SESA Directory The third-party software components for the SESA Directory that are listed in Table 3-4 are supported by the SESA Foundation Pack. Except as indicated, the third-party software is provided on the SESA Foundation Pack CDs.

84 84 Before you install SESA System requirements Table 3-4 SESA Directory supported third-party software Third-party software Platform Description Sun Java Runtime Environment (J2RE) 1.3.1_09 IBM Directory Server with FixPak 1 IBM Directory Server 4.1 with FixPak 1 IBM Apache HTTP server, version IBM DB2 Personal Edition 7.2 with FixPak 5 Windows and Solaris Windows Solaris Windows and Solaris Windows Required and included with the SESA Foundation Pack. J2RE can be installed on its own or as part of the Sun Java Development Kit (SDK). Java Runtime Environment 1.2.2_008 through 1.4.1_02 are supported. Required and included with the SESA Foundation Pack. Underlying software for the SESA Directory on Windows computers. Required and included with the SESA Foundation Pack. Underlying software for the SESA Directory on Solaris computers. Required and included with the SESA Foundation Pack. Used for SESA Agent-to- SESA Manager communications. Included with the SESA Foundation Pack. Used by the SESA Directory if the SESA DataStore is not installed on the same computer. Intended for non-production installations only. You have the option of using other IBM DB2 editions, which are not included with the SESA Foundation Pack.

85 Before you install SESA System requirements 85 Third-party software Platform Description One of the following IBM DB2 Universal databases if IBM DB2 Personal Edition is not used: IBM DB2 Workgroup Edition 7.2 with FixPak 5 IBM DB2 Enterprise Edition 7.2 with FixPak 5 IBM DB2 Enterprise Extended Edition 7.2 with FixPak 5 IBM DB2 Enterprise Edition 7.2 with FixPak 5 Windows Solaris Optional, but not included with the SESA Foundation Pack. Used by the SESA Directory if the SESA DataStore is not installed on the same computer. The three supported variations of IBM DB2 Enterprise Extended Edition are as follows: Single-partition database server: The SESA Installer detects and installs SESA components with the database. Instance-owning database partition server: The SESA Installer detects and installs SESA components with the database. Be sure to install IBM DB2 Enterprise Extended Edition under a Domain Administrator account, and create a local administrator account with the same name in the IBM DB2 Installation Wizard. SESA installation does not support new nodes on existing partitioned IBM DB2 Enterprise Extended Edition database servers. Included with the SESA Foundation Pack. Used by the SESA Directory if the SESA DataStore is installed on a Solaris computer. This edition cannot be used as the SESA DataStore. Minimum requirements for the SESA DataStore computer Table 3-5 lists the minimum system requirements for a single Windows or Solaris computer to support a SESA DataStore installation.

86 86 Before you install SESA System requirements Table 3-5 SESA DataStore minimum system requirements Installation platform Requirements Solaris and Windows computers Physical access to a computer with no applications or components other than associated third-party software installed on it. On Windows computers, other SESA components can also be installed with the SESA DataStore. Additional disk space for database event entries, depending on the number and type of managed security products. As a guide, to maintain one month of SESA DataStore security event data, 750 KB (for example, for an antivirus product) to 35 GB (for example, for a firewall product) of hard disk space should be allocated per managed security product instance. Disk space requirements may increase significantly depending on the number of events that are received by the SESA DataStore and the length of time that they are stored. For high-load environments, post-installation tasks for the database server should be completed. This increases the recommended minimum system memory and hard disk requirements. TCP/IP communications should be enabled. Solaris computer only Sun Solaris 8 (64-bit) with the latest cluster patch from Sun. You can download this patch from sunsolve.sun.com. UltraSPARC II 500 MHz or higher processor. 512 MB of memory minimum. 3.5 GB of free disk space minimum for SESA DataStore program files and swap space in addition to space for event entries. Existing installation of Oracle 9i.

87 Before you install SESA System requirements 87 Installation platform Requirements Windows computers only Windows 2000 Server/Advanced Server with Service Pack 3 and the latest Microsoft security patches. 256 MB of RAM minimum. Intel Pentium-compatible 1 GHz or higher processor. 256-color video adapter for installation. Existing installation of a supported IBM DB2 Universal database. 1.5 GB of free disk space minimum for SESA DataStore program files and swap space in addition to space for event entries. Supported third-party software for the SESA DataStore The third-party software components that are listed in Table 3-6 are required for a SESA DataStore-only installation of SESA on a single computer. Except where indicated, the third-party software is provided on the SESA Foundation Pack CDs. Table 3-6 SESA DataStore supported third-party software Third-party software Platform Description Sun Java Runtime Environment (J2RE) 1.3.1_09 Oracle 9i version 9.01 (Release 1, 32-bit version) to (Release 2, 64-bit version) Windows and Solaris Solaris Required and included with the SESA Foundation Pack. J2RE can be installed on its own or as part of the Sun Java Development Kit (SDK). Java Runtime Environment 1.2.2_008 through 1.4.1_02 are supported. Not included in the SESA Foundation Pack. Used as the underlying software for the SESA DataStore. Oracle 9i must reside on a dedicated Solaris computer.

88 88 Before you install SESA System requirements Third-party software Platform Description IBM DB2 Personal Edition 7.2 with FixPak 5 One of the following IBM DB2 Universal databases if IBM DB2 Personal Edition is not used: IBM DB2 Workgroup Edition 7.2 with FixPak 5 IBM DB2 Enterprise Edition 7.2 with FixPak 5 IBM DB2 Enterprise Extended Edition 7.2 with FixPak 5 Windows Windows Included with the SESA Foundation Pack. Intended for nonproduction SESA DataStores only. The SESA Manager must be installed on the same computer because the Personal Edition database can only support a single processor. In addition, it only has a 2 GB storage limit. You can use other IBM DB2 editions, which are not included with the SESA Foundation Pack. Optional, but not included with the SESA Foundation Pack. Used as the underlying software for the SESA DataStore in production environments. Minimum requirements for the SESA Manager computer Table 3-7 lists the minimum system requirements for a single Windows or Solaris computer to support a SESA Manager installation. Table 3-7 SESA Manager minimum system requirements Installation platform Requirements Solaris and Windows computers Transport Layer Security (TLS) version 1.0 enabled or Secure Sockets Layer (SSL) version 3.0 or 3.1 enabled TCP/IP communications enabled

89 Before you install SESA System requirements 89 Installation platform Requirements Solaris computer only Sun Solaris 8 (64-bit) with the latest cluster patch from Sun You can download this patch from sunsolve.sun.com. Physical access to a computer with no applications or components other than associated third-party software installed on it UltraSPARC II 500 MHz or higher processor 256 MB of memory minimum 1 GB of free disk space minimum for SESA Manager program files and swap space Windows computers only Windows 2000 Server/Advanced Server with Service Pack 3 and the latest Microsoft security patches Physical access to a computer with no applications or components other than associated third-party software installed on it Intel Pentium-compatible 1 GHz or higher processor 256 MB of RAM minimum 1 GB of free disk space minimum for SESA Manager program files and swap space 256-color video adapter for installation Supported third-party software for the SESA Manager The third-party software components that are listed in Table 3-8 are required for a SESA Manager-only installation of SESA on a single computer. Except where indicated, the third-party software is provided on the SESA Foundation Pack CDs.

90 90 Before you install SESA System requirements Table 3-8 SESA Manager supported third-party software Third-party software Platform Description Sun Java Development Kit (SDK)/Sun Java Runtime Environment (J2RE) 1.3.1_09 IBM Apache HTTP server version Apache Tomcat 4.03 Servlet/JSP container IBM DB2 Runtime client 7.2 with FixPak 5 Solaris and Windows Solaris and Windows Solaris and Windows Solaris and Windows Required and included with the SESA Foundation Pack. The SDK is used with the Symantec management console to access the SESA Manager. The J2RE is used to install SESA components and for SESA processing. Sun Java Development Kit (SDK)/Sun Java Runtime Environment (J2RE) 1.3.1_02 are supported but are not included. Required and included with the SESA Foundation Pack. Used for SESA Agent-to-Manager communications. Required and included with the SESA Foundation Pack. Used for SESA Manager processing. Not included with the SESA Foundation Pack CD set. Used when the SESA Manager on Windows or Solaris must connect remotely with an IBM DB2 Universal database (the SESA DataStore on Windows). Minimum requirements and supported third-party software for a remote Symantec management console Table 3-9 lists the minimum system requirements and supported third-party software for the Symantec management console. Table 3-9 Symantec management console minimum system requirements and supported third-party software Installation platform Requirements All supported platforms Scripting and Java Virtual Machine (JVM) enabled in the Internet browser 256-color video adapter (1024 x 768 minimum resolution) TCP/IP communications enabled Transport Layer Security (TLS) version 1.0 enabled or Secure Sockets Layer (SSL) version 3.0 or 3.1 enabled

91 Before you install SESA System requirements 91 Installation platform Requirements Windows 98 or later Microsoft Internet Explorer 5.5 or 6.0 with Service Pack 2 or Netscape Navigator 7.0x with the latest security patches applied Sun Java Runtime Environment (J2RE) 1.3.1_02 or 1.3.1_09 Intel Pentium-compatible 400 MHz processor or higher 64 MB of RAM minimum Solaris 7 or later Netscape Navigator 7.0x with the latest security patches applied Sun Java Runtime Environment (J2RE) Sun Solaris UltraSPARC II or higher processor 128 MB of memory minimum Red Hat Linux 6.2/7.0/ 7.1/7.2 or later Netscape Navigator 7.0x with the latest security patches applied Sun Java Runtime Environment (J2RE) 1.3.1_02 or 1.3.1_09 Intel Pentium-compatible 233 MHz processor or higher 64 MB of RAM minimum Minimum requirements and supported third-party software for a SESA Agent A SESA Agent that is running on a computer that does not also host the SESA Manager requires J2RE (version 1.2.2_008 to 1.3.1_09). Table 3-10 lists the minimum system requirements and supported third-party software for a SESA Agent.

92 92 Before you install SESA System requirements Table 3-10 SESA Agent minimum system requirements and supported thirdparty software Installation platform Requirements All supported platforms 32 MB of memory in addition to the minimum system requirements for the operating system 40 MB of free disk space for SESA Agent program files TCP/IP communications enabled Any remaining hardware requirements imposed by the security product, Symantec Event Manager, Symantec Event Collector, Relay, or Bridge being managed by the SESA Agent For more information on system requirements, see the product documentation. Windows NT 4.0 with Service Pack 6a/2000 Server with Service Pack 3 or 4/2000 Advanced Server with Service Pack 3 or 4/2000 Professional with Service Pack 3 or 4/ XP/2003 Server (.NET) Solaris 7/8/9 (32-bit or 64- bit) Intel Pentium-compatible 133 MHz processor or higher Sun Java Runtime Environment (J2RE) 1.3.1_09 recommended (included with the SESA Foundation Pack) Sun Java Runtime Environment (J2RE) 1.2.2_008 to 1.4.1_02 are supported but not included with the SESA Foundation Pack. Sun Solaris UltraSPARC or higher processor Sun Java Runtime Environment (J2RE) 1.3.1_09 recommended (included with the SESA Foundation Pack) Sun Java Runtime Environment (J2RE) 1.2.2_008 to 1.4.1_02 are supported but not included with the SESA Foundation Pack. The 32-bit and 64-bit versions of J2RE 1.4.1_02 are supported. Red Hat Linux 7.2/7.3 Intel Pentium-compatible 133 MHz processor or higher Sun Java Runtime Environment (J2RE) 1.3.1_09 recommended (included with SESA Foundation Pack) Sun Java Runtime Environment (J2RE) 1.2.2_008 to 1.4.1_02 are supported but not included with the SESA Foundation Pack.

93 Before you install SESA Preparing third-party software on Windows platforms 93 Preparing third-party software on Windows platforms Table 3-11 lists the tasks that you must complete to prepare third-party software on Solaris platforms depending on the SESA component that you are installing. Table 3-11 Tasks to prepare third-party software on Solaris platforms SESA component All SESA components SESA DataStore Task SESA requires the Sun Java Development Kit (SDK) version 1.3.1_09 for SESA Managers that are installed on Solaris computers. SESA Directories and SESA DataStores require only the Java Runtime Environment (J2RE), which is a part of the SDK. See Installing the Sun Java Development Kit on Windows on page 93. In all production environments, you must install a supported version of IBM DB2 database server before you install the SESA DataStore. See Installing a supported version of the IBM DB2 database on page 94. If you are installing over an existing IBM DB2 database, make sure the existing version was installed as a typical version and not a compact version. SESA does not support compact IBM DB2 database versions. Regardless of the IBM DB2 database edition that you install, ensure that IBM DB2 services are set to automatic startup in the Windows Services Control Panel before you install the SESA DataStore and SESA Manager. If you do not, the installation fails. Installing the Sun Java Development Kit on Windows SESA requires the Sun Java Development Kit (SDK) version 1.3.1_09 (program files only). You must install the SDK 1.3.1_09 on any computer on which the SESA Manager is going to be installed. The Java Runtime Environment (J2RE) is included in the SDK. All computers that run SESA components other than the SESA Manager require the J2RE. If the SDK is already installed, you can initiate an installation of the SDK again, if necessary.

94 94 Before you install SESA Preparing third-party software on Windows platforms On Windows platforms, the SDK automatically installs with the default Java Trust Store password. Password requirements at your organization may require you to modify the Java Trust Store password after it is installed. See Changing the Java Trust Stores default password on page 401. To install the Sun Java Development Kit (SDK) on a Windows computer 1 To start the SESA Installation Wizard, locate the folder that contains the SESA installation files, and then double-click CDStart.exe. 2 Click Install SDK 1.3.1_09. The SESA Manager requires at least the SDK program files. All other SESA components require only the J2RE, which is installed with the SDK. Installing the Java Runtime Environment on Windows All computers that run SESA components other than the SESA Manager require the Java Runtime Environment (J2RE). When you use the SESA Installation Wizard to install the SDK, the J2RE is also installed. However, you can also install the J2RE without the accompanying SDK files. J2RE version 1.3.1_09 is located on the SESA Foundation Pack Windows CD1. SESA also supports JRE 1.3.1_02, which is not included on the CD. To install the Java Runtime Environment on a Windows computer 1 On the SESA component computer, insert the SESA Foundation Pack CD1 into the CD-ROM drive. 2 Change to the drive that is running the CD. 3 Navigate to the UTILS/JRE directory. 4 In the UTILS/JRE directory, double-click j2re-1_3_1_09-i586-i.exe. 5 Follow the on-screen instructions to complete the J2RE installation. Installing a supported version of the IBM DB2 database Unless you are installing SESA in a nonproduction environment, you will most likely want to install the underlying IBM DB2 database before you run the SESA Installation Wizard. The SESA Foundation Pack supports, but does not include, the following IBM DB2 databases: IBM DB2 Workgroup Edition 7.2 with FixPak 5 IBM DB2 Enterprise Edition 7.2 with FixPak 5 IBM DB2 Enterprise Extended Edition 7.2 with FixPak 5

95 Before you install SESA Preparing third-party software on Windows platforms 95 For nonproduction and test environments, the SESA Foundation Pack also supports IBM DB2 Personal Edition 7.2 with FixPak 5. This database version comes with the SESA Foundation Pack. However, the database has a 2-GB storage limit, and it only supports a single processor. The single-processor limitation requires you to install the SESA Manager on the same computer as IBM DB2 Personal Edition. Install a supported version of the IBM DB2 database After you install the IBM DB2 database, you must run the Usejdbc2 batch file on the computer and then restart the computer before you log on to the Symantec management console. The batch file instructs the SESA Manager, if it is installed on the computer, to use the JDBC2 driver instead of the JDBC1 driver. If you do not run the batch file, you will not be able to access the Symantec management console after you install SESA. To install IBM DB2 using the IBM DB2 installation wizard 1 On the Windows computer on which you want to install the IBM DB2 database, change directories to the IBM DB2 installation media. 2 Run the IBM DB2 installation wizard. 3 To begin the installation, follow the on-screen instructions. 4 When a wizard panel prompts you to select a type of IBM DB2 installation, click Typical. If you install a compact version, the wizard does not install certain database tools that SESA requires to operate. 5 When a wizard panel prompts you to specify a database administrator user name and password, type the user name and password of the SESA DataStore account. See Logon accounts for SESA installation on page To complete the software installation and exit the wizard, click Finish. To configure JDBC for the IBM DB2 database 1 On the computer on which the IBM DB2 database is installed, on the Windows taskbar, click Start > Programs > Administrative Tools > Services. 2 In the Services window, scroll down, right-click DB2 JDBC Applet Server, and then click Stop. 3 Right-click DB2 - DB2 service, and then click Properties. 4 In the Properties dialog box, on the General tab, in the Startup Type dropdown list, click Automatic.

96 96 Before you install SESA Preparing third-party software on Windows platforms 5 Click Apply. 6 Close the Services window. 7 In Windows Explorer, navigate to the Java12 directory in the IBM DB2 installation path. The default location is \Program Files\Sqllib\Java12. 8 Double-click Usejdbc2.bat. An Inuse file appears, which indicates the Usejdbc2 is now running. 9 Restart the computer. Installing an IBM DB2 Runtime Client on a Windows computer If you are using an IBM DB2 Universal database server as the SESA DataStore, and are installing it remotely from the SESA Manager, IBM DB2 software requires that an IBM DB2 Runtime Client 7.2 with FixPak 5 be installed on the SESA Manager computer to support the remote database connection. The IBM DB2 Runtime Client for Windows platforms is available to IBM DB2 Universal database server users. It is not included with the SESA Foundation Pack CD set. The IBM DB2 Runtime Client with FixPak 5 must be installed on the SESA Manager computer before you install the SESA Manager. Install an IBM DB2 Runtime Client on a Windows computer To install the IBM DB2 Runtime Client on a Windows computer, you perform the following tasks: Run the IBM DB2 Runtime Client Setup wizard to install the client software. Configure JDBC to use the Runtime Client. To install an IBM DB2 Runtime client 7.2 with FixPak 5 on a Windows computer 1 On the SESA Manager computer, copy and paste the IBM DB2 Runtime Client 7.2 to a temporary directory. 2 Change directories to the location of the IBM DB2 Runtime Client Setup program. 3 Double-click Setup.exe. 4 In the Select Products panel, click Next. 5 In the Select Installation Type panel, click Typical.

97 Before you install SESA Preparing third-party software on Windows platforms 97 6 In the Choose Destination Location panel, do one of the following: Confirm the default installation location. Click Browse, navigate to another location, and then click OK. 7 In the Start Copying Files window, click Next. Wait while the program installs. 8 In the Setup Complete panel, click Finish. 9 If necessary, apply FixPak Download the FP5_WR21294.zip file from the following IBM FTP site: ftp://ftp.software.ibm.com/ps/products/db2/fixes/english-us/db2ntv7/ FP5_WR21294/ 11 Navigate to the directory to which you downloaded the FixPak 5 patch file, and then unzip the file. 12 Double-click Setup.exe and follow the on-screen instructions. To configure JDBC for the IBM DB2 database 1 On the computer on which the IBM DB2 Runtime Client is installed, on the Windows taskbar, click Start > Programs > Administrative Tools > Services. 2 In the Services window, scroll down, right-click DB2 JDBC Applet Server, and then click Stop. 3 Right-click DB2 - DB2 service, and then click Properties. The service is not present if only the IBM DB2 Runtime Client is installed. 4 In the Properties dialog box, on the General tab, in the Startup Type dropdown list, click Automatic. 5 Click Apply. 6 Close the Services window. 7 In Windows Explorer, navigate to the Java12 directory in the IBM DB2 installation path. The default location is \Program Files\Sqllib\Java12. 8 Double-click Usejdbc2.bat. An Inuse file appears, which indicates the Usejdbc2 is now running. 9 Restart the computer.

98 98 Before you install SESA Preparing third-party software on Solaris platforms Adding an IBM DB2 SESA DataStore to an existing environment When a SESA Manager is installed and configured to connect to a remote Oracle database and then an IBM DB2 SESA DataStore is added to the environment, you need to do the following: Modify the Windows registry to include the IBM DB2 Java file. Restart the Apache Tomcat Server. To modify the Windows registry to include the IBM DB2 Java file 1 On the computer on which the IBM DB2 Runtime Client is installed, on the Windows taskbar, click Start > Run. 2 In the Run dialog box, type Regedit 3 In the Registry Editor window, expand HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Services > Apache Tomcat > Parameters. 4 In the right pane, double-click JVM Option Number 0. 5 In the Edit String dialog box, in the Value data box, place your cursor in the path after \bootstrap.jar. 6 Type ;C:\Program Files\Sqllib\Java\Db2java.zip 7 Click OK. 8 Exit the Windows registry. Preparing third-party software on Solaris platforms Table 3-12 lists the tasks that you must complete to prepare third-party software on Solaris platforms depending on the SESA component that you are installing.

99 Before you install SESA Preparing third-party software on Solaris platforms 99 Table 3-12 Tasks to prepare third-party software on Solaris platforms SESA component All SESA components SESA DataStore Task SESA requires the Sun Java Development Kit (SDK) version 1.3.1_09 for any SESA component that is installed on a Solaris computer. See Installing the Sun Java Development Kit on Solaris computers on page 105. To ensure that SESA components operate as they are designed to on Solaris computers, make sure that the installation of the Solaris operating system on the computer is optimized for use with SESA software. See Guidelines for installing Solaris 8 on page 100. If you are installing a SESA DataStore on a Solaris platform, you must first install the underlying Oracle 9i database and prepare it for SESA DataStore installation. The Oracle 9i database is not included with the SESA Foundation Pack. See Preparing for and installing Oracle 9i on a Solaris computer on page 115. You must also install IBM DB2 Enterprise Edition on the SESA Directory computer to support the remote connection with the SESA DataStore. IBM DB2 Enterprise Edition is included with the SESA Foundation Pack. See Installing IBM DB2 Enterprise Edition on a Solaris computer on page 111. Note: IBM DB2 Enterprise Edition is for SESA Directory use only. If you use it as the SESA DataStore, your SESA installation will fail.

100 100 Before you install SESA Preparing third-party software on Solaris platforms SESA component SESA Manager Task If you are installing a SESA Manager on a Solaris computer, but you want the SESA Manager to use an IBM DB2 database server on a Windows computer as the SESA DataStore, then you must install the IBM DB2 Runtime Client on the Solaris computer before you install the SESA Manager. The SESA Manager requires the IBM DB2 Runtime Client on Solaris platforms to communicate with an IBM DB2 database server on Windows platforms. The SESA Foundation Pack CD set for Solaris does not include the IBM DB2 Runtime Client for Solaris platforms. See Installing an IBM DB2 Runtime Client on a Solaris computer on page 133. Guidelines for installing Solaris 8 The procedures for installing Solaris 8 on a computer that will support SESA are only guidelines. The exact procedures depend on your hardware and network environment. Ask your UNIX administrator for additional assistance. Before you install Solaris 8 Before you install Solaris 8, ensure that the following requirements are met: System requirements for Solaris 8 and any other components that you will be installing have been met. All hardware, such as hard drives and memory, has been installed. Installing Solaris 8 from the CD If you are doing a core only Solaris 8 installation, Table 3-13 lists the packages that you must install in order to export the SESA graphical user interface (GUI) to another display. Exporting the SESA GUI is required when you are running the SESA Installation Wizard from a computer other than the one on which you are installing components.

101 Before you install SESA Preparing third-party software on Solaris platforms 101 Table 3-13 Packages that are required to export the SESA GUI to a remote computer SUNWadmr SUNWarc SUNWarcx SUNWatfsr SUNWatfsu SUNWauda SUNWaudd SUNWauddx SUNWbtool SUNWbzip SUNWcar SUNWcarx SUNWced SUNWcedx SUNWcg6 SUNWcg6x SUNWcsd SUNWcsl SUNWcslx SUNWcsr SUNWcsu SUNWcsxu SUNWctpls SUNWdfb SUNWdtcor SUNWdtct SUNWeridx SUNWesu SUNWfcip SUNWfcipx SUNWfcp SUNWfcpx SUNWfctl SUNWfctlx SUNWftpr SUNWftpu SUNWged SUNWhea SUNWhmd SUNWhmdx SUNWi1of SUNWjvrt SUNWkey SUNWkvm SUNWkvmx SUNWlibC SUNWlibCx SUNWlibm SUNWlibms SUNWlmsx SUNWloc SUNWlocx SUNWluxdx SUNWluxop SUNWluxox SUNWm64 SUNWm64x SUNWmdi SUNWmdix SUNWmfrun SUNWnamdt SUNWnamos SUNWnamow SUNWnamox SUNWnisr SUNWnisu SUNWpd SUNWpdx SUNWpiclr SUNWpiclu SUNWpiclx SUNWpl5u SUNWqfed SUNWqfedx SUNWrmodu SUNWscpu SUNWses SUNWsesx SUNWsndmr SUNWsndmu SUNWsolnm SUNWsprot SUNWsprox SUNWssad SUNWssadx SUNWswmt SUNWtltk SUNWtoo SUNWtoox SUNWuaud SUNWuaudx SUNWudf SUNWudfr SUNWudfrx SUNWuiu8 SUNWusb SUNWusbx SUNWvolr SUNWvolu SUNWvolux SUNWwsr2 SUNWxcu4 SUNWxildh SUNWxilow SUNWxilrl SUNWxwdv SUNWxwdvx SUNWxwfnt SUNWxwice SUNWxwicx SUNWxwmod SUNWxwmox SUNWxwplt SUNWxwplx SUNWxwrtl SUNWxwrtx To install Solaris 8 from a CD 1 Turn on the computer and insert the Solaris 8 software 1 of 2 disk. 2 If necessary, press STOP+a to stop the computer from launching a preinstalled version of the operating system. 3 At the ok prompt, type the following command: boot cdrom 4 When you are prompted by the Solaris 8 pre-installation program, type the following information: Language Locale Networked Use DHCP English en_us ISO Yes No

102 102 Before you install SESA Preparing third-party software on Solaris platforms Host Name IP Address Part of subnet User choice You should not use a mixed-case machine name, as UNIX is casesensitive. The static IP address of the computer (for example, ) You must use a static IP address or SESA will not install properly. Obtain a static IP address from your network administrator. Yes Subnet mask The subnet mask for this computer (for example, ) Enable IPv6 Enable Kerberos Security Name service DNS servers DNS Search List Domain name New name service Time Zone Geographic Region Date and Time No No DNS The IP address of the Domain Name Service (DNS) servers for this computer Specify only if required See your network administrator for more information. The fully qualified domain name for this computer (for example, corp.symantec.com) No Geographic region Your time zone (for example, United States - Pacific) The current local date and time 5 When the Solaris pre-installation program displays a summary window, verify that the information that you entered is correct, and then click Continue. 6 In the Solaris Interactive Installation window, select Initial as the install option, and then click Next. 7 When you are prompted by the Solaris installation program, type the following information: Geographic Regions Default (Partial North America) or as needed

103 Before you install SESA Preparing third-party software on Solaris platforms 103 Software Disks Preserve Data Automatically Layout File Systems File System and Disk Layout Customize Disks Mount remote? Entire Distribution plus OEM support If you are doing a core only installation, be sure to also install the packages that are listed in Table The boot disk (for example, C0t0d0) No (Continue) This erases any existing files. Yes (Auto Layout) Customize... The sizes for the operating system directories that are required for your computer The minimum required directories are swap and root. A swap directory should be twice the maximum amount of memory that can be installed in the computer. For nonproduction computers, the balance of the disk space can be allocated to the root directory. Ask your UNIX administrator for advice on the optimal layout. No (Continue) 8 When you are prompted by the Solaris 8 installation program, verify the installation information that you entered, and then click Begin Installation. 9 Click Auto Reboot. The operating system is copied to your computer. 10 Type the password for root access. 11 When the Solaris installation program prompts you for the media type, select CD/DVD, click Next, insert the Solaris Software disk 2 of 2, and then click OK. 12 After the Solaris Software disk 2 of 2 files are copied to your computer, click Next. 13 When the Solaris installation program prompts you for the media type, select CD/DVD, click Next, insert the Solaris 8 Languages disk, and then click OK. 14 Verify the languages to be installed, and then click Install Now.

104 104 Before you install SESA Preparing third-party software on Solaris platforms 15 After the Solaris 8 Languages files are copied to your computer, in the Installation Summary window for Languages, verify that the languages were installed properly, and then click Next. 16 Click Reboot Now. Solaris 8 post-installation tasks Solaris 8 requires some post-installation tasks in order to connect to the local area network and be brought up-to-date. Solaris 8 post-installation tasks After the basic Solaris 8 installation completes, you must do the following: Create the defaultrouter file. Apply the required Solaris 8 patches. To create the defaultrouter file 1 Open a Terminal window, and then become superuser. 2 In a text editor, create a file named etc/defaultrouter. This file should contain the IP address of the default gateway for your computer (for example, ). 3 Save and close the file. 4 Verify that the file etc/resolv.conf exists and contains the correct domain name server information. If it does not, use a text editor to create the file. Use the following as a model: domain <your fully qualified domain> nameserver <IP address of the first DNS server> nameserver <IP address of the second DNS server> hostresorder local bind 5 Save and close the file. 6 Restart your computer. To apply the required Solaris 8 patches 1 In an Internet browser, navigate to sunsolve.sun.com. 2 Under Sun Solve Patch Contents, click Patch Portal. 3 Under Downloads, click Recommended Patch Clusters. 4 In the Recommended Solaris Patch Clusters and J2SE Clusters box, click 8 (not 8 x86).

105 Before you install SESA Preparing third-party software on Solaris platforms Select one of the following: Download by HTTP Download by FTP 6 Click Go. 7 Type the location on your computer to which you would like the patch copied. For example, /opt/tmp/8_recommended.zip. The patch is very large and may take a long time to download depending on the speed of your Internet connection. 8 After the patch finishes downloading, navigate to the location of the patch file on your computer, and then type the following command to decompress the patch: unzip 8_Recommended.zip 9 Change to the 8_Recommended directory, and then type the following command to run the patch:./install_cluster This step takes a considerable amount of time, longer than the initial OS install. Ignore any Return code 2 or 8 errors that are generated. 10 After the patch finishes installing, restart the computer. Installing the Sun Java Development Kit on Solaris computers SESA requires the Sun Java Development Kit (SDK) version 1.3.1_09 (program files only). You must install the SDK 1.3.1_09 on any computer on which a SESA Manager is going to be installed. Other SESA components require only the Java Runtime Environment (J2RE) be installed. However, you may want to consider installing the SDK on all SESA component computers, since the JDK installation also installs J2RE. If the SDK is already installed, you can initiate an installation of the SDK again, if necessary. To install the Sun Java Development Kit (SDK) on a Solaris computer 1 Ensure that a local copy of the SESA Foundation Pack distribution media (including the SDK) has been copied to the SESA component computer and that the Solaris computer at which you are physically located has access to the SESA component computer. See Copying the SESA Foundation Pack CDs to a Solaris staging area on page 70.

106 106 Before you install SESA Preparing third-party software on Solaris platforms 2 Open a Terminal window to the Solaris computer on which you want to install the SDK, and then become superuser, if you are not already. See Connecting to a remote Solaris computer and exporting its display on page 135. You do not need to export a display. 3 To change to the /usr directory, type the following command: cd /usr 4 To grant executable privileges to the SDK installer, type the following command: chmod 700 /u01/solaris.cd1/utils/jdk/j2sdk-1_3_1_09-solarissparc.sh /u01 is the default staging area for the SESA CD images. If you copied your installation CDs to a different location, change the above path accordingly. 5 To run the SDK installer, type the following command: /u01/solaris.cd1/utils/jdk/j2sdk-1_3_1_09-solaris-sparc.sh 6 Follow the on-screen instructions to install the Java files. 7 To rename any older SDK files that currently reside on the Solaris computer, type the following command: mv java java.old 8 To create a link to the new Java version, type the following command: ln -s./j2sdk1_3_1_09 java 9 To confirm that the link is working correctly, type the following command: which java The computer should respond with the following path information: usr/bin/java 10 To confirm that the correct Java version was installed, type the following command: java -version The command responds with the following information: java version 1.3.1_09 Java(TM) 2 Runtime Environment, Standard Edition (build 1.3.1_09-b03) Java HotSpot(TM) Client VM (build 1.3.1_09-b03, mixed mode)

107 Before you install SESA Preparing third-party software on Solaris platforms 107 Installing the Java Runtime Environment on Solaris or Linux computers All Solaris computers that run SESA components require the Java Runtime Environment (J2RE). The J2RE is included in the SDK so that when you install the SDK, the J2RE is also installed. You can also install the J2RE without the accompanying SDK files. You need to do this when you install the SESA Agent separately from the SESA Manager. You must also install the J2RE on Solaris computers, with or without SESA components, from which you will connect remotely to a SESA manager using the Symantec management console in a browser. The J2RE versions 1.3.1_09 and 1.4.2_02 are located on the SESA Foundation Pack Windows CD1 in the UTILS/JRE directory. The version of the J2RE that you install depends on the Symantec security products that the computers run. Solaris computers that run SESA components and Linux computers that run the Symantec management console require J2RE 1.3.1_09. Solaris computers that run the Symantec management console require J2RE 1.4.2_02. Solaris computers that run SESA components and the Symantec management console require that both versions of the J2RE be installed. The installation procedure for either version of J2RE is the same. However, the directory to which you install the J2RE depends on which J2RE version you install. J2RE 1.3.1_09 is installed to /usr, while J2RE 1.4.2_02 is installed to /opt. If you plan to run Netscape Navigator 7.0 or later on the Solaris computer, you must also create a symbolic link to a required Java Plug-in file after the J2RE is installed. The Java Plug-in file supports the Netscape Navigator Web browser in the Java Runtime Environment. To install the J2RE 1.3.1_09 on a Solaris or Linux computer 1 Ensure that a local copy of the SESA Foundation Pack distribution media (including the J2RE) has been copied to the SESA component computer and that the Solaris computer at which you are physically located has access to the SESA component computer. See Copying the SESA Foundation Pack CDs to a Solaris staging area on page Open a Terminal window to the Solaris or Linux computer on which you want to install the J2RE, and then become superuser, if you are not already. See Connecting to a remote Solaris computer and exporting its display on page 135. You do not need to export a display.

108 108 Before you install SESA Preparing third-party software on Solaris platforms 3 To change to the /usr directory, type the following command: cd /usr 4 To grant executable privileges to the J2RE installer, type the following command: chmod 700 /u01/solaris.cd1/utils/jre/j2re-1_3_1_09-solarissparc.sh /u01 is the default staging area for the SESA CD images. If you copied your installation CDs to a different location, change the above path accordingly. 5 To run the J2RE installer, type the following command: /u01/solaris.cd1/utils/jre/j2re-1_3_1_09-solaris-sparc.sh 6 Follow the on-screen instructions to install the Java Runtime Environment. 7 To rename any older J2RE files that currently reside on the Solaris computer, type the following command: mv java java.old 8 To create a link to the new Java version, type the following command: ln -s./j2re1_3_1_09 java 9 To confirm that the link is working correctly, type the following command: which java The computer should respond with the following path information: usr/bin/java 10 To confirm that the correct Java version was installed, type the following command: java -version The command responds with the following information: java version 1.3.1_09 Java(TM) 2 Runtime Environment, Standard Edition (build 1.3.1_09-b03) Java HotSpot(TM) Client VM (build 1.3.1_09-b03, mixed mode) Configuring Solaris 8 computers to run the Symantec management console In order to run the Symantec management console on a Solaris 8 computer, you must first install and properly configure J2RE 1.4.2_02 and Netscape 7 on that computer.

109 Before you install SESA Preparing third-party software on Solaris platforms 109 Configure Solaris 8 computers to run the Symantec management console To configure a Solaris 8 computer to run the Symantec management console, you must complete the following tasks: Download Netscape 7 and the required Solaris 8 patches. Install the Solaris 8 patches for Netscape 7. Install the J2RE 1.4.2_02. Install Netscape 7. Create the necessary symbolic links. To download Netscape 7 and the required Solaris 8 patches 1 In an Internet browser, navigate to: wwws.sun.com/software/solaris/ netscape/ 2 Follow the links on the Web site to download Netscape 7 and the required patches to your computer. You may have to register with Sun to get the software. The following files should be downloaded: n7_sunpkgs_sparc_s5.7.zip n7-patches-s8-sparc.zip To install the Solaris 8 patches for Netscape 7 1 Open a Terminal window to the Solaris computer on which you want to install the patches, and then become superuser, if you are not already. See Connecting to a remote Solaris computer and exporting its display on page 135. You do not need to export a display. 2 Navigate to the directory to which you downloaded the Solaris 8 patch file (n7-patches-s8-sparc.zip). 3 Type the following command: unzip n7-patches-s8-sparc.zip The patch is decompressed and the following patch files are added to the current directory:

110 110 Before you install SESA Preparing third-party software on Solaris platforms 4 Verify that there are no files in the current directory, other than the patch files, that begin with 1, and then type the following command to apply the patches: patchadd 1* After the patches are installed, Solaris responds that a later version of patch has already been installed. To install the J2RE 1.4.2_02 on a Solaris computer 1 Ensure that a local copy of the SESA Foundation Pack distribution media (including the J2RE) has been copied to the SESA component computer and that the Solaris computer at which you are physically located has access to the SESA component computer. See Copying the SESA Foundation Pack CDs to a Solaris staging area on page Open a Terminal window to the Solaris or Linux computer on which you want to install the J2RE, and then become superuser, if you are not already. See Connecting to a remote Solaris computer and exporting its display on page 135. You do not need to export a display. 3 To change to the /opt directory, type the following command: cd /opt 4 To grant executable privileges to the J2RE installer, type the following command: chmod 700 /u01/solaris.cd1/utils/jre/j2re-1_4_2_02-solarissparc.sh /u01 is the default staging area for the SESA CD images. If you copied your installation CDs to a different location, change the above path accordingly. 5 To run the J2RE installer, type the following command: /u01/solaris.cd1/utils/jre/j2re-1_4_2_02-solaris-sparc.sh 6 Follow the on-screen instructions to install the Java Runtime Environment. To install Netscape 7 1 Navigate to the directory to which you downloaded the file n7_sunpkgs_sparc_s5.7.zip, and then type the following command:./nsinstall 2 Verify that you are installing to the default location (/opt). 3 Disregard the warning about packages that aren t installed and the warning about no Java To complete the installation, follow the on-screen instructions.

111 Before you install SESA Preparing third-party software on Solaris platforms 111 To create the necessary symbolic links 1 Navigate to /usr/local/bin, and then type the following command: ln -s /opt/sunwns/netscape ns7 2 Navigate to /opt/sunwns/plugins, and then type the following command: ln -s /opt/j2re1.4.2_02/plugin/sparc/ns610/libjavaplugin_oji.so libjavaplugin_oji.so Installing IBM DB2 Enterprise Edition on a Solaris computer If you are installing the SESA Directory (IBM Directory Server 4.1) on a Solaris computer, you must first install IBM DB2 Workgroup or Enterprise Edition on the Solaris SESA Directory computer. IBM DB2 Enterprise Edition 7.2 is included on the SESA Foundation Pack Solaris CD2. You will also have to download and install FixPak 5 from IBM. IBM DB2 Enterprise Edition requires you to restart the Solaris computer after installation. Warning: IBM DB2 Enterprise Edition on Solaris platforms is intended as support software for the IBM Directory Server 4.1. It will not run as an IBM DB2 Universal database for the SESA DataStore. Install IBM DB2 Enterprise Edition on a Solaris computer To install IBM DB2 Enterprise Edition, you must complete the following tasks: Append IBM DB2 kernel parameters to the /etc/system file. Run the IBM DB2 Enterprise Edition installation script. Download and apply IBM DB2 FixPak 5. To append IBM DB2 kernel parameters to the /etc/system file 1 Ensure that a local copy of the SESA Foundation Pack distribution media image has been copied to the SESA Directory computer and that the Solaris computer at which you are physically located has access to the SESA DataStore computer. 2 On the Solaris computer at which you are physically located, become superuser. 3 To open a local Terminal window, right-click anywhere on the Solaris screen, and then click Tools > Terminal. If you are installing IBM DB2 Enterprise Edition on the computer at which you are physically located, your local Terminal window displays the SESA Directory computer environment.

112 112 Before you install SESA Preparing third-party software on Solaris platforms 4 If you are installing IBM DB2 Enterprise Edition from a remote Solaris computer, initiate a Telnet session with the SESA Directory computer, and then set and export the remote display to the local computer. See Connecting to a remote Solaris computer and exporting its display on page 135. The Terminal window displays the environment of the SESA DataStore computer. 5 In the SESA Directory computer Terminal window, in a text editor, open the /etc/system file. 6 To modify the kernel configuration parameters, type the following lines in the /etc/system file: *db2 kernel parameters set msgsys:msginfo_msgmax = set msgsys:msginfo_msgmnb = set msgsys:msginfo_msgmap = 258 set msgsys:msginfo_msgmni = 256 set msgsys:msginfo_msgssz = 16 set msgsys:msginfo_msgtql = 1024 set msgsys:msginfo_msgseg = set shmsys:shminfo_shmmax = set shmsys:shminfo_shmseg = 50 set shmsys:shminfo_shmmni = 300 set semsys:seminfo_semmni = 1024 set semsys:seminfo_semmap = 1026 set semsys:seminfo_semmns = 2048 set semsys:seminfo_semmnu = 2048 set semsys:seminfo_semume = 50 You can modify the values of the parameters as necessary. 7 Save and close the /etc/system file. 8 Restart the SESA Directory computer. If you are remotely connected to the computer, the Telnet session closes.

113 Before you install SESA Preparing third-party software on Solaris platforms 113 To run the IBM DB2 Enterprise Edition installation script 1 On the Solaris computer at which you are physically located, become superuser. 2 To open a local Terminal window, right-click anywhere on the Solaris screen, and then click Tools > Terminal. If you are installing IBM DB2 Enterprise Edition on the computer at which you are physically located, your local Terminal window displays the SESA Directory computer environment. 3 If you are installing IBM DB2 Enterprise Edition from a remote Solaris computer, initiate a Telnet session with the SESA Directory computer, and then set and export the remote display to the local computer. See Connecting to a remote Solaris computer and exporting its display on page 135. The Terminal window displays the environment of the SESA DataStore computer. 4 In the SESA Directory computer Terminal window, become superuser. 5 To change to a directory that contains IBM DB2 Enterprise Edition, type the appropriate command. For example, if you have copied the SESA Foundation Pack Solaris CD images to a Solaris staging area, type the following command: cd /u01/solaris.cd2/udb72 The default location is on the SESA Foundation Pack CD2 in the /udb72 directory. 6 To ensure that the SESA Directory computer Terminal window is at least 24 lines by 80 columns, type the following command: TERM=v+100;export TERM You cannot run the db2setup script in a Terminal window that is smaller than this size. 7 To start the DB2 Installer, type the following command:./db2setup 8 In the Install DB2 V7 window, select DB2 UDB Enterprise Edition. 9 Select [OK], and then press Enter. 10 In the Create DB2 Services window, select [OK] to accept the default settings, and then press Enter.

114 114 Before you install SESA Preparing third-party software on Solaris platforms 11 When a message informs you that you have not created an instance, select [OK], and then press Enter. 12 When a message informs you that an Administration Server was not created, select [OK], and then press Enter. 13 In the Summary Report window, press the Up Arrow or Down Arrow keys to review the information. 14 To start the installation, select [Continue], and then press Enter. 15 When a message prompts you to start or stop the installation, select [OK] to start the installation, and then press Enter. The IBM DB2 Enterprise Edition installation program begins. 16 When you see a Completed successfully message, select [OK], and then press Enter. 17 In the Status Report window, press the Up Arrow or Down Arrow keys to review the information. 18 Select OK, and then press Enter. 19 Select Close, and then press Enter. 20 In the next two warning messages, select [OK], and then press Enter. 21 When a message prompts you to exit, select [OK], and then press Enter. To download and apply IBM DB2 FixPak 5 1 Download the FP5_U tar.Z file from the following IBM FTP site: ftp://ftp.software.ibm.com/ps/products/db2/fixes/english-us/db2sun64v7/ FP5_U480363/ 2 Navigate to the directory to which you downloaded the patch, and then type the following command to uncompress the patch file: zcat < FP5_U tar.Z tar xvf -

115 Before you install SESA Preparing third-party software on Solaris platforms After the patch file finishes decompressing, type the following command to install the patch:./installallpatch When the patch installs successfully, the following information appears in the Terminal window: ======================================================== Summary ======================================================== Package Patch ID Patch Level Result db2tspf SUCCESS db2elic SUCCESS db2rte SUCCESS db2engn SUCCESS db2das SUCCESS db2csna SUCCESS db2crte SUCCESS db2cipx SUCCESS db2cdrd SUCCESS db2conn SUCCESS db2cliv SUCCESS Log saved in /tmp/db2installallpatch.log Preparing for and installing Oracle 9i on a Solaris computer Before you can install the SESA DataStore, you must first complete the following tasks: Prepare the Solaris environment for Oracle 9i installation. Install the Oracle 9i database software. Apply the required Oracle 9i database patches. Create one or more Oracle 9i databases. Configure and start the Oracle listener process. Enable redo log archival. Secure the network connection between Oracle 9i and the SESA Manager computer.

116 116 Before you install SESA Preparing third-party software on Solaris platforms The SESA Directory and SESA Manager must reside on different computers than the one on which the Oracle 9i database server is installed. Oracle 9i is not included with the SESA Foundation Pack. Note: The instructions to install and prepare the Oracle 9i database server assume that you are an Oracle database administrator or have equivalent knowledge. In addition, you should have access to Oracle technical support. Preparing the Solaris 8 environment for Oracle 9i installation The Solaris 8 operating system environment must be specially configured before you install Oracle 9i. Prepare the Solaris 8 environment for Oracle 9i installation To prepare the Solaris 8 environment for Oracle 9i installation, complete the following tasks: Configure kernel parameters in the /etc/system file. Add a dba group and an Oracle user. Copy the Oracle 9i installation disks to a staging area on the SESA DataStore computer. Modify the.profile file in the Oracle user login environment. To configure kernel parameters in the /etc/system file 1 Log in to the Solaris 8 SESA DataStore computer, and become superuser. If you are connecting to the SESA DataStore computer from another computer, see Connecting to a remote Solaris computer and exporting its display on page 135 for more information. 2 In a text editor, open the /etc/system file, and then append the following lines: set shmsys:shminfo_shmmax = set shmsys:shminfo_shmmin = 1 set shmsys:shminfo_shmmni = 100 set semsys:seminfo_semmni = 100 set shmsys:shminfo_shmseg = 10 set semsys:seminfo_semmsl = 100 set semsys:seminfo_semmns = Save and close the /etc/system file.

117 Before you install SESA Preparing third-party software on Solaris platforms 117 To add a dba group and an Oracle user 1 As superuser in the SESA DataStore computer Terminal window, type the following command: groupadd -g 400 dba 2 Verify that the /export/home directory exits, and if it does not, type the following command to create it: mkdir /export/home 3 Type the following command to create an Oracle user: useradd -u 400 -c "Oracle Owner" -d /export/home/oracle -g "dba" -m -s /usr/bin/ksh oracle 4 Type the following command to set the password for the Oracle user: passwd oracle 5 Verify that the /u01 and /u02 directories exist, and if they do not, type the following command to create them: mkdir /u01 /u02 6 Type the following command to change the ownership of the /u01 and /u02 directories to the Oracle user: chown -R oracle:dba /u01 /u02 To copy the Oracle 9i installation disks to a staging area on the SESA DataStore computer 1 As the superuser in the SESA DataStore computer Terminal window, type the following command: mkdir /export/home/oracle/staging 2 On the SESA DataStore computer, insert the Oracle9i Database (64-bit) CD 1 of 3 into the CD-ROM drive, and then type the following command: cp -rp /cdrom/disk1 /export/home/oracle/staging/disk1 Make sure that the directory disk1, as well as disk2 and disk3 in the following steps, is renamed with an uppercase D in the copy process. This ensures that the Oracle Installer can copy the files from all 3 disks without user intervention during the installation process. 3 After the copy process completes, insert the Oracle9i Database (64-bit) CD 2 of 3 into the CD-ROM drive, and then type the following command: cp -rp /cdrom/disk2 /export/home/oracle/staging/disk2 4 After the copy process completes, insert the Oracle9i Database (64-bit) CD 3 of 3 into the CD-ROM drive, and then type the following command: cp -rp /cdrom/disk3 /export/home/oracle/staging/disk3

118 118 Before you install SESA Preparing third-party software on Solaris platforms 5 After the copy process completes, remove CD3 from the CD-ROM drive, and then store all of the Oracle9i Database CDs in a safe place. To modify the.profile file in the Oracle user login environment 1 As superuser on the SESA DataStore computer, in a text editor, open the /export/home/oracle/.profile file, and then append the following lines: ORACLE_SID=SESA;export ORACLE_SID ORACLE_HOME=/u02/app/oracle/product/ ;export ORACLE_HOME ORACLE_BASE=/u02/app/oracle;export ORACLE_BASE PATH=$PATH:$ORACLE_HOME/bin;export PATH 2 Save and close the.profile file. 3 Restart the SESA DataStore computer. As the computer restarts, ensure that there are no genunix error messages in the Terminal window. If you see any errors, you probably mistyped a kernel parameter. Reconfigure the kernel parameters as necessary. If you are remotely connected to the computer, the Telnet session closes. Installing the Oracle 9i database software You must next install the Oracle 9i software. To install the Oracle 9i database software 1 Log in to the Solaris 8 SESA DataStore computer, and become Oracle user. If you are connecting to the SESA DataStore computer from another computer, you must export the display of the remote computer on which you are running the Oracle installation program. See Connecting to a remote Solaris computer and exporting its display on page Type the following command to run the Oracle Universal Installer:./staging/Disk1/runInstaller 3 In the Oracle Universal Installer Welcome window, click Next. 4 In the Inventory Location window, type or verify the Inventory Location path that matches the ORACLE_BASE that you specified in the.profile file with /orainventory appended ( /u02/app/oracle/orainventory), and then click OK. 5 In the UNIX Group Name window, in the UNIX Group Name box, type dba, and then click Next.

