Tivoli Security Information and Event Manager®
Version 2.0
Installation Guide
GI11-8778-01
Note
Before using this information and the product it supports, read the information in “Notices” on page 143.
This edition applies to version 2, release 0, modification 0 of IBM Tivoli Security Information and Event Manager
(product number 5724-Z13) and to all subsequent releases and modifications until otherwise indicated in new
editions.
© Copyright IBM Corporation 2010.
US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract
with IBM Corp.
Contents
Figures  v
Tables  vii
About this publication  ix
  Intended audience  ix
  What this publication contains  ix
  Publications  xi
    IBM Tivoli Security Information and Event Manager library  xi
    Prerequisite publications  xii
    Related publications  xii
    Accessing terminology online  xii
    Accessing publications online  xiii
    Ordering publications  xiii
  Accessibility  xiii
  Tivoli technical training  xiii
  Tivoli user groups  xiii
  Support information  xiv
  Conventions used in this publication  xiv
    Typeface conventions  xiv
    Operating system-dependent variables and paths  xv
Chapter 1. Introduction to IBM Tivoli Security Information and Event Manager  1
  Product modules and components  1
    Log Management  1
    Security Information Management (SIM)  2
    Server types and their functions  3
    Event sources  5
    Agents  5
  Sample deployments  5
    Single server deployment  5
    Multiple Log Management Servers deployment  6
    Single Tivoli Security Information and Event Manager Cluster deployment  8
    Multiple Tivoli Security Information and Event Manager Clusters deployment  8
  IPv6 support  10
  What's new  10
Chapter 2. System Requirements  13
  General requirements  13
    Hardware requirements  13
    Network ports  13
  Server requirements for AIX systems  14
  Server requirements for Linux systems  17
  Server requirements for Windows systems  19
  Requirements for Web Applications (browser client)  21
  Requirements for the Tivoli Security Information and Event Manager agent  21
  Determining disk space requirements  22
Chapter 3. Road map  25
Chapter 4. Installing Tivoli Security Information and Event Manager  27
  Planning the installation  28
    Installation DVDs and CDs  28
  Installing in graphical mode  29
  Installing in silent mode  42
    Generating a response file for installation  43
    The sample response file for installation  44
    Modifying the response file for installation  46
    Installing with a response file  47
  Promoting a Standard Server to an Enterprise Server  48
  Promoting a Log Management Server to an Enterprise Server  49
Chapter 5. Configuration tasks  51
  Registering a Standard Server with the Enterprise Server  51
  Scheduling the Consolidation Server to aggregate data  53
  Updating the Java SDK policy files  54
  Replacing the self-signed X.509 certificate with a CA-issued X.509 certificate  55
  IPv6  56
    Configuring IPv6  57
    Additional IPv6 information  58
    Converting an AIX or Linux system from dual stack to IPv6  58
  Enabling network browsing on AIX systems  59
  Configuring the database for large workloads  59
  Increasing the Java heap size on AIX and Linux systems  60
Chapter 6. Upgrading to Tivoli Security Information and Event Manager  61
  Upgrading a Tivoli Compliance Insight Manager Cluster  62
  Upgrading from Tivoli Compliance Insight Manager on Microsoft Windows systems  63
    The migration tool: cifmigrate  67
  Upgrading the Actuator for Windows systems  72
  Upgrading the Actuator for AIX systems  72
  Upgrading the Actuator for Solaris systems  73
  Upgrading the Actuator for HP-UX systems  74
Chapter 7. Uninstalling Tivoli Security Information and Event Manager  75
  Uninstalling in graphical mode  75
  Uninstalling in silent mode  77
    The sample response file for uninstallation  77
    Modifying the response file for uninstallation  78
    Uninstalling using a response file  79
Chapter 8. The agent for Windows systems  81
  Installing the agent manually on a Windows system  81
  Uninstalling the agent on a Windows system  83
Chapter 9. The agent for AIX systems  85
  Installing the agent for AIX  85
    Installing the agent from the command line  85
    Installing the agent with the SMIT utility  86
  Configuring the agent on an AIX system  88
  Setting the agent to start automatically  88
  Uninstalling the agent for AIX systems  89
    Stopping the agent  89
    Uninstalling the agent for AIX  91
Chapter 10. The agent for Solaris systems  95
  Audit Settings  95
    Starting and stopping the audit daemon  97
  Accounting System  97
  Installing the agent for Solaris  97
    Installing the agent with Admintool  98
    Installing the agent with the pkgadd shell command  99
    Setting up the agent to restart automatically  100
  Uninstalling the agent for Solaris systems  100
    Uninstalling the agent on Solaris systems using the Admintool  101
    Uninstalling the agent on Solaris systems from the command line  101
Chapter 11. The agent for HP-UX systems  103
  Installing the agent using the swinstall command  103
  Configuring the agent manually on HP-UX systems  105
  Starting the agent  105
  Uninstalling the agent for HP-UX using swremove  106
Appendix A. Accessibility  107
Appendix B. Configuring the web browser and system for the Tivoli Integrated Portal  109
  Supported web browsers  109
  Screen resolution  109
  Enabling JavaScript and ActiveX  109
    Enabling ActiveX and configuring security settings in Internet Explorer  109
    Configuring "Trusted sites" in Internet Explorer  110
  Disabling Enhanced Security Configuration in Windows 2003 Server  111
  Disabling Enhanced Security Configuration in Windows 2008 Server  111
  Configuring encryption for Internet Explorer  112
  Configuring encryption for Firefox  112
  Enabling cookies  112
    Enabling cookies in Internet Explorer  113
    Enabling cookies in Firefox  113
  Enabling browser caching  113
    Configuring browser caching in Internet Explorer  113
    Configuring browser caching in Firefox  114
  Turning off the "Show friendly HTTP error messages" parameter in Internet Explorer  114
  Installing language files and fonts  115
    Installing TrueType fonts  115
    Installing language files for Asian languages on Windows 2003 systems  116
  Changing the system locale to support globalized domain names  117
  Configuring the server locale for localized number formatting  118
Appendix C. Account and password naming rules  121
Appendix D. Installation Paths  125
Appendix E. Limits  127
Appendix F. Using DR550 with Tivoli Security Information and Event Manager  129
  Mounting the DR550 drive on AIX and Linux systems using CIFS  129
  Mounting the DR550 drive on Windows systems  130
  Using separate user accounts on the DR550 and Tivoli Security Information and Event Manager  130
  Creating the same user on the DR550 and Tivoli Security Information and Event Manager systems  131
  Managing Log Management Depot data with a DR550 drive  132
    Moving data between the DR550 drive and the Log Management Depot  132
    Relocating the Log Management Depot to the DR550 shared drive on Windows  134
    Relocating the Log Management Depot to the DR550 shared drive on AIX and Linux  135
Appendix G. Installing Fast Connect  137
  Installing AIX Fast Connect Server  137
  Installing AIX Fast Connect client  137
Appendix H. Sharing and mounting remote depots  139
  User credentials  139
  Sharing the depot using Samba on Linux systems  140
  Sharing the depot using Fast Connect on AIX systems  141
  Mounting the remote depot on an AIX or Linux Enterprise Server  142
Notices  143
  Trademarks  145
Index  147
About this publication
IBM Tivoli Security Information and Event Manager Installation Guide provides a
high-level overview of the IBM Tivoli Security Information and Event Manager
installation process, along with detailed instructions for deploying the Tivoli
Security Information and Event Manager system components and configuring the
network environment. In addition, this publication explains how to upgrade from
IBM Tivoli Compliance Insight Manager 8.5 and how to uninstall Tivoli Security
Information and Event Manager.
Intended audience
This information is designed for network planners, application administrators, and
system administrators.
This publication is also useful for system programmers whose roles include
security officer, security manager, EDP auditor, or one who monitors events in the
enterprise IT environment.
Publications
This section lists publications in the IBM Tivoli Security Information and Event
Manager library, the prerequisite publications, and the related publications. The
section also describes how to access Tivoli publications online and how to order
Tivoli publications.
You can obtain the publications from the IBM Tivoli Security Information and
Event Manager Information Center:
http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.tsiem.doc/welcome.html
Prerequisite publications
To use the information in this book effectively, you should have some knowledge
of related software products, which you can obtain from the following sources:
• IBM WebSphere® Application Server Version 6.1 Information Center:
http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp
You can obtain PDF versions of the IBM WebSphere Application Server Version
6.1 documentation at:
http://ibm.com/software/webservers/appserv/was/library/v61/
Related publications
The Tivoli Software Library provides a variety of Tivoli publications such as white
papers, datasheets, demonstrations, Redbooks®, and announcement letters. The
Tivoli Software Library is available on the web at:
http://publib.boulder.ibm.com/tividd/td/tdprodlist.html
http://ibm.com/software/globalization/terminology
Accessing publications online
IBM posts publications for this and all other Tivoli products, as they become
available and whenever they are updated, to the Tivoli Documentation Central
website at:
http://ibm.com/tivoli/documentation
Note: If you print PDF documents on other than letter-sized paper, set the option
in the File → Print window that allows Adobe® Reader to print letter-sized pages
on your local paper.
Ordering publications
You can order many Tivoli publications online at
http://ibm.com/e-business/linkweb/publications/servlet/pbi.wss
Accessibility
Accessibility features help users with a physical disability, such as restricted
mobility or limited vision, to use software products successfully. With this product,
you can use assistive technologies to hear and navigate the interface. You can also
use the keyboard instead of the mouse to operate many features of the graphical
user interface.
Support information
If you have a problem with your IBM software, you want to resolve it quickly.
IBM provides the following ways for you to obtain the support you need:
Online
Access the Tivoli Software Support site at http://ibm.com/software/sysmgmt/products/support/index.html?ibmprd=tivman
IBM Support Assistant
The IBM Support Assistant is a free local software serviceability workbench
that helps you resolve questions and problems with IBM software
products. The Support Assistant provides quick access to support-related
information and serviceability tools for problem determination. To install
the Support Assistant software, go to
http://ibm.com/software/support/isa
Troubleshooting Guide
For more information about resolving problems, see the IBM Tivoli Security
Information and Event Manager Troubleshooting Guide.
Typeface conventions
The following typeface conventions are used in this guide.
Bold
• Lowercase commands and mixed case commands that are otherwise
difficult to distinguish from surrounding text
• Interface controls (check boxes, push buttons, radio buttons, spin
buttons, fields, folders, icons, list boxes, items inside list boxes,
multicolumn lists, containers, menu choices, menu names, tabs, property
sheets), labels (such as Tip:, and Operating system considerations:)
• Keywords and parameters in text
Italic
• Citations (examples: titles of publications, diskettes, and CDs)
• Words defined in text (example: a nonswitched line is called a
point-to-point line)
• Emphasis of words and letters (words as words example: "Use the word
that to introduce a restrictive clause."; letters as letters example: "The
LUN address must start with the letter L.")
• New terms in text (except in a definition list): a view is a frame in a
workspace that contains data.
• Variables and values you must provide: ... where myname represents....
Monospace
• Examples and code examples
• File names, programming keywords, and other elements that are difficult
to distinguish from surrounding text
• Message text and prompts addressed to the user
• Text that the user must type
• Values for arguments or command options
When using the UNIX® command line, replace %variable% with $variable for
environment variables and replace each backslash (\) with a forward slash (/) in
directory paths. The names of environment variables are not always the same in
the Windows and UNIX environments. For example, %TEMP% in Windows
environments is equivalent to $TMPDIR in UNIX environments.
Note: If you are using the bash shell on a Windows system, you can use the UNIX
conventions.
Log Management
The Log Management module collects log data that is relevant to security auditing
and compliance monitoring. It stores the data on a central server, the Log
Management Server.
This module is the foundation of the product and can be deployed as a stand-alone
module. The module stores the collected log data in its native (raw) format, which
is called the Log Management Depot, or Depot.
Use the Log Management Server to monitor the log collection process through
collect history and log continuity reports. Use these reports to verify that the audit
trails are being correctly managed.
You install the forensics component with this module. The forensics component
provides consolidated log management reporting. It also runs the indexing and
searching processes that support the Depot Investigation tool. This tool enables
keyword searches on the data in the Depot. You can then generate reports on the
content of the collected log files. The Log Management Reporting feature uses the
indexing and search capability and the Tivoli Common Reporting services.
Security Information Management (SIM)
The SIM module monitors user behavior for compliance with various laws and
external and internal regulations and policies. It can compare behaviors that you
want users to exhibit against their observed behaviors, and report differences.
The SIM module can monitor user behavior on a wide range of end points (also
called platforms). These platforms include operating systems, middleware,
applications, and devices.
The SIM module builds on the Log Management module. The SIM function
consists of two parts: W7 normalization and W7 reporting.
W7 normalization
To test policy or run reports, the platform-specific, raw log data must be
normalized. Raw data is stored in flat files in the Log Management Depot
on the Log Management Server. When policy evaluation or reporting is
required, the data is normalized into a common format called W7. W7
normalization includes format normalization as well as normalization of
event type and object type semantics.
W7 reporting
Tivoli Security Information and Event Manager provides a set of packaged
reports for privileged-user monitoring and auditing that report against
normalized W7 data. It also provides a Web interface for you to define
custom W7-based reports.
Tivoli Security Information and Event Manager also provides Compliance
Management Modules. These modules contain reports that are designed to
monitor compliance with specific laws and regulations. The current
Compliance Management module suite consists of:
• Health Insurance Portability and Accountability Act (HIPAA)
• Sarbanes-Oxley (SOX)
• Basel II
• Gramm-Leach-Bliley Act (GLBA)
• Payment Card Industry Data Security Standard (PCI-DSS)
• International Standards Organization (ISO) 27001
• Federal Information Security Management Act of 2002 (FISMA)
• Control Objectives for Information and related Technology (COBIT)
• North American Electric Reliability Corporation Critical Infrastructure
Protection standards (NERC CIP)
To implement W7 normalization and reporting, you install SIM Servers, which can
be Standard Servers or Enterprise Servers.
The Enterprise Server provides centralized log management and forensic functions,
enabling these features to operate across multiple Standard Servers. The Enterprise
Server and the Standard Servers on which it reports are called a Tivoli Security
Information and Event Manager Cluster. The cluster contains one Enterprise Server
and up to three Standard Servers.
If you have more than one Server, the Servers are grouped into a Security Group.
In the Security Group, one of the servers is also a Security Server. The Security
Server performs user authentication and access authorization for all the servers in
the Security Group. A Security Group can contain multiple Tivoli Security
Information and Event Manager Clusters.
[Figure: server components. Log Management (base) with Forensics; SIM with Normalization and Consolidation; shown for the Log Management Server and the Standard Server.]
In summary, you can deploy three types of Tivoli Security Information and Event
Manager Servers.
The Log Management Server provides all Log Management functions, including
log collection, log storage, log retrieval, forensic search, and log management
reports. This server type is deployed to manage log data for which SIM functions,
such as W7 normalization and compliance reporting, are not required. If you did
not purchase the Security Information Module, you can deploy only Log
Management Servers.
The SIM Enterprise Server provides all Log Management Server functions as well
as all SIM functions such as W7 normalization and compliance reporting. In low
data volume environments (less than 15 GB of original log data per day), a single
Enterprise Server might be sufficient.
With higher data volumes, it is better to spread out the workload over clusters.
Clusters consist of one Enterprise Server and up to three attached SIM Standard
Servers. This configuration is the typical SIM deployment configuration. Log
Event sources
Tivoli Security Information and Event Manager provides event sources (end points)
to obtain and process activity data from various applications, devices, and
operating systems.
For information about installing and using the event sources provided with Tivoli
Security Information and Event Manager, see the IBM Tivoli Security Information and
Event Manager Event Source Guide.
Agents
An agent is a piece of software that collects audit log data from the targeted
platform.
Agent also refers to a network node where log data extracted from end points is
packaged and then transmitted to a Log Management Server or Standard Server.
Agent function (though not the agent itself) is always installed with the Log
Management Server, Standard Server, and Enterprise Server. You can also install an
agent on a computer without an installed server. The agent can then collect data
from an end point and transmit it to a Tivoli Security Information and Event
Manager Server.
Sample deployments
There are many ways to deploy Tivoli Security Information and Event Manager.
Use the examples in this section to help decide how many Servers of each type
you want to install.
[Figure: single server deployment diagram showing Agents, Collect scripts, Mappers, Indexer and Indexes, Searcher, LM UI, Cfg UI, User Mgt UI, IView, Actuators, and Tivoli Directory Server.]
In a large environment, you can set up your systems in either of the following
ways:
• Run each Log Management Server independently, with its own user and
entitlement store.
• Configure the servers to share a user and entitlement store.
Note: This choice is made during deployment and cannot be changed later.
[Figure: multiple Log Management Servers deployment diagram showing eWAS / ISC, Collect scripts, LM UI, Cfg UI, User Mgt UI, Searcher, Indexer, Agents, Actuators, Auth Daemon, SIM DB2, Agent Database, IBM DB2, Tivoli Directory Server, and BlueBook.]
Figure 4 shows this setup where the Enterprise Server also holds the user and
entitlement store.
[Figure 4: one Enterprise Server (with user entitlement stores) and three Standard Servers. Each server has Agents and a DB2 Federated Database, and performs Authenticate and Manage Users through the Tivoli Directory Server.]
These clusters can still use the same Tivoli Directory Server and entitlement store.
Figure 5 on page 9 shows this setup.
[Figure 5: multiple clusters (including CLUSTER B), each with an Enterprise Server (with user entitlement stores) and Standard Servers. Each server has Agents and a DB2 Federated Database, and performs Authenticate and Manage Users through the shared Tivoli Directory Server.]
For the product as a whole, all components can be deployed on the following
types of systems:
• IPv4-only systems
• Systems that provide both IPv4 and IPv6 connectivity (dual stack)
• IPv6-only systems
Note: The installation must be done in an IPv4-only or dual stack mode when
installing on AIX and Linux® systems. On AIX and Linux systems, you must
enable the IPv4 protocol before you install Tivoli Security Information and Event
Manager, even if you do not plan to use IPv4. After you successfully install Tivoli
Security Information and Event Manager, you can disable IPv4. See “Converting an
AIX or Linux system from dual stack to IPv6” on page 58 for details.
• For the Log Management module:
– Log files can be collected through both IPv6 and IPv4. Some collect
mechanisms might not be supported over IPv6, depending on the capabilities
of required third-party tools and APIs.
– IPv6 addresses that occur in the collected log files are correctly parsed and
visible in Log Management reports.
• For the SIM module:
– IPv6 addresses that occur in the collected log files are correctly parsed and
visible in W7 reports.
What's new
Tivoli Security Information and Event Manager version 2.0 provides a number of
new features and functions.
New server platform support
Tivoli Security Information and Event Manager servers now run on the
64-bit versions of Microsoft Windows Server 2008, Microsoft Windows
Chapter 2. System Requirements
This chapter describes the supported operating systems, disk space, memory, and
software prerequisites for the following components:
• Tivoli Security Information and Event Manager Standard Server
• Tivoli Security Information and Event Manager Enterprise Server
• Tivoli Integrated Portal
• Tivoli Security Information and Event Manager Web Applications (browser
client)
• Tivoli Security Information and Event Manager agent
General requirements
The following system requirements apply to all operating systems (AIX, Linux, and
Windows) on which Tivoli Security Information and Event Manager can be
installed.
Hardware requirements
The hardware requirements in this section are stated in terms of actual physical
hardware. Additional resources are needed when running in a virtual machine
(VM) environment.
Tivoli Security Information and Event Manager is processor, storage, and memory
intensive when operating under heavy load. Additional resources, such as more
memory or more processor power, are required to achieve adequate throughput
and performance when running in a virtual machine environment. Both IBM
PowerVM™ Hypervisor and VMware ESX are supported. Perform a thorough
capacity planning analysis to ensure that your VM environment is equivalent to
running on a dedicated physical machine.
For best results, ensure that the server components are the only non-operating
system software running on the system.
Network ports
The Tivoli Security Information and Event Manager Server and agent components
of Tivoli Security Information and Event Manager use a number of network ports
for communication.
The ports are used to enable the different devices and systems to communicate
with each other. Ensure that the systems hosting the Tivoli Security Information
and Event Manager components are connected to the Server through an Internet
Protocol network.
Server requirements for AIX systems
Hardware requirements
The Enterprise Server, Standard Server, and Log Management Server have the
following processor and RAM requirements:
Minimum Enterprise Server requirements
• Any system from the POWER® family of processors (64-bit)
• 8 GB RAM (+ 0.5 GB for each Reporting Database)
• The swap space must be at least equal to the amount of the RAM on
your system, or slightly more (such as 1.25 times the amount of RAM).
If you have a lot of RAM, then the amount of swap space can be
smaller. If you do not have a lot of RAM, then the amount of swap
space must be larger.
• Ensure that the following directories have at least the minimum amount
of space:
– 1 GB in /
– 1 GB in /usr
– 1 GB in /var
– 2 GB in /tmp
– 1 GB in /home
– 10 GB in /opt
• A minimum of 200 GB of free hard disk space is required. Specific
requirements depend on log volumes and types of log data. For
information about determining the required disk space, see
“Determining disk space requirements” on page 22.
Minimum Standard Server requirements
• Any system from the POWER family of processors (64-bit)
• 8 GB RAM (+ 0.5 GB for each Reporting Database)
• The swap space must be at least equal to the amount of the RAM on
your system, or slightly more (such as 1.25 times the amount of RAM).
If you have a lot of RAM, then the amount of swap space can be
smaller. If you do not have a lot of RAM, then the amount of swap
space must be larger.
• Ensure that the following directories have at least the minimum amount
of space:
– 1 GB in /
– 1 GB in /usr
– 1 GB in /var
– 2 GB in /tmp
– 1 GB in /home
– 10 GB in /opt
• A minimum of 200 GB of free hard disk space is required. Specific
requirements depend on log volumes and types of log data. For
information about determining the required disk space, see
“Determining disk space requirements” on page 22.
Minimum Log Management Server requirements
• Any system from the POWER family of processors (64-bit)
• 8 GB RAM
Software requirements
The Enterprise Server, Standard Server, and Log Management Server all require the
following software:
• One of the following operating systems:
– AIX 5.3 Service Pack 5300-04-01 (64-bit)
– AIX 6.1 (64-bit)
Configuration requirements
Before installing Tivoli Security Information and Event Manager, configure the AIX
system according to the following requirements.
Increase the number of active processes to 512.
1. Start SMIT.
2. Select System Environments.
3. Select Change/Show Characteristics of Operating System.
4. In the Maximum number of PROCESSES allowed per user parameter,
change the default value from 128 to 512.
Note: There is a limit for the number of processes allowed per user on
AIX. The default value is 128 processes per user. This might not be
enough if there are more than 100 event sources defined on the server.
Increase the number of open files allowed per process.
Ensure that the number of open files allowed per process is set to at least
2048. Edit the /etc/security/limits file. Modify the lines in the default
stanza, or add these lines if they do not exist:
nofiles = 2048
nofiles_hard = 65536
Log off and log on again to reload the settings for the root user. You also
can restart the system to make the change effective for all users.
Install the AIX Fast Connect server and client.
For more information, see “Installing AIX Fast Connect Server” on page
137 and “Installing AIX Fast Connect client” on page 137.
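As an added example that is not part of the IBM guide, the following POSIX shell script checks two of the AIX prerequisites described above before you run the installer: that the default stanza of /etc/security/limits sets nofiles to at least 2048 and nofiles_hard to at least 65536, and that the directories listed under the AIX hardware requirements have their minimum free space. Each function takes its input as text, so it can be pointed at a copied file or at captured df -Pk output; the limits stanza and df output embedded here are constructed samples, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the IBM guide): pre-installation checks for the AIX
# limits stanza and the per-directory free-space minimums. Inputs are passed
# as text so the checks can run offline against constructed samples.

# Constructed sample: a default stanza still carrying the AIX default nofiles.
SAMPLE_LIMITS='default:
    fsize = 2097151
    core = 2097151
    cpu = -1
    data = 262144
    rss = 65536
    stack = 65536
    nofiles = 2000

root:
    nofiles = 2000'

# Constructed sample of `df -Pk` output; /tmp has only 1 GB available.
SAMPLE_DF='Filesystem    1024-blocks      Used Available Capacity Mounted on
/dev/hd4          2097152    524288   1572864      25% /
/dev/hd2          4194304   2097152   2097152      50% /usr
/dev/hd9var       2097152    262144   1835008      13% /var
/dev/hd3          2097152   1048576   1048576      50% /tmp
/dev/hd1          2097152     65536   2031616       4% /home
/dev/hd10opt     20971520   4194304  16777216      20% /opt'

# check_limits_default LIMITS_TEXT
# Prints "ok" (status 0) when the default stanza sets nofiles >= 2048 and
# nofiles_hard >= 65536, otherwise "missing" (status 1).
check_limits_default() {
    printf '%s\n' "$1" | awk '
        /^[A-Za-z_]+:/ { stanza = $1; sub(/:$/, "", stanza); next }
        stanza == "default" && $1 == "nofiles"      { soft = $3 }
        stanza == "default" && $1 == "nofiles_hard" { hard = $3 }
        END {
            if (soft + 0 >= 2048 && hard + 0 >= 65536) { print "ok"; exit 0 }
            print "missing"; exit 1
        }'
}

# ensure_limits_default LIMITS_TEXT
# Prints the limits file with nofiles/nofiles_hard raised or added in the
# default stanza only; other stanzas are left as they are. Write the output
# over /etc/security/limits (after backing it up) and log off/on to apply it.
ensure_limits_default() {
    printf '%s\n' "$1" | awk '
        function flush() {
            if (in_default) {
                if (!seen_soft) print "\tnofiles = 2048"
                if (!seen_hard) print "\tnofiles_hard = 65536"
            }
            in_default = 0
        }
        /^[A-Za-z_]+:/ { flush(); in_default = ($1 == "default:"); print; next }
        in_default && /^[ \t]*$/ { flush(); print; next }
        in_default && $1 == "nofiles"      { seen_soft = 1; if ($3 + 0 < 2048)  $0 = "\tnofiles = 2048" }
        in_default && $1 == "nofiles_hard" { seen_hard = 1; if ($3 + 0 < 65536) $0 = "\tnofiles_hard = 65536" }
        { print }
        END { flush() }'
}

# check_min_space DF_TEXT
# Compares the Available column of `df -Pk` output with the guide minimums
# (in GB). A directory that is not its own filesystem is charged to the
# nearest mounted ancestor. Prints "<dir> ok|short" per directory; status 1
# if any directory is short.
check_min_space() {
    printf '%s\n' "$1" | awk '
        function mount_of(d) {
            while (!(d in avail) && d != "/") { sub(/\/[^\/]*$/, "", d); if (d == "") d = "/" }
            return d
        }
        BEGIN {
            n = split("/ /usr /var /tmp /home /opt", dirs, " ")
            min["/"] = 1; min["/usr"] = 1; min["/var"] = 1
            min["/tmp"] = 2; min["/home"] = 1; min["/opt"] = 10
        }
        NR > 1 { avail[$6] = $4 }
        END {
            for (i = 1; i <= n; i++) {
                d = dirs[i]; m = mount_of(d)
                if (avail[m] / 1048576 >= min[d]) print d, "ok"
                else { print d, "short"; bad = 1 }
            }
            exit bad + 0
        }'
}

# Demo on the constructed samples (non-zero statuses ignored here so the
# file can also be sourced from another tool).
check_limits_default "$SAMPLE_LIMITS" || :
ensure_limits_default "$SAMPLE_LIMITS"
check_min_space "$SAMPLE_DF" || :
```

On a real system, call the functions with `"$(cat /etc/security/limits)"` and `"$(df -Pk)"`; the ensure function only edits the default stanza, so per-user overrides such as the root stanza in the sample are preserved.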
Server requirements for Linux systems
Hardware requirements
The Enterprise Server, Standard Server, and Log Management Server have the
following processor and RAM requirements:
Minimum Enterprise Server requirements
• Quad Core Intel® Xeon® 3.0 GHz processor (64-bit)
• 8 GB RAM (+ 0.5 GB for each Reporting Database)
• Temp directory: 100 MB for the /tmp directory (during installation). The
temporary directory is the working directory for the installation
program.
• A minimum of 200 GB of free hard disk space is required. Specific
requirements depend on log volumes and types of log data. For
information about determining the required disk space, see
“Determining disk space requirements” on page 22.
Minimum Standard Server requirements
• Quad Core Intel Xeon 3.0 GHz processor (64-bit)
• 8 GB RAM (+ 0.5 GB for each Reporting Database)
• Temp directory: 100 MB for the /tmp directory (during installation). The
temporary directory is the working directory for the installation
program.
• A minimum of 200 GB of free hard disk space is required. Specific
requirements depend on log volumes and types of log data. For
information about determining the required disk space, see
“Determining disk space requirements” on page 22.
Minimum Log Management Server requirements
• Quad Core Intel Xeon 3.0 GHz processor (64-bit)
Software requirements
The Enterprise Server, Standard Server, and Log Management Server all require the
following software:
• One of the following operating systems:
– Red Hat Enterprise Linux 5.3 for x86-64 bit
– Red Hat Enterprise Linux 5.4 for x86-64 bit
• UTF-8 must be enabled as the default character encoding for the operating
system.
• Ensure that the sudo utility is installed.
• The Korn shell, provided in the pdksh rpm package, is required. Install the most
recent version available for your operating system.
• Ensure that the following packages are installed. These packages are usually
installed by default with the operating system.
  compat-gcc
  compat-gcc-c++
  compat-libstdc++
  compat-libstdc++-devel
  glibc-devel
  glibc-headers
  glibc-kernheaders
Configuration requirements
The Enterprise Server, Standard Server, and Log Management Server all require the
following configuration:
Install libstdc++.so.5 rpm:
1. Mount the Red Hat Enterprise Linux 5 DVD (or CD 1). For example:
/media/cdrom.
2. Locate the appropriate compat-libstdc++-33-3.2.3-47.3.rpm file (or
later) for your system on the Red Hat Enterprise Linux 5 installation
DVD or CD. For example, you can use the command:
find "/media/cdrom" -name compat-libstdc++* -print
After the package is installed, rpm -q compat-libstdc++-33 confirms that
it is present.
Note: After installing Tivoli Security Information and Event Manager, turn
Red Hat Enterprise Linux native security (SELinux) on by typing # setenforce 1.
This takes effect immediately but does not survive a reboot. To make the
setting persistent, edit the /etc/selinux/config file and set the parameter
to SELINUX=enforcing (the valid values for this parameter are enforcing,
permissive, and disabled). The getenforce command reports the current mode
and should print Enforcing.
Install Samba to enable Windows connectivity.
If you want to register a Standard Server on a Linux platform to an
Enterprise Server on a Windows platform, then you must install Samba to
enable the systems to communicate with each other. Install the following
packages (RPMs), located on the Red Hat Enterprise Linux installation
media:
v samba-common-3.0.33-3.7.el5
v system-config-samba-1.2.41-3.el5
v samba-3.0.33-3.7.el5
Log off and log on again to reload the settings for the root user. You also
can restart the system to make the change effective for all users. The ulimit
-a command can be used after a logoff or reboot to verify that the limit has
been changed.
Hardware requirements
The Enterprise Server, Standard Server, and Log Management Server have the
following processor and RAM requirements:
Minimum Enterprise Server requirements
v Quad Core Intel® Xeon® 3.0 GHz processor (64-bit)
v 8 GB RAM (+ 0.5 GB for each Reporting Database)
v Temp directory: 600 MB (during installation)
Software requirements
The Enterprise Server, Standard Server, and Log Management Server all require the
following software:
v One of the following operating systems:
– Microsoft Windows 2003 Server SP1 (or higher) for 64-bit
– Microsoft Windows 2008 Server for 64-bit
– In addition:
- NetBIOS enabled
- Internet Protocol network connection configured to all other systems
hosting Tivoli Security Information and Event Manager components
- NTFS file system
v To use a screen reader during installation, a JVM (version 1.5 or higher) and the
Java™ Access Bridge must be installed on the computer on which you are
installing Tivoli Security Information and Event Manager. See “Using screen
readers with the Tivoli Security Information and Event Manager installation and
uninstallation programs” on page 108.
v For SSH collect to work, PuTTY must be installed on the Windows agent,
Windows Tivoli Security Information and Event Manager Servers, and Windows
Log Management Servers involved in the collect operations. If PuTTY is not
installed, SSH collections from AIX, HP-UX, Linux, and Solaris systems do not
Hardware requirements
The Tivoli Security Information and Event Manager Standard Server or Enterprise
Server installed and configured.
Software requirements
The amount of disk space required for the log files on the audited systems
depends on several things:
v The amount of activity on the workstation
v The log settings, including the collect schedule and the frequency with which
the audit files are deleted
For guidelines for calculating disk space see “Determining disk space
requirements.”
Software requirements
The amount of data in the log depot and reporting databases determines the
required hard disk space. You can calculate the approximate disk space needed
using the following formula:
where:
daily_logs_in_GB
Total amount of data in the daily logs, in GB.
10 Compression factor for log data.
The disk size for the Enterprise Server depends on the number of Standard Servers
it manages. The Enterprise Server builds a depot index for each Standard Server.
Each depot index might be as large as the depot for the Standard Server. You can
calculate the required disk space for the Enterprise Server using the following
formula:
depot size of Standard Server 1
+ depot size of Standard Server 2
+ depot size of Standard Server 3
This road map provides an overview of the steps for a new installation of IBM
Tivoli Security Information and Event Manager.
Note: If you have the IBM Tivoli Compliance Insight Manager product installed
and want to upgrade to Tivoli Security Information and Event Manager, see
Chapter 6, “Upgrading to Tivoli Security Information and Event Manager,” on
page 61.
Procedure
1. Install the Security Server, which can be an Enterprise Server, Standard Server,
or Log Management Server. See “Installing in graphical mode” on page 29.
Note: You can install the Standard Servers before the Enterprise Server.
However, you must install the Enterprise Server before you can register the
Standard Servers on the Enterprise Server.
2. Install the Grouped Servers, which can be Enterprise Servers or Standard
Servers. See “Installing in graphical mode” on page 29.
3. Register all Standard Servers with the Enterprise Server. See “Registering a
Standard Server with the Enterprise Server” on page 51.
4. Add the systems to be audited and the event sources on those systems to the
Tivoli Security Information and Event Manager system. Use the Managing
Audited Machines and Managing Event Sources tasks in the product portal of
the Tivoli Integrated Portal. For information about supported event sources, see
the IBM Tivoli Security Information and Event Manager Event Source Guide. For
information about managing event sources and audited systems, see the system
maintenance information in the IBM Tivoli Security Information and Event
Manager Users Guide.
5. Optional: To set up auditing for your systems, install the agent on the systems
to be audited. See the following topics:
v Chapter 8, “The agent for Windows systems,” on page 81
v Chapter 9, “The agent for AIX systems,” on page 85
v Chapter 10, “The agent for Solaris systems,” on page 95
v Chapter 11, “The agent for HP-UX systems,” on page 103
What to do next
After you complete these steps, Tivoli Security Information and Event Manager can
audit and load collected data in the Reporting Databases and deliver reports
through the Tivoli Integrated Portal Web application.
You must have a Security Group, which contains a Security Server and can have
one or more Grouped Servers.
The use of a Security Group enables centralized user management. The Tivoli
Security Information and Event Manager servers in a Security Group authenticate
users and authorize access through a Lightweight Directory Access Protocol
(LDAP) directory on a designated server called the Security Server. The Security
Server is a Tivoli Security Information and Event Manager Standard Server,
Enterprise Server, or Log Management Server on which is also installed Tivoli
Directory Server. Tivoli Directory Server provides an LDAP server. The Security
Server authenticates the other servers in the Security Group. The Tivoli Security
Information and Event Manager servers that authenticate through the Security
Server are called Grouped Servers.
Both the Security Server and the Grouped Servers can be Standard Servers,
Enterprise Servers, or Log Management Servers.
Within the Security Group, a Tivoli Security Information and Event Manager
Cluster can contain an Enterprise Server and up to three Standard Servers. The
Standard Server performs basic security information management on audited
systems and devices. That is, the Standard Server collects log files, stores them in
the depot, normalizes them to W7, and performs compliance reporting.
The Enterprise Server provides centralized log management and forensic functions,
enabling these features to operate across multiple Standard Servers.
A Security Group can contain one or more Tivoli Security Information and Event
Manager Clusters. All of the Servers in a Tivoli Security Information and Event
Manager Cluster are members of the same Security Group.
In addition, you can install Log Management Servers, which can collect log files,
store them in the depot, and perform forensic functions.
For more information about Tivoli Security Information and Event Manager
Servers, see Chapter 1, “Introduction to IBM Tivoli Security Information and Event
Manager,” on page 1.
For additional information about Tivoli Security Information and Event Manager,
see the IBM Tivoli Security Information and Event Manager Users Guide.
Decide which computers you want to designate for the following purposes:
v Log Management Servers
v Standard Servers
v Enterprise Servers
In addition, decide which server you want to serve as the Security Server, and
which will be Grouped Servers.
Ensure that each server or workstation hosting Tivoli Security Information and
Event Manager components meets the system requirements outlined in Chapter 2,
“System Requirements,” on page 13.
The IBM Tivoli Security Information and Event Manager product provides the
following installation DVDs:
v IBM Tivoli Security Information and Event Manager v2.0 for Windows
v IBM Tivoli Security Information and Event Manager v2.0 for AIX
v IBM Tivoli Security Information and Event Manager v2.0 for Linux
Be sure that you understand the types of servers and know which type you are
installing.
For best results while installing the product, temporarily disable the firewall and
virus checking software on your computer. Re-enable both as soon as the
installation completes; do not leave a server that collects audit data from the
rest of the network unprotected.
During the installation process, the cifadmin user ID is created if it does not exist.
However, on AIX and Linux systems, the UID for the cifadmin user must be the
same on the Enterprise Server and the Standard Servers. If you plan to use a
cluster, you must create the cifadmin user on these systems before installing the
product. Set the cifadmin user's UID to the same value on all systems. You must
also create a cifusers group on each system and add the cifadmin user to that
group. Ensure that the PATH environment value is not set in the
/home/cifadmin/.profile file that is created as this might cause the product
installation to fail.
Note: An alternate method for ensuring that the cifadmin UID has the same UID
on all systems is to use LDAP for user management and authentication. Create the
cifadmin user as an LDAP user and ensure that all systems in the cluster use the
LDAP server.
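A pre-installation script for this requirement, added here as an example and not part of the IBM guide or the product: it creates the cifusers group and the cifadmin user with a fixed UID/GID on a node (Linux groupadd/useradd syntax; the AIX mkgroup/mkuser equivalents are noted in a comment and not exercised), checks a list of passwd entries collected from every node for a consistent UID, and flags a PATH assignment in /home/cifadmin/.profile. The UID/GID value 1500, the ksh login shell and the three-node sample are assumptions.

```sh
#!/bin/sh
# Added example, not from the IBM guide: make the cifadmin UID identical on
# every AIX or Linux node of a cluster before installing, as the guide requires.
# CIF_UID/CIF_GID=1500 and the ksh login shell are assumptions; pick one free
# value and use it on every node.

CIF_UID=${CIF_UID:-1500}
CIF_GID=${CIF_GID:-1500}

# uid_of <passwd_line>: print the UID field of a passwd(5) line.
uid_of() {
  printf '%s\n' "$1" | cut -d: -f3
}

# check_uid_consistent: read "host passwd_line" pairs from stdin, one per node
# (for example collected with `getent passwd cifadmin` over ssh), and return
# 0 if every node reports the same UID, 1 otherwise (mismatches go to stderr).
check_uid_consistent() {
  ref=""
  status=0
  while read -r host line; do
    [ -n "$line" ] || continue
    uid=$(uid_of "$line")
    if [ -z "$ref" ]; then
      ref=$uid
    elif [ "$uid" != "$ref" ]; then
      echo "UID mismatch on $host: $uid (expected $ref)" >&2
      status=1
    fi
  done
  return $status
}

# profile_sets_path <file>: 0 if the file assigns PATH (the guide warns that
# this can make the installation fail), 1 if it does not or does not exist.
profile_sets_path() {
  [ -f "$1" ] && grep -Eq '^[[:space:]]*(export[[:space:]]+)?PATH=' "$1"
}

# create_cifadmin: idempotently create the group and user with the fixed ids.
# Linux syntax; on AIX use `mkgroup id=$CIF_GID cifusers` and
# `mkuser id=$CIF_UID pgrp=cifusers cifadmin` instead (not exercised here).
create_cifadmin() {
  getent group cifusers >/dev/null || groupadd -g "$CIF_GID" cifusers
  getent passwd cifadmin >/dev/null \
    || useradd -u "$CIF_UID" -g cifusers -m -s /bin/ksh cifadmin
  if profile_sets_path /home/cifadmin/.profile; then
    echo "warning: /home/cifadmin/.profile sets PATH; remove that line before installing" >&2
    return 1
  fi
}

# Constructed sample from three nodes (not real systems): the third node was
# created with a different UID and must be fixed before the product is installed.
SAMPLE_NODES='es1 cifadmin:x:1500:1500::/home/cifadmin:/bin/ksh
ss1 cifadmin:x:1500:1500::/home/cifadmin:/bin/ksh
ss2 cifadmin:x:1501:1500::/home/cifadmin:/bin/ksh'

if [ "${1:-}" = "--create" ]; then
  create_cifadmin            # run as root on the node being prepared
else
  # Offline demonstration on the constructed sample: ss2 is reported.
  printf '%s\n' "$SAMPLE_NODES" | check_uid_consistent \
    || echo "fix the UID on the node reported above before installing" >&2
fi
```

Run it with --create as root on each node, then collect `getent passwd cifadmin` from all nodes (prefixed with the host name) and pipe that list through check_uid_consistent before starting the installation program.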
On AIX, Linux, and Windows systems, ensure that you have the proper fonts
installed.
Note:
1. On Windows systems, installation fails if you attempt to access the installation
software through a Universal Naming Convention (UNC) name (such as
\\host_name\path\). Instead, you must specify the letter of a mapped drive.
2. In the following situations, DB2 does not deploy during installation:
v You are using a locale where the Windows Administrator account has been
translated and includes non-Western characters, such as Russian.
v You are using a custom account with Administrator privileges whose name
includes non-Western characters.
To install the product in either of these cases:
a. Create a temporary user with no non-Western characters (for example,
Administrator) and add the user to the Administrators group.
b. Log on as the user you created.
c. Start the installation.
After you finish installing the product, you can remove the temporary user that
you created.
Follow these steps each time you install a Log Management, Standard, or
Enterprise Server. Use the road map to be sure that you install Servers in the
correct order. See Chapter 3, “Road map,” on page 25.
Several user IDs and passwords are created during installation. Be sure that all
user IDs and passwords conform to the rules described in Appendix C, “Account
and password naming rules,” on page 121.
Procedure
1. Log on to the system where you wish to install Tivoli Security Information
and Event Manager.
On Windows systems:
Log on as a member of the Administrators group, such as
Administrator.
On AIX and Linux systems:
Log in as the root user.
2. Ensure that the host name and IP address of the system can be resolved.
a. Open a command window.
b. Use the hostname command to obtain the host name of the system.
For example:
# hostname
tsiemserver.example.com
c. If a fully qualified domain name (FQDN) is returned, verify that the host
name can be resolved using the ping command.
For example:
# ping tsiemserver.example.com
PING tsiemserver.example.com (192.168.4.24) 56(84) bytes of data.
64 bytes from tsiemserver.example.com (192.168.4.24): icmp_seq=1 ttl=64 time=0.121 ms
64 bytes from tsiemserver.example.com (192.168.4.24): icmp_seq=2 ttl=64 time=0.026 ms
64 bytes from tsiemserver.example.com (192.168.4.24): icmp_seq=3 ttl=64 time=0.037 ms
If the host name and IP address of the system cannot be resolved, the
installation fails unexpectedly. Resolve any name resolution issues before
continuing with the installation. Also confirm that the address returned
is the network address of the system, not 127.0.0.1: a host name that
/etc/hosts maps to the loopback address resolves and answers ping locally
but cannot be reached by the other servers in the cluster.
3. Access the installation DVD.
On AIX and Linux systems:
a. Insert and mount the Tivoli Security Information and Event Manager DVD.
Note:
1) The mount point cannot contain any spaces.
2) Ensure that the entire mount point is readable and executable
by everyone. If only the root user has access, the installation
fails unexpectedly.
3) If the DVD is automatically mounted on a Linux system, the
noexec option is applied by default for removable media. This
option prevents executing files on the mounted file system and
causes the installation to fail. To correct this problem, remount
the DVD with the exec option. For example:
mount -o remount,exec /media/TSIEM20
Afterwards, the line that the mount command prints for that mount
point must no longer list noexec.
b. On AIX systems, type ./install.aix
On Linux systems, type ./install.linux
The installation program starts and displays the Tivoli Security Information
and Event Manager window.
Note:
– On AIX systems, the first directory specified in the path name must be
three characters or less in length. This restriction is due to a problem
with DB2.
For example, a path name of /ibm/tivoli/tsiem works as expected, but
a path name of /products/ibm/tsiem causes a problem, because products
is more than three characters long.
– On Windows systems, the following groups of characters cannot occur
anywhere in the path name. This restriction is due to a problem with
Tivoli Common Reporting.
\nnn where nnn is an octal number
\xnnn where nnn is a hexadecimal number
\Xnnn where nnn is a hexadecimal number
The Choose Install Set window is displayed.
9. In the Choose Install Set window, select the distribution you want to install on
this computer from the following list and click Next.
16. If the installation program displays the Server Database Connection window,
complete the following fields and click Next:
Security Server Username
Type the name of the Tivoli Security Information and Event Manager
database owner or accept the default name, cifowner. This database
account is used to run the Security Server database.
This user name must conform to the rules for database account names.
See Appendix C, “Account and password naming rules,” on page 121.
Note: This account is granted access to all databases that are created
during installation.
Security Server Password
Type the password for the Tivoli Security Information and Event
Manager database owner.
Confirm Security Server Password
Type the password again for confirmation.
17. If the installation program displays the OS Account window, complete the
following fields and click Next:
Note: Your responses specify which operating system account runs Tivoli
Security Information and Event Manager. If this account does not exist, the
installation program creates it.
OS Username
Type the name of the operating system account or accept the default.
The name can be for a new or an existing account. If the account does
not yet exist, the installation program creates it with the password you
specify. If the account exists, be sure to specify the name correctly. The
default is cifadmin.
This user name must conform to the rules for operating system
account names. See Appendix C, “Account and password naming
rules,” on page 121.
Note: If you want to store the depot on a DR550 drive, be sure that
you have set up the correct user IDs and mounted the drive. See
Appendix F, “Using DR550 with Tivoli Security Information and
Event Manager,” on page 129. The following paths are examples of
the path to a DR550 drive:
– \\192.168.236.22\test\export\ if you created a DR550 user ID
that is identical to the user ID on the Tivoli Security Information
and Event Manager system. See “Creating the same user on the
DR550 and Tivoli Security Information and Event Manager
systems” on page 131.
Note: Leave both fields empty if you do not want email alerts or you want to
configure email alerts later from the product Portal.
SMTP Host
Type the name of the SMTP host sending the email alerts.
Email Address
Type the email address or addresses to which the alerts on collection
failures are sent. If you type multiple email addresses, separate them
by semicolons (;) or spaces ( ).
21. In the Server Maintenance Schedule window, specify the time at which you
want the server to run maintenance. Type the appropriate times in the Hour
and Minute fields and click Next.
The server shuts down and restarts during the maintenance activity. Specify a
time during which Tivoli Security Information and Event Manager is not in
use. The maintenance activity takes no more than 5 minutes to run.
22. If the installation program displays the Tivoli Security Information and Event
Manager 2.0 Server Time zone window, complete the following fields and
click Next:
Time zone Name
Select the time zone that you want the Server to use from the list.
By default, the time zone of the computer on which the Server is
installed is used, but you can change the time zone information.
After selecting a time zone, the GMT Offset: hours and GMT Offset:
minutes fields are updated. You can further adjust the time zone
offset by changing those values.
GMT Offset: hours
To specify an offset from the time zone for this Server, select the
number of hours by which you want to offset. The range is from -12
to 12 hours.
GMT Offset: minutes
To specify an offset from the time zone for this Server, select the
number of minutes by which you want to offset.
23. If the installation program displays the Indexes Location window, specify the
location where you want to store the depot indexes in the Indexes Location
field, or accept the default location.
Windows
%TSIEM_HOME%\sim\Indexes
AIX and Linux
$TSIEM_HOME/sim/Indexes
What to do next
You have installed Tivoli Security Information and Event Manager on this
computer. Install Tivoli Security Information and Event Manager on any other
computers that are part of your Tivoli Security Information and Event Manager
Cluster by repeating the previous steps.
Note:
v On Windows 2008 systems only, if a member of the Administrators group on the
Server computer also needs to manage Tivoli Security Information and Event
Manager, the user must also be a member of the DB2ADMNS operating system
group. The DB2ADMNS group is created during installation. If the administrator
is not a member of this group, the administrator receives SQL5005C errors
because of insufficient permissions on the DB2 files.
v On AIX systems only, you must log in again to your CDE (Common Desktop
Environment) after installing the product. If you are using VNC (Virtual
Network Computing), then you must restart the VNC session. This is because
Tivoli Security Information and Event Manager supports only the CDE graphical
user interface on AIX systems.
Be sure that you understand the types of servers and know which type you are
installing.
For best results while installing the product, temporarily disable the firewall and
virus checking software on your computer, and re-enable both as soon as the
installation completes.
Note: Installation fails if you attempt to access the installation software through a
Universal Naming Convention (UNC) name (such as \\host_name\path\). Instead,
you must specify the letter of a mapped drive. The path to the installation files
cannot contain blanks.
When you install Tivoli Security Information and Event Manager in graphical
mode, you can save your installation panel responses in a response file. Use the
following steps to start the installation program and specify the name of the
response file.
Procedure
1. Perform the following steps:
On Windows systems:
a. Log on as a member of the Administrators group.
b. Insert the Tivoli Security Information and Event Manager DVD. (If the
installation program starts automatically, stop it.)
c. Open a command prompt window and access the DVD drive. For
example, type D: at the command prompt.
d. Type the following command at the command prompt:
install -r path_to_response_file
where path_to_response_file is the full path and file name of the file
in which to save your responses.
On AIX and Linux systems:
a. Log in as root.
b. Insert and mount the DVD for your operating system:
v For AIX systems, IBM Tivoli Security Information and Event
Manager v2.0 for AIX
v For Linux systems, IBM Tivoli Security Information and Event
Manager v2.0 for Linux
What to do next
Modify the response file for the computer where you plan to install Tivoli Security
Information and Event Manager silently the next time. Then install the product on
the computer, using the response file.
Note: The passwords you specified are hidden in the generated response file. Be
sure to edit the response file and update the passwords before you use the
response file to install Tivoli Security Information and Event Manager silently.
You can find the sample response file on the following product installation DVDs:
v AIX: IBM Tivoli Security Information and Event Manager v2.0 for AIX
v Linux: IBM Tivoli Security Information and Event Manager v2.0 for Linux
v Windows: IBM Tivoli Security Information and Event Manager v2.0 for Windows
The file name on the DVD is installer.properties.template.
#----
#---- Set Silent License Acceptance
#---- Accept license agreement: remove # sign
#---- example: LICENSE_ACCEPTED=true
#---- Silent Uninstall: do not define the LICENSE_ACCEPTED,
#---- leave it commented out, commented out means having # sign in front of it
#---- if the LICENSE_ACCEPTED is anything other than true the installation will exit
#---- no log will be produced, no indication of failure provided
#----
#---- By removing the # sign before #LICENSE_ACCEPTED=false and changing false to true
#---- you have signified acceptance of the Tivoli Security Information Event Manager 2.0 license agreement
LICENSE_ACCEPTED=true
IAGLOBAL_LANGUAGE=en
# The CHOSEN_INSTALL_FEATURES should be set if 'Custom' INSTALL_SET is chosen. Edit the feature list to suit your needs.
# CHOSEN_INSTALL_FEATURES_LIST=SIMBase,SIMMod,SIMLM,SIMCon
# SIMBase = TSIEM SIM base component, minimum selection
# SIMMod = TSIEM SIM module / Normalization component. Need SIMBase
# SIMLM = TSIEM SIM Log Manager / Forensics component. Need SIMBase
# SIMCon = TSIEM SIM Consolidation / Enterprise Server. Need SIMBase + SIMMod
#
#CHOSEN_INSTALL_FEATURES_LIST=SIMBase,SIMMod,SIMLM,SIMCon
#
# Define type of Server:
# IAGLOBAL_COI_GROUPED_SERVER=yes|no
# yes = Grouped Server (you will need a Security Server available to add this Grouped Server to)
# no = Security Server
IAGLOBAL_COI_GROUPED_SERVER=yes
#
#
# DB2 properties of the Security Server
# only needed for GROUPED SERVER (IAGLOBAL_COI_GROUPED_SERVER=yes)
#
# Server where LDAP server is running
IAGLOBAL_SECDB2_HOSTNAME=<your Security Server servername eg. 192.168.78.142>
# port where TSIEM DB2 instance is listening
IAGLOBAL_SECDB2_PORT=31001
IAGLOBAL_SECDB2_DATABASE=CIFDB
# end of DB2 properties of the Security Server
#
#
# SIM Server DB2 properties (local DB2 instance of TSIEM server)
IAGLOBAL_SIMDB2_COPY=CIFCOPY
IAGLOBAL_SIMDB2_DATABASE=CIFDB
IAGLOBAL_SIMDB2_HOSTNAME=localhost
IAGLOBAL_SIMDB2_INSTANCE=CIFINST
IAGLOBAL_SIMDB2_INSTANCE_LOCATION=<full path to DB instance location eg. C\:\\IBM\\TSIEM\\CIFINST or /opt/IBM/tsiem/CIFINST>
IAGLOBAL_SIMDB2_PORT=31001
# TSIEM SIM admin user (DB user)
IAGLOBAL_SIMDB2_USERNAME=cifowner
IALOCAL_SIMDB2_PASSWORD=<your password here>
IALOCAL_SIMDB2_PASSWORD_CONFIRM=<your password here>
# SIM DB2 administrator
IAGLOBAL_SIMDB2_ADMIN_USERNAME=cifdbadm
IALOCAL_SIMDB2_ADMIN_PASSWORD=<your password here>
IALOCAL_SIMDB2_ADMIN_PASSWORD_CONFIRM=<your password here>
# TSIEM SIM admin user (OS user)
IAGLOBAL_SIM_OS_ACCOUNT=cifadmin
IALOCAL_SIM_OS_PASSWORD=<your password here>
IALOCAL_SIM_OS_PASSWORD_CONFIRM=<your password here>
#
# SIM Server properties
IAGLOBAL_SIM_SERVERNAME=<your servername here eg. win2k3-64bit-14>
IAGLOBAL_SIM_HOSTNAME=<your servername here eg. win2k3-64bit-14>
IAGLOBAL_SIM_PORT=5992
IAGLOBAL_SIM_DEPOT_LOCATION=<full path to depot folder eg. C\:\\IBM\\TSIEM\\sim\\depot or /opt/IBM/tsiem/sim/depot>
IAGLOBAL_SIM_INDEXES_LOCATION=<full path to indexes folder eg. C\:\\IBM\\TSIEM\\sim\\Indexes or /opt/IBM/tsiem/sim/Indexes>
# name of depot as seen as network share on this server
IAGLOBAL_SIM_DEPOT_NAME=cifdepot
IAGLOBAL_SIM_ALERT_SMTPHOST=<your SMTP hostname, or leave it empty>
Decide which components you want to install. See “Installing in graphical mode”
on page 29 for help with the information you must provide.
In the response file, a comment sign (#) at the beginning of a line indicates that
you do not want to install the component shown in that line. Remove the comment
Procedure
1. In the response file, be sure that the LICENSE_ACCEPTED=true line does not have
a comment sign (#) in front of it and that true is specified.
2. Remove the comment (#) from each line that contains a component you want to
install.
3. On the lines without comment signs, specify any required information.
Note:
v Several user IDs and passwords are created during installation. Ensure that
all user IDs and passwords specified in the response file conform to the rules
described in Appendix C, “Account and password naming rules,” on page
121.
v Passwords in the response files are in plain text, which introduces a potential
security risk. To minimize this risk:
– Protect the response file by setting the correct file permissions:
- On Windows systems, grant read and write permission to only the
Administrators group.
- On AIX and Linux systems, set the permission to 660.
– Add the passwords to the file as late as possible (for example, just before
running the silent installation).
– Remove the passwords from the response file when the silent installation
finishes.
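The following script, added here as an example and not taken from the guide or the product, applies the note above in the order it recommends: it verifies that an uncommented LICENSE_ACCEPTED=true line exists (the sample template warns that the installer otherwise exits with no log and no indication of failure), sets owner-only permissions before any secret is written, copies the passwords from environment variables into the IALOCAL_*PASSWORD* keys immediately before the install, and blanks them again afterwards. The key names are those of installer.properties.template; the TSIEM_*_PASSWORD variable names, the INSTALL_CMD hook and the short response-file excerpt are assumptions.

```sh
#!/bin/sh
# Added example, not from the IBM guide: keep plain-text passwords in a
# silent-install response file for the shortest possible time. Key names
# match installer.properties.template; the TSIEM_*_PASSWORD variables,
# INSTALL_CMD and the sample excerpt below are assumptions.

# check_license_accepted <file>: 0 only if an uncommented LICENSE_ACCEPTED=true
# line exists; without it the installer exits silently and writes no log.
check_license_accepted() {
  grep -Eq '^[[:space:]]*LICENSE_ACCEPTED=true[[:space:]]*$' "$1"
}

# lock_down <file>: owner read/write only. The guide specifies 660 on AIX and
# Linux; 600 is tighter and is enough when no group needs the file.
lock_down() {
  chmod 600 "$1"
}

# set_key <file> <key> <value>: replace the value of an uncommented KEY=... line.
# The value is passed through awk's ENVIRON so that backslashes in Windows
# paths such as C\:\\IBM\\TSIEM are written literally. The temporary copy is
# created under umask 077 and written back through cat, which keeps the
# original file's owner and mode.
set_key() {
  tmp="$1.tmp.$$"
  ( umask 077; K="$2" V="$3" awk 'BEGIN{FS="="}
      $1==ENVIRON["K"] {print $1 "=" ENVIRON["V"]; next} {print}' "$1" > "$tmp" ) \
    && cat "$tmp" > "$1" && rm -f "$tmp"
}

# fill_passwords <file>: copy the secrets from the environment into both the
# password and the _CONFIRM keys. Set the variables in the calling shell
# (read -s, or a secrets tool), never on the command line, so they stay out
# of the shell history.
fill_passwords() {
  for v in TSIEM_DB_PASSWORD TSIEM_DBADM_PASSWORD TSIEM_OS_PASSWORD; do
    eval "[ -n \"\${$v:-}\" ]" || { echo "$v is not set" >&2; return 1; }
  done
  for k in IALOCAL_SIMDB2_PASSWORD IALOCAL_SIMDB2_PASSWORD_CONFIRM; do
    set_key "$1" "$k" "$TSIEM_DB_PASSWORD"; done
  for k in IALOCAL_SIMDB2_ADMIN_PASSWORD IALOCAL_SIMDB2_ADMIN_PASSWORD_CONFIRM; do
    set_key "$1" "$k" "$TSIEM_DBADM_PASSWORD"; done
  for k in IALOCAL_SIM_OS_PASSWORD IALOCAL_SIM_OS_PASSWORD_CONFIRM; do
    set_key "$1" "$k" "$TSIEM_OS_PASSWORD"; done
}

# has_plaintext_passwords <file>: 0 if any IALOCAL_*PASSWORD* key has a value.
has_plaintext_passwords() {
  grep -Eq '^IALOCAL_[A-Z0-9_]*PASSWORD[A-Z_]*=.+' "$1"
}

# scrub_passwords <file>: blank every IALOCAL_*PASSWORD* value; 0 if none remain.
scrub_passwords() {
  tmp="$1.tmp.$$"
  ( umask 077; awk 'BEGIN{FS="="}
      $1 ~ /^IALOCAL_[A-Z0-9_]*PASSWORD/ {print $1 "="; next} {print}' "$1" > "$tmp" ) \
    && cat "$tmp" > "$1" && rm -f "$tmp"
  ! has_plaintext_passwords "$1"
}

# prepare_and_install <file>: validate, protect, add the passwords as late as
# possible, run the installer, remove them when it finishes. INSTALL_CMD
# (assumed) holds the silent-install command line for this platform.
prepare_and_install() {
  check_license_accepted "$1" \
    || { echo "LICENSE_ACCEPTED=true is missing or commented out in $1" >&2; return 1; }
  lock_down "$1"
  fill_passwords "$1" || return 1
  rc=0
  if [ -n "${INSTALL_CMD:-}" ]; then
    $INSTALL_CMD || rc=$?
  fi
  scrub_passwords "$1" || echo "warning: passwords still present in $1" >&2
  return $rc
}

# Constructed excerpt of a response file (not the full template).
SAMPLE_RESPONSE='LICENSE_ACCEPTED=true
IAGLOBAL_SIMDB2_USERNAME=cifowner
IALOCAL_SIMDB2_PASSWORD=<your password here>
IALOCAL_SIMDB2_PASSWORD_CONFIRM=<your password here>
IAGLOBAL_SIM_OS_ACCOUNT=cifadmin
IALOCAL_SIM_OS_PASSWORD=<your password here>
IALOCAL_SIM_OS_PASSWORD_CONFIRM=<your password here>'

# Demonstration with throwaway values and no installer: afterwards the file
# is mode 600 and every password key is blank.
demo=$(mktemp) && printf '%s\n' "$SAMPLE_RESPONSE" > "$demo"
( export TSIEM_DB_PASSWORD=demo-db TSIEM_DBADM_PASSWORD=demo-adm TSIEM_OS_PASSWORD=demo-os
  prepare_and_install "$demo" ) && cat "$demo"
rm -f "$demo"
```

Set INSTALL_CMD to the silent-install command for your platform before calling prepare_and_install on the real response file; if the installer fails, the passwords are still removed and the installer's exit status is returned.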
What to do next
Install Tivoli Security Information and Event Manager using the modified response
file. See “Installing with a response file.”
Be sure that you have a response file that you have edited to install the
components you want with the correct parameters.
Use the steps in the following procedure to install Tivoli Security Information and
Event Manager using the response file.
Procedure
The installation program installs the components specified in the response file.
What to do next
For security purposes, remove the passwords from the response file when the
silent installation finishes.
You have installed Tivoli Security Information and Event Manager on this
computer. You can install the product on any other computers that are part of the
Tivoli Security Information and Event Manager Cluster, either through the GUI or
silently, using a response file.
On the computer where the Standard Server is installed, start the installation
program. See “Installing in graphical mode” on page 29.
Procedure
1. Run the installation program.
2. In the Choose Install Set window, click Custom.
3. Select the Log Management Forensics and Consolidation Component options,
and click Next.
4. Follow the instructions in “Installing in graphical mode” on page 29 to
complete installation.
What to do next
1. Register the Standard Servers in the cluster with the new Enterprise Server. See
“Registering a Standard Server with the Enterprise Server” on page 51.
2. Schedule the Consolidation Server to aggregate the data from the Standard
Servers. See “Scheduling the Consolidation Server to aggregate data” on page
53.
On the computer where the Log Management Server is installed, start the
installation program. See “Installing in graphical mode” on page 29.
Procedure
1. Run the installation program.
2. In the Choose Install Set window, click Custom.
3. Select the Normalization Component and Consolidation Component and Log
Management Base options, and click Next.
4. Follow the instructions in “Installing in graphical mode” on page 29 to
complete installation.
What to do next
1. Register the Standard Servers in the cluster with the new Enterprise Server. See
“Registering a Standard Server with the Enterprise Server” on page 51.
You must register the Standard Servers with the Enterprise Server and configure
the schedule for the Consolidation Server to aggregate data. By performing these
tasks, you enable the Enterprise Server to consolidate the data from all the
Standard Servers in the Tivoli Security Information and Event Manager Cluster.
Note: Run the Tivoli Security Information and Event Manager tools and utilities
using the cifadmin user created during the installation process. To run these tools
and utilities under a different user ID, or as root, you must update that user's
environment to access the Tivoli Security Information and Event Manager libraries.
Perform the following steps on the Enterprise Server for each Standard Server in
the cluster.
Note: You can also use these steps to add a Log Management Server to a Tivoli
Security Information and Event Manager Cluster. Run the registration command
shown in the procedure and register the Log Management Server.
Procedure
1. On the Enterprise Server, open a command prompt.
2. Navigate to the appropriate directory:
v On Windows systems:
cd %TSIEM_HOME%\sim\consolidation\bin
v On AIX and Linux systems:
cd $TSIEM_HOME/sim/consolidation/bin
3. To add the Standard Server, do one of the following steps:
v Type the registration command at the command prompt.
v The registration command, which is correct except for the passwords, is
saved to a text file during the Standard Server installation process. The saved
file is:
Windows
%TSIEM_HOME%\sim\addToEnterpriseServer.txt
AIX and Linux
$TSIEM_HOME/sim/addToEnterpriseServer.txt
To avoid typing the command, do the following steps:
a. Retrieve and edit the text file.
b. Modify the password values as required.
c. Paste the command at the command prompt.
Because the passwords are passed as command-line arguments, they are
recorded in the shell history on AIX and Linux and are visible in the
process list while the command runs. Clear the history afterwards, and do
not leave an edited copy of the file that contains the real passwords.
The registration command is:
v On Windows systems:
beat.bat -setsrv host_name TCPport data_server DB_cifowner_user
DBcifownerpwd OS-user OS-user_password path_to_remote_depot
v On AIX and Linux systems:
beat.sh -setsrv host_name TCPport data_server DB_cifowner_user
DBcifownerpwd OS-user OS-user_password path_to_remote_depot
where:
v host_name is the hostname of the Standard Server system on which
data_server is installed.
v TCPport is the TCP port that the Standard Server database uses to
communicate. (The default value is 31001.)
v data_server is the database server where the engine for the Standard Server to
be registered resides.
v DB_cifowner_user is the user account that owns the database on the Standard
Server. During installation, this name was specified in one of the following
fields:
– If the installation program created the database, the Security Server
Username field of the Server Database Connection window (the default
name is cifowner, as used in the example below).
– If you reused an existing DB2 database, the DB2 System User field of the
SIM Database Administrator Account window (the default name is
cifdbadm).
Note: When the command runs, the Tivoli Security Information and Event
Manager checks to see if the parameters are valid. If the parameters are not
valid, the Standard Server is not registered. This verification can succeed only if
both the Enterprise Server and the Standard Server to be registered are
running.
Example
v On a Windows system:
beat.bat -setsrv sedco 31001 CIFDB cifowner consul cifadmin cifpasswd \\sedco\cifdepot
v On an AIX or Linux system:
./beat.sh -setsrv sedco 31001 CIFDB cifowner consul cifadmin cifpasswd /mnt/sedco/cifdepot
What to do next
Continue using this procedure until you have registered all Standard Servers in the
cluster with the Enterprise Server. The Enterprise Server can then collect and
consolidate data from the Standard Servers.
After each successful consolidation, Tivoli Security Information and Event Manager
flushes aggregated data in each Reporting Database to prevent the data from being
consolidated again.
The consolidation process is run by the Tivoli Security Information and Event
Manager Server AuthDaemon. The AuthDaemon is a background process that does
various tasks such as running the consolidation process once a day. By default, the
Consolidation Server is configured to run the consolidation process at 8:00 AM
daily. To change the time when the consolidation process is run, change the value
of consolidation_start_time in the auth.ini file.
Procedure
1. On the Enterprise Server, edit the auth.ini file.
Windows
%TSIEM_HOME%\sim\server\run\auth.ini
AIX or Linux
$TSIEM_HOME/sim/server/run/auth.ini
2. Change the value of consolidation_start_time in the auth.ini file to the time
you want the consolidation process to run. The key uses 24-hour notation; to
set the time at 10:15 PM, for example, set consolidation_start_time to 22:15.
Note: To run the Consolidation Server manually, use the following command:
Windows
%TSIEM_HOME%\consolidation\bin\beat.bat
AIX or Linux
$TSIEM_HOME/consolidation/bin/beat.sh
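The time check in step 2, as an added shell helper that is not part of the IBM guide: it accepts only 24-hour HH:MM values before rewriting consolidation_start_time, so a value such as "10:15 PM" is rejected instead of being written into the file. The key=value line layout of auth.ini is an assumption; compare it with the real file before use.

```shell
#!/bin/sh
# Added example, not from the IBM guide: validate a 24-hour HH:MM value and
# set consolidation_start_time in an auth.ini-style file.
# The "key=value" line layout is an assumption about auth.ini.

# valid_24h_time HH:MM -> exit status 0 only for 00:00 .. 23:59
valid_24h_time() {
    case "$1" in
        [0-1][0-9]:[0-5][0-9]|2[0-3]:[0-5][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# get_consolidation_start_time FILE -> prints the current value (empty if unset)
get_consolidation_start_time() {
    sed -n 's/^[[:space:]]*consolidation_start_time[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# set_consolidation_start_time FILE HH:MM -> rewrites the key in place, or
# appends it when it is missing. Refuses anything that is not 24-hour HH:MM
# (for example "10:15 PM" or "24:00"), leaving the file untouched.
set_consolidation_start_time() {
    file=$1
    new=$2
    valid_24h_time "$new" || { echo "not a 24-hour HH:MM time: $new" >&2; return 1; }
    if grep -q '^[[:space:]]*consolidation_start_time[[:space:]]*=' "$file"; then
        sed "s/^\([[:space:]]*consolidation_start_time[[:space:]]*=\).*/\1$new/" "$file" > "$file.tmp"
    else
        cat "$file" > "$file.tmp"
        echo "consolidation_start_time=$new" >> "$file.tmp"
    fi
    mv "$file.tmp" "$file"
}

# Constructed sample auth.ini used for demonstration (not the product's file):
# the default 8:00 AM start time from this section, in key=value form.
AUTH_INI=$(mktemp)
printf '%s\n' '[auth]' 'consolidation_start_time=08:00' > "$AUTH_INI"

# Move the daily consolidation to 10:15 PM, the example used in step 2.
set_consolidation_start_time "$AUTH_INI" 22:15
```

On the Enterprise Server the file argument would be $TSIEM_HOME/sim/server/run/auth.ini instead of the constructed sample.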
What to do next
See the IBM Tivoli Security Information and Event Manager Users Guide for
information about viewing aggregated data.
The unrestricted JCE policy files that are provided in the policy file update can
ensure that you have the correct algorithms for CA-issued certificates.
What to do next
Continue with “Replacing the self-signed X.509 certificate with a CA-issued X.509
certificate.”
Before you begin this task, complete the steps in “Updating the Java SDK policy
files” on page 54.
Use this task to replace the default self-signed certificate with a CA-issued certificate.
Procedure
1. Request and receive a signed certificate from a certificate authority. You can
make a request to a Certificate Authority (CA) using any method you choose.
WebSphere Application Server has built-in tools that enable you to request and
receive certificates that are issued by a CA. For more information, see the topics
about creating certificate authority requests in the WebSphere Application
Server information center:
http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp
2. Delete the default certificate:
a. Log in to the Tivoli Integrated Portal. The default administration ID is
tipadmin.
Use that ID to display the keystore management tasks.
b. Click SSL certificate and key management → Key stores and certificates →
NodeDefaultKeyStore → Personal certificates.
c. Select the default key.
d. Click Delete.
3. Import the new certificate into a keystore:
a. Click SSL certificate and key management → Key stores and certificates →
NodeDefaultKeyStore → Personal certificates → Import certificates from a
key file.
b. Click Import.
c. Enter the key file name.
Ensure that the key is on the local file system of the server.
d. Select the key type.
e. Click Get key file aliases, if it is required for the key type.
f. Select the key alias you want to import from your keystore.
g. Enter the alias name default for the key.
h. Click OK.
4. Confirm selections, save selections, and restart the server:
a. In the key table, confirm that the key you imported is listed. Also confirm
that the attributes match the key.
b. Click Save to save the configuration.
c. Restart the Tivoli Integrated Portal service. On Windows, restart the service.
On AIX or Linux, restart the service by using the following init.d script:
/etc/init.d/tsiem_tip_service.sh restart
IPv6
Tivoli Security Information and Event Manager can be directly installed on an IPv6
Microsoft Windows system. However, Tivoli Security Information and Event
Manager can be installed only on an IPv4 or dual stack AIX or Linux system. After
installing the product, you can convert the AIX or Linux system to IPv6-only.
As a result, when using Tivoli Security Information and Event Manager on AIX
and Linux, note the following restrictions:
v When installing an agent to a Windows system using plain IPv6, you must
manually install the agent. To use the automatic agent installation feature, add
the system using a nickname that is appropriate for the specified IP address.
Then add the IP address to the DNS on the Tivoli Security Information and
Event Manager server.
v When applying an audit profile to a Windows system that uses a plain IPv6
address, you must use the manual policy setting.
Configuring IPv6
To use IPv6 for data transfer between a Server and an agent, configure the IPv6
protocol on both the Server and the agent.
For more information about starting and stopping services, see the appendices in
the IBM Tivoli Security Information and Event Manager Administrators Guide.
Procedure
1. Stop Tivoli Security Information and Event Manager by entering the following
command in a terminal:
/etc/init.d/tsiem_sim_service.sh stop
2. Stop the Tivoli Integrated Portal by entering the following command in a
terminal:
/etc/init.d/tsiem_tip_service.sh stop
3. Stop DB2 by entering the following command in a terminal:
/etc/init.d/tsiem_db2_service.sh stop
4. Stop LDAP by entering the following command in a terminal:
/etc/init.d/tsiem_ldap_service.sh stop
5. Set the variable DB2FCMCOMM=TCPIP6 for the Tivoli Security Information and
Event Manager DB2 instance by entering the following command in a
terminal:
/home/<Database Admin Name>/sqllib/adm/db2set -g DB2FCMCOMM=TCPIP6
For example:
/home/cifdbadm/sqllib/adm/db2set -g DB2FCMCOMM=TCPIP6
6. Set the variable DB2FCMCOMM=TCPIP6 for the Tivoli Security Information and
Event Manager LDAP DB2 instance by entering the following command in a
terminal:
/home/<ITDS_instance_name>/sqllib/adm/db2set -g DB2FCMCOMM=TCPIP6
For example:
/home/idsinst/sqllib/adm/db2set -g DB2FCMCOMM=TCPIP6
7. Add the host name to the /etc/hosts file so that the host name is resolved as
an IPv6 address.
8. Convert the dual stack machine to IPv6.
9. Start LDAP by entering the following command in a terminal:
Results
After you have converted the system from dual stack to IPv6, the system should
resolve cross-names in IPv6 format.
Procedure
1. Open the SMITTY interface.
2. Click Communications Applications and Services → TCP/IP → Configure IP
Security → Advanced IP Security Configuration → Configure IP Security Filter
Rules → Add an IP Security Filter Rule.
3. Add permit rules for the following services.
* netbios-ns 137/udp
* netbios-dgm 138/udp
* netbios-ssn 139/tcp
* microsoft-ds 445/tcp
* microsoft-ds 445/udp
Also add permit rules for any UDP port numbers that the master browser uses
to send query packets with nmblookup.
By default, the Tivoli Security Information and Event Manager database (CIFDB)
uses the following DB2 log file settings:
Log file size (4KB) (LOGFILSIZ) = 16384
Number of primary log files (LOGPRIMARY) = 20
Number of secondary log files (LOGSECOND) = 80
In enterprise environments where the amount of raw log data exceeds 30 GB per
day, adjust the DB2 log file settings. Failure to adjust the settings might result in
the following error:
Procedure
1. Connect to the Tivoli Security Information and Event Manager database,
CIFDB.
2. Set the log file size to 65536.
update db cfg for db_name using LOGFILSIZ 65536
3. Increase the number of secondary log files to 160.
update db cfg for db_name using LOGSECOND 160
4. Restart the DB2 service.
db2stop
db2start
Example
update db cfg for CIFDB using LOGFILSIZ 65536
update db cfg for CIFDB using LOGSECOND 160
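To see what the two update commands change, here is an added shell helper that is not part of the IBM guide: it reads LOGFILSIZ, LOGPRIMARY and LOGSECOND from "db2 get db cfg" style output, computes the total log capacity, and reports whether the settings are at the values this procedure sets. The sample output embedded below is constructed in the line layout quoted at the start of this section.

```shell
#!/bin/sh
# Added example, not from the IBM guide: read the three DB2 log parameters from
# "db2 get db cfg" style output and compute the total log capacity, so the
# CIFDB log sizing can be verified before and after the tuning steps.
# Assumes the "(LOGFILSIZ) = value" line layout quoted in the guide.

# Constructed sample: the default CIFDB settings listed in this section,
# in the layout that "db2 get db cfg for CIFDB" prints them.
DB2_CFG_DEFAULT='Log file size (4KB)                         (LOGFILSIZ) = 16384
Number of primary log files                (LOGPRIMARY) = 20
Number of secondary log files               (LOGSECOND) = 80'

# Constructed sample: the same lines after the two "update db cfg" commands.
DB2_CFG_TUNED='Log file size (4KB)                         (LOGFILSIZ) = 65536
Number of primary log files                (LOGPRIMARY) = 20
Number of secondary log files               (LOGSECOND) = 160'

# db2_cfg_value CFG_TEXT PARAM -> prints the integer after "(PARAM) =",
# nothing if the parameter is absent.
db2_cfg_value() {
    printf '%s\n' "$1" | sed -n "s/.*($2) *= *\([0-9][0-9]*\).*/\1/p" | head -n 1
}

# db2_log_capacity_mb CFG_TEXT -> total log space in MB:
# (LOGPRIMARY + LOGSECOND) log files of LOGFILSIZ pages, 4 KB each.
db2_log_capacity_mb() {
    filsiz=$(db2_cfg_value "$1" LOGFILSIZ)
    primary=$(db2_cfg_value "$1" LOGPRIMARY)
    secondary=$(db2_cfg_value "$1" LOGSECOND)
    [ -n "$filsiz" ] && [ -n "$primary" ] && [ -n "$secondary" ] || return 1
    echo $(( (primary + secondary) * filsiz * 4 / 1024 ))
}

# db2_log_cfg_tuned CFG_TEXT -> "tuned" when LOGFILSIZ and LOGSECOND are at
# least the values this procedure sets (65536 and 160), otherwise "default".
db2_log_cfg_tuned() {
    filsiz=$(db2_cfg_value "$1" LOGFILSIZ)
    secondary=$(db2_cfg_value "$1" LOGSECOND)
    [ -n "$filsiz" ] && [ -n "$secondary" ] || return 1
    if [ "$filsiz" -ge 65536 ] && [ "$secondary" -ge 160 ]; then
        echo tuned
    else
        echo default
    fi
}

# Against a live instance, as the DB2 instance owner, the argument would be
# the real output:  db2_log_capacity_mb "$(db2 get db cfg for CIFDB)"
db2_log_capacity_mb "$DB2_CFG_DEFAULT"   # 6400 MB with the defaults
db2_log_capacity_mb "$DB2_CFG_TUNED"     # 46080 MB after the procedure
```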
Procedure
1. Locate the $TSIEM_HOME/sim/server/tcr/bin/searchman.py file on the system.
2. Edit the file and search for the following section.
args = [install_dir + 'jre/jre/bin/java'+java_ext,
        '-Xms32M',
        '-Xmx1536M',
        '-cp',
3. Change the heap size value from 1536M to 2G.
args = [install_dir + 'jre/jre/bin/java'+java_ext,
        '-Xms32M',
        '-Xmx2G',
        '-cp',
4. Save the file.
You can upgrade to Tivoli Security Information and Event Manager version 2.0
from the following products:
v IBM Tivoli Compliance Insight Manager version 8.5
v IBM Tivoli Security Information and Event Manager version 1.0
v IBM Tivoli Event Log Manager version 1.0 PRPQ
Note: After the upgrade, the following roles are assigned only to the cifowner
user, but not to other users:
v Unlock policy
v Management scoping
These roles are new in Tivoli Security Information and Event Manager version 2.0
and cannot be upgraded. See the IBM Tivoli Security Information and Event Manager
Administrators Guide for information about roles.
Be sure that the computers where you upgrade to Tivoli Security Information and
Event Manager version 2.0 meet all hardware, software, storage, memory, and
browser requirements. See Chapter 2, “System Requirements,” on page 13.
This procedure is a high-level task that shows only the order in which you must
upgrade Servers. For detailed information about upgrading each Server in the
following steps, see “Upgrading from Tivoli Compliance Insight Manager on
Microsoft Windows systems” on page 63.
Procedure
1. Upgrade the Security Server.
2. Upgrade the Enterprise Server (if it is not the Security Server).
3. Upgrade all Standard Servers in the Tivoli Compliance Insight Manager Cluster.
What to do next
After you upgrade the Servers, Tivoli Security Information and Event Manager is
operational. However, before you change the system configuration, for best results,
Note: For instructions for upgrading the Actuator for z/OS, see the information
about upgrading an existing agent in the most recent version of the IBM Tivoli
zSecure Suite: CARLa-Driven Components Installation and Configuration Manual.
Procedure
See “The migration tool: cifmigrate” on page 67 for more information about
using the migration tool.
c. Take the Tivoli Compliance Insight Manager version 8.5 system offline.
4. Optional: Use the migration tool in showconfig mode to view the configuration
of the Tivoli Compliance Insight Manager version 8.5 system. You can run the
tool on any system that has access to the location where the data was exported.
Use the following steps:
a. Go to the Drive_or_path\migration directory. Drive_or_path is one of the
following locations:
v The drive letter of the product installation DVD (for example, E:)
v The full path of the location where you downloaded and unpacked the
product installation files
b. Type the following command and press Enter:
cifmigrate showconfig path_to_export_location
This step shows the configuration that was recorded during export. It does not
modify the exported data. You can use the information when installing Tivoli
Compliance Insight Manager on the 64-bit Windows system. (See step 6 on
page 65).
See “The migration tool: cifmigrate” on page 67 for more information about
using the migration tool.
Note: If you do not change the host name and IP address, two major problems
occur:
v The centralized authentication for the Security Group is broken. As a result,
all Tivoli Security Information and Event Manager and Tivoli Compliance
Insight Manager Servers in the Security Group no longer function and you
cannot upgrade them.
v Agents that are connected to the Tivoli Compliance Insight Manager version
8.5 Server no longer function if the hostname of the new (Tivoli Security
Information and Event Manager version 2.0) Server is not the same.
Note:
a. If you upgraded from Tivoli Compliance Insight Manager version 8.0 (or
earlier) to Tivoli Compliance Insight Manager version 8.5 before upgrading
to Tivoli Security Information and Event Manager version 2.0 and you did
not remove or disable the Oracle Self Audit Event source, you must disable
this event source after the upgrade.
b. If you used PuTTY for SSH collect in Tivoli Compliance Insight Manager
version 8.5, you must run the PuTTY client and connect to the remote hosts
so that the remote hosts' key hash values are stored in the registry.
Upgrade the next computer in the cluster. Use the order in “Upgrading a Tivoli
Compliance Insight Manager Cluster” on page 62.
The migration tool modifies the Tivoli Compliance Insight Manager 8.5 data to be
used on a Tivoli Security Information and Event Manager 2.0 system. It cannot,
therefore, be used as a backup and restore tool.
The migration tool must be run from the Drive_or_path\migration directory. (That
is, you must be in the Drive_or_path\migration directory when you run the
migration tool.) Drive_or_path is one of the following locations:
v The drive letter of the product installation DVD (for example, E:)
v The full path of the location where you downloaded and unpacked the product
installation files
where
v mode is one of four modes in which the tool can run. The modes are: calculate,
export, migrate, and showconfig.
For modes other than showconfig, the user name and password for the database
owner must be specified after the mode.
v args is zero or more arguments that are specific to the mode.
To run the migration tool in calculate mode, use the following command from the
Drive_or_path\migration directory:
cifmigrate calculate path_to_export_location
user_name password
[depot_in_place] [indexes_in_place]
where
v Drive_or_path is one of the following locations:
– The drive letter of the product installation DVD (for example, E:)
If the required file space is sufficient, a message tells you that you can continue
with the export. However, if the available file space is less than the estimated
needed file space, the migration tool displays the following information:
v The file space required, in MB.
v The file space available, in MB.
In export mode, the migration tool exports data from the Tivoli Compliance Insight
Manager 8.5 system to a location that you specify. The data can then be imported
into a Tivoli Security Information and Event Manager version 2.0 system.
To run the migration tool in export mode, use the following command from the
Drive_or_path\migration directory:
cifmigrate export path_to_export_location
user_name password
[depot_in_place] [indexes_in_place]
where
v Drive_or_path is one of the following locations:
– The drive letter of the product installation DVD (for example, E:)
– The full path of the location where you downloaded and unpacked the
product installation files.
v path_to_export_location is the location where you want to store the exported data.
Note: The export fails if you specify this location as a UNC name such as
\\migrate\c$\export. You must export to a mapped drive such as z:\export
(where z: is mapped to \\migrate\c$).
v user_name is the user name of the database owner for the Server you are
upgrading, such as cifowner.
v password is the password for the specified database owner.
v depot_in_place is an optional parameter. If you use this option, the depot is not
included in the export. You can then import directly from the old location of the
depot or mount the file system containing the depot on the Tivoli Security
Information and Event Manager 2.0 computer without migrating the depot.
Note:
1. Be aware of the following interaction between running the migration tool in
export mode and running the tool in migrate mode:
In migrate mode, the migration tool imports the data that was exported from the
Tivoli Compliance Insight Manager 8.5 system into the Tivoli Security Information
and Event Manager 2.0 system.
To run the migration tool in migrate mode, use the following command from the
Drive_or_path\migration directory:
where
v Drive_or_path is one of the following locations:
– The drive letter of the product installation DVD (for example, E:)
– The full path of the location where you downloaded and unpacked the
product installation files.
v path_to_export_location is the location where the exported data is stored.
v user_name is the user name of the database owner for the Server you are
upgrading, such as cifowner.
v password is the password for the specified database owner.
v depot_in_place and depot_from:location are optional, mutually exclusive
parameters.
If you use the depot_in_place option, the depot is not included in the import.
Use this option if you have mounted the file system containing the Tivoli
Compliance Insight Manager 8.5 depot in the location specified during Tivoli
Security Information and Event Manager 2.0 installation.
If you use the depot_from:location parameter, the migration tool loads the
depot from the location specified in location rather than from the exported
location. If this location does not exist, the migration tool displays a message
and stops. If you use this parameter successfully, the migration tool removes the
existing depot.
Note:
1. Be aware of the following interaction between running the migration tool in
export mode and running the tool in migrate mode:
– If you run the migration tool in export mode using the depot_in_place
option, then you must also run the migration tool in migrate mode using
either the depot_in_place or the depot_from option. If you do not use one
of these options, the command to run the migration tool in migrate mode
will fail.
– If you run the migration tool in export mode without using the
depot_in_place option, then you must also run the migration tool in
migrate mode without using the depot_in_place option. If you use the
depot_in_place option, the migrated system will not have access to the
audit-log data collected by Tivoli Compliance Insight Manager version 8.5.
In this case the migration tool will not fail, but it will write a warning
message to the log file.
If you need to recover from this error, manually make the audit-log data
collected by Tivoli Compliance Insight Manager version 8.5 available to
Tivoli Security Information and Event Manager version 2.0. To make the
data available, move the Tivoli Compliance Insight Manager version 8.5
depot to the location where Tivoli Security Information and Event
Manager version 2.0 searches for it.
2. Do not mount the file system containing the depot on the Tivoli Security
Information and Event Manager version 2.0 computer until after you run the
migration tool in migrate mode.
The reason is that during (and after) installation of Tivoli Security
Information and Event Manager version 2.0, the installed system begins to
collect chunks and write them to the depot. If you have already mounted the
In showconfig mode, the migration tool shows the configuration of the exported
data.
To run the migration tool in showconfig mode, use the following command from
the Drive_or_path\migration directory on the Tivoli Compliance Insight Manager
8.5 system after exporting the data:
cifmigrate showconfig path_to_export_location
where:
v Drive_or_path is one of the following locations:
– The drive letter of the product installation DVD (for example, E:)
– The full path of the location where you downloaded and unpacked the
product installation files.
v path_to_export_location is the location where the exported data was stored.
The migration tool shows the contents of a file that it created while running in
export mode. This file contains the current installation values. You can use this
information when you install the Tivoli Security Information and Event Manager
2.0 system on the 64-bit Windows system. In this way, you can be sure that you are
specifying the correct values for the new system, thus minimizing the risk of
problems during migration.
To take advantage of improvements to the Actuators and event sources that were
made for Tivoli Security Information and Event Manager 2.0, upgrade the
Windows Actuator to a Tivoli Security Information and Event Manager 2.0 agent.
Procedure
1. Uninstall the Tivoli Compliance Insight Manager Actuator. See the installation
documentation for Tivoli Compliance Insight Manager.
2. Use the Tivoli Security Information and Event Manager Portal to configure the
agent and generate a configuration file. See the IBM Tivoli Security Information
and Event Manager Administrators Guide.
3. Install the Tivoli Security Information and Event Manager agent. See Chapter 8,
“The agent for Windows systems,” on page 81.
What to do next
Create new event sources for the Windows audited systems. See the IBM Tivoli
Security Information and Event Manager Event Source Guide.
To take advantage of improvements to the Actuators and event sources that were
made for Tivoli Security Information and Event Manager 2.0, upgrade the AIX
Actuator to a Tivoli Security Information and Event Manager 2.0 agent.
The collection process for the AIX event source includes the original audit logs in
the collected data. Collection of original audit logs is explained in the IBM Tivoli
Security Information and Event Manager Administrators Guide.
During the upgrade process, the existing event sources continue to work. However,
the original audit logs are collected only after the entire upgrade process is
complete.
Procedure
1. Uninstall the Tivoli Compliance Insight Manager Actuator. See the installation
documentation for Tivoli Compliance Insight Manager.
2. Use the Tivoli Security Information and Event Manager Portal to configure the
agent and generate a configuration file. See the IBM Tivoli Security Information
and Event Manager Administrators Guide.
3. Install the Tivoli Security Information and Event Manager agent. See Chapter 9,
“The agent for AIX systems,” on page 85.
What to do next
Create new event sources for the AIX audited systems. See the IBM Tivoli Security
Information and Event Manager Event Source Guide.
Be sure that the target system meets the hardware, software, storage, memory, and
browser requirements for installing and running the agent. See Chapter 2, “System
Requirements,” on page 13.
To take advantage of improvements to the Actuators and event sources that were
made for Tivoli Security Information and Event Manager 2.0, upgrade the Solaris
Actuator to a Tivoli Security Information and Event Manager 2.0 agent.
Procedure
1. Uninstall the Tivoli Compliance Insight Manager Actuator. See the installation
documentation for Tivoli Compliance Insight Manager.
2. Use the Tivoli Security Information and Event Manager Portal to configure the
agent and generate a configuration file. See the IBM Tivoli Security Information
and Event Manager Administrators Guide.
What to do next
Create new event sources for the Solaris audited systems. See the IBM Tivoli
Security Information and Event Manager Event Source Guide.
To take advantage of improvements to the Actuators and event sources that were
made for Tivoli Security Information and Event Manager 2.0, upgrade the HP-UX
Actuator to a Tivoli Security Information and Event Manager 2.0 agent.
Procedure
1. Uninstall the Tivoli Compliance Insight Manager Actuator. See the installation
documentation for Tivoli Compliance Insight Manager.
2. Use the Tivoli Security Information and Event Manager Portal to configure the
agent and generate a configuration file. See the IBM Tivoli Security Information
and Event Manager Administrators Guide.
3. Install the Tivoli Security Information and Event Manager agent. See
Chapter 11, “The agent for HP-UX systems,” on page 103.
What to do next
Create new event sources for the HP-UX audited systems. See the IBM Tivoli
Security Information and Event Manager Event Source Guide.
When you uninstall Tivoli Security Information and Event Manager, you can
choose to leave the depot on the computer.
You can uninstall using the GUI uninstallation program, or you can uninstall
silently using a response file.
Note: If the initial installation of Tivoli Security Information and Event Manager
failed, the uninstallation program might not be available. If the program is not
available, see the "Recovering from a failed installation" section of the Tivoli
Security Information and Event Manager Troubleshooting Guide.
Uninstalling Tivoli Security Information and Event Manager removes the entire
product. You can, however, leave the depot on the computer when you uninstall
the product.
Procedure
1. Start the uninstallation program.
Note: To use a screen reader with the uninstallation program, see “Using
screen readers with the Tivoli Security Information and Event Manager
installation and uninstallation programs” on page 108.
v On Windows systems, use one of the following methods:
– Uninstall from the Control Panel:
a. From the Control Panel, double-click Add or Remove Programs.
b. Click Tivoli Security Information and Event Manager and click
Remove.
– Run the uninstall.exe command from the %TSIEM_HOME%\_uninst\TSIEMInstall folder.
v On AIX or Linux systems, go to the $TSIEM_HOME/_uninst/TSIEMInstall
directory and type uninstall.
On AIX and Linux systems, the original versions of the /etc/profile and
/etc/.login files are saved as:
/etc/profilennnnnnnnnn
/etc/.loginnnnnnnnnnn
What to do next
You have uninstalled Tivoli Security Information and Event Manager. If you want
to install the product again, see Chapter 4, “Installing Tivoli Security Information
and Event Manager,” on page 27.
You can obtain a response file from the product installation DVD. See “The sample
response file for uninstallation.”
You can find the sample response file on the following product installation DVDs:
v AIX: IBM Tivoli Security Information and Event Manager v2.0 for AIX
v Linux: IBM Tivoli Security Information and Event Manager v2.0 for Linux
v Windows: IBM Tivoli Security Information and Event Manager v2.0 for Windows
The file name on the DVD is uninstaller.properties.template.
IAGLOBAL_LANGUAGE=en
Make a copy of the sample response file. See “The sample response file for
uninstallation” on page 77.
Modify the response file to contain the correct user IDs and passwords.
Procedure
1. In the response file, check the following line: IAGLOBAL_UNINSTALL_SIM_DEPOT=0
Be sure that this property is set to the correct setting:
v 0 if you want to leave the depot installed
v 1 if you want to remove the depot
2. Specify the correct user IDs and passwords in the appropriate lines in the file.
Note: Passwords in the response file are in plain text, which introduces a
security risk. To minimize this risk:
What to do next
Uninstall Tivoli Security Information and Event Manager using the modified
response file. See “Uninstalling using a response file.”
Be sure to use a response file that you have modified to contain the correct
information. See “Modifying the response file for uninstallation” on page 78.
Use the steps in the following procedure to uninstall Tivoli Security Information
and Event Manager using the response file.
Procedure
1. Go to the _uninst\TSIEMInstall or _uninst/TSIEMInstall subdirectory of the
directory where Tivoli Security Information and Event Manager is installed. By
default this directory is:
v On Windows systems, C:\IBM\TSIEM\_uninst\TSIEMInstall
v On AIX systems, /opt/IBM/tsiem/_uninst/TSIEMInstall
v On Linux systems, /opt/ibm/tsiem/_uninst/TSIEMInstall
2. Type one of the following commands:
v On Windows systems:
uninstall.exe -f response_file
v On AIX or Linux systems:
uninstall.sh -f response_file
where response_file is the full path to the response file.
Uninstallation proceeds.
3. On Windows systems, you must shut down and reboot the system. On Linux
systems, you must log off and then log in again.
On AIX and Linux systems, the original versions of the /etc/profile and
/etc/.login files are saved as:
/etc/profilennnnnnnnnn
/etc/.loginnnnnnnnnnn
What to do next
You have uninstalled Tivoli Security Information and Event Manager from the
computer.
For security purposes, remove the passwords from the response file when the
silent uninstallation finishes.
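The password clean-up above as an added shell helper, not part of the IBM guide: it checks the IAGLOBAL_UNINSTALL_SIM_DEPOT flag, runs the silent uninstall with the response file readable only by its owner, and then blanks the plain-text password values whether or not the uninstall succeeded. The guide does not list the password key names, so treating every key that contains PASSWORD or PWD as one is an assumption, and the sample keys below other than the two from the guide are hypothetical.

```shell
#!/bin/sh
# Added example, not from the IBM guide: check the depot flag in an uninstall
# response file and blank out its plain-text passwords once the silent
# uninstall is done. Password key names are not listed in the guide; any key
# containing PASSWORD or PWD is treated as one (an assumption).

# response_depot_setting FILE -> prints "keep" (0), "remove" (1) or "invalid"
response_depot_setting() {
    v=$(sed -n 's/^IAGLOBAL_UNINSTALL_SIM_DEPOT=//p' "$1" | head -n 1)
    case "$v" in
        0) echo keep ;;
        1) echo remove ;;
        *) echo invalid ;;
    esac
}

# response_password_keys FILE -> lists keys that still carry a non-empty
# password value (nothing printed once the file has been scrubbed)
response_password_keys() {
    grep -E '^[^#=]*(PASSWORD|PWD)[^=]*=.+' "$1" | cut -d= -f1
}

# scrub_response_passwords FILE -> blanks every password value in place; the
# keys stay so the file still documents which settings were used.
scrub_response_passwords() {
    sed -E 's/^([^#=]*(PASSWORD|PWD)[^=]*=).*/\1/' "$1" > "$1.tmp"
    chmod 600 "$1.tmp"
    mv "$1.tmp" "$1"
}

# run_silent_uninstall UNINSTALLER RESPONSE_FILE -> runs "UNINSTALLER -f
# RESPONSE_FILE" with the file readable only by its owner, then scrubs the
# passwords regardless of the outcome and returns the uninstaller's status.
run_silent_uninstall() {
    chmod 600 "$2"
    if "$1" -f "$2"; then rc=0; else rc=$?; fi
    scrub_response_passwords "$2"
    return $rc
}

# Constructed sample response file (not uninstaller.properties.template).
# Only IAGLOBAL_LANGUAGE and IAGLOBAL_UNINSTALL_SIM_DEPOT come from the guide;
# the remaining keys and all values are hypothetical.
RESPONSE_FILE=$(mktemp)
cat > "$RESPONSE_FILE" <<'EOF'
# constructed sample response file
IAGLOBAL_LANGUAGE=en
IAGLOBAL_UNINSTALL_SIM_DEPOT=0
IAGLOBAL_DB_ADMIN_USER=cifdbadm
IAGLOBAL_DB_ADMIN_PASSWORD=example-only
IAGLOBAL_TIP_ADMIN_PWD=example-only
EOF
```

On a real system the first argument would be the uninstall.sh (or uninstall.exe) path from the procedure above and the second the full path of your modified response file.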
Install an agent when the audit configuration requires the agent to collect data
from Windows systems.
When you add a computer through the Managing Audited Machines task in the
Tivoli Integrated Portal, you can select one of two ways to install an agent
remotely: Automatic or Manual. If you select the Automatic installation type, you
specify the following information:
v The installation path for the agent software.
v The user credentials under which the agent will run.
v The administrator credentials under which the agent will be installed on the
remote system. This administrator must be a domain administrator or local
built-in administrator.
Note:
1. Before using Automatic installation, be sure to establish a network connection
that allows the Server to copy files on remote Windows hosts. For example, be
sure that no firewalls or antivirus programs prevent automatic installation.
2. Tivoli Security Information and Event Manager does not support Automatic
agent installation if both of the following are true:
v The machine name is an IPv6 address.
v One or both computers are running a version of the Windows operating
system that is lower than Windows 2008.
Therefore, if you use an IPv6 address as the machine name when performing
an automatic installation, both computers (the Server and the audited
computer) must use the Windows 2008 operating system.
If you select the Manual installation type for the remote agent, you must install
the agent after you add the audited computer. See “Installing the agent manually
on a Windows system.”
See the IBM Tivoli Security Information and Event Manager Administrators Guide for
information about creating an audited computer and about installing the agent
automatically.
Note: If you are upgrading an Actuator from a previous version, see “Upgrading
the Actuator for Windows systems” on page 72 for information about the steps you
must follow.
Procedure
1. Log on to the target system as a member of the Administrators group.
2. Insert the CD labeled IBM Tivoli Security Information and Event Manager v2.0 for
Agents into the CD-ROM drive.
3. Run the Setup.exe program in the x86_nt_4 directory on the CD. The Welcome
window of the Setup program is displayed.
4. In the Welcome window, click Next.
5. In the Target Directory window, do one of the following steps to specify the
directory for the Setup program to install the agent components:
v Accept the default value C:\IBM\TSIEM by clicking Next.
v Type the complete path to another directory and click Next.
v Click Browse and navigate to the directory you want to use and click Next.
A Target Directory window is displayed for confirmation.
6. Verify that the directory where you want to install the agent is displayed, and
click Next.
7. In the Select Configuration File window, do one of the following steps:
v To use a configuration file for the agent configuration parameters, specify the
name of the configuration file that the Server created when this agent was
configured in the Tivoli Integrated Portal. You can specify the file name in
one of the following ways:
– In the Configuration File Location field, type the complete path and file
name and click Next.
– Click Browse and navigate to the directory containing the configuration
file and click Next.
Note: Do not use a Universal Naming Convention (UNC) name for this
path. Instead, either specify the letter of a mapped drive or copy the
configuration file to a local disk.
v To specify the agent configuration parameters manually, select the Manual
Configuration check box and click Next.
8. In the OS Account window, type the name and password for the operating
system account that will run the agent, and click Next.
What to do next
Before you can use the agent, use the procedures in the IBM Tivoli Security
Information and Event Manager Event Source Guide to configure the audit settings for
the appropriate Windows operating system.
Note: If you are upgrading an Actuator from a previous version, see “Upgrading
the Actuator for AIX systems” on page 72 for information about the steps you
must follow.
Use one of the following methods to install the agent on an AIX system:
v The command line. See “Installing the agent from the command line.”
v The SMIT utility. See “Installing the agent with the SMIT utility” on page 86.
Before you install the agent for AIX, perform the following tasks:
1. Make sure that each target system meets the hardware, software, storage,
memory, and browser requirements for installing and running the agent on the
AIX operating system. See Chapter 2, “System Requirements,” on page 13 for
more information.
2. Before you install the agent on a target system, you must configure the agent
using the Tivoli Integrated Portal. See the IBM Tivoli Security Information and
Event Manager Administrators Guide.
3. If you are installing the agent on a computer that previously had an agent
attached to another Server, explicitly remove the agent from the old Server. If
you do not, the old Server might try to establish a connection with the agent
and the new agent might not work correctly.
If you prefer to install the agent on an AIX system using SMIT, see “Installing the
agent with the SMIT utility” on page 86.
Procedure
1. Log on as root to the system where you are installing the agent for AIX.
2. Insert the CD labeled IBM Tivoli Security Information and Event Manager v2.0 for
Agents into the CD-ROM drive.
3. To obtain the CD-ROM device name, type:
lsdev -Cc cdrom
or
mount -o ro /dev/cd0 /my_cdrom
Note:
a. For CD-ROM_device_name, specify either the name or physical path of the
CD-ROM.
b. -o ro means Read Only
c. Replace /my_cdrom with the mount path that you want to use.
6. Go to the /usr/sys/inst.images directory on the CD.
7. To begin the installation, run the following command:
installp -acgNq -d . ibm.tsiem.actuator
The agent installation begins.
What to do next
When the agent installation is finished, import the agent configuration file, as
described in “Configuring the agent on an AIX system” on page 88.
You also must set up auditing on the target system, as described in the IBM Tivoli
Security Information and Event Manager Event Source Guide. You can complete the
agent installation and configuration and platform configuration in any order, but
both tasks must be complete before you run the agent.
Before you install the agent for AIX, perform the following tasks:
1. Make sure that each target system meets the hardware, software, storage,
memory, and browser requirements for installing and running the agent on the
AIX operating system. See Chapter 2, “System Requirements,” on page 13 for
more information.
2. Before you install the agent on a target system, you must configure the agent
using the Tivoli Integrated Portal. See the IBM Tivoli Security Information and
Event Manager Administrators Guide.
3. If you are installing the agent on a computer that previously had an agent
attached to another Server, explicitly remove the agent from the old Server. If
you do not, the old Server might try to establish a connection with the agent
and the new agent might not work correctly.
If you prefer to install the agent on an AIX system using the command line, see
“Installing the agent from the command line” on page 85.
Procedure
1. Log on to the target system as root.
2. Insert the CD labeled IBM Tivoli Security Information and Event Manager v2.0 for
Agents into the CD-ROM drive.
3. To obtain the CD-ROM device name, type:
lsdev -Cc cdrom
4. If necessary, unmount a previously mounted CD by typing:
umount CD-ROM_device_name
or
mount -o ro /dev/cd0 /mycdrom
Note:
a. For CD-ROM_device_name, specify either the name or physical path of the
CD-ROM.
b. -o ro means Read Only
c. Replace /mycdrom with the mount path you want to use.
6. Start SMIT by typing smit.
7. In SMIT, click Software Installation and Maintenance → Install and Update
Software → Install and Update from ALL Available Software.
8. When prompted for the INPUT device /directory of the software, click the
list to display a selection of input devices. Then click the CD-ROM device that
contains the CD with the agent.
9. In the first window, click OK to confirm the input device you selected.
10. In the Customization window, click OK to begin the installation. An
installation progress window is displayed. Installation might take some time.
11. Click Cancel to close the installation process and return to the SMIT main
menu.
12. To exit SMIT, click File → Exit.
13. To exit the root shell and return to the original user shell, type exit.
The agent is now installed.
What to do next
When the agent installation is finished, import the agent configuration file, as
described in “Configuring the agent on an AIX system” on page 88.
You also must set up auditing on the target system, as described in the IBM Tivoli
Security Information and Event Manager Event Source Guide. You can complete the
Note: If you use ftp to send the agent configuration file to the AIX system, be
sure that you use the ASCII mode of the ftp session.
To configure the agent, import the configuration file that the Tivoli Integrated
Portal created when you configured this agent on the Server. Use the following
steps.
Procedure
1. Log in as root.
2. Go to the directory that contains the agent setup programs and start the setup
program:
cd /opt/IBM/tsiem/actuator
./install/setup.sh agent_configuration_file
where agent_configuration_file is the path and file name of the configuration file
on the AIX system. For example:
./install/setup.sh /tmp/aix_config.cfg
The agent configuration begins. When configuration is complete, the message
The actuator should now be installed and started is displayed.
What to do next
Configure the audit settings on the target system that is being audited by this
agent. See the IBM Tivoli Security Information and Event Manager Event Source Guide.
Procedure
1. In the vi text editor, open the file /etc/inittab.
2. Find the line that starts TCP/IP. (This line typically starts with /etc/rc.net.)
Add the following entry after that line:
TSIEMact:2:respawn:/etc/ibm.tsiem.actuator >/dev/console 2>&1
# Startup of the agent
3. Save the /etc/inittab file and exit the text editor.
4. From the command line, run the command to apply changes to the system:
telinit q
After you have added the restart line, the agent starts at every change to run
level 2.
What to do next
If you do not stop the agent before uninstalling it, you cannot activate it after you
reinstall it.
If the agent is configured to restart automatically, you must reset the respawn
option for TSIEMact in the /etc/inittab file.
Procedure
1. Open the /etc/inittab file in the vi text editor.
# vi /etc/inittab
What to do next
After you have applied the changes, you can stop the agent from the command
line or the SMIT utility.
If the agent is configured to restart automatically, reset the respawn option in the
/etc/inittab file.
Procedure
1. Log on as the root user.
2. To start SMIT, type: smit
3. Access the Remove a Process option:
a. In SMIT, click Processes & Subsystems.
b. In Processes & subsystems, click Processes.
c. Click Remove a Process.
4. To stop the process:
a. In the window that asks for SIGNAL type and PROCESS ID, leave
SIGNAL type set to SIGTERM.
b. For PROCESS ID, click List to display all running processes.
c. Select the agent process. The process number displays in the PROCESS ID
field.
d. Click OK to stop the process.
5. Click Cancel until you return to the SMIT System Management menu.
What to do next
If the agent is configured to restart automatically, reset the respawn option in the
/etc/inittab file.
Attention: Stopping the agent prevents the Server from collecting and removing
audit trail files from the /var/log/eprise directory. If you do not stop the audit
subsystem, these files eventually fill up the entire hard disk of the target system.
When you stop the audit subsystem, you also stop auditing activity on the target
system.
If you plan to remove the agent temporarily (for example, to upgrade), do not stop
the audit subsystem.
If you plan to remove the agent for several days, do one of the following actions:
v Stop the audit subsystem. Selecting this option means that no data is collected
for the period when the audit subsystem is stopped.
v Edit the /etc/security/audit/bincmds file to prevent writing the audit trail files.
Selecting this option means that no data is collected until you edit the
/etc/security/audit/bincmds file to enable writing of the audit trail files.
v Move audit trail files to another system or archive them on disk. Selecting this
option allows you to continue collecting data while the agent is inactive.
You can also use the cron daemon to automatically remove old audit trail files at
regular intervals. For example, add the following line to a cron file to remove all
audit trail files more than seven days old. The action occurs each day at 8 minutes
after midnight:
# This line deletes audit trails from /var/log/eprise when they are one week old.
8 0 * * * find /var/log/eprise -type f -mtime +7 -exec rm {} \;
For more information about using cron, see the UNIX documentation on the
Information CD provided with your AIX system.
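The cron action above, written as a shell function so that it can be tried on a scratch directory before it is scheduled against /var/log/eprise. This is an added example and is not code from the IBM guide; the directory and the age in days are parameters, and a dry-run mode lists the candidate files without deleting them.

```shell
#!/bin/sh
# Added example (not from the IBM guide): remove agent audit trail files
# older than a given number of days, the job the guide's cron line performs
# for /var/log/eprise. Directory and age are parameters so the function can
# be exercised on a scratch directory first.
#
# Usage: prune_audit_trails DIR DAYS [dry]
#   DIR  - directory holding the audit trail files (the guide uses /var/log/eprise)
#   DAYS - remove regular files whose modification time is more than DAYS days old
#   dry  - optional; when given, only list what would be removed
# Returns 0 on success, 1 when DIR is not a directory or DAYS is not a number.
prune_audit_trails() {
    dir=$1
    days=$2
    mode=${3:-delete}

    # Refuse to run against a missing or non-directory path so that a typo in
    # a cron entry never turns into a find over the wrong tree.
    if [ -z "$dir" ] || [ ! -d "$dir" ]; then
        echo "prune_audit_trails: not a directory: '$dir'" >&2
        return 1
    fi
    case $days in
        ''|*[!0-9]*)
            echo "prune_audit_trails: DAYS must be a non-negative integer" >&2
            return 1 ;;
    esac

    if [ "$mode" = dry ]; then
        # -print only: report the candidates without touching them
        find "$dir" -type f -mtime +"$days" -print
    else
        # The guide's cron action: delete regular files older than DAYS days,
        # one rm per file (\; terminates the -exec command for find).
        find "$dir" -type f -mtime +"$days" -exec rm -f {} \;
    fi
}

# count_files DIR: number of regular files below DIR (used to check results).
count_files() {
    find "$1" -type f | wc -l | tr -d ' '
}
```

Once the dry run lists only the files you expect, the equivalent crontab entry is the one in the guide, or `8 0 * * * /path/to/this/script` if you keep the function in a script that calls `prune_audit_trails /var/log/eprise 7`. The `/path/to/this/script` location is a placeholder.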
Procedure
1. Log on as the root user.
2. To find the process ID (PID) of the agent, run the ps -af command.
Information like the following example is displayed:
UID PID PPID C STIME TTY TIME CMD
root 11078 1 0 May 27 pts/2 5:36 ../bin/agent 12.1.103
The process ID in this example is the PID value 11078.
3. To stop the agent, run the following command:
kill PID
For example, to stop the agent using the process in step 2, type:
kill 11078
4. Run the ps -af command again to confirm that the agent has stopped.
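The two procedures above (resetting the respawn option for TSIEMact in /etc/inittab, then stopping the agent by PID and confirming with ps that it is gone) as one added shell example. It is not code from the IBM guide. The inittab path, entry identifier and replacement action are parameters, and a constructed sample inittab is included so the functions can be tried on a copy rather than on the live file. The value `off` (the AIX inittab action that disables an entry) is used as the reset value; the guide does not name the value, so that choice is an assumption of this example. Liveness is checked with `kill -0` and the ps state column instead of reading `ps -af` output by eye.

```shell
#!/bin/sh
# Added example; not from the IBM guide. Stops an agent that is configured
# to respawn from /etc/inittab, in the guide's order of operations:
#   1. reset the respawn action of the TSIEMact entry (otherwise init
#      restarts the agent as soon as it is killed),
#   2. send the agent process SIGTERM ("kill PID"),
#   3. confirm that the process is gone (the guide's second "ps -af").
# Assumption: "off" (the AIX inittab action that disables an entry) is used
# as the reset value; the guide does not name the replacement value.

# set_inittab_action FILE ID ACTION
# Replace the action field (3rd colon-separated field) of the entry whose id
# is ID. Other lines are copied unchanged; a backup is kept as FILE.bak.
# Returns 1 when FILE has no entry with that id.
set_inittab_action() {
    file=$1; id=$2; action=$3
    if ! grep -q "^$id:" "$file"; then
        echo "set_inittab_action: no entry '$id' in $file" >&2
        return 1
    fi
    cp -p "$file" "$file.bak" || return 1
    awk -v id="$id" -v act="$action" '
        BEGIN { FS = OFS = ":" }
        $1 == id { $3 = act }   # only the matching entry is rewritten
        { print }
    ' "$file.bak" > "$file"
}

# get_inittab_action FILE ID: print the action field currently set for ID.
get_inittab_action() {
    awk -F: -v id="$2" '$1 == id { print $3 }' "$1"
}

# is_running PID: 0 if PID names a live process, 1 otherwise.
# kill -0 also succeeds on a zombie (exited, not yet reaped), so the ps state
# column is consulted where ps supports it; an empty result is ignored.
is_running() {
    kill -0 "$1" 2>/dev/null || return 1
    st=$(ps -p "$1" -o stat= 2>/dev/null)
    case $st in Z*) return 1 ;; esac
    return 0
}

# stop_process PID [TIMEOUT]
# Send SIGTERM and poll for up to TIMEOUT seconds (default 10) until the
# process is gone. Returns 0 when it has exited, 1 when it is still running,
# so the caller can decide whether a stronger signal is appropriate.
stop_process() {
    pid=$1; timeout=${2:-10}
    is_running "$pid" || return 0          # nothing to do
    kill -TERM "$pid" 2>/dev/null || return 1
    i=0
    while [ "$i" -lt "$timeout" ]; do
        is_running "$pid" || return 0
        sleep 1
        i=$((i + 1))
    done
    return 1
}

# write_sample_inittab FILE: a constructed four-line inittab for trying the
# functions on a scratch copy instead of the live /etc/inittab.
write_sample_inittab() {
    printf '%s\n' \
        'init:2:initdefault:' \
        'rc:2:wait:/etc/rc 2>&1 | alog -tboot > /dev/console' \
        'TSIEMact:2:respawn:/etc/ibm.tsiem.actuator >/dev/console 2>&1' \
        'cron:2:respawn:/usr/sbin/cron' > "$1"
}
```

On a live AIX system the sequence is `set_inittab_action /etc/inittab TSIEMact off`, then `telinit q` so that init rereads the file (as in the guide's start-up procedure), then `stop_process PID` with the PID taken from `ps -af`. Because `set_inittab_action` writes `/etc/inittab.bak` first, the original entry can be restored before the agent is reinstalled.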
What to do next
After you stop the agent, you can safely uninstall the agent.
See “Uninstalling the agent for AIX using SMIT” on page 92 or “Uninstalling the
agent for AIX from the command line” on page 92.
If you prefer to uninstall the agent on an AIX system using the command line, see
“Uninstalling the agent for AIX from the command line.”
Procedure
1. Log in as the root user.
2. To start SMIT, type smit.
3. In the System Management panel, click Software Installation and
Maintenance.
4. In Software Installation and Maintenance, click Software Maintenance and
Utilities.
5. Click Remove Installed Software. A window is displayed asking for the name
of the software you want to uninstall.
6. From the list of all installed software packages, click ibm.tsiem.actuator.
7. In the first window, set the PREVIEW only option to No. Click OK to confirm
your selection.
8. Click OK in the next window to confirm the uninstallation you selected. A
new window is displayed, showing the progress of the uninstallation.
9. If the removal completed successfully, select Done on the last window to
return to the Remove Software Products option.
10. Click Cancel.
11. On the SMIT main menu, click File → Exit.
12. To remove all files and catalogs from the /opt/IBM/tsiem/actuator/ directory,
type the following command:
rm -r /opt/IBM/tsiem/actuator/
13. Exit the root shell and return to the original user shell by typing exit.
What to do next
After you remove the agent, you can install a new version. For instructions, see
“Installing the agent for AIX” on page 85.
If you prefer to uninstall the agent on an AIX system using SMIT, see “Uninstalling
the agent for AIX using SMIT.”
What to do next
After you remove the agent, you can install a new version. For instructions, see
“Installing the agent for AIX” on page 85.
You must install the agent for Solaris in either of the following cases:
v When you need to audit event sources that run on Solaris systems that do not
support remote collect of audited events.
v When the audit configuration requires an agent to collect data from Solaris
systems.
Chunk logs can be generated based on a schedule or by a direct call through the
Tivoli Integrated Portal. The agent records a timestamp each time it generates a
chunk log. When a new chunk log is generated, only log records that were
generated after the last extraction are added to the new chunk log.
Audit configuration settings on the target system determine the types of events
that the agent logs. Because logging every event consumes too many resources,
configure the target system to log only events that expose security threats and
weaknesses. The goal is to select audit settings that provide both acceptable
security and acceptable use of resources.
The agent is designed to limit any security risk it can pose to a targeted system;
you must therefore configure it to run with the minimal required permissions.
However, on the Solaris operating system, the system calls needed to access the log
require the root user ID to operate properly. The agent is capable only of reading
logs; it is therefore questionable whether using the root user ID poses any security
risk.
Note: If you are upgrading an Actuator from a previous version, see “Upgrading
the Actuator for Solaris systems” on page 73 for information about the steps you
must follow.
Audit Settings
The Audit Subsystem collects all data about events that happen on a specific
system. The agent communicates the data to the Server.
When this line is present, the BSM is active; otherwise you must type the following
command:
bsmconv rootdir
Another way to see whether the BSM is active is to use the following command:
grep "c2audit" [rootdir]/etc/system
For more information about the BSM, see "bsmconv (1M)" (in the Solaris Reference
Manual Collection).
The Auditing System should start automatically when the system starts. Therefore
the file /etc/security/audit_startup must be present. An example of a valid file
is:
#!/bin/sh
auditconfig -conf
auditconfig -setpolicy none
auditconfig -setpolicy +cnt
auditconfig -setfsize 1000000
For information about enabling extended logging, see the IBM Tivoli Security
Information and Event Manager Event Source Guide.
Table 2 and Table 3 list the flag settings required in the file /etc/security/
audit_control for logging success and failure actions.
Table 2. Solaris flag settings to log success actions
Short Name Long Name Short Description
The Audit System writes the audit logs to the directory /var/audit.
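A read-only pre-flight check of the Solaris auditing prerequisites described above, as an added example that is not code from the IBM guide. It takes a root directory parameter (`/` on a live system) so that it can be tried against a constructed tree, and it reports each of the conditions the text names: c2audit referenced in /etc/system, an executable /etc/security/audit_startup that calls auditconfig, and the /var/audit log directory. The sample /etc/system line written by `write_sample_root` is constructed for the example.

```shell
#!/bin/sh
# Added example; not from the IBM guide. Pre-flight check of the Solaris
# auditing prerequisites the guide describes, run against a root directory
# (ROOTDIR, "/" on a live system) so it can be tried on a scratch tree:
#   - c2audit is referenced in ROOTDIR/etc/system (BSM converted),
#   - ROOTDIR/etc/security/audit_startup exists and is executable,
#   - it invokes auditconfig, as in the guide's sample file,
#   - ROOTDIR/var/audit, where the audit logs are written, is a directory.
# Prints one line per check and returns the number of failed checks
# (0 when everything is in place). It only reads; it never runs bsmconv.
check_solaris_audit_prereqs() {
    root=${1:-/}
    root=${root%/}      # strip a trailing slash so "/" and "/tmp/x/" both work
    fails=0

    if grep -q "c2audit" "$root/etc/system" 2>/dev/null; then
        echo "ok   BSM: c2audit present in $root/etc/system"
    else
        echo "FAIL BSM: c2audit not found in $root/etc/system (bsmconv not run)"
        fails=$((fails + 1))
    fi

    startup="$root/etc/security/audit_startup"
    if [ -x "$startup" ]; then
        echo "ok   audit_startup present and executable"
    else
        echo "FAIL audit_startup missing or not executable: $startup"
        fails=$((fails + 1))
    fi

    if [ -f "$startup" ] && grep -q "^auditconfig" "$startup"; then
        echo "ok   audit_startup configures auditing with auditconfig"
    else
        echo "FAIL audit_startup does not call auditconfig"
        fails=$((fails + 1))
    fi

    if [ -d "$root/var/audit" ]; then
        echo "ok   audit log directory $root/var/audit exists"
    else
        echo "FAIL audit log directory $root/var/audit missing"
        fails=$((fails + 1))
    fi
    return "$fails"
}

# write_sample_root DIR: build a constructed tree under DIR that passes every
# check, using the guide's sample audit_startup contents. The /etc/system
# line is a constructed sample of the c2audit reference.
write_sample_root() {
    mkdir -p "$1/etc/security" "$1/var/audit"
    echo 'set c2audit:audit_load = 1' > "$1/etc/system"
    printf '%s\n' '#!/bin/sh' 'auditconfig -conf' 'auditconfig -setpolicy none' \
        'auditconfig -setpolicy +cnt' 'auditconfig -setfsize 1000000' \
        > "$1/etc/security/audit_startup"
    chmod 755 "$1/etc/security/audit_startup"
}
```

Run `check_solaris_audit_prereqs /` before starting the audit daemon; a non-zero return value lists exactly which of the prerequisites above still has to be put in place.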
Use the following commands to start and stop the audit daemon on a Solaris
system.
For more detailed information, see the documentation in the Solaris System
Administrator Collection.
Procedure
1. To start the audit daemon, type the following command: /usr/sbin/auditd
Note: If you run the command audit -s, the daemon reads the audit_control
file again.
2. To stop the audit daemon, type the following command: audit -t
What to do next
Accounting System
The accounting system monitors the usage of system resources and login times. It
is not necessary to activate or configure the accounting system for the agent.
Several accounting files are generated and updated automatically by Solaris. Tivoli
Security Information and Event Manager uses the /var/adm/wtmpx file.
The wtmpx log contains records that indicate user logins, system startups, and
system events. The records of the wtmpx log are in utmp format.
This file is one of the key logs for the mapping process. Its absence does not affect
the agent, except to lessen the information it can gather. The /var/adm/wtmpx file is
readable for any user. Therefore, no special privileges are needed to access this file.
To use the Admintool to install the agent for Solaris, see “Installing the agent with
Admintool” on page 98.
If you prefer a graphical interface, you can use Admintool to install the agent on a
Solaris system.
Procedure
1. Log in as root.
2. Insert the CD labeled IBM Tivoli Security Information and Event Manager v2.0 for
Agents into the CD-ROM drive.
3. To start Admintool, click Applications on the front panel and then click
Application manager → System_Admin → Admintool.
4. When Admintool starts, click Browse → Software.
5. Click Edit → Add.
6. Admintool asks for a CD path. Type the following path and click OK:
/cdrom/cdrom0/
Note: For information about the agent and Server parameters, see the product
online help in the Tivoli Integrated Portal. For HOP parameters, use the same values as for the
Portal online helps. For HOP parameters, use the same values as for the
Server.
When you finish typing the configuration file location or entering
configuration parameters, Admintool asks you to confirm your work. Type y
and then press Enter.
Installation begins.
10. When the Installation successful message is displayed at the bottom of the
window, press Enter. The Admintool Software window opens. The agent is
not listed yet. The name is displayed after you exit Admintool and reopen it.
What to do next
You have now successfully installed the agent. To run the agent, configure your
Solaris settings if you have not already done so.
If you prefer using shell commands, you can use the pkgadd command to install
the agent on a Solaris system.
Procedure
1. Log in as root.
2. Insert the CD labeled IBM Tivoli Security Information and Event Manager v2.0 for
Agents into the CD-ROM drive.
3. Type the following command:
pkgadd -d /cdrom/cdrom0 TSIEMac
4. The program asks you for the location of the agent configuration file. This
configuration file was created when you registered this agent in the Tivoli
Integrated Portal.
Note: For information about agent and Server parameters, see the product
online help in the Tivoli Integrated Portal. For HOP parameters, use the same
values that you used for the Server.
6. Installation begins. When it finishes, an Installation successful message is
displayed at the bottom of the window.
What to do next
You have now successfully installed the agent. To run the agent, configure your
Solaris settings if you have not already done so.
You can use the watchdog timer to set up the agent to restart automatically.
Procedure
To start the watchdog timer so that the agent is automatically restarted after it is
terminated, use the following command:
/etc/init.d/CEAWatchdog start
What to do next
100 Tivoli Security Information and Event Manager V2.0: Installation Guide
To use the Admintool to uninstall an agent on a Solaris system, see “Uninstalling
the agent on Solaris systems using the Admintool.”
Before attempting to uninstall the agent, you must stop the agent. Otherwise, you
cannot activate a new agent after you install it.
If the Admintool is present on your version of Solaris, you can use it to uninstall
the agent. If you do not have the Admintool, use the pkgrm shell command.
Procedure
1. Stop the agent using the following steps:
a. Log in as root.
b. From the Common Desktop Environment, click the Front panel.
c. Click the Tools subpanel.
d. Click Find Process.
e. Click the process with the name Agent.
f. From the Process menu, click Kill. Now the agent has been stopped and you
can uninstall it.
2. Uninstall the agent using the following steps:
a. Log in as root.
b. Select the Applications subpanel from the Front Panel. Click Applications.
c. Click the System-Administrator icon.
d. Click the Admintool icon.
e. Click Browse → Software → Actuator.
f. From the Edit pull-down, click Delete. Then, confirm the delete action.
g. Click Enter twice.
h. From the File pull-down, click Exit.
What to do next
After you uninstall the agent the name is still visible in the Admintool software
survey. This name is gone after you close the menu.
To install a new version of the agent for Solaris, see “Installing the agent for
Solaris” on page 97.
Before attempting to uninstall the agent, you must stop the agent. Otherwise, you
cannot activate a new agent after you install it.
If the Admintool is present on your version of Solaris, you can use it to uninstall
the agent. If you do not have the Admintool, use the procedure that follows.
Procedure
1. Type the command pkgrm TSIEMac.
2. At the Do you want to delete? prompt, type Y.
The pkgrm utility stops the watchdog timer, kills the agent processes, and then
removes the agent package from the system.
What to do next
The agent for Solaris is now uninstalled.
To install a new version of the agent for Solaris, see “Installing the agent for
Solaris” on page 97.
Chapter 11. The agent for HP-UX systems
Use this information to install and uninstall the agent for HP-UX systems.
There are installation and configuration steps on the client and the Server.
Note: If you are upgrading an Actuator from a previous version, see “Upgrading
the Actuator for HP-UX systems” on page 74 for information about the steps you
must follow.
Procedure
1. Insert the CD labeled IBM Tivoli Security Information and Event Manager v2.0 for
Agents into the CD-ROM drive.
2. Before you can mount the CD, the pfs_mountd and pfs daemons must be
running.
v When prompted for the agent configuration file, accept the default setting,
manual configuration. Then see “Configuring the agent manually on HP-UX
systems.”
What to do next
Procedure
1. At the prompt for the configuration file, press Enter instead of specifying a file
name.
agent configuration file (default: manual configuration):
<Enter>
2. The installation program prompts you to enter four configuration parameters
for the agent, three parameters for the Server, and three parameters for the
HOP. For the agent and Server parameters, see the online help for the product
in the Tivoli Integrated Portal. For the HOP parameters, provide the same
values specified for the Servers.
The following are examples of these configuration parameters:
Agent ID (default: ""): 12.1.118
Agent IP address (default: ""): 172.16.1.3
Agent port (default: ""): 5992
Installation password (default: ""): 96820F8CE6
Server ID (default: ""): 12.1.1
Server IP address (default: ""): 172.31.1.2
Server port (default: ""): 5992
HOP ID (default: "12.1.1"): 12.1.1
HOP IP address (default "crme13.example.com"): 172.31.1.2
HOP port (default: "5992"): 5992
3. After you enter the 10 configuration parameters, the installation process
prompts you to confirm or change the parameters you entered:
Agent ID: 12.1.118
Agent IP address: 172.16.1.3
Agent port: 5992
Installation password: 96820F8CE6
Server ID: 12.1.1
Server IP address: 172.31.1.2
Server port: 5992
HOP ID: 12.1.1
HOP IP address: 172.31.1.2
HOP port: 5992
Do you want to change any of these data [y,n]? n
What to do next
After you specify the configuration parameters, the installation process begins.
When the process finishes, the message *Execution succeeded is displayed.
You can start the agent manually, and you can also set the agent up to restart
automatically when it is terminated.
Procedure
1. To start the agent manually, go to the directory of the agent. (The default is
/opt/IBM/tsiem/actuator.) At the command line, run the following command:
./start-client
2. To restart the agent automatically when it is terminated, start the watchdog
timer:
/sbin/init.d/cea.watchdog start
What to do next
Procedure
1. Verify that Tivoli Security Information and Event Manager is installed by using
the shell command swlist:
# swlist | grep TSIEM
If Tivoli Security Information and Event Manager is installed, the output looks
as follows:
TSIEMact 2.0.0.0 IBM Tivoli Security Information and Event Manager
2. Use the shell command swremove to uninstall the Tivoli Security Information
and Event Manager software:
# swremove TSIEMact
What to do next
Appendix A. Accessibility
Accessibility features help users with physical disabilities, such as restricted
mobility or limited vision, to use software products successfully. Tivoli Security
Information and Event Manager is not fully accessible.
The list of items that are not accessible includes, but is not limited to, the following
examples:
v Not all images in the Tivoli Security Information and Event Manager
Management Console have alternate text provided.
v Some action items in the Tivoli Security Information and Event Manager
Management Console are provided only as non-text content and might not be
operable with assistive technologies.
v Not all image maps in the product provide alternative text and not all maps can
be navigated using equivalent text links.
v Assistive technologies might not automatically detect changes to information
and structures in the Tivoli Security Information and Event Manager
Management Console. In addition, not all captions, labels, and tables are
correctly interpreted by assistive technologies.
v Some items in the Tivoli Security Information and Event Manager Management
Console are differentiated solely through the use of color.
v Not all functions in the Tivoli Security Information and Event Manager
Management Console can be performed by only using the keyboard.
v Not all table cells, relationships between cells, primary natural languages of Web
units, and user interface components can be programmatically determined.
v Timeouts cannot always be adjusted by the user.
v Titles and accessible frame sources are not provided for all frames.
v Errors in information typed by the user are not always identified, described in
text, and presented to the user.
The product documentation was modified to include the following features to aid
accessibility:
v All documentation is available in both HTML and convertible PDF formats to
give the maximum opportunity for users to apply screen-reader software.
v All images in the documentation are provided with alternative text so that users
with vision impairments can understand the contents of the images.
Not all interfaces can be navigated using just the keyboard. For those interfaces
that can be, the product uses the standard shortcut and accelerator keys provided
by the operating system. Refer to the documentation provided by your operating
system for more information.
You can enlarge information on the product windows using facilities provided by
the operating systems on which the product is run. For example, in a Microsoft
Windows environment, you can lower the resolution of the screen to enlarge the
Taking into account the limitations on accessibility in the product, users can use
screen readers that rely on the Java Access Bridge. Job Access With Speech (JAWS)
is such a screen reader. See http://java.sun.com/javase/technologies/accessibility/
accessbridge/ for information about the Java Access Bridge.
A JVM (version 1.5 or higher) and the Java Access Bridge must be installed on the
computer on which you are installing Tivoli Security Information and Event
Manager.
For more information, search for article Q200311 entitled "How to Use JAWS with
InstallAnywhere" at http://www.flexerasoftware.com/
Appendix B. Configuring the web browser and system for the
Tivoli Integrated Portal
Tivoli Security Information and Event Manager uses the Tivoli Integrated Portal, a
web-based application, for performing administrative, configuration, and reporting
functions. In order for the features in Tivoli Security Information and Event
Manager to function properly in the web browser and reports, you must use a
supported web browser and configure your web browser and system.
The Tivoli Integrated Portal is compatible with the following web browsers:
Microsoft Windows systems
v Microsoft Internet Explorer Version 6.0 Service Pack 2 (SP2)
v Microsoft Internet Explorer Version 7.0
v Mozilla Firefox versions 2.0, 3.0, and 3.1
Linux systems
Mozilla Firefox versions 2.0, 3.0, and 3.1
Other versions of these web browsers are not compatible with the Tivoli Integrated
Portal.
Screen resolution
The minimum screen resolution is 1024 x 768.
Ensure that Internet Explorer Version 6.0 Service Pack 2 or Internet Explorer
Version 7.0 is installed.
Procedure
1. Open Internet Explorer.
2. Click Tools.
3. Click Internet Options.
4. Click the Security tab.
5. Select Custom Level.... The Security Settings window opens.
6. In the Security Settings window, ensure that the following settings are
enabled.
v Ensure that the radio button for Script ActiveX controls marked safe for
scripting is set to Enable.
v Ensure that the radio button for Active scripting is set to Enable.
v Ensure that the radio button for Display mixed content is set to Enable.
7. Click OK to exit the Security Settings window.
8. Click the General tab.
9. In the Browsing history section, click Settings. The Temporary Internet Files
and History Settings page opens.
10. In the Temporary Internet Files section, ensure that the radio button for
Check for newer versions of stored pages: is set to Every time I visit the
webpage.
11. Click OK to exit the Temporary Internet Files and History Settings page.
12. Click OK to exit the Internet Options window.
13. Restart Internet Explorer for the settings to take effect.
Ensure that Internet Explorer Version 6.0 Service Pack 2 or Internet Explorer
Version 7.0 is installed.
In order for Tivoli Integrated Portal to display correctly, you must add the system
where Tivoli Security Information and Event Manager is installed and about:blank
to the "Trusted sites" list in Internet Explorer.
Procedure
1. Open Internet Explorer.
2. Click Tools.
3. Click Internet Options.
4. Click the Security tab.
5. Click Trusted sites.
6. Click Sites....
7. In the Add this website to the zone field, add the following sites to the
Trusted sites list.
v Enter the IP address or the URL for the system where Tivoli Security
Information and Event Manager is installed.
v Enter about:blank.
8. Click OK to exit the Trusted sites window.
9. In the section, Security Level for this zone, click Custom Level.
10. Ensure that the slider is set to Medium-low.
11. Click OK to exit the Internet Options window.
What to do next
If you are running the Tivoli Integrated Portal on Windows 2003 Server or
Windows 2008 Server, you must also disable the Internet Explorer Enhanced
Security Configuration. For more information, see “Disabling Enhanced Security
Configuration in Windows 2003 Server” and “Disabling Enhanced Security
Configuration in Windows 2008 Server.”
Ensure that Internet Explorer Version 6.0 Service Pack 2 or Internet Explorer
Version 7.0 is installed.
Procedure
1. Open the Control Panel.
2. Click Add or Remove Programs.
3. Click Add/Remove Windows Components.
4. Select Internet Explorer Enhanced Security Configuration.
5. Click Details.
6. Unselect the option for the user group running Tivoli Integrated Portal on
Internet Explorer.
Ensure that Internet Explorer Version 6.0 Service Pack 2 or Internet Explorer
Version 7.0 is installed.
About this task
Procedure
1. Open the Server Manager administrative tool.
2. Navigate to the Security Information section.
3. Click Configure Internet Explorer Enhanced Security Configuration.
4. Disable Internet Explorer Enhanced Security Configuration for the user group
running Tivoli Integrated Portal on Internet Explorer.
Procedure
1. Open Internet Explorer.
2. Click Tools.
3. Click Internet Options.
4. In the Advanced tab, scroll down to the Security section.
5. Select the check box for Use TLS 1.0.
6. Click OK.
Procedure
1. In the browser menu, click Tools.
2. Click Options. The Options window opens.
3. Click the Advanced icon.
4. Click the Encryption tab.
5. In the Protocols section, select the Use TLS 1.0 check box.
6. Click OK to close the Options window.
Enabling cookies
To access the Tivoli Integrated Portal, cookies must be enabled in the browser.
Enabling cookies in Internet Explorer
Enabling cookies in Internet Explorer allows Tivoli Security Information and Event
Manager to remember your settings.
Ensure that Internet Explorer Version 6.0 Service Pack 2 or Internet Explorer
Version 7.0 is installed.
Procedure
1. Open Internet Explorer.
2. Click Tools.
3. Click Internet Options. The Internet Options window opens.
4. In the Privacy tab, move the settings slide to Low or Accept All Cookies.
5. Click OK.
Enabling cookies in Firefox
Procedure
1. Open Firefox.
2. Click Tools.
3. Click Options. The Options window opens.
4. Click the Privacy icon.
5. In the Firefox will: field, select Use custom settings for history.
6. Ensure that the check box for Accept cookies from sites is selected.
7. Ensure that the check box for Accept third-party cookies is selected.
8. In the Keep until: field, select they expire.
9. Click OK.
Before you begin
Ensure that Internet Explorer Version 6.0 Service Pack 2 or Internet Explorer
Version 7.0 is installed.
Procedure
1. Open Internet Explorer.
2. Click Tools.
3. Click Internet Options.
4. In the Temporary Internet Files section, click Settings.
5. Below Check for new versions of stored pages, click Every visit to the page.
6. Click OK twice to save and apply the new settings.
Procedure
1. Open Firefox.
2. In the address bar, enter about:config.
3. Scroll to the preference network.http.use-cache.
v If the value equals true, then browser caching is enabled.
v If the value equals false, then browser caching is disabled. To enable browser
caching, right-click network.http.use-cache and select Toggle. The value
switches to true.
4. Close the browser tab.
Ensure that Internet Explorer Version 6.0 Service Pack 2 or Internet Explorer
Version 7.0 is installed.
Procedure
1. Open Internet Explorer.
2. Click Tools.
3. Click Internet Options.
4. In the Advanced tab, scroll down to the Browsing section.
5. Unselect the check box for Show friendly HTTP error messages.
6. Click OK.
7. Restart Internet Explorer.
You might need to collect audit data from systems in different countries that use
different languages. For example, an international organization might want to
collect audit data from England, Brazil, and Japan. If the appropriate fonts are
installed on the Tivoli Security Information and Event Manager Server, then Tivoli
Security Information and Event Manager can generate reports in the Compliance
Dashboard that display data in the respective languages.
The TrueType fonts are typically located on the installation CDs for the operating
system.
For example, if your enterprise is monitoring systems that include both Japanese
and Russian languages, then both Japanese and Russian TrueType fonts must be
installed on the client system so that you can view the multilingual report in the
Compliance Dashboard using your Web browser. If you wanted to generate a PDF
of that report, then both Japanese and Russian TrueType fonts must be installed on
the server so that Tivoli Security Information and Event Manager can generate the
multilingual PDF report.
Procedure
1. Install the TrueType fonts.
v AIX systems:
a. Install the fonts located on the AIX distribution media in package
X11.fnt.ucs.ttf (AIX and Windows Unicode TrueType Fonts).
b. Verify that the fonts were installed into the following directories:
– /usr/X11R6/lib/X11/fonts/TrueType, which resolves to the real path
/usr/lpp/X11/lib/X11/fonts/TrueType
– /usr/openwin/lib/X11/fonts/TrueType
– /usr/share/fonts/default/TrueType
– /usr/X11R6/lib/X11/fonts/ttf
v Linux systems:
a. Install the fonts located on the Linux operating system media.
b. Verify that the fonts were installed into the following directories:
– /Library/Fonts
– /System/Library/Fonts
– /usr/X11R6/lib/X11/fonts/TrueType
v Windows systems:
a. Install the fonts located on the Windows operating system media.
b. Verify that the fonts were installed into the following directories:
– C:/windows/fonts
– C:/winnt/fonts
– D:/windows/fonts
– D:/winnt/fonts
2. Restart the Tivoli Integrated Portal:
/etc/rc.d/init.d/tsiem_tip_service.sh restart
What to do next
Tivoli Security Information and Event Manager can now generate multilingual PDF
reports, and the Compliance Dashboard can now display multilingual reports.
The font is installed on Windows 2008 systems by default. To install the font on
Windows 2003 systems, follow these instructions.
Procedure
1. In Windows 2003, open the Control Panel.
2. Click Regional and Language Options.
3. Click the Languages tab.
4. Select Install files for East Asian languages. Installing the Chinese, Japanese,
and Korean language files requires 230 MB of available disk space.
5. Click Apply.
6. Click OK.
If your network includes globalized domain names (that is, domain names in other
languages), then the default encoding on the domain controller system must be the
same as the encoding on the target machine (that is, the system on which Tivoli
Security Information and Event Manager is installed). If the encoding is not the
same, then the domain name might not display correctly in the Domain or
Workgroup section of the Choose Audited Machine page in the Create Machine
Wizard.
Procedure
1. In Windows, log in as Administrator.
2. Click Start.
3. Open the Control Panel.
4. Click Regional and Language Options. The Regional and Language Options
window opens.
5. Select the Advanced tab.
6. In the Language for non-Unicode programs section, select a language to match
the language version of the non-Unicode programs you want to use.
7. In the Default user account settings section, select the check box to apply these
settings to all user accounts on the Windows system.
8. Click Apply.
9. Click the X in the top right corner of the Regional and Language Options
window to exit.
What to do next
After you have changed the system locale on your system, you should update
these settings for all Tivoli Security Information and Event Manager users in the
cifusers and cifadmins groups. To do so, you must log in as each user and manually
update the settings.
Configuring the server locale for localized number formatting
The server locale controls how Tivoli Security Information and Event Manager web
applications (such as Tivoli Integrated Portal and the Compliance Dashboard)
format numbers according to local custom.
Different countries use different formats for numbers. For example, the number
one thousand five can be written in several different ways. In European countries,
people might write "1.005". In North American countries, people tend to write
"1,000" and so on.
The way that Tivoli Security Information and Event Manager displays numbers is
controlled by the server locale on the system where Tivoli Security Information and
Event Manager is installed. The formatting is not controlled by the browser locale.
Thus, if the server locale is set to one format, but the browser locale is set to a
different format, then the Tivoli Security Information and Event Manager web
applications will display numbers based on the server locale.
Procedure
AIX
See the AIX documentation for the locale command:
http://publib.boulder.ibm.com/infocenter/aix/v6r1/index.jsp?topic=/com.ibm.aix.cmds/doc/aixcmds3/locale.htm
Linux
1. Log on to the Tivoli Security Information and Event Manager server as
the root user.
2. Click System → Administration → Language.
3. Select the desired language and click OK.
4. Restart the system to make your changes effective.
Windows
1. Click Start.
2. Click Control Panel.
3. Click Regional and Language Options.
4. In the Regional Options tab, go to the Standards and formats section.
Select your country from the menu.
5. Click OK.
Results
Tivoli Security Information and Event Manager uses the updated settings when
formatting numbers in web applications.
Appendix C. Account and password naming rules
During installation, the installation program creates a number of user ID and
password combinations. These user IDs and passwords must conform to certain
rules. In addition, there are rules for the names, instance names, and user accounts
for the databases that the product uses.
The following rules apply to operating system account names and passwords used
by Tivoli Security Information and Event Manager:
Operating system account names
v Names must begin with an alphabetic character.
v Names must contain at least 3 characters but no more than 20 characters.
v User names cannot contain spaces.
v On Windows systems, names can include:
– Letters in uppercase, lowercase, and mixed-case
– Letters a–z and A–Z. When used in most names, characters a through
z are converted from lowercase to uppercase.
– Numbers 0–9
– Special characters: ! % ( ) { }. – ^ ~ _ @ # $ \
v On AIX systems, names can include:
– Only letters in lowercase
– Letters a–z
– Numbers 0–9
– Special characters: ! % ( ) { }. – ^ ~ _ @ # $ \
v On Linux systems, names can include:
– Only letters in lowercase
– Letters a–z
– Special characters _ and -
v User names cannot be equal to any of the following:
– The name of any Reporting Database
– eprisedb
– aggrdb
– beat
– lmdb
– clmdb
Operating system passwords
v An operating system account password cannot include the user name.
v An operating system account password can include only the following
characters:
– Letters a–z and A–Z
– Numbers 0–9
– Special characters: % { } - ~ _ @ # $ ` * + = [ ] .
The following rules apply to Windows domain names and passwords used by
Tivoli Security Information and Event Manager:
v Domain names must begin with an alphabetic character.
v Domain names must be in the following format: <domain>\<user_name>
v Domain names can include:
– Letters in uppercase, lowercase, and mixed-case
– Letters a–z and A–Z
– Numbers 0–9
– Special characters: ! % ( ) { }. – ^ ~ _ @ # $ \
The following rules apply to database account names and passwords used by
Tivoli Security Information and Event Manager:
Database account names
v Database account names must contain at least 3 characters.
v On Windows systems, database account names can contain up to 30
characters.
v On AIX and Linux systems, database account names can contain up to 8
characters.
v The database account names:
– Must begin with an alphabetic character.
– Cannot begin with a number or with any of the following special
characters: ! % ( ) { } - ~ _ @ # $
– Cannot be USERS, ADMINS, GUESTS, PUBLIC, LOCAL, or any SQL
reserved word.
– Cannot begin with IBM, SQL, or SYS.
– Cannot contain spaces.
– Cannot be equal to any of the following:
- The name of any Reporting Database
- eprisedb
- aggrdb
- beat
- lmdb
- clmdb
v The database account names can include only the following characters:
– Letters a–z and A–Z
– Numbers 0–9
– On Windows and AIX systems, database account names can include
the following special characters: ! % ( ) { } . - ^ ~ _ @ # $
– On Linux systems, database account names can include only the
following special characters: _ -
Database account passwords
v The database account password can include only the following
characters:
– Letters a–z and A–Z
– Numbers 0–9
– Special characters: % { } - ~ _ @ # $ ` * + = [ ] .
v The database account password must start with an alphabetic character.
v The database account password cannot include the user name.
v The password must be a minimum of 6 characters in length.
v On AIX and Linux systems, the maximum password length is 8
characters. On Windows systems, the maximum password length is 14
characters.
The following rules apply to database instance and database names used by Tivoli
Security Information and Event Manager:
v On Windows systems, names can be in uppercase, lowercase, and mixed-case.
v On AIX and Linux systems, names must be in lowercase.
v Names can include only the following characters:
– Letters A–Z. When used in most names, characters a through z are converted
from lowercase to uppercase.
– Numbers 0–9
– Special characters: % { } – ~ _ \
v The instance or database name cannot start with a number or any of the
following special characters: % { } – ~ _ \
v The instance or database name cannot be USERS, ADMINS, GUESTS, PUBLIC,
LOCAL, or any SQL reserved word.
v The instance or database name cannot begin with IBM, SQL, or SYS.
v Database names must be unique within the location in which they are cataloged.
On AIX and Linux implementations of the DB2 database manager, this location
is a directory path. On Windows implementations of the DB2 database manager,
the location is a logical disk.
v Databases, database aliases, and database instance names can have up to 8 bytes.
(8 bytes are not necessarily the same as eight characters. This distinction is
important for multi-byte languages such as Chinese.)
v On Windows systems, no database instance can have the same name as a service
name.
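The following Python functions, added here as an example and not part of the product installer, encode the operating system and database account rules above so that a planned set of names and passwords can be checked before the installation program rejects them. The platform argument selects the per-platform character set and length limits. Where the appendix is silent on case sensitivity (reserved names, the IBM/SQL/SYS prefixes, "includes the user name"), the checks compare case-insensitively, which is an assumption, and SQL reserved words are not checked because the page does not enumerate them.

```python
"""Check TSIEM account names and passwords against the Appendix C rules.

Added example; not part of the product. Where the appendix is silent on
case sensitivity (reserved names, IBM/SQL/SYS prefixes, "includes the user
name") the comparison is case-insensitive, the stricter reading (assumption).
"""

ASCII_LOWER = set("abcdefghijklmnopqrstuvwxyz")
ASCII_UPPER = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ")
DIGITS = set("0123456789")
OS_NAME_SPECIAL = set("!%(){}.-^~_@#$\\")    # Windows and AIX account names
LINUX_NAME_SPECIAL = set("_-")              # Linux account and DB account names
DB_NAME_SPECIAL = set("!%(){}.-^~_@#$")     # Windows and AIX DB account names
PASSWORD_SPECIAL = set("%{}-~_@#$`*+=[].")  # OS and DB passwords

# Reserved for product databases; no OS or DB account may use these names.
RESERVED_DB_NAMES = {"eprisedb", "aggrdb", "beat", "lmdb", "clmdb"}
# DB account names may not equal these; SQL reserved words are not listed
# on the page and are therefore not checked here.
RESERVED_AUTH_NAMES = {"USERS", "ADMINS", "GUESTS", "PUBLIC", "LOCAL"}


def _bad_chars(value, allowed):
    """Characters of value outside the allowed set, as a sorted string."""
    return "".join(sorted(set(value) - allowed))


def os_account_name_errors(name, platform, reporting_dbs=()):
    """Rule violations for an OS account name; an empty list means valid."""
    errors = []
    if not name or name[0] not in ASCII_LOWER | ASCII_UPPER:
        errors.append("must begin with an alphabetic character")
    if not 3 <= len(name) <= 20:
        errors.append("must be 3 to 20 characters")
    if " " in name:
        errors.append("cannot contain spaces")
    allowed = {
        "windows": ASCII_LOWER | ASCII_UPPER | DIGITS | OS_NAME_SPECIAL,
        "aix": ASCII_LOWER | DIGITS | OS_NAME_SPECIAL,
        "linux": ASCII_LOWER | LINUX_NAME_SPECIAL,  # page lists no digits for Linux
    }[platform]
    bad = _bad_chars(name.replace(" ", ""), allowed)
    if bad:
        errors.append("characters not allowed on %s: %s" % (platform, bad))
    if name.lower() in RESERVED_DB_NAMES | {d.lower() for d in reporting_dbs}:
        errors.append("name is reserved for a database")
    return errors


def os_password_errors(password, user_name):
    """Rule violations for an OS account password (the page gives no length rule)."""
    errors = []
    if user_name.lower() in password.lower():
        errors.append("cannot include the user name")
    bad = _bad_chars(password, ASCII_LOWER | ASCII_UPPER | DIGITS | PASSWORD_SPECIAL)
    if bad:
        errors.append("characters not allowed: %s" % bad)
    return errors


def db_account_name_errors(name, platform, reporting_dbs=()):
    """Rule violations for a database account name."""
    errors = []
    max_len = 30 if platform == "windows" else 8
    if not 3 <= len(name) <= max_len:
        errors.append("must be 3 to %d characters on %s" % (max_len, platform))
    if not name or name[0] not in ASCII_LOWER | ASCII_UPPER:
        errors.append("must begin with an alphabetic character")
    if " " in name:
        errors.append("cannot contain spaces")
    if name.upper() in RESERVED_AUTH_NAMES:
        errors.append("cannot be USERS, ADMINS, GUESTS, PUBLIC, or LOCAL")
    if name.upper().startswith(("IBM", "SQL", "SYS")):
        errors.append("cannot begin with IBM, SQL, or SYS")
    if name.lower() in RESERVED_DB_NAMES | {d.lower() for d in reporting_dbs}:
        errors.append("name is reserved for a database")
    special = LINUX_NAME_SPECIAL if platform == "linux" else DB_NAME_SPECIAL
    bad = _bad_chars(name.replace(" ", ""), ASCII_LOWER | ASCII_UPPER | DIGITS | special)
    if bad:
        errors.append("characters not allowed on %s: %s" % (platform, bad))
    return errors


def db_password_errors(password, user_name, platform):
    """Rule violations for a database account password."""
    errors = []
    max_len = 14 if platform == "windows" else 8
    if not 6 <= len(password) <= max_len:
        errors.append("must be 6 to %d characters on %s" % (max_len, platform))
    if not password or password[0] not in ASCII_LOWER | ASCII_UPPER:
        errors.append("must start with an alphabetic character")
    if user_name.lower() in password.lower():
        errors.append("cannot include the user name")
    bad = _bad_chars(password, ASCII_LOWER | ASCII_UPPER | DIGITS | PASSWORD_SPECIAL)
    if bad:
        errors.append("characters not allowed: %s" % bad)
    return errors
```

Pass the names of your Reporting Databases in reporting_dbs so that the "name of any Reporting Database" rule is applied as well; each function returns the full list of violations rather than stopping at the first, which is what you want when reviewing a whole planning sheet at once.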
Appendix E. Limits
There are limits in Tivoli Security Information and Event Manager. For example,
there are limits on the amounts of data that can be processed and the number of
Standard Servers in a Tivoli Security Information and Event Manager Cluster.
Table 4 shows some known limits in Tivoli Security Information and Event
Manager.
Table 4. Tivoli Security Information and Event Manager limits
Description (the limit follows the colon)
Maximum number of Standard Servers in one Tivoli Security Information and Event Manager Cluster: 3
Maximum number of event sources that can be added to one Tivoli Security Information and Event Manager Cluster Server: 5,000
Maximum number of processes that can be loaded in parallel on a two-processor core: 1
Maximum amount of uncompressed original data in depot processed daily (mapping/loading/aggregation): 60 GB
Maximum amount of uncompressed original data in depot processed per minute by Tivoli Common Reporting reports: 40 MB
Maximum number of messages that can be collected in real time per second (syslog, SNMP, and so on): 30,000
Maximum number of real-time event sources per server with * as source address: 10
Appendix F. Using DR550 with Tivoli Security Information and Event Manager
Before you start working with a DR550 shared drive, you must make the drive
available to Tivoli Security Information and Event Manager. See “Mounting the
DR550 drive on AIX and Linux systems using CIFS” and “Mounting the DR550
drive on Windows systems” on page 130.
You can then manage the Log Management Depot using the DR550 shared drive.
See “Moving data between the DR550 drive and the Log Management Depot” on
page 132.
Mounting the DR550 drive on AIX and Linux systems using CIFS
A DR550 drive can be accessed through either NFS or CIFS. These instructions
explain how to access the drive from an AIX system or a Linux system using CIFS.
Be sure that the "write once read many" policy is not enabled on the DR550 drive.
Note: On AIX systems, the runtime for SMBFS must be installed. The SMBFS
runtime is found in the bos.cifs_fs fileset (bos.cifs_fs.rte).
Tivoli Security Information and Event Manager uses several user accounts to access
the Tivoli Integrated Portal, Reporting Databases, and the Tivoli Directory Server.
The DR550 drive by default will assign a UID and GID of 0 to files in the mount
point. Tivoli Security Information and Event Manager by default runs under the
cifadmin user and cifusers group. In order for Tivoli Security Information and
Event Manager to read and write to the DR550, it must be mounted using the UID
and GID of the cifadmin user and cifusers group.
Procedure
1. Log in to Tivoli Security Information and Event Manager as the root user.
2. Create a mount point.
For example:
$ mkdir /dr550mount
3. Mount the DR550 drive.
v On AIX, use the mkcifsmnt command.
The syntax for the mkcifsmnt command is:
mkcifsmnt -f MountPoint -d RemoteShare -h RemoteHost
-c user [-p password] [-m MountTypeName] [-A|-a] [-I|-B|-N]
[-t {rw|ro}] [-u uid] [-g gid] [-x fmode] [-w wrkgrp]
For example:
What to do next
You can now export the data from the depot to the DR550 or relocate the depot to
the DR550 using the mount point.
Mounting the DR550 drive on Windows systems
Be sure that the "write once read many" policy is not enabled on the DR550.
Tivoli Security Information and Event Manager uses several user accounts to access
the Tivoli Integrated Portal, databases, and Tivoli Directory Server. The DR550 also
uses different user accounts to access the file system. If you use DR550 storage for
the Tivoli Security Information and Event Manager depot, the account used by the
Tivoli Security Information and Event Manager service must have access rights to
store files on the DR550. For convenience, you can make the Tivoli Security
Information and Event Manager and DR550 accounts independent of each other.
You can then run the Tivoli Security Information and Event Manager service with
the user account it normally uses and still access the DR550, while the Tivoli
Security Information and Event Manager account has no rights on the DR550. Use
the following steps to create this setup.
Procedure
1. Create a network drive, using the following command on the Tivoli Security
Information and Event Manager system:
net use drive_letter: \\computer_name\path_to_dr550_drive password /user:user_name
where
v \\computer_name\path_to_dr550_drive is the path to the DR550 shared network
drive.
v user_name and password are the DR550 user account credentials to access the
shared DR550 drive.
2. Make this network drive permanent
a. Create a batch file that contains the net use command shown in step 1.
b. Create a Windows scheduler task to run the batch file as the Windows
SYSTEM account each time the computer starts. Schedule a short delay
before the task runs, about 5-10 seconds.
After the computer is restarted, the computer network drive is available to
Tivoli Security Information and Event Manager.
What to do next
After you mount the DR550 drive, you can export the data from the depot to the
DR550 or relocate the depot to the DR550 using the network drive that you
created.
Be sure that the Write Once Read Many (WORM) policy is not enabled on the
DR550.
Tivoli Security Information and Event Manager uses several user accounts to access
the Tivoli Integrated Portal, databases, and Tivoli Directory Server. The DR550 also
uses different user accounts to access the file system. If you use DR550 storage for
the Tivoli Security Information and Event Manager Log Management Depot data,
the account used by the Tivoli Security Information and Event Manager service
must have access rights to store files on the DR550. You can create a user ID on the
DR550 system with the same user name and password as an account used by
Tivoli Security Information and Event Manager.
Procedure
1. Choose a user ID on the Tivoli Security Information and Event Manager system
that can access the Tivoli Integrated Portal (for example, cifadmin).
2. On the DR550 system, create an operating system user ID with the same user
name and password.
Appendix F. Using DR550 with Tivoli Security Information and Event Manager 131
3. Map the DR550 shared drive on the Tivoli Security Information and Event
Manager system. Refer to the network drive as a common drive (for example,
\\192.168.236.22\test\export\).
What to do next
You can now export the data from the depot to the DR550 or relocate the depot to
the DR550 using the network drive that you created.
Moving data between the DR550 drive and the Log Management Depot
You must export and import the Log Management Depot data.
v To export data, see “Exporting data from the Log Management Depot to the
DR550 drive.”
v To import data, see “Importing data from the DR550 drive to the Log
Management Depot” on page 133.
v See the information about archiving audit data in the IBM Tivoli Security
Information and Event Manager Administrators Guide.
Exporting data from the Log Management Depot to the DR550 drive
You can store Log Management Depot data on the DR550 shared drive by using
the Tivoli Integrated Portal.
Procedure
1. Log on to Tivoli Security Information and Event Manager.
2. In the Tivoli Integrated Portal navigation panel, expand the Tivoli Security
Information and Event Manager topic.
3. Expand the Configuration and Management topic.
4. Expand the Archive Tools topic.
5. Click Export Audit Data. The Export Audit Data page opens.
6. Complete all required fields to set up a schedule for exporting data to the
DR550. In the Export logs to path on Server field, type the path to the shared
DR550 drive. The following paths are examples of the path you might type in
this field:
v On AIX and Linux systems:
– /dr550mount/coalbrook
v On Windows systems:
– \\192.168.236.22\test\export\ if you created a DR550 user ID that is
identical to the user ID on the Tivoli Security Information and Event
Manager system.
– z:\depot\ if you mounted the DR550 drive specifying a DR550 user.
7. Click OK to begin exporting the data.
What to do next
You can also import the data from the DR550 drive to the Log Management
Depot.
v See the information about archiving audit data in the IBM Tivoli Security
Information and Event Manager Administrators Guide.
Importing data from the DR550 drive to the Log Management Depot
After you store Log Management Depot data on the DR550 shared drive, you can
use the Tivoli Integrated Portal to import the data.
Procedure
1. Log on to Tivoli Security Information and Event Manager.
2. In the Tivoli Integrated Portal navigation panel, expand the Tivoli Security
Information and Event Manager topic.
3. Expand the Configuration and Management topic.
4. Expand the Archive Tools topic.
5. Click Import Audit Data. The Import Audit Data page opens.
6. In the User ID and Password fields, type the user ID and password of the user
that you configured with DR550 write/read permission.
v On AIX and Linux systems:
– Type the user ID and password of the Tivoli Integrated Portal user. The
default user ID is cifowner.
v On Windows systems:
– Type the user ID and password of the user you configured with DR550
write/read permission.
7. In the Import logs from path on Server field, type the path to the shared
DR550 drive. The following paths are examples of the path you might type in
this field:
v On AIX and Linux systems:
– /dr550mount/coalbrook/20100818
v On Windows systems:
– \\192.168.236.22\test\export\ if you created a DR550 user ID that is
identical to the user ID on the Tivoli Security Information and Event
Manager system.
– z:\depot\ if you mounted the DR550 drive specifying a DR550 user.
8. Click OK to begin importing the data.
Results
When the import completes successfully, the log information has been restored to
the depot.
What to do next
Before you begin
This task is needed only if you specified a non-DR550 drive as the location for the
depot during installation, and you want to move the depot to a DR550 shared
drive.
Procedure
1. Create a folder named install in the %TSIEM_HOME%\sim\server folder.
2. Copy the following files to the folder you created:
v db2asc.exe
v asc2db.exe
These files are originally located in the %TSIEM_HOME%\sim\server\bin folder.
3. Open a Command Prompt window and go to the install folder you created.
4. Type cd ..\run and press the Enter key.
5. Type ..\install\db2asc.exe blrec ..\install\blrec.asc and press the Enter
key.
6. Open the blrec.asc file in the install folder with a text editor.
7. Change the depot path in the blrec.asc file in the line containing the string
Chunklog Depot Path. For example:
((string)"Chunklog Depot Path") = (((objval) ((string) "\\192.168.236.22\test\depot\*")))
8. Save the blrec.asc file.
9. Return to the command window.
10. Type ..\install\asc2db.exe blrec ..\install\blrec.asc and press the Enter
key.
11. Restart the IBM TSIEM - SIM Server service.
All collected chunks will now be written to the DR550 shared drive.
12. On the Enterprise Server, modify the depot location in the
%TSIEM_HOME%\sim\consolidation\ini\beat.ini file to reflect the new location
of the depot.
13. On the Enterprise Server, restart the appropriate indexer process.
What to do next
About this task
This task is needed only if you specified a non-DR550 drive as the location for the
depot during installation, and you want to move the depot to a DR550 shared
drive.
Procedure
1. Log in to the Tivoli Security Information and Event Manager system as the
cifadmin user.
2. Create a new directory named install using the following command:
$ mkdir $TSIEM_HOME/sim/server/install
3. Copy the db2asc and asc2db programs to the directory that you just created:
$ cd $TSIEM_HOME/sim/server/install
$ cp ../bin/db2asc .
$ cp ../bin/asc2db .
4. Run the db2asc command to dump the configuration information to a file:
$ cd $TSIEM_HOME/sim/server/run
$ ../install/db2asc blrec ../install/blrec.asc
5. Edit the blrec.asc file to change the location of the depot to a directory on the
DR550. Change the line containing the Chunklog Depot Path:
$ cd $TSIEM_HOME/sim/server/install
$ vi blrec.asc
For example:
((string) "Chunklog Depot Path") = (((objval) ((string) "/dr550mount/coalbrookdepot/")))
6. Run the asc2db command to update the configuration information:
$ cd $TSIEM_HOME/sim/server/run
$ ../install/asc2db blrec ../install/blrec.asc
7. Log in to the Tivoli Security Information and Event Manager system as the root
user and restart the SIM server:
$ cd /etc/rc.d/init.d
$ ./tsiem_sim_service.sh stop
$ ./tsiem_sim_service.sh start
8. On the Enterprise Server, modify the depot location in the beat.ini file to
show the new location of the depot and then restart the appropriate indexer
process.
$ cd $TSIEM_HOME/sim/consolidation/ini
$ vi beat.ini
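Both the Windows procedure (steps 5 to 10) and the AIX and Linux procedure above edit the same line of the db2asc dump by hand. As an added example, not part of the product, the following Python helper performs that edit and refuses to continue unless exactly one Chunklog Depot Path entry is present, so that a dump that db2asc did not produce as expected is never written back with asc2db. The sample dump text is constructed, and its first line is an invented setting that serves only as surrounding context; the depot paths in it are placeholders.

```python
"""Rewrite the Chunklog Depot Path entry in a blrec.asc dump.

Added example; not part of the product. The sample dump below is constructed
and its first line is an invented setting used only as surrounding context.
"""
import re

# One entry of the dump, in the form shown in the procedure:
#   ((string) "Chunklog Depot Path") = (((objval) ((string) "<path>")))
# Group 1 is everything up to the opening quote of the path, group 2 the
# path itself, group 3 the closing quote and parentheses.
_DEPOT_ENTRY = re.compile(
    r'(\(\(string\)\s*"Chunklog Depot Path"\)\s*=\s*\(\(\(objval\)\s*\(\(string\)\s*")'
    r'([^"\n]*)'
    r'("\)\)\))'
)

# Constructed sample dump; "/var/tsiem/depot/" is a placeholder path.
SAMPLE_BLREC_ASC = (
    '((string) "Sample Setting") = (((objval) ((string) "unchanged")))\n'
    '((string) "Chunklog Depot Path") = (((objval) ((string) "/var/tsiem/depot/")))\n'
)


def find_depot_path(dump_text):
    """Current depot path in the dump, or None if the entry is absent."""
    match = _DEPOT_ENTRY.search(dump_text)
    return match.group(2) if match else None


def set_chunklog_depot_path(dump_text, new_path):
    """Return the dump text with the depot path replaced.

    Exactly one entry must be present; anything else means the dump is not
    what the procedure expects, so the caller must not feed it to asc2db.
    """
    entries = _DEPOT_ENTRY.findall(dump_text)
    if len(entries) != 1:
        raise ValueError("expected one Chunklog Depot Path entry, found %d" % len(entries))
    if '"' in new_path or "\n" in new_path:
        raise ValueError("depot path cannot contain a quote or a newline")
    # A callable replacement keeps the backslashes of a Windows UNC path literal;
    # a replacement string would interpret them as escapes.
    return _DEPOT_ENTRY.sub(lambda m: m.group(1) + new_path + m.group(3), dump_text)
```

Read blrec.asc after step 4 (Windows step 5), pass its contents through set_chunklog_depot_path with the DR550 path, write the result back, and only then run asc2db; find_depot_path lets you record the old location for the beat.ini change on the Enterprise Server.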
What to do next
Appendix G. Installing Fast Connect
This section explains how to install the Fast Connect server and Fast Connect client
on AIX systems.
Obtain a copy of AIX Fast Connect 3.2x. You can download a demo copy of Fast
Connect for AIX 5.x, from:
https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=aixbp&lang=en_US
To access the download pack programs, you must register and log in to the IBM
website.
You also can order a Fast Connect server CD from the website. The description of
the CD for AIX 6.1 is: CD 5765-E72 - Fast Connect V3.2.1 for AIX (10/2009)
LCD4-1069-06.
If you downloaded a copy of Fast Connect in the tar.Z format, install it using the
following procedure.
If you ordered the Fast Connect CD, install it using the instructions on the CD.
Procedure
1. Run mkdir /tmp/cifs.
2. Run cp cifs.tar.Z /tmp/cifs.
3. Run cd /tmp/cifs.
4. Run uncompress cifs.tar.Z.
5. Run tar -xvf cifs.tar.
6. Run inutoc installp/ppc.
7. Run cd installp/ppc.
8. Run smitty to install or use the installp command.
What to do next
After you have installed the Fast Connect Server, install the Fast Connect Client.
Installing the Fast Connect client
Ensure that you have the AIX operating system installation media. A copy of Fast
Connect for AIX is available on the AIX installation CDs.
Procedure
1. Mount the AIX CD using SMIT or the command line.
2. Install the Fast Connect client using either method:
v Using SMIT: Use smitty to install the bos.cifs_fs package.
v Using command line: Run the installp -acgXY bos.cifs_fs command.
Appendix H. Sharing and mounting remote depots
Before you register a Standard Server with the Enterprise Server, you must ensure
that the depot on the Standard Server can be accessed by the Enterprise Server.
When adding a Standard Server to a cluster, you must share the depot folder so
that it is accessible to the indexer and searcher processes on the Enterprise Server.
To share the depot of an AIX or Linux Standard Server with a Windows Enterprise
Server, you must use the CIFS protocol.
On Linux systems, you can share the depot folder by creating a Samba share. See
“Sharing the depot using Samba on Linux systems” on page 140. On AIX systems,
you can share the depot folder by creating a Fast Connect share. See “Sharing the
depot using Fast Connect on AIX systems” on page 141.
Note: The increased security provided by Windows Server 2008 requires that
network communications be performed using NTLM protocol 2, or later, by
default. To interoperate with AIX and Linux systems in a cluster, you might need
to adjust the network security settings on the Windows server.
User credentials
There are two ways to be sure that the user on the Enterprise Server is authorized
to access the depot on the Standard Server.
v The Enterprise Server and the Standard Server can be members of one domain
(use the same user storage). For best results in this case, the indexer and
searcher processes must run under the same domain user. Samba on Linux or
Fast Connect on AIX can use domain user authentication (ADS or Domain for
Samba, LDAP for Fast Connect user authentication mode).
v The indexer and searcher processes on the Enterprise Server can be authorized
to access a folder that was shared using Samba on Linux or Fast Connect on
AIX. In this case, these processes must run as the operating system user under
which the Standard Server runs. By default this user is cifadmin. Otherwise you
must create a Samba or Fast Connect user with the same credentials as
Enterprise Server cifadmin user has. The new Samba or Fast Connect user is set
Note:
v If the Enterprise Server runs on a Windows system, the Samba or Fast Connect
user must have the same credentials as the Enterprise Server user has. These
credentials are important because the indexer and searcher processes access the
share with exactly these credentials.
v For Fast Connect, it is always necessary to create a Fast Connect user and map it
to the AIX user (cifadmin by default).
Sharing the depot using Samba on Linux systems
The Samba software rereads configuration changes every minute. For best results,
edit a copy of the smb.conf file. Then replace the /etc/samba/smb.conf file with the
copy when you have finished making all the changes.
Procedure
1. Choose a user authentication mode such as ADS, Domain, Server, or USER. You
can use ADS, Domain, or Server if the Enterprise Server and Standard Servers
use the same user storage (are members of one domain). If the servers do not
use the same storage, you must use the USER authentication mode. To set the
authentication mode, add the following line to the [global] section of the
smb.conf file:
security = USER
2. If you are using the Samba USER authentication mode, be sure that password
encryption is on. (Windows NT 4.0 and higher operating systems encrypt SMB
passwords.) Add the following lines to the /etc/samba/smb.conf file:
encrypt passwords = yes
smb passwd file = /etc/samba/smbpasswd
3. If you are using USER authentication mode or if the servers are not in one
domain, add a Samba user. Map this user to the operating system account
under which Tivoli Security Information and Event Manager runs by modifying
the smbusers file. By default, the user is cifadmin. You can use either the
command line or the Samba Server Configuration tool to update the smbusers
file and add a password for the new user.
The new user must have the same credentials as the Windows Enterprise
Server user (cifadmin by default); that is:
smb_username == windows_username == cifadmin
v If you are using the command line:
The smbusers file has following format:
smb_username = windows_username
Add a password for the Samba user, using the following command:
smbpasswd –a cifadmin
v If you are using the Samba Server Configuration tool:
a. Start the tool.
b. Select Preferences -> Samba Users and click Add User.
c. Complete the fields in the Create New Samba User window.
4. Share the depot on the Standard Server.
• To use the command line, add the new share definition to the appropriate
section of the /etc/samba/smb.conf file. In this example, the share is named
depot.
[depot]
comment = any comment; for example, "Tivoli Security Information and Event Manager depot"
path = path to the depot folder
valid users = cifadmin (cifadmin domain user or the samba user added)
public = no
writable = no
• You can also use the Samba Server Configuration tool:
a. Start the tool.
b. Click Add.
c. Complete the fields in the Edit Samba Share window.
5. Restart the Samba service:
service smb restart
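The following is an added example, not code from the IBM guide: a small Python checker that parses an smb.conf with configparser and reports depot-share settings that differ from the values this procedure sets (security = USER, encrypt passwords, valid users, public, writable). The two sample stanzas, the depot path and the handling of Samba parameter synonyms are my assumptions.

```python
"""Check smb.conf against the depot-share settings in this guide (constructed example, not
IBM's code): security = USER, encrypted passwords, valid users = cifadmin, public/writable = no."""
import configparser

def _bool(value, default):
    """Parse a Samba boolean; None means the parameter is absent."""
    return default if value is None else value.strip().lower() in {"yes", "true", "1"}

def _get(section, *names):
    """Return the first of several synonymous Samba parameter names that is set."""
    return next((section[n] for n in names if n in section), None)

def check_depot_share(conf_text, share="depot", user="cifadmin"):
    """Return a list of findings; an empty list means the config matches the guide."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(conf_text)
    findings = []
    g = cp["global"] if cp.has_section("global") else {}
    if (_get(g, "security") or "").strip().lower() != "user":
        findings.append("global: security should be USER when servers are not in one domain")
    if not _bool(_get(g, "encrypt passwords"), True):  # Samba defaults to yes
        findings.append("global: encrypt passwords must be yes")
    if not cp.has_section(share):
        return findings + [f"[{share}]: share stanza missing"]
    s = cp[share]
    users = {u.strip() for u in (_get(s, "valid users") or "").split(",") if u.strip()}
    if users != {user}:
        findings.append(f"[{share}]: valid users should be exactly {user}, got {sorted(users)}")
    if _bool(_get(s, "public", "guest ok"), False):  # public and guest ok are synonyms
        findings.append(f"[{share}]: public must be no")
    # writable/writeable/write ok are synonyms; "read only = no" also means writable
    writable = _get(s, "writable", "writeable", "write ok")
    if _bool(writable, False) or (writable is None and not _bool(_get(s, "read only"), True)):
        findings.append(f"[{share}]: writable must be no")
    return findings

# Constructed sample stanzas (values are placeholders, not taken from the guide).
WEAK_CONF = """[global]
security = share
[depot]
public = yes
writable = yes
"""
HARDENED_CONF = """[global]
security = USER
encrypt passwords = yes
[depot]
valid users = cifadmin
public = no
writable = no
"""
```

Run the checker over your edited copy of smb.conf before replacing /etc/samba/smb.conf and restarting the service.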
What to do next
For best results, use password encryption. Use the following command:
net config /encrypt_passwords:2
All Fast Connect configuration changes can be made using the /usr/sbin/net
command or through a Web interface. This procedure uses the net command.
Procedure
1. No matter what authentication mode is used, you must create a Fast Connect
user with the same credentials as the user who runs Tivoli Security Information
and Event Manager on the Enterprise Server. By default, this user is cifadmin.
Use the following command:
net user /add username -p /active:yes /comment:"comment describing the user"
For example:
net user /map cifadmin cifAIXadmin
3. Share the depot using the following command:
net share /add /netname:share_name path_to_share_folder /desc:description /mode:0
What to do next
Be sure that the depot has been shared on the Standard Server.
There are several ways to mount the depot if both the Enterprise Server and the
Standard Server are running on AIX or Linux. Only one way is shown in this
procedure.
Procedure
1. On Linux systems, use the following command:
mount.cifs -o username=cifadmin //hostname/depot /mnt/hostname/cifdepot
Then register the depot to automount after the operating system is restarted.
2. On AIX systems, use the following command:
mount -v cifs -n hostname/cifadmin/password /depot /mnt/hostname/cifdepot
Notices
This information was developed for products and services offered in the U.S.A.
IBM may not offer the products, services, or features discussed in this document in
other countries. Consult your local IBM representative for information on the
products and services currently available in your area. Any reference to an IBM
product, program, or service is not intended to state or imply that only that IBM
product, program, or service may be used. Any functionally equivalent product,
program, or service that does not infringe any IBM intellectual property right may
be used instead. However, it is the user's responsibility to evaluate and verify the
operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter
described in this document. The furnishing of this document does not grant you
any license to these patents. You can send license inquiries, in writing, to:
For license inquiries regarding double-byte (DBCS) information, contact the IBM
Intellectual Property Department in your country or send inquiries, in writing, to:
The following paragraph does not apply to the United Kingdom or any other
country where such provisions are inconsistent with local law: INTERNATIONAL
BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS"
WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR
PURPOSE. Some states do not allow disclaimer of express or implied warranties in
certain transactions, therefore, this statement may not apply to you.
Any references in this information to non-IBM Web sites are provided for
convenience only and do not in any manner serve as an endorsement of those Web
sites. The materials at those Web sites are not part of the materials for this IBM
product and use of those Web sites is at your own risk.
IBM may use or distribute any of the information you supply in any way it
believes appropriate without incurring any obligation to you.
IBM Corporation
2Z4A/101
11400 Burnet Road
Austin, TX 78758
U.S.A.
The licensed program described in this document and all licensed material
available for it are provided by IBM under terms of the IBM Customer Agreement,
IBM International Program License Agreement or any equivalent agreement
between us.
All statements regarding IBM's future direction or intent are subject to change or
withdrawal without notice, and represent goals and objectives only.
This information contains examples of data and reports used in daily business
operations. To illustrate them as completely as possible, the examples include the
names of individuals, companies, brands, and products. All of these names are
fictitious and any similarity to the names and addresses used by an actual business
enterprise is entirely coincidental.
COPYRIGHT LICENSE:
If you are viewing this information softcopy, the photographs and color
illustrations may not appear.
Trademarks
IBM, the IBM logo, and ibm.com® are trademarks or registered trademarks of
International Business Machines Corporation in the United States, other countries,
or both. If these and other IBM trademarked terms are marked on their first
occurrence in this information with a trademark symbol (® or ™), these symbols
indicate U.S. registered or common law trademarks owned by IBM at the time this
information was published. Such trademarks may also be registered or common
law trademarks in other countries. A current list of IBM trademarks is available on
the Web at Copyright and trademark information (www.ibm.com/legal/
copytrade.shtml).
Adobe, the Adobe logo, PostScript®, and the PostScript logo are either registered
trademarks or trademarks of Adobe Systems Incorporated in the United States,
and/or other countries.
Intel, Intel logo, Intel Inside®, Intel Inside logo, Intel® Centrino®, Intel Centrino
logo, Celeron®, Intel Xeon, Intel SpeedStep®, Itanium®, and Pentium® are
trademarks or registered trademarks of Intel Corporation or its subsidiaries in the
United States and other countries.
Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the
United States, other countries, or both.
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of
Microsoft Corporation in the United States, other countries, or both.
UNIX is a registered trademark of The Open Group in the United States and other
countries.
Printed in USA
GI11-8778-01