SSIM Database Extension Pack 4.0 for Oracle on Linux Installation Guide
Legal Notice

The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.

SYMANTEC PROPRIETARY/CONFIDENTIAL INTERNAL USE ONLY
Copyright 2005 Symantec Corporation. All rights reserved.
Contents

Chapter 1  Planning for installation
    About the SSIM Database Extension Pack 4.0 for Oracle on Linux ... 5
    Installation requirements ... 6
    Installation prerequisites ... 7

Chapter 2  Installing and configuring the database
    About the installation files ... 9
    Installation checklist ... 9
    Installing the JDK ... 10
    Installing the database ... 10
        Running the sesa-setup RPM ... 11
        Creating the database ... 11
        Installing the schema ... 15
    Configuring Oracle as the primary database for Information Manager ... 16

Appendix A  Purging data
    About the DMU purge tool ... 17
    Using the GUI-based DMU utility to delete partitions ... 18
    Using the DMU command-line tool to delete partitions ... 18
    Automating partition purges ... 20
        Example 1 ... 20
        Example 2 ... 21

Index
Chapter 1  Planning for installation

This chapter includes the following topics:
- About the SSIM Database Extension Pack 4.0 for Oracle on Linux
- Installation requirements
- Installation prerequisites

About the SSIM Database Extension Pack 4.0 for Oracle on Linux

The SSIM Database Extension Pack 4.0 for Oracle on Linux enables Symantec Security Information Manager (Information Manager) customers to store event and incident data in an Oracle database that is installed on a separate server. It is designed for large enterprises with high volumes of security information.

By storing Information Manager data on an Oracle database server instead of on the Information Manager appliance, customers can do the following:
- Maximize the ability to receive and process high volumes of security information.
- Store up to 20 terabytes of security event data.
- Increase security event throughput.
- Archive data to meet regulatory compliance requirements.
- Use existing Oracle expertise in their organization.
Note: SSIM Database Extension Pack 4.0 for Oracle on Linux is an advanced solution that requires extensive Oracle knowledge and experience. An Oracle Database Administrator (Oracle DBA) should be responsible for deploying and maintaining the solution, and Symantec Consulting Services should be engaged for the initial deployment.

Installation requirements

To install the SSIM Database Extension Pack 4.0 for Oracle on Linux, the Oracle database server must meet the following requirements:

Operating system
    Red Hat Enterprise Linux 3, release 4; 32-bit; updated with the latest patches from Red Hat.

Oracle
    32-bit Oracle, version 10.1.0.4, updated with the latest patches from Oracle, and with Index Range Partitioning enabled.
    Ensure that you have installed the October 2005 Oracle Critical Patch Update. This patch addresses security issues with Oracle. Treat it as the minimum: Oracle publishes Critical Patch Updates quarterly, and every later one should be applied as well. For more information, see the Oracle Web site.

Hardware
    Dell 6650 server, or the equivalent: dual processors, 8 GB RAM.

Storage
    Storage Area Network (SAN) or Network Attached Storage (NAS), Class 1 storage (such as Symmetrix DMX 3000).

Disk layout
    RAID 1+0 array consisting of 14 disks, each disk 133 GB. 13 disks are used for data storage and parity; one disk is used for backup:
    - Volume 1 (> 400 GB) holds base event tables and other event table indexes.
    - Volume 2 (> 200 GB) holds base event table indexes, user definition tables, and cache tables.
    - Volume 3 (> 1000 GB) holds other event tables.
    - Volume 4 (> 150 GB) holds log and tempdb.
    - Volume 5 (> 100 GB) holds OS and software installations.

Note: Symantec does not make available for sale or resale any Oracle product, including Oracle database software. You must purchase the Oracle database software and the Oracle Index Range Partitioning license separately.
Installation prerequisites

Before you install the SSIM Database Extension Pack 4.0 for Oracle on Linux, ensure that the following prerequisites have been met:

- Symantec Security Information Manager 4.0.1 is installed and configured. If Symantec Security Information Manager 4.0 is already installed, apply the 4.0.1 service pack. If not, install and configure Symantec Security Information Manager 4.0.1.
- The Oracle server meets the operating system, hardware, and storage requirements.
- The RAID system is configured for the Oracle server.
- A supported version of Oracle is installed on the server.
- Oracle Index Range Partitioning is enabled on the Oracle server. Index Range Partitioning requires a license, which must be purchased from Oracle.
- The starter database that the Oracle installer offers to create is not installed on the Oracle server. Do not select the option to create a database when you install Oracle. Use the scripts that are provided in the database extension pack to create a database that is properly configured for use with Information Manager.
- The Oracle server can communicate with the Information Manager appliance over a network. The Oracle database and the Information Manager appliance communicate over normal, unencrypted SQL*Net, so every event and incident record that the appliance writes or reads crosses the network in cleartext and can be read by any host on the same segment. Place this connection on a private network, and restrict access to the Oracle server, at a firewall in front of it, to the Information Manager appliance and to authorized administrators.
- All required connection and authentication information is available during the installation and configuration process. Table 1-1 lists the connection information that is needed during installation.

Table 1-1  Connection and authentication information required for installation

IP address of the appliance
    If your installation includes multiple Information Manager appliances, this should be the appliance on which the directory service is configured.
LDAP listening port on the appliance
    The default port number is 636.
LDAP account name and password
    The LDAP directory administrator account, as configured on the appliance.
Domain name
    The administrative domain, as configured on the appliance.
Database account name and password
    The administrator account for the Information Manager database on the Oracle server. The default database account name is symcmgmt.
Chapter 2  Installing and configuring the database

This chapter includes the following topics:
- About the installation files
- Installation checklist
- Installing the JDK
- Installing the database
- Configuring Oracle as the primary database for Information Manager

About the installation files

The SSIM Database Extension Pack 4.0 for Oracle on Linux includes the following components:

sesa-jdk-1.5.0_04-1.i686.rpm
    This file includes the Java Development Kit (JDK) that is required for the installation.
sesa-setup-2.5-ds25_only_<n>.i686.rpm
    In the file name, <n> represents the build number. This file includes the installation script.

Installation checklist

To install the SSIM Database Extension Pack 4.0 for Oracle on Linux, you must perform the following tasks:

1. Ensure that all prerequisites have been met. See Installation prerequisites on page 7.
2. Install the Java Development Kit (JDK). See Installing the JDK on page 10.
3. Create the database and apply the schema. See Installing the database on page 10.
4. Configure Oracle as the primary database for Information Manager. See Configuring Oracle as the primary database for Information Manager on page 16.

Installing the JDK

Before you run the database setup program, you must install the JDK that is included in the database extension pack.

To install the JDK
1  Copy the following RPM files to the Oracle server:
       sesa-jdk-1.5.0_04-1.i686.rpm
       sesa-setup-2.5-ds25_only_<n>.i686.rpm
2  To install the JDK, type the following command:
       rpm -ivh sesa-jdk-1.5.0_04-1.i686.rpm
   The file name must match the RPM that you copied in step 1.

Installing the database

To install and configure the database, you do the following:
- Run the sesa-setup RPM file that you previously copied to the Oracle server. See Running the sesa-setup RPM on page 11.
- Create the Information Manager database. See Creating the database on page 11.
- Install the appropriate schema to the database, and configure it with the necessary information to communicate with the Information Manager appliance. See Installing the schema on page 15.
Running the sesa-setup RPM

Before you can create and configure the database, you must run the RPM file that installs the database installation script and related files. This is the second of the two RPM files that you copied to the Oracle server before you installed the JDK. See Installing the JDK on page 10.

To run the sesa-setup RPM
Type the following command:
    rpm -ivh --nodeps sesa-setup-2.5-ds25_only_<n>.i686.rpm
In the command, replace <n> with the actual build number in the RPM file name. The --nodeps option makes rpm skip its dependency check for this package.

Creating the database

To create the database, you run a shell script called create.sh. Before you run create.sh, edit it to set certain parameters. For example, change the default values of the variables that specify the database name and the default location of the data files in the Oracle database.
See About create.sh on page 11.
See Editing create.sh on page 12.
See Running create.sh on page 13.
See About running create.sql manually on page 14.

About create.sh

The create.sh script creates the database configuration files and the SQL script that is run to create the database. Table 2-1 lists and describes the files that are created by create.sh.

Table 2-1  Files created by create.sh

create.sql
    A SQL script that is used to create the <DBNAME> database.
init<dbname>.ora
    The configuration file that contains all of the initialization parameters for the <DBNAME> database.
listener.ora
    The configuration file for the Oracle listener that makes the database available over the network to the Manager and other clients.
tnsnames.ora
    A sample tnsnames file that can be used by Oracle clients, such as SQL*Plus, to connect remotely.
recreate.sql
    A SQL script that can be run manually to drop and recreate the SYMCMGMT database user, without having to drop and recreate the entire database.

The create.sh script includes a number of variables that define the database name, Oracle version, data file path, and more. Edit create.sh to set these variables as appropriate for your installation. See Editing create.sh on page 12.

Editing create.sh

In the create.sh file, the parameters that are most commonly changed are presented at the beginning of the file as variables with default values that can be edited. Review the contents of the file before you run it. At minimum, set the appropriate values for the DBVERSION and ORACLE_HOME variables.

Note: If you edit a path name prefix in create.sh, ensure that the directory path that you specify actually exists.

By default, the SQL database creation script, create.sql, is run automatically by create.sh. If you are an experienced user, you may want to set RUN_SCRIPTS to false so that create.sql is not run automatically. You can then edit create.sql before you run it, to create a configuration that takes full advantage of your hardware.

Table 2-2 lists the most commonly edited variables in the create.sh file. For a complete list of these variables and their default values, review the contents of the file.
Table 2-2  Commonly edited parameters in create.sh

RUN_SCRIPTS
    Default: true
    Set to false if you do not want create.sh to both generate and run the database creation script, create.sql. You are then responsible for running create.sql manually.
DBVERSION
    Default: 10.1.0
    This variable is referenced in the ORACLE_HOME path.
ORACLE_HOME
    Default: /u01/app/oracle/product/$dbversion/db_1
    Set this to match the ORACLE_HOME path that was used when installing Oracle.
JAVA
    Default: "$ORACLE_HOME/jdk/bin/java -cp." (This is a Solaris example.)
    Set to the location of the Java executable that is installed and used by Oracle. Unless the version of Java that is used by Oracle is installed to a non-default path, you do not need to change this.
DBNAME
    Default: SESA
    Set to the name you want to use for the database instance.
SGA_TARGET
    Default: 1600M
    Increase as necessary to take full advantage of your hardware.

Running create.sh

Once you have edited create.sh, you can run it to generate the database configuration files and to generate and run the database creation script, create.sql. Unless you have set RUN_SCRIPTS to false in the create.sh file, create.sql is run automatically.
To run create.sh
1  To give the oracle user ownership of the installation files, in a shell, as superuser, type the following:
       chown -R oracle:oinstall /var/lib/symantec/files/sql/oracle/install
   The owner and group are separated by a colon. A semicolon here would end the chown command and try to run oinstall as a separate command.
2  Edit the following shell script as necessary:
       /var/lib/symantec/files/sql/oracle/install/create.sh
   See Editing create.sh on page 12.
3  Ensure that the following command has been run:
       /u01/app/oracle/product/10.1.0/db_1/root.sh
4  Log on as the oracle user, change to the directory that contains the edited copy of create.sh, and then type:
       sh create.sh
   By default, the database creation files are generated, and create.sql is run immediately to create a database.
5  When prompted, type the passwords to use for the following user accounts:
   SYMCMGMT   Information Manager administrative account for the new database.
   SYSTEM     Oracle privileged administrative account for the new database.
   SYS        Oracle administrative account for the new database.
   If you set RUN_SCRIPTS to false in create.sh, you are not asked to provide these passwords. Instead, when the create.sh operation is completed, you must run create.sql manually. See About running create.sql manually on page 14.

About running create.sql manually

If you set RUN_SCRIPTS to false in the create.sh file, the create.sql script is not run automatically. If you run create.sql manually, you are not prompted to create passwords for SYMCMGMT, SYSTEM, and SYS, as you are when create.sh runs create.sql automatically. Instead, the placeholder value for SYMCMGMT in the create.sql script, which is the literal string password, is used for the new database. For SYSTEM and SYS, the Oracle default values are used.

Before you run create.sql, you can replace the placeholder with the actual password you want to use. If you do so, however, you must re-edit the file immediately after running it, so that this plaintext file is not left on disk with the real password in it. Alternatively, keep the placeholder SYMCMGMT password when you create the database, and then immediately change the passwords for all three user accounts in Oracle, either from the SQL*Plus command line or in Oracle Enterprise Manager. Either way, do not leave the database running with the placeholder SYMCMGMT password or with the Oracle default SYSTEM and SYS passwords: all three are publicly known.

Installing the schema

Once you have created the database, you need to install the appropriate schema for Information Manager. The installation script is called sesa-setup, and it is installed to /usr/sbin. The sesa-setup command takes the following parameters:

--datastore
    The type of component to install.
--device <device-name>
    The name of the network device, such as eth0.
--ldap-ip <IP-address>
    The IP address of the LDAP directory. This should be the IP address of the Information Manager appliance. If your deployment includes multiple appliances, use the IP address of the appliance that is configured for directory service.
--ldap-domain <domain-name>
    The domain that is configured on the appliance.
--ldap-port <port-number>
    The port number on which the LDAP directory listens. By default, the port number is 636.
--ldap-user <user-name>
    The name of the account that has administrator privileges to the LDAP directory.
--ldap-pass <password>
    The password for the LDAP user account.
--oracle-db
    The type of database.
--db-instance-name <instance-name>
    The name of the database. This parameter is optional unless you changed the default value of DBNAME when you edited the create.sh script. The default name is SESA.
--no-raw
    Disallows the storage of binary data in RAW format.
--db-user symcmgmt
    The name of the Information Manager administrative account for the database.
--db-pass <password>
    The password for the symcmgmt account.

To install the schema
To run the installation script, type the following command:

    /usr/sbin/sesa-setup --datastore --device <device-name> --ldap-ip <IP-address> --ldap-domain <domain-name> --ldap-port <port-number> --ldap-user <user-name> --ldap-pass <password> --oracle-db --db-instance-name <instance-name> --no-raw --db-user symcmgmt --db-pass <password>

Replace the variable values, such as <domain-name>, with the actual values for your installation. Note that both the LDAP administrator password and the symcmgmt password are passed as command-line arguments: while sesa-setup runs they are visible to every local user in the process list (for example, in the output of ps), and the command line is recorded in the shell history of the account that ran it. Run the command from a session that only administrators can observe, and remove it from the history file afterwards.

Configuring Oracle as the primary database for Information Manager

You configure Information Manager to use the Oracle database in the Information Manager Console.

To configure Oracle as the primary database for Information Manager
1  In the Information Manager Console, press F4 to access the Configurations Viewer.
2  In the left pane of the Configurations Viewer, expand SESA 2.5 > Manager Connection Configurations, and then click Default.
3  In the right pane, on the SESA DataStore Failover tab, from the Primary DataStore drop-down list, select the Oracle database, and then click Save.
4  To distribute the configuration, on the toolbar, click Distribute.
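The section About running create.sql manually tells you to replace the placeholder SYMCMGMT password and the Oracle default SYSTEM and SYS passwords immediately after create.sql has run, from SQL*Plus or Enterprise Manager, and warns against leaving a real password in the plaintext create.sql. The script below is an added example, not part of the extension pack or of Symantec's code, of doing that from SQL*Plus without writing any password to disk or onto a command line: it prompts with terminal echo off and feeds the ALTER USER statements to sqlplus on standard input. It assumes that it runs as the oracle OS user with ORACLE_HOME and ORACLE_SID set (ORACLE_SID being the DBNAME chosen in create.sh, SESA by default), so that "sqlplus / as sysdba" authenticates through the operating system; the 12-character minimum is an assumed local policy, not something the guide specifies. Run it after create.sql and before sesa-setup, and pass the new SYMCMGMT password to sesa-setup --db-pass.

```shell
#!/bin/sh
# Added example (not from the SSIM extension pack): set real passwords for
# SYMCMGMT, SYSTEM and SYS right after create.sql has created the database.
# Passwords are read from the terminal with echo off and handed to SQL*Plus
# on stdin, so they never land in create.sql, in argv, or in shell history.
#
# Assumptions: run as the oracle OS user with ORACLE_HOME and ORACLE_SID set
# (ORACLE_SID = the DBNAME chosen in create.sh, SESA by default), so that
# "sqlplus / as sysdba" authenticates via the OS. The 12-character minimum
# is an assumed local policy.

# check_password PASS: reject anything the quoted IDENTIFIED BY form below
# cannot carry safely (double quotes, whitespace) and enforce the minimum.
check_password() {
    pw=$1
    if [ "${#pw}" -lt 12 ]; then
        echo "password must be at least 12 characters" >&2
        return 1
    fi
    if printf '%s' "$pw" | grep -q '[[:space:]"]'; then
        echo "password must not contain double quotes or whitespace" >&2
        return 1
    fi
    return 0
}

# alter_user_sql USER PASS: the statement that sets the password. Quoting the
# password keeps it case-sensitive and lets it contain characters that would
# otherwise be special to SQL (for example @ or #).
alter_user_sql() {
    printf 'ALTER USER %s IDENTIFIED BY "%s";\n' "$1" "$2"
}

# read_secret PROMPT: read one line from the terminal with echo disabled.
read_secret() {
    printf '%s: ' "$1" >&2
    stty -echo
    read -r secret
    status=$?
    stty echo
    printf '\n' >&2
    [ "$status" -eq 0 ] || return 1
    printf '%s\n' "$secret"
}

# ask ACCOUNT: prompt until a password passes check_password; fail on EOF.
ask() {
    while :; do
        pw=$(read_secret "New password for $1") || return 1
        if check_password "$pw"; then
            printf '%s\n' "$pw"
            return 0
        fi
    done
}

# rotate_passwords: collect all three passwords first, then apply them in a
# single SQL*Plus session. SET DEFINE OFF stops '&' inside a password from
# being treated as a substitution variable; WHENEVER SQLERROR makes any
# failed statement abort the session with a non-zero exit status.
rotate_passwords() {
    pw_symcmgmt=$(ask SYMCMGMT) || return 1
    pw_system=$(ask SYSTEM) || return 1
    pw_sys=$(ask SYS) || return 1
    {
        echo 'SET DEFINE OFF'
        echo 'WHENEVER SQLERROR EXIT FAILURE'
        alter_user_sql SYMCMGMT "$pw_symcmgmt"
        alter_user_sql SYSTEM "$pw_system"
        alter_user_sql SYS "$pw_sys"
        echo 'EXIT'
    } | "$ORACLE_HOME/bin/sqlplus" -S / as sysdba
}

# Only act on a host where Oracle is actually present.
if [ -n "${ORACLE_HOME:-}" ] && [ -x "$ORACLE_HOME/bin/sqlplus" ]; then
    rotate_passwords
fi
```

The statements are built by alter_user_sql and written to the sqlplus pipe rather than passed as arguments, so nothing sensitive appears in ps output; the same approach works for changing the passwords later on a schedule.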
Appendix A  Purging data

This appendix includes the following topics:
- About the DMU purge tool
- Using the GUI-based DMU utility to delete partitions
- Using the DMU command-line tool to delete partitions
- Automating partition purges

About the DMU purge tool

The SSIM Database Extension Pack 4.0 for Oracle on Linux installs a Database Maintenance Utility (DMU) on the Oracle server. The DMU deletes inactive partitions from the database.

Just as database partitioning improves the speed of event insertion and report generation, partition-based purging of data is faster and more efficient in high-volume environments. Partitions are created at regular intervals, and events are stored in a partition based on the event time. Deleting the oldest partition avoids the overhead associated with issuing complex queries to the database, and ensures that the oldest data is purged first.

A consecutive range of partitions can be deleted, from the oldest inactive partition up to a specified inactive partition. The active partition is never deleted. The same tablespace is never used by two different partitions, so when a partition is deleted, all tablespaces that are associated with the partition are also deleted.

You can use a simple, GUI-based DMU utility to purge partitions, or you can use the DMU command-line tool. The command-line tool is the right choice when you want to automate the purge process, and when the Oracle server does not have a graphical desktop interface.
Note: The DMU requires you to provide the necessary credentials to authenticate to the manager on the Information Manager appliance. The network environment must allow the DMU to contact the manager.

Using the GUI-based DMU utility to delete partitions

The GUI-based DMU utility is located in the following path:
    /opt/symantec/sesa/dmu/sesadmu.sh

To use the GUI-based DMU utility to delete partitions
1  To launch the DMU, on the Oracle server, in a shell, type the following:
       /opt/symantec/sesa/dmu/sesadmu.sh
2  In the Logon panel, provide the following information:
   Name                      The Information Manager Administrator account.
   Password                  Password for the logon account.
   Domain                    Name of the administrative domain. This field is optional.
   SESA Manager IP/Hostname  Host name or IP address of the Information Manager appliance.
3  In the Database Operation Selection panel, select the database from the drop-down list.
4  In the Partition Purge panel, select one or more inactive partitions, starting with the oldest. The oldest partition is located at the top of the list. At minimum, the oldest partition must be selected. All selected partitions must be in a single, continuous range. The active partition cannot be selected.
5  To delete the selected partitions, click Execute.

Using the DMU command-line tool to delete partitions

The DMU command-line tool is located in the following path:
    /opt/symantec/sesa/dmu/sesadmucmd.sh

You can use sesadmucmd.sh to perform the following operations. They are normally run in the order listed, because each one reports the values that the next one needs:

List Databases
    Lists all databases that are managed by a specified Manager. The name of the database and the name of the database host are listed.
Partition List
    Lists all partitions for a specified database on a specified host. The partition name is in the form PRT_<n>.
Partition Purge
    Purges the specified partition, along with any older partitions that may exist. Partitions are purged in order, from oldest to newest.

The sesadmucmd.sh command has the following syntax:

List Databases operation
    sesadmucmd.sh --user <admin-name> --password <admin-pass> --managerhost <hostname-or-ip> --operation "List Databases"

Partition List operation
    sesadmucmd.sh --user <admin-name> --password <admin-pass> --managerhost <hostname-or-ip> --databasehost <hostname> --databasename <db-name> --operation "Partition List"

Partition Purge operation
    sesadmucmd.sh --user <admin-name> --password <admin-pass> --managerhost <hostname-or-ip> --databasehost <hostname> --databasename <db-name> --purgetopartition <partition-name> --operation "Partition Purge"

The sesadmucmd.sh command takes the following parameters:

--user <admin-name>
    The Information Manager Administrator account. Required.
--password <admin-pass>
    Password for the logon account. Required.
--domain <domain-name>
    Name of the administrative domain. Optional.
--managerhost <hostname-or-ip>
    Host name or IP address of the Information Manager appliance. Required.
--operation ["List Databases" | "Partition List" | "Partition Purge"]
    Type of operation to perform. Use one of the three values shown. Required.
--databasehost <hostname>
    Host name of the database computer, as reported by the "List Databases" operation. Required with --operation "Partition List" and --operation "Partition Purge".
--databasename <db-name>
    Name of the database, as reported by the "List Databases" operation. Required with --operation "Partition List" and --operation "Partition Purge".
--purgetopartition <partition-name>
    Name of the partition to purge, as reported by the "Partition List" operation. Required with --operation "Partition Purge".

Automating partition purges

You can automate the deletion of partitions. In a shell script, more than one approach can be used to supply the partition name for the sesadmucmd.sh --purgetopartition parameter. Example 1 keeps the number of the next partition to remove in a file and advances it on every run; Example 2 takes the oldest partition from the output of the "Partition List" operation on every run.

Note: To automate the partition purge process, you must store the Information Manager Administrator password in the script file. Store the file securely: make it readable and executable only by the account that runs the job (for example, owner oracle, mode 0700), keep it out of shared or world-readable directories, and remember that the password is also visible in the process list (ps) for as long as sesadmucmd.sh is running. Run the job under that account, for example from cron on the Oracle server.

Example 1

    #!/bin/sh
    # Run the command-line version of the DMU, purging one more partition on
    # each run. The number of the next partition to remove is kept in $FILE.
    PARTITION_PREFIX=PRT_
    PARTITION=1
    FILE=partition.txt
    ADMIN_USER=administrator
    PASSWORD=password
    MANAGER=10.1.1.1
    DATABASE_HOST=testmachine
    DATABASE_NAME=SESA

    # See whether the file with the next partition to remove exists
    if [ -e "$FILE" ]
    then
        if [ -r "$FILE" ] && [ -w "$FILE" ]
        then
            PARTITION=$(cat "$FILE")
        else
            echo "$FILE must be writable and readable by the current process."
            exit 1
        fi
    else
        echo "$PARTITION" > "$FILE"
    fi

    echo "Deleting up to partition->$PARTITION_PREFIX$PARTITION"
    # Advance the counter only if the purge succeeded, so a failed run is
    # retried next time instead of being skipped.
    if ./sesadmucmd.sh --user "$ADMIN_USER" --password "$PASSWORD" \
        --managerhost "$MANAGER" --databasehost "$DATABASE_HOST" \
        --databasename "$DATABASE_NAME" --operation "Partition Purge" \
        --purgetopartition "$PARTITION_PREFIX$PARTITION"
    then
        PARTITION=$((PARTITION + 1))
        echo "$PARTITION" > "$FILE"
    fi

Example 2

    #!/bin/sh
    # Run the command-line version of the DMU, purging the oldest inactive
    # partition as reported by the "Partition List" operation.
    PARTITION_PREFIX=PRT_
    ADMIN_USER=administrator
    PASSWORD=password
    MANAGER=10.1.1.1
    DATABASE_HOST=testmachine
    DATABASE_NAME=SESA
    PARTITION=
    FILE=partitions.txt

    # Write the current partition list to $FILE
    ./sesadmucmd.sh --user "$ADMIN_USER" --password "$PASSWORD" \
        --managerhost "$MANAGER" --databasehost "$DATABASE_HOST" \
        --databasename "$DATABASE_NAME" --operation "Partition List" > "$FILE" || exit 1

    # The oldest partition is listed first; take the <n> from its PRT_<n> name
    if [ -r "$FILE" ]
    then
        PARTITION=$(grep "$PARTITION_PREFIX" "$FILE" | head -1 | cut -f2 -d'_')
    else
        echo "$FILE must be readable by the current process."
        exit 1
    fi

    if [ -z "$PARTITION" ]
    then
        echo "No partitions listed in $FILE; nothing to purge."
        exit 0
    fi

    echo "Deleting up to partition->$PARTITION_PREFIX$PARTITION"
    ./sesadmucmd.sh --user "$ADMIN_USER" --password "$PASSWORD" \
        --managerhost "$MANAGER" --databasehost "$DATABASE_HOST" \
        --databasename "$DATABASE_NAME" --operation "Partition Purge" \
        --purgetopartition "$PARTITION_PREFIX$PARTITION"
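Both examples above drive the purge from a counter or from the first name in the partition list; neither expresses a retention policy, and both keep the administrator password inside the script. The script below is an added example, not part of the extension pack, that instead reads the password from a separate file owned by the account that runs the job (the path /opt/symantec/sesa/dmu/.dmu_pass and its 0600 mode are an assumed convention) and purges up to whichever partition leaves KEEP inactive partitions in place. It assumes that the "Partition List" output contains one PRT_<n> name per line (the guide states only the name format, not the exact layout, so the list used to check the selection is constructed) and that the highest-numbered partition is the active one, which the DMU never deletes. Because sesadmucmd.sh accepts the password only as a --password argument, it is still visible in the process list for as long as the tool runs; the file only keeps it out of the script and out of version control.

```shell
#!/bin/sh
# Added example, not part of the SSIM extension pack: retention-based purge
# with the DMU command-line tool. Keeps the newest $KEEP inactive partitions
# and purges everything older in a single "Partition Purge" call.
#
# Assumptions (not stated in the guide): "Partition List" prints one PRT_<n>
# name per line, and the highest <n> is the active partition. The password
# file path is an assumed convention; create it with mode 0600, owned by the
# account that runs this job.

DMU=/opt/symantec/sesa/dmu/sesadmucmd.sh
PASSWORD_FILE=/opt/symantec/sesa/dmu/.dmu_pass
ADMIN_USER=administrator
MANAGER=10.1.1.1
DATABASE_HOST=testmachine
DATABASE_NAME=SESA
KEEP=${KEEP:-30}        # number of inactive partitions to retain

# partition_number NAME: print <n> from PRT_<n>; fail for anything else.
partition_number() {
    case "$1" in
        PRT_*) n=${1#PRT_} ;;
        *) return 1 ;;
    esac
    case "$n" in
        ''|*[!0-9]*) return 1 ;;
    esac
    printf '%s\n' "$n"
}

# select_purge_target KEEP < partition-list
# Ignores lines that are not PRT_<n> names, sorts the rest numerically, sets
# the newest one aside as the active partition, and prints the name of the
# newest partition that must go so that exactly KEEP inactive ones remain.
# Prints nothing and returns 1 when no purge is needed.
select_purge_target() {
    keep=$1
    nums=$(for name in $(cat); do partition_number "$name" || :; done | sort -n)
    [ -n "$nums" ] || return 1
    total=$(printf '%s\n' "$nums" | wc -l | tr -d ' ')
    purge=$((total - 1 - keep))       # inactive = total - 1 (the active one)
    [ "$purge" -gt 0 ] || return 1
    printf 'PRT_%s\n' "$(printf '%s\n' "$nums" | sed -n "${purge}p")"
}

# run_dmu OPERATION [extra args]: run the tool with the shared connection
# options; the password is read from the file at call time.
run_dmu() {
    op=$1; shift
    "$DMU" --user "$ADMIN_USER" --password "$(cat "$PASSWORD_FILE")" \
        --managerhost "$MANAGER" --databasehost "$DATABASE_HOST" \
        --databasename "$DATABASE_NAME" --operation "$op" "$@"
}

main() {
    [ -r "$PASSWORD_FILE" ] || { echo "cannot read $PASSWORD_FILE" >&2; exit 1; }
    listing=$(run_dmu "Partition List") || exit 1
    if target=$(printf '%s\n' "$listing" | select_purge_target "$KEEP"); then
        echo "Purging partitions up to $target (keeping $KEEP inactive partitions)"
        run_dmu "Partition Purge" --purgetopartition "$target"
    else
        echo "Fewer than $KEEP inactive partitions; nothing to purge"
    fi
}

# Only run the purge on a host where the DMU is installed.
if [ -x "$DMU" ]; then
    main
fi
```

Because the Partition Purge operation deletes the named partition together with everything older, one call with the computed target is enough; the selection is done in select_purge_target, which can be exercised on its own with a hand-written list before the job is scheduled.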
Index

C
connection information  8
create.sh
    editing  12
    files created by  11
    running  13
create.sql  14

D
database
    configuring as primary Information Manager database  16
    creating  10
    creating manually  14
    listing name and host  19
    listing partitions  19
    partitions  17
    purging partitions
        automated  20
        from command line  18
        using GUI  18
    schema installation  15
    SYMCMGMT account  14
Database Maintenance Utility. See DMU
DBNAME  13
DBVERSION  13
Dell 6650  6
DMU
    about  17
    command-line  18
    GUI  18

H
hardware requirements  6

I
Index Range Partitioning  6
init<dbname>.ora  11
installation
    checklist  9
    database  10
    database schema  15
    files  9
    Java Development Kit (JDK)  10
    prerequisites  7
    requirements  6

J
Java Development Kit (JDK)  10

L
LDAP connection information  7
listener.ora  11

O
operating system requirements  6
Oracle
    configuration files  11
    configuring in Information Manager Console  16
    user accounts  14
    version  6
ORACLE_HOME  13

P
partitions
    about  17
    listing  19
    purging
        automated  20
        from command line  18
        using GUI  18
prerequisites for installation  7

R
RAID array  6
recreate.sql  12
Red Hat Linux  6
requirements for installation  6
RUN_SCRIPTS  13

S
sesa-setup command
    parameters  15
sesadmu.sh  18
sesadmucmd.sh  18
    parameters  19
SGA_TARGET  13
storage requirements  6
Symantec Security Information Manager
    connection information  8
    version required  7
SYMCMGMT database account  14

T
tnsnames.ora  12