119 Before you install SESA Preparing third-party software on Solaris platforms When an Oracle Universal Installer message informs you that you need root privileges to perform the following actions, open a new Terminal window to the SESA DataStore computer. 7 Become superuser in this new window, and then type the following command: /orainstroot.sh 8 When the shell script completes, return to the Oracle Universal Installer message window, and then click Continue. 9 In the File Locations window, type an Oracle Home name (for example, Oracle920), type or verify the default Oracle Home path that matches what you specified in the.profile file (u02/app/oracle/product/ ), and then click Next. 10 In the Available Products window, select Oracle9i Database , and then click Product Languages. 11 In the Language Selection window, use the arrow keys to select the languages that are required by your installation, and then click OK. 12 Click Next. 13 In the Installation Types window, select Custom, and then click Next. 14 In the Available Product Components window, select all of the software for which you have a license, except for the following components: Oracle HTTP Server Legato Networker Single Server 15 Expand Oracle Enterprise Manager Products , and then uncheck the following: Enterprise Manager Web Site Oracle Management Server Oracle HTTP Server Expand Enterprise Edition Options , and then uncheck Legato Networker Single Server Click Next. 18 In the Component Locations window, accept the default location for the Oracle Universal Installer or change it if necessary, and then click Next. 19 In the Privileged Operating System Groups window, type or verify dba as the Database Administrator (OSDBA) Group and the Database Operator (OSOPER) Group, and then click Next. 20 In the Create Database window, select No, and then click Next.

120 120 Before you install SESA Preparing third-party software on Solaris platforms 21 In the Summary window, verify all of the selections that you have made, and then click Install. 22 In the Installation Types window, select the appropriate database server option, and then click Next. It is assumed that Oracle has licensed you for the software that you select. 23 In the Summary window, click Install. 24 When the Setup Privileges window informs you that a configuration script must be run with root privileges, change focus to the SESA DataStore computer Terminal window, and then change to superuser if necessary. 25 In the Oracle computer Terminal window, change to the directory that is listed in the Setup Privileges message window, and then type the following command:./root.sh 26 Follow the instructions in the script. 27 After the script completes, in the Setup Privileges window, click OK. 28 In the Oracle Net Configuration Welcome window, select Perform typical configuration, and then click Next. 29 In the Add Database to Tree window, click Cancel. 30 In the End of Installation window, click Exit. The Oracle 9i database installation completes successfully. 31 Ensure that you update Oracle 9i with the required database patch. Applying the required Oracle 9i database patch You must apply the latest Oracle cluster patch to prepare your Oracle 9i database for use with SESA. Apply the required Oracle 9i database patch After you install Oracle 9i, you must apply the (or later) cluster patch. Oracle cluster patches are collections of individual recommended patches. These patch collections have passed a more thorough testing process. Apply the patch by completing the following tasks: Download and decompress the patch from Oracle. Stop any Oracle processes that are running. Launch the currently installed Oracle Universal Installer. Install the Oracle Universal Installer that is included with the patch. Install the Oracle patch.

121 Before you install SESA Preparing third-party software on Solaris platforms 121 To download and decompress the patch from Oracle 1 Connect to the Oracle technical support Web site. You must have an Oracle support account to access this Web site. For more information, see your Oracle administrator. 2 Download patch (this patch number corresponds to the patch for Solaris 64 bit) to the SESA DataStore computer on which you installed Oracle 9i. If a later cluster patch than exists, download and install it instead. 3 Decompress the patch. To stop any Oracle processes that are running 1 Log in to the Solaris 8 SESA DataStore computer, and become Oracle user. If you are connecting to the SESA DataStore computer from another computer, you must export the display of the remote computer on which you are running the Oracle installation program. See Connecting to a remote Solaris computer and exporting its display on page Type the following commands: agentctl stop lsnrctl stop To launch the currently installed Oracle Universal Installer 1 Navigate to the home directory for Oracle user (/export/home/oracle), if you are not there already, and then type the following command to run the currently installed Oracle Universal Installer:./staging/Disk1/runInstaller 2 In the Oracle Universal Installer Welcome window, click Next. 3 In the File Locations window, in the Source Path box, type the location to which you downloaded and decompressed the patch., and then click Next. 4 Verify that the Destination Name and Path match those used in the original Oracle installation, and if they do not, type the correct values, and then click Next. To install the Oracle Universal Installer that is included with the patch 1 In the Available Products window, select Oracle Universal Installer , and then click Product Languages. 2 In the Language Selection window, select the languages required by your installation, and then click OK.

122 122 Before you install SESA Preparing third-party software on Solaris platforms 3 In the Language Selection window, use the arrow keys to select the languages that are required by your installation, click OK, and then click Next. 4 Click Next. 5 In the Component Locations window, accept the default location for the new Oracle Universal Installer or change it if necessary, and then click Next. 6 In the Summary window, verify all of the selections that you have made, and then click Install. 7 In the End of Installation window, click Next Install. To install the Oracle patch 1 In the File Locations window, verify the information, and then click Next. 2 In the Available Products window, select Oracle 9iR2 Patchset , and then click Next. 3 In the Summary window, verify the selections that you have made, and then click Install. 4 When the Setup Privileges window informs you that a configuration script must be run with root privileges, change focus to the SESA DataStore computer Terminal window, and then change to superuser if necessary. 5 In the Oracle computer Terminal window, change to the directory that is listed in the Setup Privileges message window, and then type the following command:./root.sh 6 Follow the instructions in the script. 7 After the script completes, in the Setup Privileges window, click OK. 8 In the End of Installation window, click Exit. Creating an Oracle 9i database The SESA Foundation Pack Solaris CDs contain two sample configuration files and one SQL script to use in creating an Oracle 9i database, its tablespaces, and an Oracle user. You must customize the sample files by changing file paths, file sizes, and memory allocations as appropriate for your Solaris environment. As a best practice, isolate redo logs on their own drives, mirror redo and control files on separate drives, and spread the remaining tablespaces across as many drives as possible.

123 Before you install SESA Preparing third-party software on Solaris platforms 123 In addition, for security purposes, you may want to change the default passwords of the sys, system, symcmgmt, and other Oracle users. Create an Oracle 9i database To create an Oracle 9i database, complete the following tasks: Create directories for scripts, and modify the initsesa.ora and create.sql scripts. Run the create.sql script. To create directories for scripts, and modify the initsesa.ora and create.sql scripts 1 If necessary, in the SESA DataStore computer Terminal window, change to Oracle user. 2 To create directories for admin, data, redo, and arch files, type the following command: mkdir -p <directory path> For admin files /u02/app/oracle/admin/sesa/bdump /u02/app/oracle/admin/sesa/cdump /u02/app/oracle/admin/sesa/udump For data files For redo files For arch files /u01/oradata/sesa /u02/oradata/sesa /u01/oradata/sesa/arch The files contain the tablespaces for the Oracle database server. The tablespaces and user names in the database that you create must match the values in the sample configuration and SQL script files that are provided on the SESA Foundation Pack CDs. 3 To copy the initsesa.ora file to $ORACLE_HOME/dbs, type the following command: cp initsesa.ora $ORACLE_HOME/dbs The default location for the initsesa.ora file is Solaris.CD1/ORACLE. 4 If necessary, in Solaris.CD1/ORACLE, open the initsesa.ora file, and then modify the following paths as indicated: For admin files For data files /u02/app/oracle/admin/sesa /u01/oradata/sesa

124 124 Before you install SESA Preparing third-party software on Solaris platforms For redo files For ORACLE_HOME /u02/oradata/sesa /u02/app/oracle/product/ If necessary, save and close the initsesa.ora file. 6 If necessary, repeat steps 4 and 5 for the create.sql file. To run the create.sql script 1 Ensure that the values that were specified in the create.sql script file match the values that are specified in the.profile file. 2 Ensure that the Oracle 9i database is started. 3 If necessary, in the SESA DataStore computer Terminal window, change to Oracle user. 4 To change directories to the location of the create.sql script, type the following command: cd /<path to create.sql> The default location of create.sql is Solaris.CD1/ORACLE. 5 To run the create.sql script, type the following command: sqlplus 6 Verify that the script did not encounter any fatal errors. Creating multiple Oracle 9i databases to support multiple SESA DataStores SESA allows you to install multiple SESA DataStores. Each SESA DataStore is supported by a separate Oracle database. These databases must be created prior to running the SESA installation program. Create multiple Oracle 9i databases to support multiple SESA DataStores The preparation for installing multiple SESA DataStores requires that you create an Oracle 9i database for each SESA DataStore. This means that you must do the following: Create the directory structure for each Oracle database. Create an init<dbname>.ora file for each Oracle database. Add an entry in the oratab, listener.ora, and tnsnames.ora files for each Oracle database. Run a customized create.sql script for each Oracle database.

125 Before you install SESA Preparing third-party software on Solaris platforms 125 Each database that you create must have a unique ORACLE_SID and directory structure. Note: The following procedures are only one example of how you could prepare your Solaris 8 computer to use multiple SESA DataStores. The exact procedures depend on your pre-existing hardware and software setup. For example, the following procedures assume that you are creating multiple Oracle databases on a single Solaris computer, but you can create databases on separate computers. To create the directory structure for each Oracle database 1 Open a Terminal window to the SESA DataStore computer. 2 Change to Oracle user, and then type the following command to create the directories for each of the Oracle databases: mkdir -p <directory path> Use the following information as a model: For admin files /u02/app/oracle/admin/<sesa1, SESA2,, SESA#>/bdump /u02/app/oracle/admin/<sesa1, SESA2,, SESA#>/cdump /u02/app/oracle/admin/<sesa1, SESA2,, SESA#>/udump For data files For redo files For arch files /u01/oradata/<sesa1, SESA2,, SESA#> /u02/oradata/<sesa1, SESA2,, SESA#> /u01/oradata/<sesa1, SESA2,, SESA#>/arch The directory structure for each database differs only in the database name. Each Oracle database requires six directories and each of these directories use the unique database name in the path. For example, if you were to create the directory structure for databases SESA1, SESA2, and SESA3, you would create 18 directories total, 6 for SESA1, 6 for SESA2, and 6 for SESA3. To create an init<dbname>.ora file for each Oracle database 1 Open a Terminal window to the SESA DataStore computer. 2 Change to Oracle user, navigate to the location of the initsesa.ora file, and then type the following command: cp initsesa.ora $ORACLE_HOME/dbs/initSESA1.ora The default location of the initsesa.ora file is /<installation staging area>/solaris.cd1/oracle. 3 Navigate to $ORACLE_HOME/dbs.

126 126 Before you install SESA Preparing third-party software on Solaris platforms 4 In a text editor, open the initsesa1.ora file. 5 Change any instance of the default database name (SESA) to SESA1. You may want to use a find and replace tool in your text editor to ensure that all of the required changes are made. 6 Reduce the Sga_max_size (default=500m)and Db_cache_size (default =300M) so that when they are combined and then multiplied by the number of database instances that run at the same time on a single computer, the total is less than half of the physical memory on that computer. For example, if you use the default values for Sga_max_size and Db_cache_size, and run three SESA DataStores on a single computer, the following calculation results: (500M + 300M)*3 = 2400M In order to comply with the above recommendation, your computer would require 5 GB or more of physical memory. See your Oracle administrator for advice on how much memory to allocate to each database instance. 7 Save and close the initsesa1.ora file. 8 Create an additional copy of initsesa<#>.ora. SESA<#> should correspond to the ORACLE_SID for the additional database. 9 Type the following command: cp initsesa1.ora initsesa<#>.ora 10 In a text editor, open the file initsesa<#>.ora, and make the same changes to the file as you did in steps 5-7, except SESA1 should be replaced with SESA<#> to match the ORACLE_SID and the directory structures that you created earlier. 11 Repeat steps 8-10 for each additional database that you create. Remember to increment SESA<#> for each additional database. To add an entry in the oratab, listener.ora, and tnsnames.ora files for each Oracle database 1 Open a Terminal window to the SESA DataStore computer, and change to Oracle user. 2 In a text editor, open the /var/opt/oracle/oratab file, and then type entries for each database that you create. Be sure to increment SESA<#> as needed to correspond to the ORACLE_SID of the additional databases that you create. For example, if you want to

127 Before you install SESA Preparing third-party software on Solaris platforms 127 create three databases on a single Solaris computer, you would add the following lines to the oratab file: SESA1:/u02/app/oracle/product/ :Y SESA2:/u02/app/oracle/product/ :Y SESA3:/u02/app/oracle/product/ :Y In this example, SESA<#> is the ORACLE_SID, the path is the Oracle Home directory, and Y ensures that the instance starts when Oracle user issues a dbstart command. 3 Save and close the /var/opt/oracle/oratab file. 4 Navigate to the /u02/app/oracle/product/ /network/admin directory. 5 In a text editor, open the listener.ora file, and locate the following section: SID_LIST_LISTENER = (SID_LIST = (SID_DESC = (SID_NAME = PLSExtProc) (ORACLE_HOME = /UO2/APP/ORACLE/PRODUCT/ ) (PROGRAM = extproc) ) 6 Type entries for each database that you create. Be sure to increment SESA<#> as needed to correspond to the ORACLE_SID of the additional databases that you create. For example, if you want to create two databases on a single Solaris computer, you would add the following lines to the listener.ora file: (SID_DESC = (GLOBAL_DBNAME = SESA1) (ORACLE_HOME = /u02/app/oracle/product/ ) (SID_NAME = SESA1) ) (SID_DESC = (GLOBAL_DBNAME = SESA2) (ORACLE_HOME=/u02/app/oracle/product/ ) (SID_NAME=SESA2) ) 7 Save and close the listener.ora file. 8 In a text editor, open the tnsnames.ora file, and type entries for each database that you create. Be sure to increment SESA<#> as needed to correspond to the ORACLE_SID of the additional databases that you create. For example, if you want to create two databases on a single Solaris computer, you would add the following lines to the tnsnames.ora file:

128 128 Before you install SESA Preparing third-party software on Solaris platforms SESA1 = (DESCRIPTION = (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCP)(HOST = LOCALHOST)(PORT = 1521)) ) (CONNECT_DATA = (SID = SESA1) (SERVER = DEDICATED)) ) ) SESA2 = (DESCRIPTION = (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCP)(HOST = LOCALHOST)(PORT = 1521)) ) (CONNECT_DATA = (SID = SESA2) (SERVER = DEDICATED)) ) ) 9 Save and close the tnsnames.ora file. 10 To register the changes that were made to the listener.ora file, restart the listener by typing the following command: lsnrctl start 11 If the listener fails to start because it is already running, type the following command: lsnrctl reload To run a customized create.sql script for each Oracle database 1 Open a Terminal window to the SESA DataStore computer. 2 Change to Oracle user, navigate to the location of the create.sql file, and then type the following command: cp create.sql $ORACLE_HOME/dbs The default location of the create.sql file is /<installation staging area>/ Solaris.CD1/ORACLE. 3 Navigate to $ORACLE_HOME/dbs. 4 In a text editor, open the create.sql file, and then change the instances of the default database name (SESA) to SESA<#>, where <#> is the number of the database that you are now creating. You may want to use a find and replace tool in your text editor to ensure that all of the required changes are made.

129 Before you install SESA Preparing third-party software on Solaris platforms Ensure that the value that is specified for ORACLE_HOME is correct and if it is not, change it. The default is /u02/app/oracle/product/ and the value should match the ORACLE_HOME that was specified in the.profile file that corresponds to Oracle user. 6 Save and close the create.sql file. 7 In the Terminal window to the SESA DataStore computer, as Oracle user, type the following command (make sure to include a space between the period and the oraenv):. oraenv 8 Type the name of the database that you are creating. This value should match the database name in the customized create.sql file. 9 Type the following commands: sqlplus /nolog connect / as 10 After the database is successfully created, type the following command: exit 11 To create the remaining Oracle databases, repeat steps 3 through 10 for each database that you create. Ensure that you change all of the instances of the database name in the ORACLE_SID file, file paths, Oracle environment, create.sql script, and so on, to the new database name. Configuring and starting the Oracle listener process After you create the Oracle 9i database using modified sample files and the SQL script, you must also configure and start the Oracle listener script. The sample listener.ora script is provided on the SESA Foundation Pack Solaris CDs. This script is a separate Oracle process that accepts remote connections on behalf of all of the databases that are installed on a computer. You start the listener.ora script in $ORACLE_HOME/network/admin. To configure and start the listener.ora script 1 If necessary, in the SESA DataStore computer Terminal window, change to Oracle user. 2 In a text editor, open listener.ora, and then change the host name in the file to localhost (HOST=localhost).

130 130 Before you install SESA Preparing third-party software on Solaris platforms 3 If necessary, change the ORACLE_HOME path to match the ORACLE_HOME path in the.profile file. 4 If it is not there already, copy the listener.ora file to the following location: cp listener.ora /u02/app/oracle/product/ /network/admin 5 To start the lsnrctl file, type the following command: lsnrctl start 6 To verify that the listener process is running, type the following command: lsnrctl status Automatically restarting Oracle databases By default, Oracle databases do not automatically restart on Solaris 8 computers after the computer is restarted. To enable the automatic restart of Oracle databases used as SESA DataStores, you modify the Oracle dbshut script, create a script to handle the restart process, and then create several symbolic links. The Oracle dbshut script must be modified so that it closes the Oracle database even if there are users (such as the SESA Manager) connected to it. Specifically, the command shutdown must be changed to shutdown immediate at the appropriate script location. Shutdown immediate closes the Oracle database regardless of any connected users. Automatically restart Oracle databases To configure the Solaris 8 computer to automatically restart any Oracle databases when the computer is restarted, you must complete the following procedures: Modify the Oracle dbshut script. Create a restart script. Create several symbolic links to the restart script. To modify the Oracle dbshut script 1 As Oracle user, in a text editor, open the $ORACLE_HOME/bin/dbshut file. 2 Locate the line after the following: connect / as sysdba 3 Change shutdown to the following: shutdown immediate 4 Save the file and exit. 5 Navigate to /var/opt/oracle, and then, in a text editor, open oratab.

131 Before you install SESA Preparing third-party software on Solaris platforms Verify that Y appears at the end of the database lines that do not begin with an asterisk (*). If it does not, make this change. For example, the following line has the required Y: SESA:/u02/app/oracle/product/ :Y 7 Save the file and exit. To create the restart script 1 As superuser, navigate to /etc/init.d, and then, in a text editor, create the following script: # Oracle database/listener start/stop script ORA_HOME=/u02/app/oracle/product/ ;export ORA_HOME ORA_OWNER=oracle;export ORA_OWNER if [! -f $ORA_HOME/bin/dbstart ] then echo Oracle startup: cannot start exit fi case $1 in start ) su - $ORA_OWNER -c $ORA_HOME/bin/dbstart & su - $ORA_OWNER -c $ORA_HOME/bin/ lsnrctl start & ;; stop ) su - $ORA_OWNER -c $ORA_HOME/bin/dbshut & su - $ORA_OWNER -c $ORA_HOME/bin/ lsnrctl stop & ;; esac 2 Save and close the file. To create the required symbolic links to the restart script 1 Navigate to /etc/rc3.d, and then type the following command: ln -s /etc/init.d/dbora S95dbora 2 Navigate to /etc/rc2.d, and then type the following command: ln -s /etc/init.d/dbora K05dbora 3 Navigate to /etc/rc1.d, and then type the following command: ln -s /etc/init.d/dbora K05dbora 4 Navigate to /etc/rc0.d, and then type the following command: ln -s /etc/init.d/dbora K05dbora

132 132 Before you install SESA Preparing third-party software on Solaris platforms Enabling redo log archival You may want to enable redo log archival so that you can reapply changes that are made to your database after a specific backup point. Enabling redo log archival results in slower database performance. Enable redo log archival To enable redo log archival on an Oracle database that supports a SESA DataStore, you must complete the following tasks: Modify the initsesa.ora file. Shut down and restart the Oracle database that supports the SESA DataStore. Change the Oracle database to enable redo log archival. To modify the initsesa.ora file 1 In a text editor, open the initsesa.ora file, then remove the pound characters (#) from in front of the following lines: # log_archive_start=true # log_archive_dest_1= location=/u01/oradata/sesa/arch 2 Save and close the initsesa.ora file. 3 Verify that the archive directory exists, and if it does not, change to Oracle user, and then type the following command to create it: mkdir /u01/oradata/sesa/arch To shut down and restart the Oracle database that supports the SESA DataStore 1 Open a Terminal window to the SESA DataStore computer as Oracle user, and then type the following command to launch Sqlplus: sqlplus /nolog 2 At the sqlplus prompt, type the following commands: connect / as sysdba shutdown immediate startup mount

133 Before you install SESA Preparing third-party software on Solaris platforms 133 To change the Oracle database to enable redo log archival 1 Open a Terminal window to the SESA DataStore computer as Oracle user, and then type the following command to launch Sqlplus: sqlplus /nolog 2 At the sqlplus prompt, type the following commands: alter database archivelog; alter database open; alter log list Securing the network connection between Oracle 9i and the SESA Manager computer The communication between the Oracle 9i database and the SESA Manager is over normal unencrypted sql.net. Therefore, this connection should be on a private network. Access to the SESA DataStore computer should not be available to anyone except authorized users through a firewall. Installing an IBM DB2 Runtime Client on a Solaris computer If you are installing the SESA Manager on a Solaris computer, but you are using an IBM DB2 Universal database server on a Windows computer as the SESA DataStore, the IBM DB2 software requires that an IBM DB2 Runtime Client 7.2 with FixPak 5 be installed on the SESA Manager computer to support the remote database connection. The IBM DB2 Runtime Client for Solaris platforms is available to IBM DB2 Universal database server users. It is not included with the SESA Foundation Pack CD set. The IBM DB2 Runtime Client with FixPak 5 must be installed on the SESA Manager computer before you install the SESA Manager. If your IBM DB2 Runtime Client CD does not include FixPak 5, you must download FixPak 5 from IBM and apply it manually. Install an IBM DB2 Runtime Client on a Solaris computer To install the IBM DB2 Runtime Client on a Solaris computer, you must do the following: Install the IBM DB2 Runtime Client. Install the SESA Manager. See Installing the SESA Manager on a Solaris computer on page 192.

134 134 Before you install SESA Preparing third-party software on Solaris platforms In addition, if a SESA Manager is already installed and configured to connect to a remote Oracle database, and a new IBM DB2 database has been added to the environment, you must also complete the following tasks: Modify the catalina.sh script. Create a symbolic link for libdb2jdbc.so. Restart Tomcat. To install the IBM DB2 Runtime Client 1 Ensure that the kernel parameters for IBM DB2 are included in the /etc/ system file. See To append IBM DB2 kernel parameters to the /etc/system file on page On the SESA Manager Solaris computer, copy the IBM DB2 Runtime Client 7.2 installation files to a temporary directory. 3 Navigate to the /udb72 directory. 4 To start the DB2 Installer, type the following command:./db2setup 5 In the Install DB2 V7 window, select DB2 Run-Time Client, select OK, and then press Enter. 6 In the Create DB2 Services window, select Create a DB2 Instance, accept the default DB2 Instance settings, select OK, and then press Enter. 7 In the DB2 Setup Utility window, select Continue, and then press Enter. 8 In the Warning window, select Continue, and then press Enter. 9 In the DB2 Setup Utility window, select OK, and then press Enter. 10 After the IBM DB2 Runtime Client finishes installing, apply FixPak 5. See To download and apply IBM DB2 FixPak 5 on page 114. To modify the catalina.sh script 1 In a text editor, open the shell script /opt/ibmhttpd/tomcat/bin/ catalina.sh. 2 Verify the following two lines: DB2INSTANCE=db2inst1 Export DB2INSTANCE If you did not specify db2inst1 (default) as the instance name when you installed the IBM DB2 Runtime Client, change db2inst1 to the instance name that you specified.

135 Before you install SESA Preparing third-party software on Solaris platforms To add the path /opt/ibmdb2/v7.1/java12/db2java.zip to Tomcat s classpath, append the path to the line that includes bootstrap.jar. After modification, the line should read as follows: CLASSPATH= $CLASSPATH : $CATALINA_HOME /bin/bootstrap.jar:/opt/ IBMdb2/V7.1/java12/db2java.zip 4 Save and close the catalina.sh script. To create a symbolic link for libdb2jdbc.so 1 In a Terminal window to the SESA Manager computer, change to superuser, if you are not already, and then navigate to /usr/lib. 2 Type the following command: ln -s /opt/ibmdb2/v7.1/lib/libdb2jdbc.so libdb2jdbc.so in /usr/lib pointing to /opt/ibmdb2/v7.1/lib/libdb2jdbc.so 3 After you create the symbolic link, type the following command to verify that the link was created correctly: ls -l /usr/lib/libdb2jdbc.so The Solaris computer should respond with something similar to the following: lrwxrwxrwx 1 root other 34 Sep 11 20:18 libdb2jdbc.so -> /opt/ibmdb2/v7.1/lib/libdb2jdbc.so To restart Tomcat In a Terminal window on the Tomcat computer, change to superuser, if you are not already, and then type the following commands. /opt/ibmhttpd/tomcat/bin/catalina.sh stop /opt/ibmhttpd/tomcat/bin/catalina.sh start Connecting to a remote Solaris computer and exporting its display Remote installations are convenient when the Solaris computer on which the SESA component is to be installed does not have a video card or monitor, or is not physically accessible to you. You can use Telnet sessions to access the installation computer remotely. When the installation has a graphical user interface (GUI) associated with it, as does the SESA Installation Wizard, you must set and export the display of the remote computer to the computer at which you are physically located. That is, you must configure the two computers so that the GUI output of the remote SESA computer is displayed on the Solaris computer at which you are located. You must also export the display if you are installing Oracle 9i on a local Solaris computer, but you did not log in to the local computer s GUI as Oracle user.

136 136 Before you install SESA Preparing third-party software on Solaris platforms To connect to a remote Solaris computer and export its display 1 Log on to the GUI on the Solaris computer at which you are physically located (local computer). 2 Open a Terminal window on the local computer, and then type the following command: xhost + <Host name of the remote SESA computer> The only user that can add additional hosts to the access list is the user that originally logged in to the GUI desktop. You can also check the xhost man pages for instructions on exporting a display with the level of security that your environment requires. 3 In the Terminal window on the local computer, type the following command to initiate a Telnet session with the remote SESA computer: telnet <IP address or host name of the remote SESA computer> 4 Type the username and password of an account on the remote SESA computer. You are now connected to the remote computer through the Terminal window on the local computer. 5 If you need to change to a different user on the remote computer (such as root or Oracle), type the following command: su - <new user> 6 At the prompt, type the password that is associated with the new user. 7 Change to the user under which you want to run a program with a GUI (for example, the SESA Installation Wizard must be run as superuser), and then type the following command: DISPLAY=<Host name of the local Solaris computer>:0;export DISPLAY

137 Chapter 4 Installing SESA This chapter includes the following topics: SESA Foundation Pack installation overview Performing a silent installation on Solaris or Windows computers Starting the SESA Installation Wizard Performing an express installation Installing the SESA Directory Installing the SESA DataStore Installing the SESA Manager Installing the SESA Agent for heartbeat monitoring SESA Foundation Pack installation overview Depending on the computer platforms and database products that you plan to use for a SESA installation, you can install SESA components in a number of configurations. To install SESA components on a Windows platform, you must be physically located at the Windows computer. You can run a SESA component installation either locally or remotely on Solaris computers. The three main components of the SESA Foundation Pack are the SESA Directory (IBM Directory Server), the SESA DataStore (IBM DB2 on Windows platforms; Oracle 9i on Solaris platforms), and the SESA Manager. If you are using IBM DB2 as the SESA DataStore, you can install all of the SESA components on a single Windows computer. Typically, however, SESA components are divided among two or more Windows computers, depending on your network size and configuration requirements.

138 138 Installing SESA SESA Foundation Pack installation overview Installation guidelines If you are using Oracle 9i as the SESA DataStore, you must dedicate a single Solaris computer for its use. The SESA Manager and SESA Directory can reside on one or two Solaris computers, depending on your networking requirements. You cannot install SESA directly to the root directory of a computer. See Preparing for installation on page 67. Whether you install all of the components on one computer or divide components among computers, you must install the SESA Directory first, then the SESA DataStore, and, finally, the SESA Manager. The available computer resources in your network and the database that you choose for the SESA DataStore dictate which operating systems and the number of computers that you use in your SESA installation. There are nine variations of supported SESA installations that range from a complete installation on a single computer to various combinations of components on multiple computers and multiple platforms. The same SESA Installation Wizard guides you through all SESA installation types. Using the SESA Installation Wizard, you install each SESA component one at a time. Before you start the SESA Installation Wizard, ensure that you do the following: Have a SESA deployment plan in place. See Deployment guidelines on page 65. For complete information on SESA deployment, see the Symantec Enterprise Security Architecture Deployment Guide. Install the necessary third-party software on the computers. See Preparing third-party software on Windows platforms on page 93. See Preparing third-party software on Solaris platforms on page 98. Prepare your environment for SESA components. See Preparing for installation on page 67.

139 Installing SESA SESA Foundation Pack installation overview 139 Installation variations Table 4-1 lists the installation configurations that the SESA Foundation Pack supports along with the associated procedures to set up each type of installation. After you install the SESA Directory, SESA DataStore, and SESA Manager, you can use the SESA Installation Wizard again to install SESA Directory replicas, additional SESA domains, and SESA Agents for heartbeat monitoring, as necessary. See Setting up failover support on page 243. See Installing additional SESA domains on page 212. See Installing the SESA Agent for heartbeat monitoring on page 196. Regardless of the type of installation that you perform, you must first install the SESA Directory. You then install one or more SESA DataStores. You must give each SESA DataStore information about the SESA Directory. Finally, you must install the SESA Manager. You must give each SESA Manager information about the SESA Directory and the SESA DataStore to which it connects. Table 4-1 Supported variations of SESA installations Installation variation Installation procedures Express installation You only need one Windows computer to test or demonstrate SESA in a nonproduction environment. The express installation installs all three SESA components and IBM DB2 Personal Edition on a single Windows computer. IBM DB2 Personal Edition is provided on the SESA distribution media and is used for the SESA DataStore. You are not required to install any third-party components prior to installing SESA components. Performing an express installation on page 154

140 140 Installing SESA SESA Foundation Pack installation overview Installation variation All-Windows installation All three SESA components installed on a single Windows computer or Two SESA components on one Windows computer and one SESA component on another Windows computer or One SESA component on each Windows computer To run SESA in an all-windows production environment, you can use one, two, or three Windows computers. The Windows platform requires you to use an IBM DB2 Universal database (Workgroup Edition, Enterprise Edition, or Enterprise Extended Edition) for the SESA DataStore, which you must have installed prior to installing the SESA DataStore. Before you install the SESA Manager on a Windows computer, you must first do the following: If the SESA DataStore and SESA Manager are on different computers, install the IBM DB2 Runtime Client to support the remote connection with the SESA DataStore computer. Install the Sun Java Development Kit (SDK) 1.3.1_09. If the SESA DataStore or SESA Directory is installed remotely from the SESA Manager, before you install SESA software on the remote computer or computers, you must install the Java Runtime Environment (J2RE) 1.3.1_09. (JRE 1.2.2_008 through J2RE 1.4.1_02 are supported.) Installation procedures Complete the following procedures in the order in which they are listed: Installing a supported version of the IBM DB2 database on page 94 Installing an IBM DB2 Runtime Client on a Windows computer on page 96 (if the SESA Manager and SESA DataStore will be installed on different computers) Installing the Sun Java Development Kit on Windows on page 93 (on the SESA Manager computer) Installing the Java Runtime Environment on Windows on page 94 (on all other SESA component computers) Installing the SESA Directory on a Windows computer on page 162 Installing a SESA DataStore on a Windows computer on page 171 Installing the SESA Manager on a Windows computer on page 188 Installing a SESA Agent for heartbeat monitoring on a Windows computer on page 197 (if more than one Windows computer is used) After you install the SESA Manager, SESA Directory, and SESA DataStore, you must install a SESA Agent for heartbeat monitoring on the SESA Directory and SESA DataStore computer or computers.

141 Installing SESA SESA Foundation Pack installation overview 141 Installation variation Installation procedures All-Solaris installation Solaris SESA DataStore (Oracle) or SESA Directory on one Solaris computer and SESA Manager on another Solaris computer SESA Directory and SESA Manager on a single Solaris computer You can use two or three Solaris computers for an all-solaris installation. You must have a dedicated Solaris computer that is running Oracle 9i for the SESA DataStore. The SESA DataStore and SESA Manager can be installed on the same or different computers. Before you install the SESA Manager on a Solaris computer, you must first install the Sun Java Development Kit (SDK) 1.3.1_09 or 1.3.1_02. Before you install the SESA Directory, you must install a supported IBM DB2 database (Workgroup or Enterprise Edition version 7.1 or later with FixPak 5) to support the IBM Directory Server 4.1 and the connection to the SESA DataStore. In addition, before you install the SESA Directory or SESA DataStore, you must install the Java Runtime Environment (J2RE) 1.3.1_09. (JRE 1.2.2_008 through J2RE 1.4.1_02 are supported.) After you install the SESA Directory, SESA DataStore, and SESA Manager, you must install a SESA Agent for heartbeat monitoring on the SESA DataStore computer. If the SESA Directory is on a different computer than the SESA Manager, you must also install another SESA Agent for heartbeat monitoring on the SESA Directory computer. Complete the following procedures in the order in which they are listed: Preparing for and installing Oracle 9i on a Solaris computer on page 115 Installing the Sun Java Development Kit on Solaris computers on page 105 (on the SESA Manager computer) Installing the Java Runtime Environment on Solaris or Linux computers on page 107 (on all other SESA component computers) Installing IBM DB2 Enterprise Edition on a Solaris computer on page 111 Installing the SESA Directory on a Solaris computer on page 167 Installing the SESA DataStore on a Solaris computer on page 181 Installing the SESA Manager on a Solaris computer on page 192 Installing a SESA Agent for heartbeat monitoring on a Solaris computer on page 199 (on the SESA DataStore and, if necessary, on the SESA Directory computers)

142 142 Installing SESA SESA Foundation Pack installation overview Installation variation Installation procedures Mixed platforms 1: SESA Directory on Solaris Solaris SESA Directory SESA DataStore and SESA Manager on a single Windows computer or SESA DataStore on one Windows computer and SESA Manager on another Windows computer You can use one Solaris computer for the SESA Directory, and either one or two Windows computers for the SESA Manager and SESA DataStore. An IBM DB2 Universal database (Workgroup Edition, Enterprise Edition, or Enterprise Extended Edition) must be used for the SESA DataStore. Before you install the SESA Directory on a Solaris computer, you must first install the following: A supported IBM DB2 database (Workgroup or Enterprise Edition version 7.1 or later with FixPak 5) to support the IBM Directory Server 4.1 and the connection to the SESA DataStore. The Java Runtime Environment (J2RE) 1.3.1_09. (JRE 1.2.2_008 through J2RE 1.4.1_02 are supported.) Before you install the SESA Manager on a Windows computer, you must first install the following: The IBM DB2 Runtime Client on the SESA Manager Windows computer to support the remote database connection if the SESA DataStore and SESA Manager are installed on different computers The Sun Java Development Kit (SDK) 1.3.1_09 If the SESA DataStore computer is installed remotely from the SESA Manager computer, before you install the SESA DataStore, you must install the Java Runtime Environment (J2RE) 1.3.1_09. (JRE 1.2.2_008 through J2RE 1.4.1_02 are supported.) After you install the SESA Directory, SESA DataStore, and SESA Manager, you must also install a SESA Agent for heartbeat monitoring on the SESA Directory Solaris computer. If the SESA DataStore is installed remotely from the SESA Manager, you must also install a SESA Agent for heartbeat monitoring on the SESA DataStore Windows computer. Complete the following procedures in the order in which they are listed: Installing IBM DB2 Enterprise Edition on a Solaris computer on page 111 Installing a supported version of the IBM DB2 database on page 94 Installing an IBM DB2 Runtime Client on a Windows computer on page 96 (if the SESA Manager and SESA DataStore are installed on different computers) Installing the Sun Java Development Kit on Windows on page 93 (on the SESA Manager computer) Installing the Java Runtime Environment on Windows on page 94 (on the SESA DataStore computer, if it is remotely installed from the SESA Manager computer) Installing the Java Runtime Environment on Solaris or Linux computers on page 107 (on the SESA Directory computer) Installing the SESA Directory on a Solaris computer on page 167 Installing a SESA DataStore on a Windows computer on page 171 Installing the SESA Manager on a Windows computer on page 188 Installing a SESA Agent for heartbeat monitoring on a Solaris computer on page 199 Installing a SESA Agent for heartbeat monitoring on a Windows computer on page 197 (if the SESA Manager and SESA DataStore are installed on different computers)

143 Installing SESA SESA Foundation Pack installation overview 143 Installation variation Installation procedures Mixed platforms 2: SESA DataStore on Solaris Solaris SESA DataStore (Oracle) SESA Directory and SESA Manager on a single Windows computer or SESA Directory on one Windows computer and SESA Manager on another Windows computer To use Oracle 9i as the database for the SESA DataStore, you must use a dedicated Solaris computer that has no other SESA components installed. You can use one or two Windows computers for other SESA components. Before you install the SESA Manager on a Windows computer, you must first install the Sun Java Development Kit (SDK) 1.3.1_09. Before you install the SESA Directory on a Windows computer, if it is on a different computer than the SESA Manager, you must first install the Java Runtime Environment (J2RE) 1.3.1_09. (JRE 1.2.2_008 through J2RE 1.4.1_02 are supported.) Before you install the SESA DataStore on a Solaris computer, you must install the Java Runtime Environment (J2RE) 1.3.1_09. (JRE 1.2.2_008 through J2RE 1.4.1_02 are supported.) After you install the SESA Directory, SESA DataStore, and SESA Manager, you must do the following: Install a SESA Agent for heartbeat monitoring on the SESA DataStore Solaris computer or computers. If the SESA Directory is installed remotely from the SESA Manager, install the SESA Agent for heartbeat monitoring on the SESA Directory Solaris computer. Complete the following procedures in the order in which they are listed: Preparing for and installing Oracle 9i on a Solaris computer on page 115 Installing the Sun Java Development Kit on Windows on page 93 (on the SESA Manager computer) Installing the Java Runtime Environment on Solaris or Linux computers on page 107 (on the SESA DataStore computer) Installing the Java Runtime Environment on Windows on page 94 (on the SESA Directory computer if it is installed remotely from the SESA Manager computer) Installing the SESA Directory on a Windows computer on page 162 Installing the SESA DataStore on a Solaris computer on page 181 Installing the SESA Manager on a Windows computer on page 188 Installing a SESA Agent for heartbeat monitoring on a Solaris computer on page 199 Installing a SESA Agent for heartbeat monitoring on a Windows computer on page 197 (if the SESA Directory is installed remotely from the SESA Manager)

144 144 Installing SESA SESA Foundation Pack installation overview Installation variation Installation procedures Mixed platforms 3: SESA Manager on Solaris Solaris SESA Manager SESA DataStore and SESA Directory on a single Windows computer or SESA DataStore on one Windows computer and SESA Directory on another Windows computer You can install the SESA Manager on a Solaris computer and install other SESA components on one or two Windows computers. Because the SESA DataStore is running on a Windows platform, you must install an IBM DB2 Universal database (Workgroup Edition, Enterprise Edition, or Enterprise Extended Edition) for the SESA DataStore. Before you install the SESA Manager on a Solaris computer, you must first install the following: The IBM DB2 Runtime Client on the SESA Manager Solaris computer to support the remote database connection The Sun Java Development Kit (SDK) 1.3.1_09 or 1.3.1_02 Because the SESA DataStore or SESA Directory is installed remotely from the SESA Manager, before you install SESA software, you must install the Java Runtime Environment (J2RE) 1.3.1_09 on the SESA DataStore and SESA Directory computer or computers. (JRE 1.2.2_008 through J2RE 1.4.1_02 are supported.) After you install the SESA Directory, SESA DataStore, and SESA Manager, you must also install a SESA Agent for heartbeat monitoring on the SESA Directory and SESA DataStore Windows computer or computers. Complete the following procedures in the order in which they are listed: Installing a supported version of the IBM DB2 database on page 94 Installing an IBM DB2 Runtime Client on a Solaris computer on page 133 Installing the Sun Java Development Kit on Solaris computers on page 105 (on the SESA Manager computer) Installing the Java Runtime Environment on Windows on page 94 (on all other SESA component computers) Installing the SESA Directory on a Windows computer on page 162 Installing a SESA DataStore on a Windows computer on page 171 Installing the SESA Manager on a Solaris computer on page 192 Installing a SESA Agent for heartbeat monitoring on a Windows computer on page 197 (on the SESA DataStore and SESA Directory computer or computers)

145 Installing SESA SESA Foundation Pack installation overview 145 Installation variation Installation procedures Mixed platforms 4: SESA Manager on Windows SESA Manager Windows SESA Directory Solaris SESA DataStore (Oracle) Solaris You can install the SESA Manager on a Windows computer and the other SESA components on two different Solaris computers. Because the underlying database for the SESA DataStore is Oracle 9i, you must use a dedicated Solaris computer. You can use a different Solaris computer for the SESA Directory. Before you install the SESA Manager on a Windows computer, you must first install the Sun Java Development Kit (SDK) 1.3.1_09. Before you install the SESA Directory, you must install a supported IBM DB2 database (Workgroup or Enterprise Edition version 7.1 or later with FixPak 5) to support the IBM Directory Server 4.1 and the connection to the SESA DataStore. In addition, because the SESA Directory and SESA DataStore are remotely installed from the SESA Manager, you must install the Java Runtime Environment (J2RE) 1.3.1_09 on the remote computers. (JRE 1.2.2_008 through J2RE 1.4.1_02 are supported.) After you install the SESA Directory, SESA DataStore, and SESA Manager, you must also install a SESA Agent for heartbeat monitoring on the SESA DataStore and SESA Directory Solaris computers. Complete the following procedures in the order in which they are listed: Preparing for and installing Oracle 9i on a Solaris computer on page 115 Installing the Sun Java Development Kit on Windows on page 93 (on the SESA Manager computer) Installing the Java Runtime Environment on Solaris or Linux computers on page 107 (on all other SESA component computers) Installing IBM DB2 Enterprise Edition on a Solaris computer on page 111 Installing the SESA Directory on a Solaris computer on page 167 Installing the SESA DataStore on a Solaris computer on page 181 Installing the SESA Manager on a Windows computer on page 188 Installing a SESA Agent for heartbeat monitoring on a Solaris computer on page 199 (on both the SESA Directory and SESA DataStore computers)

146 146 Installing SESA SESA Foundation Pack installation overview Installation variation Installation procedures Mixed platforms 5: SESA DataStore on Windows Windows SESA DataStore (IBM DB2) SESA Manager and SESA Directory on a single Solaris computer or SESA Manager on one Solaris computer and SESA Directory on another Solaris computer You can install the SESA DataStore on a Windows computer that is running an IBM DB2 Universal database (Workgroup Edition, Enterprise Edition, or Enterprise Extended Edition). You can install the other SESA components on Solaris computers. Before you install the SESA Manager on a Solaris computer, you must first install the following: The IBM DB2 Runtime Client on the SESA Manager Solaris computer to support the remote database connection The Sun Java Development Kit (SDK) 1.3.1_09 or 1.3.1_02 In addition, before you install the SESA Directory, you must install the following: A supported IBM DB2 database (Workgroup or Enterprise Edition version 7.1 or later with FixPak 5) to support the IBM Directory Server 4.1 and the connection to the SESA DataStore The Java Runtime Environment (J2RE) 1.3.1_09. (JRE 1.2_008 through J2RE 1.4.1_02 are supported.) Before you install the SESA DataStore, you must install the Java Runtime Environment (J2RE) 1.3.1_09. (JRE 1.2.2_008 through J2RE 1.4.1_02 are supported.) After you install the SESA Directory, SESA DataStore, and SESA Manager, you must also do the following: Install a SESA Agent for heartbeat monitoring on the SESA DataStore Windows computer. If the SESA Directory is installed remotely from the SESA Manager, install the SESA Agent for heartbeat monitoring on the SESA Directory Solaris computer. Complete the following procedures in the order in which they are listed: Installing a supported version of the IBM DB2 database on page 94 Installing IBM DB2 Enterprise Edition on a Solaris computer on page 111 Installing an IBM DB2 Runtime Client on a Solaris computer on page 133 Installing the Sun Java Development Kit on Solaris computers on page 105 (on the SESA Manager computer) Installing the Java Runtime Environment on Solaris or Linux computers on page 107 (on the SESA Directory computer, if it is installed remotely from the SESA Manager computer) Installing the Java Runtime Environment on Windows on page 94 (on the SESA DataStore computer) Installing the SESA Directory on a Solaris computer on page 167 Installing a SESA DataStore on a Windows computer on page 171 Installing the SESA Manager on a Solaris computer on page 192 Installing a SESA Agent for heartbeat monitoring on a Windows computer on page 197 (on the SESA DataStore computer) Installing a SESA Agent for heartbeat monitoring on a Solaris computer on page 199 (on the SESA Directory computer if it is remotely installed from the SESA Manager)

147 Installing SESA SESA Foundation Pack installation overview 147 Installation variation Mixed platforms 6: SESA Directory on Windows SESA Directory Windows SESA Manager Solaris SESA DataStore (Oracle) Solaris You can install the SESA Directory on a Windows computer, the SESA DataStore on a dedicated Solaris computer that is running Oracle 9i, and the SESA Manager on another Solaris computer. Before you install the SESA Manager on a Solaris computer, you must first install the Sun Java Development Kit (SDK) 1.3.1_09 or 1.3.1_02. Before you install the SESA DataStore on a Solaris computer, you must also install the Java Runtime Environment (J2RE) 1.3.1_09. (JRE 1.2.2_008 through J2RE 1.4.1_02 are supported.) Before you install the SESA Directory on a Windows computer, you must first install the Java Runtime Environment (J2RE) 1.3.1_09. (JRE 1.2.2_008 through J2RE 1.4.1_02 are supported.) After you install the SESA Directory, SESA DataStore, and SESA Manager, you must install a SESA Agent for heartbeat monitoring on the SESA Directory Windows and SESA DataStore Solaris computers. Installation procedures Complete the following procedures in the order in which they are listed: Preparing for and installing Oracle 9i on a Solaris computer on page 115 Installing the Sun Java Development Kit on Solaris computers on page 105 (on the SESA Manager computer) Installing the Java Runtime Environment on Windows on page 94 (on the SESA Directory computer) Installing the Java Runtime Environment on Solaris or Linux computers on page 107 (on the SESA DataStore computer) Installing the SESA Directory on a Windows computer on page 162 Installing the SESA DataStore on a Solaris computer on page 181 Installing the SESA Manager on a Solaris computer on page 192 Installing a SESA Agent for heartbeat monitoring on a Solaris computer on page 199 Installing SESA with command-line parameters You can run the SESA Installation Wizard with command-line parameters on either Windows or Solaris operating systems. Table 4-2 lists the available command-line parameters. Table 4-2 Installation command-line parameters Parameter Value Description -debug None Displays trace output while you are installing SESA. -log None Writes trace output to the Sesainst.log file, which is located in the system Temp directory that Java uses.

148 148 Installing SESA SESA Foundation Pack installation overview Parameter Value Description -silent -f <filename> Performs a silent (unattended) installation using the values in the specified settings file <filename>. See Performing a silent installation on Solaris or Windows computers on page silentfile -f <filename> Creates a settings file named <filename> by recording the user s input. This option does not perform an actual installation; it only creates the settings file for use in subsequent silent (unattended) installations. See Performing a silent installation on Solaris or Windows computers on page 149. Note: To prevent performance problems, do not run the installation with a command line directly from the SESA Foundation Pack distribution media. To install SESA with command-line parameters 1 To change directories to the SESA Foundation Pack CD1, on the computer on which you are starting the SESA Installation Wizard, at the command prompt, type the following command: cd /<SESA CD1 directory> 2 To start the SESA Installation Wizard with the desired command-line parameters, type the following command: java -jar setup.ja_ <parameter> where <parameter> is the command-line parameter that you want to use. For example, java -jar setup.ja_ -debug. 3 To continue with the installation, do one of the following: Windows Go to step 2 of any of the following procedures: Installing the SESA Directory on a Windows computer on page 162 Installing a SESA DataStore on a Windows computer on page 171 Installing the SESA Manager on a Windows computer on page 188 If you want to install SESA in a demonstration or nonproduction environment, go to step 4 of Performing an express installation on page 154.

149 Installing SESA Performing a silent installation on Solaris or Windows computers 149 Solaris Go to step 7 of any of the following procedures: Performing an express installation on page 154 Installing the SESA Directory on a Solaris computer on page 167 Installing the SESA DataStore on a Solaris computer on page 181 Installing the SESA Manager on a Solaris computer on page 192 Performing a silent installation on Solaris or Windows computers SESA provides a method for users to perform silent installations. A silent installation is an unattended, automated installation in which user input is not required. The values that would normally be typed into the installation panels by a user during the installation are instead automatically supplied by a settings file that is created prior to the silent installation. You may want to perform a silent installation to simplify the repeated installation of similar components. For example, if you have already installed the SESA Directory and SESA DataStore, and you plan to install several SESA Managers on similar computers, you can automate this by creating a silent installation settings file that will automatically provide the necessary information. Alternatively, you may want to perform a silent installation to automate complex repeated installations. For example, you may need to run several SESA test cases that you can quickly reinstall. You can set up the silent installation once to record the steps, and use a silent installation parameter to reinstall each subsequent time. How a silent installation works When you run the SESA Installation Wizard from the command line with the -silentfile parameter, the wizard only creates the settings file that you can use in subsequent silent installations. The wizard does not install any SESA components. You must run the SESA Installation Wizard from the command line using the -silent parameter to silently install the SESA components with the settings file that you created. The silent installation duplicates each segment of an attended installation. You must create a separate settings file for each segment of the SESA installation that you want to duplicate. For example, if you are installing the SESA Directory on one Solaris computer, the SESA DataStore on another Solaris computer, and

150 150 Installing SESA Performing a silent installation on Solaris or Windows computers the SESA Manager on a Windows computer, you must create an installation settings file for each of these installations. Silent installations require that all of the values be identical to the ones that were typed when the installation settings file was created. This includes SESA Manager IP addresses, account user names and passwords, directory locations, and so on. This also includes the location of additional required SESA installation files. For example, if you directed the SESA Installation Wizard to drive E when you were prompted for SESA Foundation Pack CD2, you must ensure that the CD2 files are available on drive E when you execute the silent installation. You may want to place these resources on a mapped common network drive so that they are available for each silent installation that you perform. You can modify the location of these files by directly editing the silent installation settings file that you created. Additional installation steps that take place outside of the SESA Installation Wizard will not be automated in the silent installation settings file and must be completed using the SESA Installation Wizard. For example, some distributed installation scenarios require that you modify certain IBM DB2 services settings on Windows and that you install an IBM DB2 Runtime Client. This occurs outside of the scope of the SESA Installation Wizard and cannot be automated as part of the silent installation. If any errors are encountered during a silent installation, the installation process may be interrupted and an error message may be displayed. You should try to avoid any errors. For example, the SESA Installation Wizard will display an error that instructs the user to disable the Microsoft IIS World Wide Web Publishing Service if the service is running on a computer on which the SESA Manager is to be installed. In this case, you would want to ensure that the Microsoft IIS World Wide Web Publishing Service was disabled prior to running the silent installation to avoid this error message, which would pause the installation process. Table 4-2 lists the available silent installation command-line parameters. To perform a silent installation, you must complete the following tasks: Creating a silent installation settings file Running a silent installation Note: To prevent performance problems, do not run the installation with a command line directly from the SESA Foundation Pack distribution media.

151 Installing SESA Performing a silent installation on Solaris or Windows computers 151 Creating a silent installation settings file Performing a silent installation requires a settings file to supply the values that are normally input by the user during installation. Running the SESA Installation Wizard from the command line to create the settings file does not install any SESA components. To create the silent installation settings file 1 To change directories to the SESA Foundation Pack CD1, on the computer on which you are starting the SESA Installation Wizard, at the command prompt, type the following command: cd /<SESA CD1 directory> 2 If you are installing on a UNIX computer, ensure that the environment variables for HOMEROOT and TMPDIR are set to the desired values before you run the silent installation. The default values are as follows: HOMEROOT=/export/home TMPDIR=/var/tmp 3 Ensure that the exported variable LD_LIBRARY_PATH includes the current directory. 4 If the LD_LIBRARY_PATH variable is not exported from the command line, to execute it, type the following command: export LD_LIBRARY_PATH =./ 5 To start the SESA Installation Wizard with the -silentfile parameter, type the following command: java -jar setup.ja_ -silentfile -f<filename> where <filename> contains the location and name of the file to be created. For example, java -jar setup.ja_ -silentfile -f manager.settings. You must have write access to the file name and location that you specify. 6 Follow the on-screen instructions in the SESA Installation Wizard. This creates the silent installation settings file. The actual installation of components does not occur. The SESA Installation Wizard will display a Silent Install Script File Created panel that notes the location of the new file.

152 152 Installing SESA Starting the SESA Installation Wizard Running a silent installation After you have created the silent installation settings file, you can run the silent installation using the values in the settings file. You can run repeated silent installations using the same settings file, for example, if you had several SESA Managers that you wanted to quickly install on several similar computers. To run a silent installation 1 Ensure that you have created a silent installation settings file. See Creating a silent installation settings file on page To change directories to the SESA Foundation Pack CD1, on the computer on which you are starting the SESA Installation Wizard, at the command prompt, type the following command: cd /<SESA CD1 directory> 3 If you are installing on a UNIX computer, ensure that the environment variables for HOMEROOT and TMPDIR are set to the desired values before you run the silent installation. The default values are as follows: HOMEROOT=/export/home TMPDIR=/var/tmp 4 To start the SESA Installation Wizard with the -silent parameter, type the following command: java -jar setup.ja_ -silent -f <filename> where <filename> contains the location and name of the silent installation settings file that you created. Several processes will launch while the silent installation is running. This may take several minutes. Do not interrupt the silent installation process. When the process completes, the focus returns to the original command prompt from which you launched the silent installation, and one of several Task Completed messages appears. Starting the SESA Installation Wizard You can start the SESA Installation Wizard on Windows or Solaris operating systems. Start the SESA Installation Wizard On Windows platforms, you must be physically located at the computer on which you are installing the SESA software. On Solaris platforms, you can either be physically located at the computer or use a remote connection.

153 Installing SESA Starting the SESA Installation Wizard 153 To start the SESA Installation Wizard on a Windows computer 1 To start the SESA Installation Wizard, insert the SESA Foundation Pack CD1 into the CD-ROM drive. 2 If the wizard does not start automatically, locate the folder that contains the SESA installation files, and then double-click CDStart.exe. 3 To start the installation, click Install SESA Components. 4 If a message informs you that the SDK is not installed, do the following: Click OK. In the SESA Installation Wizard panel, click Install SDK 1.3.1_09. Rerun the installation. 5 Continue with the desired installation. To start the SESA Installation Wizard on a Solaris computer 1 Ensure that a local copy of the SESA Foundation Pack distribution media image has been copied to the SESA computer and that the Solaris computer at which you are physically located has access to the SESA computer. 2 On the Solaris computer at which you are physically located, become superuser. 3 To display a local Terminal window, right-click anywhere on the Solaris screen, and then click Tools > Terminal. If you are installing the SESA component on the computer at which you are physically located, your local Terminal window displays the SESA component computer environment. 4 If you are installing a SESA component from a remote Solaris computer, initiate a Telnet session with the SESA component computer, and then set and export the remote display to the local computer. See Connecting to a remote Solaris computer and exporting its display on page 135. The Terminal window displays the environment of the SESA component Solaris computer. 5 To change directories to the SESA Foundation Pack installation image, in the SESA component computer Terminal window, type the following command: cd /<installation image location> 6 To start the SESA Installation Wizard, type the following command: sh install.sh 7 Continue with the desired installation.

154 154 Installing SESA Performing an express installation Performing an express installation If you want to install the SESA Foundation Pack on a single Windows computer for nonproduction purposes, the SESA Installation Wizard provides an Express Install option that lets you easily set up a single demonstration or test computer that has all of the necessary SESA components installed. The Express Install option does not require you to have a pre-existing installation of IBM DB2 Workgroup Edition/Enterprise Edition/Enterprise Extended Edition on the Windows computer to support the SESA Directory and SESA DataStore. Instead, the option uses IBM DB2 Personal Edition 7.2, which is provided on the SESA Foundation Pack distribution media and installed automatically when you select the Express Install option. However, be aware that the size and design of IBM DB2 Personal Edition limits its use as a database. By design, IBM DB2 Personal Edition can only support a single Intel processor and up to 2 GB of data storage. It must also be installed on the same computer as the SESA Manager. Because of these limitations, you should use express installations in nonproduction environments only. Perform an express installation You perform an express installation in two phases. The first phase gathers information such as logon accounts and component locations. The SESA Installation Wizard then prompts you to restart your computer to finish the installation process. To start an express installation 1 To start the SESA Installation Wizard, insert the SESA Foundation Pack CD1 into the CD-ROM drive. 2 If the wizard does not start automatically, locate the folder that contains the SESA installation files, and then double-click CDStart.exe. 3 To start the installation, click Install SESA Components. 4 If a message informs you that the Sun Java Development Kit is not installed, do the following: Click OK. In the SESA Installation Wizard panel, click Install JDK 1.3.1_09. To rerun the installation, click Install SESA Components.

155 Installing SESA Performing an express installation When you are prompted to supply a location for temporary installation files, do one of the following: Accept the default location as long as it has at least 75 MB of free hard disk space available. Type a location or click Browse to find a different location that has 75 MB of hard disk space available. 6 In the introductory wizard panels, follow the on-screen instructions until you reach the SESA Preinstallation Requirements Summary panel. 7 In the SESA Preinstallation Requirements Summary panel, confirm the following: The computer to which you are installing is running Windows 2000 Server or Advanced Server with Service Pack 3 or later. The Sun Java Development Kit (SDK) 1.3.1_09 is installed. 8 In the SESA Install Menu panel, click Advanced Options. 9 In the SESA Advanced Install Menu panel, click Express Install. 10 When a message informs you that no IBM DB2 database is installed, click Yes to continue. If you click No, you cannot continue with the installation. 11 In the Select Working Directory panel, do the following: For the Working Directory, accept the default location or select another location. SESA requires a folder on your hard drive as a working directory and database storage location. The drive on which this folder resides should have at least 1 GB of free space. The 1 GB minimum is required only if you plan to install the SESA DataStore on a single drive. If you plan to install it across multiple drives, the minimum space requirement decreases according to the actual drive space that you specify for this directory. See Allocating additional drives for tablespace containers in low maintenance mode on page 175. For the Manager Log Directory, accept the default location or select another location for SESA Manager logs. This is the directory to which the SESA Manager will write its working logs.

156 156 Installing SESA Performing an express installation 12 In the Local SESA Directory Master panel, do the following for the SESA Directory installation: Directory Server Path Directory Administrator Name Directory Administrator Password IP Address Directory port number Type the location of the SESA Directory (by default, C:\Program Files\IBM\LDAP). Type the name for the IBM Directory Server administrator account in the form cn=<name> (by default, cn=root). Type an administrator password. Type the IP address of the computer on which the SESA Directory is being installed. SESA Managers use this IP address to communicate with the SESA Directory. If connections to the SESA Directory computer are made using authenticated SSL, you must type the host name or FQDN of the computer instead of the IP address. Type the secure listening port for the SESA Directory (by default, 636). SESA Managers use this port to communicate with the SESA Directory. 13 In the SESA Domain panel, type a unique name for the SESA administrative domain. High-ASCII characters are allowed, but do not use special characters such #, $, %, ^, &, and *, or characters from a double-byte character set (DBCS). The name appears in the Symantec management console navigational tree as the top-level administrative domain. You can install additional SESA domains after the SESA components are installed. See Installing additional SESA domains on page In the SESA Administrator panel, type a password for the SESA Directory Administrator account. The SESA Directory Administrator password must be between six and twelve alphanumeric characters. This account is intended for top-level SESA Administrators who need access to the entire SESA Directory tree for installing SESA DataStores and SESA Managers. You can use this account to log onto the Symantec management console after installation. SESA provides the user name of SESAdmin.

157 Installing SESA Performing an express installation In the SESA Directory Domain Administrator panel, do the following for the SESA Domain Administrator account: Domain Administrator Domain Administrator Password Type the name for the SESA Domain Administrator account. This account provides access to its associated SESA administrative domain. Each SESA administrative domain is associated with a single SESA Manager. Use this Domain Administrator name and password to log onto a particular SESA administrative domain (and SESA Manager) after the SESA installation is complete. Type a Domain Administrator password between six and twelve alphanumeric characters. Select Preferred Language Select the language of the SESA Manager. The default language is English. If you install non-english security products, you must install them in the same language as the SESA Manager. 16 In the SESA Secure Communications panel, to create the key database for self-signed SSL certificates, do the following: Key Database Password Company Country Select host IP Address Key size (bits) Type the password for the key database of six alphanumeric characters minimum. High-ASCII and DBCS characters are not allowed. Type the company name. High-ASCII and DBCS characters are not allowed. Type the company location. Type the IP address of the computer on which the SESA Manager is being installed. If connections to the SESA Manager computer are made using authenticated SSL, you must type the host name or FQDN of the computer instead of the IP address. Select the encryption length in bits for the default, selfsigned certificate that SESA uses to secure data communication. The default setting of 1024 bits is standard. The longer the key size, the higher the security of the data encryption. However, the higher the security of the data encryption, the longer the amount of time required to encrypt and decrypt data.

158 158 Installing SESA Performing an express installation 17 In the Local SESA DataStore panel, do the following for the SESA DataStore installation: DB2 path Database Administrator Name Database Administrator Password IP Address Type the location for the SESA DataStore (by default, C:\Program Files\SQLLIB). Type the Database Administrator account name for the SESA DataStore. If the account does not exist, it is created. Type a password of six or more alphanumeric characters. An account with a password is required. Type the IP address of the computer on which the SESA DataStore is being installed. If connections to the SESA DataStore computer are made using authenticated SSL, you must type the host name or FQDN of the computer instead of the IP address. 18 If the SESA Installation Wizard prompts you to set up a valid Windows NT user account, click Yes. 19 In the SESA DataStore panel, confirm the default settings or do the following: SESA DataStore Name Caption Description Type the new name for the SESA DataStore. The default setting is SESA. Type a caption for the SESA DataStore. The default setting is the name of the computer. Type a new description, if necessary. The default setting describes the SESA 2.0 schema and database driver type. 20 In the SESA DataStore: Database Definition Path panel, in the Enter SESA DataStore Database definition path box, accept the default location or click Browse to select another location. The SESA DataStore Database definition path is the location of the SESA DataStore system files.

159 Installing SESA Performing an express installation Under SESA DataStore Log Path, do one of the following: Accept the default log path for the SESA DataStore. The default path is DB2\node0000\<sql00001>\sqlogdir. Depending on the number of SESA DataStores that you install, and the number of IBM DB2 databases, <sql00001> may use a different number in it. Check This Log path, and then type a location or browse to the new log path location. By default, IBM DB2 stores logs on the same physical drive as the database. As a best practice, select a different physical drive. 22 In the SESA DataStore: Event Data Tablespace Configuration panel, do one of the following: To install a SESA DataStore with automatically expanding tablespaces, click Low maintenance. You can allocate more than one physical drive for tablespace containers. See Allocating additional drives for tablespace containers in low maintenance mode on page 175. To install a SESA DataStore with tablespaces that must be manually increased, click High performance. You can specify more than one physical drive for tablespace containers and allocate the amount of available disk space per drive. If you select this option, you must ensure that any antivirus Realtime scanning is turned off before the SESA DataStore is installed. You can reenable Realtime scanning after the SESA DataStore installation. See Allocating additional drives for tablespace containers in high performance mode on page In the SESA DataStore: Tuning panel, confirm the default settings or do the following: Buffer Pool Size Extent Size Type the amount of temporary RAM in MB to make available for the computer processor to manipulate SESA DataStore data before transferring the data to the hard disk. Type the amount of contiguous storage space in 32-KB pages to make available to data. The larger the extent size, the faster the database fills. The smaller the extent size, the faster the database becomes fragmented.

160 160 Installing SESA Performing an express installation Circular Logging/ Archive Logging SESA DataStore/IBM DB2 backup directory Click Circular Logging to enable restore-only database recovery without the ability to perform online backups of the SESA DataStore. This option saves disk space. Click Archive Logging to enable roll-forward database recovery and the ability to perform backups of the SESA DataStore without requiring first stopping the IBM DB2 database instance. Available for archive logging only. Type a location or click Browse to navigate to the location of the backup directory for the IBM DB2 SESA DataStore. The default Windows location is C:\SESA\symc_data. Depending on how many computers you are using to deploy the SESA Manager, SESA Directory, and SESA DataStore, Buffer Pool Size and Extent Size may work better with particular values. See IBM DB2 database memory usage specifications on page In the Java SDK Directory panel, confirm the location in which you installed the Sun Java Development Kit (SDK). 25 In the Web Server Installation panel, for a Windows 2000 account, do the following: Web Server Directory Login Name Password Type the path for the IBM HTTP Server installation (by default, C:\Program Files\IBM Http Server). Type the login name for a Windows 2000 account of the computer on which the IBM HTTP Server is being installed. If the account does not exist, it is created. Type a password for the account. An account with a password is required. 26 If the SESA Installation Wizard prompts you to set up a valid Windows NT user account, click Yes. The SESA Installation Wizard displays this message if the Login Name and Password pair that you specified for the Web Server is not currently a Windows 2000 account. 27 In the SESA Agent Listen IP panel, confirm that the SESA Agent IP address is The express installation does not support Microsoft Windows Network Load Balancing.

161 Installing SESA Installing the SESA Directory In the SESA Agent panel, confirm the IP address of the SESA Manager computer. 29 In the Insert SESA CD dialog box, when you are prompted, browse to the location of the requested installation files, which are located on the SESA Foundation Pack distribution media. The SESA Installation Wizard reports the status of the components that are being installed using the specified logons, passwords, paths, and ports information. 30 If necessary, remove the SESA CD from the CD-ROM drive. 31 Restart the computer when you are prompted. The restart is required to initialize the SESA Directory. To finish an express installation 1 After you restart your computer, in the Welcome to the SESA Installation panel, click Next. 2 In the SESA Install Menu panel, click Exit SESA Installer. 3 When you are prompted to exit the installation, click Yes. 4 In the SESA Installation Successful panel, to complete the installation and exit the SESA Installation Wizard, click Finish. Installing the SESA Directory You install the SESA Directory on a single computer. After you install the SESA Directory, you install the SESA DataStore on the same computer or a separate one, depending on your resource requirements and the database software that you are using. See Installing the SESA DataStore on page 170. If you are installing the SESA Directory for the first time, you must install it in two phases. The first phase gathers information such as logon accounts and component locations. The SESA Installation Wizard then prompts you to restart your computer to finish the installation process. If IBM Directory Server is already installed on the computer, the SESA Installation Wizard detects it and prompts you to install over the existing version or connect to the already installed version. If you are installing over or connecting to an existing version, the SESA Directory installation steps vary somewhat from the new installation steps.

162 162 Installing SESA Installing the SESA Directory Installing the SESA Directory on a Windows computer The SESA Installation Wizard installs the IBM Directory Server and IBM Apache HTTP Web server as the underlying software for the SESA Directory. If the SESA DataStore will be on a computer other than the one on which you are installing the SESA Directory, the SESA Directory requires one of the following IBM DB2 database servers: IBM DB2 Personal Edition 7.2 with FixPak 5 IBM DB2 Workgroup Edition 7.2 with FixPak 5 IBM DB2 Enterprise Edition 7.2 with FixPak 5 When no IBM DB2 installations are present, the SESA Installation Wizard installs IBM DB2 Personal Edition 7.2, which is provided on the SESA Foundation Pack distribution media. If you are installing the SESA DataStore on the same Windows computer as the SESA Directory, and IBM DB2 Personal Edition is already installed on the computer, the SESA DataStore integrates with IBM DB2 Personal Edition. IBM DB2 Personal Edition requires that the SESA Manager also be installed on the same computer, or it won t be able to process events to the SESA DataStore. Because of this limitation, you must already have IBM DB2 Workgroup Edition/ Enterprise Edition/Enterprise Extended Edition installed on the Windows computer before you install the SESA Directory. On Windows operating systems, to prevent installation failure when you install the SESA Directory over an existing version of IBM Directory Server, ensure that the following conditions are met: A SESA DataStore is already installed. The existing version of the SESA Directory must already be connected to an existing version of the SESA DataStore. This SESA DataStore must already have an entry in the SESA Directory or the reinstallation fails. If the SESA DataStore does not have an entry in the SESA Directory, you must uninstall the SESA Directory rather than install over it. The existing IBM Directory Server installation was performed using the Typical Install option rather than the Compact or Custom Install option in the installation wizard. Existing IBM DB2 databases and IBM HTTP Servers must also have been installed using a Typical Install option. Install the SESA Directory on a Windows computer The SESA Installation Wizard requires you to install the SESA Directory in two phases. The first phase gathers information such as logon accounts and

163 Installing SESA Installing the SESA Directory 163 component locations. The SESA Installation Wizard then prompts you to restart your computer to finish the installation process. To start the SESA Directory installation on a Windows computer 1 On the SESA Directory computer, start the SESA Installation Wizard. See Starting the SESA Installation Wizard on page When you are prompted to supply a location for temporary installation files, do one of the following: Accept the default location as long as it has at least 75 MB of free hard disk space available. Type a location or click Browse to find a different location that has 75 MB of hard disk space available. 3 In the SESA Preinstallation Requirements Summary panel, confirm the following: The computer to which you are installing is running Windows 2000 Server or Advanced Server with Service Pack 3 or later. Sun Java Development Kit (SDK) 1.3.1_09 is installed. In addition, the computer must already have an existing installation of IBM DB2 Workgroup Edition/Enterprise Edition/Enterprise Extended Edition 7.2 present. If no existing version is present, the SESA Installation Wizard installs IBM DB2 Personal Edition In the SESA License Agreement panel, review the agreement, click I accept the agreement, and then click Next. If you don t accept the License Agreement, you exit the SESA Installation Wizard. 5 In the SESA Install Menu panel, click Install SESA Directory. 6 In the Select Working Directory panel, accept the default location or select another location. SESA requires a folder on your hard drive as a working directory and storage location. If you are going to install the SESA DataStore on the same computer, the drive on which the folder resides should have at least 800 MB of free space. Otherwise, it needs approximately 20 MB of free space. 7 If no previous installation of IBM DB2 Personal Edition/Workgroup Edition/ Enterprise Edition/Enterprise Extended Edition is on the computer, when you are prompted to continue, click Yes. The SESA Installation Wizard will install IBM DB2 Personal Edition from the SESA Foundation Pack distribution media. This version of IBM DB2 is intended for demonstration or test environments only.

164 164 Installing SESA Installing the SESA Directory If you click No, the wizard returns you to the previous panel, where you can exit the program. If a previous installation of a supported IBM DB2 database is already installed, the SESA Installation Wizard bypasses the prompt. 8 In the Local SESA Directory Master panel, do the following for the SESA Directory installation: Directory Server Path Administrator Name Administrator Password IP Address Directory port number Type the location of the SESA Directory (by default, C:\Program Files\IBM\LDAP). Type the name for the IBM Directory Server administrator account in the form cn=<name> (by default, cn=root). Type a Directory Administrator password. Type the IP address of the computer on which the SESA Directory is being installed. SESA Managers use this IP address to communicate with the SESA Directory. If connections to the SESA Directory computer are made using authenticated SSL, you must type the host name or FQDN of the computer instead of the IP address. Type the secure listening port for the SESA Directory (by default 636). SESA Managers use this port to communicate with the SESA Directory. 9 In the Domain Selection panel, type a unique name for the SESA administrative domain. High-ASCII characters are allowed, but do not use special characters such #, $, %, ^, &, and *, or characters from a double-byte character set (DBCS). The name appears in the Symantec management console navigational tree as the top-level administrative domain. You can add additional SESA domains after you install the SESA Foundation Pack. See Installing additional SESA domains on page In the SESA Administrator panel, type a password for the SESA Directory Administrator account. The SESA Directory Administrator password must be between six and twelve alphanumeric characters. This account is intended for top-level SESA Administrators who need access to the entire SESA Directory tree for installing SESA DataStores and SESA Managers. You can use this account to log onto the Symantec management console after installation.

165 Installing SESA Installing the SESA Directory 165 SESA provides the user name of SESAdmin. 11 In the SESA Directory Domain Administrator panel, do the following for the SESA Domain Administrator account: Domain Administrator Domain Administrator Password Type the name for the SESA Domain Administrator account. This account provides access to its associated SESA administrative domain. Each SESA administrative domain is associated with a single SESA Manager. Use this Domain Administrator name and password to log onto a particular SESA administrative domain (and SESA Manager) after the SESA installation is complete. Type a Domain Administrator password (between six and twelve alphanumeric characters). Select Preferred Language Select the language of the SESA Manager. The default language is English. If you install non-english security products, you must install them in the same language as the SESA Manager. 12 In the SESA Secure Communications panel, to create the key database for self-signed SSL certificates, do the following: Key Database Password Company Country Select host IP Address Key size (bits) Type a password for the key database of six alphanumeric characters minimum. High-ASCII and DBCS characters are not allowed. Type the company name. High-ASCII and DBCS characters are not allowed. Type the company location. Type the IP address of the computer on which the SESA Manager is being installed. If connections to the SESA Manager computer are made using authenticated SSL, you must type the host name or FQDN of the computer instead of the IP address. Type the encryption length in bits for the default, selfsigned certificate that SESA uses to secure data communication. The default setting of 1024 bits is standard. The longer the key size, the higher the security of the data encryption. However, the higher the security of the data encryption, the longer the amount of time required to encrypt and decrypt data.

166 166 Installing SESA Installing the SESA Directory 13 If an existing installation of IBM DB2 Universal Workgroup Edition/ Enterprise Edition/Enterprise Extended Edition is not present on the computer, in the DB2 Personal Edition Installation panel, type the requested logon and location information. 14 In the Web Server Installation panel, do the following for a Windows 2000 user account: Web Server Directory Login Name Password Type the path for the IBM HTTP Server installation (by default, C:\Program Files\IBM Http Server). Type the login name for a Windows 2000 account of the computer on which the IBM HTTP Server is being installed. If the account does not exist, it is created. Type a password for the account. An account with a password is required. 15 If the SESA Installation Wizard prompts you to set up a valid Windows NT user account, click Yes. The SESA Installation Wizard displays this message if the Login Name and Password pair that you specified for the Web Server is not currently a Windows 2000 account. 16 In the Insert SESA CD dialog box, when you are prompted, select the location of the requested installation files, which are located on the SESA distribution media. The SESA Installation Wizard reports the status of the components that are being installed using the specified logons, passwords, paths, and ports information. 17 If necessary, remove the SESA CD from the CD-ROM drive. 18 When you are prompted, restart the computer. The restart is required to initialize the SESA Directory. To finish the SESA Directory installation on a Windows computer 1 After you restart your computer, in the Welcome to the SESA Installation panel, click Next. 2 Follow the on-screen instructions until you reach the SESA Install Menu panel.

167 Installing SESA Installing the SESA Directory In the SESA Install Menu panel, do one of the following: Click Install SESA DataStore to install the SESA DataStore on the same computer using the SESA Installation Wizard. See Installing the SESA DataStore on page 170. Click Exit SESA Installer, click Next, and then, in the SESA Installation Successful panel, click Finish to exit the SESA Installation Wizard. Installing the SESA Directory on a Solaris computer The SESA Installation Wizard installs the IBM Directory Server 4.1 and IBM Apache HTTP Web Server as the underlying software for the SESA Directory. The SESA Directory also requires one of the following IBM DB2 database servers to hold SESA Directory information for LDS: IBM DB2 Workgroup Edition 7.1 or later with FixPak 5 IBM DB2 Enterprise Edition 7.1 or later with FixPak 5 Before you install the SESA Directory, you must install the IBM DB2 database server. If the database server is not installed, the SESA Installation Wizard generates an error message informing you that one must be installed first. The SESA Foundation Pack distribution media includes IBM DB2 Enterprise Edition 7.2 with FixPak 3. You must also apply FixPak 5 to the database. See Preparing third-party software on Solaris platforms on page 98. Warning: The IBM DB2 Enterprise Edition database server that is provided is only licensed for integrating with LDS. Do not use it as the SESA DataStore or the SESA installation will not work properly. To install the SESA Directory on a Solaris computer 1 On the SESA Directory computer, start the SESA Installation Wizard. See Starting the SESA Installation Wizard on page When you are prompted to supply a location for temporary installation files, do one of the following: Accept the default location as long as it has at least 75 MB of free hard disk space available. Type a location or click Browse to find a different location that has 75 MB of hard disk space available. 3 In the introductory wizard panels, review and type the requested information, and then click Next.

168 168 Installing SESA Installing the SESA Directory 4 In the SESA Preinstallation Requirements Summary panel, confirm that the computer to which you are installing is running Sun Solaris version 8 (64- bit). In addition, the computer must already have an installation of IBM DB2 Enterprise Edition 7.2 with FixPak 5 present. 5 In the SESA Install Menu panel, click Install SESA Directory, and then click Next. 6 In the Select Working Directory panel, accept the default location of /opt/ Symantec/SESA or select another location, and then click Next. SESA requires a folder on your hard drive with 20 MB of free disk space as a working directory. 7 In the Local SESA Directory Master panel, do the following for the SESA Directory installation: Directory Server Path Administrator Name Administrator Password IP Address Directory port number Type the location of the SESA Directory (by default, /opt). Type the name for the IBM Directory Server administrator account in the form cn=<name> (by default, cn=root). Type a Directory Administrator password. An account with a password is required. Type the IP address of the computer on which the SESA Directory is being installed. SESA Managers use this IP address to communicate with the SESA Directory. If connections to the SESA Directory computer are made using authenticated SSL, you must type the host name or FQDN of the computer instead of the IP address. Type the secure listening port for the SESA Directory (by default, 636). SESA Managers use this port to communicate with the SESA Directory. 8 In the Domain Selection panel, type a unique name for the SESA administrative domain. To type high-ascii characters and special characters such #, $, %, ^, &, and *, use the Compose key on the Solaris keyboard. For example, to type the copyright symbol, use the key sequence, Compose+c+o. Characters from the double-byte character set (DBCS) are not allowed. The name appears in the Symantec management console navigational tree as the top-level administrative domain.

169 Installing SESA Installing the SESA Directory 169 You can add additional SESA domains after you install the SESA Foundation Pack. See Installing additional SESA domains on page In the SESA Administrator panel, type a password for the SESA Directory Administrator account. The SESA Directory Administrator password must be between six and twelve alphanumeric characters. This account is intended for top-level SESA Administrators who need access to the entire SESA Directory tree for installing SESA DataStores and SESA Managers. You can use this account to log onto the Symantec management console after installation. SESA provides the user name SESAdmin. 10 In the SESA Directory Domain Administrator panel, do the following for the SESA Domain Administrator account: Domain Administrator Domain Administrator Password Type the name for the SESA Domain Administrator account. This account provides access to its associated SESA administrative domain. Each SESA administrative domain is associated with a single SESA Manager. Use this Domain Administrator name and password to log onto a particular SESA administrative domain (and SESA Manager) after the SESA installation is complete. Type a Domain Administrator password (between six and twelve alphanumeric characters). Select Preferred Language Select the language of the SESA Manager. The default language is English. If you install non-english security products, you must install them in the same language as the SESA Manager. 11 In the SESA Secure Communications panel, to create the key database for self-signed SSL certificates, do the following: Key Database Password Company Country Type a password for the key database of six alphanumeric characters minimum. High-ASCII and DBCS characters are not allowed. Type the company name. Type the company location.

170 170 Installing SESA Installing the SESA DataStore Select host IP Address Key size (bits) Type the IP address of the computer on which the SESA Manager is being installed. If connections to the SESA Manager computer are made using authenticated SSL, you must type the host name or FQDN of the computer instead of the IP address. Type the encryption length in bits for the default, selfsigned certificate that SESA uses to secure data communication. The default setting of 1024 bits is standard. The longer the key size, the higher the security of the data encryption. However, the higher the security of the data encryption, the longer the amount of time required to encrypt and decrypt data. 12 In the Web Server Installation panel, type the location of the folder in which the Web server is to be installed, or click Browse to navigate to the location. The default location is /opt. The SESA Installation Wizard reports the status of the components that are being installed using the specified logons, passwords, paths, and ports information. 13 In the Insert SESA CD dialog box, when you are prompted, type the location of the IBM Directory Server installation files. These files are part of the SESA Foundation Pack installation image. When they are copied to the default staging area, the default location for these files is /u01/solaris.cd2/ibmdirectoryserverv In the Operation Complete panel, click Next. 15 In the SESA Install Menu panel, do one of the following: Installing the SESA DataStore Click Install SESA DataStore to continue with the installation, and then begin with step 4 of To install the SESA DataStore on a Solaris computer on page 182. Click Exit SESA Installer, click Next, and then, in the SESA Installation Successful panel, click Finish to exit the SESA Installation Wizard. After you install the SESA Directory, you can install the SESA DataStore. This installation places the SESA DataStore on a single computer. If you are using an IBM DB2 database server on Windows as the underlying software for the SESA DataStore, you can install the SESA DataStore on the same computer as the SESA Directory, or you can install it on a separate computer. If you are using

171 Installing SESA Installing the SESA DataStore 171 Oracle 9i on Solaris as the underlying software for the SESA DataStore, you must install the SESA DataStore on a separate, dedicated Solaris computer. Installing a SESA DataStore on a Windows computer You can install a SESA DataStore on a single Windows computer. IBM Directory Server (the SESA Directory) must already be installed and functioning on the same or another computer. To use SESA in a production environment, one of the following IBM DB2 Universal database servers must already be installed on the Windows computer: IBM DB2 Universal database Workgroup Edition 7.2 with FixPak 5 IBM DB2 Universal database Enterprise Edition 7.2 with FixPak 5 IBM DB2 Universal database Enterprise Extended Edition 7.2 with FixPak 5 Warning: You must ensure that one of the required supported versions with the correct FixPak is installed prior to running the SESA Installation Wizard. Installing with an unsupported version or FixPak may result in a failed or corrupt installation. If none of the supported IBM DB2 database servers is present, the SESA Installation Wizard installs IBM DB2 Personal Edition 7.2 with FixPak 5. Warning: The Personal Edition of the IBM DB2 database server is not designed to handle the data volume in production networking environments. In addition, the SESA Manager must reside on the same computer as the database server, or the SESA installation does not work. If you are going to install the SESA DataStore on the same computer as the SESA Directory, are currently using the SESA Installation Wizard, and have just finished with step 2 of To finish the SESA Directory installation on a Windows computer on page 166, you can begin with step 8 of To install a SESA DataStore on a Windows computer on page 171. To install a SESA DataStore on a Windows computer 1 On the SESA DataStore computer, start the SESA Installation Wizard. See Starting the SESA Installation Wizard on page In the SESA Install Menu panel, click Install SESA DataStore. 3 In the SESA DataStore: Database Server Options panel, click Install SESA DataStore (Use IBM DB2).

172 172 Installing SESA Installing the SESA DataStore 4 In the Select Working Directory panel, accept the default location for the working directory or select another location. SESA requires a folder on your hard drive as a working directory and database storage location. The drive on which this folder resides should have at least 817 MB of free space. The 817 MB minimum is required only if you plan to install a single SESA DataStore on a single drive. If you plan to install more than one SESA DataStore or a single SESA DataStore across multiple drives, the minimum space requirement decreases according to the actual drive space that you specify for this directory. If you have a previously existing SESA component on the computer, this option is unavailable and you must accept the existing working directory. 5 In the Existing SESA Directory panel, do the following for the SESA DataStore to connect with the SESA Directory: SESA Administrator Password IP Address Directory port number Type a Directory Administrator password for the SESAdmin account. Type the IP address of the computer on which the SESA Directory is installed. This can be the local computer or a remote computer. SESA Managers use this IP address to communicate with the SESA Directory. If connections to the SESA Directory computer are made using authenticated SSL, you must type the host name or FQDN of the computer instead of the IP address. Type the secure listening port for the SESA Directory (by default, 636). SESA Managers use this port to communicate with the SESA Directory. 6 In the Domain Selection panel, correct or confirm the name of the SESA administrative domain that you typed when you installed the SESA Directory. The SESA administrative domain name and extension appear in the Symantec management console navigational tree as the top-level administrative domain.

173 Installing SESA Installing the SESA DataStore In the SESA DataStore panel, confirm the default settings or do the following: SESA DataStore Name Caption Description Type a name for the additional SESA DataStore. The name must be different from other SESA DataStore names. The default setting is SESA. Type a caption for the additional SESA DataStore. The default setting is the name of the computer. Type a new description, if necessary. The default setting describes the SESA 2.0 schema and database driver type. 8 In the SESA DataStore: Database Definition Path panel, in the Enter SESA DataStore Database definition path box, accept the default location or click Browse to select another location. The SESA DataStore Database definition path is the location of the SESA DataStore system files. 9 Under SESA DataStore Log Path, do one of the following: Accept the default log path for the SESA DataStore. The default path is DB2\node0000\<sql00001>\sqlogdir. Depending on the number of SESA DataStores that you install, and the number of IBM DB2 databases, <sql00001> may use a different number. Check This Log path, and then type a location or browse to the new log path location. By default, IBM DB2 stores logs on the same physical drive as the database. As a best practice, select a different physical drive. 10 In the SESA DataStore: Event Data Tablespace Configuration panel, do one of the following: To install a SESA DataStore with automatically expanding tablespaces, click Low maintenance. You can allocate more than one physical drive for tablespace containers. See Allocating additional drives for tablespace containers in low maintenance mode on page 175. To install a SESA DataStore with tablespaces that must be manually increased, click High performance. You can specify more than one physical drive for tablespace containers as well as allocate the amount of available disk per drive.

174 174 Installing SESA Installing the SESA DataStore 11 Click Next. If you select this option, you must ensure that any antivirus Realtime scanning is turned off before the SESA DataStore is installed. You can reenable Realtime scanning after the SESA DataStore installation. See Allocating additional drives for tablespace containers in high performance mode on page In the SESA DataStore: Tuning panel, confirm the following settings or do the following: Buffer Pool Size Extent Size Circular Logging/ Archive Logging SESA DataStore/IBM DB2 backup directory Type a value in MB. The buffer pool is a temporary storage area in RAM used by the SESA DataStore. It allows the computer to manipulate data before transferring it to the hard disk. Type a value in KB. The extent size is the amount of contiguous storage space available to data. The larger the extent size, the faster the database fills. The smaller the extent size, the faster the database becomes fragmented. Click Circular Logging to enable restore-only database recovery without the ability to perform online backups of the SESA DataStore. This option saves disk space. Click Archive Logging to enable roll-forward database recovery and the ability to perform backups of the SESA DataStore without requiring first stopping the IBM DB2 database instance. Available for archive logging only. Type a location or click Browse to navigate to the location of the backup directory for the IBM DB2 SESA DataStore. The default Windows location is C:\SESA\symc_data. The default Solaris location is /opt/symantec/sesa/ symc_data. Depending on how many computers you are using to deploy the SESA Manager, SESA Directory, and SESA DataStore, Buffer Pool Size and Extent Size may work better with particular values. See IBM DB2 database memory usage specifications on page 405.

175 Installing SESA Installing the SESA DataStore In the Local SESA DataStore panel, do the following for the SESA DataStore installation: Database Administrator Name Database Administrator Password IP Address Database port number Type the administrator account name for the SESA DataStore. This account was created when the IBM DB2 database server was installed. Type an administrator account password of six or more alphanumeric characters. An account with a password is required. Type the IP address of the computer on which the SESA DataStore is being installed. If connections to the SESA DataStore computer are made using authenticated SSL, you must type the host name or FQDN of the computer instead of the IP address. Type the listening port for the SESA DataStore (by default, 50000). This installs the SESA DataStore on the computer on which you are running the SESA Installation Wizard. 14 After the SESA Installation Wizard completes the necessary configuration tasks, in the Operation Complete panel, click Next. 15 In the SESA Install Menu panel, do one of the following: Click Install SESA Manager to install the SESA DataStore on the same computer using the SESA Installation Wizard. See Installing the SESA Manager on page 188. Click Exit SESA Installer, click Next, and then in the SESA Installation Successful panel, click Finish to exit the SESA Installation Wizard. 16 If you have not already done so, configure JDBC for the SESA DataStore, and then restart the computer. See To configure JDBC for the IBM DB2 database on page If necessary, install another SESA DataStore. See Installing an additional SESA DataStore on a Windows computer on page 177. Allocating additional drives for tablespace containers in low maintenance mode To improve database performance, the SESA Installation Wizard lets you install the tablespace containers in the SESA DataStore across multiple Windows

176 176 Installing SESA Installing the SESA DataStore drives. When you install tablespace containers across multiple drives, the system files for the SESA DataStore remain in one location, but the data is spread across the drives that you specify. To allocate additional drives for tablespace containers in low maintenance mode 1 In the SESA DataStore: Event Data Tablespace Configuration panel, click Low maintenance, and then click Add. 2 In the Select Container dialog box, under Drives, select one of the drives on which to install tablespace containers. 3 Repeat step 2 for the other drives. 4 To return to the SESA DataStore: Event Data Tablespace Configuration panel, click OK. 5 To remove a drive, select the drive, and then click Remove. Allocating additional drives for tablespace containers in high performance mode To improve database performance, the SESA Installation Wizard provides the option of installing SESA DataStore tablespace containers across multiple Windows drives and then specifying the amount of drive disk space to allocate for the tables. When you install tablespace containers across multiple drives, the system files for the SESA DataStore remain in one location, but the data is spread across the drives that you specify. Note: If you use high performance mode, you must ensure that any antivirus Realtime scanning is turned off before the SESA DataStore is installed. You can reenable Realtime scanning after the SESA DataStore installation. To allocate additional drives for tablespace containers in high performance mode 1 In the SESA DataStore: Event Data Tablespace Configuration panel, click High performance, and then click Add. 2 In the Select Container dialog box, under Drive, select one of the drives on which to install tablespace containers. 3 In the Size box, type the amount of space, in MB, to allocate for the tablespace container on that drive.

177 Installing SESA Installing the SESA DataStore Repeat steps 2 and 3 for the other drives. Ensure that the total allocated space is at least 800 MB. Do not exceed 1024 GB of total allocated space. To calculate the amount of space that you need, assume that each event is 1.5 KB. 5 To return to the SESA DataStore: Event Data Tablespace Configuration panel, click OK. 6 To modify the space that is allocated for a particular drive, click Modify. 7 In the Select Container dialog box, under Drive, select the drive to modify. 8 In the Size box, retype the amount of space, in MB, to allocate for the tablespace container on the drive. 9 To return to the SESA DataStore: Event Data Tablespace Configuration panel, click OK. 10 To remove a drive, select the drive, and then click Remove. Retrying an IBM DB2 database installation If you cancel the SESA Installation Wizard while you are installing the SESA DataStore on an already installed IBM DB2 database, or the wizard stops or fails for any reason, the IBM DB2 database may be left in an inconsistent state. You can use the wizard again to retry the SESA DataStore installation, but only after you have dropped the database instance to return IBM DB2 to a consistent state. See Dropping an IBM DB2 database instance on page 368. Installing an additional SESA DataStore on a Windows computer After you have installed the initial SESA DataStore, depending on your requirements, you may want to install one or more additional SESA DataStores. You can install additional SESA DataStores on the same IBM DB2 Universal database instance as the first SESA DataStore. You may want to use two or more SESA DataStores if you have different needs for event viewing in the Symantec management console, or want to separate product event data into separate SESA DataStores. See Enhanced data-management capabilities on page 20.

178 178 Installing SESA Installing the SESA DataStore To install an additional SESA DataStore on a Windows computer 1 On the SESA DataStore computer, start the SESA Installation Wizard. See Starting the SESA Installation Wizard on page Follow the on-screen instructions, without modifying existing settings, until you reach the SESA Install Menu panel. 3 In the SESA Install Menu panel, click Advanced Options. 4 In the SESA Advanced Install Menu, click Install Additional SESA DataStore (DB2). 5 In the Existing SESA Directory panel, do the following for the additional SESA DataStore to connect with the SESA Directory: SESA Administrator Password IP Address Directory port number Type the Directory Administrator password for the SESAdmin account. Type the IP address of the computer on which the SESA Directory is installed. This can be the local computer or a remote computer. SESA Managers use this IP address to communicate with the SESA Directory. If connections to the SESA Directory computer are made using authenticated SSL, you must type the host name or FQDN of the computer instead of the IP address. Type the secure listening port for the SESA Directory (by default, 636). SESA Managers use this port to communicate with the SESA Directory. 6 In the Domain Selection panel, correct or confirm the name of the SESA administrative domain that you typed when you installed the SESA Directory. High-ASCII characters are allowed, but do not use special characters such #, $, %, ^, &, and *, or characters from a double-byte character set (DBCS). The SESA administrative domain name appears in the Symantec management console navigational tree as the top-level administrative domain.

179 Installing SESA Installing the SESA DataStore In the SESA DataStore panel, confirm the default settings or do the following: SESA DataStore Name Caption Description Type a name for the additional SESA DataStore. The name must be different from other SESA DataStore names. The default setting is SESA1. Type a caption for the additional SESA DataStore. The default setting is the name of the computer. Type a new description, if necessary. The default setting describes the SESA 2.0 schema and database driver type. 8 In the SESA DataStore: Database Definition Path panel, in the Enter SESA DataStore Database definition path box, accept the default location or click Browse to select another location. The SESA DataStore Database definition path is the location of the SESA DataStore system files. 9 Under SESA DataStore Log Path, do one of the following: Accept the default log path for the additional SESA DataStore. The default path is DB2\node0000\<sql00001>\sqlogdir. Depending on the number of SESA DataStores that you install, and the number of IBM DB2 databases, <sql00001> may use a different number. Check This Log path, and then type a location or browse to the new log path location for the additional SESA DataStore. By default, IBM DB2 stores logs on the same physical drive as the database. As a best practice, select a different physical drive. 10 In the SESA DataStore: Event Data Tablespace Configuration panel, do one of the following: To install the additional SESA DataStore with automatically expanding tablespaces, click Low maintenance. You can allocate more than one physical drive for tablespace containers. See Allocating additional drives for tablespace containers in low maintenance mode on page 175. To install the additional SESA DataStore with tablespaces that must be manually increased, click High performance. You can specify more than one physical drive for tablespace containers as well as allocate the amount of available disk per drive.

180 180 Installing SESA Installing the SESA DataStore 11 Click Next. If you select this option, you must ensure that any antivirus Realtime scanning is turned off before the SESA DataStore is installed. You can reenable Realtime scanning after the SESA DataStore installation. See Allocating additional drives for tablespace containers in high performance mode on page In the SESA DataStore: Tuning panel, if necessary, to change any of the default settings, do the following: Buffer Pool Size Extent Size Circular Logging/ Archive Logging SESA DataStore/IBM DB2 backup directory Type a value in MB. The buffer pool is a temporary storage area in RAM used by the SESA DataStore. It allows the computer to manipulate data before transferring it to the hard disk. Type a value in KB. The extent size is the amount of contiguous storage space available to data. The larger the extent size, the faster the database fills. The smaller the extent size, the faster the database becomes fragmented. Click Circular Logging to enable restore-only database recovery without the ability to perform online backups of the SESA DataStore. This option saves disk space. Click Archive Logging to enable roll-forward database recovery and the ability to perform backups of the SESA DataStore without requiring first stopping the IBM DB2 database instance. Available for archive logging only. Type a location or click Browse to navigate to the location of the backup directory for the IBM DB2 SESA DataStore. The default Windows location is C:\SESA\symc_data. The default Solaris location is /opt/symantec/sesa/ symc_data. Depending on how many computers you are using to deploy the SESA Manager, SESA Directory, and SESA DataStore, Buffer Pool Size and Extent Size may work better with particular values. See IBM DB2 database memory usage specifications on page 405.

181 Installing SESA Installing the SESA DataStore In the Local SESA DataStore panel, do the following for the SESA DataStore installation: Database Administrator Name Database Administrator Password IP Address Database port number Type the administrator account name for the SESA DataStore. This account was created when the IBM DB2 database server was installed. Type an administrator account password of six or more alphanumeric characters. An account with a password is required. Type the IP address of the computer on which the SESA DataStore is being installed. If connections to the SESA DataStore computer are made using authenticated SSL, you must type the host name or FQDN of the computer instead of the IP address. Type the listening port for the SESA DataStore (by default, 50000). This installs the additional SESA DataStore on the computer on which you are running the SESA Installation Wizard. 14 After the SESA Installation Wizard completes the necessary configuration tasks, in the Operation Complete panel, click Next. 15 In the SESA Install Menu panel, do one of the following: Click Install SESA Manager to install the SESA DataStore on the same computer using the SESA Installation Wizard. See Installing the SESA Manager on page 188. Click Exit SESA Installer, click Next, and then in the SESA Installation Successful panel, click Finish to exit the SESA Installation Wizard. 16 If you have not already done so, configure JDBC for the SESA DataStore, and then restart the computer. See To configure JDBC for the IBM DB2 database on page 95. Installing the SESA DataStore on a Solaris computer You can install the SESA DataStore on a single Solaris computer. You must already have installed and prepared Oracle 9i (version 9.0.x to x) on the Solaris computer. The SESA Integration Wizard does not detect whether the Oracle database server is already installed.

182 182 Installing SESA Installing the SESA DataStore Before you install the SESA DataStore, you should complete the following tasks: Install the Oracle database server. Create a SESA database on the Oracle database server. Create and grant privileges to an Oracle database user. See Preparing third-party software on Solaris platforms on page 98. In addition, IBM Directory Server 4.1 (the SESA Directory) must already be installed and functioning on another Solaris or Windows computer. Remote installations are convenient when the Solaris computer on which the SESA DataStore is to be installed does not have a video card or monitor, or is not physically accessible to you. You can use Telnet sessions to access the installation computer remotely. However, because the SESA Installation Wizard has a graphical user interface associated with it, you must export the display of the installation computer. To install the SESA DataStore on a Solaris computer 1 On the SESA DataStore computer, start the SESA Installation Wizard. See Starting the SESA Installation Wizard on page When you are prompted to supply a location for temporary installation files, do one of the following: Accept the default location as long as it has at least 75 MB of free hard disk space available. Type a location or click Browse to find a different location that has 75 MB of hard disk space available. 3 In the introductory wizard panels, review and type the requested information, and then click Next. 4 In the SESA Preinstallation Requirements Summary panel, confirm that the computer to which you are installing is running Sun Solaris version 8 (64- bit). In addition, the computer must already have an existing installation of Oracle 9i. 5 In the SESA Install Menu panel, click Install SESA DataStore. 6 In the SESA DataStore: Database Server Options panel, click Install SESA DataStore (Use Oracle).

183 Installing SESA Installing the SESA DataStore In the Select Working Directory panel, accept the default location of /opt/ Symantec/SESA or select another location. SESA requires a folder on your hard drive with 817 MB of free disk space as a working directory. If you have a previously existing SESA component on the computer, then this option will be unavailable and you must accept the existing working directory. 8 In the Install SESA DataStore on Oracle panel, review the preparation steps and verify that they have been completed. See Preparing third-party software on Solaris platforms on page Verify that the Oracle database instance that you want to use for the SESA DataStore and the Oracle listener are both running. 10 If necessary, type the following commands to start the database: sqlplus /nolog connect / as sysdba startup 11 If necessary, type the following command to start the Oracle listener: lsnrctl start 12 Click Next. 13 In the Existing SESA Directory panel, do the following for the SESA DataStore to connect with the SESA Directory: Administrator Name SESA Directory Administrator Password IP Address Type the name for the IBM Directory Server administrator account in the form cn=<name> (by default, cn=root). Type the Directory Administrator password. Type the IP address of the computer on which the SESA Directory is installed. This can be the local computer or a remote computer. SESA Managers use this IP address to communicate with the SESA Directory. If connections to the SESA Directory computer are made using authenticated SSL, you must type the host name or FQDN of the computer instead of the IP address. Because the default location is the local computer, you must modify this address before continuing.

184 184 Installing SESA Installing the SESA DataStore Directory port number Type the secure listening port for the SESA Directory (by default, 636). SESA Managers use this port to communicate with the SESA Directory. 14 In the Domain Selection panel, correct or confirm the name of the SESA administrative domain that you typed when you installed the SESA Directory. To type high-ascii characters and special characters such #, $, %, ^, &, and *, use the Compose key on the Solaris keyboard. For example, to type the copyright symbol, use the key sequence Compose+c+o. Characters from the double-byte character set (DBCS) are not allowed. The SESA administrative domain name appears in the Symantec management console navigational tree as the top-level administrative domain. 15 In the SESA DataStore panel, confirm the information for the SESA DataStore installation, or do the following: SESA DataStore Name Caption Description Type the name of the Oracle database (ORACLE_SID) that you want to use for the SESA DataStore. The default is SESA. Type an additional identifier for the SESA DataStore. The default is the computer name. SESA DataStores are identified in the Symantec management console by the combination of the Caption and the SESA DataStore Name. Type an additional description of the database. The default description includes the type of SESA DataStore, the schema, and the Oracle driver type. 16 In the Local SESA DataStore panel, confirm the default settings or do the following for the SESA DataStore installation: Database Administrator Name Database Administrator Password Type the Database Administrator name symcmgmt. The symcmgmt Database Administrator account is created when you run the create.sql script. Type the password for the symcmgmt Database Administrator account. The default password given to this account by the create.sql script is password.

185 Installing SESA Installing the SESA DataStore 185 IP Address Database port number Type the IP address of the computer on which the SESA DataStore is being installed. If connections to the SESA DataStore computer are made using authenticated SSL, you must type the host name or FQDN of the computer instead of the IP address. Type the listening port for the SESA DataStore (by default, 1521). 17 In the Database Driver Directory panel, type the location of the Oracle driver (classes12.jar) or click Browse to navigate to this location. On the Solaris SESA Foundation Pack CDs, the default location is Solaris.CD1/MANAGER/LIB. The SESA Installation Wizard reports the status of the components that are being installed using the specified logons, passwords, paths, and ports information. 18 In the Operation Complete panel, click Next. 19 In the SESA Install Menu panel, click Next. 20 In the SESA Installation Successful panel, click Finish to exit the SESA Installation Wizard. Installing multiple SESA DataStores on a Solaris computer SESA allows you to install multiple SESA DataStores. Each SESA DataStore is supported by a separate Oracle database. These databases must be created prior to running the SESA Installation Wizard. See Creating multiple Oracle 9i databases to support multiple SESA DataStores on page 124. Once the supporting databases have been created, you run the SESA Installation Wizard to integrate the SESA DataStores into SESA. To install multiple SESA DataStores on a Solaris computer 1 On the SESA DataStore computer, start the SESA Installation Wizard. See Starting the SESA Installation Wizard on page Follow the on-screen instructions, without modifying existing settings, until you reach the SESA Install Menu panel. 3 In the SESA Install Menu panel, click Advanced Options, and then click Next.

186 186 Installing SESA Installing the SESA DataStore 4 In the SESA Advanced Install Menu, click Install Additional SESA DataStore (Oracle), and then click Next. 5 In the Install SESA DataStore on Oracle panel, verify that you completed the required preinstallation steps for an Oracle SESA DataStore, and then click Next. 6 In the Existing SESA Directory panel, do the following for the additional SESA DataStore to connect with the SESA Directory: SESA Administrator Password IP Address Directory port number Type the Directory Administrator password for the SESAdmin account. Type the IP address of the computer on which the SESA Directory is installed. This can be the local computer or a remote computer. SESA Managers use this IP address to communicate with the SESA Directory. If connections to the SESA Directory computer are made using authenticated SSL, you must type the host name or FQDN of the computer instead of the IP address. Type the secure listening port for the SESA Directory (by default, 636). SESA Managers use this port to communicate with the SESA Directory. 7 In the Domain Selection panel, correct or confirm the name of the SESA administrative domain that you typed when you installed the SESA Directory. High-ASCII characters are allowed, but do not use special characters such #, $, %, ^, &, and *, or characters from a double-byte character set (DBCS). The SESA administrative domain name appears in the Symantec management console navigational tree as the top-level administrative domain. 8 In the SESA DataStore panel, confirm the default settings or do the following: SESA DataStore Name Caption Type a name for the additional SESA DataStore. The name must be different from other SESA DataStore names. The default setting is SESA1. Type a caption for the additional SESA DataStore. The default setting is the name of the computer.

187 Installing SESA Installing the SESA DataStore 187 Description Type a new description, if necessary. The default setting describes the SESA 2.0 schema and database driver type. 9 In the Local SESA DataStore panel, confirm the default settings or do the following for the SESA DataStore installation: Database Administrator Name Database Administrator Password Host Name or IP Address Database port number Type the Administrator account name for the SESA DataStore. You must have created a symcmgmt user as the Oracle administrator prior to starting the SESA Installation Wizard. Type the Administrator account password of six or more alphanumeric characters. An account with a password is required. Type the IP address of the computer on which the SESA DataStore is being installed. If connections to the SESA DataStore computer are made using authenticated SSL, you must type the host name or FQDN of the computer instead of the IP address. Type the listening port for the SESA DataStore (by default, 1521). This installs the additional SESA DataStore on the computer on which you are running the SESA Installation Wizard. 10 In the Database Driver Directory panel, type the location in which the Oracle driver (classes12.jar) is installed or click Browse to navigate to this location. On the Solaris SESA Foundation Pack CDs, the default location is Solaris.CD1/MANAGER/LIB. The SESA Installation Wizard reports the status of the components that are being installed using the specified logons, passwords, paths, and ports information. 11 In the Operation Complete panel, click Next. 12 After the SESA DataStore finishes installing, repeat this procedure for each additional SESA DataStore that you want to add.

188 188 Installing SESA Installing the SESA Manager Installing the SESA Manager After you install the SESA Directory and SESA DataStore, you can install the SESA Manager. The SESA Installation Wizard installs the SESA Manager on a single computer. On all-windows platforms, you can install the SESA Manager with the SESA Directory or the SESA DataStore, or both. On all-solaris platforms, however, you must separate the SESA DataStore (Oracle 9i database server) from all of the other SESA components. This means that you can install the SESA Manager with the SESA Directory, or by itself, but you cannot install it on the same computer as the SESA DataStore. When you use Oracle 9i for the SESA DataStore, you must separate the SESA DataStore from all of the other SESA components. See SESA Foundation Pack installation overview on page 137. For installations in which you are using the IBM DB2 Universal database server as the SESA DataStore, and are going to install the SESA Manager (Solaris or Windows platform) on a separate computer, you must also install the IBM DB2 Runtime Client 7.2 (with FixPak 5) on the SESA Manager computer to support the remote connection with the IBM DB2 Universal database server (the SESA DataStore). You must install the IBM DB2 Runtime Client on the SESA Manager computer before you install the SESA Manager. Note: IBM provides the Runtime Client for both Windows and Solaris platforms for customers who have an IBM DB2 Universal database server. The SESA Foundation Pack distribution media for SESA 2.0 does not include the IBM DB2 Runtime Client. Installing the SESA Manager on a Windows computer You install the SESA Manager after the SESA Directory and SESA DataStore have been installed. If the SESA Directory or SESA DataStore is installed on a Windows computer, you can install the SESA Manager along with one or both of these other SESA components. If the computer on which you are installing the SESA Manager is also hosting Microsoft Internet Information Server (IIS), ensure that the World Wide Web Publishing Service is stopped. See Avoiding Microsoft Internet Information Server conflicts on page 76. If you are going to install the SESA Manager on the same computer as the SESA DataStore, are currently using the SESA Installation Wizard, and have just finished with step 14 of To install a SESA DataStore on a Windows computer

189 Installing SESA Installing the SESA Manager 189 on page 171, you can begin with step 7 of To install the SESA Manager on a Windows computer on page 189. Install the SESA Manager on a Windows computer For installation configurations in which the SESA Manager is installed on a different Windows computer than the IBM DB2 database server (SESA DataStore), you must first install the IBM DB2 Runtime Client, run Usejdbc2.bat on the SESA Manager computer, and then restart the SESA Manager computer before you can install the SESA Manager. To run Usejdbc2.bat on the SESA Manager computer 1 On the SESA Manager computer, in Windows Explorer, navigate to the Java12 directory in the IBM DB2 installation path. The default location is \Program Files\Sqllib\Java12. 2 Double-click Usejdbc2.bat. 3 Restart the SESA Manager computer. To install the SESA Manager on a Windows computer 1 On the SESA Manager computer, start the SESA Installation Wizard. See Starting the SESA Installation Wizard on page When you are prompted to supply a location for temporary installation files, do one of the following: Accept the default location as long as it has 75 MB of free hard disk space available. Type a location or click Browse to find a different location that has 75 MB of hard disk space available. 3 In the Welcome to the SESA Installation panel, review the information, and then click Next. 4 In the SESA License Agreement panel, review the agreement, click I accept the agreement, and then click Next. If you don t accept the agreement, you exit the SESA Installation Wizard. 5 In the SESA Preinstallation Requirements Summary panel, confirm the following: The computer to which you are installing is running Windows 2000 Server or Advanced Server with Service Pack 3 or later. Sun Java Development Kit (SDK) 1.3.1_09 is installed. 6 In the SESA Install Menu panel, click Install SESA Manager.

190 190 Installing SESA Installing the SESA Manager 7 In the Select Working Directory panel, do the following: For the Working Directory, accept the default location or select another location. SESA requires a folder on your hard drive as the working directory. The drive on which this folder resides should have at least 20 MB of free space. For the Manger Log Directory, accept the default location or select another location for SESA Manager logs. This is the directory to which the SESA Manager will write its working logs. If you have a SESA component on this computer, this option will be unavailable and you must accept the already existing working directory. 8 In the Existing SESA Directory panel, do the following for the SESA DataStore to connect with the SESA Directory: SESA Directory Administrator Password IP Address Type the Directory Administrator password. The account name is in the form cn=<name> (by default, cn=root). Type the IP address of the computer on which the SESA Directory is installed. This can be the local computer or a remote computer. SESA Managers use this IP address to communicate with the SESA Directory. If connections to the SESA Directory computer are made using authenticated SSL, you must type the host name or FQDN of the computer instead of the IP address. Directory port number Type the secure listening port for the SESA Directory (by default, 636). SESA Managers use this port to communicate with the SESA Directory. 9 In the Domain Selection panel, correct or confirm the name of the SESA administrative domain that you typed when you installed the SESA Directory. High-ASCII characters are allowed, but do not use special characters such #, $, %, ^, &, and *, or characters from a double-byte character set (DBCS). The SESA administrative domain name appears in the Symantec management console navigational tree as the top-level administrative domain.

191 Installing SESA Installing the SESA Manager In the Manager Organizational Unit panel, select one of the following: Managers: Store information about the SESA Manager in the Managers organizational unit. Default: Store information about the SESA Manager in the Default organizational unit. You can view the organizational unit that you select in the Symantec management console. For more information, see the Symantec Management Console User s Guide. 11 In the SESA DataStore panel, select the SESA DataStore to configure for the SESA Manager. 12 In the Java SDK Directory panel, confirm the location in which you installed the Sun Java Development Kit (SDK). 13 If the Web Server Installation panel appears, do the following for a Windows 2000 user account: Web Server Directory Login Name Password Type the path for the IBM HTTP Server installation (by default, C:\Program Files\IBM Http Server). Type the logon name for the Windows 2000 account of the computer on which the IBM HTTP Server is being installed. If the account does not exist, it is created. Type the password for the account. An account with a password is required. This panel appears only when the SESA Directory is installed on a different computer. 14 If Microsoft IIS is installed on the computer, in the dialog box that prompts you to stop and configure IIS or continue, click Yes. 15 If a Windows 2000 account has not previously been created for the IBM HTTP Server, in the dialog box that prompts you to set up a Windows NT account, click Yes. 16 If the SESA Secure Communications panel appears, do the following to create the key database for self-signed SSL certificates: Key Database Password Company Type a password for the key database of six alphanumeric characters minimum. High-ASCII and DBCS characters are not allowed. Type the company name. High-ASCII and DBCS characters are not allowed.

192 192 Installing SESA Installing the SESA Manager Country Select host IP Address Key size (bits) Type the company location. Type the IP address of the computer on which the SESA Manager is being installed. If connections to the SESA Manager computer are made using authenticated SSL, you must type the host name or FQDN of the computer instead of the IP address. Type the encryption length in bits for the default, selfsigned certificate that SESA uses to secure data communication. The default setting of 1024 bits is standard. The longer the key size, the higher the security of the data encryption. However, the higher the security of the data encryption, the longer the amount of time required to encrypt and decrypt data. This panel appears only when the SESA Directory is installed on a different computer. 17 In the SESA Agent Listen IP panel, confirm that the SESA Agent heartbeat IP address is The SESA Installation Wizard reports the status of the components that are being installed using the specified logons, passwords, paths, and ports information. The SESA Installation Wizard installs the SESA Manager and SESA Agent on the computer on which you are running the wizard. (Like SESA clients, the SESA Manager must use a SESA Agent to pass data from the computer on which you installed the SESA Manager.) 18 If you are installing the SESA Manager remotely from the SESA Directory or SESA DataStore, in the SESA Agent panel, confirm the IP address of the SESA Manager computer. This panel does not appear if you are installing the SESA Manager on the same computer as the other SESA components. The SESA Installation Wizard configures and installs the SESA Manager. This process may take a while. 19 In the Operation Complete panel, click Next. 20 In the SESA Install Menu panel, click Exit the Installer. Installing the SESA Manager on a Solaris computer You install the SESA Manager after the SESA Directory and SESA DataStore have been installed. If your SESA Directory is installed on a Solaris computer, you can install the SESA Manager with it on the same computer. However, if you

193 Installing SESA Installing the SESA Manager 193 are using Oracle 9i as the SESA DataStore on a Solaris computer, you must install the SESA Manager on a separate computer from the SESA DataStore. Install the SESA Manager on a Solaris computer After you install the SESA Manager on a Solaris computer, you must configure and preinstall the /etc/syslog.conf file on the SESA Manager computer if you want SESA to log alert notifications. To install the SESA Manager on a Solaris computer 1 On the SESA Manager computer, start the SESA Installation Wizard. See Starting the SESA Installation Wizard on page When you are prompted to supply a location for temporary installation files, do one of the following: Accept the default location as long as it has at least 75 MB of free hard disk space available. Type a location or click Browse to find a different location that has 75 MB of hard disk space available. 3 In the introductory wizard panels, review and type the requested information, and then click Next. 4 In the SESA Preinstallation Requirements Summary panel, confirm that the computer to which you are installing is running the following: Sun Solaris version 8 (64-bit) Sun Java Development Kit (SDK) 1.3.1_09 5 In the SESA Install Menu panel, click Install SESA Manager. 6 In the Select Working Directory panel, do the following: For the Working Directory, accept the default location of /opt/ Symantec/SESA or select another location. The SESA Manager requires a folder on your hard drive as the working directory. The drive on which this folder resides should have at least 20 MB of free space. For the Manager Log Directory, accept the default location of /opt/symantec/sesa or select another location for the SESA Manager logs. This is the directory to which the SESA Manager will write its working logs. If you have a SESA component on this computer, this option will be unavailable and you must accept the existing working directory.

194 194 Installing SESA Installing the SESA Manager 7 In the Existing SESA Directory panel, do the following for the SESA DataStore to connect with the SESA Directory: SESA Directory Administrator Password IP Address Type the Directory Administrator password. The account name is in the form cn=<name> (by default, cn=root). Type the IP address of the computer on which the SESA Directory is installed. This can be the local computer or a remote computer. SESA Managers use this IP address to communicate with the SESA Directory. If connections to the SESA Directory computer are made using authenticated SSL, you must type the host name or FQDN of the computer instead of the IP address. Because the default location of this IP address is the local computer, you must change the IP address to reflect that of the SESA Directory computer. Directory port number Type the secure listening port for the SESA Directory (by default 636). SESA Managers use this port to communicate with the SESA Directory. 8 In the Domain Selection panel, retype or confirm the name of the SESA administrative domain that you typed when you installed the SESA Directory. To type high-ascii characters and special characters such #, $, %, ^, &, and *, use the Compose key on the Solaris keyboard. For example, to type the copyright symbol, use the key sequence Compose+c+o. Characters from the double-byte character set (DBCS) are not allowed. The SESA administrative domain name appears in the Symantec management console navigational tree as the top-level administrative domain. 9 In the Manager Organizational Unit panel, select one of the following: Managers: Store information about the SESA Manager in the Managers organizational unit. Default: Store information about the SESA Manager in the Default organizational unit. You can view the organizational unit that you select in the Symantec management console. For more information, see the Symantec Management Console User s Guide. 10 In the SESA DataStore panel, select the SESA DataStore to configure for the SESA Manager.

195 Installing SESA Installing the SESA Manager In the Java SDK Directory panel, confirm the location in which you installed the Sun Java Development Kit (SDK). 12 If the SESA Secure Communications panel appears, do the following to create the key database for self-signed SSL certificates: Key Database Password Company Country Select host IP Address Key size (bits) Type a password for the key database of six alphanumeric characters minimum. High-ASCII and DBCS characters are not allowed. Type the company name. High-ASCII and DBCS characters are not allowed. Type the company location. Type the IP address of the computer on which the SESA Manager is being installed. If connections to the SESA Manager computer are made using authenticated SSL, you must type the host name or FQDN of the computer instead of the IP address. Type the encryption length in bits for the default, selfsigned certificate that SESA uses to secure data communication. The default setting of 1024 bits is standard. The longer the key size, the higher the security of the data encryption. However, the higher the security of the data encryption, the longer the amount of time required to encrypt and decrypt data. This panel appears only when the SESA Directory is installed on a different computer. 13 In the SESA Agent Listen IP panel, confirm that the SESA Agent heartbeat IP address is The SESA Installation Wizard reports the status of the components that are being installed using the specified logons, passwords, paths, and ports information. The SESA Installation Wizard installs the SESA Manager and SESA Agent on the computer on which you are running the wizard. (Like SESA clients, the SESA Manager must use a SESA Agent to pass data from the computer on which you installed the SESA Manager.) 14 In the SESA Agent panel, confirm the IP address of the SESA Manager computer. The SESA Installation Wizard configures and installs the SESA Manager. This process may take a while. 15 In the Operation Complete panel, click Next.

196 196 Installing SESA Installing the SESA Agent for heartbeat monitoring 16 In the SESA Install Menu panel, do one of the following: Click Advanced Options, and then in the SESA Advanced Install Menu panel, click Install SESA Agent for Heartbeats. Begin with step 4 of To install the SESA Agent for heartbeat monitoring on a Solaris computer on page 199. Click Exit SESA Installer, click Next, and then in the SESA Installation Successful panel, click Finish to exit the SESA Installation Wizard. To configure and preinstall SESA alert logging 1 On the Solaris computer on which the SESA Manager is installed, in the Terminal window, change directories to the /etc/syslog.conf file. 2 In a text editor, open the syslog.conf file. 3 Add the following lines to the syslog.conf file, making sure to tab between each incidence of the words debug and /var: local0.debug /var/adm/sesa.log local1.debug /var/adm/sesa_alert.log local2.debug /var/adm/sesa_datastore.log local3.debug /var/adm/sesa_directory.log local4.debug /var/adm/sesa_manager.log 4 To preinstall the log files that you configured in step 3, type the following commands in the order in which they are listed: touch /var/adm/sesa.log touch /var/adm/sesa_alert.log touch /var/adm/sesa_datastore.log touch /var/adm/sesa_directory.log touch /var/adm/sesa_manager.log 5 To stop the syslog service, type the following command: /etc/init.d/syslog stop 6 To start the syslog service, type the following command: /etc/init.d/syslog start Installing the SESA Agent for heartbeat monitoring When you install the SESA Manager, a SESA Agent is also installed to monitor and help process communications to and from the SESA Manager. To monitor and process communications, the SESA Agent uses various providers, each of which assists with some type of SESA Agent function, such as SESA logging, configuration, state, and inventory services. In SESA 2.0, SESA Agents include a

197 Installing SESA Installing the SESA Agent for heartbeat monitoring 197 new heartbeat provider, which determines the state of all of the other SESA Agent providers. When a SESA Directory or SESA DataStore component is installed on the same computer as the SESA Manager, the SESA Agent that is automatically installed with the SESA Manager handles the communication and heartbeat monitoring for the SESA Directory and SESA DataStore components, too. However, when a SESA Directory or SESA DataStore is installed remotely from the SESA Manager, you must install an additional SESA Agent to provide heartbeat monitoring between the SESA Manager and the other SESA component. Installing a SESA Agent for heartbeat monitoring on a Windows computer You run the SESA Installation Wizard to install the SESA Agent. To install the SESA Agent for heartbeat monitoring on a Windows computer 1 On the SESA Directory or SESA DataStore computer, start the SESA Installation Wizard. See Starting the SESA Installation Wizard on page When you are prompted to supply a location for temporary installation files, do one of the following: Accept the default location as long as it has 75 MB of free hard disk space available. Type a location or click Browse to find a different location that has 75 MB of hard disk space available. 3 In the Welcome to the SESA Installation panel, review the information, and then click Next. 4 In the SESA License Agreement panel, review the agreement, click I accept the agreement, and then click Next. If you don t accept the agreement, you exit the SESA Installation Wizard. 5 In the SESA Preinstallation Requirements Summary panel, confirm that you meet the requirements, and then click Next. 6 In the SESA Install Menu panel, click Advanced Options. 7 In the SESA Advanced Install Menu panel, click Install SESA Agent for Heartbeats. 8 In the Select Working Directory panel, accept the default directory (C:\SESA) or select another location. If you have a SESA component on this computer, this option will be unavailable and you must accept the existing working directory.

198 198 Installing SESA Installing the SESA Agent for heartbeat monitoring 9 In the Existing SESA Directory panel, do the following for the SESA DataStore to connect with the SESA Directory: SESA Directory Administrator Password IP Address Type the Directory Administrator password. The account name is in the form cn=<name> (by default, cn=root). An account with a password is required. Type the IP address of the computer on which the SESA Directory is installed. This can be the local computer or a remote computer. SESA Managers use this IP address to communicate with the SESA Directory. If connections to the SESA Directory computer are made using authenticated SSL, you must type the host name or FQDN of the computer instead of the IP address. Directory port number Type the secure listening port for the SESA Directory (by default, 636). SESA Managers use this port to communicate with the SESA Directory. 10 In the Domain Selection panel, confirm the name of the SESA administrative domain that you typed when you installed the SESA Directory. 11 In the SESA Agent panel, type the IP address of the SESA Manager to which the SESA Agent communicates. If connections to the SESA Manager computer are made using authenticated SSL, you must type the host name or FQDN of the computer instead of the IP address. 12 In the Agent Organizational Unit panel, select one of the following: Managers: Store information about the SESA Agent in the Managers organizational unit. Default: Store information about the SESA Agent in the Default organizational unit. You can view the organizational unit that you select in the Symantec management console. For more information, see the Symantec Management Console User s Guide. 13 In the SESA Agent Listen IP panel, do one of the following: If the Windows computer on which you are installing the SESA Manager also acts as a cluster server for Microsoft Windows Network Load Balancing, type the heartbeat IP address of the Microsoft Windows clustering technology.

199 Installing SESA Installing the SESA Agent for heartbeat monitoring 199 If the Windows computer on which you are installing the SESA Manager is not part of a Microsoft Windows Network Load Balancing system, confirm that the SESA Agent heartbeat IP address is The SESA Installation Wizard installs the SESA Agent on the computer on which you are running the wizard. 14 In the Operation Complete panel, click Next. 15 In the SESA Advanced Install Menu panel, click Main SESA Install Menu. 16 In the SESA Install Menu panel, click Exit the Installer. 17 When you are prompted to exit, click Yes. 18 In the SESA Installation Successful panel, click Finish to complete the SESA Agent installation. Installing a SESA Agent for heartbeat monitoring on a Solaris computer You must install a SESA Agent for heartbeat monitoring on the SESA DataStore computer if you are running the Oracle database server. If you have installed the SESA Directory on a Solaris computer that is remotely located from the SESA Manager, you must also install a SESA Agent for heartbeat monitoring on the SESA Directory computer. You run the SESA Installation Wizard on the Solaris computer on which you want to install the SESA Agent. However, you do not need to be physically located at this computer, as long as you can connect to it from another Solaris computer. To install the SESA Agent for heartbeat monitoring on a Solaris computer 1 On the SESA Directory or SESA DataStore computer, start the SESA Installation Wizard. See Starting the SESA Installation Wizard on page When you are prompted to supply a location for temporary installation files, do one of the following: Accept the default location as long as it has at least 75 MB of free hard disk space available. Type a location or click Browse to find a different location that has 75 MB of hard disk space available. 3 In the Welcome to the SESA Installation panel, review the information, and then click Next.

200 200 Installing SESA Installing the SESA Agent for heartbeat monitoring 4 In the SESA License Agreement panel, review the agreement, click I accept the agreement, and then click Next. If you don t accept the agreement, you exit from the SESA Installation Wizard. 5 In the SESA Preinstallation Requirements Summary panel, confirm that the computer to which you are installing is running Sun Solaris version 8 (64- bit). 6 In the SESA Install Menu panel, click Advanced Options. 7 In the SESA Advanced Install Menu panel, click Install SESA Agent for Heartbeats. 8 In the Select Working Directory panel, accept the default location (/opt/ Symantec/SESA) or select another location. If you have a SESA component on this computer, this option will be unavailable and you must accept the existing working directory. 9 In the Existing SESA Directory panel, do the following for the SESA DataStore to connect with the SESA Directory: SESA Directory Administrator Password IP Address Directory port number Type the Directory Administrator password. The account name is in the form cn=<name> (by default, cn=root). Type the IP address of the computer on which the SESA Directory is installed. This can be the local computer or a remote computer. SESA Managers use this IP address to communicate with the SESA Directory. If connections to the SESA Directory computer are made using authenticated SSL, you must type the host name or FQDN of the computer instead of the IP address. Type the secure listening port for the SESA Directory (by default 636). SESA Managers use this port to communicate with the SESA Directory. 10 In the Domain Selection panel, confirm the name of the SESA administrative domain that you typed when you installed the SESA Directory. 11 In the SESA Agent panel, type the IP address of the SESA Manager to which the SESA Agent communicates. If connections to the SESA Manager computer are made using authenticated SSL, you must type the host name or FQDN of the computer instead of the IP address.

201 Installing SESA Installing the SESA Agent for heartbeat monitoring In the Agent Organizational Unit panel, select one of the following: Managers: Store information about the SESA Agent in the Managers organizational unit. Default: Store information about the SESA Agent in the Default organizational unit. You can view the organizational unit that you select in the Symantec management console. For more information, see the Symantec Management Console User s Guide. 13 In the SESA Agent Listen IP panel, confirm that the SESA Agent heartbeat IP address is The SESA Installation Wizard installs the SESA Agent on the computer on which you are running the wizard. 14 In the Operation Complete panel, click Next. 15 In the SESA Advanced Install Menu panel, click Main SESA Install Menu. 16 In the SESA Install Menu panel, click Exit the Installer.

202 202 Installing SESA Installing the SESA Agent for heartbeat monitoring

203 Chapter 5 After you install SESA This chapter includes the following topics: Testing the installation Post-installation tasks Integrating security products with SESA Uninstalling SESA About reinstalling a SESA DataStore in Windows environments Testing the installation After installation, you can verify that you installed the appropriate components and that they are working properly. You can test the SESA installation by performing the following tasks: Verify that the installed services have started. Verify that the IBM HTTP Server is operating. Verify that the SESA servlets are operating. Examine the SESA logs for messages. Launching the Symantec management console The Symantec management console is launched from Windows, Solaris, and Linux computers via the supported Web browsers and Sun Java 2 Runtime Environments (J2REs) that are listed in Table 5-1.

204 204 After you install SESA Testing the installation Table 5-1 Supported Web browsers and remote computers Remote computer Supported Web browser Supported J2RE Windows 98 or later Microsoft Internet Explorer 5.5 with Service Pack 2 or 6.0 or Netscape Navigator 7.0x with the latest security patches applied J2RE 1.3.1_02 or 1.3.1_09 Solaris 7 or later Red Hat Linux 6.2/7.0/ 7.1/7.2 or later Netscape Navigator 7.0x with the latest security patches applied Netscape Navigator 7.0x with the latest security patches applied J2RE J2RE 1.3.1_02 or 1.3.1_09 Before you launch the Symantec management console, ensure that the appropriate Sun Java 2 Runtime Environment is installed on the computer that is running the Web browser. The J2RE includes the Java Plug-in product, which is required when running the Java 2 environment inside Netscape Navigator Web browsers. When installing Netscape Navigator on a Solaris or Linux computer, always install the patches first, followed by the Netscape Navigator software, and then the Java Plug-in product. The J2RE is included on the Windows and Solaris CD1 of the SESA Foundation Pack CD set in the UTILS\JRE directory. Launch the Symantec management console You can launch the Symantec management console remotely in an Internet browser on Windows, Solaris, or Linux platforms. On Windows, you can also launch the console locally on the SESA Manager computer. To launch the Symantec management console on a Windows computer 1 Do one of the following: Connect from a remote computer In a supported Microsoft Internet Explorer or Netscape Navigator browser window, type the URL for the SESA Manager, and then press Enter. For example: address, host name, or FQDN of SESA Manager computer>/sesa/ssmc If connections to the SESA Manager computer are made using authenticated SSL, you must type the host name or FQDN of the computer instead of the IP address.

205 After you install SESA Testing the installation 205 Connect from the SESA Manager computer On the Windows taskbar, click Start > Programs > Symantec Enterprise Security > Symantec Security Console. 2 Do one or both of the following: In the security alert message that warns you that you are about to view pages over a secure connection, click In the future, do not show this warning, and then click OK. If you have previously disabled this message, it does not appear. In the security alert message that informs you about your site s security certificate, click Yes. If you do not want this message to appear in the future, upgrade to selfsigned SSL certificates, or to fully authenticated, CA-signed SSL certificates (recommended). See Upgrading to authenticated, CA-signed certificates on page In the Logon window, type the name, password, and, optionally, the domain name for one of the following SESA accounts: SESA Administrator account SESA Domain Administrator account By default, the user name for this account is SESAdmin. This account has access rights to every SESA administrative domain on every SESA Manager computer. Therefore, you do not have to type a domain name when you log on to the Symantec management console using this account. This account has access rights to the administrative domain in which the SESA Manager is located. To log on to the administrative domain in which the SESA Manager is located, leave the Domain box empty. To log on to a different administrative domain or subdomain, type the domain name in either dotted or full notation. An example of full notation is: dc=symantec,dc=ses An example of dotted notation is: Symantec.SES 4 Click Login. 5 If you are asked whether you want to view both secure and nonsecure items, select one of the following: Yes No Because the browser is connecting over HTTPS (a secure connection), all items are secured, so selecting Yes or No yields the same results.

206 206 After you install SESA Testing the installation To launch the Symantec management console on a Solaris or Linux computer 1 In Netscape Navigator, type the URL for the SESA Manager, and then press Enter. For example, address, host name, or FQDN of the SESA Manager computer>/sesa/ssmc If connections to the SESA Manager computer are made using authenticated SSL, you must type the host name or FQDN of the computer instead of the IP address. 2 In the Website Certified By an Unknown Authority message that warns you that Netscape does not recognize your certificate, click Remember this certificate permanently, and then click Continue. If you have previously disabled this message, it does not appear. 3 Depending on the message that appears, do one of the following: In the Security Error Domain Name Mismatch message that informs you about your site s security certificate, click OK. This message appears whenever the certificate label does not match the name or IP address that you used in the URL of the Symantec management console. If you are currently using default, anonymous SSL, but typed the host name or FQDN in the URL, Netscape Navigator detects a mismatch because the certificate name is using the IP address of the SESA Manager computer instead. To avoid this message in the future, use the IP address in the URL, or upgrade to self-signed SSL certificates or to fully authenticated, CA-signed SSL certificates (recommended). See Upgrading to authenticated, CA-signed certificates on page 290. In the Security Warning message, click Alert me whenever I am about to view an encrypted page, and then click OK. 4 In the Logon window, type the name, password, and, optionally, the domain name for one of the following SESA accounts: SESA Administrator account By default, the user name for this account is SESAdmin. This account has access rights to every SESA administrative domain on every SESA Manager computer. Therefore, you do not have to type a domain name when you log on to the Symantec management console using this account.

207 After you install SESA Testing the installation 207 SESA Domain Administrator account This account has access rights to the administrative domain in which the SESA Manager is located. To log on to the administrative domain in which the SESA Manager is located, leave the Domain box empty. To log on to a different administrative domain or subdomain, type the domain name in either dotted or full notation. An example of full notation is: dc=symantec,dc=ses An example of dotted notation is: Symantec.SES 5 Click Login. Verifying that the installed services have started SESA installs several applications that run as services on Windows and daemons on Solaris. You can verify that they are successfully executing by checking the respective lists of currently running services or processes. Verify that the installed services have started Depending on the platform, you either verify that services or daemons have started. To verify that the installed services have started on Windows On the computer on which the services are installed, open the Windows Services Control Panel and verify that the corresponding services are listed and that their corresponding status is Started: Apache Tomcat DB2 (all services with a Startup Type of Automatic) IBM HTTP Server IBM Directory Server V4.1 SESA AgentStart Service To verify that the installed daemons have started on Solaris 1 On the computer on which the daemons are installed, become superuser. 2 To list the daemon processes that are currently running, at the command prompt, type the following command: ps -efu root

208 208 After you install SESA Testing the installation 3 In the display of processes that are shown, verify that the corresponding processes are listed for the daemons that you want to verify: Apache Tomcat /usr/j2sdk1_3_1_09/bin/../bin/sparc/ native_threads/java -server -verbosegc -Xms /usr j2sdk1_3_1_09/jre/bin/../bin/sparc/ native_threads/java -Dnetworkaddress.ca DB2 Oracle Database IBM HTTP Server db2sysc (multiple entries) ora_pmon_sesxxx opt/ibmhttpd/bin/httpd IBM Directory Server V4.1 bin/slapd -f /etc/slap32.conf SESA AgentStart Service opt/symantec/sesa/agent/agentd Note that these entries assume you have installed the components in their default directories. Your display may appear differently. Note also that seeing these processes listed is only a first-level verification, there may be other factors affecting their correct operation. However, if you do not see an entry for the process running, you can assume it was not successfully installed. Verifying that the IBM HTTP Server is operating You can verify that the IBM HTTP Server is installed and operating correctly by browsing to the IBM HTTP Server administrative interface. To verify that the IBM HTTP Server is operating on Windows or Solaris In a supported Internet browser, type one the following URLs: On the computer on which the IBM HTTP Server is installed, type: On a remote computer, type: Address of the HTTP Server> The IBM HTTP Server welcome page appears. Verifying that the SESA servlets are operating SESA servlets are components executing on the SESA Manager that are responsible for specific SESA tasks, such as logging or alerting. You verify that the SESA servlets are operating successfully by browsing to the corresponding servlet s location.

209 After you install SESA Testing the installation 209 To verify that the SESA servlets are operating in Windows or Solaris 1 In a supported Internet browser, type one of the following URLs: For Event Logger: For Alert Logger: For Config: If you are browsing to the SESA Manager from a remote computer, type the IP Address or FQDN of the SESA Manager instead of localhost. 2 To display the status page for the server, when prompted, type an administrator user name and password. Verifying that a shared schema is installed You can verify that the schema that the SESA Installation Wizard installs during SESA Manager installation has been successfully installed. To verify that a shared schema is installed 1 On the SESA Manager computer, in a supported Web browser, type the following URL: address of SESA Manager computer>/sipi/servlet/ sipi?action=indexinfo 2 When you are prompted to type a user name and password, type the user name and password for the SESA Domain Administrator. 3 In the SIP Service Web page, in the Package Info drop-down box, select Installed Domain Packages, and then click Go. This option detects that all shared schemas have been successfully deployed to the SESA administrative domain or domains. 4 If necessary, scroll to the Status tables. 5 Verify that the Package Status column in all of the Status tables shows a green Installed in each row. If one or more displays a Failed status, or a Pending status stays without resolving to an Installed status after five minutes, you can view deployment or removal information in the SIP Servlet logs or the Symantec management console. See To view SIP Service logs on page Exit the Web browser.

210 210 After you install SESA Testing the installation Examining the SESA logs for messages SESA maintains ongoing status logs for its components. You can use these logs to verify successful operation and to troubleshoot problems. If you see any exceptions or other issues written to these logs, you can call Symantec Technical Support. To examine the SESA logs for messages 1 At the command prompt, change directories to the location of the logs that you specified during installation. By default the directory is: C:\SESA\<computer name>\<component>\logs on a Windows machine /opt/symantec/sesa/<computer name>/<component>/logs on a Solaris machine 2 Open and examine the logs in each of the following subfolders: Admin Alert Bootstrap command Config DirMgrAPI Event heartbeat Inventory InventoryQueue Manager_LiveUpdate Notification ses_manager SIPI SIPIConfigurationLoader State

211 After you install SESA Post-installation tasks At the command prompt, change directories to the location of the SESA Agent logs. The default location on Windows computers is C:\SESA\Agent. The default location on Solaris computers is /opt/symantec/sesa/agent. 4 Open and examine the following logs: Post-installation tasks AgentStart.log (For routine startup information) sesa-agent.log (For SESA Agent operation) uninst.log (After removing SESA components) 5 If you notice what appear to be error messages in the sesa-agent.log file, compare the messages to the following: Error: no management server defined Error: no management server defined Created HttpServer object on :8086 with 6 threads. SymcProvider.initialize: finished initialization; using interface Contents changed - saving sesaagent.svc Shut down complete SESA Agent (v ) - Copyright(c) Symantec Corporation Created HttpServer object on :8086 with 6 threads. SymcProvider.initialize: finished initialization; using interface StateProxy::exec() -- error. Connection refused: connect Disregard any messages that match the text above. They do not indicate problems. After you install SESA, ensure that you do the following: Install additional SESA domains, as necessary. See Installing additional SESA domains on page 212. Deploy SESA Directory replicas if you have added a new SESA domain after installing SESA Directory replicas. See Deploying SESA Directory replicas on page 219. Configure SESA to generate SNMP alert responses as necessary. See Configuring SESA to generate SNMP alert responses on page 219.

212 212 After you install SESA Post-installation tasks Upgrade the IBM HTTP Server version with the latest security patches that are available from Apache. Ensure that you install the proper version-specific patches. Edit the security properties of Windows 2000 folders on the applicable SESA Manager computers. By default, SESA gives everyone access to the SESA Manager folders in the SESA Directory on the SESA Manager computer. Similarly, SESA gives full permissions to everyone who accesses the IBM HTTP Server, IBM DB2, and IBM Directory Server folders. Only the administrators group needs access to the SESA Manager and other third-party component folders. Therefore, you may want to edit the security properties of the folders in Windows 2000 to restrict permissions to them. Back up the SESA DataStore. See Data backup and recovery on page 339. Maintain SESA data. See SESA Data Maintenance Tool on page 347. See Data maintenance on page 366. Tune database performance, as necessary. See Oracle database performance tuning on page 380. See IBM DB2 database performance tuning on page 377. Installing additional SESA domains By default, at least one administrative domain is installed when you install your SESA Manager. You can install additional domains; however, each domain must have at least one SESA Manager associated with it. You can also install subdomains under top-level domains. You install the additional domains and subdomains on the SESA Manager computer using the SESA Installation Wizard. You can uninstall SESA domains and subdomains using the SESA Uninstallation Wizard. See Uninstalling SESA on page 238. Install additional SESA domains You can use the SESA Installation Wizard to install an additional top-level domain on a Windows or Solaris computer. If you install a new top-level domain, and one or more replica SESA Directories that already exist, you must manually copy the domain name suffix of the newly added top-level domain to the replica SESA Directory or SESA Directories before you can complete the installation of the additional top-level domain.

213 After you install SESA Post-installation tasks 213 You can also install a subdomain under any top-level domain. Warning: Any time that you modify the configuration of a SESA Directory or replica SESA Directory on the Windows platform, such as when you add a domain name suffix of a new top-level domain to an existing replica SESA Directory, you must first grant administrative privileges to the Web Server account. After you modify the configuration, you can remove the administrative privileges from the Web Server account. Always restart the IBM HTTP Server after adding or removing privileges. See Starting and stopping the IBM Directory Server on page 320. To install an additional SESA domain on a Windows or Solaris computer 1 On the SESA Directory computer, start the SESA Installation Wizard. See Starting the SESA Installation Wizard on page When you are prompted to supply a location for temporary installation files, do one of the following: Accept the default location as long as it has 75 MB of free hard disk space available. Type a location or click Browse to find a different location that has 75 MB of hard disk space available. 3 In the introductory wizard panels, review and type the requested information, and then click Next. 4 In the SESA Install Menu panel, click Advanced Options. 5 In the SESA Advanced Install Menu panel, click Create New Domain. 6 In the Select Working Directory panel, click Next. Because you have a previously existing SESA component on this computer, this option is dimmed and you must accept the already existing working directory.

214 214 After you install SESA Post-installation tasks 7 In the Existing SESA Directory window, for the SESA DataStore to connect with the SESA Directory, do the following: SESA Directory Administrator Name SESA Directory Administrator Password IP Address Directory port number Type the name for the IBM Directory Server administrator account in the form cn=<name> (by default, cn=root). Type the Directory Administrator password. Type the IP address of the computer on which the SESA Directory is installed. This can be the local computer or a remote computer. SESA Managers use this IP address to communicate with the SESA Directory. If connections to the SESA Directory computer are made using authenticated SSL, you must type the host name or FQDN of the computer instead of the IP address. Type the secure listening port for the SESA Directory (by default, 636). SESA Managers use this port to communicate with the SESA Directory. 8 In the Create New Domain panel, do one of the following: If the panel contains a domain field, skip to step 9. If the panel contains text instructions, you must manually add domain suffixes for each replica SESA Directory. The text instructions appear because the wizard has detected that replicas exist for the SESA Directory in which you are installing the new domain. You must manually add the suffix to the replicas before you can continue with the new domain installation. 9 In the Create New Domain panel, type the name of the new SESA administrative domain that you want to add to the SESA Directory. The SESA administrative domain name will appear in the Symantec management console navigational tree as the top-level administrative domain.

215 After you install SESA Post-installation tasks In the SESA Directory Domain Administrator panel, do the following: Domain Administrator Domain Administrator Password Type or confirm the name for the SESA Domain Administrator account. This account provides access to its associated SESA administrative domain. Use this Domain Administrator name and password to log on to a particular SESA administrative domain (and SESA Manager) after the SESA installation is complete. Type or confirm the Domain Administrator password. It must be between six and twelve alphanumeric characters. Select Preferred Language Type or confirm the Language of the SESA Manager. The default language is English. If you install non-english security products, you must install them in the same language as the SESA Manager. The SESA Installation panel reports the status of components being installed using the specified logons, passwords, paths, and ports information. 11 In the Operation Complete panel, click Next. 12 In the SESA Install Menu panel, click Exit SESA Installer, and then click Next. 13 In the SESA Installation Successful panel, to exit the SESA Installation Wizard, click Finish. To manually copy a domain name suffix to each replica SESA Directory 1 Do one of the following: If you are physically located at the replica SESA Directory Windows computer, log on using the appropriate administrative privileges. If you are physically located at the replica SESA Directory Solaris computer, become superuser. If you are located at a remote Solaris computer, you must initiate a Telnet session with the replica SESA Directory computer, and then export a display. See Connecting to a remote Solaris computer and exporting its display on page On the replica SESA Directory computer, stop the IBM Directory Server. To stop the IBM Directory Server, you use the IBM Directory Server Web Admin interface. See Starting and stopping the IBM Directory Server on page 320.

216 216 After you install SESA Post-installation tasks 3 To log on to the master SESA Directory computer do one of the following: If you are physically located at the master SESA Directory Windows computer, log on using the appropriate administrative privileges. If you are physically located at the master SESA Directory Solaris computer, become superuser. If you are located at a remote Solaris computer, you must initiate a Telnet session with the master SESA Directory computer, and then export a display. See Connecting to a remote Solaris computer and exporting its display on page On the master SESA Directory, in a text editor, open the Slapd32.conf configuration file. On Windows computers, the default location is C:\Program Files\IBM\LDAP\etc\slapd32.conf. On Solaris computers, the default location is /opt/ibmldaps/etc/ slapd32.conf. 5 In the configuration file, search for the section that begins with the following characters: dn: cn=directory 6 Locate the last three lines of this section. Each line starts with the following text: ibm-slapdsuffix: This text represents the suffixes that are added by SESA. 7 Copy the three lines to the same location in the Slapd32.conf file on the replica SESA Directory computer. 8 Restart the IBM Directory Server. See Starting and stopping the IBM Directory Server on page Repeat steps 1 through 8 for each replica computer. 10 Continue with step 8 of To install an additional SESA domain on a Windows or Solaris computer on page 213.

217 After you install SESA Post-installation tasks 217 To install an additional SESA subdomain on a Windows or Solaris computer 1 On the SESA Directory computer, start the SESA Installation Wizard. See Starting the SESA Installation Wizard on page When you are prompted to supply a location for temporary installation files, do one of the following: Accept the default location as long as it has 75 MB of free hard disk space available. Type a location or click Browse to find a different location that has 75 MB of hard disk space available. 3 In the introductory wizard panels, review and type the requested information, and then click Next. 4 In the SESA Install Menu panel, click Advanced Options. 5 In the SESA Advanced Install Menu panel, click Create New Subdomain. 6 In the Select working Directory panel, click Next. Because you have a previously existing SESA component on this computer, this option is dimmed and you must accept the already existing working directory. 7 In the Existing SESA Directory panel, for the SESA DataStore to connect with the SESA Directory, do the following: SESA Directory Administrator Password IP Address Directory port number Type the Directory Administrator password. The password for the account cn=<name> (by default, cn=root) is required. Type the IP address of the computer on which the SESA Directory is installed. This can be the local computer or a remote computer. SESA Managers use this IP address to communicate with the SESA Directory. If connections to the SESA Directory computer are made using authenticated SSL, you must type the host name or FQDN of the computer instead of the IP address. Type the secure listening port for the SESA Directory (by default, 636). SESA Managers use this port to communicate with the SESA Directory.

218 218 After you install SESA Post-installation tasks 8 In the Create New Subdomain panel, do the following: Select the parent domain of the subdomain that you are going to create. Type the name of the new subdomain without the extension.ses. High-ASCII characters are allowed, but do not use special characters such #, $, %, ^, &, and *, or characters from a double-byte character set (DBCS). The SESA administrative domain name and extension appear in the Symantec management console navigational tree as a subdomain of the selected parent domain. 9 In the SESA Directory Domain Administrator panel, do the following: Domain Administrator Domain Administrator Password Type or confirm the name for the SESA Domain Administrator account. This account provides access to its associated SESA administrative domain. Use this Domain Administrator name and password to log on to a particular SESA administrative domain (and SESA Manager) after the SESA installation is complete. Type or confirm the Domain Administrator password. It must be between six and twelve alphanumeric characters. Select Preferred Language Type or confirm the Language of the SESA Manager. The default language is English. If you install non-english security products, you must install them in the same language as the SESA Manager. The SESA Installation Wizard reports the status of components being installed using the specified logons, passwords, paths, and ports information. 10 In the Operation Complete panel, click Next. 11 In the SESA Install Menu panel, click Exit SESA Installer, and then click Next. 12 In the SESA Installation Successful panel, to exit the SESA Installation Wizard, click Finish.

219 After you install SESA Post-installation tasks 219 Deploying SESA Directory replicas When you install a replica SESA Directory, it is only visible from the SESA administrative domain to which it was originally installed. If you want to make an installed SESA Directory replica visible in another SESA domain or subdomain, you must deploy the replica to the other domains. You can do this using the Deploy SESA Directory replicas option in the SESA Installation Wizard. You must deploy one SESA Directory at a time. Repeat the process for each additional replica that requires deployment. To deploy a SESA Directory replica to another domain on Windows or Solaris computers 1 On the computer on which the SESA Directory for the replica SESA Directory is installed, start the SESA Installation Wizard. See Starting the SESA Installation Wizard on page Follow the on-screen instructions until the SESA Install Menu panel appears. 3 In the SESA Install Menu panel, click Advanced Options. 4 In the SESA Advanced Install Menu panel, click Deploy Directory Replicas. 5 In the Existing SESA Directory panel, type the SESA Directory Administrator password. This account has a user name in the form cn=<name> (by default, cn=root). 6 In the Installed Directory Replicas panel, check the replica to deploy. 7 In the Installed SESA Domains panel, check the SESA administrative domain or domains to which to deploy the SESA Directory replica. 8 Wait while the SESA Installation Wizard reports the progress of the deployment. 9 In the Operation Complete panel, click Next. 10 In the SESA Install Menu panel, click Exit SESA Installer, and then click Next. 11 In the SESA Installation Successful panel, to exit the SESA Installation Wizard, click Finish. Configuring SESA to generate SNMP alert responses If you want SESA to generate SNMP alert responses, you must install the appropriate version of Management Information Base (MIB) to your SNMP

220 220 After you install SESA Post-installation tasks console. The SESA Foundation Pack CD1 (Windows or Solaris) contains four Version 1 and Version 2 MIB files each. Configure SESA to generate SNMP alert responses Depending on the version that your SNMP console uses, you must install one version set of MIBs on your SNMP console. After you install the MIBs to your SNMP console, you can configure the Symantec management console to use the MIBs. To install the MIB version set on your SNMP console 1 On the computer on which your SNMP console is installed, insert the SESA Foundation Pack CD1 into the CD-ROM drive. 2 If you are at a Solaris computer, mount the CD. 3 Do one of the following: On Windows computers, at the command prompt, change directories to the UTILS/MIB directory in which the two sets of MIB files are stored. On Solaris computers, in the Terminal, change directories to the UTILS/MIB directory in which the two sets of MIB files are stored. 4 Depending on which version set that your SNMP console requires, install either all Version 1 or Version 2 files. For more information, see the SNMP console documentation. To configure the Symantec management console to use the MIBs 1 In an Internet browser, type the following URL: Address, host name, or FQDN of SESA Manager computer>/ sesa/ssmc If connections to the SESA Manager computer are made using authenticated SSL, you must type the host name or FQDN of the computer instead of the IP address. 2 Log on to the Symantec management console using the rights of the SESA Domain Administrator. 3 In the Symantec management console, on the Configurations view tab, expand the desired domain. 4 Under the domain, expand SESA > SESA Manager Components Configuration > Default. 5 In the right pane, on the SNMP tab, in the Host value box, type the IP address of the SNMP listener. 6 In the Port value box, type the port number of the SNMP listener.

221 After you install SESA Integrating security products with SESA Do one of the following: If you are using Version 1 MIBs, ensure that the Version one value is True. If you are using Version 2 MIBs, in the Version box, type False 8 Click Apply. When you create an alert, you can now specify SNMP as an additional notification. Integrating security products with SESA Depending on the security product and its version, you may be required to do one or more of the following to enable SESA to recognize and log events from a product: Run a SESA Integration Wizard. Install collector software. The wizard installs the product s SESA Integration Package (SIP). The product SIP contains the configuration settings and event schemas that SESA requires to recognize and log events from a product. Depending on the product, the SESA Integration Package may be provided via a Symantec Event Manager, Symantec Event Collector, the security product itself, or the Symantec Relay or Bridge. The collector software gathers the events that are generated by the product. Only some products require collector software. Typically, those that do use a Symantec Event Manager, Symantec Event Collector, or other type of collector to install the SIP, SESA Agent, and any other required components for product integration. Run the Deploy/ Remove SESA Manager Extensions Wizard in the Symantec management console. Some SIPs also contain product UI extensions, Bridges, or Relays. Collectively these software components are called Manager extensions. UI extensions extend the Symantec management console to include a graphical user interface for a product. Bridges and Relays connect SESA to another product, which allows SESA to send events to the product. When a SIP contains one of these additional components, you must deploy (and remove) the component using a separate Deploy/Remove SESA Manager Extensions Wizard in the Symantec management console. For more information on using the Deploy/Remove SESA Manager Extensions Wizard, see the Symantec Management Console User s Guide.

222 222 After you install SESA Integrating security products with SESA Install the SESA Agent. The SESA Agent passes events from the product to the SESA Manager for insertion into the SESA DataStore. Depending on the product, the SESA Agent may be provided with the product itself or an Agent Installer that comes with the product. The Agent may also be provided by a Symantec Event Manager, Symantec Event Collector, or other type of collector. A few products may require you to install the SESA Agent manually. SESA 2.0 provides a SESA Integration Wizard (and underlying SESA Integrated Installer program) that lets you install the SESA Integration Package to any SESA 2.0 Manager. Note: Some product versions must use a version of the SESA Integration Wizard earlier than the 2.0 version. For more information, see the Symantec product documentation. About SESA Integration Package deployment in SESA 2.0 The SESA 2.0 Integration Wizard lets you install a SESA 2.0 Integration Package (2.0 SIP) to multiple SESA administrative domains. By running the SESA 2.0 Integration Wizard only once, the SIP is installed to the selected SESA Directory domains and to all SESA DataStores. The SESA DataStores are updated with the 2.0 SIP data according to a schedule that you can modify in the Symantec management console. Note: You cannot use the SESA 2.0 Integration Wizard to install a SESA 1.1 Integration Package. If you do, the 2.0 Wizard displays a message prompting you to confirm that the correct SIP version is being used, and you cannot proceed with the installation. You must use the SESA 1.1 Integration Wizard. See About using version 1.1 SESA Integration Packages with SESA 2.0 on page 224. If a 2.0 SIP also contains a data package that requires installation on the SESA Manager, it must be deployed after the 2.0 SIP is deployed. Data packages that require installation on a SESA Manager are called Manager Extensions. Manager Extensions can include Symantec Relays, Bridges, or UI extensions to SESA Managers. You deploy them with the Deploy/Remove SESA Manager Extensions Wizard in the Symantec management console.

223 After you install SESA Integrating security products with SESA 223 For more information on scheduling deployment time and the Deploy/Remove SESA Manager Extensions Wizard, see the Symantec Management Console User s Guide. Note: When you use the Deploy/Remove SESA Manager Extensions Wizard to deploy Manager Extensions to SESA Managers, at least one SESA 2.0 Manager must be available in the SESA domain. If the domain does not have a SESA 2.0 Manager, you must upgrade a SESA 1.1 Manager in the SESA domain to a SESA 2.0 Manager. For more information on upgrading SESA components, see the Symantec Enterprise Security Architecture Migration Guide. You can also force a SIP or Manager extension deployment in the SIP Service Web page. See Forcing a SESA Integration Package deployment on page 234. About maintaining SIP deployments When a new SESA DataStore is installed or an existing SESA DataStore comes online again, a master SIP service updates the SESA DataStore with the current SIP integration data. The same process occurs when an existing SESA Manager comes online again. However, if you install a new SESA Manager, you must run the Deploy/Remove SESA Manager Extensions Wizard to update the new SESA Manager with the SIP data. Similarly, if you install an additional SESA domain after a SIP installation, you must run the SESA 2.0 Integration Wizard again if you want the product to be integrated into the new domain. The SESA 2.0 Integration Wizard also lets you remove deployed SIPs. When you use this wizard to remove SIPs, it removes the complete product from SESA, including any product data that was generated by the product. The Deploy/ Remove SESA Manager Extensions Wizard removes only the Manager Extensions. After the SIPs are installed by the SESA 2.0 Integration Wizard, they can be updated by LiveUpdate. You may want to configure a SESA alert for SIP installations that fail. For more information on configuring alerts, see the Symantec Management Console User s Guide.

224 224 After you install SESA Integrating security products with SESA About using version 1.1 SESA Integration Packages with SESA 2.0 SESA 2.0 is backward compatible with all SESA 1.1 Integration Packages (SIPs). However, because SESA 2.0 provides features that are not available in SESA 1.1, the following SESA 2.0 features are not available when you use a SESA 1.1 Integration Package to integrate a security product with SESA 2.0: Multiple SESA DataStores Heartbeat monitoring at the security product Multiple SESA administrative domains SESA Managers, Directories, or DataStores that run on a Solaris platform SESA DataStores that run on an Oracle database To access these features in SESA 2.0, you must integrate the security product with a SESA 2.0 Integration Package. However, you cannot use the SESA 2.0 Integration Wizard to install a SESA 1.1 Integration Package. If you do, the 2.0 Wizard displays a message prompting you to confirm that the correct SIP version is being used., and you cannot proceed with the installation. You must use the SESA 1.1 SESA Integration Wizard. In addition, when you install a 1.1 SIP to an installation with multiple SESA Managers, and the 1.1 SIP contains Manager Extensions, you must run the SESA 1.1 Integration Wizard on each SESA Manager. Warning: Because of possible unexpected results, do not remove a 1.1 SESA Integration Package using the SESA 1.1 Integration Wizard uninstall program. For more information on uninstalling a version 1.1 SIP, contact Symantec Technical Support. Deploying or removing a SESA Integration Package on a SESA Manager Windows computer The SESA 2.0 Integration Wizard lets you deploy or remove SESA Integration Packages (SIPs) from any Windows computer on which a SESA Manager is installed. During installation, the wizard prompts you for the location of your product SIP. Depending on the product, its SIP may be included with the product itself, a Symantec Event Manager, Symantec Event Collector, or other distribution media.

225 After you install SESA Integrating security products with SESA 225 For more information on how to obtain the SIP for your product, see your product documentation or your Symantec Event Collector or other collector documentation. Warning: Your event data will be unavailable after you remove a SIP. Consider purging, moving, or copying important data before you uninstall the SIP. See SESA Data Maintenance Tool on page 347. One possible reason that the SESA Integration Wizard may fail to complete the removal of a SIP is because an option called Delete user data is unchecked in the Symantec management console. When you remove a product SIP, any event data generated by the product is also removed. For more information, see the Symantec management console online Help or the Symantec Management Console User s Guide. Deploy or remove a SESA Integration Package on a SESA Manager Windows computer On a Windows computer, you can use the SESA Integration Wizard to deploy or remove a SIP. If you are installing a Manager extension, you must also run the Deploy/Remove SESA Manager Extensions Wizard in the Symantec management console to deploy the Relay, Bridge, or UI extension. For more information on using the Deploy/Remove SESA Manager Extensions Wizard, see the Symantec Management Console User s Guide. Before you deploy SESA Integration Packages, ensure that the JSSE.jar, Jcert.jar, and Jnet.jar files reside in the <J2RE Home>\Lib\Ext directory on the SESA Manager computer. To deploy a SESA Integration Package to a SESA Manager Windows computer 1 On a Windows computer on which a SESA Manager is installed, on the Windows taskbar, click Start > Symantec Enterprise Security > Register SESA Integrated Product. 2 In the Welcome to the SESA Integration Wizard panel, click Next. 3 In the SESA Integration Requirements panel, verify that the JVM is configured to run Secure Sockets Layer (SSL) by ensuring that the JSSE.jar, Jcert.jar, and Jnet.jar files reside in the <J2RE Home>\Lib\Ext directory on the SESA Manager computer.

226 226 After you install SESA Integrating security products with SESA 4 In the SESA Directory Domain Administrator Information panel, do the following: SESA Directory Domain Administrator Name SESA Directory Domain Administrator Password Log on to domain (in dotted notation) Host Name or IP Address of SESA Directory Secure Directory Port Type the name for the SESA Domain Administrator account. This account provides access to its associated SESA administrative domain. Type the Directory Domain Administrator password. Type the SESA administrative domain. An example of dotted notation is: NorthAmerica.SES Do one of the following: If SESA is using default, anonymous SSL communications, type the IP address of the computer on which the SESA Directory is installed (it may be the same as the SESA Manager IP address if they are installed on the same computer). If SESA is using authenticated SSL communications, type the host name of the SESA Directory computer. For example, mycomputer.com. Type the number of the SESA Directory SSL port (by default, 636). 5 In the SESA Integration Package to Install panel, type or browse to the location in which the SESA Integration Package (SIP) for your product is located. SIPs are files with the extension of.sip. 6 In the Request Immediate Undeployment/Removal of SIP panel, check one of the following: Deploy or remove the SIP at a scheduled time: Deploys the SIP at the time that is specified in the Deploy time option in the Symantec management console. The default setting for Deploy time is every Saturday and Sunday at 2:00 P.M. GMT. For instructions on changing the default setting, see the Symantec Management Console User s Guide. Deploy or remove the SIP immediately: Queues the SIP for immediate deployment to the SESA Directory and SESA DataStores.

227 After you install SESA Integrating security products with SESA Do one of the following: To restart the Web services at the time that is specified in the Symantec management console, ensure that If necessary, restart the Web server is unchecked. The default setting for restarting the Web server is every Saturday and Sunday at 2:00 P.M. GMT. For instructions on changing the default setting, see the Symantec Management Console User s Guide. To restart the Web services immediately after the wizard completes, check If necessary, restart the Web server. SESA 2.0 uses a version of the Apache Tomcat Web servlet that restarts automatically, regardless of whether you check this option. 8 In the Select the Domains panel, check the SESA administrative domains to which you want to install the SIPs. If you receive a warning during SIP installation that reports Master SIP Servlet not found, a SESA Manager was not installed in the domain or subdomain you selected. A SESA Manager that is installed to a top-level domain is never installed to any subdomains. Ensure that all top-level and subdomains that you select for SIP deployment have SESA Managers installed before you deploy a SIP. See Installing the SESA Manager on a Windows computer on page 188. A warning message that reports Unable to ping Master SIP Servlet means that the network connection has failed. 9 Follow the on-screen instructions until you reach the SESA Integration Successful panel. 10 To complete the SESA Integration Wizard, click Finish. If your product is a Relay, Bridge, or comes with UI extensions to install in the Symantec management console, you must run the Deploy/Remove SESA Manager Extensions Wizard in the Symantec management console to install these components. For instructions on using the Deploy/Remove SESA Manager Extensions Wizard, see the Symantec Management Console User s Guide.

228 228 After you install SESA Integrating security products with SESA To remove a SESA Integration Package from a SESA Manager Windows computer 1 On a Windows computer on which a SESA Manager is installed, on the Windows taskbar, click Start > Symantec Enterprise Security > Unregister SESA Integrated Product. 2 In the Welcome to the SESA Integration Wizard panel, click Next. 3 In the SESA Integration Requirements panel, click Next. 4 In the SESA Directory Domain Administrator Information panel, do the following: SESA Directory Domain Administrator Name SESA Directory Domain Administrator Password Log on to domain (in dotted notation) Host Name or IP Address of SESA Directory Secure Directory Port Type the name for the SESA Domain Administrator account. This account provides access to its associated SESA administrative domain. Type the Directory Domain Administrator password. Type the SESA administrative domain. An example of dotted notation is: Symantec.SES Do one of the following: If SESA is using default, anonymous SSL communications, type the IP address of the computer on which the SESA Directory is installed (it may be the same as the SESA Manager IP address if they are both installed on the same computer). If SESA is using authenticated SSL communications, type the host name of the SESA Directory computer. For example, mycomputer.com. Type the number of the SESA Directory SSL port (by default, 636). 5 In the SESA Integration Package to Uninstall panel, type or browse to the location in which the SESA Integration Package (SIP) for your product is located. SIPs are files with the extension.sip.

229 After you install SESA Integrating security products with SESA In the Request Immediate Undeployment/Removal of SIP panel, check one of the following: Deploy or remove the SIP at a scheduled time: Removes the SIP at the time that is specified in the Deploy time option in the Symantec management console. The default setting for Deploy time is every Saturday and Sunday at 2:00 P.M. GMT. For instructions on changing the default setting, see the Symantec Management Console User s Guide. Deploy or remove the SIP immediately: Queues the SIP for immediate removal from the SESA Directory and SESA DataStores. 7 To restart the Web services after the wizard completes, check If necessary, restart the Web server. SESA 2.0 uses a version of the Apache Tomcat Web servlet that restarts automatically, regardless of whether you check this option. 8 In the Select the Domains panel, check the SESA administrative domains from which you want to remove the SIPs. 9 Follow the on-screen instructions until you reach the SESA Integration Successful panel. 10 To complete the SESA Integration Wizard, click Finish. Deploying or removing a SESA Integration Package on a SESA Manager Solaris computer You can run a SESA 2.0 Integration Wizard remotely or locally from a SESA Manager Solaris computer to deploy SESA Integration Packages (SIPs) on SESA Managers. During installation, the wizard prompts you for the location of your product SIP. Depending on the product, its SIP may be included with the product itself, a Symantec Event Manager, Symantec Event Collector, or other distribution media. For more information on how to obtain the SIP for your product, see your product documentation or your Symantec Event Collector or other collector software documentation. Warning: Your event data will be unavailable after you remove a SIP. Consider purging, moving, or copying important data before you uninstall the SIP. See SESA Data Maintenance Tool on page 347.

230 230 After you install SESA Integrating security products with SESA Deploy or remove a SESA Integration Package on a SESA Manager Solaris computer On a Solaris computer, you can use the SESA Integration Wizard to deploy or remove a SIP. If you are installing a Relay or Bridge, or your product comes with a Symantec management console UI extension, you must also run the Deploy/ Remove SESA Manager Extensions Wizard in the Symantec management console to deploy the Relay, Bridge, or UI extension. For more information on using the Deploy/Remove SESA Manager Extensions Wizard, see the Symantec Management Console User s Guide. Before deploying SESA Integration Packages, ensure that the JSSE.jar, Jcert.jar, and Jnet.jar files reside in the <J2RE Home>/lib/ext directory on the SESA Manager computer. Warning: To deploy SESA Integration Packages from a SESA Manager Solaris computer to Windows computers, the SESA Manager Solaris computer must have the IBM DB2 Runtime Client installed on it. See Installing an IBM DB2 Runtime Client on a Solaris computer on page 133. To deploy a SESA Integration Package on a SESA Manager Solaris computer 1 Do one of the following: If you are physically located at the SESA Manager Solaris computer, become superuser. If you are located at a remote Solaris computer, you must initiate a Telnet session with the master SESA Directory computer, and then export a display. See Connecting to a remote Solaris computer and exporting its display on page On the Solaris computer, in the SESA Manager Terminal window, change directories to the sesa/sipi directory on the SESA Foundation Pack Solaris CD1. 3 To launch the SESA Integration Wizard, type the following command: java -jar setup.jar 4 In the Welcome to the SESA Integration Wizard panel, click Next. 5 In the SESA Integration Requirements panel, verify that the JVM is configured to run Secure Sockets Layer (SSL) by ensuring that the JSSE.jar, Jcert.jar, and Jnet.jar files reside in the <J2RE Home>/lib/ext directory on the SESA Manager computer.

231 After you install SESA Integrating security products with SESA In the SESA Directory Domain Administrator Information panel, do the following: SESA Directory Domain Administrator Name SESA Directory Domain Administrator Password Log on to domain (in dotted notation) Host Name or IP Address of SESA Directory Secure Directory Port Type the name for the SESA Domain Administrator account. This account provides access to its associated SESA administrative domain. Type the Directory Domain Administrator password. Type the SESA administrative domain. An example of dotted notation is: Symantec.SES Do one of the following: If SESA is using default, anonymous SSL communications, type the IP address of the computer on which the SESA Directory is installed (it may be the same as the SESA Manager IP address if they are both installed on the same computer). If SESA is using authenticated SSL communications, type the host name of the SESA Directory computer. For example, mycomputer.com. Type the number of the SESA Directory SSL port (by default, 636). 7 In the SESA Integration Package to Install panel, type or browse to the location in which the SESA Integration Package (SIP) for your product is located. SIPs are files with the extension.sip. 8 In the Request Immediate Undeployment/Removal of SIP panel, check one of the following: Deploy or remove the SIP at a scheduled time: Deploys the SIP at the time that is specified in the Deploy time option in the Symantec management console. The default setting for Deploy time is every Saturday and Sunday at 2:00 P.M. GMT. For instructions on changing the default setting, see the Symantec Management Console User s Guide. Deploy or remove the SIP immediately: Queues the SIP for immediate deployment to the SESA Directory and SESA DataStores. 9 To restart the Web services after the wizard completes, check If necessary, restart the Web server. SESA 2.0 uses a version of the Apache Tomcat Web servlet that restarts automatically, regardless of whether you check this option.

232 232 After you install SESA Integrating security products with SESA 10 In the Select the Domains panel, check the SESA administrative domains to which you want to install the SIPs. If you receive a warning during SIP installation that reports Master SIP Servlet not found, a SESA Manager was not installed in the domain or subdomain you selected. A SESA Manager that is installed to a top-level domain is never installed to any subdomains. Ensure that all top-level and subdomains that you select for SIP deployment have SESA Managers installed before you deploy a SIP. See Installing the SESA Manager on a Windows computer on page 188. A warning message that reports Unable to ping Master SIP Servlet means that the network connection has failed. 11 Follow the on-screen instructions until you reach the SESA Integration Successful panel. 12 To complete the SESA Integration Wizard, click Finish. If your product is a Relay, Bridge, or comes with UI extensions to install in the Symantec management console, you must run the Deploy/Remove SESA Manager Extensions Wizard in the Symantec management console to install these components. For instructions on using the Deploy/Remove SESA Manager Extensions Wizard, see the Symantec Management Console User s Guide. To remove a SESA Integration Package from a SESA Manager Solaris computer 1 Do one of the following: If you are physically located at the SESA Manager Solaris computer, become superuser. If you are located at a remote Solaris computer, initiate a Telnet session with the master SESA Directory computer, and then export a display. See Connecting to a remote Solaris computer and exporting its display on page On the Solaris computer, in the SESA Manager Terminal window, change directories to the sesa/sipi directory, which is located in the SESA working directory. The default location is opt/symantec/sesa /sipi. 3 To launch the SESA Integration Wizard in uninstall mode, type the following command: java -jar setup.jar -r 4 In the SESA Integration Requirements panel, click Next.

233 After you install SESA Integrating security products with SESA In the SESA Directory Domain Administrator Information panel, do the following: SESA Directory Domain Administrator Name SESA Directory Domain Administrator Password Log on to domain (in dotted notation) Host Name or IP Address of SESA Directory Secure Directory Port Type the name for the SESA Domain Administrator account. This account provides access to its associated SESA administrative domain. Type the Directory Domain Administrator password. Type the SESA administrative domain. An example of dotted notation is: Symantec.SES Do one of the following: If SESA is using default, anonymous SSL communications, type the IP address of the computer on which the SESA Directory is installed (it may be the same as the SESA Manager IP address if they are both installed on the same computer). If SESA is using authenticated SSL communications, type the host name of the SESA Directory computer. For example, mycomputer.com. Type the number of the SESA Directory SSL port (by default, 636). 6 In the SESA Integration Package to Uninstall panel, type or browse to the location in which the SESA Integration Package (SIP) for your product is located. SIPs are files with the extension.sip. 7 In the Request Immediate Undeployment/Removal of SIP panel, check one of the following: Deploy or remove the SIP at a scheduled time: Removes the SIP at the time that is specified in the Deploy time option in the Symantec management console. The default setting for Deploy time is every Saturday and Sunday at 2:00 P.M. GMT. For instructions on changing the default setting, see the Symantec Management Console User s Guide. Deploy or remove the SIP immediately: Queues the SIP for immediate removal from the SESA Directory and SESA DataStores. 8 To restart the Web services after the wizard completes, check If necessary, restart the Web server. SESA 2.0 uses a version of the Apache Tomcat Web servlet that restarts automatically, regardless of whether you check this option.

234 234 After you install SESA Integrating security products with SESA 9 In the Select the Domains panel, check the SESA administrative domains from which you want to remove the SIPs. 10 Follow the on-screen instructions until you reach the SESA Integration Successful panel. 11 To complete the SESA Integration Wizard, click Finish. Forcing a SESA Integration Package deployment If you have scheduled a deploy time in the Symantec management console that is not convenient, you can force a SESA Integration Package or Manager Extension deployment. To force a SESA Integration Package deployment 1 On the SESA Manager computer, in a supported Web browser, type the following URL: https ://<IP address of SESA Manager computer>/sipi/servlet/ sipi?action=indexinfo 2 When you are prompted to type a user name and password, type the user name and password for the SESA Domain Administrator. 3 On the SIP Service Web page, in the Package Info drop-down list, click Deploy Now, and then click Go. 4 Close the Web browser. Verifying a SESA Integration Package deployment status After you deploy or remove a SIP, you can verify the operation in a local SIP Service Web page. Verify a SESA Integration Package deployment On the SESA Manager computer, you can verify that the SIP deployment was successful. If a SIP deployment fails, you can view the SIP servlet logs for error information. You can also view audit reports on SIP installation and removal status in the Symantec management console.

235 After you install SESA Integrating security products with SESA 235 To verify a SIP deployment 1 On the SESA Manager computer, in a supported Web browser, type the following URL: address of SESA Manager computer>/sipi/servlet/ sipi?action=indexinfo 2 When you are prompted to type a user name and password, type the user name and password for the SESA Domain Administrator. 3 On the SIP Service Web page, in the Package Info drop-down list, click Installed Domain Packages, and then click Go. This detects SIPs that have been successfully deployed to the SESA administrative domain or domains. 4 In the Status table, in the Package Status column, ensure that all of the items display a status of Installed. If one or more items display a Failed status, or a Pending status stays without resolving to an Installed status after five minutes, you can view deployment or removal information in the SIP Servlet logs or the Symantec management console. For each product SIP that you deploy with another, you must wait an additional five minutes. For example, if you deploy four SIPs at once, you must wait 20 minutes before you can verify whether the SIP deployed successfully. 5 In the Package Info drop-down list, click Installed DataStore Packages, and then click Go. 6 If you have deployed or removed SESA Manager extensions using the Deploy/Remove SESA Manager Extensions Wizard in the Symantec management console, in the Package Info drop-down list, click Installed Computer Packages, and then click Go. SESA Manager extensions can be UI extensions, Relays, Bridges, or online Help modules. Online Help modules are deployed automatically. They do not require deployment with the Deploy/Remove SESA Manager Extensions Wizard. 7 In the Show All Packages Installed on the Computer table, ensure that the SESA Manager extension that you deployed or removed is listed. If the table lists the SESA Manager extension, the deployment was successful. If after five minutes no SESA Manager extension is listed, the deployment may have failed. For each additional SIP that was deployed with the SIP that contained the SESA Manager extensions, you must add an additional five minutes wait time.

236 236 After you install SESA Integrating security products with SESA For example, if you deployed six SIPs at once, and one of them contained SESA Manager extension, you must wait 30 minutes before you can determine whether the SESA Manager extension deployment was successful. You can view deployment or removal information in the SIP Servlet logs or the Symantec management console. 8 Close the Web browser. To view SIP Service logs 1 On the SESA Manager computer, navigate to the location of the SIP Servlet logs. On Windows computers, the default location is: SESA\<computer name>\sipi\logs On Solaris computers, the default location is: opt/symantec/sesa/<computer name>sipi/logs 2 In a text editor, open the appropriate log file. 3 Scan the log file for error messages. 4 Close the log file. To view SIP deployment or removal status in the Symantec management console 1 Log on to the Symantec management console. See Launching the Symantec management console on page On the Events view tab, in the navigation tree, expand System Events. 3 Under System Events, select one of the following reports, depending on whether you deployed or removed a SIP or SESA Manager extension: SIPI Fail Install Audit: Contains event information about failed SIP deployments, including SESA Manager extensions SIPI Success Install Audit: Contains event information about successful SIP deployments, including SESA Manager extensions SIPI Fail Uninstall Audit: Contains event information about failed SIP removals, including SESA Manager extensions SIPI Success Uninstall Audit: Contains event information about successful SIP removals, including SESA Manager extensions SIPI Package Audit: Contains all of the event information about successful and failed SIP deployments and removals, as reported in the other SIP Audit reports

237 After you install SESA Integrating security products with SESA 237 Verifying the master SIPI service The master SIPI service is the SESA Manager that serves as the Master SIPI service for the domain. This service is responsible for deploying and removing schemas to the SESA Directory and SESA DataStores in the domain. If more than one SESA Manager resides in a domain, the SESA Integrated Product Installer program nominates one of the SESA Manager servlets as the master SIPI service. This occurs automatically. You can check which SESA Manager is operating as the master SIPI service in the SIP Service Web page. If the SESA Manager computer that is hosting the master SIPI service is not operational, then the schemas will not be deployed. If this is the case, or you are no longer using the SESA Manager that was running the master SIPI service, you must configure the master SIPI service manually in the Symantec management console. For more information on configuring the master SIPI service option in the Symantec management console, see the Symantec management console online Help or the Symantec Management Console User s Guide. To verify the master SIPI service 1 On the SESA Manager computer, in a supported Web browser, type the following URL: address of SESA Manager computer>/sipi/servlet/ sipi?action=indexinfo 2 When you are prompted to type a user name and password, type the user name and password for the SESA Domain Administrator. 3 In the SIP Service Web page, in the Configuration Options drop-down box, select Master SIP, and then click Go. The page displays the current master SIPI service for the domain. 4 Exit the Web browser. About deleting and reinstalling SESA Agents If you delete a SESA Agent and then later reinstall it on the same security product computer, you must restart the Apache Tomcat server first. Restarting the Apache Tomcat server flushes the SESA Manager queues, which allows the SESA Agent to run again. You can restart the Apache Tomcat server on the SESA Manager computer that manages the reinstalled SESA Agent.

238 238 After you install SESA Uninstalling SESA Uninstalling SESA When uninstalling individual SESA components, it is important to remember that many components have dependencies on other components and on SESA infrastructure applications. As a matter of best practices, you should uninstall components in reverse of the order in which they were installed. In general, you will uninstall the SESA Manager first, then the SESA DataStore, and then the SESA Directory. Since portions of the uninstallation procedure may access information within the SESA Directory, it should always be uninstalled last. You can remove all components at once, or any individual component or component combinations. If you have distributed the SESA Manager, SESA Directory, and SESA DataStore across more than one computer, you must execute the uninstallation on each computer to uninstall the component. You should always use the Symantec Install Wizard to perform an uninstallation of individual components or all components. Do not remove components manually outside of the SESA Install Wizard because this will leave the SESA Install Wizard with incorrect information regarding the status of installed components. You launch the SESA Installation wizard as follows: On Windows computers, you use the Symantec Enterprise Security Architecture Components option in the Add/Remove Programs dialog box. On Solaris computers, you execute the uninstall.sh script in the default /opt/ Symantec/SESA/uninstall directory. Note: On Windows computers, always use the Symantec Enterprise Security Architecture Components option in the Add/Remove Programs dialog box to remove SESA components. This option launches the SESA uninstallation program, which reconfigures SESA appropriately for the components that you have removed. Do not use entries in the Add/Remove Programs dialog box for third-party components themselves. Once you have launched the SESA Install Wizard, you can uninstall the following components: All SESA components at once All SESA components and infrastructure SESA Directory Server IBM HTTP Server

239 After you install SESA Uninstalling SESA 239 SESA Key database files IBM DB2 Personal Edition SESA administrative domain or subdomain Only those components installed by the SESA Integrated Installer program (the SESA Installation Wizard) are uninstalled. SESA heartbeat service and uninstalling the SESA Manager and SESA Agent A SESA Agent is always installed along with the SESA Manager to facilitate its communication with all other SESA components. The SESA Directory communicates using LDAPS and the SESA DataStore communicates over JDBC, and therefore do not require the SESA agent for their communication. If you have installed the SESA Manager along with either the SESA DataStore or the SESA Directory on the same computer, a SESA Agent will be installed along with the SESA Manger. The SESA heartbeat service is always installed along with a SESA Manager and its Agent. If you uninstall the SESA Manager from a computer, the SESA Agent will also be uninstalled, and the heartbeat service along with it. If you wish to use the heartbeat service to monitor the remaining SESA DataStore or SESA Directory, you must reinstall the SESA Agent and the heartbeat service. See Installing the SESA Agent for heartbeat monitoring on page 196. Uninstalling SESA from a Windows computer On Windows computers, you use the Symantec Enterprise Security Architecture Component option to uninstall SESA components. To uninstall one or more SESA components on a Windows computer 1 On the computer on which the SESA DataStore is installed, on the Windows toolbar, click Start > Settings> Control Panel. 2 In the Control Panel window, double-click Add/Remove Programs. 3 In the Add/Remove Programs dialog box, click Symantec Enterprise Security Architecture Components. 4 Click Change/Remove. 5 In the Uninstall SESA panel, click Next.

240 240 After you install SESA Uninstalling SESA Uninstalling SESA on Solaris 6 In the SESA Uninstall Menu panel, select the component or components that you want to remove. Only the components that are installed on the computer on which you are running the uninstallation are available for selection. Components that are displayed but unavailable have other dependent programs still installed. You must remove the dependent programs before these components become available. 7 To remove the component or components, follow the on-screen instructions. 8 If you see a message that informs you that certain processes are currently running and locked, to turn off the processes and continue, click Yes. 9 In the Operation Complete panel, review the components that were successfully uninstalled, and then click Next. 10 In the SESA Uninstall Menu panel, do one of the following: To continue uninstalling additional components, select the next component that you want to uninstall, and then click Next. If you are done uninstalling components, click Exit SESA Uninstaller, and then click Next. 11 If you are prompted Are you sure you want to exit the installation, click Yes. 12 In the Reboot Required panel, to reboot the computer, click Finish. On Solaris platforms, you execute the uninstall.sh script in the default /opt/ Symantec/SESA/uninstall directory to launch the SESA Install Wizard. To uninstall one or more SESA components on a Solaris computer 1 On the computer on which the SESA component is installed, become superuser. 2 At the command prompt, change directories to the SESA installation directory. By default, the directory is: /opt/symantec/sesa/uninstall 3 At the command prompt, type the following command:./uninstall.sh 4 In the Uninstall SESA panel, click Next. 5 In the SESA Uninstall Menu panel, select the component or component combination that you want to remove, and then click Next.

241 After you install SESA Uninstalling SESA 241 Only the components installed on the computer on which you are running the uninstallation are available for selection. Components that are displayed but unavailable (dimmed) have other dependent programs still installed. You must remove the corresponding dependent programs before these components become available. 6 To remove the component or components, follow the on-screen instructions. 7 If you are uninstalling the SESA DataStore, you will be instructed to perform a manual procedure to remove the SESA user and data tables from the database. Follow the instructions and when complete, return to the SESA Install Wizard, and then click Next. 8 To drop the database, on the SESA DataStore computer, in a Terminal window, become the Oracle user, and then type the following command: dbshut 9 Delete all of the files in the Oracle database directory structure supporting the SESA DataStore that you are uninstalling. For example, if you use the default directory structure for a database named SESA, you would delete the files from the following directories: /u02/app/oracle admin/sesa/bdump /u02/app/oracle/admin/sesa/cdump /u02/app/oracle/admin/sesa/udump /u01/oradata/sesa /u02/oradata/sesa /u01/oradata/sesa/arch 10 If you see a message that informs you that certain processes are currently running and locked, to turn off the processes and continue, click Yes. 11 In the Operation Complete panel, review the components that were successfully uninstalled, and then click Next. 12 In the SESA Uninstall Menu panel, do one of the following: To continue uninstalling additional components, select the next component that you want to uninstall, and then click Next. If you are done uninstalling components, click Exit SESA Uninstaller, and then click Next. 13 If you are prompted Are you sure you want to exit the installation, click Yes. 14 In the Reboot Required panel, to reboot the computer, click Finish.

242 242 After you install SESA About reinstalling a SESA DataStore in Windows environments About reinstalling a SESA DataStore in Windows environments In Windows environments, SESA installs the SESA DataStore using the SESA alias. It also installs with an additional alias such as SES1, SES2, SES3, and so forth. You can view both of these alias entries in the DB2 Control Center. If you use the DB2 Control Center to drop the SESA DataStore or any of its aliases, DB2 removes the SESA data from the computer but does not reconcile the state of the other DB2 entry. You must therefore additionally right-click the remaining SESA entry and select Remove to eliminate that entry. After you drop a SESA DataStore, you cannot reinstall a SESA DataStore successfully until you do this. Note: When you drop and reinstall a SESA DataStore, you must also reinstall any security products that are associated with the SESA DataStore.

243 Chapter 6 Setting up failover support This chapter includes the following topics: About failover support Setting up SESA Agent-to-Manager failover support Setting up SESA Manager-to-Directory failover support Setting up SESA Manager-to-DataStore failover support About failover support SESA 2.0 is designed to have no single point of failure between the SESA Manager and the SESA Agent, SESA DataStore, and SESA Directory. You can set up replica SESA components in case one of the primary SESA components becomes unavailable. Once you have installed the replica SESA component, you can configure SESA to switch communications from the unavailable SESA component to an available replica one. This process of switching from one component to another is called failover. The process of switching from a failover component to a regularly working component is called failback. SESA 2.0 supports failback as well. The Symantec management console lets you configure failover replica components programmatically or manually. When you configure failover programmatically, the computer on which the component is installed selects the next-defined component in a failover list, and then attempts communication with it. When you configure failover manually, an administrator must intercede to change the component, and then distribute the configuration change. The availability of one SESA component to another is determined by network connectivity between the computers on which the components reside.

244 244 Setting up failover support Setting up SESA Agent-to-Manager failover support Setting up SESA Agent-to-Manager failover support When a SESA Agent detects that a primary SESA Manager is no longer available, it attempts to communicate with, or failover to, a secondary SESA Manager. The SESA Agent uses a list, configured in the Symantec management console, to determine the secondary SESA Manager computer to use as the failover component. SESA 2.0 allows up to 255 SESA Manager computers as failover components. If the secondary SESA Manager in the list also fails, the SESA Agent attempts to failover to the next SESA Manager in the list, and so on, as long as the list is configured with additional SESA Manager computers. As soon as a SESA Agent enters a failover mode, in which it has switched from a primary to secondary SESA Manager, SESA starts a failback thread. As long as the SESA Agent is in failover mode, the failback thread continuously monitors the primary SESA Manager. When the primary SESA Manager computer comes online again, the secondary SESA Manager computer immediately yields SESA Agent-to Manager communication to the primary SESA Manager computer, regardless of where in the list the secondary computer appears. For example, a secondary computer that is sixteenth in the list would relinquish communication control to the primary computer in exactly the same order as would the second or third computer in the list. Secondary computers do not follow a path to the primary computer when network connectivity is restored to the primary computer. Configuring SESA Agent-to-Manager failover support After you have installed all of the SESA Managers on computers in your network environment, you can configure SESA Agent-to-Manager failover support in the Symantec management console. To configure SESA Agent-to-Manager failover support 1 Log on to the Symantec management console. See Launching the Symantec management console on page In the Symantec management console, on the Configurations view tab, in the left pane, expand SESA v2.0 > Agent Connection Configurations > Default.

245 Setting up failover support Setting up SESA Agent-to-Manager failover support In the right pane, on the SESA Manager Failover tab, do the following: Primary Manager Enable automatic SESA Manager failover Primary SESA Manager Failover: Reconnect attempts before failover Click the browse button ( ), then select primary SESA Manager. Enable or disable automatic SESA Manager failover support. This option is disabled by default. Select the number of times that the SESA Agent should attempt to connect to the primary SESA Manager before it switches communication to a secondary SESA Manager. The default setting is 10 times. Primary Manager Failover: Seconds between reconnect attempts Select the number of seconds between each reconnection attempt that the SESA Agent makes with the primary SESA Manager. The default setting is 60 seconds. Secondary Manager Failover: Reconnect attempts before failover Select the number of times that the SESA Agent should attempt to connect to the secondary SESA Manager before it switches communication to the next secondary SESA Manager. If none are available, it reconnects to the primary SESA Manager. The default setting is 5 times. Secondary Manager Failover: Seconds between reconnect attempts Select the number of seconds between each reconnection attempt that the SESA Agent makes with the secondary SESA Manager. The default setting is 30 seconds. Secondary (failover) Managers Add/Remove Move Up/Move Down Enable automatic failback recovery Display an ordered list of secondary SESA Manager computers to which the SESA Agent can connect. Once a SESA Agent connects with the first computer in this list, the SESA Manager is in failover mode. If the first computer in the list goes offline, the SESA Agent fails over to the next computer in the ordered list, and so on, as long as Enable automatic Manager failover is checked. If Enable automatic Manager failover is disabled, you must manually select the computer. Add computers to and remove computers from the Secondary (failover) Managers list. The computers must already have SESA Managers installed on them. Change the order of SESA Managers in the Secondary (failover) Managers list. Enable or disable failback recovery, which allows the SESA Agent to switch communication from the secondary SESA Manager to the primary SESA Manager after it detects that the primary SESA Manager has come online again. This option is enabled by default.

246 246 Setting up failover support Setting up SESA Manager-to-Directory failover support Seconds between failback connection attempts Maximum failback retry period (minutes) Select the number of seconds between each reconnection attempt that the SESA Agent makes with the secondary SESA Manager. The default setting is 600 seconds. Select the maximum number of minutes to wait before the SESA Agent no longer attempts to reconnect (failback) to the primary SESA Manager. The default is 1440 minutes. Generate a Multiple Connection Failure Event: Number of connection failures that must occur Generate a Multiple Connection Failure Event: Time span during which connection failures occur Select the number of connection failures that must occur before a Multiple Connection Failure Event is created in the SESA DataStore. The default setting is 10 connection failures. Select the interval in seconds during which the specified number of connection failures must occur before a Multiple Connection Failure Event is created in the SESA DataStore. The default setting is 0, which indicates an unlimited time span. 4 Click Apply. 5 In the left pane under Agent Connection Configurations, right-click Default, and then click Distribute. Setting up SESA Manager-to-Directory failover support Like the SESA Agent-to-Manager failover process, a SESA Manager can detect that a primary SESA Directory is no longer available, and then switch communications, or failover to, an alternate, replica SESA Directory. However, instead of using a predefined list in the Symantec management console to determine selection order, SESA programmatically makes the choice of failover computer automatically, based on the suffix name of the replica SESA Directory. The SESA Manager switches to the replica SESA Directory with the closest suffix name match to the primary SESA Directory computer. For example, if a primary SESA Directory computer has the suffix name XYZ1, given the available replica candidates XYZ7 and XYZ3, the closest suffix match would be XYZ3. In failover mode, SESA components can retrieve information and configurations from a replica SESA Directory; however, no configuration changes can be written to the replica SESA Directory. Similarly, in the Symantec management console, an Administrator can only view SESA Directory information. While a

247 Setting up failover support Setting up SESA Manager-to-Directory failover support 247 replica SESA Directory is in use, Administrators cannot, for example, create new users, modify roles, or make other configuration changes. When a primary SESA Directory comes online again, the SESA Manager-to- Directory failback process works in much the same way as SESA Agent-to- Manager or SESA Manager-to-DataStore failback support. Warning: SESA 2.0 Directories do not support cross-platform failover operations. Installing a replica SESA Directory on a Windows computer You can use the SESA Installation Wizard to install as many replica SESA Directories as your SESA deployment requires. A master SESA Directory must already be installed before you can install a replica. See Installing the SESA Directory on page 161. You install a replica SESA Directory on a Windows computer using the SESA Installation Wizard. After you finish using the SESA Installation Wizard, you must also complete some manual tasks to configure the replica SESA Directory and the master SESA Directory. See Manually completing the replica SESA Directory installation on Windows computers on page 252. After you complete the manual tasks, you must configure failover settings for the replica SESA Directory in the Symantec management console. See Setting up SESA Manager-to-Directory failover support on page 246. Install a replica SESA Directory on a Windows computer To install a replica SESA Directory using the SESA Installation Wizard, you install the component in the following two phases: The first phase gathers information, and then prompts you to restart your computer. The second phase installs components and configurations, and provides instructions for completing the manual tasks required after installation.

248 248 Setting up failover support Setting up SESA Manager-to-Directory failover support If you are installing the replica SESA Directory on a Windows computer, you can optionally install one of the following IBM DB2 database servers on the Windows computer to support the IBM Directory Server: IBM DB2 Workgroup Edition 7.2 with FixPak 5 IBM DB2 Enterprise Edition 7.2 with FixPak 5 IBM DB2 Enterprise Extended Edition 7.2 with FixPak 5 If an IBM DB2 database has not already been installed on the replica SESA Directory computer, the SESA Installation Wizard installs IBM DB2 Personal Edition. To install the replica SESA Directory on a Windows computer 1 To start the SESA Installation Wizard, insert the SESA Foundation Pack CD1 into the CD-ROM drive. 2 If the wizard does not start automatically, locate the folder that contains the SESA installation files, and then double-click CDStart.exe. 3 To start the installation, click Install SESA Components. 4 If a message informs you that the SDK is not installed, do the following: Click OK. In the SESA Installation Wizard panel, click Install SDK 1.3.1_09. Rerun the installation. 5 When you are prompted to supply a location for temporary installation files, do one of the following: Accept the default location as long as it has at least 75 MB of free hard disk space available. Type a location or click Browse to find a different location that has 75 MB of hard disk space available. 6 In the introductory wizard panels, review and type the requested information, and then click Next. 7 In the SESA Preinstallation Requirements Summary panel, confirm the following: The computer to which you are installing is running Windows 2000 Server or Advanced Server with Service Pack 3 or later. The SUN Development Kit (SDK) 1.3.1_09 is installed. In addition, the computer should already have an existing installation of IBM DB2 Workgroup Edition/Enterprise Edition/Enterprise Extended Edition 7.2 present. If no existing version is present, the SESA Installation Wizard installs IBM DB2 Personal Edition 7.2.

249 Setting up failover support Setting up SESA Manager-to-Directory failover support In the Select Working Directory panel, accept the default location or select another location. SESA requires a folder on your hard drive as a working directory and database storage location. The drive on which the folder resides should have approximately 20 MB of free space. 9 In the SESA Install Menu panel, click Advanced Options. 10 In the SESA Advanced Install Menu panel, click Install SESA Directory Replica. 11 If no previous installation of IBM DB2 Personal Edition/Workgroup Edition/ Enterprise Edition/Enterprise Extended Edition resides on the computer, do one of the following: Click Yes when you are prompted to continue. The SESA Installation Wizard installs IBM DB2 Personal Edition from the SESA Foundation Pack CD. Click No to stop the installation of IBM DB2 Personal Edition. You must install IBM DB2 WorkGroup Edition/Enterprise Edition/ Enterprise Extended Edition before you can continue with the installation. 12 In the Local SESA Directory Master panel, type the following information for the master SESA Directory installation: SESA Directory Administrator Password IP Address Directory port number The password for the SESAdmin account. The SESA Directory Administrator password must be between six and twelve alphanumeric characters. This is a maintenance account for top-level SESA administrators who need access to the entire SESA Directory tree for installing SESA DataStores and SESA Managers. You can use this account to log on to the Symantec management console after installation. IP address of the computer on which the master SESA Directory is installed. SESA Managers use this IP address to communicate with the SESA Directory. If connections to the master SESA Directory computer are made using authenticated SSL, you must type the host name or FQDN of the computer instead of the IP address. Secure listening port for the master SESA Directory (by default, 636). SESA Managers use this port to communicate with the SESA Directory.

250 250 Setting up failover support Setting up SESA Manager-to-Directory failover support 13 In the SESA Directory Replica panel, type the following information for the replica SESA Directory: Directory Server Path Administrator Name Directory Administrator Password IP Address Directory port number Directory path in which the replica SESA Directory program files reside. The default location is \Program Files\IBM\LDAP. Name for the IBM Directory Server administrator account in the form cn=<name> (by default, cn=root). Directory Administrator password. An account with a password is required. IP address of the computer on which the replica SESA Directory is installed. This must be the local installation computer. SESA Managers use this IP address to communicate with the replica SESA Directory. If connections to the replica SESA Directory computer are made using authenticated SSL, you must type the host name or FQDN of the computer instead of the IP address. Secure listening port for the replica SESA Directory (by default, 636). SESA Managers use this port to communicate with the replica SESA Directory. 14 To create the key database for self-signed SSL certificates, in the SESA Secure Communications panel, type the following information: Key Database Password Company Country Select host IP Address Password for the key database (six alphanumeric characters minimum). Company name. Company location. IP address of the computer on which the primary SESA Manager is installed. If connections to the primary SESA Manager computer are made using authenticated SSL, you must type the host name or FQDN of the computer instead of the IP address.

251 Setting up failover support Setting up SESA Manager-to-Directory failover support 251 Key size (bits) Encryption length in bits for the default, self-signed certificate that SESA uses to secure data communication. The default setting of 1024 bits is standard. The longer the length of the key size, the higher the security of the data encryption. However, the higher the security of the data encryption, the longer the length of time required to encrypt and decrypt data. 15 If an existing installation of IBM DB2 Workgroup Edition/Enterprise Edition/Enterprise Extended Edition is not present on the computer, in the DB2 Personal Edition Installation panel, type the requested logon and location information. 16 In the Web Server Installation panel, type the following information for a Windows 2000 user account: Web Server Directory Login Name Password Path for the IBM HTTP Server installation (by default, C:\Program Files\IBM Http Server). Login name for an existing Windows 2000 account of the computer on which the IBM HTTP Server is being installed. Password for the account. An account with a password is required. 17 In the Insert SESA CD dialog box, when you are prompted, select the location of the requested installation files, all of which are located on the SESA distribution media. The SESA Installation Wizard reports the status of components that are being installed using the specified logons, passwords, paths, and ports information. 18 If necessary, remove the SESA CD from the CD-ROM drive. 19 Restart the computer when you are prompted. The restart is required to initialize the replica SESA Directory.

252 252 Setting up failover support Setting up SESA Manager-to-Directory failover support To complete the replica SESA Directory installation on a Windows computer 1 After you restart your computer, in the Welcome to the SESA Installation panel, click Next. 2 Follow the on-screen instructions until you see the Operation Complete panel. 3 In the Operation Complete panel, review the text. The text contains the required instructions to manually complete the replica SESA Directory installation. You must complete these steps in the order provided. These instructions are also in the Replica.txt file, which is located in the root directory of the SESA Foundation Pack CD1. See Manually completing the replica SESA Directory installation on Windows computers on page In the SESA Install Menu panel, click Exit SESA Installer, and then click Next. 5 In the SESA Installation Successful panel, click Finish to exit the SESA Installation Wizard. Manually completing the replica SESA Directory installation on Windows computers After you run the SESA Installation Wizard to install the replica SESA Directory on a Windows computer, you must complete a number of manual tasks to configure the replica SESA Directory and its master SESA Directory. These tasks are also described in the Replica.txt file on the SESA Foundation Pack CD1 for Windows. Warning: You must complete the tasks in the order listed in Replica.txt or the replica SESA Directory will not run properly. To finish the replica SESA Directory installation, complete the following tasks in the order listed: On both the master and replica SESA Directory computers, set up certificates. On the master SESA Directory computer, back up the SESA Directory data for export to the replica SESA Directory. On the replica SESA Directory computer, import the master SESA Directory data.

253 Setting up failover support Setting up SESA Manager-to-Directory failover support 253 On the master SESA Directory computer, configure the replica SESA Directory. On master and replica SESA DataStore Solaris computers only, configure replication permissions. Note: To manually move data between the master SESA Directory and replica SESA Directory, administrative privileges must first be added to the Web Server account for SESA and the IBM HTTP Server must be restarted. After you complete the manual tasks, you can remove the administrative privileges and restart the IBM HTTP Server on the SESA Directory computer again. See Granting and removing local administrative privileges for the Web Server account on page 321. For more information on changing administrative privileges, see your Microsoft Windows documentation. Setting up certificates on the master and replica SESA Directory Windows computers The first manual task that you must perform is to extract certificates from each master SESA Directory computer and install them on each associated replica SESA Directory computer. You then repeat the process on the replica SESA Directory computers. To set up certificates on the master and replica SESA Directory Windows computers 1 On the master SESA Directory computer, log on to the computer with the appropriate administrative privileges. 2 On the Windows taskbar, click Start > Programs > IBM HTTP Server > Start IBM Key Management Utility. 3 In the IBM Key Management window, open the Key database. The default location is C:\Program Files\Common Files\Symantec Shared\SES\keydb\key.kdb. 4 If you are prompted, type the SESA Secure Communications password. See Logon accounts for SESA installation on page Under Personal Certificates, click SESA to make it the active item in the Personal Certificates list. 6 Click Extract Certificate.

254 254 Setting up failover support Setting up SESA Manager-to-Directory failover support 7 In the Extract Certificate to a File dialog box, type a name for the certificate file. The certificate is extracted from the master SESA Directory Key database and copied to the Key database on the master SESA Directory computer. As a best practice, give the certificate file a name that will identify it as a certificate that was generated and copied from the master SESA Directory computer. 8 Type or confirm the location of the certificate file. This location must be accessible by the other SESA Directory computer (whether master or replica). 9 Click OK to save the certificate file on the master SESA Directory computer. 10 On the replica SESA Directory Windows computer, log on to the computer with the appropriate administrative privileges. 11 Repeat steps 2 through 4 to launch the IBM Key Management utility on the replica SESA Directory Windows computer. 12 In the IBM Key Management window, click Personal Certificates, and then, in the resulting drop-down list, click Signer Certificates. 13 Click Add. 14 In the Add CA s Certificate from a File dialog box, type the location of the extracted certificate file on the master SESA Directory computer, and then click OK. You created this certificate in step In the Enter a Label dialog box, type a label for the certificate file, and then click OK. 16 Repeat steps 1 through 15, but this time on the replica SESA Directory computer. To repeat the process for the replica computer, on the replica SESA Directory computer, extract its certificate. Then, move to the master SESA Directory computer and add the extracted certificate from the replica SESA Directory computer. This completes the extracting and copying of each certificate file on its associated master or replica computer. Backing up the master SESA Directory data on Windows computers The second manual task that you must perform is to archive the master SESA Directory data for export to the replica SESA Directory.

255 Setting up failover support Setting up SESA Manager-to-Directory failover support 255 To back up master SESA Directory data for export to the replica SESA Directory on Windows computers 1 Close all Symantec management console sessions that are connected to the master SESA Directory. 2 On the master SESA Directory computer, log on with the appropriate privileges. 3 Stop the IBM Directory Server. See Starting and stopping the IBM Directory Server on page Back up the master SESA Directory data. See Backing up SESA Directory data on page 331. Importing the master SESA Directory data on Windows computers The third manual task that you must perform is to restore the master SESA Directory data on the replica SESA Directory. Import the master SESA Directory data on Windows computers Before you can restore the master SESA Directory data on a replica SESA Directory, you must first create the same suffixes on both computers. After you restore the data, you must run the Create Name Suffix batch file from the \Manager\Dir folder on the SESA Foundation Pack Windows CD1. To create name suffixes on both master and replica SESA Directory computers 1 On the replica SESA Directory Windows computer, log on using the appropriate administrative privileges. 2 On the replica SESA Directory Windows computer, stop the IBM Directory Server. See Starting and stopping the IBM Directory Server on page On the master SESA Directory Windows computer, in a text editor, open the Slapd32.conf configuration file. The default location is C:\Program Files\IBM\LDAP\etc\slapd32.conf. 4 In the configuration file, search for the section that begins with the following characters: dn: cn=directory 5 Locate the last three lines of this section. Each line starts with the text, ibm-slapdsuffix: This text represents the suffixes that are added by SESA.

256 256 Setting up failover support Setting up SESA Manager-to-Directory failover support 6 Copy and paste the three lines from the file on the master SESA Directory computer to the same location in the Slapd32.conf file on the replica SESA Directory computer. To restore the master SESA Directory data to the replica SESA Directory on a Windows computer 1 On the replica SESA Directory computer, in the IBM Directory Server Web Admin interface, restore (or import) the master SESA Directory backup data file to the replica SESA Directory using the following settings: Check Create backup directory as needed. Do not check Restore data and schema only (not configuration file). See Restoring SESA Directory data on page Ignore any warnings about missing schema during the restore operation. At this point in the process, the credentials for logging into the replica SESA Directory are the same as those of the master SESA Directory. 3 Start the IBM Directory Server. See steps 1 and 2 of Starting and stopping the IBM Directory Server on page In the IBM Directory Server Web Admin interface, in the left pane, expand Security > SSL, and then click Settings. 5 In the SSL settings right pane, click SSL On, click Update, and then click Restart the Server. To run the Create Name Suffix batch file 1 On the replica SESA Directory computer, in a text editor, open the Createns.bat file. The batch file is located in the SESA Foundation Pack CD1 \MANAGER\DIR folder. The batch file contains a series of commands to the ldapmodify program. 2 If necessary, edit the -D parameter in the bind DN and the -w parameter in the bind password to match the SESA Directory Administrator user name and password. 3 Run the Createns.bat file. If you see warning messages about entries that already exist, ignore them. 4 In the IBM Directory Server Web Admin interface, in the left pane, expand Security > SSL, and then click Settings. 5 In the SSL settings right pane, click SSL Only, click Update, and then click Restart the Server.

257 Setting up failover support Setting up SESA Manager-to-Directory failover support 257 Configuring the replica SESA Directory on the master SESA Directory Windows computer The fourth manual task that you must perform is to configure the master SESA Directory computer to recognize replica SESA Directory information. To configure the replica SESA Directory on the master SESA Directory Windows computer 1 On the master SESA Directory Windows computer, log on with the appropriate administrative privileges. 2 Restart the IBM Directory Server. See Starting and stopping the IBM Directory Server on page In the IBM Directory Server Web Admin interface, in the left pane, in the Directory Server tree, expand Replication > Replicas, and then click Add a replica. 4 In the Add a replica right pane, do the following: Common Name Host Name Type the host name of the replica SESA Directory computer. Type the IP address of the replica SESA Directory computer. Port Number Type 636. Authentication Use SSL Update Interval Master DN Password/Confirm Password Click Simple. Click Yes. Click Immediate. Type any valid DN value except the master SESA Directory DN (by default, this DN is the SESA Directory Administrator user name, which is cn=root). Type any valid password, except the password that is used by the SESA Directory Administrator account. 5 Click Update. 6 Make a note of the Master DN and password. You will need them to duplicate the configuration changes on the replica SESA Directory computer.

258 258 Setting up failover support Setting up SESA Manager-to-Directory failover support Configuring the master SESA Directory on the replica SESA Directory Windows computer The fifth manual task that you must perform is to configure the replica SESA Directory computer to recognize master SESA Directory information. To configure the master SESA Directory on the replica SESA Directory Windows computer 1 On the replica SESA Directory Windows computer, log on with the appropriate administrative privileges. 2 Restart the IBM Directory Server. See Starting and stopping the IBM Directory Server on page In the IBM Directory Server Web Admin interface, in the left pane, in the Directory Server tree, expand Replication > Settings. 4 In the right pane, do the following to match the master SESA Directory computer: Master DN Password/Confirm Password Referral Type any valid DN value except the master SESA Directory DN (by default, this DN is the SESA Directory Administrator user name, which is cn=root). Type any valid password, except the password that is used by the SESA Directory Administrator account. Type the URL of the master SESA Directory computer as follows: ldaps://<master SESA Directory computer IP address>:636 5 Click Update. Installing a replica SESA Directory on a Solaris computer You can use the SESA Installation Wizard to install as many replica SESA Directories on Solaris computers as your SESA deployment requires. A master SESA Directory must already be installed on a Solaris computer before you can install a replica. See Installing the SESA Directory on page 161. After you finish using the SESA Installation Wizard, you must also complete some manual tasks to configure the replica SESA Directory and the master SESA Directory. See Manually completing the replica SESA Directory installation on Solaris computers on page 263.

259 Setting up failover support Setting up SESA Manager-to-Directory failover support 259 After you complete the manual tasks, you must configure failover settings for the replica SESA Directory in the Symantec management console. See Configuring SESA Manager-to-Directory failover support on page 270. Install a replica SESA Directory on a Solaris computer To install a replica SESA Directory using the SESA Installation Wizard, you install it in the following phases: The first phase gathers information, and then prompts you to restart your computer. The second phase installs components and configurations, and provides instructions for completing the manual tasks that are required after installation. IBM DB2 Enterprise Edition must already be installed on the Solaris computer. See Preparing third-party software on Solaris platforms on page 98. To install the replica SESA Directory on a Solaris computer 1 Ensure that a local copy of the SESA Foundation Pack distribution media image has been copied to the replica SESA Directory computer and that the Solaris computer at which you are physically located has access to the replica SESA Directory computer. 2 On the Solaris computer at which you are physically located, become superuser. 3 To display a local Terminal window, right-click anywhere on the Solaris screen, and then click Tools > Terminal. If you are installing the replica SESA Directory on the computer at which you are physically located, the Terminal window displays the replica SESA Directory computer environment. 4 If you are installing the replica SESA Directory from a remote Solaris computer, initiate a Telnet session with the SESA Directory computer, and then set and export the remote display to the local computer. See Connecting to a remote Solaris computer and exporting its display on page 135. The Terminal window displays the environment of the replica SESA Directory Solaris computer. 5 To change directories to the SESA Foundation Pack installation image, in the SESA Directory computer Terminal window, type the following command: cd /<installation image location>

260 260 Setting up failover support Setting up SESA Manager-to-Directory failover support 6 To start the SESA Installation Wizard, type the following command: sh install.sh 7 When you are prompted to supply a location for temporary installation files, do one of the following: Accept the default location as long as it has at least 75 MB of free hard disk space available. Type a location or click Browse to find a location that has 75 MB of hard disk space available. 8 In the introductory wizard panels, review and type the requested information, and then click Next. 9 In the SESA Preinstallation Requirements Summary panel, confirm that the computer to which you are installing is running Sun Solaris version 8 (64- bit). In addition, the computer must already have IBM DB2 Enterprise Edition 7.2 installed. 10 In the Select Working Directory panel, accept the default location or select another location. SESA requires a folder on your hard drive as a working directory and database storage location. The drive on which the folder resides should have approximately 20 MB of free space. 11 In the SESA Install Menu panel, click Advanced Options. 12 In the SESA Advanced Install Menu panel, click Install SESA Directory Replica. 13 In the Local SESA Directory Master panel, type the following information for the master SESA Directory installation: SESA Directory Administrator Password The password for the SESAdmin account. The SESA Directory Administrator password must be between six and twelve alphanumeric characters. This is a maintenance account for top-level SESA administrators who need access to the entire SESA Directory tree for installing SESA DataStores and SESA Managers as appropriate. You can use this account to log on to the Symantec management console after installation.

261 Setting up failover support Setting up SESA Manager-to-Directory failover support 261 IP Address Directory port number IP address of the computer on which the master SESA Directory is installed. SESA Managers use this IP address to communicate with the SESA Directory. If connections to the master SESA Directory computer are made using authenticated SSL, you must type the host name or FQDN of the computer instead of the IP address. Secure listening port for the master SESA Directory (by default, 636). SESA Managers use this port to communicate with the SESA Directory. 14 In the SESA Directory Replica panel, type the following information for the replica SESA Directory: Directory Server Path Administrator Name Directory Administrator Password IP Address Directory port number Directory path in which the replica SESA Directory program files reside. The default location is \Program Files\IBM\LDAP. Name for the IBM Directory Server administrator account in the form cn=<name> (by default, cn=root). Directory Administrator password. An account with a password is required. IP address of the computer on which the replica SESA Directory is installed. This must be the local installation computer. SESA Managers use this IP address to communicate with the replica SESA Directory. If connections to the replica SESA Directory computer are made using authenticated SSL, you must type the host name or FQDN of the computer instead of the IP address. Secure listening port for the replica SESA Directory (by default, 636). SESA Managers use this port to communicate with the replica SESA Directory. 15 In the SESA Secure Communications panel, type the following information to create the key database for self-signed SSL certificates: Key Database Password Company Password for the key database of at least six alphanumeric characters. Company name.

262 262 Setting up failover support Setting up SESA Manager-to-Directory failover support Country Select host IP Address Key size (bits) Company location. IP address of the computer on which the primary SESA Manager is installed. If connections to the primary SESA Manager computer are made using authenticated SSL, you must type the host name or FQDN of the computer instead of the IP address. Encryption length in bits for the default, self-signed certificate that SESA uses to secure data communication. The default setting of 1024 bits is standard. The longer the length of the key size, the higher the security of the data encryption. However, the higher the security of the data encryption, the longer the length of time required to encrypt and decrypt data. 16 In the Web Server Installation panel, type the location of the folder in which the Web server is to be installed or click Browse to navigate to the location. The default location is /opt. The SESA Installation Wizard reports the status of the components that are being installed using the specified logons, passwords, paths, and ports information. 17 In the Insert SESA CD dialog box, when you are prompted, select the location of the requested installation files, all of which are located in the SESA Foundation installation image. The SESA Installation Wizard continues to report installation progress. To complete the replica SESA Directory installation on a Solaris computer 1 In the Welcome to the SESA Installation panel, click Next. 2 Follow the on-screen instructions until you reach the Operation Complete panel. 3 In the Operation Complete panel, review the text. The text contains the required instructions to manually complete the replica SESA Directory installation. You must complete these steps in the order provided. These instructions are also in the Replica.txt file, which is located in the root directory of the SESA Foundation Pack CD1 for Solaris. See Manually completing the replica SESA Directory installation on Solaris computers on page 263.

263 Setting up failover support Setting up SESA Manager-to-Directory failover support In the SESA Install Menu panel, click Exit SESA Installer, and then click Next. 5 In the SESA Installation Successful panel, click Finish to exit the SESA Installation Wizard. Manually completing the replica SESA Directory installation on Solaris computers After you run the SESA Installation Wizard to install the replica SESA Directory on a Solaris computer, you must complete some manual tasks to configure the replica SESA Directory and its master SESA Directory. These tasks are described in the Replica.txt file on the SESA Foundation Pack CD1 for Solaris. Warning: You must complete the tasks in the order listed in the Replica.txt instruction set or the replica SESA Directory will not run properly. To finish the replica SESA Directory installation, you must complete the following tasks in the order listed: On both the master and replica SESA Directory computers, set up certificates. On the master SESA Directory computer, back up the SESA Directory data for export to the replica SESA Directory. On the replica SESA Directory computer, import the master SESA Directory data. On the master SESA Directory computer, configure the replica SESA Directory. On master and replica SESA DataStore Solaris computers only, configure replication permissions. Setting up certificates on the master and replica SESA Directory Solaris computer The first manual task that you must perform is to extract certificates from each master SESA Directory Solaris computer and install them on each associated replica SESA Directory Solaris computer. You then repeat the process for the replica SESA Directory Solaris computers.

264 264 Setting up failover support Setting up SESA Manager-to-Directory failover support To set up certificates on the master and replica SESA Directory Solaris computers 1 Do one of the following: If you are physically located at the master SESA Directory Solaris computer, become superuser. If you are located at a remote Solaris computer, you must initiate a Telnet session with the master SESA Directory computer, and then export a display. See Connecting to a remote Solaris computer and exporting its display on page To launch the IBM HTTP Server Key Management utility, in the master SESA Directory Terminal window, type the following command: gsk5ikm 3 In the IBM Key Management window, open the Key database. The default location is /etc/symantec/ses/keydb/key.kdb. 4 If you are prompted, type the SESA Secure Communications password. See Logon accounts for SESA installation on page Under Personal Certificates, click SESA to make it the active item in the Personal Certificates list. 6 Click Extract Certificate. 7 In the Extract Certificate to a File dialog box, type a name for the certificate file. The certificate is extracted from the master SESA Directory computer key database and copied to the key database on the master SESA Directory computer. As a best practice, give the certificate file a name that identifies it as a certificate that was generated and copied from the master SESA Directory computer. 8 Type or confirm the location of the certificate file. This location must be accessible by the other SESA Directory computer (whether it is a master or replica). 9 Click OK to save the certificate file on the master SESA Directory computer.

265 Setting up failover support Setting up SESA Manager-to-Directory failover support Do one of the following: If you are physically located at the replica SESA Directory Solaris computer, become superuser. If you are located at a remote Solaris computer, you must initiate a Telnet session with the replica SESA Directory computer, and then export a display. See Connecting to a remote Solaris computer and exporting its display on page On the replica SESA Directory computer, start the IBM Key Management utility. 12 In the IBM Key Management window, click Personal Certificates, and then, in the resulting drop-down list, click Signer Certificates. 13 Click Add. 14 In the Add CA s Certificate from a File dialog box, type the location of the extracted certificate file on the master SESA Directory computer, and then click OK. You created this certificate in step In the Enter a Label dialog box, type a label for the certificate file, and then click OK. 16 To change directories to the key database, in the Terminal window, type the following command: cd /etc/symantec/ses/keydb 17 In the /etc/symantec/ses/keydb directory, to change ownership of the key.kdb file from root to ldap, type the following command: chown ldap key.kdb 18 Repeat step 17 for each of the following files in the key database directory: key.sth key.crl key.rdb 19 Repeat steps 1 through 18, but this time start on the replica SESA Directory computer. To repeat the process for the replica SESA Directory computer, start at the replica SESA Directory computer and extract its certificate. Then, move to the master SESA Directory computer and add the extracted certificate from the replica SESA Directory computer. This completes the extracting and copying of each certificate file on its associated master or replica computer.

266 266 Setting up failover support Setting up SESA Manager-to-Directory failover support Backing up the master SESA Directory data on Solaris computers The second manual task that you must perform is to archive the master SESA Directory data for export to the replica SESA Directory. To back up master SESA Directory data for export to the replica SESA Directory on Solaris computers 1 Close any Symantec management console sessions that are currently connected to the master SESA Directory computer. 2 On the master SESA Directory computer, become superuser. If you are located at a remote Solaris computer, you must initiate a Telnet session with the master SESA Directory computer, and then export a display. See Connecting to a remote Solaris computer and exporting its display on page On the master SESA Directory computer, in the IBM Directory Server Web Administration interface, stop the IBM Directory Server. See Starting and stopping the IBM Directory Server on page Update the IBM Directory server ldapdb2 password. See Updating the ldapdb2 password on page On the master SESA Directory computer, in the IBM Directory Server Web Administration interface, back up the master SESA Directory data. See Backing up SESA Directory data on page 331. Importing the master SESA Directory data on Solaris computers The third manual task that you must perform is to restore the master SESA Directory data on the replica SESA Directory. Import the master SESA Directory data on Solaris computers Before you can import the master SESA Directory data on a replica SESA Directory, you must first create the same suffixes on both computers. After you restore the data, you must run the Create Name Suffix script, which is located in the MANAGER\DIR directory on the SESA Foundation Pack Solaris CD1.

267 Setting up failover support Setting up SESA Manager-to-Directory failover support 267 To create the same name suffixes on both master and replica SESA Directory Solaris computers 1 Do one of the following: If you are physically located at the replica SESA Directory Solaris computer, become superuser. If you are located at a remote Solaris computer, you must initiate a Telnet session with the replica SESA Directory computer, and then export a display. See Connecting to a remote Solaris computer and exporting its display on page On the replica SESA Directory computer, stop the IBM Directory Server. See Starting and stopping the IBM Directory Server on page On the master SESA Directory computer, in a text editor, open the slapd32.conf configuration file. The default location is /opt/ibmldaps/etc/slapd32.conf. 4 Locate the last three lines in the section that starts with the following text: dn: cn=directory Each line starts with the text, ibm-slapdsuffix: This text represents the suffixes that are added by SESA. 5 Copy and paste the three lines from the slap32.conf file on the master SESA Directory computer to the same location in the slap32.conf file on the replica SESA Directory computer. 6 On the master SESA Directory computer, copy the master SESA Directory backup file to the same location on the replica SESA Directory computer. To restore the master SESA Directory data to the replica SESA Directory on Solaris computers 1 On the replica SESA Directory computer, update the ldapdb2 password for the replica SESA Directory. See Updating the ldapdb2 password on page 329. At this point, the credentials for logging in to the replica SESA Directory are the same as those for the master SESA Directory. 2 On the replica SESA Directory computer, in the IBM Directory Server Web Admin interface, restore (or import) the master SESA Directory backup data file to the replica SESA Directory by using the following settings: Check Create backup directory as needed. Do not check Restore data and schema only (not configuration file). See Restoring SESA Directory data on page 333.

268 268 Setting up failover support Setting up SESA Manager-to-Directory failover support 3 Ignore any warnings about missing schema files during the restore operation. At this point the credentials for logging on to the Directory Replica machine will be the same as those of the Directory Master. 4 Start the IBM Directory Server. See Starting and stopping the IBM Directory Server on page In the IBM Directory Server Web Admin interface, in the left pane, expand Security > SSL, and then click Settings. 6 In the SSL settings right pane, click SSL On, click Update, and then click Restart the Server. To run the Create Name Suffix script on the replica SESA Directory on Solaris computers 1 On the replica SESA Directory computer, in a file editor, open the createns.sh file. The script is located in the SESA Foundation Pack Solaris CD1 \MANAGER\DIR folder. The batch file contains a series of commands to the ldapmodify program. 2 If necessary, edit the -D parameter in the bind DN and the -w parameter in the bind password to match the SESA Directory Administrator user name and password. 3 Run the createns.sh file. If you see warning messages about entries that already exist, ignore them. 4 In the IBM Directory Server Web Admin interface, in the left pane, expand Security > SSL, and then click Settings. 5 In the SSL settings right pane, click SSL Only, click Update, and then click Restart the Server. Configuring the replica SESA Directory on the master SESA Directory Solaris computer The fourth manual task that you must perform is to configure the master SESA Directory computer to recognize replica SESA Directory information.

269 Setting up failover support Setting up SESA Manager-to-Directory failover support 269 To configure the replica SESA Directory on the master SESA Directory Solaris computer 1 Do one of the following: If you are physically located at the master SESA Directory Solaris computer, become superuser. If you are located at a remote Solaris computer, you must initiate a Telnet session with the replica SESA Directory computer, and then export a display. See Connecting to a remote Solaris computer and exporting its display on page Restart the IBM Directory Server. See Starting and stopping the IBM Directory Server on page In the IBM Directory Server Web Admin interface, in the left pane, in the Directory Server tree, expand Replication > Replicas, and then click Add a replica. 4 In the Add a replica right pane, do the following: Common Name Host Name Type the host name of the replica SESA Directory computer. Type the IP address of the replica SESA Directory computer. Port Number Type 636. Authentication Use SSL Update Interval Master DN Password/Confirm Password Click Simple. Click Yes. Click Immediate. Type any valid DN value except the master SESA Directory DN (by default, this DN is the SESA Directory Administrator user name, which is cn=root). Type any valid password, except the password that is used by the SESA Directory Administrator account. 5 Click Update. 6 Make a note of the Master DN and password. You will need them to duplicate the configuration changes on the replica SESA Directory computer.

270 270 Setting up failover support Setting up SESA Manager-to-Directory failover support Configuring the master SESA Directory on the replica SESA Directory Solaris computer The fifth manual task that you must perform is to configure the replica SESA Directory computer to recognize master SESA Directory information. To configure the master SESA Directory on the replica SESA Directory Solaris computer 1 Do one of the following: If you are physically located at the replica SESA Directory Solaris computer, become superuser. If you are located at a remote Solaris computer, you must initiate a Telnet session with the replica SESA Directory computer, and then export a display. See Connecting to a remote Solaris computer and exporting its display on page Restart the IBM Directory Server. See Starting and stopping the IBM Directory Server on page In the IBM Directory Server Web Admin interface, in the left pane, in the Directory Server tree, expand Replication > Settings. 4 In the right pane, do the following to match the master SESA Directory computer: Master DN Password/Confirm Password Referral Type any valid DN value except the master SESA Directory DN (by default, this DN is the SESA Directory Administrator user name, which is cn=root). Type any valid password, except the password that is used by the SESA Directory Administrator account. Type the URL of the master SESA Directory computer as follows: ldaps://<master SESA Directory IP address>:636 5 Click Update. Configuring SESA Manager-to-Directory failover support After you have installed all of the replica SESA Directories, you can configure failover support for the SESA Manager-to-Directory network connections.

271 Setting up failover support Setting up SESA Manager-to-Directory failover support 271 To configure SESA Manager-to Directory failover support 1 Log on to the Symantec management console. See Launching the Symantec management console on page In the Symantec management console, on the Configurations view tab, in the left pane, expand SESA v2.0 > Manager Connection Configurations > Default. 3 In the right pane, on the SESA Directory Failover tab, do the following: Enable automatic Directory failover Primary Directory Failover: Reconnect attempts before failover Enable or disable automatic (programmatic) SESA Directory failover support. This option is enabled by default. Select the number of times that the SESA Manager should attempt to connect to the primary SESA Directory before it switches communication to a secondary (replica) SESA Directory. The default setting is 10 times. Primary Directory Failover: Seconds between reconnect attempts Select the number of seconds between each reconnection attempt that the SESA Manager makes with the primary SESA Directory. The default setting is 60 seconds. Secondary Directory Failover: Reconnect attempts before failover Select the number of times that the SESA Manager should attempt to connect to the secondary (replica) SESA Directory before it switches communication to the next secondary (replica) SESA Directory, or if none is available, reconnects to the primary SESA Directory. The default setting is 5 times. Secondary Directory Failover: Seconds between reconnect attempts Select the number of seconds between each reconnection attempt that the SESA Manager makes with the secondary (replica) SESA Directory. The default setting is 60 seconds. Enable automatic failback recovery Seconds between failback connection attempts Enable or disable the SESA Manager to switch communication from the secondary (replica) SESA Directory to the primary SESA Directory after it detects that the primary SESA Directory has come online again. This option is enabled by default. Select the number of seconds between each reconnection attempt that the SESA Manager makes with the secondary (replica) SESA Directory. The default setting is 60 seconds. Write an event to the SESA DataStore when a failover occurs Enable or disable the creation of an event in the SESA DataStore when a SESA Directory goes into failover mode. This option is disabled by default.

272 272 Setting up failover support Setting up SESA Manager-to-Directory failover support Write an event to the local system log when a failover occurs Enable or disable the creation of an on-disk log entry (Windows NT event log or Solaris system log) when a SESA Directory goes into failover mode. This option is enabled by default. Generate an SNMP trap event when a failover occurs Enable or disable the creation of an SNMP trap when a SESA Directory goes into failover mode. The appropriate administrator must configure the SNMP Manager to allow the SNMP traps to be sent successfully. This option is disabled by default. Generate a Multiple Connection Failure Event: Number of connection failures that must occur Generate a Multiple Connection Failure Event: Time span during which connection failures occur Select the number of connection failures that must occur before a Multiple Connection Failure Event is created in the SESA DataStore. The default setting is 10 connection failures. Select the interval in seconds during which the specified number of connection failures must occur before a Multiple Connection Failure Event is created in the SESA DataStore. The default setting is 0, which indicates an unlimited time span. 4 Click Apply. Verifying a replica SESA Directory installation Because an important part of setting up a replica SESA Directory involves the critical task of exporting and exchanging of keys between the master and replica SESA Directory computers, you may want to verify that the task completed successfully. Verify a replica SESA Directory installation You can verify that the replica SESA Directory installation is working by creating a test user in the Symantec management console and then verifying that the replica SESA Directory recognizes the test user, both when you create and delete the user. To create a new test user In the Symantec management console, create and save a test user. You must use the Create a new User Wizard to create this test user. For more information on how to create a new user, see the section on creating a new user in the Symantec Management Console User s Guide.

273 Setting up failover support Setting up SESA Manager-to-Directory failover support 273 To verify that the new user is recognized by the replica SESA Directory 1 On the computer on which you installed the SESA Directory, to launch the Directory Management Tool (DMT), do one of the following: On a Windows computer, on the Windows taskbar, click Start > Programs > IBM Directory Server 4.1 > Directory Management Tool. On a Solaris computer, in a Terminal window for the replica SESA Directory, change directories to the binary directory of the replica SESA Directory, and then type./dmt The default location is opt/ibmldapc/bin. During SESA Directory installation, you have the option to specify another location. If you receive errors when you open the Directory Management Tool (DMT), SSL may not be enabled to open the SESA Directory. See Configuring the Directory Management Tool to connect via SSL on page In the Directory Management Tool window, in the left pane, under Server, click Rebind. 3 In the right pane, type the SESA Directory user name and password, then click OK. The user name is a root user in the form cn=<name>. You supplied this user name and password in the SESA Installation Wizard during SESA installation. 4 In the left pane, under Directory, click Browse tree. 5 In the Browse tree right pane, expand the suffix for the SESA domain in which the test user was created. The domain suffix has the following format: dc=[sesa_domain_name], dc=ses,0=symc_ses [SESA_Domain_Name] is the name of your SESA domain. 6 Under the domain suffix, expand ou=people. 7 Verify that the test user you created is listed under ou=people. 8 To close the DMT, in the left pane, click Exit. To delete the test user In the Symantec management console, create and save a test user. For more information on how to delete a user, see the section on deleting a user in the Symantec Management Console User s Guide.

274 274 Setting up failover support Setting up SESA Manager-to-Directory failover support To verify that the deletion is recognized by the replica SESA Directory 1 On the computer on which you installed the SESA Directory, to launch the Directory Management Tool (DMT), do one of the following: On a Windows computer, on the Windows taskbar, click Start > Programs > IBM Directory Server 4.1 > Directory Management Tool. On a Solaris computer, in a Terminal window for the replica SESA Directory, change directories to the binary directory of the replica SESA Directory, and then type./dmt The default location is opt/ibmldapc/bin. During SESA Directory installation, you have the option to specify another location. If you receive errors when you open the Directory Management Tool (DMT), SSL may not be enabled to open the SESA Directory. See Configuring the Directory Management Tool to connect via SSL on page 313. If you receive errors when you open the Directory Management Tool (DMT), SSL may not be enabled to open the SESA Directory. See Configuring the Directory Management Tool to connect via SSL on page In the Directory Management Tool window, in the left pane, under Server, click Rebind. 3 In the right pane, type the SESA Directory user name and password, then click OK. The user name is a root user in the form cn=<name>. You supplied this user name and password in the SESA Installation Wizard during SESA installation. 4 In the left pane, under Directory, click Browse tree. 5 In the Browse tree right pane, expand the suffix for the SESA domain in which the test user was created. The domain suffix has the following format: dc=[sesa_domain_name], dc=ses,0=symc_ses [SESA_Domain_Name] is the name of your SESA domain. 6 Under the domain suffix, expand ou=people. 7 Verify that the test user you created is listed under ou=people. 8 To close the DMT, in the left pane, click Exit.

275 Setting up failover support Setting up SESA Manager-to-DataStore failover support 275 Setting up SESA Manager-to-DataStore failover support When a SESA Manager detects that a SESA DataStore is no longer available, it attempts to communicate with, or failover to, a secondary SESA DataStore. Like SESA Agent-to-Manager failover support, the SESA Manager uses a predefined list of SESA DataStores in the Symantec management console to determine the order of selection for the secondary SESA DataStores. You can have up to 255 SESA DataStores used for failover support. If the selected secondary SESA DataStore in the list also fails, the SESA Manager attempts to failover to the next SESA DataStore in the list, and so on, as long as the list is configured with additional SESA DataStores. As soon as a SESA Manager switches to failover mode, SESA starts a failback thread. The failback thread continuously monitors the primary SESA DataStore. When the primary SESA DataStore comes online again, the secondary SESA DataStore immediately yields SESA Manager-to-DataStore communication to the primary SESA DataStore, just as with SESA Agent-to-Manager failover support. Depending on the volume of data, its value to your organization, and the computer resources available in your networking environment, you can install and set up the following types of secondary SESA DataStores: An empty SESA DataStore: You can install a SESA DataStore on an Oracle 9i IBM DB2 database server without configuring replication between the primary and secondary database servers. Although this type of installation is relatively easy to set up, one of its possible disadvantages is that the secondary SESA DataStore will not be able to accurately report the amount or status of events in the SESA environment when a failover does occur. When a primary SESA DataStore fails over to a secondary SESA DataStore, all thresholds for triggering events in the secondary SESA DataStore begin at 0 again, which creates only a partial picture of the state and amount of events that are processed by SESA. Therefore, you can only view a subset of events and alerts in the Symantec management console after failover occurs. Similarly, when failback occurs, the primary SESA DataStore will not be able to report the events in the secondary SESA DataStore. A SESA DataStore installed on a replicating database server: When you install the Oracle 9i or IBM DB2 database servers, you can specify a replication rate between primary and alternate database servers according to your organization s requirements for maintaining near realtime reporting of event data. If a replication rate of every half hour is specified, for example, a primary SESA DataStore and a secondary SESA DataStore will have synchronized data repositories once every half hour. On the other

276 276 Setting up failover support Setting up SESA Manager-to-DataStore failover support hand, if data has been configured to replicate every 10 seconds, the secondary SESA DataStore will more closely be able to report events in real time. However, the performance burden on your networking environment grows as replication intervals decrease, making the value of the data to your organization a mitigating factor in setting up a replication scheme. Configuring SESA Manager-to-DataStore failover support After you have installed the alternate database servers and SESA DataStores in your network environment, you can configure SESA Manager-to-DataStore failover support in the Symantec management console. To configure SESA Manager-to-DataStore failover support 1 Log on to the Symantec management console. See Launching the Symantec management console on page In the Symantec management console, on the Configurations view tab, in the left pane, expand SESA v2.0 > Manager Connection Configurations > Default. 3 In the right pane, on the SESA DataStore Failover tab, do the following: Primary DataStore Enable automatic DataStore failover Primary DataStore Failover: Reconnect attempts before failover Click the browse button ( ), then select SESA DataStore. Enable or disable automatic SESA DataStore failover support. This option is disabled by default. Select the number of times that the SESA Manager should attempt to connect to the primary SESA DataStore before it switches communication to a secondary SESA DataStore. The default setting is 10 times. Primary DataStore Failover: Seconds between reconnect attempts Select the number of seconds between each reconnection attempt that the SESA Manager makes with the primary SESA DataStore. The default setting is 30 seconds. Secondary DataStore Failover: Reconnect attempts before failover Select the number of times that the SESA Manager should attempt to connect to the secondary SESA DataStore before it switches communication to the next SESA DataStore, or if none is available, reconnects to the primary SESA DataStore. The default setting is 5 times. Secondary DataStore Failover: Seconds between reconnect attempts Select the number of seconds between each reconnection attempt that the SESA Manager makes with the secondary SESA DataStore. The default setting is 30 seconds.

277 Setting up failover support Setting up SESA Manager-to-DataStore failover support 277 Enable automatic failback recovery Secondary (failover) DataStores Add/Remove Move Up/Move Down Out of band notification Seconds between failback connection attempts Enable or disable the SESA Manager to switch communication from the secondary SESA DataStore to the primary SESA DataStore after it detects that the primary SESA DataStore has come online again. This option is enabled by default. Display an ordered list of secondary SESA DataStore computers to which the SESA Manager can connect. Once a SESA Manager connects with the first computer in this list, the SESA DataStore is in failover mode. If the first computer in the list goes offline, the SESA Manager fails over to the next computer in the ordered list, and so on, as long as Enable automatic DataStore failover is checked. If Enable automatic DataStore failover is unchecked, you must manually select the computer. Add computers to and remove computers from the Secondary (failover) DataStores list. The computers must already have replica database servers and replica SESA DataStores installed on them. Change the order of SESA DataStore computers in the Secondary (failover) DataStores list. Select, for each computer in the Secondary (failover) DataStores list, who to send notifications to if the primary SESA DataStore goes into failover mode. Like SESA Alert notifications, you can specify that notifications be sent via SMTP or SNPP. Select the number of seconds between each reconnection attempt that the SESA Manager makes with the secondary SESA DataStore. The default setting is 60 seconds. Write an event to the SESA DataStore when a failover occurs Write an event to the local system log when a failover occurs Enable or disable the creation of an event in the SESA DataStore when a SESA DataStore goes into failover mode. This option is disabled by default. Enable or disable the creation of an on-disk log entry (Windows NT event log or Solaris system log) when a SESA Directory goes into failover mode. This option is enabled by default. Generate an SNMP trap event when a failover occurs Enable or disable the creation of an SNMP trap when a SESA DataStore goes into failover mode. The appropriate administrator must configure the SNMP Manager to allow the SNMP traps to be sent successfully. This option is disabled by default.

278 278 Setting up failover support Setting up SESA Manager-to-DataStore failover support Generate a Multiple Connection Failure Event: Number of connection failures that must occur Generate a Multiple Connection Failure Event: Time span during which connection failures occur Select the number of connection failures that must occur before a Multiple Connection Failure Event is created in the SESA DataStore. The default setting is 10 connection failures. Select the interval in seconds during which the specified number of connection failures must occur before a Multiple Connection Failure Event is created in the SESA DataStore. The default setting is 0, which indicates an unlimited time span. 4 Click Apply.

279 Chapter 7 Changing your security configuration This chapter includes the following topics: About required SESA information for SSL upgrades Making SESA security choices Upgrading to authenticated, self-signed certificates Upgrading to authenticated, CA-signed certificates Configuring SESA to use a new certificate Verifying the SSL upgrade Configuring the Directory Management Tool to connect via SSL About required SESA information for SSL upgrades To upgrade your SSL security from the default SESA anonymous SSL, the upgrade process requires you to supply the logon accounts that are listed in Table 7-1.

280 280 Changing your security configuration About required SESA information for SSL upgrades Table 7-1 Account SESA Directory SESA Domain Administrator SESA Secure Communications Required accounts for SSL upgrades Description User name (in the form cn=<name>) and password for IBM Directory Server. Use this user name and password to connect to an already installed SESA Directory when you install other SESA components and perform IBM Directory Server maintenance outside of SESA. The SESA Directory account is independent of any Windows account. Logon name and password that the SESA Installer creates in the SESA Directory. Use the Domain Administrator name and password to log on to the SESA Manager after SESA installation is complete. The SESA Directory account is independent of any Windows account. Password, company name, key size (512 or 1024 bits), and company location for the key database that SESA is to use for self-signed certificates. Web Server (Windows only) Java Trust Store password User name and password for a Windows 2000 account that is required to install the IBM HTTP Server and Apache Tomcat servlet engine. The Windows 2000 account user name is case sensitive when used to log on to the IBM HTTP server. As a best practice, use a local account other than the local administrator account. Default password that was supplied at Java (J2RE/SDK) installation. By default, SESA uses <changeit>, but you can change the password as necessary for security purposes. Note: Internet Explorer ships with a Symantec Root CA Certificate. This certificate is not relevant to any type of SSL upgrade for SESA. SESA does not require the certificate.

281 Changing your security configuration Making SESA security choices 281 Making SESA security choices SESA is flexible with the categories of Secure Sockets Layer (SSL) technology that it lets you use to secure SESA data. Table 7-2 lists the types of SSL that are available with SESA. Table 7-2 SSL technology available with SESA SSL technology Anonymous, self-signed SSL Authenticated, self-signed SSL Installation status Installed by default Upgradeable Description Provides data encryption and data integrity between the SESA Manager computer and computers that host the Symantec management console and SESA Agents. When the SESA Directory is installed remotely from the SESA Manager computer, data encryption and data integrity are also provided between the computers. Anonymous, self-signed certificates use the IP address of the host computer for identification. Authenticates through a self-signed certificate. You must install a certificate for the SESA Manager and, if you installed the SESA Directory on a different computer than the SESA Manager, the SESA Directory as well. A SESA Manager self-signed certificate authenticates the SESA Manager computer to the computers that host the SESA Directory, Symantec management console, and SESA Agents. In the case of a stand-alone SESA Directory, a SESA Directory self-signed certificate authenticates the computer on which you installed the Directory to the SESA Manager. Self-signed certificates also provide data encryption on and data integrity between computers.

282 282 Changing your security configuration Making SESA security choices SSL technology Certificate Authority-signed SSL Installation status Upgradeable Description Authenticates through a certificate that is digitally signed by a Certificate Authority (CA). You must install a certificate for the SESA Manager and, if you installed the SESA Directory on a different computer than the SESA Manager, the SESA Directory as well. A SESA Manager CA-signed certificate authenticates the SESA Manager computer to the computers on which you installed the SESA Directory, Symantec management console, and SESA Agents. In the case of a stand-alone SESA Directory, a SESA Directory CAsigned certificate authenticates the computer on which you installed the Directory to the SESA Manager. Self-signed certificates also provide data encryption on and data integrity between computers. Note: Do not disable SSL in SESA. If you do, SESA passes data in clear text between the SESA components over the network. About upgrading your security During installation, SESA installs one or two default, self-signed certificates, depending on whether the SESA Manager and SESA Directory reside on different computers. Table 7-3 describes the function of the certificates. Table 7-3 SESA component SESA Manager SESA Directory Default, self-signed certificates in SESA SSL security function The default, self-signed certificate on the Manager ensures data encryption and data integrity between Agent and Manager computers, and Symantec management console and Manager computers. The default, self-signed certificate on the Directory ensures data encryption and data integrity between Directory and Manager computers. When the Directory and Manager reside on the same computer, only one certificate is required to secure communication between this computer and the other computers that host the SESA Agents or Symantec management consoles.

283 Changing your security configuration Making SESA security choices 283 Figure 7-1 shows the relationship among the Manager, Directory, Agent, Symantec management console, and the two types of self-signed certificates. Figure 7-1 Use of anonymous, self-signed SSL certificates When the SESA Directory is installed on a different computer than the SESA Manager Symantec management console SESA Directory SESA Manager By default, SESA installs an anonymous, self-signed certificate for the SESA Manager computer, which secures communication between the SESA Manager, SESA Agents, and Symantec SESA also installs an anonymous, selfsigned SSL certificate on the SESA Directory computer SESA Agent The subject and issuer fields of the default, self-signed certificate specify the IP address of the computer or computers on which you installed the SESA Manager or SESA Directory. The use of an IP address in the subject and issuer fields triggers SESA to use anonymous, self-signed SSL for connections between the following: SESA Manager computer and SESA Agent (client) computers SESA Manager computer and computers hosting remote Symantec management consoles SESA Manager computer and the SESA Directory computer, if the SESA Directory computer is not installed on the same computer as the SESA Manager Clients include any computer to which the SESA Manager authenticates its communication. Anonymous, self-signed SSL encrypts data and ensures data integrity, but does not provide authentication.

284 284 Changing your security configuration Making SESA security choices Required tasks to upgrade to authenticated, self-signed SSL To add standard SSL authentication, you can upgrade to authenticated, selfsigned SSL. You can create authenticated, self-signed SSL certificates manually and install them on the servers on which you installed the SESA Managers and Directories, as well as on the SESA Agent (client) computers on which you installed the SESA Agents. Authenticated, self-signed certificates use computer common names (a host name plus a domain), also known as fully qualified domain names (FQDNs), rather than IP addresses in their subject and issuer fields. If you want to upgrade to authenticated, self-signed SSL, perform the following tasks in the order indicated: Upgrading to authenticated, self-signed certificates Configuring SESA to use a new certificate Verifying the SSL upgrade Required tasks to upgrade to authenticated, CA-signed SSL Your organization may require completely secure authentication of servers to SESA Agents. If this is the case, you can upgrade from anonymous, self-signed SSL to authenticated, Certificate Authority-signed SSL (CA-signed SSL). When you use authenticated, CA-signed SSL, a Certificate Authority digitally signs your server certificates, which adds an extra layer of security. If you want to upgrade to authenticated, CA-signed SSL, perform the following tasks in the order indicated: Upgrading to authenticated, CA-signed certificates Configuring SESA to use a new certificate Verifying the SSL upgrade Viewing certificate expiration dates By default, the SESA anonymous, self-signed SSL certificates expire 365 days after they are created. Regardless of the type of certificate that you use, you will need to track certificate expiration dates and regenerate new certificates as necessary.

285 Changing your security configuration Making SESA security choices 285 When a SESA certificate is close to reaching its expiration date, SESA generates events at the following intervals: 90, 60, 30, and 14 days before expiration 7 days before expiration and each day thereafter 12 hours before expiration As the expiration date approaches, the severity of the SESA events increases. After a certificate expires, you cannot view current data in the Symantec management console. The SESA Agents can no longer connect to the SESA Managers. Similarly, SESA Managers can no longer connect to the SESA Directory. View certificate expiration dates You can choose from any of the following methods to check the expiration date of a certificate: Use the IBM Directory Server Start Key Management Utility (IKEYMAN). Access the Symantec management console (only if you have not already installed the certificate to the Trusted Root CA Store). Use Internet Explorer. Use Netscape Navigator. To use IKEYMAN to view the expiration date 1 On the SESA Manager computer, on the Windows taskbar, click Start > Programs > IBM HTTP Server > Start Key Management Utility. 2 In the IBM Key Management window, on the Key Database File menu, click Open. 3 In the Open dialog box, browse to the location of the Key database that SESA installed. The default location is C:\Program Files\Common Files\Symantec Shared\SES\KeyDB. 4 In the Password Prompt dialog box, type the password for the Key database. You supplied the Key database password when you specified the SESA Secure Communications password in the SESA Installation Wizard. A wizard screen prompted you for a password, company name, location, and Key size for the Key database. 5 In the IBM Key Management window, click View/Edit. 6 In the View/Edit dialog box, view the Valid from and to dates.

286 286 Changing your security configuration Making SESA security choices To access the Symantec management console to check the expiration date 1 In Internet Explorer, type the following URL: address, host name, or FQDN of the SESA Manager computer>/sesa/ssmc If connections to SESA Manager computer are made using authenticated SSL, you must type the host name or FQDN of the computer instead of the IP address. 2 Log on to the Symantec management console as the SESA Domain Administrator. You supplied the Domain Administrator user name and password during SESA installation. A wizard screen prompted you for a Domain Administrator name and password. 3 In Internet Explorer, on the File menu, click Properties. 4 In the Properties dialog box, do one of the following, depending on the version of Internet Explorer: On the Security tab, view the Valid from and to dates. Click Certificates, then view the Valid from and to dates. To use Internet Explorer to view the expiration date 1 In an Internet browser, type the following URL: address, host name, or FQDN of the SESA Manager computer>/sesa/ssmc If connections to SESA Manager computer are made using authenticated SSL, you must type the host name or FQDN of the computer instead of the IP address. 2 In the Security Alert dialog box, click View Certificates. 3 In the View Certificates dialog box, on the General tab, view the Valid from and to dates.

287 Changing your security configuration Upgrading to authenticated, self-signed certificates 287 To use Netscape Navigator to view the expiration date 1 In Netscape Navigator, type the following URL: address, host name, or FQDN of the SESA Manager computer>/sesa/ssmc If connections to SESA Manager computer are made using authenticated SSL, you must type the host name or FQDN of the computer instead of the IP address. 2 Log on to the Symantec management console as the SESA Domain Administrator. You supplied the Domain Administrator user name and password during SESA installation. A wizard screen prompted you for a Domain Administrator name and password. 3 In Netscape Navigator, in the menu bar, click Security. 4 In the Security dialog box, click View Certificate. 5 In the View Certificate dialog box, view the Valid from and to dates. Upgrading to authenticated, self-signed certificates To upgrade from anonymous, self-signed SSL to authenticated, self-signed SSL, you must perform the following tasks: Generating a new, self-signed certificate in the Key database Configuring SESA to use a new certificate You must generate a self-signed certificate in the Key database of the SESA Manager computer. If the SESA Directory is installed on a different computer than the SESA Manager, you must also generate a self-signed certificate in the Key database for the SESA Directory computer. After a certificate is generated, you can use it to configure the SESA components that authenticate to SESA Agents to use the new certificate. These SESA components include the following: HTTP Server on the SESA Manager (and SESA Directory, if installed remotely from the SESA Manager) Java Trust Stores (J2RE and SDK) on the SESA Manager (and SESA Directory, if installed remotely from the SESA Manager) SESA configuration (through the Symantec management console) SESA Directory After you configure the SESA components, you complete the upgrade process by installing the new, self-signed certificate to the J2RE Trust Stores on the SESA

288 288 Changing your security configuration Upgrading to authenticated, self-signed certificates Agent (client) computers and updating the SESA Agent configuration. You can then verify the upgrade. See Verifying the SSL upgrade on page 311. If the upgrade is successful, SESA Agents can now connect and send events over authenticated, self-signed SSL. Generating a new, self-signed certificate in the Key database To begin the upgrade process, you can use the IBM Key Management Utility (IKEYMAN) to generate a new, self-signed certificate and add it to the Key database on the Manager computer. If the SESA Directory is installed on a separate computer, you must also use IKEYMAN on the SESA Directory computer to generate another self-signed certificate for the SESA Directory computer. The old anonymous, self-signed certificate specified the IP address of the Manager in its subject and issuer fields. Instead of using the SESA computer IP address in its subject and issuer fields, the new certificate will contain the common name (host name) of the SESA Manager or SESA Directory computer, which is usually the fully qualified domain name (FQDN) of the computer. You add the new certificate to the existing Key database (Key.kdb) on the computer, which SESA created at installation. If necessary, you can create a new Key database, but extra steps are required. You may find that using the existing Key database is more convenient. See the IKEYMAN online Help for more information on creating a new Key database. To generate a new, self-signed certificate in the Key database 1 On the SESA Manager computer, on the Windows task bar, click Start > Programs > IBM HTTP Server > Start Key Management Utility. 2 In the IBM Key Management window, on the Key Database File menu, click Open. 3 In the Open dialog box, browse to the location of the existing Key database (Key.kdb) that SESA installed. The default location is C:\Program Files\Common Files\Symantec Shared\SES\KeyDB. 4 Click Open.

289 Changing your security configuration Upgrading to authenticated, self-signed certificates In the Password Prompt dialog box, type the password for the Key database, then click OK. You supplied the Key database password when you specified the SESA Secure Communications password in the SESA Installation Wizard. A wizard screen prompted you for a password, company name, location, and Key size for the Key database. If you do not remember the password, you must create a new Key database. To create a new Key database, see the IKEYMAN online Help. 6 In the IBM Key Management window, click New Self Signed. 7 In the Create New Self-Signed Certificate dialog box, type the requested information, but leave all of the other options at their default settings unless the security policy at your organization requires otherwise. Key Label Common Name Organization Validity period Type a label for the Key that you are creating, for example, SESA-SSL. Never use the word SESA alone because the anonymous, self-signed certificate already uses a label called SESA. Make note of this Key label because you will need it for other SSL configuration options. See Updating IBM Directory Server to use the new certificate on page 303. Type or confirm the fully qualified domain name (FQDN) of the SESA Manager computer, one that computers on the network can recognize. Type a value for your organization, for example, Symantec. Type the length of time that the certificate is valid. By default, SESA uses 365 days. See the online Help to understand other value properties. 8 When you are prompted to set the key as the default in the database, click No. 9 Click OK to add the self-signed certificate to the list of personal certificates. Under Personal Certificates, you now see a certificate with the name you typed for the Key label. 10 Select the certificate that you created, then click Extract Certificate.

290 290 Changing your security configuration Upgrading to authenticated, CA-signed certificates 11 In the Extract Certificate to file dialog box, do the following: Type a certificate name. For example, the Key label name. IKEYMAN appends an.arm extension to the filename. Select Base64-Encoded ASCII data. You can save the certificate in the same location as the Key.kdb file. For example, \Program Files\Common Files\Symantec Shared\SES\KeyDB. Remember the location of this file. You will need it when you install the certificate to the SESA Agent (client) computers. See Installing the new certificate on the SESA Agent (client) computers on page Click OK to extract the certificate. 13 If the SESA Directory is installed on a different computer than the SESA Manager, repeat steps 1 through 12 for the SESA Directory computer. 14 Continue the upgrade procedure by configuring SESA to use the self-signed certificate. See Configuring SESA to use a new certificate on page 296. Upgrading to authenticated, CA-signed certificates When you upgrade from anonymous, self-signed SSL to authenticated SSL, you use authenticated, signed certificates to identify SESA servers to their SESA Agent (client) computers. These certificates are issued by Certificate Authorities, of which there are many. Some common Certificate Authorities are VeriSign (a Trusted Source), Microsoft Certificate Server, Thawte, and Java. In general, you do the following to upgrade to authenticated, CA-signed certificates: Generate a certificate request and submit it to a Certificate Authority. If the SESA Manager and SESA Directory are installed on different computers, you must generate and submit request certificates for each computer. After you receive the digitally-signed certificate or certificates from the CA, update your SESA Manager computer (and Directory computer, if necessary) to use the certificate or certificates. Install the certificate on the SESA Agent (client) computers. Depending on which Certificate Authority you use, specific tasks may vary. The instructions that come with SESA for upgrading to authenticated, CA-signed certificates use VeriSign as the Certificate Authority. See Upgrading to an authenticated, signed certificate on page 291.

291 Changing your security configuration Upgrading to authenticated, CA-signed certificates 291 Upgrading to an authenticated, signed certificate To get an authenticated, CA-signed certificate from VeriSign and use it with SESA, you must perform the following tasks: Generating a certificate request Submitting your request Importing the CA-signed certificate into a SESA Key database Configuring SESA to use a new certificate These tasks cover the process of requesting and installing a 14-day trial certificate. To obtain a purchased certificate, you must perform similar tasks. A few more steps are involved in obtaining a trial certificate. Generating a certificate request You must request a CA-signed certificate from VeriSign by generating a Certificate Server Request (CSR) using the IBM Key Management Utility (IKEYMAN) on the IBM HTTP Server. You can generate the request in the existing Key database (Key.kdb), which SESA created at installation. If necessary, you can create a new Key database, but extra steps are required. You may find that using the existing Key database is more convenient. To create a new Key database, see the IKEYMAN online Help. To generate a request for a signed certificate 1 On the SESA Manager computer, on the Windows taskbar, click Start > Programs > IBM HTTP Server > Start Key Management Utility. 2 In the IBM Key Management window, on the Key Database file menu, click Open. 3 In the Open dialog box, browse to the location of the existing Key database (Key.kdb) that SESA installed. The default location is C:\Program Files\Common Files\Symantec Shared\SES\KeyDB. 4 Click Open. 5 In the Password Prompt dialog box, type the password for the Key database, and then click OK. You supplied the Key database password when you specified the SESA Secure Communications password in the SESA Installation Wizard. A wizard screen prompted you for a password, company name, location, and Key size for the Key database.

292 292 Changing your security configuration Upgrading to authenticated, CA-signed certificates 6 In the IBM Key Management window, in the Key database content group box, ensure that Personal Certificates appears in bold. If Personal Certificate Requests or Signer Certificates appears instead, click on the selection, and then select Personal Certificates. 7 On the Create menu, click New Certificate Request. 8 In the New Certificate Request dialog box, type the required information to request a certificate. Key Label Keysize Common Name Organization State/Province Country Certificate Name Type a label for the Key that you are creating, for example, SESA-SSL. Never use the word SESA alone because the anonymous, self-signed SSL certificate that SESA automatically installs during installation already uses a label called SESA. Make note of this Key label because you need to use it for other SSL configuration options. See Updating IBM Directory Server to use the new certificate on page 303. Accept the setting of 1024 unless you have other requirements. See the online Help for more information on Key sizes. Type the fully qualified domain name (FQDN) of the SESA Manager computer, one that computers on the network can recognize. Type a value for your organization, for example, Symantec. Type the complete name of your state, for example, California (not CA). Select your country. Type a name and location of the certificate request file. For example, VeriSignCertReq.arm. 9 Click OK. 10 When you see a message that a new certificate request has been saved, click OK. The certificate request is stored in the specified location. It appears in the IBM Key Management window, under Personal Certificate Requests. 11 Submit the certificate request to VeriSign. See Submitting your request on page If the SESA Directory is installed on a separate computer, repeat steps 1 through 11 for the SESA Directory computer.

293 Changing your security configuration Upgrading to authenticated, CA-signed certificates 293 Submitting your request After you create a certificate request, you can submit it to the Certificate Authority for processing (in this case, the VeriSign Web site). You can submit a request for a trial certificate, or use the request to purchase a non-trial, CAsigned certificate from the Certificate Authority. Note: After the trial certificate expires, SESA does not work. Therefore, ensure that you obtain a non-trial, CA-signed certificate before the trial period ends. To submit your request 1 On the computer on which you generated the request, in an Internet browser, type the following URL: 2 On the VeriSign Web page, under Secure Site Services, click Try. 3 Complete the form that appears, and then click Submit. 4 On the Enrollment page, under Before you Start, read the information, then click Continue. 5 To complete the Certificate Server Request (CSR), follow the on-screen instructions. The server software vendor is IBM (IBM Directory Server). When you submit the CSR, you open the certificate request that you generated on the SESA computer (the file with the.arm extension). You paste the contents of the certificate request file into the VeriSign Submit Web page. Ensure that all of the information on the form and in the certificate request is correct before you submit the CSR. VeriSign issues only one certificate per trial period. When you have completed the submittal successfully, VeriSign notifies you to await an message from them, which will include the signed certificate. Note: If you need to submit another certificate request within the same 14-day trial period, type different technical contact information in the VeriSign CSR form. If you do not, VeriSign will not issue the certificate.

294 294 Changing your security configuration Upgrading to authenticated, CA-signed certificates After you have received the message from VeriSign (or your CA) that contains the CA-signed certificate, you can import the certificate into a SESA Key database. See Importing the CA-signed certificate into a SESA Key database on page 294. Importing the CA-signed certificate into a SESA Key database When you receive the signed certificate that you requested from VeriSign, you can import it into a SESA Key database. The SESA Key database is either the default Key.kdb database or a new Key database that you created. Import the CA-signed certificate into a SESA Key database You can import a purchased certificate or a 14-day trial certificate into a Key database. However, you must perform some additional steps to prepare your Internet browser to use the trial certificate. Complete the following tasks, as necessary, to import the signed certificate: Prepare your Internet browser by installing a Test CA Root for the certificate if you are importing a 14-day trial certificate. You must prepare all Internet browsers that remotely connect to the SESA Manager computer. Create a certificate file based on the Certificate Key that is provided in the VeriSign message. If you requested one certificate each for a Manager computer and a Directory computer, you must create two certificate files. Import the certificate file into the Key database file for the SESA Manager computer. If the SESA Directory is installed on the different computer, you must also import the other certificate file you received for it in the Key database file for the SESA Directory computer. If you are importing a purchased certificate, you do not have to install a Test CA Root. To install a Test CA Root for a trial certificate 1 Open the VeriSign message. It contains the certificate key and instructions. The certificate key is a string that is generated by VeriSign. It is based on your submitted CSR. After you place the certificate key into a file and save it, the file becomes the CAsigned certificate. 2 In the VeriSign message, click the link to download the Test CA Root. The VeriSign Web page that contains instructions for installing the Test CA Root appears.

295 Changing your security configuration Upgrading to authenticated, CA-signed certificates Follow the instructions for your specific Internet browser. 4 Repeat steps 1 through 3 for each Internet browser that connects to the computer on which you installed the SESA Manager. To create a signed certificate file 1 If you have not already done so, open the VeriSign message. 2 At the end of the VeriSign message, copy the text of the Certificate Key. The Key begins with BEGIN CERTIFICATE and ends with END CERTIFICATE. Include these beginning and end lines as well. 3 Open a text editor and paste the text into a new ASCII file. 4 Save the file with an.arm extension, preferably in the same location as the default Key database file, Key.kdb. For example, \Program Files\Common Files\Symantec Shared\SES\KeyDB\VerisignCert.arm. 5 If necessary, repeat steps 1 through 4 for the other VeriSign message. To import the CA-signed certificate 1 On the SESA Manager computer, on the Windows taskbar, click Start > Programs > IBM HTTP Server > Start Key Management Utility. 2 In the IBM Key Management window, on the Key Database file menu, click Open. 3 In the Open dialog box, browse to the location of the Key database that you used to create the certificate and certificate request. The default location is C:\Program Files\Common Files\Symantec Shared\SES\KeyDB. If you created your own SESA Key database, the location is different. 4 Click Open. 5 In the Password Prompt dialog box, type the password for the Key database, and then click OK. You supplied the Key database password when you specified the SESA Secure Communications password in the SESA Installation Wizard. A wizard screen prompted you for a password, company name, location, and Key size for the Key database. 6 In the IBM Key Management window, under Key database content, select Personal Certificates. 7 Click Receive. 8 Select Base64-Encoded ASCII Data.

296 296 Changing your security configuration Configuring SESA to use a new certificate 9 Click Browse, select the certificate file with the.arm extension that you just created, click OK, then click OK again to close the dialog box. 10 When you are prompted to make the file a default Key, click No. A new Key label is displayed. This Key label is based on the Key label that you typed when you created the request. 11 In the IBM Key Management window, select the new certificate entry. 12 Click Extract to extract the new certificate to a new.arm file on a disk that is in X.509 format. For example, VerisignCertX509.arm. 13 If you have a CA-signed certificate for a separately installed SESA Directory computer, repeat steps 1 through Continue the upgrade procedure by configuring SESA to use the signed certificate. See Configuring SESA to use a new certificate on page 296. Configuring SESA to use a new certificate After you have generated or obtained your certificate, you must configure the SESA components to use the new certificate. You must perform the following tasks to configure SESA to use the new certificate: Updating the HTTP Server to use the new certificate Installing the new certificate to the Java Trust Stores Updating the SESA configuration to use the new certificate Updating IBM Directory Server to use the new certificate Installing the new certificate on the SESA Agent (client) computers Updating the SESA Agent configuration Updating the SESA Directory to use the new URI Updating the SESA Manager on disk configuration After you configure SESA for the upgrade in security, you must verify the upgrade. See Verifying the SSL upgrade on page 311. Updating the HTTP Server to use the new certificate You must configure the SESA HTTP Server on the SESA Manager computer to include information about the new certificate in the Key database. If you

297 Changing your security configuration Configuring SESA to use a new certificate 297 installed the SESA Manager and SESA Directory on the same computer, they share the same new certificate. If you installed the SESA Manager and SESA Directory on different computers, each must use a different certificate. Therefore, you must also configure the SESA HTTP Server on the SESA Directory computer to use the other certificate. Update the HTTP Server on the SESA Manager computer to use the new certificate To update the HTTP Server on the SESA Manager computer or SESA Directory computer, perform the following tasks: Set up a virtual host structure for the HTTP Server. Set up a virtual host document root for the HTTP Server. Enable SSL and select the mode of client authorization. To set up a virtual host structure for the HTTP Server 1 On the computer on which you installed the SESA Manager or SESA Directory, in an Internet browser, type the following URL: address or FQDN of the SESA computer> 2 On the IBM HTTP Server interface, click Configure server. 3 If an IBM HTTP Server Web page appears informing you that your user name or password cannot be authenticated, follow the online instructions, and then continue with step 4. 4 Log on to the IBM Administration server as the Administrator using the Web Server account user name and password. The user name is case sensitive. You supplied the Web Server user name and password when you used the SESA Installation Wizard to install the IBM HTTP Server. A wizard screen prompted you for an existing Windows 2000 user name and password. 5 In the left pane of the Internet browser, expand the Configuration Structure folder, and then click Create Scope. 6 In the right pane, ensure that <Global> is selected. 7 Under Select a valid scope to insert within the scope selected in right panel, click VirtualHost. 8 Under Virtual host IP address or fully qualified domain name, type the FQDN of the SESA Manager computer. This is the Common Name that you used when you generated or obtained the new certificate. 9 Under Virtual host port (optional), type 443

298 298 Changing your security configuration Configuring SESA to use a new certificate 10 Under Server name, type the FQDN of your SESA computer again. Leave the alternate names blank unless you need them. 11 Click Submit. 12 If necessary, repeat steps 1 through 11 for the SESA Directory computer. To set up a virtual host document root for the HTTP Server 1 In the Internet browser, in the left pane of the IBM Administration Server interface, expand Basic Settings, then click Core Settings. 2 In the Core Settings right pane, click Scope. 3 In the Global directory tree, select the branch that represents the computer on which you installed the SESA Manager. This branch has the following format: <VirtualHost.FQDN:443 (Servername)> 4 In the right pane, in the Server name text box, type the FQDN of the SESA Manager computer. 5 Under Document root directory name, click Browse, then locate and expand Htdocs. The location is usually C:/Program Files/IBM HTTP Server/Htdocs. 6 Under the Error log name, click Browse, then locate and expand Logs. The location is usually C:/Program Files/IBM HTTP Server/Logs. 7 In the File Browser dialog box, in the right pane, click error.log. 8 Click Submit. 9 If necessary, repeat steps 1 through 8 for the SESA Directory computer. To enable SSL and select the mode of client authorization 1 In the Internet browser, in the left pane of the IBM HTTP Server interface, expand Security, then click Host Authorization. 2 In the Host Authorization right pane, click Scope. 3 In the Global directory tree, select the branch that represents the computer on which you installed the SESA Manager. This branch has the following format: <VirtualHostServer.FQDN:443 (Servername)> 4 In the right pane, next to Enable SSL, check Yes. 5 Next to Mode of client authentication to be used, check None.

299 Changing your security configuration Configuring SESA to use a new certificate Next to Server certificate to use for this virtual host, type the Key label of the new certificate. You specified this label when you used IKEYMAN to generate a new, selfsigned certificate or a request for a CA-signed certificate. 7 Click Submit. The updated settings are applied after you restart the HTTP Server at the end of the SSL upgrade. 8 If necessary, repeat steps 1 through 7 for the SESA Directory computer. 9 Continue the upgrade procedure by updating the Java Trust Stores, or Java Keystores. See Installing the new certificate to the Java Trust Stores on page 299. Installing the new certificate to the Java Trust Stores After you update the HTTP Server configuration, you can install the new certificate to the Java Trust Stores, or Java Keystores on the SESA Manager computer. The Java Trust Stores store certificates. The Java Runtime Environment (J2RE) and the SUN Development Kit (SDK) each have their own Java Trust Stores, both of which are used by the SESA Manager. You must install the new certificate to both the SDK and J2RE Java Trust Stores. If the SESA Manager and SESA Directory are installed on separate computers, the certificates must be swapped. That is, you must install the certificate for the SESA Manager computer in the Java Trust Stores for the SESA Directory computer. Alternately, you must install the certificate for the SESA Directory in the Java Trust Stores for the SESA Manager computer. Install the new certificate to the Java Trust Stores You can skip installing the new certificate to the Java Trust Stores if the Java Trust Stores already trust the certificate. If your new certificate is already trusted, as are the certificates from the more common CAs, you can also skip installing the certificate on SESA Agent (client) computers. However, if you are using a self-signed certificate, you must install it to the Java Trust Stores. To determine if the Java Trust Stores trust your new certificate, use the List command for the Java Trust Stores. If your new certificate is not in the certificate chain of a built-in Java certificates, you must install it to the Java Trust Stores. Check for Java certificates in both the J2RE and SDK. The SESA Agent only uses the J2RE.

300 300 Changing your security configuration Configuring SESA to use a new certificate To determine if the Java Trust Stores trust your new certificate 1 On the computer on which you installed the SESA Manager, change directories to the location of the Keytool utility in the J2RE home directory. <J2RE Home> is usually in C:\Program Files\JavaSoft\J2RE\1.3.1_09. The Keytool utility is usually in C:\Program Files\JavaSoft\J2RE\1.3.1_0\bin. 2 At the command prompt, type the following command: keytool -list -keystore <J2RE Home>\lib\security\cacerts 3 If you are prompted to type the keystore password, type the following, which is the default password that Java installed: changeit The List command displays the Java certificates and certificate chains that Java already trusts. 4 Search the list for your certificate. 5 Do one of the following: If your certificate appears in the list or is in an existing trusted certificate chain, do not install it to the Java Trust Stores. See Updating the SESA configuration to use the new certificate on page 302. You can also skip installing the new certificate on the client computers. If your new certificate does not appear in the list or is not in an existing trusted certificate chain, install the certificate to the Java Trust Stores. If the SESA Manager and SESA Directory are installed on separate computers, you must install the certificate from the SESA Manager computer to the Java Trust Stores for the SESA Directory computer, and conversely, the certificate from the SESA Directory computer in the Java Trust Stores of the SESA Manager computer. 6 If necessary, on the computer on which you installed the SESA Manager, change directories to the Keytool utility in the SDK home directory. <SDK Home> is usually in C:\Sdk1.3.1_09\. The Keytool utility is usually in C:\Sdk1.3.1_09\bin. 7 If you are prompted to type the keystore password, type the following, which is the default password that Java installed: changeit The List command displays the Java certificates and certificate chains that Java already trusts.

301 Changing your security configuration Configuring SESA to use a new certificate At the command prompt, type the following command: keytool -list -keystore <SDK Home>\lib\security\cacerts This command displays the built-in Java certificates and certificate chains that Java already trusts. 9 Repeat steps 4 and 5. To install the new certificate to the Java Trust Stores 1 If you are swapping certificates between the Java Trust Stores on the SESA Manager computer and Java Trust Stores on the SESA Directory computer, copy each certificate to the Key database directory on the other computer. The default location of the Key database is C:\Program Files\Common Files\Symantec Shared\SESA\keydb. 2 To update the SDK Trust Stores on the computer on which you installed the SESA Manager, at the command prompt, type the following command: <SDK Home>\bin keytool -import -keystore <SDK Home> \J2RE\lib\security\cacerts -storepass <changeit> -alias <SESAKey> -trustcacerts -file "C:\program files\common files\symantec shared\ses\keydb\<certname.arm> Change the following parameters as necessary: <Java Home> <changeit> <SESAKey> <certname.arm> Location in which the SDK is installed. For example, C:\SDK1.3.1_09. Default password that was supplied at Java installation. If your password is different, change it as necessary. Suggested name that specifies the Key label, or alias of the database Key. Use any name but SESA, because SESA is the Key label for the default, anonymous SSL certificate. File name of the new certificate file that you extracted from IKEYMAN. For example, VerisignCertX509.arm. Use the default location, C:\Program Files\Common Files\Symantec Shared\SES\keydb\, if you did not change it. When you use long file names, always surround the location with quotes. For example, "C:\Program Files\JavaSoft\J2RE\1.3.1_09\bin". Otherwise, use DOS alias naming conventions. For example, C:\Progra~1\JavaSoft\J2RE\1.3.1_09\bin. 3 When you are prompted to trust this certificate, type yes

302 302 Changing your security configuration Configuring SESA to use a new certificate 4 On the computer on which the SESA Manager is installed, at the command prompt, type the following command to update the J2RE Trust Stores: <J2RE Home>\bin keytool -import -keystore <J2RE Home> \lib\security\cacerts -storepass <changeit> -alias <SESAKey> - trustcacerts -file "C:\program files\common files\symantec shared\ses\keydb\certname.arm" Change the following parameters as necessary: <Java Home> <changeit> <SESAKey> <certname.arm> Location in which the J2RE is installed. For example, C:\Program Files\JavaSoft\J2RE\1.3.1_09. Default password that was supplied at Java installation. If your password is different, change it as necessary. Suggested name that specifies the Key label, or alias of the database Key. Use any name but SESA, because SESA is the Key label for the default, anonymous SSL certificate. File name of the new certificate file that you extracted from IKEYMAN. For example, VerisignCertX509.arm. Use the default location, C:\Program Files\Common Files\Symantec Shared\SES\keydb\, if you did not change it. When you use long file names, always surround the location with quotation marks. 5 When you are prompted to trust this certificate, type yes 6 If you installed SESA Directory on a computer other than the one on which you installed the SESA Manager, repeat steps 1 through 5 on the computer on which you installed the Directory. 7 Continue the upgrade procedure by updating the SESA configuration. See Updating the SESA configuration to use the new certificate on page 302. Updating the SESA configuration to use the new certificate After you update the Java Trust Stores, you must access the Symantec management console to update the SESA configuration with the new information in the certificate.

303 Changing your security configuration Configuring SESA to use a new certificate 303 To update the SESA configuration to use the new certificate 1 In an Internet browser, type the following URL: address or FQDN of the SESA Manager computer>/sesa/ssmc 2 Log on to the Symantec management console as the SESA Domain Administrator. You supplied the SESA Domain Administrator user name and password during SESA installation. A wizard screen prompted you for a Domain Administrator user name and password. 3 In the Symantec management console, on the System view tab, expand the desired top-level domain. 4 Under the domain name, click Directories. 5 In the right pane, select the computer on which you installed the SESA Directory, and then right-click Properties. 6 In the Directory dialog box, on the Connection tab, under URI, change the IP address portion of the URI to the new certificate Common Name, which is typically the FQDN of the SESA Manager computer. 7 Click Apply. 8 To return to the System view tab on the Symantec management console, click OK. 9 Continue the upgrade procedure by updating the SESA Directory Key label. See Updating IBM Directory Server to use the new certificate on page 303. Updating IBM Directory Server to use the new certificate If the SESA Directory is on the same computer as the SESA Manager, you must update IBM Directory Server to reference the new Key label in the Key database. If you installed the IBM Directory Server on a different computer than the SESA Manager, and you are transitioning it to have its own new certificate, you must also update the Directory to reference the new Key label in the Key database. Update IBM Directory Server Key to use the new certificate To update the IBM Directory Server to use the new certificate, you must perform the following tasks on the IBM Directory Server Web Administration interface, IKEYMAN, the Windows Services panel, and the Symantec management console, as required: Update the Directory Key label: Use the IBM Directory Server Web Administration interface to update the Key label to reflect the new Key label.

304 304 Changing your security configuration Configuring SESA to use a new certificate Set the new certificate as the default certificate: Use IKEYMAN to make the new certificate the default certificate. Restart the SESA services: Restart the IBM Directory, Apache Tomcat, and HTTP Server services in the Windows Services panel. To update the Directory Key label 1 On the SESA Directory computer, in an the Internet browser, type the following URL: address or FQDN of the SESA Directory computer>/ldap 2 On the IBM Directory Server Web Admin interface, log on using the SESA Directory user name and password. The user name is a root user in the form cn=<name>. You supplied this user name and password during SESA installation. 3 In the left pane of the Directory Server Web Administration interface, in the Directory Server tree, expand Security > SSL. 4 Under SSL, click Settings. The information that appears in the right pane, including the location of the Key database, was set by the SESA installation. 5 Update the Key label to reflect the new Key label that you created when you generated or requested the new certificate. Self-signed certificate See Generating a new, self-signed certificate in the Key database on page 288. CA-signed certificate See Generating a certificate request on page Verify that the other information is correct, then click Update. Leave the password information as is. To set the new certificate as the default certificate 1 On the SESA Manager computer, on the Windows taskbar, click Start > Programs > IBM HTTP Server > Start Key Management Utility. 2 In the IBM Key Management window, on the Key Database File menu, click Open. 3 In the Open dialog box, browse to the location of the SESA Key database (Key.kdb) that SESA installed. The default location is C:\Program Files\Common Files\Symantec Shared\SES\KeyDB. 4 Click Open.

305 Changing your security configuration Configuring SESA to use a new certificate In the Password Prompt dialog box, type the password for the Key database, and then click OK. You supplied the Key database password when you specified the SESA Secure Communications password in the SESA Installation Wizard. A wizard screen prompted you for a password, company name, location, and Key size for the Key database. 6 In the IBM Key Management window, select the new certificate. 7 Click View/Edit. 8 In the Key Information for <Certificate Key label> dialog box, check Set the certificate as the default, then click OK. An asterisk is displayed next to the new certificate in the IBM Key Management window to indicate that it is the default certificate. 9 Exit IKEYMAN. To restart SESA services 1 On the computer or computers on which you installed the SESA Manager and SESA Directory, on the Windows taskbar, click Start > Programs > Administrative Tools > Services. 2 In the Services dialog box, restart the following services in the indicated order: IBM Directory Server V4.1 Apache Tomcat IBM HTTP Server If the SESA Manager and Directory are on different computers, you must restart the IBM Directory Server V4.1 service on the Directory computer first. Then, on the Manager computer, you must restart the Apache Tomcat and IBM HTTP Server services, respectively. 3 Exit the Control Panel. 4 Continue the upgrade procedure by updating the SESA Agent configuration. See Updating the SESA Agent configuration on page 308. Installing the new certificate on the SESA Agent (client) computers After you have finished with the SESA Manager and SESA Directory configurations, you can distribute and install the new certificate to the computers on which you installed the SESA Agents.

306 306 Changing your security configuration Configuring SESA to use a new certificate If the new certificate is already trusted by the Java Trust Stores on the SESA Agent (client) computers, you can skip installing the certificate on the computers. See To determine if the Java Trust Stores trust your new certificate on page 300. Install the new certificate on the SESA Agent (client) computers To roll out the certificates, you must perform the following tasks: Use the software distribution strategy of your organization (for example, login scripts) to distribute the new certificate to the SESA Agent (client) computers. Import the signed certificate into the Java Trust Stores at each SESA Agent (client) computer on which you installed a SESA Agent. The SESA Agents reference the certificates in the Java Trust Stores of the J2RE. Verify that the SESA Agents can connect securely to their SESA Manager or Managers. Note: As shown in the Symantec management console, SESA Agents have primary and secondary SESA Managers. When a SESA Agent is not able to connect to a primary Manager, it uses the secondary Manager instead. Ensure that certificates for both the primary and secondary managers are installed on the SESA Agent (client) computer in the Java Trust Stores (J2RE). To distribute the new certificates to SESA Agent (client) computers Copy the new certificate from its location on the SESA Manager computer to a location on each SESA Agent (client) computer. For example, from C:\Program Files\Common Files\Symantec Shared\SES\Keydb\VerisignCertX509.arm on the SESA Manager computer to C:\Temp\VerisignCertX509.arm on each of the SESA Agent computers. Certificates that you create using the IBM HTTP Server Key Management Utility have the extension.arm. Depending on the software distribution policies of your organization, you may want to install the certificate using a batch job, or manually by placing it on a floppy disk.

307 Changing your security configuration Configuring SESA to use a new certificate 307 To import the certificate into the Java Trust Stores on each SESA Agent 1 On the SESA Agent (client) computer on which you installed the SESA Agent, at the command prompt, type the following command: <Java Home>\bin keytool -import -keystore <Java Home>\lib\security\cacerts -storepass <changeit> -alias <SESA> - trustcacerts -file <c:\certname.arm> Change the following parameters as necessary: <Java Home> <changeit> <SESAKey> <c:\certname.arm> Location in which the J2RE is installed. For example, C:\Program Files\JavaSoft\J2RE\1.3.1_09. Default password that was supplied at Java installation. If your password is different, change it as necessary. Suggested name that specifies the Key label, or alias of the database Key. Use any name but SESA, because SESA is the Key label for the default, anonymous SSL certificate. File name of the new certificate file. Certificates that are created using the IBM HTTP Server Key Management Utility have an.arm extension. 2 When you are prompted to trust this certificate, ensure that the Common Name that the message displays matches the Common Name of the SESA Manager, then click Yes. To verify that the SESA Agents can connect securely to their SESA Manager or Managers 1 On the SESA Agent (client) computer on which you installed the SESA Agent, in the SESA Agent working directory, in a text editor, open the Configprovider.cfg file you installed. By default the SESA Agent working directory is C:\SESA\Agent. 2 In the Configprovider.cfg file, if necessary, change the MgmtServer setting to the new certificate Common Name, typically the FQDN of the SESA Manager computer, as follows: MgmtServer=<Common Name as specified in the certificate> 3 Ensure that the other settings are configured as follows: MgmtPort=443 UseSSL=1 4 If you made changes, restart the SESA Agent. You can restart the Agent by restarting the SESA AgentStart service in Windows For general instructions, see To restart SESA services on page 305.

308 308 Changing your security configuration Configuring SESA to use a new certificate The SESA Agent should be able to connect and send events to the SESA Manager over a secure SSL connection using the new certificate. You can now verify the upgrade to secure SSL. See Verifying the SSL upgrade on page 311. Updating the SESA Agent configuration The final task to is to update the SESA Agent configuration. Update the SESA Agent configuration To update the SESA Agent configuration, you must perform the following tasks in the Symantec management console: Update the SESA Agent configuration: Use the Symantec management console to change the IP address of the SESA Manager computer to the new certificate Common Name, which is typically the FQDN. If there are two or more SESA Managers that share the same SESA Agent configuration, skip this task. When multiple Managers share the same SESA Agent configuration (for example, as with the Default Agent configuration), the Symantec management console leaves the field that you would have changed here blank. You will verify this setting later in the upgrade process. See To verify that the SESA Agents can connect securely to the SESA Manager on page 312. Push out the updated configurations: Distribute the updated configurations to the SESA Agents on the SESA Agent (client) computers. To update the SESA Agent configuration on the Symantec management console 1 In an Internet browser, type the following URL: address or FQDN of the SESA Manager computer>/sesa/ssmc 2 Log on to the Symantec management console as the SESA Domain Administrator. You supplied the Domain Administrator user name and password during SESA installation. A wizard screen prompted you for a Domain Administrator name and password. 3 In the left pane, on the Configurations view tab, expand SESA 2.0 Agent Configuration.

309 Changing your security configuration Configuring SESA to use a new certificate Do one of the following: If the computers on which the SESA Agents reside are associated with the Default configuration, select it. Click the configuration that your SESA Agents use. Create a new SESA Agent configuration and associate the computers that will use the upgraded certificate with it. Then edit the new configuration. 5 In the right pane, on the Common tab, in the Primary manager server text box, type the new certificate Common Name, which is typically the FQDN of the SESA Manager computer. 6 Click Apply. 7 When you are prompted to distribute the settings, click No. To distribute the configurations to the SESA Agents on the client computers 1 In the Symantec management console left pane, on the System view tab, expand the desired top-level domain. 2 Under the domain, expand Organizational Units > Managers. 3 In the right pane, right-click the Manager computer or computers that connect to the SESA Agent (client) computers on which you installed the SESA Agents, then click Distribute. 4 When you are prompted to distribute the product configurations to the selected computers, click Yes. SESA distributes the configuration updates to the configuration files of the SESA Agents on the client computers. Finish the upgrade procedure by distributing the new certificate to SESA Agent (client) computers. See Installing the new certificate on the SESA Agent (client) computers on page 305.

310 310 Changing your security configuration Configuring SESA to use a new certificate Updating the SESA Directory to use the new URI You can use the IBM Directory Management Tool (DMT) to update the SESA Directory to use the new URI. To update the SESA Directory to use the URI 1 On the computer on which you installed the SESA Directory, to launch the Directory Management Tool (DMT), do one of the following: On a Windows computer, on the Windows taskbar, click Start > Programs > IBM Directory Server 4.1 > Directory Management Tool. On a Solaris computer, in a Terminal window for the replica SESA Directory, change directories to the binary directory of the replica SESA Directory, and then type./dmt The default location is opt/ibmldapc/bin. During SESA Directory installation, you have the option to specify another location. If you receive errors when you open the Directory Management Tool (DMT), SSL may not be enabled to open the SESA Directory. See Configuring the Directory Management Tool to connect via SSL on page In the Directory Management Tool window, in the left pane, under Server, click Rebind. 3 In the right pane, type the SESA Directory user name and password, then click OK. The user name is a root user in the form cn=<name>. You supplied this user name and password in the SESA Installation Wizard during SESA installation. 4 In the left pane, under Directory, click Browse tree. 5 In the Browse tree right pane, expand the suffix for a SESA domain in which SSL was upgraded. The domain suffix has the following format: dc=[sesa_domain_name], dc=ses,0=symc_ses [SESA_Domain_Name] is the name of your SESA domain. 6 Under the domain suffix, expand ou=administration > cn=ses > cn=directories. 7 Under cn=directories, click a text string. The text string, called a software access point (SAP), contains information about the SESA Directory and its domains and subdomains on a particular host computer. 8 In the Browse Tree right pane, click Edit.

311 Changing your security configuration Verifying the SSL upgrade In the Edit and LDAP Entry dialog box, in the labeled URI text box, type the Directory s new certificate Common Name (typically the FQDN) in place of the IP address that was defined in the default SESA installation. For example, ldaps://myserver.mydnsalias.com: Repeat steps 7 through 9 for each Directory entry. 11 Click OK. 12 To close the DMT, in the left pane, click Exit. Updating the SESA Manager on disk configuration To update the SESA Manager on disk configuration to use the new URI to contact the SESA Directory, you must edit the Ses.common.xml file. To update the SESA Manager on disk configuration 1 On the server on which you installed the SESA Manager, in a text editor, open Ses_common.xml. This file is located in the SESA working directory. On Windows computers, the default location is C:\SESA. On Solaris computers, the default location is /opt/symantec/sesa. 2 Locate the URI Key and verify that its value reflects the new certificate Common Name of the SESA Directory, which is typically the FQDN. For example, ldaps://myserver.mydnsalias.com:636. You can locate the URI Key by searching on the word ldaps. 3 Correct the value to reflect the new URI. If the value still reflects an IP address or another value, the configuration may be retrieving the incorrect information from the Directory. Ensure that the SESA Directory is configured with the correct URI. Verifying the SSL upgrade After you upgrade from anonymous SSL, always verify that the upgrade completed successfully. Verify the SSL upgrade To verify that the upgrade from anonymous SSL is successful, you must do the following: Verify that the SESA Agent is connecting to the correct URL to contact the SESA Directory. Verify that the SESA Agents can connect securely to the SESA Manager.

312 312 Changing your security configuration Verifying the SSL upgrade To verify that the SESA Agent is connecting to the correct URL 1 On the server on which you installed the SESA Manager, in an Internet browser, type the following URL: name that is listed in the new certificate >/sesa/ssmc The Common Name is typically the FQDN. 2 Log on to the Symantec management console as the SESA Domain Administrator. You supplied the Domain Administrator user name and password during SESA installation. A wizard screen prompted you for a Domain Administrator name and password. 3 On the Symantec management console Configurations tab, in the left pane, expand SESA 2.0 Agent Configuration. 4 Do one of the following: If the computers on which the SESA Agents reside are located in the Default configuration, select it. Select the computer configuration that your SESA Agents use. 5 In the right pane, on the Common tab, in the Primary manager server text box, verify that the value matches the Common Name in the new certificate, which is usually the FQDN. For example, managerserver.mydnsalias.com. 6 If necessary, update the setting. 7 Click Apply. 8 If necessary, when you are prompted to distribute the settings, click Yes. SESA distributes the configuration updates to the configuration files of the SESA Agents on the client computers. To verify that the SESA Agents can connect securely to the SESA Manager 1 On the SESA Agent (client) computer on which you installed the SESA Agent, in the SESA Agent working directory, open Configprovider.cfg in a text editor. By default, the SESA Agent working directory is C:\SESA\Agent. 2 Verify that the MgmtServer setting is as follows: MgmtServer=<Common Name in the new certificate> The Common Name is typically the FDQN.

313 Changing your security configuration Configuring the Directory Management Tool to connect via SSL Ensure that the other settings are configured as follows: MgmtPort=443 UseSSL=1 4 If you made changes, restart the SESA Agent. You can restart the Agent by restarting the SESA AgentStart service in Windows See To restart SESA services on page 305. Configuring the Directory Management Tool to connect via SSL If you get errors when you attempt to open the IBM Directory Server Management Tool, it may not be configured correctly to connect to the SESA Directory via SSL. SESA installs with anonymous SSL enabled by default. Therefore, nonsecure connections to the SESA Directory through the DMT are not possible. You must configure the DMT to access the SESA Directory through a secure connection, via SSL. Configure the DMT to connect to the SESA Directory via SSL To connect securely to the SESA Directory, the DMT requires a key database in JKS file format. The file must include an embedded copy of the certificate file that SESA uses for SSL communication. To obtain a copy of the SESA certificate file, you can extract a copy from the Key database. You can then create the new key database file in JKS format and configure the DMT to use it. During installation, SESA creates a default certificate file in the Key database (Key.kdb) that is labeled SESA. If your SESA installation currently uses anonymous SSL, you must extract a copy of the SESA certificate file before you can create the new DMT key database. If you have upgraded from the SESA default anonymous SSL to either authenticated self-signed or CA-signed certificates, you must extract a copy of the new certificate that you created during the upgrade process.

314 314 Changing your security configuration Configuring the Directory Management Tool to connect via SSL Perform the following tasks to configure the DMT to connect to the SESA Directory via SSL: Extract a copy of the certificate file that SESA is using. Configure the IBM Key Management Utility for use with the DMT. Create a new key database in JKS format for the DMT. Configure the DMT to use the new DMT key database file to connect to the SESA Directory. Access the DMT using SSL. To create a new self signed certificate of the certificate file that SESA is using 1 On the SESA Directory computer, on the Windows taskbar, click Start > Programs > IBM HTTP Server > Start Key Management Utility. 2 In the IBM Key Management window, on the Key Database File menu, click Open. 3 In the Open dialog box, browse to the location of the existing Key database (Key.kdb) that SESA installed. The default location is C:\Program Files\Common Files\Symantec Shared\SES\KeyDB. 4 Click Open. 5 In the Password Prompt dialog box, type the password for the Key database, then click OK. You supplied the Key database password when you specified the SESA Secure Communications password in the SESA Installation Wizard. A wizard screen prompted you for a password, company name, location, and Key size for the Key database. 6 In the IBM Key Management window, under Personal Certificates, select the certificate that the SESA Directory is currently using. If SESA is using anonymous SSL, the default certificate label is SESA. Make a note of the label of the certificate. The DMT requires it when you create a new DMT key database. 7 Click Extract Certificate.

315 Changing your security configuration Configuring the Directory Management Tool to connect via SSL In the Extract Certificate to file dialog box, do the following: Make sure that Base64-Encoded ASCII data is selected. Leave the certificate file name as is. Confirm or retype the location of the Key database. The default location on Windows computers is C:\Program Files\Common Files\Symantec Shared\SES\KeyDB. You can save the certificate in the same location as the Key.kdb file. 9 Click OK to extract the certificate. An extracted copy of the certificate file (by default, Cert.arm) is stored in the location that you specified. To configure the IBM Key Management Utility for use with the DMT 1 On the SESA Directory computer, move the following files to a different directory: <drive>:\program Files\IBM\Ldap\Jre\Lib\Ext\Imbjcaprovider.jar 2 In a text editor, open the following Java security file: <drive>:\program Files\IBM\Ldap\Jre\Lib\Security\Java.security 3 In the Java.security file, locate the following statement: security.provider.2=com.ibm.crypto.provider.ibmjca 4 Edit the statement to reflect the following: security.provider.2=com.ibm.crypto.provider.ibmjce 5 Save and close the file. 6 Do one of the following to ensure that the Java executable file in <drive>:\program Files\IBM\Ldap\Jre\Bin is used in this session: Modify PATH to include the directory path. At the command prompt, switch directories to <drive>:\program Files\IBM\Ldap\Jre\Bin. To create a new key database for the DMT 1 To start the IBM Key Management Utility, at the command prompt, type the following: java com.ibm.ikeyman.ikeyman 2 In the IBM Key Management window, in the Key Database File menu, click New.

316 316 Changing your security configuration Configuring the Directory Management Tool to connect via SSL 3 In the New dialog box, do the following: 4 Click OK. Leave JKS as the key database type. Type a file name for the new key database, leaving a.jks extension. Type the location for the new key database. You can store the new key database in any location, including the default location of the SESA key database. The default location on Windows computers is C:\Program Files\Common Files\Symantec Shared\SES\KeyDB. 5 In the Password Prompt dialog box, type a password for the new DMT key database. 6 Confirm the password, and then click OK. 7 In the IBM Key Management window, make sure that Signer Certificates is selected at the top of the certificate list. 8 Click Add. 9 In the Add CA s Certificate from a File dialog box, do the following: Make sure that Base64-Encoded ASCII data is selected. Click Browse to navigate to the location of the cert.arm file that you confirmed in step 8 of To create a new self signed certificate of the certificate file that SESA is using on page 314. Leave the location as is. 10 In the Enter a Label dialog box, type the label used by cert.arm. If SESA is using anonymous, default SSL, the label is SESA. If you have upgraded to authenticated, self-signed SSL, it is the label you specified in step 7 of To generate a new, self-signed certificate in the Key database on page 288. If you are using an authenticated, CA-signed certificate, this is the label you specified in step 8 of To generate a request for a signed certificate on page To display a pull-down menu, click the certificate category on top of the list box, and then click Personal Certificates. 12 Click New Self-Signed.

317 Changing your security configuration Configuring the Directory Management Tool to connect via SSL In the Create New Self-Signed Certificate dialog box, do the following: 14 Click OK. Type a new label name. You must type a different label name than the one you typed in step 10. Consider a name that relates the certificate to the new DMT key database. Type the name of your organization. Leave all other default settings as is. 15 In the list of Personal Certificates, select the certificate you just added, then click View/Edit. 16 In the Key Information dialog box, record the serial number, and then click OK. 17 In the IBM Key Management window, in the list of Personal Certificates, select the newly added certificate again, and then click Extract Certificate. 18 In the Extract Certificate to file dialog box, do the following: Make sure that Base64-Encoded ASCII data is selected. Type the name that you used in step 13, but retain the.arm file extension. Confirm or type the location of the new certificate. You can save the certificate anywhere, including the default location of the SESA key database. The default location on Windows computers is C:\Program Files\Common Files\Symantec Shared\SES\KeyDB. 19 Click OK to extract the certificate. An extracted copy of the certificate file (by default, Cert.arm) is stored in the location that you specified. 20 Move the jcaprovidcer.jar file to its original location in <drive>:\program Files\IBM\Ldap\ jre\lib\ext. To configure the DMT to use the new key database to connect to the SESA Directory 1 On the computer on which you installed the SESA Directory, on the Windows taskbar, click Start > Programs > IBM Directory Server 4.1 > Directory Management Tool. If the Directory Management Tool is currently open, you must close it and reopen it now. Ignore any error messages. 2 In the Directory Management Tool window, click Add Server.

318 318 Changing your security configuration Configuring the Directory Management Tool to connect via SSL 3 In the Add Server dialog box, in the Server name box, type the IP address or FQDN of the SESA Directory computer. 4 To update the port and change to LDAPS communication, check Use SSL. 5 To set authentication, click Simple. 6 In the User DN box and User password box, type the SESA Directory user name and password, respectively. The user name is a root user in the form cn=<name>. You supplied this user name and password in the SESA Installation Wizard. 7 In the Keystore file name box, type the path and file name of the new DMT key database in JKS format. For example, C:\Program Files\Common Files\Symantec Shared\SES\Keydb\sesadmt.jks. 8 In the Keystore file password box, type the password that you specified for the new DMT key database. 9 In the Keystore file type box, type jks 10 In the Truststore file name, Truststore file password, and Truststore file type boxes, type the same values you typed for the Keystore file name, Keystore file password, and Keystore file type, respectively. 11 Click OK. The left navigation pane appears, which allows you to access the DMT. To access the DMT using SSL 1 If you have not already opened the DMT, on the computer on which you installed the SESA Directory, on the Windows taskbar, click Start > Programs > IBM Directory Server 4.1 > Directory Management Tool. 2 In the Directory Management Tool window, in the left pane, under Server, click Rebind. 3 In the right pane, click Authenticated. 4 Type the SESA Directory user name and password. The user name is a root user in the form cn=<name>. You supplied this user name and password in the SESA Installation Wizard. 5 Click OK.

319 Chapter 8 Maintaining the SESA Directory This chapter includes the following topics: SESA Directory administration SESA Directory backup and recovery SESA Directory performance tuning SESA Directory administration Some of the more common administrative tasks that you can do to maintain the SESA Directory are the following: Starting and stopping the IBM Directory Server Granting and removing local administrative privileges for the Web Server account Reconfiguring the SESA Directory computer after an IP address change Changing the SESA Directory port Changing the SESA Directory DN and password Updating the ldapdb2 password Changing the SESLDAP account password Ensuring that SESA user passwords stay encrypted

320 320 Maintaining the SESA Directory SESA Directory administration Starting and stopping the IBM Directory Server The IBM Directory Server Web Administration interface lets you stop and start the IBM Directory Server as necessary. To start or stop the IBM Directory Server 1 Do one of the following: If the replica SESA Directory is installed on a Windows computer, log on to the computer using the appropriate administrative privileges. If the replica SESA Directory is installed on a Solaris computer, become superuser. If you are located at a remote Solaris computer, you must initiate a Telnet session with the replica SESA Directory computer, and then export a display. See Connecting to a remote Solaris computer and exporting its display on page To launch the IBM Directory Server Web Administration interface, in an Internet browser, do one of the following: If you are physically located at the SESA Directory computer, type the following URL: If you are remotely located from the SESA Directory computer, type the following URL: address of SESA Directory computer>/ldap 3 In the IBM Directory Server Web Administration interface, log on using the SESA Directory user name and password. The user name is a root user in the form cn=<name>. You supplied this user name and password during SESA installation. See Logon accounts for SESA installation on page Click Logon. 5 In the Logon left pane, click Current State. 6 In the Current State right pane, click Start/Stop. 7 Click Start or Stop to start or stop the IBM Directory Server as necessary. On Windows computers, if clicking Stop doesn t stop the service, try stopping the IBM Directory Server 4.1 service in the Windows Services Panel.

321 Maintaining the SESA Directory SESA Directory administration 321 Granting and removing local administrative privileges for the Web Server account Any time that you modify the configuration of a SESA Directory or replica SESA Directory that is installed on a Windows computer, you must first grant local administrative privileges to the Web Server account. Grant or remove local administrative privileges to the Web Server account Any time you add local administrative privileges to the Web Server account, always remove administrative privileges from the Web Server account after you have completed the SESA Directory modification. This preserves SESA Directory security. In addition, always restart the IBM HTTP Server after you add or remove privileges. To grant local administrative privileges to the SESA Web Server account 1 On the Windows computer, on the Windows taskbar, click Start > Control Panel. 2 In the Control Panel, double-click Administrative Tools. 3 In the Administrative Tools window, double-click Computer Management. 4 In the Computer Management window, in the left pane, expand Local Users and Groups. 5 Under Local Users and Groups, click Groups. 6 In the right pane, double-click Administrators. 7 In the Administrators Properties dialog box, click Add. 8 Under Name, select httpadmin, then click Add. 9 Click OK. 10 In the Administrator Properties dialog box, click Apply, and then click Close. 11 Restart the IBM HTTP Server. See Starting and stopping the IBM HTTP Server on page 393. To remove local administrative privileges to the SESA Web Server account 1 On the Windows computer, on the Windows taskbar, click Start > Control Panel. 2 In the Control Panel, double-click Administrative Tools. 3 In the Administrative Tools window, double-click Computer Management.

322 322 Maintaining the SESA Directory SESA Directory administration 4 In the Computer Management window, in the left pane, expand Local Users and Groups. 5 Under Local Users and Groups, click Groups. 6 In the right pane, double-click Administrators. 7 In the Administrators Properties dialog box, select httpadmin, and then click Remove. 8 Click Apply, and then click Close. 9 Restart the IBM HTTP Server. See Starting and stopping the IBM HTTP Server on page 393. Reconfiguring the SESA Directory computer after an IP address change If you have changed the static IP address of the computer on which the SESA Directory is installed, you must perform the following tasks to reconfigure the SESA Directory to recognize the new IP address: Creating a new self-signed certificate using the new IP address Updating the SESA Directory IP address information on SESA Directory computers Updating the SESA Directory IP address on SESA Manager computers Updating the SESA Manager IP address information Perform this task only if the SESA Directory and SESA Manager reside on the same computer, or if the IP address of the SESA Manager computer has also been changed. See Reconfiguring the SESA Manager computer to use a new IP address on page 394. Restarting the SESA Manager and SESA Agents Before you make any modifications to the SESA Directory, make sure to grant local administrative privileges to the SESA Web Server account. When you have completed the IP address update, remove the local administrative privileges. See Granting and removing local administrative privileges for the Web Server account on page 321. Creating a new self-signed certificate using the new IP address The first task in reconfiguring a SESA Directory or SESA Manager computer to accept a new IP address is to create a new self-signed certificate that uses the

323 Maintaining the SESA Directory SESA Directory administration 323 new IP address. You must use the IBM Key Management Utility (IKEYMAN) to generate the new self-signed certificate. If you have changed the IP address on a computer that contains both the SESA Directory and SESA Manager, you only have to perform this procedure once. If the SESA Directory and SESA Manager reside on two different computers, and both computers have changed IP addresses, you must perform this procedure on each computer. To create a new self-signed certificate using the new IP address 1 Do one of the following: If the SESA Directory or SESA Manager is installed on a Windows computer, log on to the computer using the appropriate administrative privileges. If the SESA Directory or SESA Manager is installed on a Solaris computer, become superuser. If you are located at a remote Solaris computer, you must export a display and a Telnet session with the SESA computer. See Connecting to a remote Solaris computer and exporting its display on page To launch the IBM Key Management Utility, do one of the following: If the SESA Directory or SESA Manager is installed on a Windows computer, on the Windows task bar, click Start > Programs > IBM HTTP Server > Start Key Management Utility. If the SESA Directory or SESA Manager is installed on a Solaris computer, in the /opt/ibm/gsk5/bin directory, launch gsk5ikm. 3 In the IBM Key Management window, on the Key Database File menu, click Open. 4 In the Open dialog box, browse to the location of the existing Key database (Key.kdb) that SESA installed. The default location on Windows computers is C:\Program Files\Common Files\Symantec Shared\SES\KeyDB\Key.kdb. The default location on Solaris computers is /etc/symantec/ses/keydb/ key.kdb. 5 Click Open.

324 324 Maintaining the SESA Directory SESA Directory administration 6 In the Password Prompt dialog box, type the password for the Key database, and then click OK. You supplied the Key database password when you specified the SESA Secure Communications password in the SESA Installation Wizard. A wizard screen prompted you for a password, company name, location, and Key size for the Key database. 7 In the IBM Key Management window, delete the existing certificate. The default, self-signed certificate (anonymous SSL) is called SESA. 8 On the Key Database File menu, click Create > New Self-Signed Certificate. 9 In the Create New Self-Signed Certificate dialog box, do one of the following: Key Label Common Name Organization Type a label for the Key label in the certificate that you just deleted. If you are using anonymous, default SSL, the Key label is SESA. Type the new IP address of the SESA Directory computer. Type a value for your organization, for example, Symantec. Leave all of the other options at their default settings unless the security policy at your organization requires otherwise. See the online Help to understand other value properties. 10 When you are prompted to set the key as the default in the database, click Yes. 11 Click OK to add the self-signed certificate to the list of personal certificates. Under Personal Certificates, you now see a certificate with the name that you typed for the Key label. 12 Restart the IBM HTTP Server. See Starting and stopping the IBM HTTP Server on page 393. Updating the SESA Directory IP address information on SESA Directory computers If the IP address changed on the computer on which the SESA Directory is installed, you must update the SESA Directory IP address information. If you have changed the IP address on a computer that contains both the SESA Directory and SESA Manager, you must perform this task in addition to updating the SESA Manager IP address information.

325 Maintaining the SESA Directory SESA Directory administration 325 To update the SESA Directory IP address information on SESA Directory computers 1 On the computer on which you installed the SESA Directory, to launch the Directory Management Tool (DMT), do one of the following: On a Windows computer, on the Windows taskbar, click Start > Programs > IBM Directory Server 4.1 > Directory Management Tool. On a Solaris computer, in a Terminal window for the replica SESA Directory, change directories to the binary directory of the replica SESA Directory, and then type./dmt The default location is opt/ibmldapc/bin. During SESA Directory installation, you have the option to specify another location. If you receive errors when you open the Directory Management Tool (DMT), SSL may not be enabled to open the SESA Directory. See Configuring the Directory Management Tool to connect via SSL on page In the Directory Management Tool window, in the left pane, under Server, click Rebind. 3 In the right pane, type the SESA Directory user name and password, then click OK. The user name is a root user in the form cn=<name>. You supplied this user name and password in the SESA Installation Wizard during SESA installation. 4 In the left pane, under Directory, click Browse tree. 5 In the Browse tree right pane, expand the suffix for the SESA domain which contains the computer on which the IP address was changed. The domain suffix has the following format: dc=[sesa_domain_name], dc=ses,0=symc_ses [SESA_Domain_Name] is the name of your SESA domain. 6 Under the domain suffix, expand ou=administration > cn=ses > cn=directories. 7 Under cn=directories, click the text string. The text string, called a software access point (SAP), contains information about the SESA Directory and its domains and subdomains on a particular host computer. 8 In the Browse Tree right pane, click Edit. 9 In the Edit an LDAP Entry dialog box, in the labeled URI box, type the new IP address in the following format: ldaps://new IP Address:636

326 326 Maintaining the SESA Directory SESA Directory administration 10 Click OK. 11 To close the DMT, in the left pane, click Exit. Updating the SESA Directory IP address on SESA Manager computers The SESA Manager computers that use the SESA Directory contain files in their working SESA directories that must be updated with the new IP address. To update the SESA Directory IP address information on the SESA Manager computers 1 On the SESA Manager computer that is connected to the SESA Directory computer, change directories to the SESA working directory. On Windows computers, the default working directory is C:/SESA. On Solaris computers, the default working directory is \opt\symantec\sesa. 2 In a text editor, edit the IP address in the following files: ses_common.xml FailsafeDirectoryCache.xml FailsafeDataStoreCache.xml 3 Save and close the files. Updating the SESA Manager IP address information If you have changed the IP address on a computer that contains both the SESA Manger and SESA Directory, you must update the SESA Agent configuration on all SESA Agent client computers and SESA Manager computers that use the SESA Directory computer. To update the SESA Manager IP address information 1 On each client computer on which a SESA Agent is installed, and that passes data to the SESA Manager computer with a new IP address, change directories to the SESA Agent directory. 2 In a text editor, open the configprovider.cfg file. 3 In configprovider.cfg, update the value for PrimaryMgmtServer and MgmtServer properties to reflect the new IP address. 4 Save and close configprovider.cfg. 5 Repeat steps 1 through 4 for the SESA Manager computer with a changed IP address.

327 Maintaining the SESA Directory SESA Directory administration 327 Restarting the SESA Manager and SESA Agents The final task in reconfiguring a SESA Directory or SESA Manager computer to recognize a new IP address is to restart the SESA Manager computer and all of the client computers on which SESA Agents are installed and that report to the particular SESA Manager computer. Changing the SESA Directory port By default, the SESA Directory uses port 636 for secure communications and port 389 for nonsecure communications. After installation, you may want to set up secure communications over a different port. For example, you may want traffic to pass across a firewall, but the default port is blocked. Change the SESA Directory port To change the SESA Directory port to a value other than 636 or 389, you must perform the following tasks: Update the SESA Directory port configuration in the Symantec management console. Distribute the updated configuration to the SESA Managers. Configure the port in the IBM Directory Server Web Administration interface. To update the SESA Directory port configuration in the Symantec management console 1 In an Internet browser, type the following URL: address or FQDN of the SESA Manager computer>/sesa/ssmc 2 Log on to the Symantec management console using the rights of the SESA Domain Administrator. 3 In the Symantec management console, on the System view tab, expand the desired top-level domain. 4 Under the domain name, click Directories. 5 In the right pane, select the computer on which you installed the SESA Directory, and then right-click Properties. 6 In the Directory dialog box, on the Connection tab, under URI, append or change the new port number to the IP address portion of the URI. For example: ldaps:// :555 7 Click Apply, and then click OK.

328 328 Maintaining the SESA Directory SESA Directory administration To distribute the updated port configuration to the SESA Managers 1 If you have not already done so, in an Internet browser, type the following URL: address or FQDN of the SESA Manager computer>/sesa/ssmc 2 Log on to the Symantec management console using the rights of the SESA Domain Administrator. 3 In the Symantec management console, on the System view tab, expand Organizational Units > Managers. 4 Right-click Managers, and then click Distribute. 5 When you are prompted to distribute the changes, click Yes. To configure the port in the IBM Directory Server Web Administration interface 1 On the server on which you installed the SESA Directory, in an Internet browser, type the following URL: address or FQDN of the SESA Directory computer>/ldap 2 In the IBM Directory Server Web Administration interface, log on using the SESA Directory Administrator user name and password. The user name is SESAdmin. You supplied a password for this user name during the SESA installation. 3 In the left pane, in the Directory Server tree, expand Security > SSL > Settings. 4 In the SSL Settings right pane, in the Secure port text box, type the new port number. 5 Click Update. 6 To restart the server, do one of the following: At the top of the right pane, click Restart the server. At the top right of the right pane, click the Restart Server icon. 7 Close the IBM Directory Server Web Administration interface. You can log on to the Symantec management console to verify that the port change was made. See Launching the Symantec management console on page 203. Changing the SESA Directory DN and password You can use the IBM Directory Server ldapcfg command to change the SESA Directory DN and password.

329 Maintaining the SESA Directory SESA Directory administration 329 To change the SESA Directory DN and password 1 On the computer on which you installed the SESA Directory, at the command prompt, type the following command: ldapcfg -u cn=root -pnewpassword cn=root is the new DN and newpassword is the new password. 2 Restart the IBM Directory Server V4.1 service. Updating the ldapdb2 password The ldapdb2 password is the IBM DB2 database password that is used to access the IBM Directory Server repository. If an IBM Directory Server is installed on a Solaris computer, you must update the ldapdb2 password before you can access the IBM Directory Server with the IBM Directory Server Configuration utility. To update the ldapdb2 password 1 On the SESA Directory Solaris computer, become superuser. If you are located at a remote Solaris computer, you must initiate a Telnet session with the SESA Directory computer, and then export a display. See Connecting to a remote Solaris computer and exporting its display on page In the SESA Directory Terminal window, launch the IBM Directory Server Configuration utility. 3 In the IBM Directory Server Configuration window, click Database > Settings. 4 In the Database Settings right pane, type a new password for the ldap2 user, confirm the password, and then click Update. 5 Close the utility. Changing the SESLDAP account password When SESA installs the IBM Directory Server, the SESA Directory creates an underlying Windows 2000 account. This account is transparent to you during SESA installation, but Windows 2000 lists it as an account. The SESLDAP account does not interact with any other Windows or SESA logon accounts. The SESA installation program creates a random password for the SESLDAP account, which you can change.

330 330 Maintaining the SESA Directory SESA Directory administration Change the SESLDAP account password To change the SESLDAP account password, you must perform the following tasks: Change the SESLDAP account password in Windows Change the database user account password in the IBM Directory Server Web Administration interface. To change the SESLDAP account password in Windows On the computer on which you installed the SESA Directory, use Windows 2000 to access the Windows 2000 accounts. 2 Select the SESLDAP account, and then reset the password. See the Microsoft Windows 2000 documentation if necessary. To change the database user account password in the IBM Directory Server Web Administration interface 1 On the server on which you installed the SESA Directory, in an Internet browser, type the following URL: address or FQDN of the SESA Directory computer>/ldap 2 In the IBM Directory Server Web Administration interface, log on using the SESA Directory user name and password. The user name is a root user in the form cn=<name>. You supplied this user name and password during SESA installation. 3 In the left pane, in the Directory Server tree, expand Database > Settings. 4 In the Database Settings right pane, type a new password, and then retype the password to confirm it. You can use up to 14 characters in the password, including embedded blank spaces. 5 Click Update. 6 In the upper-right corner of the right pane, click the Restart Server icon. Ensuring that SESA user passwords stay encrypted IBM Directory Server password encryption is on by default in SESA. If you add a user in the Symantec management console while IBM Directory Server password encryption is turned off, the user password will not be encrypted on disk. You cannot encrypt the password retroactively. Therefore, you must ensure that IBM Directory Server password encryption is on whenever you create users and passwords in the Symantec management console.

331 Maintaining the SESA Directory SESA Directory backup and recovery 331 To ensure that IBM HTTP server password encryption is on 1 On the server on which you installed the SESA Directory, in an Internet browser, type the following URL: address or FQDN of the SESA Directory computer>/ldap 2 In the IBM Directory Server Web Administration interface, log on using the SESA Directory user name and password. The user name is a root user in the form cn=<name>. You supplied this user name and password during SESA installation. 3 In the left pane, in the Directory Server tree, expand Settings > General. 4 In the General Settings right pane, ensure that Password encryption is set to an option other than None. 5 Click Update if necessary. 6 Close the IBM Directory Server Web Administration interface. SESA Directory backup and recovery Some of the more common administrative tasks that you can do to maintain the SESA Directory are the following: Backing up SESA Directory data Restoring SESA Directory data Backing up SESA Directory data On Windows or Solaris SESA Directory computers, you can use the IBM Directory Server Web Administration interface to back up SESA Directory data. A large SESA Directory database may take a long time to archive. To restore the SESA Directory, you can import the data. See Restoring SESA Directory data on page 333. Backup SESA Directory data To back up SESA Directory data, you must do the following: If the SESA Directory is installed on a Windows computer, temporarily grant administrative privileges to the SESA Web Server account. Stop the IBM Directory Server. Back up the SESA Directory DB2 database and export the LDIF file.

332 332 Maintaining the SESA Directory SESA Directory backup and recovery If necessary, remove the administrative privileges of the SESA Web Server account. Restart the IBM Directory Server. To grant administrative privileges to the SESA Web Server account On the Windows computer on which the SESA Directory is installed, add the httpadmin user to the local administrators group. See Granting and removing local administrative privileges for the Web Server account on page 321. To stop the IBM Directory Server On the Windows or Solaris computer on which the SESA Directory is installed, stop the IBM Directory server. See Starting and stopping the IBM Directory Server on page 320. To back up SESA Directory data 1 Do one of the following: If the SESA Directory (or replica SESA Directory) is installed on a Windows computer, log on to the computer using the appropriate administrative privileges. If the SESA Directory (or replica SESA Directory) is installed on a Solaris computer, become superuser. If you are located at a remote Solaris computer, you must initiate a Telnet session with the replica SESA Directory computer, and then export a display. See Connecting to a remote Solaris computer and exporting its display on page To launch the IBM Directory Server Web Administration interface, in an Internet browser, do one of the following: If you are physically located at the SESA Directory computer, type the following URL: If you are remotely located from the SESA Directory computer, type the following URL: address of SESA Directory computer>/ldap 3 In the IBM Directory Server Web Admin interface, log on using the SESA Directory user name and password. The user name is a root user in the form cn=<name>. You supplied this user name and password during SESA installation.

333 Maintaining the SESA Directory SESA Directory backup and recovery In the left pane, expand Database > DB2 backup. 5 In the DB2 backup right pane, click Create backup directory as needed. 6 If necessary, change the default path and file name of the backup file. 7 Click Backup. 8 Wait until a message in the right pane reports that the task completed successfully. 9 In the Directory Server tree, expand Database. 10 In the left pane of the Directory Server Web Admin interface, under Database, click Export LDIF. 11 In the Export LDIF right pane, type a new path or file name for the LDIF file. 12 Click Export. 13 Wait until a message in the right pane reports that the task completed successfully. To remove administrative privileges to the SESA Web Server account On the Windows computer on which the SESA Directory is installed, remove the httpadmin user from the local administrators group. See Granting and removing local administrative privileges for the Web Server account on page 321. To restart the IBM Directory Server Restoring SESA Directory data On the Windows or Solaris computer on which the SESA Directory is installed, restart the IBM Directory server. See Starting and stopping the IBM Directory Server on page 320. On Windows or Solaris SESA Directory computers, you can use the IBM Directory Server Web Administration interface to restore backup files of SESA Directory data. The data must have been backed up the same way that you are restoring it. See Backing up SESA Directory data on page 331.

334 334 Maintaining the SESA Directory SESA Directory backup and recovery Restore SESA Directory data To restore SESA Directory data, you must do the following: If the SESA Directory is installed on a Windows computer, temporarily grant administrative privileges to the SESA Web Server account. Stop the IBM Directory Server. Restore the SESA Directory DB2 database and import the LDIF file. Restart the IBM Directory Server. If necessary, remove the administrative privileges of the SESA Web Server account. To grant administrative privileges to the SESA Web Server account On the Windows computer on which the SESA Directory is installed, add the httpadmin user to the local administrators group. See Granting and removing local administrative privileges for the Web Server account on page 321. To stop the IBM Directory Server On the Windows or Solaris computer on which the SESA Directory is installed, stop the IBM Directory server. See Starting and stopping the IBM Directory Server on page 320. To restore SESA Directory data 1 Do one of the following: If the SESA Directory (or replica SESA Directory) is installed on a Windows computer, log on to the computer using the appropriate administrative privileges. If the SESA Directory (or replica SESA Directory) is installed on a Solaris computer, become superuser. If you are located at a remote Solaris computer, you must initiate a Telnet session with the replica SESA Directory computer, and then export a display. See Connecting to a remote Solaris computer and exporting its display on page 135.

335 Maintaining the SESA Directory SESA Directory backup and recovery To launch the IBM Directory Server Web Administration interface, in an Internet browser, do one of the following: If you are physically located at the SESA Directory computer, type the following URL: If you are remotely located from the SESA Directory computer, type the following URL: address of SESA Directory computer>/ldap 3 In the IBM Directory Server Web Administration interface, log on using the SESA Directory user name and password. The user name is a root user in the form cn=<name>. You supplied this user name and password during SESA installation. 4 In the left pane, expand Database > DB2 restore. 5 In the DB2 restore right pane, click Restore data and schema only (not configuration file). 6 If necessary, change the default path and file name of the backup file. You must first have manually copied the backup file to this location. 7 Click Restore. 8 Wait until a message in the right pane reports that the task completed successfully. 9 In the Directory Server tree, expand Database. 10 In the left pane of the Directory Server Web Admin interface, under Database, click Import LDIF. 11 In the Import LDIF right pane, type a new path or file name for the LDIF file. 12 Click Import. 13 Wait until a message in the right pane reports that the task completed successfully. To remove administrative privileges to the SESA Web Server account On the Windows computer on which the SESA Directory is installed, remove the httpadmin user to the local administrators group. See Granting and removing local administrative privileges for the Web Server account on page 321.

336 336 Maintaining the SESA Directory SESA Directory performance tuning To restart the IBM Directory Server On the Windows or Solaris computer on which the SESA Directory is installed, start the IBM Directory server. See Starting and stopping the IBM Directory Server on page 320. SESA Directory performance tuning Some of the more common administrative tasks that you can do to maintain the SESA Directory are the following: Maintaining consistent SESA Directory performance Optimizing SESA Directory performance Maintaining consistent SESA Directory performance To ensure that the performance of the SESA Directory does not degrade over time, you can periodically update statistical information in the DB2 database component of the SESA Directory. You can do this by performing a DB2 Reorgchk operation. Ensure that you perform a Reorgchk operation on the DB2 database component after you install and begin to run security products with SESA. To maintain consistent SESA Directory performance 1 On the computer on which you installed the SESA Directory, on the Windows taskbar, click Start > Programs > IBM DB2 > Command Window. 2 In the Command window, at the system prompt, type the following command: set db2instance=ldapdb2 3 Type the following command: db2 connect to ldapdb2 4 To perform a Reorgchk operation, type the following command: db2 reorgchk on table all 5 Close the Command window. Optimizing SESA Directory performance You can improve the performance of the SESA Directory through the IBM Directory Server Web Administration interface. You only see performance improve when a large number of SESA Directory objects are managed.

337 Maintaining the SESA Directory SESA Directory performance tuning 337 Optimize SESA Directory performance To optimize SESA Directory performance, you can stop the IBM Directory Server V4.1 service. You then optimize performance in the IBM Directory Server Web Administration interface. To stop the IBM Directory Server 4.1 service 1 On the computer on which you installed the SESA Directory, on the Windows taskbar, click Start > Settings > Control Panel. 2 In the Control Panel, double-click Administrative Tools. 3 In the Administrative Tools window, double-click Services. 4 In the Services dialog box, right-click the IBM Directory Server V4.1 service, and then click Stop. To optimize SESA Directory performance 1 On the server on which you installed the SESA Directory, in an Internet browser, type the following URL: address or FQDN of the SESA Directory computer>/ldap 2 In the IBM Directory Server Web Administration interface, log on using the SESA Directory user name and password. The user name is a root user in the form cn=<name>. You supplied this user name and password during SESA installation. 3 In the left pane, in the Directory Server tree, expand Database > DB2 Optimize. 4 In the DB2 Optimize right pane, click Optimize. 5 Close the IBM Directory Server Web Administration interface. 6 Restart the IBM Directory Server V4.1 service.

338 338 Maintaining the SESA Directory SESA Directory performance tuning

339 Chapter 9 Maintaining the SESA DataStore This chapter includes the following topics: Data backup and recovery SESA Data Maintenance Tool Using SESA scripts for the Oracle database Data maintenance IBM DB2 database performance tuning Oracle database performance tuning Data backup and recovery Many backup and recovery methods exist for both IBM DB2 Universal database servers and Oracle database servers. Full backup and recovery processes are one way to back up and recover SESA DataStores. For more backup and recovery methods, see your Oracle 9i or IBM DB2 documentation. Backing up the Oracle 9i database server Note: Before you perform any maintenance task on the SESA DataStore, ensure that you close any Symantec management console or other consoles that are actively accessing data in the SESA DataStore.

340 340 Maintaining the SESA DataStore Data backup and recovery Oracle Recovery Manager offers a wide array of backup and restore capabilities, allowing backup at the whole database level, the tablespace level, and the datafile level, as well as online and incremental backups. For more information, see the Oracle Recovery Manager User's Guide. You can use either of the following types of backup methods to restore the SESA DataStore to a previous state and roll it forward: Online (inconsistent backup): Requires extra recovery time during the restoration, but you are not required to shut it down during an inconsistent backup. The database must be running in ARCHIVELOG mode to perform online backups. You can enable ARCHIVELOG mode when you create the Oracle database or at any point thereafter. See Creating an Oracle 9i database on page 122. See Enabling redo log archival on page 132. Offline (consistent backup): Requires that you shut down the database server while performing the backup operation. To back up the Oracle 9i database server 1 To start the Oracle Recovery Manager client on the Oracle server, type the following command: rman target / 2 If the backup is to be an offline backup, disable the Apache Tomcat service on all SESA Managers using the SESA DataStore. In addition, to shut down the database and start it up mounted but not open, type the following commands: shutdown immediate startup mount 3 To configure the disk or tape backup media, type the appropriate command. For example, to limit the backup disk file size to 2 GB, type the following command: configure channel device type disk maxpiecesize = 2G 4 To back up to disk or tape, type the appropriate backup command. For example, for disk backup, type the following command: backup database format = /uo1/oradata/sesa/backup/sesa_db_%u%p%c plus archivelog; Or, for example, for tape backup, type the following command: backup device type sbt database plus archivelog See the tape system documentation for configuration details.

341 Maintaining the SESA DataStore Data backup and recovery If the backup was an offline backup, to open the database to outside connections after the backup is complete, type the following command: alter database open; 6 Restart the Apache Tomcat service on all SESA Managers using the SESA DataStore. Restoring an Oracle SESA DataStore to its last backup image To restore a SESA DataStore running on a Solaris system, you return the Oracle 9i database to its previous state when a backup image of it was created. To return the Oracle database to the state that it was in at any given time, you must configure it to run in ARCHIVELOG mode. ARCHIVELOG mode uses an archival logon with database log files to reapply any or all changes that you have made to a SESA DataStore since its last backup. Restore an Oracle SESA DataStore to its last backup image When restoring an Oracle database, Oracle Recovery Manager restores it by default to the last available backup. If log archival is enabled, it also applies available archived redo logs to restore transactions archived since the last backup. Oracle Recovery Manager also supports recovery to a particular point in time and to a particular transaction. Transactions are identified by Oracle System Change Numbers (SCNs), which can be obtained from redo logs using Oracle Log Miner. To restore the database to the last backup available, including transactions from archived redo logs 1 To start the Oracle Recovery Manager client on the Oracle server, type the following command: rman target / 2 Disable the Apache Tomcat service on all SESA Managers using the SESA DataStore. In addition, to shut down the database and start it up mounted but not open, type the following commands: shutdown immediate startup mount 3 To restore and recover the database, type the following commands: restore database; recover database;

342 342 Maintaining the SESA DataStore Data backup and recovery 4 After the recovery is complete, to open the database to outside connections, type the following command: alter database open; 5 Restart the Apache Tomcat service on all SESA Managers using the SESA DataStore. To restore the database up to a particular point in time, or to a particular Oracle transaction identified by SCN 1 To ensure that Oracle environment variables are set for parsing dates and times before starting RMAN, type the following commands: NLS_LANG=american_america.us7ascii export NLS_LANG NLS_DATE_FORMAT= Mon DD YYYY HH24:MI:SS export NLS_DATE_FORMAT rman target / 2 Disable the Apache Tomcat service on all SESA Managers using the SESA DataStore. In addition, to shut down the database and start it up mounted but not open, type the following commands: shutdown immediate startup mount 3 To specify the point in time or transaction to which you want to recover, type the recovery commands in a run block with a set until command. For example, to recover to a particular point in time (in this case, 8 p.m. on June 17, 2003), type the following command: run { set until time Jun :00:00 ; restore database; recover database; } Or, for example, to recover to a particular SCN (in this case, 1234), type the following command: run { set until scn 1234; restore database; recover database; }

343 Maintaining the SESA DataStore Data backup and recovery After the recovery is complete, to open the database to outside connections, type the following command: alter database open resetlogs; 5 With the database mounted, it is recommended that you perform an immediate backup. See Backing up the Oracle 9i database server on page Once the database is fully available, restart the Apache Tomcat service on all SESA Managers using the SESA DataStore. Backing up the IBM DB2 database You can back up an IBM DB2 database to move it to a different computer. This task requires several steps at both the source of the original SESA DataStore and at the target for the new SESA DataStore. You should also be aware of the following: The SESA DataStore must be installed using the SESA Installation Wizard from the SESA Foundation Pack Windows CD1. Use the default size for the new target SESA DataStore. The size will be increased automatically, if necessary. You must carry over the installation path that was used in the source SESA DataStore to the new SESA DataStore. If you have spanned the SESA DataStore across drives, the other symnc_data folders will be recreated when you restore the database. Back up an IBM DB2 database To back up an IBM DB2 database, you must do the following: Back up the original SESA DataStore on the source computer. Stop the Apache Tomcat service. Restart the Apache Tomcat service. To back up the original SESA DataStore on the source computer 1 On the source computer, open the IBM DB2 Command Line Processor. 2 To verify the current database manager instance, type the following command: get instance You should see the following message: The current database manager instance is:db2

344 344 Maintaining the SESA DataStore Data backup and recovery 3 To connect to the SESA DataStore as administrator, type the following command: connect to SESA user <administrator> using <password> 4 To list all running applications, type the following command: list applications 5 If tomcat.exe appears in the list of running applications, stop the Apache Tomcat Service. The Apache Tomcat service in Administrative Tools will only be present if the SESA Manager is on the same computer or if it was preinstalled. If it is not present as a service, the force applications all method has to be used. This method may have to be executed several times until the Apache Tomcat service no longer appears when you execute the list applications command. Also, if Symantec Incident Manager is installed on the same computer, the InfoManager service must be stopped before you can stop the Apache Tomcat service. 6 To disconnect db2bp.exe, type the following command: force applications all 7 To list all running applications, type the following command: list applications You should see the following message: SQL1611W No data was returned by Database System Monitor. SQLSTATE: To ensure that the database manager is active, type the following command: db2start 9 To back up the SESA DataStore to the C drive, type the following command: backup db SESA to C You should create the backup on the root of the drive. The SESA.0 folder on the source computer needs to be copied to the target computer and must use the same path as is used to create the backup. If you select the default location, the backup is created in Program Files\SQLLIB\bin\SESA When the backup is finished, record the timestamp information as it appears in the on-screen message. The message is similar to the following: Backup successful. The timestamp for this backup image is: The timestamp in this example translates to April 28, :02:47 PM. 11 If the Apache Tomcat service was stopped in step 4, restart it.

345 Maintaining the SESA DataStore Data backup and recovery 345 To stop the Apache Tomcat service 1 On the computer on which you installed the SESA Manager, on the Windows taskbar, click Start > Settings > Control Panel. 2 In the Control Panel window, double-click Administrative Tools. 3 In the Administrative Tools window, double-click Services. 4 In the Services dialog box, right-click the Apache Tomcat service, and then click Stop. To restart the Apache Tomcat service 1 On the computer on which you installed the SESA Manager, on the Windows taskbar, click Start > Settings > Control Panel. 2 In the Control Panel window, double-click Administrative Tools. 3 In the Administrative Tools window, double-click Services. 4 In the Services dialog box, right-click the Apache Tomcat service, and then click Restart. Restoring an IBM DB2 database You can move a SESA DataStore to a different computer by restoring the backup image. However, you must have taken the appropriate steps to back up the original SESA DataStore. See To back up the original SESA DataStore on the source computer on page 343. To restore a SESA DataStore, you must do the following: Stop the Apache Tomcat service. See To stop the Apache Tomcat service on page 345. Restore the original SESA DataStore on the target computer. Restart the Apache Tomcat service. See To restart the Apache Tomcat service on page 345.

346 346 Maintaining the SESA DataStore Data backup and recovery To restore the original SESA DataStore on the target computer 1 On the target computer, copy and paste the SESA.0 folder and all of its contents to the same path as the one that was used when it was created (see step 7 in To back up the original SESA DataStore on the source computer on page 343). 2 Install the SESA DataStore from the SESA Foundation Pack CDs. Do not install the SESA Directory. This will create two different SESA networks. Warning: You must install the target SESA DataStore to the same folders and drives as the source SESA DataStore and they must be the same size. You can expand the SESA DataStore on the target computer after it has been restored. 3 Open the IBM DB2 Command Line Processor. 4 To verify the current database manager instance, type the following command: get instance You should see the following message: The current database manager instance is:db2 5 To connect to the SESA DataStore as administrator, type the following command: connect to SESA user <administrator> using <password> 6 To list all of the running applications, type the following command: list applications If tomcat.exe appears in the list of running applications, stop the Apache Tomcat Service. See To stop the Apache Tomcat service on page To disconnect db2bp.exe, type the following command: force applications all 8 To list all of the running applications, type the following command: list applications You should see the following message: SQL1611W No data was returned by Database System Monitor. SQLSTATE: To ensure that the database manager is active, type the following command: db2start

347 Maintaining the SESA DataStore SESA Data Maintenance Tool To restore the SESA DataStore to the C drive, type the following command: restore db SESA from C taken at <insert timestamp here> to c:\sesa\symc_data The following message appears: SQL2532W Warning! Restoring to an existing database that is different from the database on the backup image, but have matching names. The target database will be overwritten by the backup version. The roll-forward recovery logs associated with the target database will be deleted. Do you want to continue? (y/n) 11 Type Y for yes. The restore should complete and display the following message: The RESTORE DATABASE command completed successfully. 12 Open the Symantec management console and ensure that all of the events from the SESA DataStore appear. You may have to reinstall the SIPs that had been previously installed into the source SESA DataStore to continue to receive future events from SESA clients. 13 If the source SESA DataStore still appears in the Symantec management console, remove it by doing one of the following: Remove the SESA DataStore from the SESA network using the Symantec Enterprise Architecture Components in Add/Remove Programs. Delete both entries for the source SESA DataStore in the directory using the DMT for the IBM Directory Server. There are two entries: one under the domain and the other under the system. 14 To back up the SESA DataStore to the C drive, type the following command: backup db SESA to C SESA Data Maintenance Tool The SESA Data Maintenance Tool, which is provided on the SESA Foundation Pack CD set, is a utility that lets you purge, copy, or move events and alerts from your SESA DataStore (Oracle 9i or IBM DB2). You can purge, copy, or move data by product type, event type, severity, and many other filtering criteria to make data operation as broad or as specific as you want. The SESA Data Maintenance Tool purges, copies, and moves data by table row. The SESA Data Maintenance Tool gives you the option of saving purging, copying, or moving criteria to a file called a filter. You can then run the filter

348 348 Maintaining the SESA DataStore SESA Data Maintenance Tool from the SESA Manager computer command line, or insert it in any data scripts used to maintain databases in your organization. You can run as many instances of the SESA Data Maintenance Tool as you like, each with a different filter. When to use the SESA Data Maintenance Tool Table 9-1 describes some of the ways that you can use the SESA Data Maintenance Tool to delete events and alerts from a SESA DataStore. Warning: Before you delete events or alerts from a SESA DataStore, make sure that you archive the data that you are purging. For more information on archiving a SESA DataStore, see the Symantec Management Console User s Guide. Table 9-1 Common use Common ways to use the SESA Data Maintenance Tool Description Scheduled maintenance You can use the SESA Data Maintenance Tool to configure and save a purge, copy, or move filter, which you can schedule to run with a script that you use to maintain the SESA DataStore. Every three months, for example, you may run a tool or script to automatically back up the oldest three months of data in the SESA DataStore. You can modify the script to include the command for the SESA Data Maintenance Tool and add a purge filter as a parameter of the command. That way, every three months, the same data that is archived will also be purged from the SESA DataStore. To create a purge filter that will delete the oldest three months of data, in the SESA Data Maintenance Tool user interface, on the Dates tab, you can select the older than (n) days option, and then specify a value of 90 for n. See Configuring and saving a filter on page 356.

349 Maintaining the SESA DataStore SESA Data Maintenance Tool 349 Common use Company infrastructure has changed Description If you have used organizational units in the Symantec Management Console to reflect the organizational infrastructure of your company (for example, organizational units that represent company sites), you can use the SESA Data Maintenance Tool to delete events from organizational units when an organizational unit is no longer used or no longer reflects the organizational infrastructure of your company. The SESA Data Maintenance Tool contains an Organizational Units tab that lets you select the organizational units for which events can be deleted. Before you purge any events, make sure to back up any event data in the SESA DataStore. When you execute a purge, copy, or move operation in the SESA Data Maintenance Tool, the selected operation begins immediately. However, you can also configure and save configuration files, which you can run later from the SESA Manager computer command line to purge the SESA DataStore. Note: If you select to purge events, the SESA Data Maintenance Tool does not purge events in the SESA DataStore that are currently associated with alerts. Launching the SESA Data Maintenance Tool You must launch the SESA Data Maintenance Tool from the directory that contains the utility. The tool is located on the SESA Foundation Pack CD1 for Solaris or Windows in the Utils\DBtools\DMT directory. Launch the SESA Data Maintenance Tool You can run the SESA Data Maintenance Tool on both Windows and Solaris platforms. In Windows environments, you use the Sesadmt.bat tool. In Solaris environments, you use the sesadmt.sh tool. If you are running the tool from a command line or as part of a maintenance script, you use Sesadmtcmd.bat and sesadmtcmd.sh for Windows and Solaris environments respectively. See Running the SESA Data Maintenance Tool from the command line on page 357.

350 350 Maintaining the SESA DataStore SESA Data Maintenance Tool To launch the SESA Data Maintenance Tool on a Windows computer 1 On the SESA Manager computer, insert CD1 in the CD-ROM drive. 2 On CD1, change directories to the \Utils\DBtools\DMT. 3 At the command prompt, type the following: sesadmt 4 In the SESA Data Maintenance Tool Log On dialog box, type the logon name for the Symantec Domain Administrator account for the domain in which the SESA DataStore is associated. 5 Type the password for the logon name. 6 Type the name of the SESA domain to which the SESA DataStore is associated. If only one SESA domain is installed, you can leave this field blank. 7 In the SESA Manager box, do one of the following: If SESA is using default, anonymous SSL communications, type the IP address of the computer on which the SESA Manager is installed. If SESA is using authenticated SSL communications, type the host name of the SESA Manager computer. For example, mycomputer.com. 8 Click Log on. To launch the SESA Data Maintenance Tool on a Solaris computer 1 Ensure that a local copy of the SESA Foundation Pack Solaris distribution media image has been copied to the SESA Manager computer and that the Solaris computer at which you are physically located has access to the computer. 2 On the Solaris computer at which you are physically located, become superuser. 3 To display a local Terminal window, right-click anywhere on the Solaris screen, and then click Tools > Terminal. If you are installing the IBM DB2 database server on the computer at which you are physically located, your local Terminal window displays the SESA Directory computer environment.

351 Maintaining the SESA DataStore SESA Data Maintenance Tool If you are launching the SESA Data Management Tool from a remote Solaris computer, initiate a Telnet session with the SESA Manager computer, and then set and export the remote display to the local computer. See Connecting to a remote Solaris computer and exporting its display on page 135. The Terminal window displays the environment of the SESA Manager computer. 5 In the Terminal window, type sesadmt 6 In the SESA Data Maintenance Tool Log On dialog box, type the logon name for the Symantec Domain Administrator account for the domain in which the SESA DataStore is associated. 7 Type the password for the logon name. 8 Type the name of the SESA domain to which the SESA DataStore is associated. If only one SESA domain is installed, you can leave this field blank. 9 In the SESA Manager box, do one of the following: If SESA is using default, anonymous SSL communications, type the IP address of the computer on which the SESA Manager is installed. If SESA is using authenticated SSL communications, type the host name of the SESA Manager computer. For example, mycomputer.com. 10 Click Log on. Running an immediate database purge, copy, or move operation You can use the SESA Data Maintenance Tool to configure and run a database operation immediately.

352 352 Maintaining the SESA DataStore SESA Data Maintenance Tool To run an immediate database purge, copy, or move operation 1 Launch the SESA Data Maintenance Tool. See Launching the SESA Data Maintenance Tool on page In the SESA Data Maintenance Tool dialog box, under Source DataStore selection, select the SESA DataStore on which to perform the purge, copy, or move operation. 3 If you are copying or moving data from the selected SESA DataStore, under Destination DataStore selection, select the SESA DataStore to which to copy or move the data. 4 Under Select action, select one of the following: Purge: Purges events or alerts from the selected SESA DataStore Copy: Copies events from the one selected SESA DataStore to another Move: Moves events or alerts from one selected SESA DataStore to another