
Tivoli Security Information and Event Manager

Version 2.0

Installation Guide



GI11-8778-01
Note
Before using this information and the product it supports, read the information in “Notices” on page 143.

This edition applies to version 2, release 0, modification 0 of IBM Tivoli Security Information and Event Manager
(product number 5724-Z13) and to all subsequent releases and modifications until otherwise indicated in new
editions.
© Copyright IBM Corporation 2010.
US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract
with IBM Corp.
Contents

Figures   v

Tables   vii

About this publication   ix
  Intended audience   ix
  What this publication contains   ix
  Publications   xi
    IBM Tivoli Security Information and Event Manager library   xi
    Prerequisite publications   xii
    Related publications   xii
    Accessing terminology online   xii
    Accessing publications online   xiii
    Ordering publications   xiii
  Accessibility   xiii
  Tivoli technical training   xiii
  Tivoli user groups   xiii
  Support information   xiv
  Conventions used in this publication   xiv
    Typeface conventions   xiv
    Operating system-dependent variables and paths   xv

Chapter 1. Introduction to IBM Tivoli Security Information and Event Manager   1
  Product modules and components   1
    Log Management   1
    Security Information Management (SIM)   2
    Server types and their functions   3
    Event sources   5
    Agents   5
  Sample deployments   5
    Single server deployment   5
    Multiple Log Management Servers deployment   6
    Single Tivoli Security Information and Event Manager Cluster deployment   8
    Multiple Tivoli Security Information and Event Manager Clusters deployment   8
  IPv6 support   10
  What's new   10

Chapter 2. System Requirements   13
  General requirements   13
    Hardware requirements   13
    Network ports   13
  Server requirements for AIX systems   14
  Server requirements for Linux systems   17
  Server requirements for Windows systems   19
  Requirements for Web Applications (browser client)   21
  Requirements for the Tivoli Security Information and Event Manager agent   21
  Determining disk space requirements   22

Chapter 3. Road map   25

Chapter 4. Installing Tivoli Security Information and Event Manager   27
  Planning the installation   28
    Installation DVDs and CDs   28
  Installing in graphical mode   29
  Installing in silent mode   42
    Generating a response file for installation   43
    The sample response file for installation   44
    Modifying the response file for installation   46
    Installing with a response file   47
  Promoting a Standard Server to an Enterprise Server   48
  Promoting a Log Management Server to an Enterprise Server   49

Chapter 5. Configuration tasks   51
  Registering a Standard Server with the Enterprise Server   51
  Scheduling the Consolidation Server to aggregate data   53
  Updating the Java SDK policy files   54
  Replacing the self-signed X.509 certificate with a CA-issued X.509 certificate   55
  IPv6   56
    Configuring IPv6   57
    Additional IPv6 information   58
    Converting an AIX or Linux system from dual stack to IPv6   58
    Enabling network browsing on AIX systems   59
  Configuring the database for large workloads   59
  Increasing the Java heap size on AIX and Linux systems   60

Chapter 6. Upgrading to Tivoli Security Information and Event Manager   61
  Upgrading a Tivoli Compliance Insight Manager Cluster   62
  Upgrading from Tivoli Compliance Insight Manager on Microsoft Windows systems   63
    The migration tool: cifmigrate   67
  Upgrading the Actuator for Windows systems   72
  Upgrading the Actuator for AIX systems   72
  Upgrading the Actuator for Solaris systems   73
  Upgrading the Actuator for HP-UX systems   74

Chapter 7. Uninstalling Tivoli Security Information and Event Manager   75
  Uninstalling in graphical mode   75
  Uninstalling in silent mode   77
    The sample response file for uninstallation   77
    Modifying the response file for uninstallation   78
    Uninstalling using a response file   79

Chapter 8. The agent for Windows systems   81
© Copyright IBM Corp. 2010 iii
  Installing the agent manually on a Windows system   81
  Uninstalling the agent on a Windows system   83

Chapter 9. The agent for AIX systems   85
  Installing the agent for AIX   85
    Installing the agent from the command line   85
    Installing the agent with the SMIT utility   86
  Configuring the agent on an AIX system   88
  Setting the agent to start automatically   88
  Uninstalling the agent for AIX systems   89
    Stopping the agent   89
    Uninstalling the agent for AIX   91

Chapter 10. The agent for Solaris systems   95
  Audit Settings   95
    Starting and stopping the audit daemon   97
  Accounting System   97
  Installing the agent for Solaris   97
    Installing the agent with Admintool   98
    Installing the agent with the pkgadd shell command   99
    Setting up the agent to restart automatically   100
  Uninstalling the agent for Solaris systems   100
    Uninstalling the agent on Solaris systems using the Admintool   101
    Uninstalling the agent on Solaris systems from the command line   101

Chapter 11. The agent for HP-UX systems   103
  Installing the agent using the swinstall command   103
  Configuring the agent manually on HP-UX systems   105
  Starting the agent   105
  Uninstalling the agent for HP-UX using swremove   106

Appendix A. Accessibility   107

Appendix B. Configuring the web browser and system for the Tivoli Integrated Portal   109
  Supported web browsers   109
  Screen resolution   109
  Enabling JavaScript and ActiveX   109
    Enabling ActiveX and configuring security settings in Internet Explorer   109
    Configuring "Trusted sites" in Internet Explorer   110
  Disabling Enhanced Security Configuration in Windows 2003 Server   111
  Disabling Enhanced Security Configuration in Windows 2008 Server   111
  Configuring encryption for Internet Explorer   112
  Configuring encryption for Firefox   112
  Enabling cookies   112
    Enabling cookies in Internet Explorer   113
    Enabling cookies in Firefox   113
  Enabling browser caching   113
    Configuring browser caching in Internet Explorer   113
    Configuring browser caching in Firefox   114
  Turning off the "Show friendly HTTP error messages" parameter in Internet Explorer   114
  Installing language files and fonts   115
    Installing TrueType fonts   115
    Installing language files for Asian languages on Windows 2003 systems   116
  Changing the system locale to support globalized domain names   117
  Configuring the server locale for localized number formatting   118

Appendix C. Account and password naming rules   121

Appendix D. Installation Paths   125

Appendix E. Limits   127

Appendix F. Using DR550 with Tivoli Security Information and Event Manager   129
  Mounting the DR550 drive on AIX and Linux systems using CIFS   129
  Mounting the DR550 drive on Windows systems   130
  Using separate user accounts on the DR550 and Tivoli Security Information and Event Manager   130
  Creating the same user on the DR550 and Tivoli Security Information and Event Manager systems   131
  Managing Log Management Depot data with a DR550 drive   132
    Moving data between the DR550 drive and the Log Management Depot   132
    Relocating the Log Management Depot to the DR550 shared drive on Windows   134
    Relocating the Log Management Depot to the DR550 shared drive on AIX and Linux   135

Appendix G. Installing Fast Connect   137
  Installing AIX Fast Connect Server   137
  Installing AIX Fast Connect client   137

Appendix H. Sharing and mounting remote depots   139
  User credentials   139
  Sharing the depot using Samba on Linux systems   140
  Sharing the depot using Fast Connect on AIX systems   141
  Mounting the remote depot on an AIX or Linux Enterprise Server   142

Notices   143
  Trademarks   145

Index   147

iv Tivoli Security Information and Event Manager V2.0: Installation Guide


Figures
1. Types of Tivoli Security Information and Event Manager Servers   4
2. Sample single server deployment   6
3. Deployment with multiple Log Management Servers   7
4. Medium or large business deployment with a single cluster   8
5. Large business deployment with multiple clusters   9



Tables
1. Network ports for communication   14
2. Solaris flag settings to log success actions   96
3. Solaris flag settings to log failure actions   96
4. Tivoli Security Information and Event Manager limits   127



About this publication
IBM® Tivoli® Security Information and Event Manager Version 2.0 provides
visibility into your security posture, controls the cost of demonstrating compliance,
and reduces the complexity of managing a heterogeneous IT infrastructure through
the use of centralized log management, event correlation, a policy compliance
dashboard, and a reporting engine.

IBM Tivoli Security Information and Event Manager Installation Guide provides a
high-level overview of the IBM Tivoli Security Information and Event Manager
installation process, along with detailed instructions for deploying the Tivoli
Security Information and Event Manager system components and configuring the
network environment. In addition, this publication explains how to upgrade from
IBM Tivoli Compliance Insight Manager 8.5 and how to uninstall Tivoli Security
Information and Event Manager.

Intended audience
This information is designed for network planners, application administrators, and
system administrators.

The target audience for this book includes:
• Network planners and individuals who must plan, implement, and maintain
  security policy and a compliance strategy in their IT environment.
• Application administrators responsible for installing, managing and maintaining
  the Tivoli Security Information and Event Manager software.
• System administrators responsible for the platforms to be audited using Tivoli
  Security Information and Event Manager.

This publication is also useful for system programmers whose roles include
security officer, security manager, EDP auditor, or one who monitors events in the
enterprise IT environment.

Readers should have working knowledge of network security issues, audit
configuration on systems to be audited, SSH communications (keys and
certificates), and web services. They should also be able to perform routine
administrative tasks on both the operating systems of the audited systems and the
operating systems used to deploy Tivoli Security Information and Event Manager
components.

What this publication contains

This publication contains the following sections:
• Chapter 1, “Introduction to IBM Tivoli Security Information and Event
  Manager,” on page 1.
  Provides an introduction to the Tivoli Security Information and Event Manager
  product.
• Chapter 2, “System Requirements,” on page 13.
  Describes hardware and software prerequisites for installing Tivoli Security
  Information and Event Manager.
• Chapter 3, “Road map,” on page 25.
  Provides high-level steps for installing and configuring Tivoli Security
  Information and Event Manager.
• Chapter 4, “Installing Tivoli Security Information and Event Manager,” on page
  27.
  Provides the steps for installing Tivoli Security Information and Event Manager
  through the installation program, which provides a graphical user interface
  (GUI), or silently using a response file.
• Chapter 5, “Configuration tasks,” on page 51.
  Provides information about configuring your Tivoli Security Information and
  Event Manager installation.
• Chapter 6, “Upgrading to Tivoli Security Information and Event Manager,” on
  page 61.
  Provides instructions for upgrading Servers and agents from Tivoli Compliance
  Insight Manager.
• Chapter 7, “Uninstalling Tivoli Security Information and Event Manager,” on
  page 75.
  Provides instructions for uninstalling Tivoli Security Information and Event
  Manager.
• Chapter 8, “The agent for Windows systems,” on page 81.
  Describes how to install and uninstall the agent on Windows® systems.
• Chapter 9, “The agent for AIX systems,” on page 85.
  Describes how to install and uninstall the agent on AIX® systems.
• Chapter 10, “The agent for Solaris systems,” on page 95.
  Describes how to install and uninstall the agent on Solaris systems.
• Chapter 11, “The agent for HP-UX systems,” on page 103.
  Describes how to install and uninstall the agent on HP-UX systems.
• Appendix A, “Accessibility,” on page 107.
  Describes the accessibility features of Tivoli Security Information and Event
  Manager.
• Appendix B, “Configuring the web browser and system for the Tivoli Integrated
  Portal,” on page 109.
  Describes how to configure your web browser and system to use the Tivoli
  Integrated Portal.
• Appendix C, “Account and password naming rules,” on page 121.
  Lists the naming rules for user IDs and passwords used by Tivoli Security
  Information and Event Manager.
• Appendix D, “Installation Paths,” on page 125.
  Lists the installation paths for Tivoli Security Information and Event Manager
  and components.
• Appendix E, “Limits,” on page 127.
  Lists known limits in Tivoli Security Information and Event Manager.
• Appendix F, “Using DR550 with Tivoli Security Information and Event
  Manager,” on page 129.
  Describes how to set up your system to use IBM System Storage® DR550 for
  storing the Tivoli Security Information and Event Manager Log Management
  Depot.
• Appendix H, “Sharing and mounting remote depots,” on page 139.
  Provides information to help you ensure that Enterprise Servers can access the
  depots of Standard Servers.

Publications
This section lists publications in the IBM Tivoli Security Information and Event
Manager library, the prerequisite publications, and the related publications. The
section also describes how to access Tivoli publications online and how to order
Tivoli publications.

IBM Tivoli Security Information and Event Manager library

The following documents are available in the IBM Tivoli Security Information and
Event Manager library:
• IBM Tivoli Security Information and Event Manager Quick Start Guide, GI11-8777-00
  Provides instructions for getting started with Tivoli Security Information and
  Event Manager.
• IBM Tivoli Security Information and Event Manager Installation Guide, GI11-8778-01
  Provides an overview of the installation process and describes installing and
  configuring each of the Tivoli Security Information and Event Manager
  components and their prerequisite software.
• IBM Tivoli Security Information and Event Manager Event Source Guide,
  SC23-9687-01
  Provides information about configuring auditing for supported systems and
  deploying event and user information sources.
• IBM Tivoli Security Information and Event Manager Users Guide, SC23-9689-01
  Provides an overview of the Tivoli Security Information and Event Manager
  components and processes and describes performing common management,
  maintenance, and reporting tasks.
• IBM Tivoli Security Information and Event Manager Administrators Guide,
  SC23-9688-01
  Provides instructions for completing administration tasks that are required for
  all deployments.
• IBM Tivoli Security Information and Event Manager User Reference Guide,
  SC23-9691-01
  Provides reference information about the General Scanning Language (GSL) and
  the GSL Toolkit, which is used to develop and analyze unique event sources
  using Tivoli Security Information and Event Manager.
• IBM Tivoli Security Information and Event Manager Troubleshooting Guide,
  SC23-9690-01
  Provides troubleshooting information and instructions for problem solving.
• IBM Tivoli Basel II Management Module Installation Guide, GI11-8779-01
  Provides an overview and installation information for the IBM Tivoli Basel II
  Management Module.
• IBM Tivoli COBIT Management Module Installation Guide, GI11-8780-01
  Provides an overview and installation information for the IBM Tivoli COBIT
  Management Module.
• IBM Tivoli FISMA Management Module Installation Guide, GI11-9301-01
  Provides an overview and installation information for the IBM Tivoli FISMA
  Management Module.
• IBM Tivoli GLBA Management Module Installation Guide, GI11-9302-01
  Provides an overview and installation information for the IBM Tivoli GLBA
  Management Module.
• IBM Tivoli HIPAA Management Module Installation Guide, GI11-9303-01
  Provides an overview and installation information for the IBM Tivoli HIPAA
  Management Module.
• IBM Tivoli ISO27001 Management Module Installation Guide, GI11-9304-01
  Provides an overview and installation information for the IBM Tivoli ISO27001
  Management Module.
• IBM Tivoli NERC CIP Management Module Installation Guide, GI11-9306-01
  Provides an overview and installation information for the IBM Tivoli NERC CIP
  Management Module.
• IBM Tivoli PCI-DSS Management Module Installation Guide, GI11-9307-01
  Provides an overview and installation information for the IBM Tivoli PCI-DSS
  Management Module.
• IBM Tivoli Sarbanes-Oxley Management Module Installation Guide, GI11-9308-01
  Provides an overview and installation information for the IBM Tivoli
  Sarbanes-Oxley Management Module.

You can obtain the publications from the IBM Tivoli Security Information and
Event Manager Information Center:

http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.tsiem.doc/welcome.html

Prerequisite publications
To use the information in this book effectively, you should have some knowledge
of related software products, which you can obtain from the following sources:
• IBM WebSphere® Application Server Version 6.1 Information Center:
  http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp
  You can obtain PDF versions of the IBM WebSphere Application Server Version
  6.1 documentation at:
  http://ibm.com/software/webservers/appserv/was/library/v61/

Related publications
The Tivoli Software Library provides a variety of Tivoli publications such as white
papers, datasheets, demonstrations, Redbooks®, and announcement letters. The
Tivoli Software Library is available on the web at:

http://publib.boulder.ibm.com/tividd/td/tdprodlist.html

Accessing terminology online
The IBM Terminology website consolidates the terminology from IBM product
libraries in one convenient location. You can access the Terminology website at:

http://ibm.com/software/globalization/terminology

Accessing publications online
IBM posts publications for this and all other Tivoli products, as they become
available and whenever they are updated, to the Tivoli Documentation Central
website at:

http://ibm.com/tivoli/documentation

Note: If you print PDF documents on other than letter-sized paper, set the option
in the File → Print window that allows Adobe® Reader to print letter-sized pages
on your local paper.

Ordering publications
You can order many Tivoli publications online at

http://ibm.com/e-business/linkweb/publications/servlet/pbi.wss

You can also order by telephone by calling one of these numbers:
• In the United States: 800-879-2755
• In Canada: 800-426-4968

In other countries, contact your software account representative to order Tivoli
publications. To locate the telephone number of your local representative, perform
the following steps:
1. Go to http://ibm.com/e-business/linkweb/publications/servlet/pbi.wss
2. Select your country from the list and click Go.
3. Click About this site in the main panel to see an information page that
   includes the telephone number of your local representative.

Accessibility
Accessibility features help users with a physical disability, such as restricted
mobility or limited vision, to use software products successfully. With this product,
you can use assistive technologies to hear and navigate the interface. You can also
use the keyboard instead of the mouse to operate many features of the graphical
user interface.

For additional information, see Appendix A, “Accessibility,” on page 107.

Tivoli technical training
For Tivoli software training information, refer to the IBM Tivoli Education website
at http://ibm.com/software/tivoli/education

Tivoli user groups
Tivoli user groups are independent, user-run membership organizations that
provide Tivoli users with information to assist them in the implementation of
Tivoli Software solutions. Through these groups, members can share information
and learn from the knowledge and experience of other Tivoli users. Tivoli user
groups include the following members and groups:
• 23,000+ members
• 144+ groups

Access the link for the Tivoli Users Group at http://www.tivoli-ug.org.

Support information
If you have a problem with your IBM software, you want to resolve it quickly.

IBM provides the following ways for you to obtain the support you need:
Online
    Access the Tivoli Software Support site at
    http://ibm.com/software/sysmgmt/products/support/index.html?ibmprd=tivman
IBM Support Assistant
    The IBM Support Assistant is a free local software serviceability workbench
    that helps you resolve questions and problems with IBM software
    products. The Support Assistant provides quick access to support-related
    information and serviceability tools for problem determination. To install
    the Support Assistant software, go to http://ibm.com/software/support/isa
Troubleshooting Guide
    For more information about resolving problems, see the IBM Tivoli Security
    Information and Event Manager Troubleshooting Guide.

Conventions used in this publication
This publication uses several conventions for special terms and actions, operating
system-dependent commands and paths.

Typeface conventions
The following typeface conventions are used in this guide.
Bold
    • Lowercase commands and mixed case commands that are otherwise
      difficult to distinguish from surrounding text
    • Interface controls (check boxes, push buttons, radio buttons, spin
      buttons, fields, folders, icons, list boxes, items inside list boxes,
      multicolumn lists, containers, menu choices, menu names, tabs, property
      sheets), labels (such as Tip:, and Operating system considerations:)
    • Keywords and parameters in text
Italic
    • Citations (examples: titles of publications, diskettes, and CDs)
    • Words defined in text (example: a nonswitched line is called a
      point-to-point line)
    • Emphasis of words and letters (words as words example: "Use the word
      that to introduce a restrictive clause."; letters as letters example: "The
      LUN address must start with the letter L.")
    • New terms in text (except in a definition list): a view is a frame in a
      workspace that contains data.
    • Variables and values you must provide: ... where myname represents....
Monospace
    • Examples and code examples
    • File names, programming keywords, and other elements that are difficult
      to distinguish from surrounding text
    • Message text and prompts addressed to the user
    • Text that the user must type
    • Values for arguments or command options

Operating system-dependent variables and paths
This publication uses the Windows convention for specifying environment
variables and for directory notation.

When using the UNIX® command line, replace %variable% with $variable for
environment variables and replace each backslash (\) with a forward slash (/) in
directory paths. The names of environment variables are not always the same in
the Windows and UNIX environments. For example, %TEMP% in Windows
environments is equivalent to $TMPDIR in UNIX environments.

Note: If you are using the bash shell on a Windows system, you can use the UNIX
conventions.



Chapter 1. Introduction to IBM Tivoli Security Information and
Event Manager
IBM Tivoli Security Information and Event Manager (Tivoli Security Information
and Event Manager) is an enterprise-wide auditing program for monitoring
internal computer activity.

Tivoli Security Information and Event Manager provides continuous, non-intrusive
assurance, backed by documentary evidence, that data and systems are managed in
accordance with company policies.

This section includes information about the following topics:
• “Product modules and components”
• “Sample deployments” on page 5
• “IPv6 support” on page 10

Product modules and components
Tivoli Security Information and Event Manager is composed of two modules, three
types of servers, event sources, and agents.

This section describes the following modules and components:
• The “Log Management” module
• The “Security Information Management (SIM)” on page 2 module
• “Server types and their functions” on page 3
• “Event sources” on page 5
• “Agents” on page 5

Log Management
The Log Management module collects log data that is relevant to security auditing
and compliance monitoring. It stores the data on a central server, the Log
Management Server.

This module is the foundation of the product and can be deployed as a stand-alone
module. The module stores the collected log data in its native (raw) format, which
is called the Log Management Depot, or Depot.

Use the Log Management Server to monitor the log collection process through
collect history and log continuity reports. Use these reports to verify that the audit
trails are being correctly managed.

You install the forensics component with this module. The forensics component
provides consolidated log management reporting. It also runs the indexing and
searching processes that support the Depot Investigation tool. This tool enables
keyword searches on the data in the Depot. You can then generate reports on the
content of the collected log files. The Log Management Reporting feature uses the
indexing and search capability and the Tivoli Common Reporting services.
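As an added illustration of what a log continuity check has to compute (example code written for this page, not the product's collect history or log continuity report), the following Python script walks a collect history per event source and flags gaps between consecutive collected chunks, overlapping chunks (an interval collected twice), and empty chunks. The record layout, the tolerance parameter `max_gap`, and the sample collect history are all constructed for the example; the guide does not describe the product's own record format or report logic.

```python
"""Log-continuity check over a collect history (added example, not the
product's own report). Record layout and sample data are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List, Tuple

# (event source, first event in chunk, last event in chunk, chunk size in bytes)
COLLECT_HISTORY = [
    ("web01:syslog",  "2010-03-03T00:00", "2010-03-03T06:00", 1200),
    ("web01:syslog",  "2010-03-03T06:00", "2010-03-03T12:00", 1300),
    ("web01:syslog",  "2010-03-03T14:00", "2010-03-03T18:00", 900),    # nothing covers 12:00-14:00
    ("dc01:security", "2010-03-03T00:00", "2010-03-03T08:00", 50000),
    ("dc01:security", "2010-03-03T07:00", "2010-03-03T16:00", 60000),  # 07:00-08:00 collected twice
    ("dc01:security", "2010-03-03T16:00", "2010-03-04T00:00", 0),      # chunk with no events at all
]

Finding = Tuple[str, str, datetime, datetime]   # (source, kind, start, end)


def _ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M")


def continuity_findings(history, max_gap: timedelta = timedelta(0)) -> List[Finding]:
    """Per source, sort chunks by start time and report:
    'gap'     - next chunk starts more than max_gap after the covered range ends
    'overlap' - next chunk starts before the covered range ends
    'empty'   - a chunk that collected nothing (silent source or broken audit config)
    """
    by_source = defaultdict(list)
    for source, start, end, size in history:
        by_source[source].append((_ts(start), _ts(end), size))

    findings: List[Finding] = []
    for source, chunks in by_source.items():
        chunks.sort()
        covered_until = None
        for start, end, size in chunks:
            if size == 0:
                findings.append((source, "empty", start, end))
            if covered_until is not None:
                if start > covered_until + max_gap:
                    findings.append((source, "gap", covered_until, start))
                elif start < covered_until:
                    findings.append((source, "overlap", start, min(end, covered_until)))
            covered_until = end if covered_until is None else max(covered_until, end)
    return findings


def report(findings: List[Finding]) -> List[str]:
    """Render findings as one line each, suitable for a continuity report."""
    return [f"{source}: {kind} {start:%Y-%m-%d %H:%M} .. {end:%Y-%m-%d %H:%M}"
            for source, kind, start, end in findings]


if __name__ == "__main__":
    for line in report(continuity_findings(COLLECT_HISTORY)):
        print(line)
```

A gap is the finding an auditor cares about most, because it is indistinguishable after the fact from log tampering; an overlap is usually a scheduling error, but it inflates event counts in any report built on the duplicated interval.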



Security Information Management (SIM)
The SIM module evaluates and reports on user-oriented events and evaluates them
against predetermined policy.

The SIM module provides after-the-fact policy-based analysis and compliance
reporting on the event logs collected by the Log Management module. The SIM
module requires the Log Management module as a prerequisite. It gathers much of
the data from logs such as UNIX Syslog and Microsoft® logs. With the SIM
module, you can understand user activity through a security compliance
dashboard that summarizes event data. Using the dashboard, you can quickly:
• Gain an overview of security compliance activities.
• Understand user activities and security events.
• Compare and report on these activities and events in relation to regulatory and
  acceptable-use frameworks.
• Monitor privileged user activity and security events.

The SIM module monitors user behavior for compliance with various laws and
external and internal regulations and policies. It can compare behaviors that you
want users to exhibit against their observed behaviors, and report differences.

The SIM module can monitor user behavior on a wide range of end points (also
called platforms). These platforms include operating systems, middleware,
applications, and devices.

The SIM module builds on the Log Management module. The SIM function
consists of two parts: W7 normalization and W7 reporting.
W7 normalization
    To test policy or run reports, the platform-specific, raw log data must be
    normalized. Raw data is stored in flat files in the Log Management Depot
    on the Log Management Server. When policy evaluation or reporting is
    required, the data is normalized into a common format called W7. W7
    normalization includes format normalization as well as normalization of
    event type and object type semantics.
W7 reporting
    Tivoli Security Information and Event Manager provides a set of packaged
    reports for privileged-user monitoring and auditing that report against
    normalized W7 data. It also provides a Web interface for you to define
    custom W7-based reports.
    Tivoli Security Information and Event Manager also provides Compliance
    Management Modules. These modules contain reports that are designed to
    monitor compliance with specific laws and regulations. The current
    Compliance Management module suite consists of:
    • Health Insurance Portability and Accountability Act (HIPAA)
    • Sarbanes-Oxley (SOX)
    • Basel II
    • Gramm-Leach-Bliley Act (GLBA)
    • Payment Card Industry Data Security Standard (PCI-DSS)
    • International Standards Organization (ISO) 27001
    • Federal Information Security Management Act of 2002 (FISMA)
    • Control Objectives for Information and related Technology (COBIT)
    • North American Electric Reliability Corporation Critical Infrastructure
      Protection standards (NERC CIP)



You can access reports interactively through a Web interface that supports
extensive drill-down capabilities. You can also define a schedule to
distribute reports through email.
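The following Python example, added here and not taken from the product or this guide, shows the two halves of normalization the text describes: format normalization (parsing a UNIX syslog line and a Windows Security event record into one record layout) and semantic normalization (mapping platform-specific event identifiers such as sshd's "Accepted password" and Windows event ID 4624 onto one event-type vocabulary), after which a single policy question can be asked across both platforms. The seven field names follow the conventional reading of W7 as who, what, when, where, where-from, where-to and on-what; the product's actual W7 schema, its event-type vocabulary and the sample log records are assumptions constructed for the example.

```python
"""Illustrative W7-style normalizer (added example, not TSIEM code).

The seven field names follow the conventional reading of "W7"; the
product's real schema, event-type vocabulary and the sample records
below are assumptions for this example.
"""
import re
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Optional


@dataclass
class W7Event:
    who: str        # acting user
    what: str       # normalized event type, e.g. "Logon/Success"
    when: str       # ISO 8601 timestamp, UTC
    where: str      # host on which the event was recorded
    wherefrom: str  # origin address, "" if the platform does not record one
    whereto: str    # target service or logon path
    onwhat: str     # normalized object type, e.g. "Account"


# Constructed sample records: one success/failure pair from sshd via syslog and
# the equivalent pair of Windows Security events, already split into fields.
SYSLOG_OK = "Mar  3 08:15:02 web01 sshd[2231]: Accepted password for alice from 10.0.0.7 port 51022 ssh2"
SYSLOG_FAIL = "Mar  3 08:16:40 web01 sshd[2240]: Failed password for invalid user bob from 10.0.0.9 port 51100 ssh2"
WIN_OK = {"EventID": 4624, "Computer": "DC01", "TargetUserName": "alice",
          "IpAddress": "10.0.0.7", "LogonType": 10, "TimeCreated": "2010-03-03T08:15:05Z"}
WIN_FAIL = {"EventID": 4625, "Computer": "DC01", "TargetUserName": "bob",
            "IpAddress": "10.0.0.9", "LogonType": 3, "TimeCreated": "2010-03-03T08:16:45Z"}

# Semantic normalization: platform-specific phrases / event IDs -> one vocabulary.
SSHD_PATTERNS = [
    (re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)"), "Logon/Success"),
    (re.compile(r"Failed \w+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"), "Logon/Failure"),
]
WIN_EVENT_TYPES = {4624: "Logon/Success", 4625: "Logon/Failure"}

# Format normalization: BSD syslog header. Syslog carries no year, so the
# caller supplies it; timestamps are assumed to be UTC for the example.
SYSLOG_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>\w+)\[\d+\]: (?P<msg>.*)$")


def _utc_iso(dt: datetime) -> str:
    return dt.replace(tzinfo=timezone.utc).isoformat()


def normalize_syslog(line: str, year: int = 2010) -> Optional[W7Event]:
    """Map one sshd syslog line to W7; lines from other programs stay raw."""
    m = SYSLOG_RE.match(line)
    if not m or m["prog"] != "sshd":
        return None
    for pattern, event_type in SSHD_PATTERNS:
        hit = pattern.search(m["msg"])
        if hit:
            when = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                                     "%Y %b %d %H:%M:%S")
            return W7Event(who=hit["user"], what=event_type, when=_utc_iso(when),
                           where=m["host"], wherefrom=hit["src"],
                           whereto=f"{m['host']}:sshd", onwhat="Account")
    return None


def normalize_windows(event: dict) -> Optional[W7Event]:
    """Map a Windows Security logon event (selected by EventID) to W7."""
    event_type = WIN_EVENT_TYPES.get(event.get("EventID"))
    if event_type is None:
        return None
    when = datetime.strptime(event["TimeCreated"], "%Y-%m-%dT%H:%M:%SZ")
    return W7Event(who=event["TargetUserName"], what=event_type, when=_utc_iso(when),
                   where=event["Computer"], wherefrom=event.get("IpAddress", ""),
                   whereto=f"{event['Computer']}:logon-type-{event['LogonType']}",
                   onwhat="Account")


def normalize_all() -> list:
    raw = [normalize_syslog(SYSLOG_OK), normalize_syslog(SYSLOG_FAIL),
           normalize_windows(WIN_OK), normalize_windows(WIN_FAIL)]
    return [e for e in raw if e is not None]


def failed_logons(events) -> list:
    """One policy question asked once across both platforms: who failed to log on, from where."""
    return sorted({(e.who, e.wherefrom) for e in events if e.what == "Logon/Failure"})


if __name__ == "__main__":
    events = normalize_all()
    for e in events:
        print(asdict(e))
    print("failed logons:", failed_logons(events))
```

The point of the semantic tables is that `failed_logons` never mentions sshd or event 4625: once the platform-specific vocabulary is folded into the `what` field, the same report or policy rule applies to every audited platform. Records the normalizer does not recognise are returned as `None` and stay in the Depot in raw form, which matches the separation between the Log Management Depot and the normalized data that the text describes.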

To implement W7 normalization and reporting, you install SIM Servers, which can
be Standard Servers or Enterprise Servers.

The Standard Server performs basic security information management on audited
systems and devices. That is, the Standard Server collects log files, stores them in
the depot, normalizes them to W7, and performs compliance reporting.

The Enterprise Server provides centralized log management and forensic functions,
enabling these features to operate across multiple Standard Servers. The Enterprise
Server and the Standard Servers on which it reports are called a Tivoli Security
Information and Event Manager Cluster. The cluster contains one Enterprise Server
and up to three Standard Servers.

If you have more than one Server, the Servers are grouped into a Security Group.
In the Security Group, one of the servers is also a Security Server. The Security
Server performs user authentication and access authorization for all the servers in
the Security Group. A Security Group can contain multiple Tivoli Security
Information and Event Manager Clusters.

Server types and their functions

This section describes the types of servers and the functions they perform.

The three types of Servers are shown in Figure 1 on page 4.

Chapter 1. Introduction to IBM Tivoli Security Information and Event Manager 3


[Figure 1 shows the three server types as layers: the Log Management Server
provides Log Management; the SIM Standard Server adds Base Normalization; the
SIM Enterprise Server adds Forensics and Consolidation.]

Figure 1. Types of Tivoli Security Information and Event Manager Servers

In summary, you can deploy three types of Tivoli Security Information and Event
Manager Servers.

The Log Management Server provides all Log Management functions, including
log collection, log storage, log retrieval, forensic search, and log management
reports. This server type is deployed to manage log data for which SIM functions,
such as W7 normalization and compliance reporting, are not required. If you did
not purchase the Security Information Module, you can deploy only Log
Management Servers.

The SIM Enterprise Server provides all Log Management Server functions as well
as all SIM functions such as W7 normalization and compliance reporting. In low
data volume environments (less than 15 GB of original log data per day), a single
Enterprise Server might be sufficient.

With higher data volumes, it is better to spread out the workload over clusters.
Clusters consist of one Enterprise Server and up to three attached SIM Standard
Servers. This configuration is the typical SIM deployment configuration. Log
collection, W7 normalization, and compliance reporting are performed by the
Standard Servers; forensic search and log management reporting are performed by
the Enterprise Server. The Enterprise Server also provides a consolidated view of
normalized W7 data on the attached Standard Servers. This view consists of
trending information and summarized incident reporting. A SIM Standard Server
provides log collection, log storage, log retrieval, W7 normalization, and
compliance reporting, but no forensic search or log management reports. If you do
not require forensic search, log management reports, or a consolidated W7 view,
you can choose to deploy only Standard Servers.

Event sources
Tivoli Security Information and Event Manager provides event sources (end points)
to obtain and process activity data from various applications, devices, and
operating systems.

Event sources have a Log Management component and an optional SIM
component. The Log Management component allows raw events to be stored into
the Log Management Depot and allows Log Management reports to be created.
The SIM component provides full W7 support.

For information about installing and using the event sources provided with Tivoli
Security Information and Event Manager, see the IBM Tivoli Security Information and
Event Manager Event Source Guide.

Agents
An agent is a piece of software that collects audit log data from the targeted
platform.

Agent also refers to a network node where log data extracted from end points is
packaged and then transmitted to a Log Management Server or Standard Server.
Agent function (though not the agent itself) is always installed with the Log
Management Server, Standard Server, and Enterprise Server. You can also install an
agent on a computer without an installed server. The agent can then collect data
from an end point and transmit it to a Tivoli Security Information and Event
Manager Server.

Sample deployments
There are many ways to deploy Tivoli Security Information and Event Manager.
Use the examples in this section to help decide how many Servers of each type
you want to install.

This section provides information about the following types of deployments:
v “Single server deployment”
v “Multiple Log Management Servers deployment” on page 6
v “Single Tivoli Security Information and Event Manager Cluster deployment” on
page 8
v “Multiple Tivoli Security Information and Event Manager Clusters deployment”
on page 8

Single server deployment

A proof-of-concept or small business deployment might require only a single Tivoli
Security Information and Event Manager Server.

This Server contains all product components and all required middleware,
including Tivoli Directory Server. Figure 2 shows a sample of a single-server
deployment.

[Figure 2 shows Tivoli Security Information and Event Manager Agents (Collect
scripts, Agent, Actuators) feeding a single Tivoli Security Information and Event
Manager server. The server hosts the Audit Controller, Mappers, Indexer and
Indexes, Depot, eWAS / ISC (LM UI, Cfg UI, Searcher, User Mgt UI, IView), SIM
Auth Daemon, BlueBook, IBM DB2 with the DB2 Database, and Tivoli Directory
Server with its DB2 DB.]

Figure 2. Sample single server deployment

Multiple Log Management Servers deployment

Large environments might require multiple Log Management Servers to handle the
log file indexing workload.

In a large environment, you can set up your systems in either of the following
ways:
v Run each Log Management Server independently, with its own user and
entitlement store.
v Configure the servers to share a user and entitlement store.

Note: This choice is made during deployment and cannot be changed later.

Figure 3 on page 7 shows a deployment with two Log Management servers
sharing user and entitlement stores.

[Figure 3 shows two Tivoli Security Information and Event Manager Log
Management Servers, each fed by Tivoli Security Information and Event Manager
Agents (Collect scripts, Agent, Actuators). Each Log Management Server hosts
eWAS / ISC (LM UI, Searcher, User Mgt UI, Cfg UI), the SIM Auth Daemon, IBM
DB2 with the DB2 Database, BlueBook, and an Indexer; the shared Tivoli Directory
Server with its DB2 DB runs on one of the two servers.]

Figure 3. Deployment with multiple Log Management Servers

Single Tivoli Security Information and Event Manager Cluster
deployment
A medium to large business might require a Tivoli Security Information and Event
Manager Cluster.

Figure 4 shows this setup where the Enterprise Server also holds the user and
entitlement store.

[Figure 4 shows one Enterprise Server (with user entitlement stores) running
Tivoli Directory Server, and three Standard Servers. Each Standard Server has its
own DB2 Federated Database and its own Agents, and authenticates and manages
users through the Tivoli Directory Server on the Enterprise Server.]

Figure 4. Medium or large business deployment with a single cluster

Multiple Tivoli Security Information and Event Manager
Clusters deployment
Large corporations often require multiple Tivoli Security Information and Event
Manager Clusters.

These clusters can still use the same Tivoli Directory Server and entitlement store.
Figure 5 on page 9 shows this setup.

[Figure 5 shows two clusters. CLUSTER A consists of an Enterprise Server (with
user entitlement stores) running Tivoli Directory Server and three Standard
Servers. CLUSTER B consists of its own Enterprise Server and Standard Servers.
Every Standard Server has a DB2 Federated Database and Agents, and all servers in
both clusters authenticate and manage users through the Tivoli Directory Server in
CLUSTER A.]

Figure 5. Large business deployment with multiple clusters

IPv6 support
Tivoli Security Information and Event Manager can be installed in Internet Protocol
version 6 (IPv6) enabled environments. IPv6 is tolerated but not used by Tivoli
Security Information and Event Manager.

For the product as a whole, all components can be deployed on the following
types of systems:
v IPv4-only systems
v Systems that provide both IPv4 and IPv6 connectivity (dual stack)
v IPv6-only systems

Note: The installation must be done in an IPv4-only or dual stack mode when
installing on AIX and Linux® systems. On AIX and Linux systems, you must
enable the IPv4 protocol before you install Tivoli Security Information and Event
Manager, even if you do not plan to use IPv4. After you successfully install Tivoli
Security Information and Event Manager, you can disable IPv4. See “Converting an
AIX or Linux system from dual stack to IPv6” on page 58 for details.
v For the Log Management module:
– Log files can be collected through both IPv6 and IPv4. Some collect
mechanisms might not be supported over IPv6, depending on the capabilities
of required third-party tools and APIs.
– IPv6 addresses that occur in the collected log files are correctly parsed and
visible in Log Management reports.
v For the SIM module:
IPv6 addresses that occur in the collected log files are correctly parsed and
visible in W7 reports.

The following items are not provided:
v For the Log Management module:
– The product does not apply audit profiles using IPv6.
– The product does not remotely install the agent for Windows systems using
IPv6.
– The product does not search log files for IPv6 addresses.
v For the SIM Module:
– The product does not reconcile different textual representations of a single
IPv6 address, showing them as a single address in the Log Management and
W7 reports.
– The product does not provide W7 grouping rules for IPv6 addresses and
address ranges.
– The product does not send SNMP or email alerts over IPv6.
– The product does not distribute W7 reports by email using an IPv6-only mail
host.

What's new
Tivoli Security Information and Event Manager version 2.0 provides a number of
new features and functions.
New server platform support
Tivoli Security Information and Event Manager servers now run on the
64-bit versions of Microsoft Windows Server 2008, Microsoft Windows
Server 2003, IBM AIX versions 6.1 and 5.3, and Red Hat Enterprise Linux
versions 5.3 and 5.4. IBM WebSphere Application Server is used as the
application infrastructure. These changes provide you with better
scalability and performance.
New and updated compliance management modules
IBM Tivoli COBIT Management Module
A new module that helps you manage your adherence to Control
Objectives for Information and related Technology. COBIT is a set
of best practices for managing information technology assets and
policy.
IBM Tivoli NERC CIP Management Module
A new module that helps you manage your adherence to the North
American Electric Reliability Corporation Critical Infrastructure
Protection standards. NERC CIP is a set of security procedures that
United States-based energy suppliers must take to protect the
energy grid.
IBM Tivoli PCI-DSS Management Module
Support for Payment Card Industry Data Security Standard
(PCI-DSS) Version 1.2 has been added.
Many new event sources and user information sources
You can collect audit data from many new sources, including Tivoli Access
Manager for Enterprise Single Sign-On, Tivoli Key Lifecycle Manager,
Tivoli Access Manager for e-business version 5.1, Tivoli Federated Identity
Manager, Microsoft Windows Server 2008, and Microsoft Windows Server
2008 Active Directory. Additional support for syslog-based devices and
Linux for System z is also provided.
New language support
Tivoli Security Information and Event Manager is translated into these
languages:
v Brazilian Portuguese
v French
v German
v Hungarian
v Italian
v Japanese
v Korean
v Polish
v Russian
v Spanish
v Simplified Chinese
v Traditional Chinese
Web-based administration
You can seamlessly manage multiple Tivoli Security Information and Event
Manager servers from one web browser.
Enhanced reporting capabilities
Using the capabilities provided by Tivoli Common Reporting, you can
produce new reports and design your own. Near real-time analytics
provide insider threat analysis and alerting. You can then act on alerts for
important events such as multiple logon failures.

Chapter 2. System Requirements
You must make sure that your environment meets the minimum system
requirements described in this section before you can successfully install Tivoli
Security Information and Event Manager.

This chapter describes the supported operating systems, disk space, memory, and
software prerequisites for the following components:
v Tivoli Security Information and Event Manager Standard Server
v Tivoli Security Information and Event Manager Enterprise Server
v Tivoli Integrated Portal
v Tivoli Security Information and Event Manager Web Applications (browser
client)
v Tivoli Security Information and Event Manager agent

General requirements
The following system requirements apply to all operating systems (AIX, Linux, and
Windows) on which Tivoli Security Information and Event Manager can be
installed.

Hardware requirements
The hardware requirements in this section are stated in terms of actual physical
hardware. Additional resources are needed when running in a virtual machine
(VM) environment.

Tivoli Security Information and Event Manager is processor, storage, and memory
intensive when operating under heavy load. Additional resources, such as more
memory or more processor power, are required to achieve adequate throughput
and performance when running in a virtual machine environment. Both IBM
PowerVM™ Hypervisor and VMware ESX are supported. Perform a thorough
capacity planning analysis to ensure that your VM environment is equivalent to
running on a dedicated physical machine.

For best results, ensure that the server components are the only non-operating
system software running on the system.

Network ports
The Tivoli Security Information and Event Manager Server and agent components
of Tivoli Security Information and Event Manager use a number of network ports
for communication.

The default ports are described in Table 1 on page 14.

The ports are used to enable the different devices and systems to communicate
with each other. Ensure that the systems hosting the Tivoli Security Information
and Event Manager components are connected to the Server through an Internet
Protocol network.

© Copyright IBM Corp. 2010 13


If the default base port (5992) and the next sequential port (5993) are unavailable,
specify a different base port number during installation. The installation program
verifies whether the ports are available.
1. Ensure that the base port and the base port + 1 are available locally on the
Server and agent.
2. Verify that any network devices, such as routers and firewalls, that are located
between the Server and the agent permit two-way network traffic over the base
port.

Note: The following event sources require certain TCP ports:
v Monitored Windows event sources require TCP port 139 with a one-way
connection.
v Monitored UNIX SSH event sources require TCP port 22 (by default) with a
one-way connection.
Table 1. Network ports for communication

Base port: 5992 (default)
    Used for two-way communication between agent and Server. Requires a
    two-way connection on the base port between the Tivoli Security
    Information and Event Manager Server and the agent.
Base port + 1: 5993 (default)
    Used by the Tivoli Integrated Portal to connect to the server (but
    always locally on a server or an agent).
Web Applications (http): 16315
    Used for non-secure communications between the Tivoli Integrated Portal
    (which acts as a web server) and the client web browser.
Web Applications (https): 16316
    Used for secure communications between the Tivoli Integrated Portal and
    the client web browser.
Other local ports: 49152-65535 (assigned dynamically)
    Used for internal communication of the Tivoli Security Information and
    Event Manager Server. The software detects and skips ports that are
    already in use.
DB2®: 31000 and 31001 (default); you can specify different ports during
installation
    Used between:
    v Tivoli Directory Server (or LDAP) and the back-end database for
      Tivoli Directory Server (port 31000)
    v Tivoli Security Information and Event Manager Servers and their
      back-end DB2 databases (port 31001)
Tivoli Directory Server (LDAP): 389
    Windows systems only: Used for authentication requests sent to Tivoli
    Directory Server.

Server requirements for AIX systems

On AIX systems, the following hardware, software, and configuration requirements
must be met for the Enterprise Server, Standard Server, and Log Management
Server to work properly.

Hardware requirements

The Enterprise Server, Standard Server, and Log Management Server have the
following processor and RAM requirements:
Minimum Enterprise Server requirements
v Any system from the POWER® family of processors (64-bit)
v 8 GB RAM (+ 0.5 GB for each Reporting Database)
v The swap space must be at least equal to the amount of the RAM on
your system, or slightly more (such as 1.25 times the amount of RAM).
If you have a lot of RAM, then the amount of swap space can be
smaller. If you do not have a lot of RAM, then the amount of swap
space must be larger.
v Ensure that the following directories have at least the minimum amount
of space:
– 1 GB in /
– 1 GB in /usr
– 1 GB in /var
– 2 GB in /tmp
– 1 GB in /home
– 10 GB in /opt
v A minimum of 200 GB of free hard disk space is required. Specific
requirements depend on log volumes and types of log data. For
information about determining the required disk space, see
“Determining disk space requirements” on page 22.
Minimum Standard Server requirements
v Any system from the POWER family of processors (64-bit)
v 8 GB RAM (+ 0.5 GB for each Reporting Database)
v The swap space must be at least equal to the amount of the RAM on
your system, or slightly more (such as 1.25 times the amount of RAM).
If you have a lot of RAM, then the amount of swap space can be
smaller. If you do not have a lot of RAM, then the amount of swap
space must be larger.
v Ensure that the following directories have at least the minimum amount
of space:
– 1 GB in /
– 1 GB in /usr
– 1 GB in /var
– 2 GB in /tmp
– 1 GB in /home
– 10 GB in /opt
v A minimum of 200 GB of free hard disk space is required. Specific
requirements depend on log volumes and types of log data. For
information about determining the required disk space, see
“Determining disk space requirements” on page 22.
Minimum Log Management Server requirements
v Any system from the POWER family of processors (64-bit)
v 8 GB RAM

v The swap space must be at least equal to the amount of the RAM on
your system, or slightly more (such as 1.25 times the amount of RAM).
If you have a lot of RAM, then the amount of swap space can be
smaller. If you do not have a lot of RAM, then the amount of swap
space must be larger.
v Ensure that the following directories have at least the minimum amount
of space:
– 1 GB in /
– 1 GB in /usr
– 1 GB in /var
– 2 GB in /tmp
– 1 GB in /home
– 10 GB in /opt
v A minimum of 200 GB of free hard disk space is required. Specific
requirements depend on log volumes and types of log data. For
information about determining the required disk space, see
“Determining disk space requirements” on page 22.

Software requirements

The Enterprise Server, Standard Server, and Log Management Server all require the
following software:
v One of the following operating systems:
– AIX 5.3 Service Pack 5300-04-01 (64-bit)
– AIX 6.1 (64-bit)

Note: Technology level 6100-04-00-0943, or later, must be installed when
using an AIX 6.1 Enterprise Server with one or more standard servers
running Windows Server 2008.
v Ensure that the sudo and seq utilities are available by installing the following
packages:
sudo-1.6.7p5-3
coreutils-5.2.1-2
v For the forensic search function, the AIX Fast Connect component must be
installed on any AIX Log Management Server or AIX Enterprise Servers. This
installation is not performed by the installation program and must be performed
separately. For more information, see “Installing AIX Fast Connect Server” on
page 137 and “Installing AIX Fast Connect client” on page 137.
v For SSH collect, OpenSSH for AIX must be installed on the AIX agent, AIX
Servers, and AIX Log Management Server involved in the collect operations. If
OpenSSH is not installed, SSH collections from an AIX system do not work. This
installation is not performed by the installation program and must be performed
separately.

Configuration requirements

Before installing Tivoli Security Information and Event Manager, configure the AIX
system according to the following requirements.
Increase the number of active processes to 512.
1. Start SMIT.
2. Select System Environments.
3. Select Change/Show Characteristics of Operating System.
4. In the Maximum number of PROCESSES allowed per user parameter,
change the default value from 128 to 512.

Note: There is a limit for the number of processes allowed per user on
AIX. The default value is 128 processes per user. This might not be
enough if there are more than 100 event sources defined on the server.
Increase the number of open files allowed per process.
Ensure that the number of open files allowed per process is set to at least
2048. Edit the /etc/security/limits file. Modify the lines in the default
stanza, or add these lines if they do not exist:
nofiles = 2048
nofiles_hard = 65536

Log off and log on again to reload the settings for the root user. You also
can restart the system to make the change effective for all users.
Install the AIX Fast Connect server and client.
For more information, see “Installing AIX Fast Connect Server” on page
137 and “Installing AIX Fast Connect client” on page 137.

Server requirements for Linux systems

On Linux systems, the following hardware, software, and configuration
requirements must be met for the Enterprise Server, Standard Server, and Log
Management Server to work properly.

Hardware requirements

The Enterprise Server, Standard Server, and Log Management Server have the
following processor and RAM requirements:
Minimum Enterprise Server requirements
v Quad Core Intel® Xeon® 3.0 GHz processor (64-bit)
v 8 GB RAM (+ 0.5 GB for each Reporting Database)
v Temp directory: 100 MB for the /tmp directory (during installation). The
temporary directory is the working directory for the installation
program.
v A minimum of 200 GB of free hard disk space is required. Specific
requirements depend on log volumes and types of log data. For
information about determining the required disk space, see
“Determining disk space requirements” on page 22.
Minimum Standard Server requirements
v Quad Core Intel Xeon 3.0 GHz processor (64-bit)
v 8 GB RAM (+ 0.5 GB for each Reporting Database)
v Temp directory: 100 MB for the /tmp directory (during installation). The
temporary directory is the working directory for the installation
program.
v A minimum of 200 GB of free hard disk space is required. Specific
requirements depend on log volumes and types of log data. For
information about determining the required disk space, see
“Determining disk space requirements” on page 22.
Minimum Log Management Server requirements
v Quad Core Intel Xeon 3.0 GHz processor (64-bit)

v 8 GB RAM
v Temp directory: 100 MB for the /tmp directory (during installation). The
temporary directory is the working directory for the installation
program.
v A minimum of 200 GB of free hard disk space is required. Specific
requirements depend on log volumes and types of log data. For
information about determining the required disk space, see
“Determining disk space requirements” on page 22.

Software requirements

The Enterprise Server, Standard Server, and Log Management Server all require the
following software:
v One of the following operating systems:
– Red Hat Enterprise Linux 5.3 for x86-64 bit
– Red Hat Enterprise Linux 5.4 for x86-64 bit
v UTF-8 must be enabled as the default character encoding for the operating
system.
v Ensure that the sudo utility is installed.
v The Korn shell, provided in the pdksh rpm package, is required. Install the most
recent version available for your operating system.
v Ensure that the following packages are installed. These packages are usually
installed by default with the operating system.
compat-gcc
compat-gcc-c++
compat-libstdc++
compat-libstdc++-devel
glibc-devel
glibc-headers
glibc-kernheaders

Configuration requirements

The Enterprise Server, Standard Server, and Log Management Server all require the
following configuration:
Install libstdc++.so.5 rpm:
1. Mount the Red Hat Enterprise Linux 5 DVD (or CD 1). For example:
/media/cdrom.
2. Locate the appropriate compat-libstdc++-33-3.2.3-47.3.rpm file (or
later) for your system on the Red Hat Enterprise Linux 5 installation
DVD or CD. For example, you can use the command:
find /media/cdrom -name 'compat-libstdc++*' -print
(Quote the pattern so that the shell does not expand it before find runs.)

Note: The package version number might be different depending on
whether the operating system is Red Hat Enterprise Linux version 5.3
or 5.4.
3. Run rpm -ivh /media/cdrom/RedHat/RPMS/compat-libstdc++-33-3.2.3-47.3.rpm.
Substitute the correct mount point, directory name, and file name for
/media/cdrom/RedHat/RPMS/compat-libstdc++-33-3.2.3-47.3.rpm (use the
file name that step 2 found).
Turn off native security.
To prevent errors when installing, turn off the Red Hat Enterprise Linux
native security (SELinux) before you install Tivoli Security Information
and Event Manager.
To turn off the Red Hat Enterprise Linux native security on the running
system, type setenforce 0 as root; this puts SELinux into permissive mode
until the next restart. Alternatively, you can turn off the native security
by editing the /etc/selinux/config file and setting the parameter
SELINUX=disabled, which takes effect at the next restart.

Note: After installing Tivoli Security Information and Event Manager, turn
Red Hat Enterprise Linux native security on again by typing setenforce 1
as root. Alternatively, you can turn on the native security by editing the
/etc/selinux/config file and setting the parameter SELINUX=enforcing.
Install Samba to enable Windows connectivity.
If you want to register a Standard Server on a Linux platform to an
Enterprise Server on a Windows platform, then you must install Samba to
enable the systems to communicate with each other. Install the following
packages (RPMs), located on the Red Hat Enterprise Linux installation
media:
v samba-common-3.0.33-3.7.el5
v system-config-samba-1.2.41-3.el5
v samba-3.0.33-3.7.el5

Note: The package version number might be different depending on
whether the operating system is Red Hat Enterprise Linux version 5.3 or
5.4.
For more information, see “Sharing the depot using Samba on Linux
systems” on page 140.
Increase the number of open files allowed per process.
Ensure that the number of open files allowed per process is set to at least
2048. Edit the /etc/security/limits.conf file and modify the existing
lines, or add these lines if they do not exist:
* soft nofile 2048
* hard nofile 65536

Log off and log on again to reload the settings for the root user. You also
can restart the system to make the change effective for all users. The ulimit
-a command can be used after a logoff or reboot to verify that the limit has
been changed.
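The port check described with Table 1 (base port and base port + 1 free, 5992 and 5993 by default) and the Linux configuration requirements above can be verified before the installation program runs. The script below is an added example and is not part of the IBM guide or the product; it assumes a POSIX shell with awk, sed and grep, reads the listener table and the limits.conf and SELinux config files as input so that it can be exercised on constructed data, and uses the package names listed in this chapter.

```shell
#!/bin/sh
# Pre-installation checks for the Chapter 2 requirements (added example,
# not part of the IBM guide). Each check reads its input as text or from a
# file so it can be run against constructed data; the commands that
# produce the live input on a RHEL 5 host are named in the comments.

# 1. The base port and base port + 1 (5992 and 5993 by default) must be
#    free locally. $1 = base port; stdin = listener table as printed by
#    "ss -ltn" or "netstat -ltn" (fourth column is "address:port").
base_ports_free() {
    base="$1"
    next=$((base + 1))
    busy=$(awk -v a="$base" -v b="$next" '
        { n = split($4, f, ":"); p = f[n]      # port is the last field,
          if (p == a || p == b) print p }')    # also for [::]:5992
    [ -z "$busy" ]
}

# 2. Open files per process must be at least 2048. $1 = a file in
#    /etc/security/limits.conf syntax ("<domain> <type> nofile <value>");
#    "-" as the type sets soft and hard at once. Returns 0 when the soft
#    limit for "*" or root is >= 2048 and the hard limit is not below it.
limits_conf_ok() {
    awk '$1 !~ /^#/ && ($1 == "*" || $1 == "root") && $3 == "nofile" {
             if ($2 == "soft" || $2 == "-") soft = $4
             if ($2 == "hard" || $2 == "-") hard = $4
         }
         END { exit !(soft >= 2048 && hard >= soft) }' "$1"
}

# 3. SELinux must not be enforcing while the installer runs. $1 = a file
#    in /etc/selinux/config syntax. "setenforce 0" switches the running
#    kernel to permissive mode (check with getenforce); the config file
#    only controls the mode at the next boot.
selinux_config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

selinux_install_ok() {
    case "$(selinux_config_mode "$1")" in
        disabled|permissive) return 0 ;;
        *) return 1 ;;
    esac
}

# 4. Packages named in the software requirements. stdin = installed
#    package names, one per line (rpm -qa --queryformat '%{NAME}\n').
#    Prints the names that are missing; prints nothing when all are present.
REQUIRED_RPMS="sudo pdksh compat-gcc compat-gcc-c++ compat-libstdc++
compat-libstdc++-devel glibc-devel glibc-headers glibc-kernheaders"

missing_packages() {
    installed=$(cat)
    for p in $REQUIRED_RPMS; do
        printf '%s\n' "$installed" | grep -qxF "$p" || echo "$p"
    done
}

# Live run on the target host (uncomment there):
# ss -ltn | base_ports_free 5992 && echo "base ports 5992/5993 are free"
# limits_conf_ok /etc/security/limits.conf && echo "nofile limit ok"
# selinux_install_ok /etc/selinux/config && echo "SELinux not enforcing"
# rpm -qa --queryformat '%{NAME}\n' | missing_packages
```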

Server requirements for Windows systems

On Windows systems, the following hardware, software, and configuration
requirements must be met for the Enterprise Server, Standard Server, and Log
Management Server to work properly.

Hardware requirements

The Enterprise Server, Standard Server, and Log Management Server have the
following processor and RAM requirements:
Minimum Enterprise Server requirements
v Quad Core Intel® Xeon® 3.0 GHz processor (64-bit)
v 8 GB RAM (+ 0.5 GB for each Reporting Database)
v Temp directory: 600 MB (during installation)

v A minimum of 200 GB of free hard disk space is required. Specific
requirements depend on log volumes and types of log data. For
information about determining the required disk space, see
“Determining disk space requirements” on page 22. The disks that store
the log management depot and indexes must be fast (at least 10,000
RPM) and configured in a striped configuration (for example, RAID 5).
Minimum Standard Server requirements
v Dual Core Intel Xeon 3.0 GHz processor (64-bit)
v 8 GB RAM (+ 0.5 GB for each Reporting Database)
v Temp directory: 600 MB (during installation)
v A minimum of 200 GB of free hard disk space is required. Specific
requirements depend on log volumes and types of log data. For
information about determining the required disk space, see
“Determining disk space requirements” on page 22. The disks that store
the log management depot and the database instances must be fast (at
least 10,000 RPM) and configured in a striped configuration (for
example, RAID 5).
Minimum Log Management Server requirements
v Quad Core Intel Xeon 3.0 GHz processor (64-bit)
v 8 GB RAM
v Temp directory: 600 MB (during installation)
Minimum hard disk space
v A minimum of 200 GB of free hard disk space is required. Specific
requirements depend on log volumes and types of log data. For
information about determining the required disk space, see
“Determining disk space requirements” on page 22. The disks that store
the log management depot and indexes must be fast (at least 10,000
RPM) and configured in a striped configuration (for example, RAID 5).

Software requirements
The Enterprise Server, Standard Server, and Log Management Server all require the
following software:
v One of the following operating systems:
– Microsoft Windows 2003 Server SP1 (or higher) for 64-bit
– Microsoft Windows 2008 Server for 64-bit
– In addition:
- NetBIOS enabled
- Internet Protocol network connection configured to all other systems
hosting Tivoli Security Information and Event Manager components
- NTFS file system
v To use a screen reader during installation, a JVM (version 1.5 or higher) and the
Java™ Access Bridge must be installed on the computer on which you are
installing Tivoli Security Information and Event Manager. See “Using screen
readers with the Tivoli Security Information and Event Manager installation and
uninstallation programs” on page 108.
v For SSH collect to work, PuTTY must be installed on the Windows agent,
Windows Tivoli Security Information and Event Manager Servers, and Windows
Log Management Servers involved in the collect operations. If PuTTY is not
installed, SSH collections from AIX, HP-UX, Linux, and Solaris systems do not
work. This installation is not performed by the Tivoli Security Information and
Event Manager installation program and must be performed separately. PuTTY
is provided with Tivoli Security Information and Event Manager. You can find
PuTTY on the IBM Tivoli Security Information and Event Manager v2.0 for Windows
DVD in the \utils\putty folder. See the IBM Tivoli Security Information and Event
Manager Event Source Guide for information about installing PuTTY.

Requirements for Web Applications (browser client)


The following hardware, software, and configuration requirements must be met for
the Web Applications, such as Tivoli Integrated Portal and the Compliance
Dashboard, to work properly.

Hardware requirements

A Tivoli Security Information and Event Manager Standard Server or Enterprise
Server must be installed and configured.

Software requirements

One of the following browsers must be installed:


v Internet Explorer 6.0 SP2 or Internet Explorer 7.0 on Windows systems
v Firefox version 2.0, 3.0, or 3.1 on Windows or Linux systems
See Appendix B, “Configuring the web browser and system for the Tivoli
Integrated Portal,” on page 109 for more information about setting up the web
browser.

Requirements for the Tivoli Security Information and Event Manager agent
Supported operating systems

Agents can be run on the following operating systems:


v AIX operating system versions:
– 5L v5.0
– 5L v5.1
– V5.2
– V5.3
– V6.1
v Sun Solaris SPARC version 7 - 10
v HP-UX 11.0 or 11i
v Windows operating system versions:
– Windows NT® 4.0 with Service Pack 6 or higher
– Windows 2000 with Service Pack 2 or higher
– Windows XP Professional with Service Pack 2 or higher
– Windows Server 2003 with Service Pack 1 or higher
– Windows 2008 Server
In addition:
– NetBIOS enabled
– NTFS file system
v z/OS®

Disk space requirements

The amount of disk space required for the log files on the audited systems
depends on several things:
v The amount of activity on the workstation
v The log settings, including the collect schedule and the frequency with which
the audit files are deleted

For guidelines for calculating disk space see “Determining disk space
requirements.”

Software requirements

Agents require the following software and configuration:

v The Korn shell (ksh) must be installed on audited systems that run the
following operating systems:
– AIX
– HP-UX
– Linux
– Sun Solaris
v Install the Tivoli Security Information and Event Manager Server before
installing an agent. For information, see “Installing in graphical mode” on page
29.
v The agent must be able to reach the Tivoli Security Information and Event
Manager Servers through an Internet Protocol network. The Server and agent
components of the Tivoli Security Information and Event Manager system use a
number of network ports for communication; see Table 1 on page 14. Any
firewall between the agent and the Servers must allow those ports.
v To work with the Tivoli Security Information and Event Manager and its
components, use a minimum screen resolution of 1024 x 768.

Determining disk space requirements


The required amount of hard disk space is based on how much data is collected in
the daily log for the monitored platforms and applications, how many days of logs
are kept in the depot, and how many days of logs are kept in the reporting
databases.

The amount of data in the log depot and reporting databases determines the
required hard disk space. You can calculate the approximate disk space needed
using the following formula:

( 1.5 * ( daily_logs_in_GB / 10 ) * num_days_to_keep )     ← depot size
+ ( daily_logs_in_GB * num_days_to_report )                ← reporting database size
+ x GB

where:
daily_logs_in_GB
Total amount of data in the daily logs, in GB.
10 Compression factor for log data.
num_days_to_keep
Number of days that you plan to store data in the log depot.
num_days_to_report
Number of days of data loaded into the reporting databases.
x Amount of disk space needed for program files, temporary files, and other
databases. Minimum value is 25 GB.

The disk size for the Enterprise Server depends on the number of Standard Servers
it manages. The Enterprise Server builds a depot index for each Standard Server.
Each depot index might be as large as the depot for the Standard Server. You can
calculate the required disk space for the Enterprise Server using the following
formula:
depot size of Standard Server 1
+ depot size of Standard Server 2
+ depot size of Standard Server 3

with a maximum of three Standard Servers.
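The sizing formulas above, carried through as an added example in Python. This
calculator is not part of the product or of this guide; it applies the depot,
reporting database, and Enterprise Server formulas exactly as stated, enforces
the 25 GB minimum for x, and rejects more than three Standard Servers per
Enterprise Server. The workload figures in the block are constructed for
illustration; replace them with your own daily log volumes and retention periods.

```python
"""Disk sizing for Tivoli Security Information and Event Manager servers.

Added example, not part of the product or of the original guide. It applies
the formulas stated in this section; the workload figures at the bottom are
constructed for illustration.
"""
from dataclasses import dataclass

COMPRESSION_FACTOR = 10      # compression factor for log data in the depot
DEPOT_OVERHEAD = 1.5         # factor applied to the compressed depot size
MIN_OTHER_GB = 25.0          # minimum for x: program files, temporary files, other databases
MAX_STANDARD_SERVERS = 3     # an Enterprise Server manages at most three Standard Servers


@dataclass(frozen=True)
class Workload:
    """Sizing inputs for one Standard Server."""
    name: str
    daily_logs_gb: float            # daily_logs_in_GB
    num_days_to_keep: int           # days of logs kept in the depot
    num_days_to_report: int         # days of logs loaded into the reporting databases
    other_gb: float = MIN_OTHER_GB  # x


def depot_size_gb(daily_logs_gb, num_days_to_keep):
    """1.5 * (daily_logs_in_GB / 10) * num_days_to_keep"""
    return DEPOT_OVERHEAD * (daily_logs_gb / COMPRESSION_FACTOR) * num_days_to_keep


def reporting_db_size_gb(daily_logs_gb, num_days_to_report):
    """daily_logs_in_GB * num_days_to_report (reporting data is not compressed)"""
    return daily_logs_gb * num_days_to_report


def standard_server_disk_gb(w):
    """Depot + reporting databases + x for one Standard Server."""
    if w.other_gb < MIN_OTHER_GB:
        raise ValueError(f"x must be at least {MIN_OTHER_GB} GB")
    return (depot_size_gb(w.daily_logs_gb, w.num_days_to_keep)
            + reporting_db_size_gb(w.daily_logs_gb, w.num_days_to_report)
            + w.other_gb)


def enterprise_server_disk_gb(workloads):
    """Sum of the depot sizes of the managed Standard Servers.

    The Enterprise Server builds one depot index per Standard Server, and each
    index can be as large as that server's depot.
    """
    if len(workloads) > MAX_STANDARD_SERVERS:
        raise ValueError(
            f"an Enterprise Server manages at most {MAX_STANDARD_SERVERS} Standard Servers")
    return sum(depot_size_gb(w.daily_logs_gb, w.num_days_to_keep) for w in workloads)


def sizing_report(workloads):
    """Per-server totals in GB, plus the Enterprise Server figure."""
    report = {w.name: standard_server_disk_gb(w) for w in workloads}
    report["enterprise"] = enterprise_server_disk_gb(workloads)
    return report


# Constructed sample workloads (not taken from the guide).
SAMPLE = [
    Workload("std01", daily_logs_gb=20.0, num_days_to_keep=365, num_days_to_report=30),
    Workload("std02", daily_logs_gb=5.0, num_days_to_keep=180, num_days_to_report=14),
]

if __name__ == "__main__":
    for server, gb in sizing_report(SAMPLE).items():
        print(f"{server}: {gb:.0f} GB")
```

Run the script to print the per-server totals; compare each Standard Server figure
with the minimum free disk space listed earlier in this chapter and use the larger
of the two.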

Chapter 3. Road map
This road map provides an overview of the steps to install, configure, and begin
using a new installation of Tivoli Security Information and Event Manager.

Before you begin

To learn about product concepts, review the following information:


v Chapter 1, “Introduction to IBM Tivoli Security Information and Event
Manager,” on page 1
v The introductory chapters of the IBM Tivoli Security Information and Event
Manager Users Guide

About this task

This road map provides an overview of the steps for a new installation of IBM
Tivoli Security Information and Event Manager.

Note: If you have the IBM Tivoli Compliance Insight Manager product installed
and want to upgrade to Tivoli Security Information and Event Manager, see
Chapter 6, “Upgrading to Tivoli Security Information and Event Manager,” on
page 61.

Procedure
1. Install the Security Server, which can be an Enterprise Server, Standard Server,
or Log Management Server. See “Installing in graphical mode” on page 29.

Note: You can install the Standard Servers before the Enterprise Server.
However, you must install the Enterprise Server before you can register the
Standard Servers on the Enterprise Server.
2. Install the Grouped Servers, which can be Enterprise Servers, Standard
Servers, or Log Management Servers. See “Installing in graphical mode” on page 29.
3. Register all Standard Servers with the Enterprise Server. See “Registering a
Standard Server with the Enterprise Server” on page 51.
4. Add the systems to be audited and the event sources on those systems to the
Tivoli Security Information and Event Manager system. Use the Managing
Audited Machines and Managing Event Sources tasks in the product portal of
the Tivoli Integrated Portal. For information about supported event sources, see
the IBM Tivoli Security Information and Event Manager Event Source Guide. For
information about managing event sources and audited systems, see the system
maintenance information in the IBM Tivoli Security Information and Event
Manager Users Guide.
5. Optional: To set up auditing for your systems, install the agent on the systems
to be audited. See the following topics:
v Chapter 8, “The agent for Windows systems,” on page 81
v Chapter 9, “The agent for AIX systems,” on page 85
v Chapter 10, “The agent for Solaris systems,” on page 95
v Chapter 11, “The agent for HP-UX systems,” on page 103

To install an agent on a z/OS system, see the most recent version of the IBM
Tivoli zSecure Suite: CARLa Driven Components Installation and Configuration
Manual.
6. Configure auditing for the event sources. See the IBM Tivoli Security Information
and Event Manager Event Source Guide.
7. Register all users, using the Users and Roles task in the product portal of the
Tivoli Integrated Portal. See the information about user and role management
in the IBM Tivoli Security Information and Event Manager Administrators Guide.
8. Create a security policy. See the information about policy maintenance in the
IBM Tivoli Security Information and Event Manager Administrators Guide.

What to do next

After you complete these steps, Tivoli Security Information and Event Manager can
audit and load collected data in the Reporting Databases and deliver reports
through the Tivoli Integrated Portal Web application.

Chapter 4. Installing Tivoli Security Information and Event
Manager
A network running Tivoli Security Information and Event Manager contains
several types of Tivoli Security Information and Event Manager Servers.

You must have a Security Group, which contains a Security Server and can have
one or more Grouped Servers.

The use of a Security Group enables centralized user management. The Tivoli
Security Information and Event Manager servers in a Security Group authenticate
users and authorize access through a Lightweight Directory Access Protocol
(LDAP) directory on a designated server called the Security Server. The Security
Server is a Tivoli Security Information and Event Manager Standard Server,
Enterprise Server, or Log Management Server on which is also installed Tivoli
Directory Server. Tivoli Directory Server provides an LDAP server. The Security
Server authenticates the other servers in the Security Group. The Tivoli Security
Information and Event Manager servers that authenticate through the Security
Server are called Grouped Servers.

Both the Security Server and the Grouped Servers can be Standard Servers,
Enterprise Servers, or Log Management Servers.

Within the Security Group, a Tivoli Security Information and Event Manager
Cluster can contain an Enterprise Server and up to three Standard Servers. The
Standard Server performs basic security information management on audited
systems and devices. That is, the Standard Server collects log files, stores them in
the depot, normalizes them to W7, and performs compliance reporting.

The Enterprise Server provides centralized log management and forensic functions,
enabling these features to operate across multiple Standard Servers.

A Security Group can contain one or more Tivoli Security Information and Event
Manager Clusters. All of the Servers in a Tivoli Security Information and Event
Manager Cluster are members of the same Security Group.

In addition, you can install Log Management Servers, which can collect log files,
store them in the depot, and perform forensic functions.

For more information about Tivoli Security Information and Event Manager
Servers, see Chapter 1, “Introduction to IBM Tivoli Security Information and Event
Manager,” on page 1.

For additional information about Tivoli Security Information and Event Manager,
see the IBM Tivoli Security Information and Event Manager Users Guide.

Planning the installation
Before installing, be sure that you understand the types of servers you are
installing.

Decide which computers you want to designate for the following purposes:
v Log Management Servers
v Standard Servers
v Enterprise Servers
In addition, decide which server you want to serve as the Security Server, and
which will be Grouped Servers.

Ensure that each server or workstation hosting Tivoli Security Information and
Event Manager components meets the system requirements outlined in Chapter 2,
“System Requirements,” on page 13.

As described in Chapter 3, “Road map,” on page 25, begin by installing the
Security Server, which can be an Enterprise Server, a Standard Server, or a Log
Management Server. Depending on the size of your installation, add the Grouped
Servers. Be sure that you install the Enterprise Server and the Standard Servers
that you require. After installing the servers, add the systems you want to audit
to your installation, and install the agents as needed.

Installation DVDs and CDs


Before installing, become familiar with the installation DVDs and CDs provided
with Tivoli Security Information and Event Manager.

The IBM Tivoli Security Information and Event Manager product provides the
following installation DVDs:
v IBM Tivoli Security Information and Event Manager v2.0 for Windows
v IBM Tivoli Security Information and Event Manager v2.0 for AIX
v IBM Tivoli Security Information and Event Manager v2.0 for Linux

Note: The DVDs also contain Management Modules that provide
regulation-specific policy templates, reports, and guidelines for:
v Health Insurance Portability and Accountability Act (HIPAA)
v Gramm-Leach-Bliley Act (GLBA)
v Basel II
v Federal Information Security Management Act of 2002 (FISMA)
v Control Objectives for Information and related Technology (COBIT)
v ISO 27001
v Sarbanes-Oxley
v North American Electric Reliability Corporation Critical Infrastructure Protection
standards (NERC CIP)
v Payment Card Industry Data Security Standard (PCI-DSS)

In addition, the following CDs are provided:


v IBM Tivoli Security Information and Event Manager v2.0 for Agents
v IBM Tivoli Security Information and Event Manager 2.0 Quick Start Guide

Instructions for using the DVDs and CDs are provided in the installation
procedures included in this guide.

Installing in graphical mode


Use the procedure in this section to install the Tivoli Security Information and
Event Manager components you want on each Tivoli Security Information and
Event Manager server.

Before you begin

Be sure that you understand the types of servers and know which type you are
installing.

For best results while installing the product, temporarily disable the firewall and
virus checking software on your computer. Re-enable both as soon as the
installation completes, and then allow through the firewall only the ports that the
Servers and agents use for communication (see Table 1 on page 14).

During the installation process, the cifadmin user ID is created if it does not exist.
On AIX and Linux systems, however, the cifadmin user must have the same UID on
the Enterprise Server and on all of the Standard Servers. If you plan to use a
cluster, create the cifadmin user on each of these systems before installing the
product, and set its UID to the same value on every system. You must also create
a cifusers group on each system and add the cifadmin user to that group. Ensure
that the PATH environment variable is not set in the /home/cifadmin/.profile file
that is created, because this can cause the product installation to fail.

Note: An alternate method for ensuring that the cifadmin UID has the same UID
on all systems is to use LDAP for user management and authentication. Create the
cifadmin user as an LDAP user and ensure that all systems in the cluster use the
LDAP server.
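A pre-installation check for the cifadmin requirements above, added here as an
example; it is not part of the product or of this guide. It takes the /etc/passwd
and /etc/group lines and the /home/cifadmin/.profile contents that you collect
from each AIX or Linux system in the planned cluster, and reports a cifadmin UID
that differs between systems, a missing cifusers group, a cifadmin user that is
not a member of cifusers, or a PATH assignment in .profile. The host names and
file contents in the block are constructed sample data.

```python
"""Pre-installation consistency check for the cifadmin user on AIX and Linux.

Added example, not part of the product or of the original guide. Feed it the
/etc/passwd and /etc/group lines and the /home/cifadmin/.profile text that
you collect from every system in the planned cluster.
"""
import re

CIF_USER = "cifadmin"
CIF_GROUP = "cifusers"
# A PATH assignment at the start of a line, optionally via 'export'.
PATH_ASSIGNMENT = re.compile(r"^\s*(?:export\s+)?PATH=", re.MULTILINE)


def parse_passwd(text):
    """Map user name -> (uid, primary gid) from /etc/passwd lines."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4 and not line.startswith("#"):
            users[fields[0]] = (int(fields[2]), int(fields[3]))
    return users


def parse_group(text):
    """Map group name -> (gid, set of supplementary members) from /etc/group lines."""
    groups = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4 and not line.startswith("#"):
            members = {m for m in fields[3].split(",") if m}
            groups[fields[0]] = (int(fields[2]), members)
    return groups


def check_host(passwd_text, group_text, profile_text):
    """Return the problems found on one system (an empty list means it is ready)."""
    problems = []
    users = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    if CIF_USER not in users:
        problems.append(f"user {CIF_USER} does not exist")
    if CIF_GROUP not in groups:
        problems.append(f"group {CIF_GROUP} does not exist")
    if CIF_USER in users and CIF_GROUP in groups:
        _, primary_gid = users[CIF_USER]
        gid, members = groups[CIF_GROUP]
        # Membership counts whether cifusers is the primary group or a supplementary one.
        if primary_gid != gid and CIF_USER not in members:
            problems.append(f"{CIF_USER} is not a member of {CIF_GROUP}")
    if PATH_ASSIGNMENT.search(profile_text):
        problems.append(f"PATH is set in /home/{CIF_USER}/.profile")
    return problems


def check_cluster(hosts):
    """hosts: {host name: (passwd_text, group_text, profile_text)}.

    Returns {host name: [problems]} plus a "*cluster*" entry for the cross-system
    requirement that cifadmin has the same UID everywhere.
    """
    report = {}
    uids = {}
    for host, (passwd_text, group_text, profile_text) in hosts.items():
        report[host] = check_host(passwd_text, group_text, profile_text)
        users = parse_passwd(passwd_text)
        if CIF_USER in users:
            uids[host] = users[CIF_USER][0]
    cluster_problems = []
    if len(set(uids.values())) > 1:
        detail = ", ".join(f"{h}={u}" for h, u in sorted(uids.items()))
        cluster_problems.append(f"{CIF_USER} UID differs between systems: {detail}")
    report["*cluster*"] = cluster_problems
    return report


# Constructed sample data for three systems (host names and contents are not from the guide).
SAMPLE_HOSTS = {
    "ent01": (
        "root:x:0:0:root:/root:/bin/bash\n"
        "cifadmin:x:1001:1001:TSIEM admin:/home/cifadmin:/bin/ksh\n",
        "root:x:0:\ncifusers:x:1001:\n",
        "umask 022\nPS1='$ '\n",
    ),
    "std01": (
        "cifadmin:x:1001:100:TSIEM admin:/home/cifadmin:/bin/ksh\n",
        "users:x:100:\ncifusers:x:1001:cifadmin\n",
        "umask 022\n",
    ),
    "std02": (
        "cifadmin:x:1002:1002:TSIEM admin:/home/cifadmin:/bin/ksh\n",
        "cifusers:x:1002:\n",
        "export PATH=$PATH:/usr/local/bin\n",
    ),
}

if __name__ == "__main__":
    for host, problems in check_cluster(SAMPLE_HOSTS).items():
        print(host, "OK" if not problems else "; ".join(problems))
```

In the sample data, std02 fails on both counts: its cifadmin UID (1002) differs
from the other systems and its .profile sets PATH. Fix every reported problem on
every system before starting the installation program.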

On AIX, Linux, and Windows systems, ensure that you have the proper fonts
installed.

Note:
1. On Windows systems, installation fails if you attempt to access the installation
software through a Universal Naming Convention (UNC) name (such as
\\host_name\path\). Instead, you must specify the letter of a mapped drive.
2. In the following situations, DB2 does not deploy during installation:
v You are using a locale where the Windows Administrator account has been
translated and includes non-Western characters, such as Russian.
v You are using a custom account with Administrator privileges whose name
includes non-Western characters.
To install the product in either of these cases:
a. Create a temporary user with no non-Western characters (for example,
Administrator) and add the user to the Administrators group.
b. Log on as the user you created.
c. Start the installation.
After you finish installing the product, you can remove the temporary user that
you created.

3. On AIX and Linux systems, you must enable the IPv4 protocol before you
install Tivoli Security Information and Event Manager, even if you do not plan
to use IPv4. After you successfully install the Tivoli Security Information and
Event Manager, you can disable IPv4.

About this task

Follow these steps each time you install a Log Management, Standard, or
Enterprise Server. Use the road map to be sure that you install Servers in the
correct order. See Chapter 3, “Road map,” on page 25.

Several user IDs and passwords are created during installation. Be sure that all
user IDs and passwords conform to the rules described in Appendix C, “Account
and password naming rules,” on page 121.

Note: On Windows systems, the installation completes in approximately one hour.


On Linux systems, the installation completes in approximately 1-2 hours. The
installation process on AIX systems takes approximately 3-4 hours.
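The following procedure states restrictions on two of the values it asks for. The
installation path must not contain spaces or exceed 50 characters, must not be a
UNC name on Windows, must start with a directory of at most three characters on
AIX, and must not contain a \nnn, \xnnn, or \Xnnn character group on Windows.
The DB2 passwords must be at least 6 characters, at most 8 characters on AIX and
Linux, at most 14 characters on Windows, and at most 8 characters on a Windows
Enterprise Server that AIX or Linux Standard Servers connect to. The following
added example, which is not part of the product or of this guide, checks candidate
values against those rules before you start the installation program. It does not
encode the general account and password rules of Appendix C. The sample values
at the end of the block are constructed, except for the default installation paths.

```python
"""Checks installation inputs against the restrictions stated in this chapter.

Added example, not part of the product or of the original guide. Only the
rules that the installation procedure states for the installation path and
the DB2 passwords are encoded here.
"""
import re

MAX_PATH_LEN = 50
MAX_AIX_FIRST_DIR = 3                      # DB2 restriction on AIX
MIN_DB2_PASSWORD = 6
MAX_DB2_PASSWORD = {"windows": 14, "aix": 8, "linux": 8}
MAX_DB2_PASSWORD_UNIX_CLIENTS = 8          # AIX/Linux Standard Servers connecting to Windows DB2

# \nnn (octal), \xnnn and \Xnnn (hexadecimal): Tivoli Common Reporting
# cannot handle these character groups anywhere in a Windows path.
WINDOWS_ESCAPE_LIKE = re.compile(r"\\(?:[0-7]{3}|[xX][0-9A-Fa-f]{3})")


def validate_install_path(path, os_name):
    """Return a list of rule violations for an installation path (empty means OK)."""
    os_name = os_name.lower()
    errors = []
    if " " in path:
        errors.append("path contains a space")
    if len(path) > MAX_PATH_LEN:
        errors.append(f"path is longer than {MAX_PATH_LEN} characters")
    if os_name == "windows":
        if path.startswith("\\\\"):
            errors.append("UNC name; use the letter of a mapped drive instead")
        if WINDOWS_ESCAPE_LIKE.search(path):
            errors.append(r"path contains a \nnn, \xnnn or \Xnnn character group")
    elif os_name in ("aix", "linux"):
        if not path.startswith("/"):
            errors.append("path must be absolute")
        elif os_name == "aix":
            first = path.lstrip("/").split("/")[0]
            if len(first) > MAX_AIX_FIRST_DIR:
                errors.append(
                    f"first directory '{first}' is longer than {MAX_AIX_FIRST_DIR} characters")
    else:
        errors.append(f"unknown operating system '{os_name}'")
    return errors


def validate_db2_password(password, server_os, unix_standard_servers=False):
    """Length rules for the DB2 passwords that the installer asks for.

    server_os: operating system of the server being installed.
    unix_standard_servers: True when this is a Windows Enterprise Server and
    one or more Standard Servers run on AIX or Linux; those systems cannot
    connect to the Enterprise Server's DB2 database with a longer password.
    """
    server_os = server_os.lower()
    if server_os not in MAX_DB2_PASSWORD:
        return [f"unknown operating system '{server_os}'"]
    errors = []
    if len(password) < MIN_DB2_PASSWORD:
        errors.append(f"password is shorter than {MIN_DB2_PASSWORD} characters")
    limit = MAX_DB2_PASSWORD[server_os]
    if server_os == "windows" and unix_standard_servers:
        limit = MAX_DB2_PASSWORD_UNIX_CLIENTS
    if len(password) > limit:
        errors.append(f"password is longer than {limit} characters")
    return errors


if __name__ == "__main__":
    # Constructed sample values; the first two paths are the product defaults.
    checks = [
        ("path", validate_install_path(r"C:\IBM\TSIEM", "windows")),
        ("path", validate_install_path("/opt/IBM/tsiem", "aix")),
        ("path", validate_install_path(r"\\fileserver\tsiem", "windows")),
        ("path", validate_install_path("/products/ibm/tsiem", "aix")),
        ("password", validate_db2_password("db2pass123", "windows", unix_standard_servers=True)),
    ]
    for kind, errors in checks:
        print(kind, "OK" if not errors else "; ".join(errors))
```

A non-empty list from either function means the installation would fail or, for
the password rule, that the Standard Servers would later be unable to connect;
correct the value before starting the installation program.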

Procedure
1. Log on to the system where you wish to install Tivoli Security Information
and Event Manager.
On Windows systems:
Log on as a member of the Administrators group, such as
Administrator.
On AIX and Linux systems:
Log in as the root user.
2. Ensure that the host name and IP address of the system can be resolved.
a. Open a command window.
b. Use the hostname command to obtain the host name of the system.
For example:
# hostname
tsiemserver.example.com

c. If a fully qualified domain name (FQDN) is returned, verify that the host
name can be resolved using the ping command.
For example:
# ping tsiemserver.example.com
PING tsiemserver.example.com (192.168.4.24) 56(84) bytes of data.
64 bytes from tsiemserver.example.com (192.168.4.24): icmp_seq=1 ttl=64 time=0.121 ms
64 bytes from tsiemserver.example.com (192.168.4.24): icmp_seq=2 ttl=64 time=0.026 ms
64 bytes from tsiemserver.example.com (192.168.4.24): icmp_seq=3 ttl=64 time=0.037 ms

d. Verify that the IP address of the system can be resolved.
For example:
# ping 192.168.4.24
PING 192.168.4.24 (192.168.4.24) 56(84) bytes of data.
64 bytes from 192.168.4.24: icmp_seq=1 ttl=64 time=0.021 ms
64 bytes from 192.168.4.24: icmp_seq=2 ttl=64 time=0.017 ms
64 bytes from 192.168.4.24: icmp_seq=3 ttl=64 time=0.022 ms

e. Verify that the short name of the system can be resolved.
For example:
# ping tsiemserver
PING tsiemserver.example.com (192.168.4.24) 56(84) bytes of data.
64 bytes from tsiemserver.example.com (192.168.4.24): icmp_seq=1 ttl=64 time=0.104 ms
64 bytes from tsiemserver.example.com (192.168.4.24): icmp_seq=2 ttl=64 time=0.015 ms
64 bytes from tsiemserver.example.com (192.168.4.24): icmp_seq=3 ttl=64 time=0.033 ms

If the host name and IP address of the system cannot be resolved, the
installation fails. The FQDN, the short name, and the IP address must all refer
to the same system, as they do in these examples. Resolve any name resolution
issues before continuing with the installation.
3. Access the installation DVD.
On Windows systems:
a. Insert the Tivoli Security Information and Event Manager DVD.

Note: To use a screen reader with the installation program, see
“Using screen readers with the Tivoli Security Information and
Event Manager installation and uninstallation programs” on page
108.
b. If the installation program does not start automatically, do the
following steps:
1) Access the DVD drive. Do not use a Universal Naming
Convention (UNC) name, such as \\host_name\path\; instead,
specify the letter of a mapped drive. The path cannot contain
any spaces.
2) Double-click the install.exe icon.
On AIX and Linux systems:
a. Insert and mount the Tivoli Security Information and Event Manager
DVD.

Note:
1) The mount point cannot contain any spaces.
2) Ensure that the entire mount point is readable and executable
by everyone. If only the root user has access, the installation
fails unexpectedly.
3) If the DVD is automatically mounted on a Linux system, the
noexec option is applied by default for removable media. This
option prevents executing files on the mounted file system and
causes the installation to fail. To correct this problem, remount
the DVD with the exec option. For example:
mount -o remount,exec /media/TSIEM20
b. On AIX systems, type ./install.aix
On Linux systems, type ./install.linux

The installation program starts and displays the Tivoli Security Information
and Event Manager window.

4. Select the language you want to use during installation and click OK.
5. In the Introduction window, read the instructions and click Next.
6. After reading the Software license agreement, do one of the following steps:
v To continue installation, select I accept the terms in the license agreement
and click Next.
v To cancel the installation, select I do not accept the terms in the license
agreement and click Next.
You must accept the license agreement to install the product.
The Deployment Engine Initialization window is displayed while the
installation program is installing the IBM Deployment Engine.
7. After the Deployment Engine is installed, the Choose Install Folder for Tivoli
Security Information and Event Manager window is displayed.
8. In the Directory Name field, do one of the following actions and click Next to
specify where you want to install Tivoli Security Information and Event
Manager:
v Click Directory Name if there is not a version of Tivoli Security Information
and Event Manager on the computer. Then do one of the following actions:
– Accept the default.
The default location depends on the operating system.
- Windows systems: C:\IBM\TSIEM
- AIX systems: /opt/IBM/tsiem
- Linux systems: /opt/ibm/tsiem
– Type the complete path name to a specific directory.

You can use special characters in the installation path, if the path is valid
for the operating system. However, the path cannot exceed 50 characters
or contain spaces.
– Click Browse to navigate to a directory. Ensure that the path selected
does not contain spaces.
If you restarted the installation after a previous installation failed, Reuse is
selected and the folder you specified during the failed installation is
displayed.

Note:
– On AIX systems, the first directory specified in the path name must be
three characters or less in length. This restriction is due to a problem
with DB2.
For example, a path name of /ibm/tivoli/tsiem works as expected, but
a path name of /products/ibm/tsiem causes a problem, because products
is more than three characters long.
– On Windows systems, the following groups of characters cannot occur
anywhere in the path name. This restriction is due to a problem with
Tivoli Common Reporting.
\nnn where nnn is an octal number
\xnnn where nnn is a hexadecimal number
\Xnnn where nnn is a hexadecimal number
The Choose Install Set window is displayed.

9. In the Choose Install Set window, select the distribution you want to install on
this computer from the following list and click Next.

Standard Server
Performs basic security information management on audited systems
and devices. The Standard Server collects log files, stores them in the
depot, normalizes them to the W7 format, and performs compliance
reporting.
Enterprise Server
Provides centralized log management and forensic functions so that
these features can operate across multiple Tivoli Security Information
and Event Manager Standard Servers. From one Enterprise Server, you
can get a consolidated view of log collections and log continuity. You
can also search and download logs. When you select this option, you
install all Standard Server function, plus log management reporting,
forensic searches, and consolidation of W7 trending and incident
information.
Log Management Server
Receives events and collects logs, stores logs in the depot, provides
log management reports, and performs forensic searches.
Custom
Enables you to specify a combination of components that is not
provided by the other options.
10. If you selected Custom, you can select the components you want to install
from the following options and click Next.
Log Management Base
Installs a Server that can collect audit data and store it in the depot. It
also installs the administration GUIs for event source management
and user management. This Server does not normalize audit data into
the W7 format.
Log Management Forensics
Installs log management forensics to investigate collected audit data
and provides the capability to report the forensic data.
SIM Normalization
Installs the capability to normalize audit data into the W7 format and
to match security policies. It provides mappers, policies, alert
management, viewing of the normalized data, and report distribution.
This component also adds trend analysis and activity reports.
SIM Consolidation
Installs the capability to consolidate the W7 trend analysis data so that
you can view trending reports for multiple Servers in a single report.
11. In the Is this a Security Server window, do one of the following actions:
v Click Yes, attach this Server to an existing Security Server if you have
already installed the Security Server for this Security Group and you are
now installing a Grouped Server. Then go to step 12.
v Click No, make this Server a Security Server if you want to install the
Security Server for the Security Group. Then go to step 13 on page 35.
Click Next.
12. To install a Grouped Server, perform the following steps:
a. In the Security Server Database Connection window, complete the
following fields or accept the defaults when they are appropriate:

Security Server Hostname
Type the host name or IP address of the computer where the Tivoli
Directory Server is installed. (This computer hosts the Security
Server.)
Security Server Database Port
Type the number of the TCP/IP port that the Security Server
database uses for communication or accept the default, 31001.
(This value must match the value entered for the DB2 Server Port
when you installed the Security Server.)
Security Database
Type the name of the Security Server Database or accept the
default, CIFDB. This name must match the value entered for the
DB2 Database when you installed the Security Server.
Security Server Username
Type the name of the Security Server Database owner or accept the
default, cifowner. This name must match the value entered for the
Security Server Username when you installed the Security Server.
Security Server Password
Type the password for the Security Server Username. This
password must match the value entered for the Security Server
Password when you installed the Security Server.
Click Next.
b. In the Security Server LDAP Connection window, complete the following
fields:
LDAP Server Hostname
Type the host name of the Security Server.
LDAP Server Port
Type the number of the TCP/IP port that the Security Server uses
for communication or accept the default, 389. This value must
match the value entered in the LDAP Port field when you
installed the Security Server.
LDAP Root User
Type the name of the Security Server root user (the IBM Tivoli
Directory Server account administrator) or accept the default,
cn=root. This name must match the value entered in the Security
Server ITDS Admin field when you installed the Security Server.
LDAP Root User Password
Type the password for the LDAP Root User. This password must
match the value entered in the Security Server ITDS Admin
Password field when you installed the Security Server.
Base DN
Type the base distinguished name (DN) of the Tivoli Security
Information and Event Manager user accounts or accept the
default, cn=cif,o=ibm. The value must match the value entered in
the LDAP suffix for LDAP user field when you installed the
Security Server.
Click Next.
13. To install the Security Server, perform the following steps:

a. In the Security Server LDAP Database Information window, complete the
following fields for the DB2 database that the IBM Tivoli Directory Server
uses:
Security Server LDAP Database Admin
Type the name of the Security Server Database owner or accept the
default name, itdsadmn.
Security Server LDAP Database Password
Type the password for the Security Server database owner
specified in the Security Server LDAP Database Admin field.
The DB2 password must be a minimum of 6 characters in length.
On AIX and Linux systems, the maximum password length is 8
characters. On Windows systems, the maximum password length
is 14 characters.

Note: If your Tivoli Security Information and Event Manager
Enterprise Server is running on Windows but you have one or
more Standard Servers running on AIX or Linux, specify a
password no longer than 8 characters. Otherwise, the AIX and
Linux systems cannot connect to the DB2 database on the
Enterprise Server.
Confirm Security Server LDAP Database Password
Type the password again for confirmation.
b. To change other options for the database used by IBM Tivoli Directory
Server, click Advanced.
c. In the Advanced Security Server LDAP Database Information window,
complete the following fields and click OK:
Security Server LDAP Database DB2 copy
Type the name of the DB2 software tree used by the LDAP
database on the Security Server or accept the default, IDSCOPY.
Security Server LDAP Database Instance
Type the name of the DB2 instance of the LDAP database on the
Security Server or accept the default instance name, DB2IDS.
Security Server LDAP Database Port
Type the number of the TCP/IP port used by the LDAP database
on the Security Server or accept the default port number, 31000.
Security Server LDAP Database Name
Type the name of the LDAP database on the Security Server or
accept the default database name, idsdb.
The Security Server LDAP Database Information window is again
displayed.
d. Click Next.
e. In the Security Server LDAP Information window, complete the following
fields:
Security Server ITDS Admin
Type the name of the administrator account for the Tivoli
Directory Server on the Security Server or accept the default,
cn=root.
Security Server ITDS Admin Password
Type the password for the administrator of the Tivoli Directory
Server on the Security Server.

Confirm Security ITDS Admin Password
Type the password again for confirmation.
f. To change other options for IBM Tivoli Directory Server, click Advanced.
g. In the Advanced Security Server LDAP Information window, complete the
following fields and click OK:
ITDS instance name
Type the name of the LDAP instance or accept the default, idsinst.
The installation program creates an operating system user with
this name.
OS Password
Type the password for the operating system user specified in the
ITDS instance name field.
Confirm OS Password
Type the password again for confirmation.
LDAP Port
Type the number of the TCP/IP port that the Tivoli Directory
Server uses for communication or accept the default, 389.
LDAP suffix for LDAP user
Type the base DN for the location where Tivoli Security
Information and Event Manager user accounts are stored in the
directory or accept the default, cn=cif,o=ibm.
Instance location
Type or select the location of the LDAP instance. (This location is
not the location of the LDAP software.) The default is one of the
following locations:
v On Windows systems, the drive where Tivoli Security
Information and Event Manager is installed.
v On AIX and Linux systems, $TSIEM_HOME/idsinst

The Security Server LDAP Information window is again displayed.
h. Click Next.
14. Do one of the following steps:
v If you are reusing an existing DB2 database, the installation program
displays the Database Administrator Account window. Complete the
following fields and click Next:
DB2 Server Hostname
Type the host name of the computer where the database is installed
or accept the default host name, localhost.
DB2 Server Port
Type the number of the TCP/IP port used by the database or accept
the default port, 31001.
DB2 Database
Type the name of the database or accept the default database name,
CIFDB.
DB2 System User
Type the name of the database administration account or accept the
default user name, cifdbadm.
DB2 System Password
Type the password for the database administration account.

Click Next.
v If you are not reusing an existing DB2 database, the installation program
displays the Database Information window.
a. Complete the following fields:
Database Admin
Type the name of the database administration account or accept
the default account name, cifdbadm.
Database Password
Type the password for the database administration account.
The DB2 password must be a minimum of 6 characters in
length. On AIX and Linux systems, the maximum password
length is 8 characters. On Windows systems, the maximum
password length is 14 characters.

Note: If your Tivoli Security Information and Event Manager
Enterprise Server is running on Windows but you have one or
more Standard Servers running on AIX or Linux, specify a
password no longer than 8 characters. Otherwise, the AIX and
Linux systems cannot connect to the DB2 database on the
Enterprise Server.
Confirm Database Password
Type the password again for confirmation.
b. To change other options for the database, click Advanced.
c. In the Advanced Database Information window, complete the following
fields.
Database DB2 copy
Type the name of the copy of DB2 to be used by Tivoli Security
Information and Event Manager or accept the default name
CIFCOPY.
Database Instance
Type the name of the instance containing the database or accept
the default instance name CIFINST.
DB2 Database
Type the name of the database or accept the default database
name, CIFDB.
DB2 Server Port
Type the number of the TCP/IP port used by the database or
accept the default port number, 31001.
Click OK to return to the Database Information window and click Next.
15. In the TIP Administrator Credentials window, complete the following fields
and click Next.
TIP Admin User
Type the name of the Tivoli Integrated Portal (TIP) administrator or
accept the default name tipadmin. This user administers access to the
Tivoli Security Information and Event Manager Web interface through
which you can administer other servers.
This user name must conform to the rules for database account names.
See Appendix C, “Account and password naming rules,” on page 121.

TIP Admin Password
Type the password for the Tivoli Integrated Portal administrator.
Confirm TIP Admin Password
Type the password again for confirmation.

Click Next.
16. If the installation program displays the Server Database Connection window,
complete the following fields and click Next:
Security Server Username
Type the name of the Tivoli Security Information and Event Manager
database owner or accept the default name, cifowner. This database
account is used to run the Security Server database.
This user name must conform to the rules for database account names.
See Appendix C, “Account and password naming rules,” on page 121.

Note: This account is granted access to all databases that are created
during installation.
Security Server Password
Type the password for the Tivoli Security Information and Event
Manager database owner.
Confirm Security Server Password
Type the password again for confirmation.
17. If the installation program displays the OS Account window, complete the
following fields and click Next:

Note: Your responses specify which operating system account runs Tivoli
Security Information and Event Manager. If this account does not exist, the
installation program creates it.
OS Username
Type the name of the operating system account or accept the default.
The name can be for a new or an existing account. If the account does
not yet exist, the installation program creates it with the password you
specify. If the account exists, be sure to specify the name correctly. The
default is cifadmin.
This user name must conform to the rules for operating system
account names. See Appendix C, “Account and password naming
rules,” on page 121.

Note: This account can be a domain account.


If you are creating an account, the account is assigned the following
privileges. If the account exists, it must have these privileges.
On Windows systems
v Act as part of the operating system
v Load and unload device drivers
v Log on as Service
v Manage the auditing and security logs
On AIX and Linux systems
No privileges

If the account is being created, the account is assigned to the
following groups:
On Windows systems
v Administrators group
v cifusers group
On AIX systems
v Security group
v cifusers group
On Linux systems
cifusers group
OS Account Password
Type the password for the account. If the account exists, be sure to
provide the correct password.
Confirm Password
Type the password again for confirmation.
18. In the Tivoli Security Information and Event Manager Server Information
window, complete the following fields and click Next:
Server Display Name
Type the display name of the Tivoli Security Information and Event
Manager Server. This name is displayed in reports.
Hostname
Type the host name of the Server.
Port
Type the number of the TCP/IP port used by the Tivoli Security
Information and Event Manager Server or accept the default port
5992.
19. In the Tivoli Security Information and Event Manager Depot window,
complete the following fields and click Next:
Depot
Do one of the following actions to specify the location of the depot of
collected chunks:
v Accept the default location
Windows
%TSIEM_HOME%\sim\depot
AIX and Linux
$TSIEM_HOME/sim/depot
v Type the complete path name to a specific directory.

Note: If you want to store the depot on a DR550 drive, be sure that
you have set up the correct user IDs and mounted the drive. See
Appendix F, “Using DR550 with Tivoli Security Information and
Event Manager,” on page 129. The following paths are examples of
the path to a DR550 drive:
– \\192.168.236.22\test\export\ if you created a DR550 user ID
that is identical to the user ID on the Tivoli Security Information
and Event Manager system. See “Creating the same user on the
DR550 and Tivoli Security Information and Event Manager
systems” on page 131.

– z:\depot\ if you mounted the DR550 drive specifying a DR550
user. See “Using separate user accounts on the DR550 and Tivoli
Security Information and Event Manager” on page 130.
v Click Browse to navigate to a directory.
Depot Name
Type the name by which the depot is shared or accept the default
name cifdepot.
20. In the Email-Alert Configuration window, direct the product software to send
email alerts when log collection fails by completing the following fields and
clicking Next:

Note: Leave both fields empty if you do not want email alerts or you want to
configure email alerts later from the product Portal.
SMTP Host
Type the name of the SMTP host sending the email alerts.
Email Address
Type the email address or addresses to which the alerts on collection
failures are sent. If you type multiple email addresses, separate them
by semicolons (;) or spaces ( ).
21. In the Server Maintenance Schedule window, specify the time at which you
want the server to run maintenance. Type the appropriate times in the Hour
and Minute fields and click Next.
The server shuts down and restarts during the maintenance activity. Specify a
time during which Tivoli Security Information and Event Manager is not in
use. The maintenance activity takes no more than 5 minutes to run.
22. If the installation program displays the Tivoli Security Information and Event
Manager 2.0 Server Time zone window, complete the following fields and
click Next:
Time zone Name
Select the time zone that you want the Server to use from the list.
By default, the time zone of the computer on which the Server is
installed is used, but you can change the time zone information.
After selecting a time zone, the GMT Offset: hours and GMT Offset:
minutes fields are updated. You can further adjust the time zone
offset by changing those values.
GMT Offset: hours
To specify an offset from the time zone for this Server, select the
number of hours by which you want to offset. The range is from -12
to 12 hours.
GMT Offset: minutes
To specify an offset from the time zone for this Server, select the
number of minutes by which you want to offset.
23. If the installation program displays the Indexes Location window, specify the
location where you want to store the depot indexes in the Indexes Location
field, or accept the default location.
Windows
%TSIEM_HOME%\sim\Indexes
AIX and Linux
$TSIEM_HOME/sim/Indexes

For each Standard Server, the Enterprise Server builds a depot index. Because
this index can be as large as the depot size of the Standard Server itself, be
sure to choose a location with enough free disk space.
24. In the Pre-Installation Summary window, do the following steps:
a. Review the subcomponents that the installation program will install.
b. Review the amount of disk space that is required and the amount available
on the computer.
c. Optional: To change any selections, click Previous until you return to the
window where you can make the appropriate changes.
d. When you are ready to install, click Install.
The installation program can be left unattended at this point. Progress
messages are displayed during the installation and a completion message is
displayed when the installation completes.

Note: On Windows systems, the installation completes in approximately one
hour. On Linux systems, the installation completes in approximately 1-2 hours.
The installation process on AIX systems takes approximately 3-4 hours.

What to do next

You have installed Tivoli Security Information and Event Manager on this
computer. Install Tivoli Security Information and Event Manager on any other
computers that are part of your Tivoli Security Information and Event Manager
Cluster by repeating the previous steps.

Note:
v On Windows 2008 systems only, if a member of the Administrators group on the
Server computer also needs to manage Tivoli Security Information and Event
Manager, the user must also be a member of the DB2ADMNS operating system
group. The DB2ADMNS group is created during installation. If the administrator
is not a member of this group, the administrator receives SQL5005C errors
because of insufficient permissions on the DB2 files.
v On AIX systems only, you must log in again to your CDE (Common Desktop
Environment) after installing the product. If you are using VNC (Virtual
Network Computing), then you must restart the VNC session. This is because
Tivoli Security Information and Event Manager supports only the CDE graphical
user interface on AIX systems.

Installing in silent mode


You can use response files to install Tivoli Security Information and Event Manager
in silent or unattended mode.

You can obtain a response file in one of two ways:


v Install Tivoli Security Information and Event Manager using the installation
program and save your entries on the installation panels to a response file. See
“Generating a response file for installation” on page 43.
v Use the sample response file provided with Tivoli Security Information and
Event Manager. See “The sample response file for installation” on page 44.

You can then perform the following steps:


1. Modify the response file to match the requirements of the computer on which
you are installing. See “Modifying the response file for installation” on page 46.

2. Use the response file to install the product on that computer. See “Installing
with a response file” on page 47.
During silent installation, no input is required.

Generating a response file for installation


While installing the product using the graphical interface, you can generate a
response file that you can modify and use to install Tivoli Security Information and
Event Manager silently on other computers.

Before you begin

Be sure that you understand the types of servers and know which type you are
installing.

For best results while installing the product, temporarily disable the firewall and
virus checking software on your computer.

Note: Installation fails if you attempt to access the installation software through a
Universal Naming Convention (UNC) name (such as \\host_name\path\). Instead,
you must specify the letter of a mapped drive. The path to the installation files
cannot contain blanks.

About this task

When you install Tivoli Security Information and Event Manager in graphical
mode, you can save your installation panel responses in a response file. Use the
following steps to start the installation program and specify the name of the
response file.

Procedure
1. Perform the following steps:
On Windows systems:
a. Log on as a member of the Administrators group.
b. Insert the Tivoli Security Information and Event Manager DVD. (If the
installation program starts automatically, stop it.)
c. Open a command prompt window and access the DVD drive. For
example, type D: at the command prompt.
d. Type the following command at the command prompt:
install -r path_to_response_file
where path_to_response_file is the full path and file name of the file
in which to save your responses.
On AIX and Linux systems:
a. Log in as root.
b. Insert and mount the DVD for your operating system:
v For AIX systems, IBM Tivoli Security Information and Event
Manager v2.0 for AIX
v For Linux systems, IBM Tivoli Security Information and Event
Manager v2.0 for Linux

When mounting the DVD, ensure that the entire mount point is
readable and executable by everyone. If only the root user has
access, the installation fails unexpectedly. The mount point cannot
contain any spaces.
c. Type the following command:
v For AIX systems: ./install.aix -r path_to_response_file
v For Linux systems: ./install.linux -r path_to_response_file
where path_to_response_file is the full path and file name of the file
in which to save your responses.
The installation program starts. Follow the instructions in “Installing in
graphical mode” on page 29. Your responses are saved in the response file that
you specified.
2. Optional: Edit the response file and add the following line:
INSTALLER_UI=silent
If you do not add the preceding line to the generated response file, you must
add a parameter to the installation command when using the response file. You
can find instructions in “Installing with a response file” on page 47.

What to do next

Modify the response file for the computer where you plan to install Tivoli Security
Information and Event Manager silently the next time. Then install the product on
the computer, using the response file.

Note: The passwords you specified are hidden in the generated response file. Be
sure to edit the response file and update the passwords before you use the
response file to install Tivoli Security Information and Event Manager silently.

The sample response file for installation


A sample response file is provided with Tivoli Security Information and Event
Manager. You can modify the file and use it to install the product silently.

You can find the sample response file on the following product installation DVDs:
v AIX: IBM Tivoli Security Information and Event Manager v2.0 for AIX
v Linux: IBM Tivoli Security Information and Event Manager v2.0 for Linux
v Windows: IBM Tivoli Security Information and Event Manager v2.0 for Windows
The file name on the DVD is installer.properties.template.

Contents of the sample response file

The following text is in the sample response file.


###############################################################
## Licensed Materials - Property of IBM
## 5724-S67
## (c) Copyright IBM Corp. 2010 All Rights Reserved.
## US Government Users Restricted Rights - Use, duplication or
## disclosure restricted by GSA ADP Schedule Contract with
## IBM Corp.
###############################################################
##
## InstallAnywhere variables to configure for silent install
## of Tivoli Security Information and Event Manager 2.0
##
## Usage windows: install -f <full path to this file>
## Usage AIX: ./install.aix -f <full path to this file>
## Usage Linux: ./install.linux -f <full path to this file>
##
## With windows, install.exe will return immediately. To avoid
## this, you should wrap the install.exe command into a batch
## file.
##
###############################################################
#
INSTALLER_UI=silent

#----
#---- Set Silent License Acceptance
#---- Accept license agreement: remove # sign
#---- example: LICENSE_ACCEPTED=true
#---- Silent Uninstall: do not define the LICENSE_ACCEPTED,
#---- leave it commented out, commented out means having # sign in front of it
#---- if the LICENSE_ACCEPTED is anything other than true the installation will exit
#---- no log will be produced, no indication of failure provided
#----
#---- By removing the # sign before #LICENSE_ACCEPTED=false and changing false to true
#---- you have signified acceptance of the Tivoli Security Information Event Manager 2.0 license agreement
LICENSE_ACCEPTED=true

IAGLOBAL_LANGUAGE=en

# TSIEM install location <TSIEM_HOME>


IAGLOBAL_TSIEM_installLocation=<full path to install folder eg. C\:\\IBM\\TSIEM or /opt/IBM/tsiem>
IAGLOBAL_INSTALL_LOCATION_SELECTION=create

# Define type of installation:


# CHOSEN_INSTALL_SET=SIM Std|SIM Ent|LM Srv|Custom
# SIM Std = TSIEM Standard Server. Installs the SIM Base + SIM Normalization components
# SIM Ent = TSIEM Enterprise Server. Installs all 4 SIM components.
# LM Srv = TSIEM Log Manager Server. Install SIM Base + LM components.
# Custom = Select individual TSIEM components. See below.
#
CHOSEN_INSTALL_SET=SIM Ent

# The CHOSEN_INSTALL_FEATURES should be set if 'Custom' INSTALL_SET is chosen. Edit the feature list to suit your needs.
# CHOSEN_INSTALL_FEATURES_LIST=SIMBase,SIMMod,SIMLM,SIMCon
# SIMBase = TSIEM SIM base component, minimum selection
# SIMMod = TSIEM SIM module / Normalization component. Need SIMBase
# SIMLM = TSIEM SIM Log Manager / Forensics component. Need SIMBase
# SIMCon = TSIEM SIM Consolidation / Enterprise Server. Need SIMBase + SIMMod
#
#CHOSEN_INSTALL_FEATURES_LIST=SIMBase,SIMMod,SIMLM,SIMCon
#
# Define type of Server:
# IAGLOBAL_COI_GROUPED_SERVER=yes|no
# yes = Grouped Server (you will need a Security Server available to add this Grouped Server to)
# no = Security Server
IAGLOBAL_COI_GROUPED_SERVER=yes
#
#
# DB2 properties of the Security Server
# only needed for GROUPED SERVER (IAGLOBAL_COI_GROUPED_SERVER=yes)
#
# Server where LDAP server is running
IAGLOBAL_SECDB2_HOSTNAME=<your Security Server servername eg. 192.168.78.142>
# port where TSIEM DB2 instance is listening
IAGLOBAL_SECDB2_PORT=31001
IAGLOBAL_SECDB2_DATABASE=CIFDB
# end of DB2 properties of the Security Server
#
#
# SIM Server DB2 properties (local DB2 instance of TSIEM server)
IAGLOBAL_SIMDB2_COPY=CIFCOPY
IAGLOBAL_SIMDB2_DATABASE=CIFDB
IAGLOBAL_SIMDB2_HOSTNAME=localhost
IAGLOBAL_SIMDB2_INSTANCE=CIFINST
IAGLOBAL_SIMDB2_INSTANCE_LOCATION=<full path to DB instance location eg. C\:\\IBM\\TSIEM\\CIFINST or /opt/IBM/tsiem/CIFINST>
IAGLOBAL_SIMDB2_PORT=31001
# TSIEM SIM admin user (DB user)
IAGLOBAL_SIMDB2_USERNAME=cifowner
IALOCAL_SIMDB2_PASSWORD=<your password here>
IALOCAL_SIMDB2_PASSWORD_CONFIRM=<your password here>
# SIM DB2 administrator
IAGLOBAL_SIMDB2_ADMIN_USERNAME=cifdbadm
IALOCAL_SIMDB2_ADMIN_PASSWORD=<your password here>
IALOCAL_SIMDB2_ADMIN_PASSWORD_CONFIRM=<your password here>
# TSIEM SIM admin user (OS user)
IAGLOBAL_SIM_OS_ACCOUNT=cifadmin
IALOCAL_SIM_OS_PASSWORD=<your password here>
IALOCAL_SIM_OS_PASSWORD_CONFIRM=<your password here>
#
# SIM Server properties
IAGLOBAL_SIM_SERVERNAME=<your servername here eg. win2k3-64bit-14>
IAGLOBAL_SIM_HOSTNAME=<your servername here eg. win2k3-64bit-14>
IAGLOBAL_SIM_PORT=5992
IAGLOBAL_SIM_DEPOT_LOCATION=<full path to depot folder eg. C\:\\IBM\\TSIEM\\sim\\depot or /opt/IBM/tsiem/sim/depot>
IAGLOBAL_SIM_INDEXES_LOCATION=<full path to indexes folder eg. C\:\\IBM\\TSIEM\\sim\\Indexes or /opt/IBM/tsiem/sim/Indexes>
# name of depot as seen as network share on this server
IAGLOBAL_SIM_DEPOT_NAME=cifdepot
IAGLOBAL_SIM_ALERT_SMTPHOST=<your SMTP hostname, or leave it empty>
IAGLOBAL_SIM_ALERT_EMAIL=<Email address to send the alerts to, or leave it empty>
IAGLOBAL_SIM_MAINT_HOUR=6
IAGLOBAL_SIM_MAINT_MINUTE=0
IAGLOBAL_SIM_TZ_NAME=Europe/Berlin
IAGLOBAL_SIM_TZ_HOUR=+01
IAGLOBAL_SIM_TZ_MINUTE=00
#
# TIP Settings
IAGLOBAL_WAS_DEFAULTPORT=16310
IAGLOBAL_WAS_PORT_VALIDATED=false
IAGLOBAL_WAS_WINDOWS_SERVICE_NAME=TIPProfile_Port_16310
IAGLOBAL_WAS_WINDOWS_SERVICE_START_TYPE=manual
IAGLOBAL_WASCell=TIPCell
IAGLOBAL_WASNode=TIPNode
IAGLOBAL_WASProfileName=TIPProfile
IAGLOBAL_WASServer=server1
#
# WAS Settings
IAGLOBAL_WASUserID=tipadmin
IALOCAL_WASPassword=<your password here>
IALOCAL_WASPassword_RECONFIRM=<your password here>
IAGLOBAL_WC_adminhost=16315
IAGLOBAL_WC_adminhost_secure=16316
IAGLOBAL_WC_defaulthost=16310
IAGLOBAL_WC_defaulthost_secure=16311
IAGLOBAL_BOOTSTRAP_ADDRESS=16312
IAGLOBAL_SOAP_CONNECTOR_ADDRESS=16313
IAGLOBAL_DCS_UNICAST_ADDRESS=16318
IAGLOBAL_ORB_LISTENER_ADDRESS=16320
IAGLOBAL_SAS_SSL_SERVERAUTH_LISTENER_ADDRESS=16321
IAGLOBAL_CSIV2_SSL_MUTUALAUTH_LISTENER_ADDRESS=16322
IAGLOBAL_CSIV2_SSL_SERVERAUTH_LISTENER_ADDRESS=16323
#
# LDAP instance parameters
# Server properties where LDAP instance is running (Security Server)
IAGLOBAL_SSLDAP_HOSTNAME=<your Security Server servername eg. 192.168.78.142>
IAGLOBAL_SSLDAP_INSTANCE_LOCATION=<full path to DB instance location eg. C\:\\IBM\\TSIEM\\ldap or /opt/IBM/tsiem/ldap>
IAGLOBAL_SSLDAP_PORT=389
IAGLOBAL_SSLDAP_USERNAME=cn=root
IAGLOBAL_SSLDAP_ADMIN_USERNAME=ciftdsad
IALOCAL_SSLDAP_PASSWORD=<your password here>
IALOCAL_SSLDAP_PASSWORD_CONFIRM=<your password here>
IAGLOBAL_SSLDAP_BASEDN=cn=cif,o=ibm
IAGLOBAL_SSLDAP_INSTANCE=idsinst
IALOCAL_SSLDAP_OS_PASSWORD=<your password here>
IALOCAL_SSLDAP_OS_PASSWORD_CONFIRM=<your password here>
#
# ITDS DB2 parameters (DB2 instance of ITDS)
IAGLOBAL_SSDB2_COPY=IDSCOPY
IAGLOBAL_SSDB2_DATABASE=idsdb
IAGLOBAL_SSDB2_INSTANCE=DB2IDS
IAGLOBAL_SSDB2_PORT=31000
IAGLOBAL_SSDB2_USERNAME=itdsadmn
IALOCAL_SSDB2_PASSWORD=<your password here>
IALOCAL_SSDB2_PASSWORD_CONFIRM=<your password here>
#
# DB2 and ITDS already installed?
IAGLOBAL_COI_REUSE_DB2_ITDS=no

Modifying the response file for installation


Modify a response file to include the responses you want during installation.

Before you begin

Use one of the following response files:


v A response file that you generated while installing through the GUI. See
“Generating a response file for installation” on page 43.
v A copy of the sample response file. See “The sample response file for
installation” on page 44.

Decide which components you want to install. See “Installing in graphical mode”
on page 29 for help with the information you must provide.

About this task

In the response file, a comment sign (#) at the beginning of a line indicates that
you do not want to install the component shown in that line. Remove the comment
signs from all components you want to install. Then provide any information, such
as Server names, required on the lines without comment signs.

Procedure
1. In the response file, be sure that the LICENSE_ACCEPTED=true line does not have
a comment sign (#) in front of it and that true is specified.
2. Remove the comment (#) from each line that contains a component you want to
install.
3. On the lines without comment signs, specify any required information.

Note:
v Several user IDs and passwords are created during installation. Ensure that
all user IDs and passwords specified in the response file conform to the rules
described in Appendix C, “Account and password naming rules,” on page
121.
v Passwords in the response files are in plain text, which introduces a potential
security risk. To minimize this risk:
– Protect the response file by setting the correct file permissions:
- On Windows systems, grant read and write permission to only the
Administrators group.
- On AIX and Linux systems, set the permission to 660.
– Add the passwords to the file as late as possible (for example, just before
running the silent installation).
– Remove the passwords from the response file when the silent installation
finishes.
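The response-file handling rules above (permission 660, passwords added late and removed afterwards, LICENSE_ACCEPTED uncommented, placeholders filled in), together with the DB2 password-length rule from step 14 of the graphical installation, as an added shell example that is not part of the IBM guide. The response file it writes is a constructed fragment; only the key names are taken from installer.properties.template, and the installer itself is never invoked.

```shell
#!/bin/sh
# Added example, not from the IBM guide: pre-flight checks and cleanup for a
# TSIEM 2.0 silent-install response file, following the rules in this section
# (LICENSE_ACCEPTED, unfilled placeholders, DB2 password length, permission
# 660, removing passwords after the install). Key names follow
# installer.properties.template; the sample file written below is constructed.

# 0 if the file has an active (uncommented) LICENSE_ACCEPTED=true line.
check_license_accepted() {
    grep -q '^LICENSE_ACCEPTED=true[[:space:]]*$' "$1"
}

# 0 if no active key still carries a <...> placeholder from the template.
# Comment lines are skipped on purpose: the template's comments contain
# angle brackets too (for example the "Usage" lines).
check_placeholders() {
    if grep -n '^[A-Za-z_][A-Za-z0-9_]*=.*<.*>' "$1"; then
        echo "unfilled placeholders remain in $1" >&2
        return 1
    fi
    return 0
}

# 0 if the value of key $2 in file $1 is between $3 and $4 characters long.
# The guide requires DB2 passwords of at least 6 characters; the maximum is
# 8 on AIX/Linux and 14 on Windows, and 8 must be used when any Standard
# Server in the cluster runs AIX or Linux.
check_password_length() {
    value=$(sed -n "s/^$2=//p" "$1")
    len=${#value}
    [ "$len" -ge "$3" ] && [ "$len" -le "$4" ]
}

# Owner and group read/write only, as the guide prescribes for AIX/Linux.
protect_response_file() {
    chmod 660 "$1"
}

# Number of IALOCAL_* keys whose value is not the template placeholder.
# In the sample template every IALOCAL_ key holds a password or a password
# confirmation, so this is the number of secrets still in the file.
count_remaining_secrets() {
    grep '^IALOCAL_[A-Za-z0-9_]*=' "$1" | grep -vc '=<your password here>$' || true
}

# Put the template placeholder back into every IALOCAL_* line. Writes through
# a temp file and cat, not "sed -i" (absent on AIX sed) or mv, so the file
# keeps the 660 mode set earlier.
scrub_passwords() {
    tmp="$1.scrub.$$"
    sed 's/^\(IALOCAL_[A-Za-z0-9_]*\)=.*/\1=<your password here>/' "$1" > "$tmp" \
        && cat "$tmp" > "$1"
    rm -f "$tmp"
}

# Constructed sample (not the real template): one placeholder left unfilled,
# one DB2 password of legal length, and a TIP password that is only for WAS.
write_sample_response_file() {
    cat > "$1" <<'EOF'
INSTALLER_UI=silent
#LICENSE_ACCEPTED=false
LICENSE_ACCEPTED=true
IAGLOBAL_TSIEM_installLocation=/opt/IBM/tsiem
CHOSEN_INSTALL_SET=SIM Std
IAGLOBAL_COI_GROUPED_SERVER=yes
IAGLOBAL_SECDB2_HOSTNAME=<your Security Server servername eg. 192.168.78.142>
IAGLOBAL_SIMDB2_ADMIN_USERNAME=cifdbadm
IALOCAL_SIMDB2_ADMIN_PASSWORD=Dbpw1234
IALOCAL_SIMDB2_ADMIN_PASSWORD_CONFIRM=Dbpw1234
IAGLOBAL_WASUserID=tipadmin
IALOCAL_WASPassword=TipPw!2010
IALOCAL_WASPassword_RECONFIRM=TipPw!2010
EOF
}

# Walk a file through the checks; the installer itself is never invoked here.
preflight() {
    protect_response_file "$1"
    check_license_accepted "$1" || { echo "LICENSE_ACCEPTED=true is missing" >&2; return 1; }
    check_placeholders "$1" || return 1
    check_password_length "$1" IALOCAL_SIMDB2_ADMIN_PASSWORD 6 8 \
        || { echo "DB2 admin password must be 6 to 8 characters" >&2; return 1; }
    echo "$1 is ready for: ./install.linux -f $1"
}

# Demonstration on the constructed sample: the unfilled placeholder makes the
# pre-flight fail, then the passwords are scrubbed as the guide requires.
demo_file=${TMPDIR:-/tmp}/installer.properties.demo.$$
write_sample_response_file "$demo_file"
preflight "$demo_file" || echo "fix the file before running the silent install"
scrub_passwords "$demo_file"
echo "secrets left after scrub: $(count_remaining_secrets "$demo_file")"
rm -f "$demo_file"
```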

What to do next

Install Tivoli Security Information and Event Manager using the modified response
file. See “Installing with a response file.”

Installing with a response file


Use the response file that you have modified to install Tivoli Security Information
and Event Manager silently.

Before you begin

Be sure that you have a response file that you have edited to install the
components you want with the correct parameters.

About this task

Use the steps in the following procedure to install Tivoli Security Information and
Event Manager using the response file.

Procedure

Perform the following steps:


On Windows systems:
1. Log on as a member of the Administrators group.
2. Insert the IBM Tivoli Security Information and Event Manager v2.0 for
Windows DVD. (If the installation program starts automatically, stop it.)

3. Open a command prompt window and access the DVD drive. For
example, type D: at the command prompt.
4. Type one of the following commands at the command prompt:
v If you are using the sample response file or a generated response file
to which you added the line INSTALLER_UI=silent:
install -f path_to_response_file
v If you are using a generated response file and you did not add the
line INSTALLER_UI=silent to the file:
install -i silent -f path_to_response_file
where path_to_response_file is the full path and file name of the file in
which you saved your responses.
On AIX and Linux systems:
1. Log in as root.
2. Insert and mount the DVD for your operating system:
v For AIX systems: IBM Tivoli Security Information and Event Manager
v2.0 for AIX
v For Linux systems: IBM Tivoli Security Information and Event Manager
v2.0 for Linux
3. Type one of the following commands:
v If you are using the sample response file or a generated response file
to which you added the line INSTALLER_UI=silent:
– For AIX systems:
./install.aix -f path_to_response_file
– For Linux systems:
./install.linux -f path_to_response_file
v If you are using a generated response file and you did not add the
line INSTALLER_UI=silent to the file:
– For AIX systems:
./install.aix -i silent -f path_to_response_file
– For Linux systems:
./install.linux -i silent -f path_to_response_file
where path_to_response_file is the full path and file name of the file in
which you saved your responses.

The installation program installs the components specified in the response file.

What to do next

For security purposes, remove the passwords from the response file when the
silent installation finishes.

You have installed Tivoli Security Information and Event Manager on this
computer. You can install the product on any other computers that are part of the
Tivoli Security Information and Event Manager Cluster, either through the GUI or
silently, using a response file.

Promoting a Standard Server to an Enterprise Server


If you installed a Standard Server, you can promote it later to an Enterprise Server.

Before you begin

On the computer where the Standard Server is installed, start the installation
program. See “Installing in graphical mode” on page 29.

About this task

You promote a Standard Server to an Enterprise Server by installing additional
components.

Procedure
1. Run the installation program.
2. In the Choose Install Set window, click Custom.
3. Select the Log Management Forensics and Consolidation Component options,
and click Next.
4. Follow the instructions in “Installing in graphical mode” on page 29 to
complete installation.

What to do next
1. Register the Standard Servers in the cluster with the new Enterprise Server. See
“Registering a Standard Server with the Enterprise Server” on page 51.
2. Schedule the Consolidation Server to aggregate the data from the Standard
Servers. See “Scheduling the Consolidation Server to aggregate data” on page
53.

Promoting a Log Management Server to an Enterprise Server


If you installed a Log Management Server, you can promote it later to an
Enterprise Server.

Before you begin

On the computer where the Log Management Server is installed, start the
installation program. See “Installing in graphical mode” on page 29.

About this task

You promote a Log Management Server to an Enterprise Server by installing
additional components.

Procedure
1. Run the installation program.
2. In the Choose Install Set window, click Custom.
3. Select the Normalization Component and Consolidation Component and Log
Management Base options, and click Next.
4. Follow the instructions in “Installing in graphical mode” on page 29 to
complete installation.

What to do next
1. Register the Standard Servers in the cluster with the new Enterprise Server. See
“Registering a Standard Server with the Enterprise Server” on page 51.

2. Schedule the Consolidation Server to aggregate the data from the Standard
Servers. See “Scheduling the Consolidation Server to aggregate data” on page
53.

Chapter 5. Configuration tasks
After installation, you might need to perform additional configuration tasks.

You must register the Standard Servers with the Enterprise Server and configure
the schedule for the Consolidation Server to aggregate data. By performing these
tasks, you enable the Enterprise Server to consolidate the data from all the
Standard Servers in the Tivoli Security Information and Event Manager Cluster.

See the following information:


v “Registering a Standard Server with the Enterprise Server”
v “Scheduling the Consolidation Server to aggregate data” on page 53
v “Updating the Java SDK policy files” on page 54
v “Replacing the self-signed X.509 certificate with a CA-issued X.509 certificate” on
page 55
v “IPv6” on page 56
v “Enabling network browsing on AIX systems” on page 59
v “Configuring the database for large workloads” on page 59
v “Increasing the Java heap size on AIX and Linux systems” on page 60

Note: Run the Tivoli Security Information and Event Manager tools and utilities
using the cifadmin user created during the installation process. To run these tools
and utilities under a different user ID, or as root, you must update that user's
environment to access the Tivoli Security Information and Event Manager libraries.

Registering a Standard Server with the Enterprise Server


You must register each Standard Server with the Enterprise Server so that the
Enterprise Server can consolidate data from Standard Servers and perform
centralized log management.

Before you begin


1. Before the Enterprise Server can consolidate data from the Standard Servers,
the indexer and searcher processes of the Enterprise Server must have access to
the depots of all Standard Servers in the cluster. Therefore, you must share and
mount the depot of each Standard Server before you register that Standard
Server with the Enterprise Server. To access remote depots, the indexer and
searcher processes use the credentials of the user running the processes
(typically a domain or a local cifadmin user).
A cluster can contain a combination of operating systems (AIX, Linux, and
Windows). Often the computers in a cluster do not share storage and they use
different mechanisms for user authentication.
To ensure that the Enterprise Server can access the depots of the Standard
Servers, first perform all necessary configuration on the computers in the
cluster. See Appendix H, “Sharing and mounting remote depots,” on page 139.
2. Be sure that both the Enterprise Server and the Standard Server to be registered
are running.
3. Be sure that the Enterprise Server and the Standard Server use the same
Security Server.

© Copyright IBM Corp. 2010 51


About this task

Perform the following steps on the Enterprise Server for each Standard Server in
the cluster.

Note: You can also use these steps to add a Log Management Server to a Tivoli
Security Information and Event Manager Cluster. Run the registration command
shown in the procedure and register the Log Management Server.

Procedure
1. On the Enterprise Server, open a command prompt.
2. Navigate to the appropriate directory:
v On Windows systems:
cd %TSIEM_HOME%\sim\consolidation\bin
v On AIX and Linux systems:
cd $TSIEM_HOME/sim/consolidation/bin
3. To add the Standard Server, do one of the following steps:
v Type the registration command at the command prompt.
v The registration command, which is correct except for the passwords, is
saved to a text file during the Standard Server installation process. The saved
file is:
Windows
%TSIEM_HOME%\sim\addToEnterpriseServer.txt
AIX and Linux
$TSIEM_HOME/sim/addToEnterpriseServer.txt
To avoid typing the command, do the following steps:
a. Retrieve and edit the text file.
b. Modify the password values as required.
c. Paste the command at the command prompt.
The registration command is:
v On Windows systems:
beat.bat -setsrv host_name TCPport data_server DB_cifowner_user
DBcifownerpwd OS-user OS-user_password path_to_remote_depot
v On AIX and Linux systems:
beat.sh -setsrv host_name TCPport data_server DB_cifowner_user
DBcifownerpwd OS-user OS-user_password path_to_remote_depot
where:
v host_name is the hostname of the Standard Server system on which
data_server is installed.
v TCPport is the TCP port that the Standard Server database uses to
communicate. (The default value is 31001.)
v data_server is the database server where the engine for the Standard Server to
be registered resides.
v DB_cifowner_user is the user account that owns the database on the Standard
Server. During installation, this name was specified in one of the following
fields. (The default name is cifdbadm.)
– If you reused an existing DB2 database, the DB2 System User field of the
SIM Database Administrator Account window.

– If you did not reuse an existing DB2 database, the Database Admin field
of the SIM Database Information window.
See “Installing in graphical mode” on page 29.
v DBcifownerpwd is the password for the DB_cifowner_user user account.
v OS-user is the operating system user account for the Standard Server, as
defined in the OS Account window in the OS Username field. The default
name is cifadmin. See “Installing in graphical mode” on page 29.
v OS-user_password is the password for the OS-user account on the Standard
Server.
v path_to_remote_depot is the system path to the shared or mounted depot
folder of the Standard Server being registered. (See Appendix H, “Sharing
and mounting remote depots,” on page 139.)

Note: When the command runs, Tivoli Security Information and Event Manager
checks whether the parameters are valid. If the parameters are not valid, the
Standard Server is not registered. This verification can succeed only if both the
Enterprise Server and the Standard Server to be registered are running.

Example
v On a Windows system:
beat.bat -setsrv sedco 31001 CIFDB cifowner consul cifadmin
cifpasswd \\sedco\cifdepot
v On an AIX or Linux system:
./beat.sh -setsrv sedco 31001 CIFDB cifowner consul cifadmin
cifpasswd /mnt/sedco/cifdepot

What to do next

Continue using this procedure until you have registered all Standard Servers in the
cluster with the Enterprise Server. The Enterprise Server can then collect and
consolidate data from the Standard Servers.

Scheduling the Consolidation Server to aggregate data


Configure the schedule for the Consolidation Server so that you can generate and
view aggregated data from multiple servers on a regular basis.

Before you begin

Be sure that you have done the following steps:


v Installed the Enterprise Server and the Standard Servers in the Tivoli Security
Information and Event Manager Cluster.
v Registered the Standard Servers in the cluster with the Enterprise Server.

About this task

The Consolidation Server component resides on the Enterprise Server. This
component allows viewing of aggregated data from multiple Servers. Every Server
automatically aggregates the data it collects by group. The Enterprise Server
collects the aggregated data of all Servers in the Enterprise Server database. You
can then view the aggregated data using the Tivoli Integrated Portal.

To generate useful overview information, you must run the Consolidation Server
regularly. The schedule for the Consolidation Server depends on the data collection
and loading schedules defined for Servers. In general, plan to run the
Consolidation Server at least once a day.

After each successful consolidation, Tivoli Security Information and Event Manager
flushes aggregated data in each Reporting Database to prevent the data from being
consolidated again.

The consolidation process is run by the Tivoli Security Information and Event
Manager Server AuthDaemon. The AuthDaemon is a background process that
performs various tasks, such as running the consolidation process once a day. By
default, the Consolidation Server is configured to run the consolidation process at
8:00 AM daily. To change the time when the consolidation process is run, change
the value of consolidation_start_time in the auth.ini file.

Perform the following steps:

Procedure
1. On the Enterprise Server, edit the auth.ini file.
Windows
%TSIEM_HOME%\sim\server\run\auth.ini
AIX or Linux
$TSIEM_HOME/sim/server/run/auth.ini
2. Change the value of consolidation_start_time in the auth.ini file to the time
you want the consolidation process to run. The key uses 24-hour notation; to
set the time at 10:15 PM, for example, set consolidation_start_time to 22:15.

Note: To run the Consolidation Server manually, use the following command:
Windows
%TSIEM_HOME%\consolidation\bin\beat.bat
AIX or Linux
$TSIEM_HOME/consolidation/bin/beat.sh

What to do next

See the IBM Tivoli Security Information and Event Manager Users Guide for
information about viewing aggregated data.

Updating the Java SDK policy files


Tivoli Integrated Portal provides Java SDK 5.0 that contains strong but limited
jurisdiction policy files. Some key formats (such as PKCS #12) that are provided by
a Certificate Authority (CA) might be protected with algorithms that are not
provided with the limited policy files in Java SDK 5.0. Before you replace
self-signed certificates with CA-issued certificates, update your Java SDK policy
files.

About this task

The unrestricted JCE policy files that are provided in the policy file update can
ensure that you have the correct algorithms for CA-issued certificates.

Procedure
1. Use a browser to go to http://www.ibm.com/developerworks/java/jdk/
security/index.html.
2. Click J2SE 5.0.
3. Click IBM SDK Policy files.
4. Click Sign in and enter your IBM.com ID and password.
5. Select Unrestricted JCE Policy files for SDK for all newer versions and click
Continue.
6. View the license, check I agree, and click I confirm.
7. Click Download now.
8. Extract the unlimited jurisdiction policy files that are packaged in a
compressed file. The compressed file contains a US_export_policy.jar file and
a local_policy.jar file.
9. On the server where Tivoli Integrated Portal is installed, back up the
following files:
v US_export_policy.jar
v local_policy.jar
These files are installed in the following directory by default:
AIX or Linux
$TSIEM_HOME/TIP/java/jre/lib/security
Windows
%TSIEM_HOME%\TIP\java\jre\lib\security
10. Replace the US_export_policy.jar and local_policy.jar files with the
updated files from the compressed file that you downloaded.
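To confirm that step 10 took effect, the following check, added here as an example and not IBM's tooling, opens the two jars under the security directory and reports whether each grants unrestricted strength. It assumes the standard policy-jar layout, in which local_policy.jar and US_export_policy.jar carry a default_local.policy or default_US_export.policy entry, the unrestricted files grant javax.crypto.CryptoAllPermission, and the limited files list per-algorithm CryptoPermission key-size caps; the sample policy texts and the scratch directory used by demo() are constructed.

```python
import io
import os
import re
import tempfile
import zipfile

# Jar name -> policy entry inside it (standard layout; an assumption, see lead-in).
POLICY_ENTRY = {
    "local_policy.jar": "default_local.policy",
    "US_export_policy.jar": "default_US_export.policy",
}

# Unrestricted files grant everything with a single CryptoAllPermission.
ALL_PERM = re.compile(r"^\s*permission\s+javax\.crypto\.CryptoAllPermission\s*;", re.M)
# Limited files cap key sizes per algorithm, for example
#   permission javax.crypto.CryptoPermission "DES", 64;
#   permission javax.crypto.CryptoPermission *, 128;
CAP_PERM = re.compile(
    r'^\s*permission\s+javax\.crypto\.CryptoPermission\s+'
    r'(?P<alg>"[^"]+"|\*)\s*,\s*(?P<cap>\d+|\*)',
    re.M,
)


def classify_policy(policy_text):
    """Return ("unlimited", {}) or ("limited", {algorithm: max_key_bits_or_None})."""
    if ALL_PERM.search(policy_text):
        return "unlimited", {}
    caps = {}
    for m in CAP_PERM.finditer(policy_text):
        cap = m.group("cap")
        caps[m.group("alg").strip('"')] = None if cap == "*" else int(cap)
    return "limited", caps


def inspect_policy_jar(jar_bytes, entry_name):
    """Read the policy entry out of a jar (a zip file) and classify it."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return classify_policy(jar.read(entry_name).decode("utf-8"))


def check_security_dir(security_dir):
    """Classify both jars under <jre>/lib/security; a missing jar is reported as such."""
    report = {}
    for jar_name, entry in POLICY_ENTRY.items():
        path = os.path.join(security_dir, jar_name)
        if not os.path.isfile(path):
            report[jar_name] = ("missing", {})
            continue
        with open(path, "rb") as fh:
            report[jar_name] = inspect_policy_jar(fh.read(), entry)
    return report


def build_policy_jar(policy_text, entry_name):
    """Constructed fixture: pack a policy body into an in-memory jar."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(entry_name, policy_text)
    return buf.getvalue()


# Constructed sample policy bodies in the shape the real files use.
LIMITED_SAMPLE = """grant {
    permission javax.crypto.CryptoPermission "DES", 64;
    permission javax.crypto.CryptoPermission "DESede", *;
    permission javax.crypto.CryptoPermission "RC2", 128, "javax.crypto.spec.RC2ParameterSpec", 128;
    permission javax.crypto.CryptoPermission *, 128;
};
"""
UNLIMITED_SAMPLE = """grant {
    permission javax.crypto.CryptoAllPermission;
};
"""


def demo():
    """Write a limited local_policy.jar and an unlimited US_export_policy.jar
    into a scratch directory (constructed) and run the check over it."""
    with tempfile.TemporaryDirectory() as scratch:
        with open(os.path.join(scratch, "local_policy.jar"), "wb") as fh:
            fh.write(build_policy_jar(LIMITED_SAMPLE, "default_local.policy"))
        with open(os.path.join(scratch, "US_export_policy.jar"), "wb") as fh:
            fh.write(build_policy_jar(UNLIMITED_SAMPLE, "default_US_export.policy"))
        return check_security_dir(scratch)


if __name__ == "__main__":
    # On a real server, call check_security_dir("<TSIEM_HOME>/TIP/java/jre/lib/security").
    for jar_name, (kind, caps) in demo().items():
        print(jar_name, kind, caps)
```

A "limited" result for either jar after step 10 means the old file is still in place (or the backup was restored), so the CA-issued certificate import that follows may fail on the key format.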

What to do next

Continue with “Replacing the self-signed X.509 certificate with a CA-issued X.509
certificate.”

Replacing the self-signed X.509 certificate with a CA-issued X.509 certificate
Tivoli Integrated Portal is automatically configured to use a default self-signed
certificate for all SSL communications. If your environment requires the use of a
CA-issued certificate, you must obtain the certificate and replace the self-signed
certificate.

Before you begin

Before you begin this task, complete the steps in “Updating the Java SDK policy
files” on page 54.

About this task

The default certificate is named key.p12. Its default location is:
AIX or Linux
$TSIEM_HOME/TIP/profiles/TIPProfile/config/cells/TIPCell/nodes/TIPNode
Windows
%TSIEM_HOME%\TIP\profiles\TIPProfile\config\cells\TIPCell\nodes\TIPNode

Use this task to replace this default certificate with a CA-issued certificate.

Procedure
1. Request and receive a signed certificate from a certificate authority. You can
make a request to a Certificate Authority (CA) using any method you choose.
WebSphere Application Server has built-in tools that enable you to request and
receive certificates that are issued by a CA. For more information, see the topics
about creating certificate authority requests in the WebSphere Application
Server information center:

http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp
2. Delete the default certificate:
a. Log in to the Tivoli Integrated Portal. The default administration ID is
tipadmin.
Use that ID to display the keystore management tasks.
b. Click SSL certificate and key management → Key stores and certificates →
NodeDefaultKeyStore → Personal certificates.
c. Select the default key.
d. Click Delete.
3. Import the new certificate into a keystore:
a. Click SSL certificate and key management → Key stores and certificates →
NodeDefaultKeyStore → Personal certificates → Import certificates from a
key file.
b. Click Import.
c. Enter the key file name.
Ensure that the key is on the local file system of the server.
d. Select the key type.
e. Click Get key file aliases, if it is required for the key type.
f. Select the key alias you want to import from your keystore.
g. Enter the alias name default for the key.
h. Click OK.
4. Confirm selections, save selections, and restart the server:
a. In the key table, confirm that the key you imported is listed. Also confirm
that the attributes match the key.
b. Click Save to save the configuration.
c. Restart the Tivoli Integrated Portal service. On Windows, restart the service.
On AIX or Linux, restart the service by using the following init.d script:
/etc/init.d/tsiem_tip_service.sh restart

IPv6
Tivoli Security Information and Event Manager can be directly installed on an IPv6
Microsoft Windows system. However, Tivoli Security Information and Event
Manager can be installed only on an IPv4 or dual stack AIX or Linux system. After
installing the product, you can convert the AIX or Linux system to IPv6-only.

When using IPv6 networking, note that some features are affected because UNIX
and Windows systems represent UNC (Universal Naming Convention) names
differently with regard to plain IPv6 addresses. For example, the Windows
network stack for UNC access does not accept plain IPv6 addresses (such as
2001:db8:28:3:f98a:5b31:67b7:67ef), which are accepted only on UNIX systems.
Similarly, UNIX systems do not accept literal addresses (such as
2001-db8-28-3-f98a-5b31-67b7-67ef.ipv6-literal.net) for IPv6 communications.

As a result, when using Tivoli Security Information and Event Manager on AIX
and Linux, note the following restrictions:
v When installing an agent to a Windows system using plain IPv6, you must
manually install the agent. To use the automatic agent installation feature, add
the system using a nickname that is appropriate for the specified IP address.
Then add the IP address to the DNS on the Tivoli Security Information and
Event Manager server.
v When applying an audit profile to a Windows system that uses an IPv6 plain
address, you must use the manual policy setting.
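The two address forms above differ only in punctuation, so a small converter lets you write a depot path in whichever form the target system accepts. The following Python is an added example, not part of the guide: it assumes the public Windows convention (colons become hyphens, a %zone index becomes s followed by the zone, and .ipv6-literal.net is appended) and a /mnt/host/share mount layout on UNIX, as in the registration example earlier in this chapter.

```python
import ipaddress

LITERAL_SUFFIX = ".ipv6-literal.net"


def to_windows_literal(address):
    """Plain IPv6 (optionally with a %zone) -> Windows ipv6-literal.net host name.

    Raises ValueError for anything that is not a valid IPv6 address.
    """
    plain, has_zone, zone = address.partition("%")
    canonical = str(ipaddress.IPv6Address(plain))  # validates and compresses
    literal = canonical.replace(":", "-")
    if has_zone:
        if not zone.isalnum():
            raise ValueError("zone index must be alphanumeric: %r" % zone)
        literal += "s" + zone  # '%' is not legal in a host name; Windows writes 's'
    return literal + LITERAL_SUFFIX


def from_windows_literal(name):
    """Windows ipv6-literal.net host name -> plain IPv6 address (UNIX form)."""
    if not name.lower().endswith(LITERAL_SUFFIX):
        raise ValueError("not an ipv6-literal.net name: %r" % name)
    body = name[: -len(LITERAL_SUFFIX)]
    # 's' is not a hex digit, so it unambiguously starts the zone index.
    addr_part, has_zone, zone = body.partition("s")
    plain = str(ipaddress.IPv6Address(addr_part.replace("-", ":")))
    return plain + ("%" + zone if has_zone else "")


def depot_unc_for_windows(host, share):
    """UNC path to a shared depot as a Windows system must see it.

    A plain IPv6 address is rewritten to the literal form; host names and
    IPv4 addresses are passed through unchanged.
    """
    try:
        ipaddress.IPv6Address(host.partition("%")[0])
    except ValueError:
        target = host
    else:
        target = to_windows_literal(host)
    return "\\\\%s\\%s" % (target, share)


def depot_path_for_unix(host, share, mount_root="/mnt"):
    """Mount-point path for the same depot on AIX or Linux (assumed
    /mnt/host/share layout); a literal name is converted back to the plain
    address, which is the only form UNIX accepts."""
    if host.lower().endswith(LITERAL_SUFFIX):
        host = from_windows_literal(host)
    return "%s/%s/%s" % (mount_root, host, share)


if __name__ == "__main__":
    print(to_windows_literal("2001:db8:28:3:f98a:5b31:67b7:67ef"))
    print(depot_unc_for_windows("2001:db8::1", "cifdepot"))
    print(depot_path_for_unix("2001-db8--1.ipv6-literal.net", "cifdepot"))
```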

Configuring IPv6
To use IPv6 for data transfer between a Server and an agent, configure the IPv6
protocol on both the Server and the agent.

Be aware of the following requirements when using the product in IPv6
environments:
v The systems must have stable global (not link-local) IPv6 addresses, acquired
either by stateful autoconfiguration (DHCPv6), stateless autoconfiguration, or
manual configuration.
v For systems with stateful autoconfiguration or stateless autoconfiguration, an
IPv6 capable router must be present and configured on the local network to help
determine the full address.
v It is preferable, but not required, for each IPv6 system to have an AAAA (or
quad-A) Domain Name System (DNS) entry. The system can then be accessed by
name rather than number.
v SSH collect over IPv6 is supported only if the host is specified by its host name.
Therefore, to perform SSH collect, specify the host as an IPv4 address or as a
host name.

In general on Microsoft Windows systems, there are no required tasks for
migrating from IPv4 to IPv6. For AIX and Linux systems, see “Converting an AIX
or Linux system from dual stack to IPv6” on page 58.

Automatic event source migration from an IPv4 to an IPv6-only environment is not
supported. You must reinstall the event source if both of the following are true:
v An event source is collecting data from a computer that was added with an IPv4
address.
v The IPv4 protocol is not supported on either the Server or the agent computer.

No action is required if either of the following is true:
v An agent is added by DNS name.
v IPv4 is still supported by the Server and the agent computers (both are dual
stack systems.)

Additional IPv6 information
See the following online documents for more information on configuring IPv6.
Configuring IPv6 on Windows systems
http://www.ipv6.ru/english/documents/practice/windows.php
Configuring IPv6 network on UNIX systems
http://www.ipv6.ru/english/documents/practice/unix.php

Converting an AIX or Linux system from dual stack to IPv6


After you install Tivoli Security Information and Event Manager, you can convert
the system from dual stack to IPv6-only.

About this task

Because Tivoli Security Information and Event Manager cannot be installed on an
IPv6-only AIX or Linux system, it must be installed on either an IPv4 system or a
dual stack system. After the installation is complete, you can convert the system to
IPv6-only.

Run all of the following commands as root.

For more information about starting and stopping services, see the appendices in
the IBM Tivoli Security Information and Event Manager Administrators Guide.

Procedure
1. Stop Tivoli Security Information and Event Manager by entering the following
command in a terminal:
/etc/init.d/tsiem_sim_service.sh stop
2. Stop the Tivoli Integrated Portal by entering the following command in a
terminal:
/etc/init.d/tsiem_tip_service.sh stop
3. Stop DB2 by entering the following command in a terminal:
/etc/init.d/tsiem_db2_service.sh stop
4. Stop LDAP by entering the following command in a terminal:
/etc/init.d/tsiem_ldap_service.sh stop
5. Set the variable DB2FCMCOMM=TCPIP6 for the Tivoli Security Information and
Event Manager DB2 instance by entering the following command in a
terminal:
/home/<Database Admin Name>/sqllib/adm/db2set -g DB2FCMCOMM=TCPIP6
For example:
/home/cifdbadm/sqllib/adm/db2set -g DB2FCMCOMM=TCPIP6
6. Set the variable DB2FCMCOMM=TCPIP6 for the Tivoli Security Information and
Event Manager LDAP DB2 instance by entering the following command in a
terminal:
/home/<ITDS_instance_name>/sqllib/adm/db2set -g DB2FCMCOMM=TCPIP6
For example:
/home/idsinst/sqllib/adm/db2set -g DB2FCMCOMM=TCPIP6
7. Add the host name to the /etc/hosts file so that the host name is resolved as
an IPv6 address.
8. Convert the dual stack machine to IPv6.
9. Start LDAP by entering the following command in a terminal:
/etc/init.d/tsiem_ldap_service.sh start
10. Start DB2 by entering the following command in a terminal:
/etc/init.d/tsiem_db2_service.sh start
11. Start the Tivoli Integrated Portal by entering the following command in a
terminal:
/etc/init.d/tsiem_tip_service.sh start
12. Start Tivoli Security Information and Event Manager by entering the following
command in a terminal:
/etc/init.d/tsiem_sim_service.sh start

Results

After you have converted the system from dual stack to IPv6, the system should
resolve cross-names in IPv6 format.

Enabling network browsing on AIX systems


You must manually configure the AIX firewall to permit network browsing.

About this task

On Windows and Linux systems, network browsing is enabled as part of the
installation process. On AIX systems, you must perform this task to enable it.

Procedure
1. Open the SMITTY interface.
2. Click Communications Applications and Services → TCP/IP → Configure IP
Security → Advanced IP Security Configuration → Configure IP Security Filter
Rules → Add an IP Security Filter Rule.
3. Add permit rules for the following services.
* netbios-ns 137/udp
* netbios-dgm 138/udp
* netbios-ssn 139/tcp
* microsoft-ds 445/tcp
* microsoft-ds 445/udp
Also add permit rules for any UDP port numbers that the master browser uses
to send query packets with nmblookup.

Configuring the database for large workloads


In enterprise environments where large amounts of uncompressed raw log data are
being processed, adjust the DB2 log file settings to handle larger workloads.

About this task

By default, the Tivoli Security Information and Event Manager database (CIFDB)
uses the following DB2 log file settings:
Log file size (4KB) (LOGFILSIZ) = 16384
Number of primary log files (LOGPRIMARY) = 20
Number of secondary log files (LOGSECOND) = 80

In enterprise environments where the amount of raw log data exceeds 30 GB per
day, adjust the DB2 log file settings. Failure to adjust the settings might result in
the following error:

SQL0964C The transaction log for the database is full. SQLSTATE=57011

Procedure
1. Connect to the Tivoli Security Information and Event Manager database,
CIFDB.
2. Set the log file size to 65536.
update db cfg for db_name using LOGFILSIZ 65536
3. Increase the number of secondary log files to 160.
update db cfg for db_name using LOGSECOND 160
4. Restart the DB2 service.
db2stop
db2start

Example
update db cfg for CIFDB using LOGFILSIZ 65536
update db cfg for CIFDB using LOGSECOND 160
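Before applying the updates, it helps to know how much active log space the current settings give and what the change buys. The following Python, an added example and not IBM code, parses the three parameters from db2 get db cfg output in the format shown above and computes the capacity; the sample output is constructed from the defaults listed in this task.

```python
import re

# One line per parameter, in the format `db2 get db cfg` prints, for example
#   Log file size (4KB)                         (LOGFILSIZ) = 16384
CFG_LINE = re.compile(r"\((?P<key>LOGFILSIZ|LOGPRIMARY|LOGSECOND)\)\s*=\s*(?P<val>-?\d+)")
LOG_PAGE_BYTES = 4096  # LOGFILSIZ is counted in 4 KB pages
TARGETS = {"LOGFILSIZ": 65536, "LOGSECOND": 160}  # the values this task sets


def parse_log_cfg(cfg_text):
    """Pick LOGFILSIZ, LOGPRIMARY and LOGSECOND out of `db2 get db cfg` output."""
    found = {m.group("key"): int(m.group("val")) for m in CFG_LINE.finditer(cfg_text)}
    missing = {"LOGFILSIZ", "LOGPRIMARY", "LOGSECOND"} - set(found)
    if missing:
        raise ValueError("log parameters not found in cfg output: %s" % sorted(missing))
    return found


def active_log_space(cfg):
    """Bytes of transaction log space available before SQL0964C can occur.

    Returns (primary_bytes, total_bytes); total is None when LOGSECOND is -1,
    which DB2 uses to mean an unlimited number of secondary logs.
    """
    per_file = cfg["LOGFILSIZ"] * LOG_PAGE_BYTES
    primary = per_file * cfg["LOGPRIMARY"]
    if cfg["LOGSECOND"] == -1:
        return primary, None
    return primary, primary + per_file * cfg["LOGSECOND"]


def plan_updates(cfg, db_name):
    """DB2 CLP commands still needed to reach this task's targets (empty if done)."""
    cmds = []
    for key, target in TARGETS.items():
        if cfg[key] < target:
            cmds.append("update db cfg for %s using %s %d" % (db_name, key, target))
    return cmds


# Constructed sample in the shape shown above, using the guide's default values.
DEFAULT_CFG_OUTPUT = """\
 Log file size (4KB)                         (LOGFILSIZ) = 16384
 Number of primary log files                (LOGPRIMARY) = 20
 Number of secondary log files                (LOGSECOND) = 80
"""


if __name__ == "__main__":
    cfg = parse_log_cfg(DEFAULT_CFG_OUTPUT)
    primary, total = active_log_space(cfg)
    print("primary %d MiB, total %d MiB" % (primary // 2**20, total // 2**20))
    for cmd in plan_updates(cfg, "CIFDB"):
        print(cmd)
```

With the defaults the database can hold 6400 MiB of active log before SQL0964C; after the two updates the limit is 46080 MiB.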

Increasing the Java heap size on AIX and Linux systems


The Java heap size is set to the maximum size allowed by Microsoft Windows. For
better performance when using the Log Management Depot Investigation Tool on
AIX and Linux systems, increase the heap size.

Procedure
1. Locate the $TSIEM_HOME/sim/server/tcr/bin/searchman.py file on the system.
2. Edit the file and search for the following section.
args = [install_dir + 'jre/jre/bin/java'+java_ext,
'-Xms32M',
'-Xmx1536M',
'-cp',
3. Change the heap size value from 1536M to 2G.
args = [install_dir + 'jre/jre/bin/java'+java_ext,
'-Xms32M',
'-Xmx2G',
'-cp',
4. Save the file.

Chapter 6. Upgrading to Tivoli Security Information and Event Manager
Upgrading refers to the process of installing Tivoli Security Information and Event
Manager version 2.0 over an existing product, while retaining all configuration,
collected, and stored data. (During the upgrade, the existing data is migrated to the
new version.)

You can upgrade to Tivoli Security Information and Event Manager version 2.0
from the following products:
v IBM Tivoli Compliance Insight Manager version 8.5
v IBM Tivoli Security Information and Event Manager version 1.0
v IBM Tivoli Event Log Manager version 1.0 PRPQ

The upgrade preserves:
v The system configuration of systems and event sources
v Policies, grouping, rules
v IBM Tivoli Compliance Insight Manager user accounts
v The chunk log depot

Note: After the upgrade, the following roles are assigned only to the cifowner
user, but not to other users:
v Unlock policy
v Management scoping
These roles are new in Tivoli Security Information and Event Manager version 2.0
and cannot be upgraded. See the IBM Tivoli Security Information and Event Manager
Administrators Guide for information about roles.

The following restrictions apply when upgrading:
v Upgrading in place (on the same computer) is not supported. An upgrade can
be done only from an existing source computer to a new 64-bit computer.
v You cannot upgrade directly from Tivoli Compliance Insight Manager version
8.0 to Tivoli Security Information and Event Manager version 2.0. Follow this
process:
1. Upgrade to Tivoli Compliance Insight Manager version 8.5. See the
installation documentation for Tivoli Compliance Insight Manager version
8.5.
2. Upgrade to Tivoli Security Information and Event Manager version 2.0.
v Tivoli Security Information and Event Manager version 1.0 combines Tivoli
Compliance Insight Manager version 8.5 and Tivoli Security Operations Manager
version 4.1.
If you are upgrading from Tivoli Security Information and Event Manager 1.0,
upgrade only the Tivoli Compliance Insight Manager part; do not upgrade Tivoli
Security Operations Manager.
Upgrading from Tivoli Security Information and Event Manager 1.0 does not
change the user management.

v The new Tivoli Security Information and Event Manager system must be running
a supported 64-bit Windows operating system; you cannot upgrade to an AIX or
Linux system.
v If you are upgrading Tivoli Compliance Insight Manager, you must upgrade
from:
– A 32-bit version of the operating system to a 64-bit version of the same
operating system.
– Tivoli Compliance Insight Manager 8.5 to Tivoli Security Information and
Event Manager version 2.0.
For example, you can migrate from Tivoli Compliance Insight Manager 8.5 on
Windows Server 2003 (32-bit) to Tivoli Security Information and Event Manager
version 2.0 on Windows Server 2003 (64-bit).
v You cannot use silent installation to upgrade.
v The migration tool, which exports the data from the old product version and
imports it to the new version, does not migrate report distribution task
schedules or the Chunk Continuity Report Generator (CCRG) schedule. Before
migration, record the distribution task schedules and the CCRG schedule. Then
set these schedules again manually on the Tivoli Security Information and Event
Manager system. After migration, all distribution tasks are set to inactive.
v If the Tivoli Compliance Insight Manager 8.5 system uses SSH collect, you must
install PuTTY on the Tivoli Security Information and Event Manager 2.0 system
before migrating the data. You can find PuTTY on the IBM Tivoli Security
Information and Event Manager v2.0 for Windows DVD in the \utils\putty folder.
See the IBM Tivoli Security Information and Event Manager Event Source Guide for
information about installing PuTTY.

Upgrading a Tivoli Compliance Insight Manager Cluster


To upgrade a Tivoli Compliance Insight Manager Cluster, you must upgrade the
Servers in the correct order.

Before you begin

Be sure that the computers where you upgrade to Tivoli Security Information and
Event Manager version 2.0 meet all hardware, software, storage, memory, and
browser requirements. See Chapter 2, “System Requirements,” on page 13.

About this task

This procedure is a high-level task that shows only the order in which you must
upgrade Servers. For detailed information about upgrading each Server in the
following steps, see “Upgrading from Tivoli Compliance Insight Manager on
Microsoft Windows systems” on page 63.

Procedure
1. Upgrade the Security Server.
2. Upgrade the Enterprise Server (if it is not the Security Server).
3. Upgrade all Standard Servers in the Tivoli Compliance Insight Manager Cluster.

What to do next

After you upgrade the Servers, Tivoli Security Information and Event Manager is
operational. However, before you change the system configuration, for best results,
upgrade any Actuators on Windows, Solaris, HP-UX, AIX, and z/OS systems to
Tivoli Security Information and Event Manager version 2.0 agents.

Note: For instructions for upgrading the Actuator for z/OS, see the information
about upgrading an existing agent in the most recent version of the IBM Tivoli
zSecure Suite: CARLa-Driven Components Installation and Configuration Manual.

Upgrading from Tivoli Compliance Insight Manager on Microsoft Windows systems
You can upgrade from Tivoli Compliance Insight Manager version 8.5 on a 32-bit
Windows system to Tivoli Security Information and Event Manager version 2.0 on
a 64-bit Windows system.

Before you begin


1. Be sure that the system from which you are upgrading has the latest Tivoli
Compliance Insight Manager version 8.5 fix pack installed.
2. Be sure that, on the computer from which you are upgrading, none of the
Reporting Databases are in the loading state.
3. Be sure that the computer to which you are upgrading meets all hardware,
software, storage, memory, and browser requirements. See Chapter 2, “System
Requirements,” on page 13.
4. The IP address and hostname of the system on which you are upgrading to
Tivoli Security Information and Event Manager version 2.0 must be the same as
the IP address and hostname on the Tivoli Compliance Insight Manager version
8.5 system from which you are upgrading. See step 5 on page 65 for
information.

About this task

To upgrade Tivoli Compliance Insight Manager version 8.5 on a 32-bit Windows
system to Tivoli Security Information and Event Manager version 2.0 on a 64-bit
Windows system, you must do the following steps. (These steps are high-level
steps; see the steps in the procedure that follows for detailed information.)
1. Export the data from the old system.
2. Take the old system offline.
3. Prepare the new system.
4. Install Tivoli Security Information and Event Manager version 2.0 on the new
system. (Step 6 on page 65 provides detailed information about the parameters
from the Tivoli Compliance Insight Manager version 8.5 system that must be
preserved.)
5. Import the data to the new system.

Procedure
Use the following steps:
1. Stop all Tivoli Compliance Insight Manager services on the Tivoli Compliance
Insight Manager version 8.5 system. These services are only those services
whose names start with IBM TCIM. Be sure that the DB2 services and the IBM
Tivoli Directory Server services are still running.
2. Optional: On the Tivoli Compliance Insight Manager version 8.5 system, use
the migration tool in calculate mode. In this mode, the migration tool scans the
system on which it is run and determines the disk space needed to successfully
run the tool in export mode. You can then be sure that the location where you
store the exported data has sufficient space. Use the following steps:
a. Go to the Drive_or_path\migration directory. Drive_or_path is one of the
following locations:
v The drive letter of the product installation DVD (for example, E:)
v The full path of the location where you downloaded and unpacked the
product installation files.
b. Type the following command and press Enter:
cifmigrate calculate path_to_export_location
user_name password
[depot_in_place] [indexes_in_place]
See “The migration tool: cifmigrate” on page 67 for more information about
using the migration tool.
3. On the Tivoli Compliance Insight Manager version 8.5 system, use the
migration tool to export your Tivoli Compliance Insight Manager version 8.5
data. The export stops and disables the Tivoli Compliance Insight Manager
services. After export, take the Tivoli Compliance Insight Manager version 8.5
system offline and do not use it any more. Perform the following steps:
a. Go to the Drive_or_path\migration directory. Drive_or_path is one of the
following locations:
v The drive letter of the product installation DVD (for example, E:)
v The full path of the location where you downloaded and unpacked the
product installation files.
b. Type the following command and press Enter:
cifmigrate export path_to_export_location
user_name password
[depot_in_place] [indexes_in_place]

See “The migration tool: cifmigrate” on page 67 for more information about
using the migration tool.
c. Take the Tivoli Compliance Insight Manager version 8.5 system offline.
4. Optional: Use the migration tool in showconfig mode to view the configuration
of the Tivoli Compliance Insight Manager version 8.5 system. You can run the
tool on any system that has access to the location where the data was exported.
Use the following steps:
a. Go to the Drive_or_path\migration directory. Drive_or_path is one of the
following locations:
v The drive letter of the product installation DVD (for example, E:)
v The full path of the location where you downloaded and unpacked the
product installation files
b. Type the following command and press Enter:
cifmigrate showconfig path_to_export_location
This step shows the configuration that was recorded during export. It does not
modify the exported data. You can use the information when installing Tivoli
Compliance Insight Manager on the 64-bit Windows system. (See step 6 on
page 65).
See “The migration tool: cifmigrate” on page 67 for more information about
using the migration tool.

5. On the Windows 64-bit system, change the hostname and IP address of the
Windows 64-bit system to the hostname and IP address of the Tivoli
Compliance Insight Manager version 8.5 system if you have not already done
so.

Note: If you do not change the host name and IP address, two major problems
occur:
v The centralized authentication for the Security Group is broken. As a result,
all Tivoli Security Information and Event Manager and Tivoli Compliance
Insight Manager Servers in the Security Group no longer function and you
cannot upgrade them.
v Agents that are connected to the Tivoli Compliance Insight Manager version
8.5 Server no longer function if the hostname of the new (Tivoli Security
Information and Event Manager version 2.0) Server is not the same.

Some companies do not permit host names to be reused. If so in your company,
you can use a vanity host name (DNS alias) to transparently point to the
currently active Tivoli Compliance Insight Manager or Tivoli Security
Information and Event Manager Server. The IBM Software Support group for
Tivoli Security Information and Event Manager can provide information about
using this technique.
6. Install Tivoli Security Information and Event Manager version 2.0 on the
Windows 64-bit system. See “Installing in graphical mode” on page 29. While
installing, be sure that you meet the following conditions:
v The following parameters, which pertain to the DB2 database installation,
must be the same for Tivoli Security Information and Event Manager as they
were for Tivoli Compliance Insight Manager:
– DB2 database name: This parameter is the DB2 Database field that you
specify in one of the following windows when you install Tivoli Security
Information and Event Manager version 2.0.
- The SIM Database Administrator Account window (if you reuse an
existing DB2 database)
- The SIM Database Information window (if you do not reuse an existing
DB2 database)
– TCP/IP port number: This parameter is the DB2 Server Port field that
you specify in one of the following windows when you install Tivoli
Security Information and Event Manager version 2.0.
- The SIM Database Administrator Account window (if you reuse an
existing DB2 database)
- The SIM Database Information window (if you do not reuse an existing
DB2 database)
v The Server on the Tivoli Security Information and Event Manager system
must be the same type as the Server on the Tivoli Compliance Insight
Manager system. That is:
– If the Tivoli Compliance Insight Manager version 8.5 Server is a Security
Server, you must also install a Security Server as the Tivoli Security
Information and Event Manager version 2.0 Server.
– If the Tivoli Compliance Insight Manager version 8.5 Server is a Standard
Server, you must also install a Standard Server as the Tivoli Security
Information and Event Manager version 2.0 Server.
– If the Tivoli Compliance Insight Manager version 8.5 Server is an
Enterprise Server, you must also install an Enterprise Server as the Tivoli
Security Information and Event Manager version 2.0 Server.
In addition, if you are upgrading from IBM Tivoli Event Log Manager
Version 1.0 PRPQ, you are legally allowed to install only a Log Management
Server.
v The following parameters, which you specify during installation of Tivoli
Security Information and Event Manager version 2.0, must be the same as
those parameters in the Tivoli Compliance Insight Manager version 8.5
installation:
– The host name or IP address
– The installation path
– The name of the operating system account
– The name of the database account
– The base DN of the LDAP entries

Important: In addition, the language of the operating system must be English.
You can use the output from the cifmigrate command with the showconfig
parameter to be sure that you specify the correct parameters.
7. Copy the output of the migration tool to the Windows 64-bit computer on
which you installed Tivoli Security Information and Event Manager version 2.0.
8. Import the Tivoli Compliance Insight Manager version 8.5 data into the Tivoli
Security Information and Event Manager version 2.0 system using the
migration tool. Use the following steps:
a. Go to the Drive_or_path\migration directory. Drive_or_path is one of the
following locations:
v The drive letter of the product installation DVD (for example, E:)
v The full path of the location where you downloaded and unpacked the
product installation files.
b. Type the following command and press Enter:
cifmigrate migrate path_to_export_location
user_name password
[ depot_in_place | depot_from:location ]
[ indexes_in_place | indexes_from:location ]
See “The migration tool: cifmigrate” on page 67 for more information about
using the migration tool.
9. After you successfully import the data, uninstall Tivoli Compliance Insight
Manager version 8.5 from the Tivoli Compliance Insight Manager version 8.5
system.

Note:
a. If you upgraded from Tivoli Compliance Insight Manager version 8.0 (or
earlier) to Tivoli Compliance Insight Manager version 8.5 before upgrading
to Tivoli Security Information and Event Manager version 2.0 and you did
not remove or disable the Oracle Self Audit Event source, you must disable
this event source after the upgrade.
b. If you used PuTTY for SSH collect in Tivoli Compliance Insight Manager
version 8.5, you must run the PuTTY client and connect to the remote hosts
to store remote hosts hash values in the registry.

What to do next

Upgrade the next computer in the cluster. Use the order in “Upgrading a Tivoli
Compliance Insight Manager Cluster” on page 62.

The migration tool: cifmigrate


The migration tool, cifmigrate, is used to export data from the Tivoli Compliance
Insight Manager 8.5 system to be upgraded and to import the data into the new
Tivoli Security Information and Event Manager 2.0 system. The tool can also be
used to calculate the amount of disk space required to run the tool in migrate
mode on the new system.

The migration tool modifies the Tivoli Compliance Insight Manager 8.5 data to be
used on a Tivoli Security Information and Event Manager 2.0 system. It cannot,
therefore, be used as a backup and restore tool.

The migration tool must be run from the Drive_or_path\migration directory. (That
is, you must be in the Drive_or_path\migration directory when you run the
migration tool.) Drive_or_path is one of the following locations:
v The drive letter of the product installation DVD (for example, E:)
v The full path of the location where you downloaded and unpacked the product
installation files

The migration tool has the following syntax:
cifmigrate mode args

where
v mode is one of four modes in which the tool can run. The modes are: calculate,
export, migrate, and showconfig.
For modes other than showconfig, the user name and password for the database
owner must be specified after the mode.
v args is zero or more arguments that are specific to the mode.

The migration tool is available only in English.

Running the migration tool in calculate mode

In calculate mode, the migration tool performs the following actions:


1. Scans the system on which it is run
2. Assumes that this system is the source system
3. Determines the needed file space to successfully run the tool in export mode on
the new system

To run the migration tool in calculate mode, use the following command from the
Drive_or_path\migration directory:
cifmigrate calculate path_to_export_location
user_name password
[depot_in_place] [indexes_in_place]

where
v Drive_or_path is one of the following locations:
– The drive letter of the product installation DVD (for example, E:)
– The full path of the location where you downloaded and unpacked the
product installation files.
v path_to_export_location is the location where you want to store the exported data.
v user_name is the user name of the database owner for the Server you are
upgrading, such as cifowner.
v password is the password for the specified database owner.
v depot_in_place is an optional parameter. If you use this option, the depot size is
not included when calculating the size of the exported data.
v indexes_in_place is an optional parameter. If you use this option, the size of the
indexes is not included when calculating the size of the exported data. This
parameter is used only on an Enterprise Server.

If the available file space is sufficient, a message tells you that you can
continue with the export. However, if the available file space is less than the
estimated needed file space, the migration tool displays the following information:
v The file space required, in MB.
v The file space available, in MB.

Running the migration tool in export mode

In export mode, the migration tool exports data from the Tivoli Compliance Insight
Manager 8.5 system to a location that you specify. The data can then be imported
into a Tivoli Security Information and Event Manager version 2.0 system.

To run the migration tool in export mode, use the following command from the
Drive_or_path\migration directory:
cifmigrate export path_to_export_location
user_name password
[depot_in_place] [indexes_in_place]

where
v Drive_or_path is one of the following locations:
– The drive letter of the product installation DVD (for example, E:)
– The full path of the location where you downloaded and unpacked the
product installation files.
v path_to_export_location is the location where you want to store the exported data.

Note: The export fails if you specify this location as a UNC name such as
\\migrate\c$\export. You must export to a mapped drive such as z:\export
(where z: is mapped to \\migrate\c$).
v user_name is the user name of the database owner for the Server you are
upgrading, such as cifowner.
v password is the password for the specified database owner.
v depot_in_place is an optional parameter. If you use this option, the depot is not
included in the export. You can then import directly from the old location of the
depot or mount the file system containing the depot on the Tivoli Security
Information and Event Manager 2.0 computer without migrating the depot.

Note:
1. Be aware of the following interaction between running the migration tool in
export mode and running the tool in migrate mode:
– If you run the migration tool in export mode using the depot_in_place
option, then you must also run the migration tool in migrate mode using
either the depot_in_place or the depot_from option. If you do not use one
of these options, the command to run the migration tool in migrate mode
will fail.
– If you run the migration tool in export mode without using the
depot_in_place option, then you must also run the migration tool in
migrate mode without using the depot_in_place option. If you use the
depot_in_place option, the migrated system will not have access to the
audit-log data collected by Tivoli Compliance Insight Manager version 8.5.
In this case the migration tool will not fail, but it will write a warning
message to the log file.
If you need to recover from this error, manually make the audit-log data
collected by Tivoli Compliance Insight Manager version 8.5 available to
Tivoli Security Information and Event Manager version 2.0. To make the
data available, move the Tivoli Compliance Insight Manager version 8.5
depot to the location where Tivoli Security Information and Event
Manager version 2.0 searches for it.
2. Do not mount the file system containing the depot on the Tivoli Security
Information and Event Manager version 2.0 computer until after you run the
migration tool in migrate mode.
During (and after) installation of Tivoli Security Information and Event
Manager version 2.0, the installed system begins to collect chunks and write
them to the depot. If you have already mounted the file system containing
the Tivoli Compliance Insight Manager version 8.5 depot at that time, these
chunks are written to that depot. Because these chunks do not belong to the
system after it has been migrated, they "pollute" the depot and cause
"zombie" chunks. These zombie chunks are displayed in the Chunk
Continuity Report as discontinuous chunks. They are also included in any
manual Reporting Database loads if the start or end time of these chunks
falls within the specified load window. (Scheduled Reporting Database loads
do not pick up the zombie chunks.)
Therefore, mount the depot after migration so that only the migrated Tivoli
Security Information and Event Manager system writes to the mounted
depot.
v indexes_in_place is an optional parameter. If you use this option, the
indexes are not included in the export. You can then do either of the following
actions:
– Import directly from the old location of the indexes of the Tivoli Compliance
Insight Manager 8.5 system
– Mount the file system containing the depot on the Tivoli Security Information
and Event Manager version 2.0 system without migrating the indexes.
This parameter is used only on an Enterprise Server.

Running the migration tool in migrate mode

In migrate mode, the migration tool imports the data that was exported from the
Tivoli Compliance Insight Manager 8.5 system into the Tivoli Security Information
and Event Manager 2.0 system.

To run the migration tool in migrate mode, use the following command from the
Drive_or_path\migration directory:
cifmigrate migrate path_to_export_location
user_name password
[ depot_in_place | depot_from:location ]
[ indexes_in_place | indexes_from:location ]

where
v Drive_or_path is one of the following locations:
– The drive letter of the product installation DVD (for example, E:)
– The full path of the location where you downloaded and unpacked the
product installation files.
v path_to_export_location is the location where the exported data is stored.
v user_name is the user name of the database owner for the Server you are
upgrading, such as cifowner.
v password is the password for the specified database owner.
v depot_in_place and depot_from:location are optional, mutually exclusive
parameters.
If you use the depot_in_place option, the depot is not included in the import.
Use this option if you have mounted the file system containing the Tivoli
Compliance Insight Manager 8.5 depot in the location specified during Tivoli
Security Information and Event Manager 2.0 installation.
If you use the depot_from:location parameter, the migration tool loads the
depot from the location specified in location rather than from the exported
location. If this location does not exist, the migration tool displays a message
and stops. If you use this parameter successfully, the migration tool removes the
existing depot.

Note:
1. Be aware of the following interaction between running the migration tool in
export mode and running the tool in migrate mode:
– If you run the migration tool in export mode using the depot_in_place
option, then you must also run the migration tool in migrate mode using
either the depot_in_place or the depot_from option. If you do not use one
of these options, the command to run the migration tool in migrate mode
will fail.
– If you run the migration tool in export mode without using the
depot_in_place option, then you must also run the migration tool in
migrate mode without using the depot_in_place option. If you use the
depot_in_place option, the migrated system will not have access to the
audit-log data collected by Tivoli Compliance Insight Manager version 8.5.
In this case the migration tool will not fail, but it will write a warning
message to the log file.
If you need to recover from this error, manually make the audit-log data
collected by Tivoli Compliance Insight Manager version 8.5 available to
Tivoli Security Information and Event Manager version 2.0. To make the
data available, move the Tivoli Compliance Insight Manager version 8.5
depot to the location where Tivoli Security Information and Event
Manager version 2.0 searches for it.
2. Do not mount the file system containing the depot on the Tivoli Security
Information and Event Manager version 2.0 computer until after you run the
migration tool in migrate mode.
The reason is that during (and after) installation of Tivoli Security
Information and Event Manager version 2.0, the installed system begins to
collect chunks and write them to the depot. If you have already mounted the
file system containing the Tivoli Compliance Insight Manager version 8.5
depot at that time, these chunks are written to that depot. Because these
chunks do not belong to the system after it has been migrated, they "pollute"
the depot and cause "zombie" chunks. These zombie chunks are displayed in
the Chunk Continuity Report as discontinuous chunks. They are also
included in any manual Reporting Database loads if the start or end time of
these chunks falls within the specified load window. (Scheduled Reporting
Database loads do not pick up the zombie chunks.)
Therefore, mount the depot after migration so that only the migrated Tivoli
Security Information and Event Manager system writes to the mounted
depot.
v indexes_in_place and indexes_from:location are optional, mutually exclusive
parameters.
If you use the indexes_in_place option, the indexes are not included in the
import. Use this option if you have mounted the file system containing the
Tivoli Compliance Insight Manager 8.5 depot in the location specified during
Tivoli Security Information and Event Manager version 2.0 installation.
If you use the indexes_from:location parameter, the migration tool loads the
indexes from the location specified in location rather than from the exported
location. If this location does not exist, the migration tool displays a message
and stops. If you use this parameter successfully, the migration tool removes the
existing indexes.

Running the migration tool in showconfig mode

In showconfig mode, the migration tool shows the configuration of the exported
data.

To run the migration tool in showconfig mode, use the following command from
the Drive_or_path\migration directory on the Tivoli Compliance Insight Manager
8.5 system after exporting the data:
cifmigrate showconfig path_to_export_location

where:
v Drive_or_path is one of the following locations:
– The drive letter of the product installation DVD (for example, E:)
– The full path of the location where you downloaded and unpacked the
product installation files.
v path_to_export_location is the location where the exported data was stored.

The migration tool shows the contents of a file that it created while running in
export mode. This file contains the current installation values. You can use this
information when you install the Tivoli Security Information and Event Manager
2.0 system on the 64-bit Windows system. In this way, you can be sure that you are
specifying the correct values for the new system, thus minimizing the risk of
problems during migration.

The file is in path_to_export_location and is named
cifmigrate_configuration.properties.

Upgrading the Actuator for Windows systems
If you have a Tivoli Compliance Insight Manager Actuator on a Windows system,
upgrade it to a Tivoli Security Information and Event Manager 2.0 agent. The
agent can then collect data from Tivoli Security Information and Event Manager
event sources.

Before you begin

Before you upgrade the Actuator for Windows:


1. Be sure that you have upgraded the Server.
2. Be sure that the target system meets the hardware, software, storage, memory,
and browser requirements for installing and running the agent. See Chapter 2,
“System Requirements,” on page 13.

About this task

To take advantage of improvements to the Actuators and event sources that were
made for Tivoli Security Information and Event Manager 2.0, upgrade the
Windows Actuator to a Tivoli Security Information and Event Manager 2.0 agent.

Procedure
1. Uninstall the Tivoli Compliance Insight Manager Actuator. See the installation
documentation for Tivoli Compliance Insight Manager.
2. Use the Tivoli Security Information and Event Manager Portal to configure the
agent and generate a configuration file. See the IBM Tivoli Security Information
and Event Manager Administrators Guide.
3. Install the Tivoli Security Information and Event Manager agent. See Chapter 8,
“The agent for Windows systems,” on page 81.

What to do next

Create new event sources for the Windows audited systems. See the IBM Tivoli
Security Information and Event Manager Event Source Guide.

Upgrading the Actuator for AIX systems


If you have a Tivoli Compliance Insight Manager Actuator on an AIX system,
upgrade it to a Tivoli Security Information and Event Manager 2.0 agent. The
agent can then collect data from Tivoli Security Information and Event Manager
event sources.

Before you begin

Before you upgrade the Actuator for AIX:


1. Be sure that you have upgraded the Server.
2. Be sure that the target system meets the hardware, software, storage, memory,
and browser requirements for installing and running the agent. See Chapter 2,
“System Requirements,” on page 13.

About this task

To take advantage of improvements to the Actuators and event sources that were
made for Tivoli Security Information and Event Manager 2.0, upgrade the AIX
Actuator to a Tivoli Security Information and Event Manager 2.0 agent.

The collection process for the AIX event source includes the original audit logs in
the collected data. Collection of original audit logs is explained in the IBM Tivoli
Security Information and Event Manager Administrators Guide.

During the upgrade process, the existing event sources continue to work. However,
the original audit logs are collected only after the entire upgrade process is
complete.

Procedure
1. Uninstall the Tivoli Compliance Insight Manager Actuator. See the installation
documentation for Tivoli Compliance Insight Manager.
2. Use the Tivoli Security Information and Event Manager Portal to configure the
agent and generate a configuration file. See the IBM Tivoli Security Information
and Event Manager Administrators Guide.
3. Install the Tivoli Security Information and Event Manager agent. See Chapter 9,
“The agent for AIX systems,” on page 85.

What to do next

Create new event sources for the AIX audited systems. See the IBM Tivoli Security
Information and Event Manager Event Source Guide.

Upgrading the Actuator for Solaris systems


If you have a Tivoli Compliance Insight Manager Actuator on a Solaris system,
upgrade it to a Tivoli Security Information and Event Manager 2.0 agent. The
agent can then collect data from Tivoli Security Information and Event Manager
event sources.

Before you begin

Be sure that the target system meets the hardware, software, storage, memory, and
browser requirements for installing and running the agent. See Chapter 2, “System
Requirements,” on page 13.

About this task

To take advantage of improvements to the Actuators and event sources that were
made for Tivoli Security Information and Event Manager 2.0, upgrade the Solaris
Actuator to a Tivoli Security Information and Event Manager 2.0 agent.

Procedure
1. Uninstall the Tivoli Compliance Insight Manager Actuator. See the installation
documentation for Tivoli Compliance Insight Manager.
2. Use the Tivoli Security Information and Event Manager Portal to configure the
agent and generate a configuration file. See the IBM Tivoli Security Information
and Event Manager Administrators Guide.
3. Install the Tivoli Security Information and Event Manager agent. See
Chapter 10, “The agent for Solaris systems,” on page 95.

What to do next

Create new event sources for the Solaris audited systems. See the IBM Tivoli
Security Information and Event Manager Event Source Guide.

Upgrading the Actuator for HP-UX systems


If you have a Tivoli Compliance Insight Manager Actuator on an HP-UX system,
upgrade it to a Tivoli Security Information and Event Manager 2.0 agent. The
agent can then collect data from Tivoli Security Information and Event Manager
event sources. Replace the HP-UX event sources with the new ones.

Before you begin

Before you upgrade the Actuator for HP-UX:


1. Be sure that you have upgraded the Server.
2. Be sure that the target system meets the hardware, software, storage, memory,
and browser requirements for installing and running the agent. See Chapter 2,
“System Requirements,” on page 13.

About this task

To take advantage of improvements to the Actuators and event sources that were
made for Tivoli Security Information and Event Manager 2.0, upgrade the HP-UX
Actuator to a Tivoli Security Information and Event Manager 2.0 agent.

Procedure
1. Uninstall the Tivoli Compliance Insight Manager Actuator. See the installation
documentation for Tivoli Compliance Insight Manager.
2. Use the Tivoli Security Information and Event Manager Portal to configure the
agent and generate a configuration file. See the IBM Tivoli Security Information
and Event Manager Administrators Guide.
3. Install the Tivoli Security Information and Event Manager agent. See
Chapter 11, “The agent for HP-UX systems,” on page 103.

What to do next

Create new event sources for the HP-UX audited systems. See the IBM Tivoli
Security Information and Event Manager Event Source Guide.

Chapter 7. Uninstalling Tivoli Security Information and Event Manager
Use the uninstallation program to uninstall Tivoli Security Information and Event
Manager.

When you uninstall Tivoli Security Information and Event Manager, you can
choose to leave the depot on the computer.

You can uninstall using the GUI uninstallation program, or you can uninstall
silently using a response file.

Uninstalling in graphical mode


Use the uninstallation program to uninstall Tivoli Security Information and Event
Manager.

Before you begin

Before uninstalling on a Windows system, log on as a member of the
Administrators group.

On an AIX or Linux system, log on as root.

Note: If the initial installation of Tivoli Security Information and Event Manager
failed, the uninstallation program might not be available. If the program is not
available, see the "Recovering from a failed installation" section of the Tivoli
Security Information and Event Manager Troubleshooting Guide.

About this task

Uninstalling Tivoli Security Information and Event Manager removes the entire
product. You can, however, leave the depot on the computer when you uninstall
the product.

Procedure
1. Start the uninstallation program.

Note: To use a screen reader with the uninstallation program, see “Using
screen readers with the Tivoli Security Information and Event Manager
installation and uninstallation programs” on page 108.
v On Windows systems, use one of the following methods:
– Uninstall from the Control Panel:
a. From the Control Panel, double-click Add or Remove Programs.
b. Click Tivoli Security Information and Event Manager and click
Remove.
– Run the uninstall.exe command from the %TSIEM_HOME%\_uninst\TSIEMInstall
folder.
v On AIX or Linux systems, go to the $TSIEM_HOME/_uninst/TSIEMInstall
directory and type uninstall.
2. In the Uninstall IBM Tivoli Security Information and Event Manager 2.0
window, click Next.
3. The Uninstall the Log Management Depot window is displayed.

Do one of the following actions and click Next:
v Click Yes to uninstall the depot.
v Accept the default value No to leave the depot installed.
4. In the Database Information window, complete the following fields and click
Next:
Database Admin
Type the name of the database administrator account for the Tivoli
Security Information and Event Manager database or accept the default
user name, cifdbadm.
Database Password
Type the password for the Security Server database owner.
5. In the TIP Administrator Credentials window, complete the following fields
and click Uninstall:
TIP Admin User
Type the name of the TIP administrator or accept the default name
tipadmin.
TIP Admin Password
Type the password for the TIP administrator.

The uninstallation program uninstalls the components you specified. Progress
messages and a completion message are displayed.
6. On Windows systems, you must shut down and reboot the system. On Linux
systems, you must log off and then log in again.

Note: After the uninstallation completes successfully, a few files remain on the
system under the original installation folder and Tivoli Security Information
and Event Manager user folders. You can safely delete these files; they are no
longer used.

On AIX and Linux systems, the original versions of the /etc/profile and
/etc/.login files are saved as:
/etc/profilennnnnnnnnn
/etc/.loginnnnnnnnnnn

where nnnnnnnnnn is a ten digit number. These files can be restored if no
changes were made to the /etc/profile and /etc/.login files after installation.

What to do next

You have uninstalled Tivoli Security Information and Event Manager. If you want
to install the product again, see Chapter 4, “Installing Tivoli Security Information
and Event Manager,” on page 27.

Uninstalling in silent mode


You can use a response file to uninstall Tivoli Security Information and Event
Manager in silent or unattended mode.

You can obtain a response file from the product installation DVD. See “The sample
response file for uninstallation.”

Then perform the following steps:


1. Modify the response file to match the requirements of the computer on which
you are uninstalling. See “Modifying the response file for uninstallation” on
page 78.
2. Use the response file to uninstall the product on that computer. See
“Uninstalling using a response file” on page 79.
During silent uninstallation, no input is required.

The sample response file for uninstallation


A sample response file for uninstallation is provided with Tivoli Security
Information and Event Manager. You can copy the file, modify it, and use it to
uninstall the product silently.

You can find the sample response file on the following product installation DVDs:
v AIX: IBM Tivoli Security Information and Event Manager v2.0 for AIX
v Linux: IBM Tivoli Security Information and Event Manager v2.0 for Linux
v Windows: IBM Tivoli Security Information and Event Manager v2.0 for Windows
The file name on the DVD is uninstaller.properties.template.

Contents of the sample response file

The following text is in the sample response file.


###############################################################
## Licensed Materials - Property of IBM
## 5724-S67
## (c) Copyright IBM Corp. 2010 All Rights Reserved.
## US Government Users Restricted Rights - Use, duplication or
## disclosure restricted by GSA ADP Schedule Contract with
## IBM Corp.
###############################################################
##
## InstallAnywhere variables to configure for silent install
## of Tivoli Security Information and Event Manager 2.0
##
## Usage on Windows: uninstall -f <full path to this file>
## Usage on Aix/Linux: ./uninstall -f <full path to this file>
##
## With windows, install.exe will return immediately. To avoid
## this, you should wrap the install.exe command into a batch
## file.
##
###############################################################
#
INSTALLER_UI=silent

IAGLOBAL_LANGUAGE=en

# 1 means remove the DEPOT folder,
# 0 means don’t remove the DEPOT folder
IAGLOBAL_UNINSTALL_SIM_DEPOT=0

# TSIEM SIM admin user (DB user)
IAGLOBAL_SIMDB2_USERNAME=cifowner
IALOCAL_SIMDB2_PASSWORD=<your password here>
IALOCAL_SIMDB2_PASSWORD_CONFIRM=<your password here>
# SIM DB2 administrator
IAGLOBAL_SIMDB2_ADMIN_USERNAME=cifdbadm
IALOCAL_SIMDB2_ADMIN_PASSWORD=<your password here>
IALOCAL_SIMDB2_ADMIN_PASSWORD_CONFIRM=<your password here>
# WAS Settings
IAGLOBAL_WASUserID=tipadmin
IALOCAL_WASPassword=<your password here>
IALOCAL_WASPassword_RECONFIRM=<your password here>

Modifying the response file for uninstallation


Modify the response file to include the responses you want during uninstallation.

Before you begin

Make a copy of the sample response file. See “The sample response file for
uninstallation” on page 77.

Decide whether you want to remove the depot.

About this task

Modify the response file to contain the correct user IDs and passwords.

Procedure
1. In the response file, check the following line: IAGLOBAL_UNINSTALL_SIM_DEPOT=0
Be sure that this property is set to the correct setting:
v 0 if you want to leave the depot installed
v 1 if you want to remove the depot
2. Specify the correct user IDs and passwords in the appropriate lines in the file.

Note: Passwords in the response file are in plain text, which introduces a
security risk. To minimize this risk:
v Protect the response file by setting the correct file permissions. On Windows
systems, grant read and write permission to only the Administrators group.
On AIX and Linux systems, set the permission to 660.
v Add the passwords to the file as late as possible (for example, just before
running the silent uninstallation).
v Remove the passwords from the response file when the silent uninstallation
finishes.
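The following script, added here as an example and not part of the product, applies that note on AIX and Linux: the working copy of the response file is kept at mode 660, the passwords are inserted from environment variables only immediately before the uninstall command runs, and the placeholders are restored as soon as it finishes. The environment variable names, the stand-in uninstaller and the sample template contents are this example's own assumptions.

```shell
# Added example (not IBM's code): keep the plain-text passwords in a silent
# uninstallation response file exposed for as short a time as possible, as
# the note above recommends for AIX and Linux systems.
set -e
umask 077   # scratch files this script creates are owner-only

# Response-file keys that carry passwords (names from the sample file).
PASSWORD_KEYS="IALOCAL_SIMDB2_PASSWORD IALOCAL_SIMDB2_PASSWORD_CONFIRM \
IALOCAL_SIMDB2_ADMIN_PASSWORD IALOCAL_SIMDB2_ADMIN_PASSWORD_CONFIRM \
IALOCAL_WASPassword IALOCAL_WASPassword_RECONFIRM"
PLACEHOLDER='<your password here>'

# Copy the template to a working file with mode 660 (owner and group only).
prepare_response_file() {   # $1 = template, $2 = working copy
    cp "$1" "$2"
    chmod 660 "$2"
}

# Octal permission bits of a file (GNU stat first, BSD stat as fallback).
file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# Refuse to continue if "other" has any access to the response file.
check_permissions() {
    mode=$(file_mode "$1")
    case "$mode" in
        *0) return 0 ;;
        *)  echo "ERROR: $1 has mode $mode; others must have no access" >&2
            return 1 ;;
    esac
}

# Replace the value of key $2 in file $1 with $3; the file keeps its mode.
set_property() {
    tmp="$1.tmp.$$"
    K="$2" V="$3" awk 'BEGIN { k = ENVIRON["K"]; v = ENVIRON["V"] }
        index($0, k "=") == 1 { print k "=" v; next }
        { print }' "$1" > "$tmp"
    cat "$tmp" > "$1"
    rm -f "$tmp"
}

# Insert the DB owner, DB admin and TIP admin passwords (plus confirmation
# copies); do this only right before the uninstallation runs.
fill_passwords() {   # $1 = file, $2 = DB owner, $3 = DB admin, $4 = TIP admin
    check_permissions "$1" || return 1
    set_property "$1" IALOCAL_SIMDB2_PASSWORD "$2"
    set_property "$1" IALOCAL_SIMDB2_PASSWORD_CONFIRM "$2"
    set_property "$1" IALOCAL_SIMDB2_ADMIN_PASSWORD "$3"
    set_property "$1" IALOCAL_SIMDB2_ADMIN_PASSWORD_CONFIRM "$3"
    set_property "$1" IALOCAL_WASPassword "$4"
    set_property "$1" IALOCAL_WASPassword_RECONFIRM "$4"
}

# Put the placeholder back into every password line.
scrub_passwords() {
    for key in $PASSWORD_KEYS; do set_property "$1" "$key" "$PLACEHOLDER"; done
}

# Succeeds only when no password line still carries a real value.
is_scrubbed() {
    for key in $PASSWORD_KEYS; do
        val=$(grep "^$key=" "$1" | cut -d= -f2-)
        [ "$val" = "$PLACEHOLDER" ] || return 1
    done
}

# Run the uninstaller with the passwords present only for the duration of
# the command. They are read from DB_OWNER_PW, DB_ADMIN_PW and TIP_ADMIN_PW
# (names are this script's own) so they never appear on a command line.
# $1 = response file; the remaining arguments are the uninstall command,
# for example $TSIEM_HOME/_uninst/TSIEMInstall/uninstall.sh.
run_silent_uninstall() {
    file="$1"; shift
    fill_passwords "$file" "$DB_OWNER_PW" "$DB_ADMIN_PW" "$TIP_ADMIN_PW"
    rc=0
    "$@" -f "$file" || rc=$?
    scrub_passwords "$file"      # always scrub, even when the uninstall failed
    return $rc
}

# Constructed stand-in for uninstaller.properties.template (keys as in the guide).
write_sample_template() {
    cat > "$1" <<'EOF'
IAGLOBAL_UNINSTALL_SIM_DEPOT=0
IALOCAL_SIMDB2_PASSWORD=<your password here>
IALOCAL_SIMDB2_PASSWORD_CONFIRM=<your password here>
IALOCAL_SIMDB2_ADMIN_PASSWORD=<your password here>
IALOCAL_SIMDB2_ADMIN_PASSWORD_CONFIRM=<your password here>
IALOCAL_WASPassword=<your password here>
IALOCAL_WASPassword_RECONFIRM=<your password here>
EOF
}
# Demo stand-in for uninstall.sh: succeeds only if a real TIP password reached it.
stub_uninstall() { ! grep -q "^IALOCAL_WASPassword=$PLACEHOLDER" "$2"; }

# Stand-alone demo on the constructed template with dummy passwords.
dir=$(mktemp -d); write_sample_template "$dir/t.template"
prepare_response_file "$dir/t.template" "$dir/uninstall.properties"
DB_OWNER_PW=o DB_ADMIN_PW=a TIP_ADMIN_PW=t run_silent_uninstall "$dir/uninstall.properties" stub_uninstall
is_scrubbed "$dir/uninstall.properties" && echo "demo: passwords scrubbed after the run"
rm -rf "$dir"
```

On a real system, replace stub_uninstall with the uninstall.sh command from the procedure below and export the three password variables in the session instead of typing them on the command line.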

What to do next

Uninstall Tivoli Security Information and Event Manager using the modified
response file. See “Uninstalling using a response file.”

Uninstalling using a response file


You can use a response file to uninstall Tivoli Security Information and Event
Manager in silent or unattended mode.

Before you begin

Before uninstalling on a Windows system, log on as a member of the
Administrators group.

On an AIX or Linux system, log on as root.

Be sure to use a response file that you have modified to contain the correct
information. See “Modifying the response file for uninstallation” on page 78.

About this task

Use the steps in the following procedure to uninstall Tivoli Security Information
and Event Manager using the response file.

Procedure
1. Go to the _uninst\TSIEMInstall or _uninst/TSIEMInstall subdirectory of the
directory where Tivoli Security Information and Event Manager is installed. By
default this directory is:
v On Windows systems, C:\IBM\TSIEM\_uninst\TSIEMInstall
v On AIX systems, /opt/IBM/tsiem/_uninst/TSIEMInstall
v On Linux systems, /opt/ibm/tsiem/_uninst/TSIEMInstall
2. Type one of the following commands:
v On Windows systems:
uninstall.exe -f response_file
v On AIX or Linux systems:
uninstall.sh -f response_file
where response_file is the full path to the response file.
Uninstallation proceeds.
3. On Windows systems, you must shut down and reboot the system. On Linux
systems, you must log off and then log in again.

Note: After the uninstallation completes successfully, a few files remain on the
system under the original installation folder and Tivoli Security Information
and Event Manager user folders. You can safely delete these files; they are no
longer used.

On AIX and Linux systems, the original versions of the /etc/profile and
/etc/.login files are saved as:
/etc/profilennnnnnnnnn
/etc/.loginnnnnnnnnnn

where nnnnnnnnnn is a ten digit number. These files can be restored if no
changes were made to the /etc/profile and /etc/.login files after installation.

What to do next

You have uninstalled Tivoli Security Information and Event Manager from the
computer.

For security purposes, remove the passwords from the response file when the
silent uninstallation finishes.

Chapter 8. The agent for Windows systems
Use this information to install and uninstall the agent for Microsoft Windows
systems.

Install an agent when the audit configuration requires the agent to collect data
from Windows systems.

When you add a computer through the Managing Audited Machines task in the
Tivoli Integrated Portal, you can select one of two ways to install an agent
remotely: Automatic or Manual. If you select the Automatic installation type, you
specify the following information:
v The installation path for the agent software.
v The user credentials under which the agent will run.
v The administrator credentials under which the agent will be installed on the
remote system. This administrator must be a domain administrator or local
built-in administrator.

The agent software is installed at that time.

Note:
1. Before using Automatic installation, be sure that the network allows the
Server to copy files to the remote Windows hosts. For example, be sure that
no firewalls or antivirus programs block the automatic installation.
2. Tivoli Security Information and Event Manager does not support Automatic
agent installation if both of the following are true:
v The machine name is an IPv6 address.
v One or both computers are running a version of the Windows operating
system that is earlier than Windows 2008.
Therefore, if you use an IPv6 address as the machine name when performing
an automatic installation, both computers (the Server and the audited
computer) must run the Windows 2008 operating system.

If you select the Manual installation type for the remote agent, you must install
the agent after you add the audited computer. See “Installing the agent manually
on a Windows system.”

See the IBM Tivoli Security Information and Event Manager Administrators Guide for
information about creating an audited computer and about installing the agent
automatically.

Note: If you are upgrading an Actuator from a previous version, see “Upgrading
the Actuator for Windows systems” on page 72 for information about the steps you
must follow.

Installing the agent manually on a Windows system


Follow these steps to install the agent manually on a Windows system.

© Copyright IBM Corp. 2010 81


Before you begin

Complete the following tasks before you install the agent:


v Be sure that the target system meets the hardware, software, storage, memory,
and browser requirements for installing and running the agent. See Chapter 2,
“System Requirements,” on page 13.
v Configure the agent in the Tivoli Integrated Portal. See the IBM Tivoli Security
Information and Event Manager Administrators Guide.
v If you are installing the agent on a computer that previously had an agent
attached to another Server, explicitly remove the agent from the old Server. If
you do not, the old Server might try to establish a connection with the agent
and the new agent might not work correctly.

About this task

This procedure installs an agent manually on a Windows system.

Procedure
1. Log on to the target system as a member of the Administrators group.
2. Insert the CD labeled IBM Tivoli Security Information and Event Manager v2.0 for
Agents into the CD-ROM drive.
3. Run the Setup.exe program in the x86_nt_4 directory on the CD. The Welcome
window of the Setup program is displayed.
4. In the Welcome window, click Next.
5. In the Target Directory window, do one of the following steps to specify the
directory for the Setup program to install the agent components:
v Accept the default value C:\IBM\TSIEM by clicking Next.
v Type the complete path to another directory and click Next.
v Click Browse and navigate to the directory you want to use and click Next.
A Target Directory window is displayed for confirmation.
6. Verify that the directory where you want to install the agent is displayed, and
click Next.
7. In the Select Configuration File window, do one of the following steps:
v To use a configuration file for the agent configuration parameters, specify the
name of the configuration file that the Server created when this agent was
configured in the Tivoli Integrated Portal. You can specify the file name in
one of the following ways:
– In the Configuration File Location field, type the complete path and file
name and click Next.
– Click Browse and navigate to the directory containing the configuration
file and click Next.

Note: Do not use a Universal Naming Convention (UNC) name for this
path. Instead, either specify the letter of a mapped drive or copy the
configuration file to a local disk.
v To specify the agent configuration parameters manually, select the Manual
Configuration check box and click Next.
8. In the OS Account window, type the name and password for the operating
system account that will run the agent, and click Next.

Note: This account can be a domain account, and it must be a domain account
if the agent is used for remote collect.
9. If you selected the Manual Configuration check box:
a. In the Tivoli Security Information and Event Manager Agent window,
specify the following information for the agent and click Next:
v Agent ID
v IP address
v TCP Port
v Password
b. In the Tivoli Security Information and Event Manager Server Information
window, specify the following information for the Server and click Next:
v IP address
v TCP Port
c. In the HOP Information window, specify the following information and
click Next:
v Agent ID
v IP address
v TCP Port
Installation begins. When installation finishes, the Setup Finished window
displays a notification of whether the installation succeeded. If the window
indicates that installation did not succeed, run the Setup program again.

What to do next

Before you can use the agent, use the procedures in the IBM Tivoli Security
Information and Event Manager Event Source Guide to configure the audit settings for
the appropriate Windows operating system.

Uninstalling the agent on a Windows system


To uninstall the agent on a Windows system, use the Windows Add or Remove
Programs function in the Control Panel.

Chapter 9. The agent for AIX systems
Use this information to install and uninstall the agent for AIX.

The agent for AIX is required under the following circumstances:


v You have event sources running on an AIX system that does not support remote
collect of audited events.
v The audit configuration requires an agent to collect data from AIX systems.

Note: If you are upgrading an Actuator from a previous version, see “Upgrading
the Actuator for AIX systems” on page 72 for information about the steps you
must follow.

Installing the agent for AIX


Use this information to install the agent for AIX.

Use one of the following methods to install the agent on an AIX system:
v The command line. See “Installing the agent from the command line.”
v The SMIT utility. See “Installing the agent with the SMIT utility” on page 86.

Installing the agent from the command line


To install the agent for AIX from the command line, follow these instructions.

Before you begin

Before you install the agent for AIX, perform the following tasks:
1. Make sure that each target system meets the hardware, software, storage,
memory, and browser requirements for installing and running the agent on the
AIX operating system. See Chapter 2, “System Requirements,” on page 13 for
more information.
2. Before you install the agent on a target system, you must configure the agent
using the Tivoli Integrated Portal. See the IBM Tivoli Security Information and
Event Manager Administrators Guide.
3. If you are installing the agent on a computer that previously had an agent
attached to another Server, explicitly remove the agent from the old Server. If
you do not, the old Server might try to establish a connection with the agent
and the new agent might not work correctly.

About this task

If you prefer to install the agent on an AIX system using SMIT, see “Installing the
agent with the SMIT utility” on page 86.

Procedure
1. Log on as root to the system where you are installing the agent for AIX.
2. Insert the CD labeled IBM Tivoli Security Information and Event Manager v2.0 for
Agents into the CD-ROM drive.
3. To obtain the CD-ROM device name, type:
lsdev -Cc cdrom

4. Optional: If necessary, unmount a previously mounted CD by typing:
umount CD-ROM_device_name

For example, to unmount a CD using the default CD-ROM device name
/dev/cd0, type:
umount /dev/cd0
5. Mount the CD labeled IBM Tivoli Security Information and Event Manager v2.0 for
Agents by typing one of the following commands:
mount CD-ROM_device_name

or
mount -o ro /dev/cd0 /my_cdrom

Note:
a. For CD-ROM_device_name, specify either the name or physical path of the
CD-ROM.
b. -o ro means Read Only
c. Replace /my_cdrom with the mount path that you want to use.
6. Go to the /usr/sys/inst.images directory on the CD.
7. To begin the installation, run the following command:
installp -acgNq -d . ibm.tsiem.actuator
The agent installation begins.

What to do next
When the agent installation is finished, import the agent configuration file, as
described in “Configuring the agent on an AIX system” on page 88.

You also must set up auditing on the target system, as described in the IBM Tivoli
Security Information and Event Manager Event Source Guide. You can complete the
agent installation and configuration and platform configuration in any order, but
both tasks must be complete before you run the agent.

Installing the agent with the SMIT utility


To install the agent using the SMIT utility, follow these instructions.

Before you begin

Before you install the agent for AIX, perform the following tasks:
1. Make sure that each target system meets the hardware, software, storage,
memory, and browser requirements for installing and running the agent on the
AIX operating system. See Chapter 2, “System Requirements,” on page 13 for
more information.
2. Before you install the agent on a target system, you must configure the agent
using the Tivoli Integrated Portal. See the IBM Tivoli Security Information and
Event Manager Administrators Guide.
3. If you are installing the agent on a computer that previously had an agent
attached to another Server, explicitly remove the agent from the old Server. If
you do not, the old Server might try to establish a connection with the agent
and the new agent might not work correctly.

About this task

If you prefer to install the agent on an AIX system using the command line, see
“Installing the agent from the command line” on page 85.

Procedure
1. Log on to the target system as root.
2. Insert the CD labeled IBM Tivoli Security Information and Event Manager v2.0 for
Agents into the CD-ROM drive.
3. To obtain the CD-ROM device name, type:
lsdev -Cc cdrom
4. If necessary, unmount a previously mounted CD by typing:
umount CD-ROM_device_name

For example, to unmount a CD using the default CD-ROM device name
/dev/cd0, type:
umount /dev/cd0
5. Mount the IBM Tivoli Security Information and Event Manager v2.0 for Agents CD
by typing one of the following commands:
mount CD-ROM_device_name

or
mount -o ro /dev/cd0 /mycdrom

Note:
a. For CD-ROM_device_name, specify either the name or physical path of the
CD-ROM.
b. -o ro means Read Only
c. Replace /mycdrom with the mount path you want to use.
6. Start SMIT by typing smit.
7. In SMIT, click Software Installation and Maintenance → Install and Update
Software → Install and Update from ALL Available Software.
8. When prompted for the INPUT device /directory of the software, click the
list to display a selection of input devices. Then click the CD-ROM device that
contains the CD with the agent.
9. In the first window, click OK to confirm the input device you selected.
10. In the Customization window, click OK to begin the installation. An
installation progress window is displayed. Installation might take some time.
11. Click Cancel to close the installation process and return to the SMIT main
menu.
12. To exit SMIT, click File → Exit.
13. To exit the root shell and return to the original user shell, type exit.
The agent is now installed.

What to do next

When the agent installation is finished, import the agent configuration file, as
described in “Configuring the agent on an AIX system” on page 88.

You also must set up auditing on the target system, as described in the IBM Tivoli
Security Information and Event Manager Event Source Guide. You can complete the
agent installation and configuration and platform configuration in any order, but
both tasks must be complete before you run the agent.

Configuring the agent on an AIX system


After installing the agent on the AIX system, you must configure it on the AIX
system where it is installed.

Before you begin

Do the following steps:


1. Configure the agent on the Server through the Tivoli Integrated Portal. This
process creates a configuration file.
2. Copy the configuration file to the AIX system where you install the agent.

Note: If you use ftp to send the agent configuration file to the AIX system, be
sure that you use the ASCII mode of the ftp session. Keep in mind that ftp sends
the login credentials and the file itself in clear text; on a network that you do
not trust, use an encrypted transfer such as sftp or scp instead, and convert the
line endings yourself if the file was created on a Windows system, because those
tools do not do it for you.

About this task

To configure the agent, import the configuration file that the Tivoli Integrated
Portal created when you configured this agent on the Server. Use the following
steps.

Procedure
1. Log in as root.
2. Go to the directory that contains the agent setup programs and start the setup
program:
cd /opt/IBM/tsiem/actuator
./install/setup.sh agent_configuration_file

where agent_configuration_file is the path and file name of the configuration file
on the AIX system. For example:
./install/setup.sh /tmp/aix_config.cfg
The agent configuration begins. When configuration is complete, the message
The actuator should now be installed and started is displayed.

What to do next

Configure the audit settings on the target system that is being audited by this
agent. See the IBM Tivoli Security Information and Event Manager Event Source Guide.

Setting the agent to start automatically


Use these instructions to set the agent to restart automatically after it is stopped or
after the computer restarts.

Before you begin

Be sure that you have taken the following actions:


1. Configured the agent through the Tivoli Integrated Portal.
2. Installed and configured the agent on the AIX system.

About this task

The agent installation process creates a startup script named
/etc/ibm.tsiem.actuator. Configure the agent for automatic restart by editing the
/etc/inittab file to add the restart configuration.

Procedure
1. In the vi text editor, open the file /etc/inittab.
2. Find the line that starts TCP/IP. (This line typically starts with /etc/rc.net.)
Add the following entry, on a single line, after it:
TSIEMact:2:respawn:/etc/ibm.tsiem.actuator >/dev/console 2>&1 # Startup of the agent
3. Save the /etc/inittab file and exit the text editor.
4. From the command line, run the command to apply changes to the system:
telinit q

After you have added the restart line, the agent starts at every change to run
level 2.

Note: Level 2 is assumed to have the following characteristics:
v Run level 2 is the multi-user environment.
v Run level 2 is the normal run level for a restart.
The run levels are the same as the run levels that start the audit subsystem,
either directly or through /etc/rc.

What to do next

No further action is required.

Uninstalling the agent for AIX systems


You must stop the agent before you uninstall it.

If you do not stop the agent before uninstalling it, you cannot activate it after you
reinstall it.

Stopping the agent


If the agent is configured to restart automatically, reset the respawn option before
uninstalling the agent. Then the uninstallation program can stop the agent before
uninstalling it.

Before you begin

There are no prerequisites for this task.

About this task

If the agent is configured to restart automatically, you must reset the respawn
option for TSIEMact in the /etc/inittab file.

Procedure
1. Open the /etc/inittab file in the vi text editor.
# vi /etc/inittab

2. Delete the line whose first field is TSIEMact, that is, the entry that was
added when automatic restart was configured:
TSIEMact:2:respawn:/etc/ibm.tsiem.actuator >/dev/console 2>&1 # Startup of the agent
3. Save the /etc/inittab file and quit the text editor.
4. From the command line, type the following command to apply changes to the
system:
# telinit q
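The two procedures above, "Setting the agent to start automatically" and "Stopping the agent", are the same edit of /etc/inittab in opposite directions. The following shell functions are an added example, not part of the IBM guide or the product, that make both edits idempotent and let you rehearse them on a copy of the file before the real /etc/inittab is touched. The entry text is the one from the procedures; the sample inittab used in the demonstration is constructed. After editing the live file, run telinit q yourself, as the procedures say.

```sh
#!/bin/sh
# Added example, not from the IBM guide: add or remove the TSIEMact respawn
# entry in an inittab-style file idempotently. The file path is a parameter,
# so the functions can be rehearsed on a copy before /etc/inittab is edited.
# The entry text is the one shown in the procedures.

TSIEM_ENTRY='TSIEMact:2:respawn:/etc/ibm.tsiem.actuator >/dev/console 2>&1 # Startup of the agent'

# 1 if an entry with the identifier TSIEMact is present, else 0.
has_tsiem_entry() {
    if grep -q '^TSIEMact:' "$1"; then echo 1; else echo 0; fi
}

# Insert the entry directly after the line that starts TCP/IP (/etc/rc.net),
# or at the end of the file if there is no such line. A second call is a
# no-op, so the agent is never registered twice.
add_tsiem_entry() {
    f=$1
    [ "$(has_tsiem_entry "$f")" = 1 ] && return 0
    tmp="$f.tmp.$$"
    if grep -q '/etc/rc\.net' "$f"; then
        awk -v entry="$TSIEM_ENTRY" \
            '{ print } !done && /\/etc\/rc\.net/ { print entry; done = 1 }' "$f" > "$tmp"
    else
        { cat "$f"; printf '%s\n' "$TSIEM_ENTRY"; } > "$tmp"
    fi
    cat "$tmp" > "$f" && rm -f "$tmp"
}

# Remove every TSIEMact entry. This is the "reset the respawn option" step
# that has to happen before the agent process is stopped; otherwise init
# restarts the agent as soon as it exits.
remove_tsiem_entry() {
    f=$1
    tmp="$f.tmp.$$"
    grep -v '^TSIEMact:' "$f" > "$tmp" || :
    cat "$tmp" > "$f" && rm -f "$tmp"
}

# Demonstration on a constructed copy of an inittab.
d=$(mktemp -d)
cat > "$d/inittab" <<'EOF'
init:2:initdefault:
rc:2:wait:/etc/rc 2>&1 # Multi-User checks
rctcpip:2:wait:/etc/rc.net > /dev/console 2>&1 # Start TCP/IP daemons
cron:2:respawn:/usr/sbin/cron
EOF
add_tsiem_entry "$d/inittab"
add_tsiem_entry "$d/inittab"                                    # no-op
echo "entries: $(grep -c '^TSIEMact:' "$d/inittab")"            # 1
remove_tsiem_entry "$d/inittab"
echo "present after removal: $(has_tsiem_entry "$d/inittab")"  # 0
rm -rf "$d"
```

On the live system the sequence is add_tsiem_entry /etc/inittab followed by telinit q to register the agent, and remove_tsiem_entry /etc/inittab followed by telinit q before you stop the agent process. AIX also provides the mkitab and rmitab commands, which make the same edit natively.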

What to do next

After you have applied the changes, you can stop the agent from the command
line or the SMIT utility.

Stopping a running process with SMIT


You can use SMIT to stop a running process, such as the agent.

Before you begin

If the agent is configured to restart automatically, reset the respawn option in the
/etc/inittab file.

Procedure
1. Log on as the root user.
2. To start SMIT, type: smit
3. Access the Remove a Process option:
a. In SMIT, click Processes & Subsystems.
b. In Processes & subsystems, click Processes.
c. Click Remove a Process.
4. To stop the process:
a. In the window that asks for SIGNAL type and PROCESS ID, leave
SIGNAL type set to SIGTERM.
b. For PROCESS ID, click List to display all running processes.
c. Select the agent process. The process number displays in the PROCESS ID
field.
d. Click OK to stop the process.
5. Click Cancel until you return to the SMIT System Management menu.

What to do next

You can now uninstall the agent.

Stopping a running process from the command line


You can use the command line to stop a running process, such as the agent.

Before you begin

If the agent is configured to restart automatically, reset the respawn option in the
/etc/inittab file.

About this task

Attention: Stopping the agent prevents the Server from collecting audit trail
files from the /var/log/eprise directory and removing them after collection. If
the audit subsystem keeps running while the agent is stopped, these files
eventually fill up the entire hard disk of the target system. Stopping the audit
subsystem avoids this, but it also stops all auditing activity on the target
system.

If you plan to remove the agent temporarily (for example, to upgrade), do not stop
the audit subsystem.

If you plan to remove the agent for several days, do one of the following actions:
v Stop the audit subsystem. Selecting this option means that no data is collected
for the period when the audit subsystem is stopped.
v Edit the /etc/security/audit/bincmds file to prevent writing the audit trail files.
Selecting this option means that no data is collected until you edit the
/etc/security/audit/bincmds file to enable writing of the audit trail files.
v Move audit trail files to another system or archive them on disk. Selecting this
option allows you to continue collecting data while the agent is inactive.

You can also use the cron daemon to remove old audit trail files automatically at
regular intervals. For example, add the following entry to the crontab of the root
user to remove all audit trail files that are more than seven days old. The action
runs each day at 8 minutes after midnight:

# This line deletes audit trails from /var/log/eprise when they are one week old.
8 0 * * * find /var/log/eprise -type f -mtime +7 -exec rm {} \;

Any file that cron removes while the agent is stopped was never collected by the
Server, so this entry discards, rather than defers, the audit data of that period.

For more information about using cron, see the UNIX documentation on the
Information CD provided with your AIX system.

Procedure
1. Log on as the root user.
2. To find the process ID (PID) of the agent, run the ps -af command.
Information like the following example is displayed:
UID PID PPID C STIME TTY TIME CMD
root 11078 1 0 May 27 pts/2 5:36 ../bin/agent 12.1.103
The process ID in this example is the PID value 11078.
3. To stop the agent, run the following command:
kill PID
For example, to stop the agent using the process in step 2, type:
kill 11078
4. Run the ps -af command again to confirm that the agent has stopped.
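As an added example that is not part of the IBM guide, the following shell functions wrap steps 2 to 4: they send SIGTERM to the PID found with ps -af, wait for the process to exit, and escalate to SIGKILL only if it is still running after a timeout. A SIGKILL skips the agent's own shutdown, so it is the last resort rather than the first signal. The demonstration stops a sleep process standing in for the agent, and the default timeout of 10 seconds is an assumption.

```sh
#!/bin/sh
# Added example, not from the IBM guide: stop a process by PID with SIGTERM,
# wait for it to exit, and fall back to SIGKILL only after a timeout. The
# PID comes from "ps -af" as in the procedure; the timeout is an assumption.

# 0 if the PID is a live process. kill -0 alone also reports an unreaped
# zombie as alive, so the process state is checked too where ps supports
# "-o stat".
process_alive() {
    kill -0 "$1" 2>/dev/null || return 1
    case "$(ps -p "$1" -o stat= 2>/dev/null)" in
        Z*) return 1 ;;
    esac
    return 0
}

# "running" or "stopped": the re-check that step 4 does with ps -af.
pid_state() {
    if process_alive "$1"; then echo running; else echo stopped; fi
}

# Send SIGTERM, poll once a second, and escalate to SIGKILL after $2 seconds
# (default 10). Returns 0 once the process is gone, 1 if it survived.
stop_pid() {
    pid=$1
    timeout=${2:-10}
    process_alive "$pid" || return 0          # already gone: nothing to do
    kill -TERM "$pid" 2>/dev/null || return 0
    waited=0
    while process_alive "$pid"; do
        if [ "$waited" -ge "$timeout" ]; then
            echo "PID $pid ignored SIGTERM for ${timeout}s, sending SIGKILL" >&2
            kill -KILL "$pid" 2>/dev/null || :
            sleep 1
            break
        fi
        sleep 1
        waited=$((waited + 1))
    done
    if process_alive "$pid"; then return 1; fi
    return 0
}

# Demonstration: a sleep process stands in for the agent.
sleep 300 &
demo_pid=$!
echo "before: $(pid_state "$demo_pid")"    # running
stop_pid "$demo_pid" 5
echo "after:  $(pid_state "$demo_pid")"    # stopped
```

On the target system, pass the PID from the ps -af output (11078 in the example above) as the first argument; if stop_pid returns 1, the agent did not exit even after SIGKILL, which on a healthy system should not happen and is worth investigating before you uninstall.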

What to do next

After you stop the agent, you can safely uninstall the agent.

Uninstalling the agent for AIX


You can uninstall the agent using the SMIT utility or from the command line.

See “Uninstalling the agent for AIX using SMIT” on page 92 or “Uninstalling the
agent for AIX from the command line” on page 92.

Uninstalling the agent for AIX using SMIT
Follow these instructions to use SMIT to uninstall the agent for AIX.

Before you begin

Be sure that you have stopped the agent.

About this task

If you prefer to uninstall the agent on an AIX system using the command line, see
“Uninstalling the agent for AIX from the command line.”

Procedure
1. Log in as the root user.
2. To start SMIT, type smit.
3. In the System Management panel, click Software Installation and
Maintenance.
4. In Software Installation and Maintenance, click Software Maintenance and
Utilities.
5. Click Remove Installed Software. A window is displayed asking for the name
of the software you want to uninstall.
6. From the list of all installed software packages, click ibm.tsiem.actuator.
7. In the first window, set the PREVIEW only option to No. Click OK to confirm
your selection.
8. Click OK in the next window to confirm the uninstallation you selected. A
new window is displayed, showing the progress of the uninstallation.
9. If the removal completed successfully, select Done on the last window to
return to the Remove Software Products option.
10. Click Cancel.
11. On the SMIT main menu, click File → Exit.
12. To remove all files and catalogs from the /opt/IBM/tsiem/actuator/ directory,
type the following command:
rm -r /opt/IBM/tsiem/actuator/
13. Exit the root shell and return to the original user shell by typing exit.

What to do next

After you remove the agent, you can install a new version. For instructions, see
“Installing the agent for AIX” on page 85.

Uninstalling the agent for AIX from the command line


Follow these instructions to use the command line to uninstall the agent for AIX.

Before you begin

Be sure that you have stopped the agent.

About this task

If you prefer to uninstall the agent on an AIX system using SMIT, see “Uninstalling
the agent for AIX using SMIT.”

Procedure
1. Log in as the root user.
2. Type the following command to uninstall the agent from your system:
/usr/lib/instl/sm_inst installp_cmd -u -f ibm.tsiem.actuator
3. To remove all files and catalogs from the /opt/IBM/tsiem/actuator/ directory,
type the following command:
rm -r /opt/IBM/tsiem/actuator/

What to do next

After you remove the agent, you can install a new version. For instructions, see
“Installing the agent for AIX” on page 85.

Chapter 10. The agent for Solaris systems
Use this information to install, configure, and uninstall the agent on a Solaris
system.

You must install the agent for Solaris in either of the following cases:
v When you need to audit event sources that run on Solaris systems that do not
support remote collect of audited events.
v When the audit configuration requires an agent to collect data from Solaris
systems.

The agent for Solaris enables centralized auditing of a decentralized computing
environment. The agent does the following tasks:
v Accesses the audit and accounting logs using Solaris system calls
v Reads the logs
v Places the logs in a structure called a chunk log

Chunk logs can be generated based on a schedule or by a direct call through the
Tivoli Integrated Portal. The agent records a timestamp each time it generates a
chunk log. When a new chunk log is generated, only log records that were
generated after the last extraction are added to the new chunk log.

Audit configuration settings on the target system determine the types of events
that the agent logs. Because logging every event consumes too many resources,
configure the target system to log only events that expose security threats and
weaknesses. The goal is to select audit settings that provide both acceptable
security and acceptable use of resources.

Attention: When auditing starts, the audit subsystem claims an increasing
amount of disk space. If no containing measures are taken, the receiving file
systems might fill up, resulting in severe system problems.

The agent is designed to limit any security risk it can pose to a targeted system,
so configure it to run with the minimal permissions it requires. On the Solaris
operating system, however, the system calls needed to access the audit log
require the root user ID. The agent only reads logs, so the root ID is used for
read access alone; the agent nevertheless runs as root, so protect its binaries
and configuration file as you would any other root-owned program.

Note: If you are upgrading an Actuator from a previous version, see “Upgrading
the Actuator for Solaris systems” on page 73 for information about the steps you
must follow.

Audit Settings
The Audit Subsystem collects all data about events that happen on a specific
system. The agent communicates the data to the Server.

To install or start the Audit Subsystem, you must be logged in as superuser.

Before you can use the Audit Subsystem, the Basic Security Module (BSM) must be
enabled. In the Common Desktop Environment, you can check the file
rootdir/etc/system for the following line:
set c2audit:audit_load = 1

When this line is present, the BSM is active; otherwise you must type the following
command:
bsmconv rootdir

where rootdir is the root directory of possible diskless clients.

Another way to see whether the BSM is active is to use the following command:
grep "c2audit" [rootdir]/etc/system

For more information about the BSM, see "bsmconv (1M)" (in the Solaris Reference
Manual Collection).

The Auditing System should start automatically when the system starts. Therefore
the file /etc/security/audit_startup must be present. An example of a valid file
is:
#!/bin/sh
auditconfig -conf
auditconfig -setpolicy none
auditconfig -setpolicy +cnt
auditconfig -setfsize 1000000

For information about enabling extended logging, see the IBM Tivoli Security
Information and Event Manager Event Source Guide.

Table 2 and Table 3 list the flag settings required in the file /etc/security/
audit_control for logging success and failure actions.
Table 2. Solaris flag settings to log success actions
Short Name   Long Name        Short Description
fd           file_deletion    Deletion of object
pc           process          Process operations such as fork, exec, and exit
ad           administrative   Administrative actions
lo           login_logout     Login and logout events
io           ioctl            ioctl system call
ex           exec             Program execution
na           non_attrib       Non-attributable events

Table 3. Solaris flag settings to log failure actions
Short Name   Long Name        Short Description
fm           file_attr_mod    Change of object attributes such as chown and flock
fc           file_creation    Creation of object
nt           network          Network events such as bind, connect, and accept
ip           ipc              System V IPC operations

The Audit System writes the audit logs to the directory /var/audit.

An example of the contents of an audit_control file follows:
flags:fd,pc,ad,lo,io,ex,na,-fm,-fc,-nt,-ip
naflags:fd,pc,ad,lo,io,ex,na,-fm,-fc,-nt,-ip
minfree:20
dir:/var/audit
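The following shell functions are an added example, not part of the IBM guide or the product, that check copies of /etc/system and audit_control against the requirements of this section without running on the Solaris host itself: the c2audit line that the grep above looks for, the success classes from Table 2 and the failure classes from Table 3 in the flags line, and the presence of a dir: entry. File paths are parameters, and the sample contents in the demonstration are constructed from the examples in this section. A bare class such as fm audits both success and failure, so it also satisfies a required -fm; a leading + restricts a class to success only.

```sh
#!/bin/sh
# Added example, not from the IBM guide: offline checks of a Solaris audit
# configuration against what this section requires. Paths are parameters so
# the checks can run on copies of /etc/system and audit_control.

# Classes that must be audited for success (Table 2) and for failure (Table 3).
REQUIRED_SUCCESS="fd pc ad lo io ex na"
REQUIRED_FAILURE="fm fc nt ip"

# 1 if the BSM load line is present in an /etc/system file, else 0.
bsm_enabled() {
    if grep -q '^set c2audit:audit_load *= *1' "$1"; then echo 1; else echo 0; fi
}

# Value of "key:" in an audit_control file (first match), e.g. flags or dir.
audit_control_value() {
    awk -F: -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# Print the required classes missing from a flags value. A bare class (fm)
# audits success and failure, so it also satisfies a required failure class
# (-fm); "all" satisfies everything.
missing_classes() {
    flags=",$1,"
    missing=""
    case "$flags" in *",all,"*) echo ""; return 0 ;; esac
    for c in $REQUIRED_SUCCESS; do
        case "$flags" in *",$c,"*|*",+$c,"*) ;; *) missing="$missing $c" ;; esac
    done
    for c in $REQUIRED_FAILURE; do
        case "$flags" in *",$c,"*|*",-$c,"*) ;; *) missing="$missing -$c" ;; esac
    done
    echo "${missing# }"
}

# 0 if audit_control has every required class and an audit directory,
# else 1, with the problems printed.
check_audit_control() {
    f=$1
    rc=0
    m=$(missing_classes "$(audit_control_value "$f" flags)")
    if [ -n "$m" ]; then echo "flags: missing $m"; rc=1; fi
    if [ -z "$(audit_control_value "$f" dir)" ]; then echo "dir: not set"; rc=1; fi
    return $rc
}

# Demonstration on constructed copies of the files.
d=$(mktemp -d)
printf 'set c2audit:audit_load = 1\n' > "$d/system"
cat > "$d/audit_control" <<'EOF'
flags:fd,pc,ad,lo,io,ex,na,-fm,-fc,-nt,-ip
naflags:fd,pc,ad,lo,io,ex,na,-fm,-fc,-nt,-ip
minfree:20
dir:/var/audit
EOF
echo "bsm enabled: $(bsm_enabled "$d/system")"                 # 1
check_audit_control "$d/audit_control" && echo "audit_control: ok"
echo "missing in 'lo,ad,-fm': $(missing_classes lo,ad,-fm)"   # fd pc io ex na -fc -nt -ip
rm -rf "$d"
```

Run check_audit_control against each audited Solaris host's audit_control after any change to it; an empty result from missing_classes is the condition under which the agent receives every event class that the tables above call for.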

Starting and stopping the audit daemon


If you need to start or stop the audit daemon manually, use the information in this
section.

Before you begin

Read and understand the information in “Audit Settings” on page 95.

About this task

Use the following commands to start and stop the audit daemon on a Solaris
system.

For more detailed information, see the documentation in the Solaris System
Administrator Collection.

Procedure
1. To start the audit daemon, type the following command: /usr/sbin/auditd

Note: If you run the command audit -s, the daemon reads the audit_control
file again.
2. To stop the audit daemon, type the following command: audit -t

What to do next

No further action is required.

Accounting System
The accounting system monitors the usage of system resources and login times. It
is not necessary to activate or configure the accounting system for the agent.

Several accounting files are generated and updated automatically by Solaris. Tivoli
Security Information and Event Manager uses the /var/adm/wtmpx file.

The wtmpx log contains records that indicate user logins, system startups, and
system events. The records of the wtmpx log are in utmp format.

This file is one of the key logs for the mapping process. Its absence does not affect
the agent, except to lessen the information it can gather. The /var/adm/wtmpx file is
readable for any user. Therefore, no special privileges are needed to access this file.

Installing the agent for Solaris


You can install the agent using utilities in the graphical common desktop
environment (CDE) or using shell commands.

To use the Admintool to install the agent for Solaris, see “Installing the agent with
Admintool” on page 98.

To use pkgadd to install the agent for Solaris, see “Installing the agent with the
pkgadd shell command” on page 99.

Installing the agent with Admintool


You can use the Admintool to install the agent on a Solaris system.

Before you begin

Before you begin to install:


1. Be sure that the target system meets the hardware, software, storage, memory,
and browser requirements for installing and running the agent. See Chapter 2,
“System Requirements,” on page 13.
2. Before installing the agent on a target system, register the agent in the Tivoli
Integrated Portal. See the IBM Tivoli Security Information and Event Manager
Administrators Guide.
3. If you are installing the agent on a computer that previously had an agent
attached to another Server, explicitly remove the agent from the old Server. If
you do not, the old Server might try to establish a connection with the agent
and the new agent might not work correctly.

About this task

If you prefer a graphical interface, you can use Admintool to install the agent on a
Solaris system.

Procedure
1. Log in as root.
2. Insert the CD labeled IBM Tivoli Security Information and Event Manager v2.0 for
Agents into the CD-ROM drive.
3. To start Admintool, click Applications on the front panel and then click
Application manager → System_Admin → Admintool.
4. When Admintool starts, click Browse → Software.
5. Click Edit → Add.
6. Admintool asks for a CD path. Type the following path and click OK:
/cdrom/cdrom0/
(The Solaris agent installation software is in the root directory on the CD
under TSIEMac.)
7. The Admintool: Add Software window opens. In the Software Overview on
the left side of the window, click Agent, your only choice, and then click Add.
8. Admintool asks for the location of the agent configuration file. This
configuration file was created when you registered this agent in the Tivoli
Integrated Portal.
9. Type the path and name of the configuration file or provide the following
configuration parameters:
v Agent ID
v Agent IP address
v Agent port
v Installation password
v Server ID
v Server IP address
v Server port
v HOP ID
v HOP IP address
v HOP port

Note: For information about the agent and Server parameters, see the online help
for the product in the Tivoli Integrated Portal. For HOP parameters, use the same
values as for the Server.
When you finish typing the configuration file location or entering
configuration parameters, Admintool asks you to confirm your work. Type y
and then press Enter.
Installation begins.
10. When the Installation successful message is displayed at the bottom of the
window, press Enter. The Admintool Software window opens. The agent is
not listed yet. The name is displayed after you exit Admintool and reopen it.

What to do next

You have now successfully installed the agent. To run the agent, configure your
Solaris settings if you have not already done so.

Installing the agent with the pkgadd shell command


You can use the pkgadd command to install the agent on a Solaris system.

Before you begin

Before you begin to install:


1. Be sure that the target system meets the hardware, software, storage, memory,
and browser requirements for installing and running the agent. See Chapter 2,
“System Requirements,” on page 13.
2. Before installing the agent on a target system, register the agent in the Tivoli
Integrated Portal. See the IBM Tivoli Security Information and Event Manager
Administrators Guide.
3. If you are installing the agent on a computer that previously had an agent
attached to another Server, explicitly remove the agent from the old Server. If
you do not, the old Server might try to establish a connection with the agent
and the new agent might not work correctly.

About this task

If you prefer using shell commands, you can use the pkgadd command to install
the agent on a Solaris system.

Procedure
1. Log in as root.
2. Insert the CD labeled IBM Tivoli Security Information and Event Manager v2.0 for
Agents into the CD-ROM drive.
3. Type the following command:
pkgadd -d /cdrom/cdrom0 TSIEMac
4. The program asks you for the location of the agent configuration file. This
configuration file was created when you registered this agent in the Tivoli
Integrated Portal.
5. Type the path and name of the configuration file or provide the following
configuration parameters:
v Agent ID
v Agent IP address
v Agent port
v Installation password
v Server ID
v Server IP address
v Server port
v HOP ID
v HOP IP address
v HOP port

Note: For information about agent and Server parameters, see the product
online help in the Tivoli Integrated Portal. For HOP parameters, use the same
values that you used for the Server.
6. Installation begins. When it finishes, an Installation successful message is
displayed at the bottom of the window.

What to do next

You have now successfully installed the agent. To run the agent, configure your
Solaris settings if you have not already done so.

Setting up the agent to restart automatically


For ease of use, you can set up the agent to restart automatically.

Before you begin

Be sure that you have taken the following actions:


1. Configured the agent through the Tivoli Integrated Portal
2. Installed and configured the agent on the Solaris system

About this task

You can use the watchdog timer to set up the agent to restart automatically.

Procedure

To start the watchdog timer so that the agent is automatically restarted after it is
terminated, use the following command:
/etc/init.d/CEAWatchdog start

What to do next

No further action is required.

Uninstalling the agent for Solaris systems


You can uninstall the agent for Solaris using either the Admintool utility or shell
commands.

To use the Admintool to uninstall an agent on a Solaris system, see “Uninstalling
the agent on Solaris systems using the Admintool.”

To use the pkgrm command to uninstall an agent on a Solaris system, see
“Uninstalling the agent on Solaris systems from the command line.”

Uninstalling the agent on Solaris systems using the Admintool


You can use the Admintool to uninstall the agent on Solaris systems.

Before you begin

Be sure that you are logged in as root.

Before attempting to uninstall the agent, you must stop the agent. Otherwise, you
cannot activate a new agent after you install it.

About this task

If the Admintool is present on your version of Solaris, you can use it to uninstall
the agent. If you do not have the Admintool, use the pkgrm shell command.

Procedure
1. Stop the agent using the following steps:
a. Log in as root.
b. From the Common Desktop Environment, click the Front panel.
c. Click the Tools subpanel.
d. Click Find Process.
e. Click the process with the name Agent.
f. From the Process menu, click Kill. Now the agent has been stopped and you
can uninstall it.
2. Uninstall the agent using the following steps:
a. Log in as root.
b. Select the Applications subpanel from the Front Panel. Click Applications.
c. Click the System-Administrator icon.
d. Click the Admintool icon.
e. Click Browse → Software → Actuator.
f. From the Edit pull-down, click Delete. Then, confirm the delete action.
g. Press Enter twice.
h. From the File pull-down, click Exit.

What to do next

After you uninstall the agent, its name is still visible in the Admintool software
list. The name is removed after you close the menu.

To install a new version of the agent for Solaris, see “Installing the agent for
Solaris” on page 97.

Uninstalling the agent on Solaris systems from the command line

You can uninstall the agent on Solaris systems using the command line.

Before you begin

Be sure that you are logged in as root.

Before attempting to uninstall the agent, you must stop the agent. Otherwise, you
cannot activate a new agent after you install it.

About this task

If the Admintool is present on your version of Solaris, you can use it to uninstall
the agent. If you do not have the Admintool, use the procedure that follows.

Procedure
1. Type the command pkgrm TSIEMac.
2. At the Do you want to delete? prompt, type Y.
The pkgrm utility stops the watchdog timer, kills the agent processes, and then
removes the agent package from the system.

What to do next
The agent for Solaris is now uninstalled.

To install a new version of the agent for Solaris, see “Installing the agent for
Solaris” on page 97.

Chapter 11. The agent for HP-UX systems
Use this information to install and uninstall the agent for HP-UX systems.

The agent for HP-UX is required:


v For auditing event sources that run on HP-UX systems and do not support
remote collection of audited events
v When the audit configuration requires the agent to collect data from HP-UX
systems

There are installation and configuration steps on the client and the Server.

To install the agent on an HP-UX system, you must:


1. On the client:
a. Install the agent using the swinstall command.
b. If you do not specify a configuration file during installation, configure the
agent manually.
2. On the Server, register the agent in Tivoli Integrated Portal. See the IBM Tivoli
Security Information and Event Manager Administrators Guide.

Note: If you are upgrading an Actuator from a previous version, see “Upgrading
the Actuator for HP-UX systems” on page 74 for information about the steps you
must follow.

Installing the agent using the swinstall command


Use the swinstall command to install the agent on an HP-UX system.

Before you begin


v Before you start the installation, log in as root.
v If you are installing the agent on a computer that previously had an agent
attached to another Server, explicitly remove the agent from the old Server. If
you do not, the old Server might try to establish a connection with the agent
and the new agent might not work correctly.

About this task

To install the agent for HP-UX on the client system:


1. Install the agent using the swinstall command. While installing the agent, you
can also specify a configuration file and configure the agent.
2. If you do not specify a configuration file during installation, configure the
agent manually.

Procedure
1. Insert the CD labeled IBM Tivoli Security Information and Event Manager v2.0 for
Agents into the CD-ROM drive.
2. Before you can mount the CD, the pfs_mountd and pfs daemons must be
running.
a. To see if the daemons are running, type the following command at the
prompt:
# ps -e | grep pfs
If the daemons are running, the results display a line that ends in
pfs_mountd and a line that ends in pfsd. For example:
1509 ? 0:00 pfsd.rpc
1495 ? 0:00 pfsd
1498 ? 0:00 pfs_mountd.rpc
1494 ? 0:00 pfs_mountd
1531 ? 0:00 pfsd.rpc
1500 ? 0:00 pfsd.rpc
1530 ? 0:00 pfsd.rpc
b. If the daemons are not running, issue the following commands to start
them:
v To start the pfs_mountd daemon, type:
# /usr/sbin/pfs_mountd &
v To start the pfsd daemon, type
# /usr/sbin/pfsd 2 &
3. Use grep to search the /etc/pfs_fstab file for a line referring to the CD-ROM
device. For example, type the following command:
# cat /etc/pfs_fstab | grep rrip
4. Check to see if the result looks like the following line:
/dev/dsk/c0t2d0 /cdrom pfs-rrip ro 0 0
with the third column equal to "pfs-rrip". If it does, you can mount the CD
with the command:
# pfs_mount /cdrom
(or substitute the appropriate value from the second column).
5. If there is not an appropriate line in /etc/pfs_fstab, then you can mount the
CD using the following command:
/usr/sbin/pfs_mount -t rrip -o xlat=unix /dev/dsk/c0t2d0 /cdrom
Substitute the appropriate (CD-ROM) device name and directory name for the
last two arguments.
6. Use the following command to copy files from the CD to the path directory:
cp -r /cdrom/catalog /path/catalog
For example, type:
cp -r /cdrom/catalog /tmp/catalog
7. Start the software installation with the following command:
swinstall -x ask=true -s /path/tsiem.depot TSIEMact
For example, type:
# swinstall -x ask=true -s /tmp/hp9000_ux_11/tsiem.depot TSIEMact
8. Do one of the following steps:
v At the prompt for the agent configuration file, specify the configuration file
you created on the Server.
/home/username/hpux.cfg
After you specify the configuration file, the system automatically sets the
configuration parameters based on the values in the configuration file. The
installation process begins. When the process finishes, the message
*Execution succeeded is displayed.
v When prompted for the agent configuration file, accept the default setting,
manual configuration. Then see “Configuring the agent manually on HP-UX
systems.”

What to do next

Configure the agent if you did not configure it automatically.

Configuring the agent manually on HP-UX systems


Instead of using the configuration file you created, you can configure the agent
manually.

Procedure
1. At the prompt for the configuration file, press Enter instead of specifying a file
name.
agent configuration file (default: manual configuration):
<Enter>
2. The installation program prompts you to enter four configuration parameters
for the agent, three parameters for the Server, and three parameters for the
HOP. For the agent and Server parameters, see the online help for the product
in the Tivoli Integrated Portal. For the HOP parameters, provide the same
values that you specified for the Server.
The following are examples of these configuration parameters:
Agent ID (default: ""): 12.1.118
Agent IP address (default: ""): 172.16.1.3
Agent port (default: ""): 5992
Installation password (default: ""): 96820F8CE6
Server ID (default: ""): 12.1.1
Server IP address (default: ""): 172.31.1.2
Server port (default: ""): 5992
HOP ID (default: "12.1.1"): 12.1.1
HOP IP address (default "crme13.example.com"): 172.31.1.2
HOP port (default: "5992"): 5992
3. After you enter the 10 configuration parameters, the installation process
prompts you to confirm or change the parameters you entered:
Agent ID: 12.1.118
Agent IP address: 172.16.1.3
Agent port: 5992
Installation password: 96820F8CE6
Server ID: 12.1.1
Server IP address: 172.31.1.2
Server port: 5992
HOP ID: 12.1.1
HOP IP address: 172.31.1.2
HOP port: 5992
Do you want to change any of these data [y,n]? n

What to do next

After you specify the configuration parameters, the installation process begins.
When the process finishes, the message *Execution succeeded is displayed.

Starting the agent


The agent is automatically started during installation.

Before you begin

Be sure that you have installed the agent for HP-UX.

About this task

You can start the agent manually, and you can also set the agent up to restart
automatically when it is terminated.

Procedure
1. To start the agent manually, go to the directory of the agent. (The default is
/opt/IBM/tsiem/actuator.) At the command line, run the following command:
./start-client
2. To restart the agent automatically when it is terminated, start the watchdog
timer:
/sbin/init.d/cea.watchdog start

What to do next

No further action is required.

Uninstalling the agent for HP-UX using swremove


You can uninstall the agent for HP-UX using the swremove command.

Before you begin


Be sure that you are logged on as the root user.

About this task

Use the swremove command to uninstall the agent for HP-UX.

Procedure
1. Verify that Tivoli Security Information and Event Manager is installed by using
the shell command swlist:
# swlist | grep TSIEM
If Tivoli Security Information and Event Manager is installed, the output looks
as follows:
TSIEMact 2.0.0.0 IBM Tivoli Security Information and Event Manager
2. Use the shell command swremove to uninstall the Tivoli Security Information
and Event Manager software:
# swremove TSIEMact
After the agent is removed, the message * Execution succeeded is displayed.
3. Type the following command to remove all remaining files and directories
from the /opt/IBM/tsiem/actuator/ directory:
rm -r /opt/IBM/tsiem/actuator/

What to do next

You can install a new version of the agent for HP-UX.

Appendix A. Accessibility
Accessibility features help users with physical disabilities, such as restricted
mobility or limited vision, to use software products successfully. Tivoli Security
Information and Event Manager is not fully accessible.

The list of items that are not accessible includes, but is not limited to, the following
examples:
v Not all images in the Tivoli Security Information and Event Manager
Management Console have alternate text provided.
v Some action items in the Tivoli Security Information and Event Manager
Management Console are provided as non-text context only and might not be
able to be manipulated using assistive technologies.
v Not all image maps in the product provide alternative text and not all maps can
be navigated using equivalent text links.
v Assistive technologies might not automatically detect changes to information
and structures in the Tivoli Security Information and Event Manager
Management Console. In addition not all captions, labels, and tables are
correctly interpreted by assistive technologies.
v Some items in the Tivoli Security Information and Event Manager Management
Console are differentiated solely through the use of color.
v Not all functions in the Tivoli Security Information and Event Manager
Management Console can be performed by only using the keyboard.
v Not all table cells, relationships between cells, primary natural languages of Web
units, and user interface components can be programmatically determined.
v Timeouts cannot always be adjusted by the user.
v Titles and accessible frame sources are not provided for all frames.
v Errors in information typed by the user are not always identified, described in
text, and presented to the user.

The product documentation was modified to include the following features to aid
accessibility:
v All documentation is available in both HTML and convertible PDF formats to
give the maximum opportunity for users to apply screen-reader software.
v All images in the documentation are provided with alternative text so that users
with vision impairments can understand the contents of the images.

Navigating the interface using the keyboard

Not all interfaces can be navigated using just the keyboard. For those interfaces
that can be, the product uses the standard shortcut and accelerator keys provided
by the operating system. Refer to the documentation provided by your operating
system for more information.

Magnifying what is displayed on the screen

You can enlarge information on the product windows using facilities provided by
the operating systems on which the product is run. For example, in a Microsoft
Windows environment, you can lower the resolution of the screen to enlarge the
font sizes of the text on the screen. Refer to the documentation provided by your
operating system for more information.

Using screen readers with the Tivoli Security Information and Event Manager
installation and uninstallation programs

Taking into account the limitations on accessibility in the product, users can use
screen readers that rely on the Java Access Bridge. Job Access With Speech (JAWS)
is such a screen reader. See http://java.sun.com/javase/technologies/accessibility/
accessbridge/ for information about the Java Access Bridge.

A JVM (version 1.5 or higher) and the Java Access Bridge must be installed on the
computer on which you are installing Tivoli Security Information and Event
Manager.

Start the Tivoli Security Information and Event Manager installation or
uninstallation program with a parameter that specifies the correct JVM.
For installation
At a command prompt, go to the DVD drive where the IBM Tivoli Security
Information and Event Manager v2.0 for Windows DVD is inserted and type
the following command:
install.exe LAX_VM "path_to_java.exe"
For example, type the following commands:
D:
install.exe LAX_VM "C:\Program Files\Java\jdk1.5.0_07\bin\java.exe"
For uninstallation
Go to the installation_location/_uninst/TSIEMInstall folder and type
the following command:
uninstall.exe LAX_VM "path_to_java.exe"
For example, type the following commands:
C:
cd \IBM\TSIEM\_uninst\TSIEMInstall
uninstall.exe LAX_VM "C:\Program Files\Java\jdk1.5.0_07\bin\java.exe"

For more information, search for article Q200311 entitled "How to Use JAWS with
InstallAnywhere" at http://www.flexerasoftware.com/

Appendix B. Configuring the web browser and system for the Tivoli Integrated Portal
Tivoli Security Information and Event Manager uses the Tivoli Integrated Portal, a
web-based application, for performing administrative, configuration, and reporting
functions. In order for the features in Tivoli Security Information and Event
Manager to function properly in the web browser and reports, you must use a
supported web browser and configure your web browser and system.

Supported web browsers


Tivoli Security Information and Event Manager has a single login entrance for
accessing all its installed components. It is implemented as a web application
called the Tivoli Integrated Portal, and it can be opened in a web browser.

The Tivoli Integrated Portal is compatible with the following web browsers:
Microsoft Windows systems
v Microsoft Internet Explorer Version 6.0 Service Pack 2 (SP2)
v Microsoft Internet Explorer Version 7.0
v Mozilla Firefox versions 2.0, 3.0, and 3.1
Linux systems
Mozilla Firefox versions 2.0, 3.0, and 3.1

Other versions of these web browsers are not compatible with the Tivoli Integrated
Portal.

Screen resolution
The minimum screen resolution is 1024 x 768.

Enabling JavaScript and ActiveX


To view the Tivoli Integrated Portal properly, ensure that JavaScript™ and ActiveX
are enabled for the web browser. If you are using Internet Explorer, ensure that the
system where Tivoli Security Information and Event Manager is installed is added
to the "Trusted sites" list in Internet Explorer.

If JavaScript is disabled or ActiveX is disabled in Internet Explorer, then the Tivoli
Integrated Portal windows do not resize correctly. To ensure that the windows
resize correctly, enable JavaScript, enable Active Scripting, and add the system
where Tivoli Security Information and Event Manager is installed to the "Trusted
sites" list in Internet Explorer.

Enabling ActiveX and configuring security settings in Internet Explorer
Enable ActiveX for Internet Explorer.

Before you begin

Ensure that Internet Explorer Version 6.0 Service Pack 2 or Internet Explorer
Version 7.0 is installed.

Procedure
1. Open Internet Explorer.
2. Click Tools.
3. Click Internet Options.
4. Click the Security tab.
5. Select Custom Level.... The Security Settings window opens.
6. In the Security Settings window, ensure that the following settings are
enabled.
v Ensure that the radio button for Script ActiveX controls marked safe for
scripting is set to Enable.
v Ensure that the radio button for Active scripting is set to Enable.
v Ensure that the radio button for Display mixed content is set to Enable.
7. Click OK to exit the Security Settings window.
8. Click the General tab.
9. In the Browsing history section, click Settings. The Temporary Internet Files
and History Settings page opens.
10. In the Temporary Internet Files section, ensure that the radio button for
Check for newer versions of stored pages: is set to Every time I visit the
webpage.
11. Click OK to exit the Temporary Internet Files and History Settings page.
12. Click OK to exit the Internet Options window.
13. Restart Internet Explorer for the settings to take effect.

Configuring "Trusted sites" in Internet Explorer


Add the system where Tivoli Security Information and Event Manager is installed
and about:blank to the "Trusted sites" list in Internet Explorer.

Before you begin

Ensure that Internet Explorer Version 6.0 Service Pack 2 or Internet Explorer
Version 7.0 is installed.

About this task

In order for Tivoli Integrated Portal to display correctly, you must add the system
where Tivoli Security Information and Event Manager is installed and about:blank
to the "Trusted sites" list in Internet Explorer.

Procedure
1. Open Internet Explorer.
2. Click Tools.
3. Click Internet Options.
4. Click the Security tab.
5. Click Trusted sites.
6. Click Sites....
7. In the Add this website to the zone field, add the following sites to the
Trusted sites list.
v Enter the IP address or the URL for the system where Tivoli Security
Information and Event Manager is installed.
v Enter about:blank.
8. Click OK to exit the Trusted sites window.
9. In the section, Security Level for this zone, click Custom Level.
10. Ensure that the slider is set to Medium-low.
11. Click OK to exit the Internet Options window.

What to do next

If you are running the Tivoli Integrated Portal on Windows 2003 Server or
Windows 2008 Server, you must also disable the Internet Explorer Enhanced
Security Configuration. For more information, see “Disabling Enhanced Security
Configuration in Windows 2003 Server” and “Disabling Enhanced Security
Configuration in Windows 2008 Server.”

Disabling Enhanced Security Configuration in Windows 2003 Server


If you are running the Tivoli Integrated Portal on Windows 2003 Server, you must
also disable the Internet Explorer Enhanced Security Configuration.

Before you begin

Ensure that Internet Explorer Version 6.0 Service Pack 2 or Internet Explorer
Version 7.0 is installed.

About this task

This section explains how to disable the Enhanced Security Configuration in
Internet Explorer on a Windows 2003 Server.

Procedure
1. Open the Control Panel.
2. Click Add or Remove Programs.
3. Click Add/Remove Windows Components.
4. Select Internet Explorer Enhanced Security Configuration.
5. Click Details.
6. Unselect the option for the user group running Tivoli Integrated Portal on
Internet Explorer.

Disabling Enhanced Security Configuration in Windows 2008 Server


If you are running the Tivoli Integrated Portal on Windows 2008 Server, you must
also disable the Internet Explorer Enhanced Security Configuration.

Before you begin

Ensure that Internet Explorer Version 6.0 Service Pack 2 or Internet Explorer
Version 7.0 is installed.

About this task

This section explains how to disable the Enhanced Security Configuration in
Internet Explorer on a Windows 2008 Server.

Procedure
1. Open the Server Manager administrative tool.
2. Navigate to the Security Information section.
3. Click Configure Internet Explorer Enhanced Security Configuration.
4. Disable Internet Explorer Enhanced Security Configuration for the user group
running Tivoli Integrated Portal on Internet Explorer.

Configuring encryption for Internet Explorer


Enable the Transport Layer Security (TLS) protocol for Internet Explorer.

Before you begin


Ensure that Internet Explorer Version 6.0 Service Pack 2 or Internet Explorer
Version 7.0 is installed.

Procedure
1. Open Internet Explorer.
2. Click Tools.
3. Click Internet Options.
4. In the Advanced tab, scroll down to the Security section.
5. Select the check box for Use TLS 1.0.
6. Click OK.

Configuring encryption for Firefox


Enable the Transport Layer Security (TLS) protocol for Firefox.

Before you begin

Ensure that a supported version of Mozilla Firefox is installed.

Procedure
1. In the browser menu, click Tools.
2. Click Options. The Options window opens.
3. Click the Advanced icon.
4. Click the Encryption tab.
5. In the Protocols section, select the Use TLS 1.0 check box.
6. Click OK to close the Options window.

Enabling cookies
To access the Tivoli Integrated Portal, cookies must be enabled in the browser.

Enabling cookies in Internet Explorer
Enabling cookies in Internet Explorer allows Tivoli Security Information and Event
Manager to remember your settings.

Before you begin

Ensure that Internet Explorer Version 6.0 Service Pack 2 or Internet Explorer
Version 7.0 is installed.

Procedure
1. Open Internet Explorer.
2. Click Tools.
3. Click Internet Options. The Internet Options window opens.
4. In the Privacy tab, move the settings slide to Low or Accept All Cookies.
5. Click OK.

Enabling cookies in Firefox


Enabling cookies in Firefox allows Tivoli Security Information and Event Manager
to remember your settings.

Before you begin

Ensure that a supported version of Mozilla Firefox is installed.

About this task

By default, cookies are enabled in Firefox.

Procedure
1. Open Firefox
2. Click Tools.
3. Click Options. The Options window opens.
4. Click the Privacy icon.
5. In the Firefox will: field, select Use custom settings for history.
6. Ensure that the check box for Accept cookies from sites is selected.
7. Ensure that the check box for Accept third-party cookies is selected.
8. In the Keep until: field, select they expire.
9. Click OK.

Enabling browser caching


To ensure that the Tivoli Integrated Portal and the Compliance Dashboard always
display the most recent audit data, you must adjust caching for the browser. Make
this adjustment before starting the Tivoli Integrated Portal for the first time.

Configuring browser caching in Internet Explorer


This section explains how to configure browser caching in Internet Explorer
Version 6.0 Service Pack 2 and Internet Explorer Version 7.0.

Before you begin

Ensure that Internet Explorer Version 6.0 Service Pack 2 or Internet Explorer
Version 7.0 is installed.

Procedure
1. Open Internet Explorer.
2. Click Tools.
3. Click Internet Options.
4. In the Temporary Internet Files section, click Settings.
5. Below Check for new versions of stored pages, click Every visit to the page.
6. Click OK twice to save and apply the new settings.

Configuring browser caching in Firefox


This section explains how to configure browser caching in Mozilla Firefox.

Before you begin

Ensure that a supported version of Mozilla Firefox is installed.

About this task

By default, browser caching is enabled in Firefox.

Procedure
1. Open Firefox.
2. In the address bar, enter about:config.
3. Scroll to the preference network.http.use-cache.
v If the value equals true, then browser caching is enabled.
v If the value equals false, then browser caching is disabled. To enable browser
caching, right-click network.http.use-cache and select Toggle. The value
switches to true.
4. Close the browser tab.

Turning off the "Show friendly HTTP error messages" parameter in Internet Explorer
If you are viewing data or reports in the Compliance Dashboard and you click the
Back button, you might see an error message such as "Warning: Page has expired"
or "The page cannot be displayed." In order to be redirected to the correct page
and to avoid these error messages, you must turn off the "Show friendly HTTP
error messages" parameter in Internet Explorer.

Before you begin

Ensure that Internet Explorer Version 6.0 Service Pack 2 or Internet Explorer
Version 7.0 is installed.

Procedure
1. Open Internet Explorer.
2. Click Tools.
3. Click Internet Options.
4. In the Advanced tab, scroll down to the Browsing section.
5. Unselect the check box for Show friendly HTTP error messages.
6. Click OK.
7. Restart Internet Explorer.

Installing language files and fonts


You must install the appropriate language files and fonts on your system for the
languages in which you want to view reports using the Compliance Dashboard
and generate PDF reports.

You might need to collect audit data from systems in different countries that use
different languages. For example, an international organization might want to
collect audit data from England, Brazil, and Japan. If the appropriate fonts are
installed on the Tivoli Security Information and Event Manager Server, then Tivoli
Security Information and Event Manager can generate reports in the Compliance
Dashboard that display data in the respective languages.

For information about installing fonts, see:


v “Installing TrueType fonts.”
v “Installing language files for Asian languages on Windows 2003 systems” on
page 116.

Installing TrueType fonts


TrueType fonts must be installed on the Tivoli Security Information and Event
Manager system in order to properly display localized Compliance Dashboard PDF
reports.

Before you begin

The TrueType fonts are typically located on the installation CDs for the operating
system.

About this task

Tivoli Security Information and Event Manager can generate Compliance Dashboard
reports that contain content in multiple languages. To properly display
multilingual reports in the Web browser, the appropriate Unicode TrueType fonts
for the desired languages must be installed on the client system. To properly
generate multilingual PDF reports, the appropriate Unicode TrueType fonts for the
desired languages must be installed on the server where Tivoli Security
Information and Event Manager is installed.

For example, if your enterprise is monitoring systems that include both Japanese
and Russian languages, then both Japanese and Russian TrueType fonts must be
installed on the client system so that you can view the multilingual report in the
Compliance Dashboard using your Web browser. If you wanted to generate a PDF
of that report, then both Japanese and Russian TrueType fonts must be installed on
the server so that Tivoli Security Information and Event Manager can generate the
multilingual PDF report.

Appendix B. Configuring the web browser and system for the Tivoli Integrated Portal 115
Procedure
1. Install the TrueType fonts.
v AIX systems:
a. Install the fonts located on the AIX distribution media in package
X11.fnt.ucs.ttf (AIX and Windows Unicode TrueType Fonts).
b. Verify that the fonts were installed into one of the following directories:
– /usr/X11R6/lib/X11/fonts/TrueType, which resolves to the real path
/usr/lpp/X11/lib/X11/fonts/TrueType
– /usr/openwin/lib/X11/fonts/TrueType
– /usr/share/fonts/default/TrueType
– /usr/X11R6/lib/X11/fonts/ttf
v Linux systems:
a. Install the fonts located on the Linux operating system media.
b. Verify that the fonts were installed into one of the following directories:
– /Library/Fonts
– /System/Library/Fonts
– /usr/X11R6/lib/X11/fonts/TrueType
v Windows systems:
a. Install the fonts located on the Windows operating system media.
b. Verify that the fonts were installed into one of the following directories:
– C:/windows/fonts
– C:/winnt/fonts
– D:/windows/fonts
– D:/winnt/fonts
2. Restart the Tivoli Integrated Portal. On AIX and Linux systems, run:
/etc/rc.d/init.d/tsiem_tip_service.sh restart

What to do next

Tivoli Security Information and Event Manager can now generate multilingual PDF
reports, and the Compliance Dashboard can now display multilingual reports.

Installing language files for Asian languages on Windows 2003 systems
To generate PDF reports in East Asian languages (Chinese, Japanese, and Korean)
on Windows 2003 systems, you must install the batang.ttc font.

About this task

If the batang.ttc font is not installed, then Asian-language text cannot be
displayed in reports.

The font is installed on Windows 2008 systems by default. To install the font on
Windows 2003 systems, follow these instructions.

Procedure
1. In Windows 2003, open the Control Panel.
2. Click Regional and Language Options.
3. Click the Languages tab.

4. Select Install files for East Asian languages. Installing the Chinese, Japanese,
and Korean language files requires 230 MB of available disk space.
5. Click Apply.
6. Click OK.

Changing the system locale to support globalized domain names


If your network includes non-Unicode globalized domain names, then you must
ensure that the system locale for the Tivoli Security Information and Event
Manager system is the same as the system locale for the domain controller (DC)
system.

Before you begin

Check with your information technology (IT) department or network administrator
to find out if the default encoding on the domain controller (DC) system has been
changed from ASCII to a globalized (that is, non-Unicode) encoding. If the default
encoding has been changed, find out which encoding is being used.

About this task

If your network includes globalized domain names (that is, domain names in other
languages), then the default encoding on the domain controller system must be the
same as the encoding on the target machine (that is, the system on which Tivoli
Security Information and Event Manager is installed). If the encoding is not the
same, then the domain name might not display correctly in the Domain or
Workgroup section of the Choose Audited Machine page in the Create Machine
Wizard.

Procedure
1. In Windows, log in as Administrator.
2. Click Start.
3. Open the Control Panel.
4. Click Regional and Language Options. The Regional and Language Options
window opens.
5. Select the Advanced tab.
6. In the Language for non-Unicode programs section, select a language to match
the language version of the non-Unicode programs you want to use.
7. In the Default user account settings section, select the check box to apply these
settings to all user accounts on the Windows system.
8. Click Apply.
9. Click the X in the top right corner of the Regional and Language Options
window to exit.

What to do next

After you have changed the system locale on your system, you should update
these settings for all Tivoli Security Information and Event Manager users in the
cifusers and cifadmins groups. To do so, you must log in as each user and manually
update the settings.

Configuring the server locale for localized number formatting
The server locale controls how the Tivoli Security Information and Event Manager
web applications (such as Tivoli Integrated Portal and the Compliance Dashboard)
format numbers according to local custom.

About this task

Different countries use different formats for numbers. For example, the number
one thousand five can be written in several ways: in many European countries it
is written "1.005", whereas in North America it is written "1,005".

The way that Tivoli Security Information and Event Manager displays numbers is
controlled by the server locale on the system where Tivoli Security Information and
Event Manager is installed. The formatting is not controlled by the browser locale.
Thus, if the server locale is set to one format, but the browser locale is set to a
different format, then the Tivoli Security Information and Event Manager web
applications will display numbers based on the server locale.

Procedure

To configure the server locale:


AIX
1. Log on to the Tivoli Security Information and Event Manager server as
the root user.
2. Start SMIT.
3. Click System Management.
4. In the lower pane, select Manage language environment.
5. Click Change/Show Primary Language Environment → Change/Show
Cultural Convention, Language, or Keyboard.
6. Change the Primary CULTURAL convention, Primary LANGUAGE
translation, and Primary KEYBOARD fields to the desired values.
7. Specify the location of the AIX installation media in the INPUT
device/directory for software field, such as /mnt/dvd.
8. Click OK to apply your changes.
9. Restart the system to make your changes effective.
For information about UNIX server locales, see:

http://publib.boulder.ibm.com/infocenter/aix/v6r1/
index.jsp?topic=/com.ibm.aix.cmds/doc/aixcmds3/locale.htm
Linux
1. Log on to the Tivoli Security Information and Event Manager server as
the root user.
2. Click System → Administration → Language.
3. Select the desired language and click OK.
4. Restart the system to make your changes effective.
Windows
1. Click Start.
2. Click Control Panel.

3. Click Regional and Language Options.
4. In the Regional Options tab, go to the Standards and formats section.
Select your country from the menu.
5. Click OK.

Results

Tivoli Security Information and Event Manager uses the updated settings when
formatting numbers in web applications.

Appendix C. Account and password naming rules
During installation, the installation program creates a number of user ID and
password combinations. These user IDs and passwords must conform to certain
rules. In addition, there are rules for the names, instance names, and user accounts
for the databases that the product uses.

Rules for operating system account names and passwords

The following rules apply to operating system account names and passwords used
by Tivoli Security Information and Event Manager:
Operating system account names
v Names must begin with an alphabetic character.
v Must contain at least 3 characters but no more than 20 characters
v User names cannot contain spaces.
v On Windows systems, names can include:
– Letters in uppercase, lowercase, and mixed-case
– Letters a–z and A–Z. When used in most names, characters a through
z are converted from lowercase to uppercase.
– Numbers 0–9
– Special characters: ! % ( ) { } . - ^ ~ _ @ # $ \
v On AIX systems, names can include:
– Only letters in lowercase
– Letters a–z
– Numbers 0–9
– Special characters: ! % ( ) { } . - ^ ~ _ @ # $ \
v On Linux systems, names can include:
– Only letters in lowercase
– Letters a–z
– Special characters _ and -
v User names cannot be equal to any of the following:
– The name of any Reporting Database
– eprisedb
– aggrdb
– beat
– lmdb
– clmdb
Operating system passwords
v An operating system account password cannot include the user name.
v An operating system account password can include only the following
characters:
– Letters a–z and A–Z
– Numbers 0–9
– Special characters: % { } - ~ _ @ # $ ` * + = [ ] .

© Copyright IBM Corp. 2010 121


v An operating system account password must start with an alphabetic
character.
v There are no restrictions on the minimum and maximum number of
characters.

Rules for Windows domain account names

The following rules apply to Windows domain account names used by Tivoli
Security Information and Event Manager:
v Domain account names must begin with an alphabetic character.
v Domain account names must be specified in the following format:
<domain>\<user_name>
v Domain account names can include:
– Letters in uppercase, lowercase, and mixed-case
– Letters a–z and A–Z
– Numbers 0–9
– Special characters: ! % ( ) { } . - ^ ~ _ @ # $ \

Rules for database account names and passwords

The following rules apply to database account names and passwords used by
Tivoli Security Information and Event Manager:
Database account names
v Database account names must contain at least 3 characters.
v On Windows systems, database account names can contain up to 30
characters.
v On AIX and Linux systems, database account names can contain up to 8
characters.
v The database account names:
– Must begin with an alphabetic character.
– Cannot begin with a number or with any of the following special
characters: ! % ( ) { } - ~ _ @ # $
– Cannot be USERS, ADMINS, GUESTS, PUBLIC, LOCAL, or any SQL
reserved word.
– Cannot begin with IBM, SQL, or SYS.
– Cannot contain spaces.
– Cannot be equal to any of the following:
- The name of any Reporting Database
- eprisedb
- aggrdb
- beat
- lmdb
- clmdb
v The database account names can include only the following characters:
– Letters a–z and A–Z
– Numbers 0–9
– On Windows and AIX systems, database account names can include
the following special characters: ! % ( ) { } . - ^ ~ _ @ # $

– On Linux systems, database account names can include only the
following special characters: _ -
Database account passwords
v The database account password can include only the following
characters:
– Letters a–z and A–Z
– Numbers 0–9
– Special characters: % { } - ~ _ @ # $ ` * + = [ ] .
v The database account password must start with an alphabetic character.
v The database account password cannot include the user name.
v The password must be a minimum of 6 characters in length.
v On AIX and Linux systems, the maximum password length is 8
characters. On Windows systems, the maximum password length is 14
characters.

Note: If your Tivoli Security Information and Event Manager Enterprise Server is
running on Windows but you have one or more Standard Servers running on AIX or
Linux, specify a password no longer than 8 characters. Otherwise, the AIX and
Linux systems cannot connect to the DB2 database on the Enterprise Server.

Rules for database instances and database names

The following rules apply to database instance and database names used by Tivoli
Security Information and Event Manager:
v On Windows systems, names can be in uppercase, lowercase, and mixed-case.
v On AIX and Linux systems, names must be in lowercase.
v Names can include only the following characters:
– Letters A–Z. When used in most names, characters a through z are converted
from lowercase to uppercase.
– Numbers 0–9
– Special characters: % { } - ~ _ \
v The instance or database name cannot start with a number or any of the
following special characters: % { } - ~ _ \
v The instance or database name cannot be USERS, ADMINS, GUESTS, PUBLIC,
LOCAL, or any SQL reserved word.
v The instance or database name cannot begin with IBM, SQL, or SYS.
v Database names must be unique within the location in which they are cataloged.
On AIX and Linux implementations of the DB2 database manager, this location
is a directory path. On Windows implementations of the DB2 database manager,
the location is a logical disk.
v Databases, database aliases, and database instance names can have up to 8 bytes.
(8 bytes are not necessarily the same as eight characters. This distinction is
important for multi-byte languages such as Chinese.)
v On Windows systems, no database instance can have the same name as a service
name.
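The following Python script is an added example and is not part of the product: it encodes the rules in this appendix so that the account names, passwords, and database names you intend to give the installer can be checked before you run it. It follows the rules exactly as printed here (for example, digits are not listed as allowed in Linux account names, and only the five reserved words named on this page are built in; extend SQL_RESERVED with the full DB2 reserved-word list for your release). The platform argument is "windows", "aix", or "linux"; the reporting_dbs argument lists your Reporting Database names, which no account name may equal.

```python
"""Added example: pre-check TSIEM account, password, and database names against
the Appendix C rules. Each check_* function returns a list of rule violations;
an empty list means the value is acceptable. platform is "windows", "aix", or
"linux"; reporting_dbs lists your Reporting Database names."""
LETTERS = "abcdefghijklmnopqrstuvwxyz"
ALPHA = LETTERS + LETTERS.upper()
DIGITS = "0123456789"
OS_NAME_SPECIALS = "!%(){}.-^~_@#$\\"
DB_NAME_SPECIALS = "!%(){}.-^~_@#$"
PASSWORD_SPECIALS = "%{}-~_@#$`*+=[]."
INSTANCE_SPECIALS = "%{}-~_\\"
# Names of the product's own databases: no account name may equal one of them.
PRODUCT_DB_NAMES = {"eprisedb", "aggrdb", "beat", "lmdb", "clmdb"}
# Reserved words named on the page; extend with the full DB2 SQL reserved list.
SQL_RESERVED = {"USERS", "ADMINS", "GUESTS", "PUBLIC", "LOCAL"}
RESERVED_PREFIXES = ("IBM", "SQL", "SYS")


def _failed(rules):
    """Messages of the (condition, message) pairs whose condition holds."""
    return [message for failed, message in rules if failed]


def _bad_chars(value, allowed, ignore=""):
    """Characters of value outside the allowed set, as a sorted string."""
    return "".join(sorted(set(value) - set(allowed) - set(ignore)))


def _reserved_word_problems(name):
    upper = name.upper()  # DB2 folds names to uppercase, so compare that way
    return _failed([(upper in SQL_RESERVED, "is a reserved word"),
                    (upper.startswith(RESERVED_PREFIXES),
                     "cannot begin with IBM, SQL, or SYS")])


def _name_collision_problems(name, reporting_dbs):
    taken = PRODUCT_DB_NAMES | {db.lower() for db in reporting_dbs}
    return _failed([(name.lower() in taken, "equals the name of a product database")])


def check_os_account_name(name, platform, reporting_dbs=()):
    """Operating system account name rules."""
    allowed = {"windows": ALPHA + DIGITS + OS_NAME_SPECIALS,
               "aix": LETTERS + DIGITS + OS_NAME_SPECIALS,
               "linux": LETTERS + "_-"}[platform]  # the page lists no digits for Linux
    bad = _bad_chars(name, allowed, ignore=" ")
    return _failed([
        (not name or name[0] not in ALPHA, "must begin with an alphabetic character"),
        (not 3 <= len(name) <= 20, "must be 3 to 20 characters"),
        (" " in name, "cannot contain spaces"),
        (bad, "characters not allowed on %s: %s" % (platform, bad)),
    ]) + _name_collision_problems(name, reporting_dbs)


def _check_password(password, user_name, min_len=0, max_len=None):
    bad = _bad_chars(password, ALPHA + DIGITS + PASSWORD_SPECIALS)
    return _failed([
        (not password or password[0] not in ALPHA,
         "must start with an alphabetic character"),
        (bad, "characters not allowed: %s" % bad),
        (user_name and user_name.lower() in password.lower(),
         "cannot include the user name"),
        (len(password) < min_len, "must be at least %d characters" % min_len),
        (max_len is not None and len(password) > max_len,
         "must be at most %s characters" % max_len),
    ])


def check_os_password(password, user_name):
    """Operating system password rules; the page sets no length limits."""
    return _check_password(password, user_name)


def check_db_password(password, user_name, platform, unix_standard_servers=False):
    """Database password rules. The 8-character limit also applies to a Windows
    Enterprise Server that has Standard Servers on AIX or Linux."""
    max_len = 8 if platform != "windows" or unix_standard_servers else 14
    return _check_password(password, user_name, min_len=6, max_len=max_len)


def check_db_account_name(name, platform, reporting_dbs=()):
    """Database account name rules."""
    max_len = 30 if platform == "windows" else 8
    specials = "_-" if platform == "linux" else DB_NAME_SPECIALS
    bad = _bad_chars(name, ALPHA + DIGITS + specials, ignore=" ")
    return _failed([
        (not name or name[0] not in ALPHA, "must begin with an alphabetic character"),
        (not 3 <= len(name) <= max_len,
         "must be 3 to %d characters on %s" % (max_len, platform)),
        (" " in name, "cannot contain spaces"),
        (bad, "characters not allowed on %s: %s" % (platform, bad)),
    ]) + _reserved_word_problems(name) + _name_collision_problems(name, reporting_dbs)


def check_db_instance_name(name, platform):
    """Database instance and database name rules (limit is 8 bytes, not 8 chars)."""
    bad = _bad_chars(name, ALPHA + DIGITS + INSTANCE_SPECIALS)
    return _failed([
        (not name or name[0] in DIGITS + INSTANCE_SPECIALS,
         "cannot start with a number or a special character"),
        (len(name.encode("utf-8")) > 8, "must be at most 8 bytes"),
        (platform != "windows" and name != name.lower(),
         "must be lowercase on AIX and Linux"),
        (bad, "characters not allowed: %s" % bad),
    ]) + _reserved_word_problems(name)
```

Run the checks for every account and database name in your installation response file before you start the installer; a non-empty list explains which rule the value breaks. Note that the byte-length check for instance names deliberately encodes the name as UTF-8, because the page states the limit in bytes rather than characters.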

Appendix D. Installation Paths
Installation paths are listed for the product on each operating system, and for the
components.

Product installation paths

By default, the product is installed in the following locations:


On AIX systems:
/opt/IBM/tsiem
On Linux systems:
/opt/ibm/tsiem
On Windows systems:
C:\IBM\TSIEM

The TSIEM_HOME environment variable is set to the installation location.

Component installation paths

Components are installed in the following directories:


SIM components
AIX or Linux
$TSIEM_HOME/sim
Windows
%TSIEM_HOME%\sim
Java Runtime Environment (JRE)
AIX or Linux
$TSIEM_HOME/jre
Windows
%TSIEM_HOME%\jre
Tivoli Integrated Portal
AIX or Linux
$TSIEM_HOME/tip
Windows
%TSIEM_HOME%\tip
Tivoli Directory Server (for the Security Server) or Tivoli Directory Server client
(for a Grouped Server)
AIX or Linux
$TSIEM_HOME/ldap
Windows
%TSIEM_HOME%\ldap
DB2 Server for Tivoli Directory Server
AIX or Linux
$TSIEM_HOME/db2-ldap

Windows
%TSIEM_HOME%\db2-ldap
DB2 Server for SIM
AIX or Linux
$TSIEM_HOME/db2
Windows
%TSIEM_HOME%\db2

Appendix E. Limits
There are limits in Tivoli Security Information and Event Manager. For example,
there are limits on the amounts of data that can be processed and the number of
Standard Servers in a Tivoli Security Information and Event Manager Cluster.

Table 4 shows some known limits in Tivoli Security Information and Event
Manager.
Table 4. Tivoli Security Information and Event Manager limits
v Maximum number of Standard Servers in one Tivoli Security Information and
Event Manager Cluster: 3
v Maximum number of event sources that can be added to one Tivoli Security
Information and Event Manager Cluster Server: 5,000
v Maximum number of processes that can be loaded in parallel on a
two-processor core: 1
v Maximum amount of uncompressed original data in the depot processed daily
(mapping, loading, and aggregation): 60 GB
v Maximum amount of uncompressed original data in the depot processed per
minute by Tivoli Common Reporting reports: 40 MB
v Maximum number of messages that can be collected in real time per second
(syslog, SNMP, and so on): 30,000
v Maximum number of real-time event sources per server with * as the source
address: 10

Appendix F. Using DR550 with Tivoli Security Information and
Event Manager
You can use IBM System Storage DR550 (DR550) for storing the Tivoli Security
Information and Event Manager Log Management Depot after you perform some
initial setup.

Before you start working with a DR550 shared drive, you must make the drive
available to Tivoli Security Information and Event Manager. See “Mounting the
DR550 drive on AIX and Linux systems using CIFS” and “Mounting the DR550
drive on Windows systems” on page 130.

You can then manage the Log Management Depot using the DR550 shared drive.
See “Moving data between the DR550 drive and the Log Management Depot” on
page 132.

Mounting the DR550 drive on AIX and Linux systems using CIFS
A DR550 drive can be accessed through either NFS or CIFS. These instructions
explain how to access the drive from an AIX system or a Linux system using CIFS.

Before you begin

Be sure that the "write once read many" policy is not enabled on the DR550 drive.

Note: On AIX systems, the runtime for SMBFS must be installed. The SMBFS
runtime is found in the bos.cifs_fs fileset (bos.cifs_fs.rte).

About this task

Tivoli Security Information and Event Manager uses several user accounts to access
the Tivoli Integrated Portal, Reporting Databases, and the Tivoli Directory Server.
The DR550 drive by default will assign a UID and GID of 0 to files in the mount
point. Tivoli Security Information and Event Manager by default runs under the
cifadmin user and cifusers group. In order for Tivoli Security Information and
Event Manager to read and write to the DR550, it must be mounted using the UID
and GID of the cifadmin user and cifusers group.

Procedure
1. Log in to the Tivoli Security Information and Event Manager system as the root user.
2. Create a mount point.
For example:
$ mkdir /dr550mount
3. Mount the DR550 drive.
v On AIX, use the mkcifsmnt command.
The syntax for the mkcifsmnt command is:
mkcifsmnt -f MountPoint -d RemoteShare -h RemoteHost
-c user [-p password] [-m MountTypeName] [-A|-a] [-I|-B|-N]
[-t {rw|ro}] [-u uid] [-g gid] [-x fmode] [-w wrkgrp]
For example:

$ mkcifsmnt -f /dr550mount -d /dr550test -h redoubt.example.com -c dr550test -p dr550pwd -A -u 206 -g 205
v On Linux, use the mount.cifs command.
The syntax for the mount.cifs command is:
mount.cifs {service} {mount_point} [-o options]
For example:
$ mount.cifs //redoubt.example.com/dr550test /dr550mount -o user=dr550test,password=dr550test,uid=504,gid=504
The UID and GID values in these examples (206 and 205, or 504 and 504) must be
replaced with the numeric IDs of the cifadmin user and cifusers group on your
server; the id cifadmin command shows them. A password given on the command
line, as in these examples, is visible to other users in the process list and is
recorded in the shell history. On Linux, you can instead place the user name and
password in a file that is readable only by root and pass it to mount.cifs with the
credentials=file option.
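The following Python script is an added example, not product code, of the Linux mount step with two changes a practitioner would make: it looks up the UID and GID of cifadmin and cifusers on the server instead of hard-coding numbers, and it keeps the DR550 password in a credentials file with mode 0600 rather than on the mount.cifs command line (credentials= is a standard mount.cifs option). The host name, share name, and credentials file path are example values, and the script must run as root to perform the mount.

```python
"""Added example: mount a DR550 CIFS share on Linux for TSIEM, using the
UID/GID of the cifadmin user and cifusers group looked up on this host and a
root-only credentials file instead of a password on the command line."""
import grp
import os
import pwd
import stat
import subprocess


def lookup_ids(user="cifadmin", group="cifusers"):
    """Return (uid, gid) of the account and group the SIM server runs under."""
    return pwd.getpwnam(user).pw_uid, grp.getgrnam(group).gr_gid


def write_credentials_file(path, username, password, domain=None):
    """Write a mount.cifs credentials file with mode 0600 and return its path."""
    lines = ["username=%s" % username, "password=%s" % password]
    if domain:
        lines.append("domain=%s" % domain)
    # Create with a restrictive mode before writing any content; the chmod
    # covers a pre-existing file that was created with a looser mode.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as handle:
        handle.write("\n".join(lines) + "\n")
    os.chmod(path, 0o600)
    return path


def credentials_file_is_private(path):
    """True if no group or other permission bits are set on the file."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o077 == 0


def build_mount_command(host, share, mount_point, credentials_path, uid, gid):
    """Build the mount.cifs argument list; the password stays in the file."""
    options = "credentials=%s,uid=%d,gid=%d" % (credentials_path, uid, gid)
    return ["mount.cifs", "//%s/%s" % (host, share), mount_point, "-o", options]


def mount_dr550(host, share, mount_point, credentials_path,
                user="cifadmin", group="cifusers", run=subprocess.run):
    """Create the mount point if needed and mount the share as the TSIEM user.

    Refuses to use a credentials file that other local users can read."""
    if not credentials_file_is_private(credentials_path):
        raise PermissionError("%s must be readable only by its owner" % credentials_path)
    uid, gid = lookup_ids(user, group)
    os.makedirs(mount_point, exist_ok=True)
    command = build_mount_command(host, share, mount_point, credentials_path, uid, gid)
    return run(command, check=True)


if __name__ == "__main__":
    # Run as root. Host, share, and credentials path are example values.
    cred = write_credentials_file("/root/.dr550.cred", "dr550test", "dr550pwd")
    mount_dr550("redoubt.example.com", "dr550test", "/dr550mount", cred)
```

Because the credentials file, not the command line, carries the password, the mount can also be placed in /etc/fstab with the same credentials= option without exposing the password to every user who can list processes or read shell history files.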

What to do next
You can now export the data from the depot to the DR550 or relocate the depot to
the DR550 using the mount point.

Mounting the DR550 drive on Windows systems


On Windows systems, there are two ways that you can use to mount the drive.

Use one of the following methods:


v Mount the DR550 shared drive, specifying an existing DR550 user that is
separate from the Tivoli Security Information and Event Manager users. See
“Using separate user accounts on the DR550 and Tivoli Security Information and
Event Manager.”
v Create on the DR550 the same operating system user ID that Tivoli Security
Information and Event Manager uses and mount the DR550 drive as a common
drive. See “Creating the same user on the DR550 and Tivoli Security Information
and Event Manager systems” on page 131.

Using separate user accounts on the DR550 and Tivoli Security Information and Event Manager
When you use DR550 storage for the Tivoli Security Information and Event
Manager depot, you can use separate user accounts on the DR550 system and the
Tivoli Security Information and Event Manager system.

Before you begin

Be sure that the "write once read many" policy is not enabled on the DR550.

About this task

Tivoli Security Information and Event Manager uses several user accounts to access
the Tivoli Integrated Portal, databases, and Tivoli Directory Server. The DR550 also
uses different user accounts to access the file system. If you use DR550 storage for
the Tivoli Security Information and Event Manager depot, the account used by the
Tivoli Security Information and Event Manager service must have access rights to
store files on the DR550. For convenience, you can make the Tivoli Security
Information and Event Manager and DR550 accounts independent of each other.
You can then run the Tivoli Security Information and Event Manager service with
the user account it normally uses and still access the DR550, while the Tivoli
Security Information and Event Manager account has no rights on the DR550. Use
the following steps to create this setup.

Procedure
1. Create a network drive, using the following command on the Tivoli Security
Information and Event Manager system:
net use drive_letter: \\computer_name\path_to_dr550_drive password /user:user_name

where
v \\computer_name\path_to_dr550_drive is the path to the DR550 shared network
drive.
v user_name and password are the DR550 user account credentials to access the
shared DR550 drive.
2. Make this network drive permanent:
a. Create a batch file that contains the net use command shown in step 1.
Because the batch file contains the DR550 password in clear text, restrict
its permissions so that only the SYSTEM account and administrators can
read it.
b. Create a Windows scheduler task to run the batch file as the Windows
SYSTEM account each time the computer starts. Schedule a short delay of
about 5 to 10 seconds before the task runs.
After the computer restarts, the network drive is available to Tivoli
Security Information and Event Manager.

What to do next

After you mount the DR550 drive, you can export the data from the depot to the
DR550 or relocate the depot to the DR550 using the network drive that you
created.

Creating the same user on the DR550 and Tivoli Security Information and Event Manager systems
When you use DR550 storage for the Tivoli Security Information and Event
Manager depot, you can create identical user accounts on the Tivoli Security
Information and Event Manager and DR550 systems.

Before you begin

Be sure that the Write Once Read Many (WORM) policy is not enabled on the
DR550.

About this task

Tivoli Security Information and Event Manager uses several user accounts to access
the Tivoli Integrated Portal, databases, and Tivoli Directory Server. The DR550 also
uses different user accounts to access the file system. If you use DR550 storage for
the Tivoli Security Information and Event Manager Log Management Depot data,
the account used by the Tivoli Security Information and Event Manager service
must have access rights to store files on the DR550. You can create a user ID on the
DR550 system with the same user name and password as an account used by
Tivoli Security Information and Event Manager.

Procedure
1. Choose a user ID on the Tivoli Security Information and Event Manager that
can access the Tivoli Integrated Portal (for example, cifadmin).
2. On the DR550 system, create an operating system user ID with the same user
name and password.

3. Access the DR550 shared drive from the Tivoli Security Information and Event
Manager system. Because the user ID and password match, you can refer to the
share directly by its UNC path as a common drive (for example,
\\192.168.236.22\test\export\).

What to do next

You can now export the data from the depot to the DR550 or relocate the depot to
the DR550 using the network drive that you created.

Managing Log Management Depot data with a DR550 drive


After you make the shared DR550 drive available to Tivoli Security Information
and Event Manager, you can move Log Management Depot data between the two
systems.

You can use one of the following methods:


Export and import the data from the depot to the DR550 shared drive
If the Log Management Depot is not actually on the DR550 shared drive,
you must export the Log Management Depot data periodically to keep the
data up to date on the DR550, and then import the data back to the Log
Management Depot on the Tivoli Security Information and Event Manager
system. See “Moving data between the DR550 drive and the Log
Management Depot.”
Relocate the depot itself to DR550 shared drive
In this case, Tivoli Security Information and Event Manager writes
collected chunks directly to the DR550. See “Relocating the Log
Management Depot to the DR550 shared drive on Windows” on page 134.

Moving data between the DR550 drive and the Log Management Depot
If the Log Management Depot itself is not on the DR550 shared drive, you must
move the Log Management Depot data between the DR550 drive and the Log
Management Depot on the Tivoli Security Information and Event Manager system.

You must export and import the Log Management Depot data.
v To export data, see “Exporting data from the Log Management Depot to the
DR550 drive.”
v To import data, see “Importing data from the DR550 drive to the Log
Management Depot” on page 133.

Exporting data from the Log Management Depot to the DR550 drive
If you do not store the Log Management Depot on the DR550 system, you must
export the data to the DR550 system periodically.

Before you begin

Before you export data:


v Be sure that you have mounted the DR550 drive.
v Be sure that you have configured a DR550 user with DR550 write/read
permission for mounting the network drive or for direct access to the network
share.

v See the information about archiving audit data in the IBM Tivoli Security
Information and Event Manager Administrators Guide.

About this task

You can store Log Management Depot data on the DR550 shared drive by using
the Tivoli Integrated Portal.

Procedure
1. Log on to Tivoli Security Information and Event Manager.
2. In the Tivoli Integrated Portal navigation panel, expand the Tivoli Security
Information and Event Manager topic.
3. Expand the Configuration and Management topic.
4. Expand the Archive Tools topic.
5. Click Export Audit Data. The Export Audit Data page opens.
6. Complete all required fields to set up a schedule for exporting data to the
DR550. In the Export logs to path on Server field, type the path to the shared
DR550 drive. The following paths are examples of the path you might type in
this field:
v On AIX and Linux systems:
– /dr550mount/coalbrook
v On Windows systems:
– \\192.168.236.22\test\export\ if you created a DR550 user ID that is
identical to the user ID on the Tivoli Security Information and Event
Manager system.
– z:\depot\ if you mounted the DR550 drive specifying a DR550 user.
7. Click OK to begin exporting the data.

Note: Exporting moves the logs rather than copying them; the original logs are
removed from the depot.


8. When the export is complete, check the export results. Be sure that a folder
with the current date as its name is present.

What to do next

You can later import the data from the DR550 drive back to the Log Management
Depot.

Importing data from the DR550 drive to the Log Management Depot
If you do not store the Log Management Depot on the DR550 system, you must
import data that you have exported to the DR550 system back to the Log
Management Depot.

Before you begin

Before you import data:


v Be sure that you have mounted the DR550 drive.
v Be sure that you have configured a DR550 user with DR550 write/read
permission for mounting the network drive or for direct access to the network
share.
v Be sure that you have exported Log Management Depot to the DR550 shared
drive.

v See the information about archiving audit data in the IBM Tivoli Security
Information and Event Manager Administrators Guide.

About this task

After you store Log Management Depot data on the DR550 shared drive, you can
use the Tivoli Integrated Portal to import the data.

Procedure
1. Log on to Tivoli Security Information and Event Manager.
2. In the Tivoli Integrated Portal navigation panel, expand the Tivoli Security
Information and Event Manager topic.
3. Expand the Configuration and Management topic.
4. Expand the Archive Tools topic.
5. Click Import Audit Data. The Import Audit Data page opens.
6. In the User ID and Password fields, type the user ID and password of the user
that you configured with DR550 write/read permission.
v On AIX and Linux systems:
– Type the user ID and password of the Tivoli Integrated Portal user. The
default user ID is cifowner.
v On Windows systems:
– Type the user ID and password of the user you configured with DR550
write/read permission.
7. In the Import logs from path on Server field, type the path to the shared
DR550 drive. The following paths are examples of the path you might type in
this field:
v On AIX and Linux systems:
– /dr550mount/coalbrook/20100818
v On Windows systems:
– \\192.168.236.22\test\export\ if you created a DR550 user ID that is
identical to the user ID on the Tivoli Security Information and Event
Manager system.
– z:\depot\ if you mounted the DR550 drive specifying a DR550 user.
8. Click OK to begin importing the data.

Results

When the import completes successfully, the log information has been restored to
the depot.

What to do next

No further action is required.

Relocating the Log Management Depot to the DR550 shared drive on Windows
If you did not specify the path to the depot as a DR550 drive during Tivoli
Security Information and Event Manager installation, you can relocate the depot to
a DR550 drive after installation.

Before you begin

Be sure that you have mounted the DR550 drive.

About this task

This task is needed only if you specified a non-DR550 drive as the location for the
depot during installation, and you want to move the depot to a DR550 shared
drive.

Procedure
1. Create a folder named install in the %TSIEM_HOME%\sim\server folder.
2. Copy the following files to the folder you created:
v db2asc.exe
v asc2db.exe
These files are originally located in the %TSIEM_HOME%\sim\server\bin folder.
3. Open a Command Prompt window and go to the install folder you created.
4. Type cd ..\run and press the Enter key.
5. Type ..\install\db2asc.exe blrec ..\install\blrec.asc and press the Enter
key.
6. Open the blrec.asc file in the install folder with a text editor.
7. Change the depot path in the blrec.asc file in the line containing the string
Chunklog Depot Path. For example:
((string)"Chunklog Depot Path") = (((objval) ((string) "\\192.168.236.22\test\depot\*")))
8. Save the blrec.asc file.
9. Return to the command window.
10. Type ..\install\asc2db.exe blrec ..\install\blrec.asc and press the Enter
key.
11. Restart the IBM TSIEM - SIM Server service.
All collected chunks will now be written to the DR550 shared drive.
12. On the Enterprise Server, modify the depot location in the
%TSIEM_HOME%\sim\consolidation\ini\beat.ini file to reflect the new location
of the depot.
13. On the Enterprise Server, restart the appropriate indexer process.

What to do next

No further action is required.

Relocating the Log Management Depot to the DR550 shared drive on AIX and Linux
This section provides instructions for moving the Log Management Depot to a
DR550 shared drive on AIX and Linux systems.

Before you begin

Be sure that you have mounted the DR550 drive.

About this task

This task is needed only if you specified a non-DR550 drive as the location for the
depot during installation, and you want to move the depot to a DR550 shared
drive.

Procedure
1. Login to the Tivoli Security Information and Event Manager system as the
cifadmin user.
2. Create a new directory named install using the following command:
$ mkdir $TSIEM_HOME/sim/server/install
3. Copy the db2asc and asc2db programs to the directory that you just created:
$ cd $TSIEM_HOME/sim/server/install
$ cp ../bin/db2asc .
$ cp ../bin/asc2db .
4. Run the db2asc command to dump the configuration information to a file:
$ cd $TSIEM_HOME/sim/server/run
$ ../install/db2asc blrec ../install/blrec.asc
5. Edit the blrec.asc file to change the location of the depot to a directory on the
DR550. Change the line containing the Chunklog Depot Path:
$ cd $TSIEM_HOME/sim/server/install
$ vi blrec.asc

For example:
((string) "Chunklog Depot Path") = (((objval) ((string) "/dr550mount/coalbrookdepot/")))
6. Run the asc2db command to update the configuration information:
$ cd $TSIEM_HOME/sim/server/run
$ ../install/asc2db blrec ../install/blrec.asc
7. Login to the Tivoli Security Information and Event Manager system as the root
user and restart the SIM server:
$ cd /etc/rc.d/init.d
$ ./tsiem_sim_service.sh stop
$ ./tsiem_sim_service.sh start
8. On the Enterprise Server, modify the depot location in the beat.ini file to
show the new location of the depot and then restart the appropriate indexer
process.
$ cd $TSIEM_HOME/sim/consolidation/ini
$ vi beat.ini
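Both relocation procedures above (Windows and AIX/Linux) come down to rewriting the one "Chunklog Depot Path" line in the blrec.asc dump and loading it back. The shell functions below are an added example, not IBM's tooling: they do that rewrite with a backup and a check that the key occurs exactly once, and relocate_depot wraps the AIX/Linux flow assuming $TSIEM_HOME is set and db2asc and asc2db are in $TSIEM_HOME/sim/server/bin as stated above.

```shell
#!/bin/sh
# Added example (not IBM's code): rewrite the "Chunklog Depot Path" entry in a
# blrec.asc dump the way the Windows and AIX/Linux procedures do by hand, with
# a backup copy and a sanity check on the file. Sample paths are constructed.

# Print the depot path currently recorded in FILE. Fails (exit 1) unless the
# "Chunklog Depot Path" key appears exactly once, so a damaged dump is not edited.
blrec_get_depot() {
    _file="$1"
    _n=$(grep -c 'Chunklog Depot Path' "$_file" || true)
    [ "$_n" -eq 1 ] || return 1
    # The value is the last quoted string on the line, for example
    # ((string)"Chunklog Depot Path") = (((objval) ((string) "/opt/IBM/TSIEM/Depot/")))
    grep 'Chunklog Depot Path' "$_file" | sed 's/.*((string) *"\([^"]*\)").*/\1/'
}

# Replace the depot path in FILE with NEW_PATH, keeping FILE.bak.
# Works for POSIX paths and for Windows UNC paths such as \\host\share\depot\*.
blrec_set_depot() {
    _file="$1"; _new="$2"
    blrec_get_depot "$_file" >/dev/null || {
        echo "blrec_set_depot: expected exactly one 'Chunklog Depot Path' entry in $_file" >&2
        return 1
    }
    cp "$_file" "$_file.bak" || return 1
    # Escape the characters that are special in a sed replacement (& \ and the # delimiter).
    _esc=$(printf '%s' "$_new" | sed 's/[&#\\]/\\&/g')
    sed "s#^\(.*Chunklog Depot Path.*((string) *\"\)[^\"]*\(\".*\)\$#\1${_esc}\2#" "$_file" \
        > "$_file.tmp" && mv "$_file.tmp" "$_file"
}

# Whole AIX/Linux relocation: dump the configuration, rewrite it, load it back.
# Assumes $TSIEM_HOME is set and that this runs as cifadmin; the SIM server must
# still be restarted afterwards as in step 7 above.
relocate_depot() {
    _new="$1"; _srv="$TSIEM_HOME/sim/server"
    # Refuse a target that is not a mounted, writable directory, which is what
    # the "Before you begin" step asks the operator to verify.
    [ -d "$_new" ] && [ -w "$_new" ] || {
        echo "relocate_depot: $_new is not a writable directory (DR550 drive mounted?)" >&2
        return 1
    }
    mkdir -p "$_srv/install" || return 1
    ( cd "$_srv/run" && ../bin/db2asc blrec ../install/blrec.asc ) || return 1
    blrec_set_depot "$_srv/install/blrec.asc" "$_new" || return 1
    ( cd "$_srv/run" && ../bin/asc2db blrec ../install/blrec.asc )
}
```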

What to do next

No further action is required.

Appendix G. Installing Fast Connect
This section explains how to install the Fast Connect server and Fast Connect client
on AIX systems.

Installing AIX Fast Connect Server

Before you begin

Obtain a copy of AIX Fast Connect 3.2x. You can download a demo copy of Fast
Connect for AIX 5.x, from:

https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=aixbp&lang=en_US

To access the download pack programs, you must register and log in to the IBM
website.

You also can order a Fast Connect server CD from the website. The description of
the CD for AIX 6.1 is: CD 5765-E72 - Fast Connect V3.2.1 for AIX (10/2009)
LCD4-1069-06.

About this task

If you downloaded a copy of Fast Connect in the tar.Z format, install it using the
following procedure.

If you ordered the Fast Connect CD, install it using the instructions on the CD.

Procedure
1. Run mkdir /tmp/cifs.
2. Run cp cifs.tar.Z /tmp/cifs.
3. Run cd /tmp/cifs.
4. Run uncompress cifs.tar.Z.
5. Run tar -xvf cifs.tar.
6. Run inutoc installp/ppc.
7. Run cd installp/ppc.
8. Run smitty to install or use the installp command.

What to do next

After you have installed the Fast Connect Server, install the Fast Connect Client.

Installing AIX Fast Connect client

Install the Fast Connect client, which enables you to mount Samba/Windows
shares locally on the AIX system.

© Copyright IBM Corp. 2010 137


Before you begin

Ensure that you have the AIX operating system installation media. A copy of Fast
Connect for AIX is available on the AIX installation CDs.

Procedure
1. Mount the AIX CD using SMIT or the command line.
2. Install the Fast Connect client using either method:
• Using SMIT: Use smitty to install the bos.cif_fs package.
• Using command line: Run the installp -acgXY bos.cif_fs command.

Appendix H. Sharing and mounting remote depots
Before you register a Standard Server with the Enterprise Server, you must ensure
that the depot on the Standard Server can be accessed by the Enterprise Server.

When adding a Standard Server to a cluster, you must share the depot folder so
that it is accessible to the indexer and searcher processes on the Enterprise Server.

To share the depot of an AIX or Linux Standard Server with a Windows Enterprise
Server, you must use the CIFS protocol.

On Linux systems, you can share the depot folder by creating a Samba share. See
“Sharing the depot using Samba on Linux systems” on page 140. On AIX systems,
you can share the depot folder by creating a Fast Connect share. See “Sharing the
depot using Fast Connect on AIX systems” on page 141.

Note: The increased security provided by Windows Server 2008 requires that
network communications be performed using NTLM protocol 2, or later, by
default. To interoperate with AIX and Linux systems in a cluster, you might need
to adjust the network security settings on the Windows server.

If the security settings are not restricted by group policy:

1. Open the Security Policy Editor, secpol.msc.
2. Click Security Settings → Local Policies → Security Options.
3. Locate Network security: LAN Manager authentication level in the list and
open it. In the Local Security Setting tab, set the level to Send LM & NTLM
responses.

If the security settings are governed by group policy:

1. Open the Group Policy Management Console, gpmc.msc.
2. Click Computer Configuration → Policies → Windows Settings → Security
Settings → Local Policies → Security Options.
3. Locate Network security: LAN Manager authentication level in the list and
open it. In the Local Security Setting tab, set the level to Send LM & NTLM
responses.

User credentials
There are two ways to be sure that the user on the Enterprise Server is authorized
to access the depot on the Standard Server.
• The Enterprise Server and the Standard Server can be members of one domain
(use the same user storage). For best results in this case, the indexer and
searcher processes must run under the same domain user. Samba on Linux or
Fast Connect on AIX can use domain user authentication (ADS or Domain for
Samba, LDAP for Fast Connect user authentication mode).
• The indexer and searcher processes on the Enterprise Server can be authorized
to access a folder that was shared using Samba on Linux or Fast Connect on
AIX. In this case, these processes must run as the operating system user under
which the Standard Server runs. By default this user is cifadmin. Otherwise you
must create a Samba or Fast Connect user with the same credentials as the
Enterprise Server cifadmin user has. The new Samba or Fast Connect user is set
up to have a logical relationship between the Enterprise Server user and the
Standard Server user. (For both users, cifadmin is the default user name.)

Note:
• If the Enterprise Server runs on a Windows system, the Samba or Fast Connect
user must have the same credentials as the Enterprise Server user has. These
credentials are important because the indexer and searcher processes access the
share with exactly these credentials.
• For Fast Connect, it is always necessary to create a Fast Connect user and map it
to the AIX user (cifadmin by default).

Sharing the depot using Samba on Linux systems

If the Enterprise Server is on a Windows system and the Standard Server is on a
Linux system, you can use Samba to make the depot on the Standard Server
accessible to the Enterprise Server.

Before you begin

The Samba configuration is stored in the /etc/samba/smb.conf file. You must be
logged in as root to edit this file.

About this task

The Samba software rereads configuration changes every minute. For best results,
edit a copy of the smb.conf file. Then replace the /etc/samba/smb.conf file with the
copy when you have finished making all the changes.

Procedure
1. Choose a user authentication mode such as ADS, Domain, Server, or USER. You
can use ADS, Domain, or Server if the Enterprise Server and Standard Servers
use the same user storage (are members of one domain). If the servers do not
use the same storage, you must use the USER authentication mode. To set the
authentication mode, add the following line to the [global] section of the
smb.conf file:
security = USER
2. If you are using the Samba USER authentication mode, be sure that password
encryption is on. (Windows NT 4.0 and higher operating systems encrypt SMB
passwords.) Add the following lines to the /etc/samba/smb.conf file:
encrypt passwords = yes
smb passwd file = /etc/samba/smbpasswd
3. If you are using USER authentication mode or if the servers are not in one
domain, add a Samba user. Map this user to the operating system account
under which Tivoli Security Information and Event Manager runs by modifying
the smbusers file. By default, the user is cifadmin. You can use either the
command line or the Samba Server Configuration tool to update the smbusers
file and add a password for the new user.
The new user must have the same credentials as the Windows Enterprise
Server user (cifadmin by default); that is, smb_username = windows_username =
cifadmin.
• If you are using the command line:
The smbusers file has the following format:
smb_username = windows_username
Add a password for the Samba user, using the following command:
smbpasswd -a cifadmin
• If you are using the Samba Server Configuration tool:
a. Start the tool.
b. Select Preferences -> Samba Users and click Add User.
c. Complete the fields in the Create New Samba User window.
4. Share the depot on the Standard Server.
• To use the command line, add the new share definition to the appropriate
section of the /etc/samba/smb.conf file. In this example, the share is named
depot.
[depot]
comment = any comment; for example, "Tivoli Security Information and Event Manager depot"
path = path to the depot folder
valid users = cifadmin (cifadmin domain user or the samba user added)
public = no
writable = no
• You can also use the Samba Server Configuration tool:
a. Start the tool.
b. Click Add.
c. Complete the fields in the Edit Samba Share window.
5. Restart the Samba service:
service smb restart
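Because Samba rereads smb.conf on its own, a share stanza that drifts from the definition above (guest access on, writable, no valid users) exposes the depot to every Samba user. The checker below is an added example, not part of the IBM guide: smb_get reads one key from one section the way Samba resolves it (last definition wins), and check_depot_share reports each setting that is looser than the [depot] definition in step 4 and the USER-mode requirement in step 2; the configurations in the test are constructed.

```shell
#!/bin/sh
# Added example, not from the IBM guide: check that the smb.conf depot share
# keeps the restrictive settings shown in the procedure above.

# Print the value of KEY in [SECTION] of an smb.conf file (last definition wins,
# as in Samba); exit 1 when the key is not set in that section.
# Usage: smb_get FILE SECTION KEY
smb_get() {
    awk -v sec="$2" -v key="$3" '
        /^[ \t]*\[/ {
            s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s)
            insec = (tolower(s) == tolower(sec)); next
        }
        insec && !/^[ \t]*[#;]/ && !/^[ \t]*$/ {
            eq = index($0, "="); if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == tolower(key)) { val = v; found = 1 }
        }
        END { if (found) print val; exit !found }' "$1"
}

# Lower-case helper so "USER", "Yes" and friends compare cleanly.
lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# Report settings in [SHARE] of FILE that are looser than the depot share
# definition above. Prints one line per finding; returns 1 if there are any.
# Usage: check_depot_share FILE SHARE
check_depot_share() {
    _conf="$1"; _share="$2"; _bad=0

    # Step 2: USER mode needs encrypted passwords, since Windows only sends those.
    if [ "$(lc "$(smb_get "$_conf" global security)")" = "user" ] &&
       [ "$(lc "$(smb_get "$_conf" global 'encrypt passwords')")" != "yes" ]; then
        echo "[global]: 'encrypt passwords = yes' is required with security = USER"; _bad=1
    fi

    smb_get "$_conf" "$_share" path >/dev/null ||
        { echo "[$_share]: share is not defined or has no path"; _bad=1; }

    # Without "valid users" every Samba user the server accepts can open the share.
    [ -n "$(smb_get "$_conf" "$_share" 'valid users')" ] ||
        { echo "[$_share]: 'valid users' is not set; share is open to every Samba user"; _bad=1; }

    # "public" is a synonym for "guest ok"; either one set to yes allows guest access.
    _guest=$(lc "$(smb_get "$_conf" "$_share" 'guest ok')$(smb_get "$_conf" "$_share" public)")
    case "$_guest" in
        *yes*) echo "[$_share]: guest access is enabled"; _bad=1 ;;
    esac

    # "writable = yes", "writeable = yes" or "read only = no" all make the share writable;
    # the indexer and searcher processes only need to read the depot.
    _w=$(lc "$(smb_get "$_conf" "$_share" writable)$(smb_get "$_conf" "$_share" writeable)")
    _ro=$(lc "$(smb_get "$_conf" "$_share" 'read only')")
    case "$_w:$_ro" in
        *yes*|*:no) echo "[$_share]: share is writable; the depot only needs to be read"; _bad=1 ;;
    esac

    return $_bad
}
```

Run it as root after editing the copy of smb.conf and before replacing the live file, so that a loosened share never reaches the running server.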

What to do next

Register the Standard Server with the Enterprise Server.

Sharing the depot using Fast Connect on AIX systems

If the Enterprise Server is on a Windows system and the Standard Server is on an
AIX system, you can use Fast Connect to make the depot on the Standard Server
accessible to the Enterprise Server.

Before you begin

For best results, use password encryption. Use the following command:
net config /encrypt_passwords:2

About this task

All Fast Connect configuration changes can be made using the /usr/sbin/net
command or through a Web interface. This procedure uses the net command.

Note: For more information about the net command, go to
http://publib.boulder.ibm.com/infocenter/systems/index.jsp?topic=/com.ibm.aix.fastconnect/doc/fastcon/advfeatures.htm.

Procedure
1. No matter what authentication mode is used, you must create a Fast Connect
user with the same credentials as the user who runs Tivoli Security Information
and Event Manager on the Enterprise Server. By default, this user is cifadmin.
Use the following command:
net user /add username -p /active:yes /comment:"comment describing the user"

For example:
net user /add cifadmin -p /active:yes /comment:"Tivoli Security Information and Event Manager User"
2. If the Fast Connect user differs from the AIX user on the Standard Server:
a. Enable user mapping by using the following command:
net config /usernamemapping:1
b. Map the Fast Connect user on the AIX system to the user on the Windows
Enterprise Server. Use the following command:
net user /map user_name AIX_user_name

For example:
net user /map cifadmin cifAIXadmin
3. Share the depot using the following command:
net share /add /netname:share_name /path:path_to_share_folder /desc:description /mode:0

For example, to use the share name depot:
net share /add /netname:depot /path:/opt/IBM/TSIEM/Depot /desc:"TSIEM DEPOT" /mode:0

What to do next

Register the Standard Server with the Enterprise Server.

Mounting the remote depot on an AIX or Linux Enterprise Server

If the Enterprise Server is on an AIX or Linux system, then manually mount the
Standard Server depot on the Enterprise Server.

Before you begin

Be sure that the depot has been shared on the Standard Server.

About this task

There are several ways to mount the depot if both the Enterprise Server and the
Standard Server are running on AIX or Linux. Only one way is shown in this
procedure.

Procedure
1. On Linux systems, use the following command:
mount.cifs -o username=cifadmin //hostname/depot /mnt/hostname/cifdepot

Then register the depot to automount after the operating system is restarted.
2. On AIX systems, use the following command:
mount -v cifs -n hostname/cifadmin/password /depot /mnt/hostname/cifdepot
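The Linux mount command above prompts for the password, and the AIX form passes it on the command line, where it is visible in the process list. As an added example, not from the IBM guide, the functions below do the Linux mount with a root-only credentials file (the mount.cifs credentials= option) and produce the /etc/fstab line that covers the "register the depot to automount" step; the host, share and mount point values are constructed.

```shell
#!/bin/sh
# Added example, not from the IBM guide: mount the shared depot on a Linux
# Enterprise Server with the password kept in a root-only credentials file, and
# generate the matching /etc/fstab entry. Assumes cifs-utils is installed.

# Write a mount.cifs credentials file that only its owner can read.
# Usage: write_cifs_credentials FILE USER PASSWORD
write_cifs_credentials() {
    _file="$1"; _user="$2"; _pass="$3"
    _old=$(umask); umask 077
    printf 'username=%s\npassword=%s\n' "$_user" "$_pass" > "$_file"; _rc=$?
    umask "$_old"
    [ "$_rc" -eq 0 ] || return 1
    # Group and other permission bits (columns 5-10 of ls -l) must all be off.
    [ "$(ls -ld "$_file" | cut -c5-10)" = "------" ]
}

# Print the fstab line for the depot: read-only (the share above is "writable = no"),
# marked as a network filesystem, password taken from the credentials file.
# Usage: depot_fstab_line HOST SHARE MOUNTPOINT CREDFILE
depot_fstab_line() {
    printf '//%s/%s %s cifs credentials=%s,ro,_netdev 0 0\n' "$1" "$2" "$3" "$4"
}

# Mount the depot now with the same options, so the indexer can use it before
# the next restart. Must run as root.
# Usage: mount_depot HOST SHARE MOUNTPOINT CREDFILE
mount_depot() {
    _host="$1"; _share="$2"; _mnt="$3"; _cred="$4"
    [ -r "$_cred" ] || { echo "mount_depot: credentials file $_cred is missing" >&2; return 1; }
    mkdir -p "$_mnt" || return 1
    mount.cifs "//$_host/$_share" "$_mnt" -o "credentials=$_cred,ro"
}
```

Append the depot_fstab_line output to /etc/fstab so the mount is restored after a restart without any password in the file.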

Notices
This information was developed for products and services offered in the U.S.A.

IBM may not offer the products, services, or features discussed in this document in
other countries. Consult your local IBM representative for information on the
products and services currently available in your area. Any reference to an IBM
product, program, or service is not intended to state or imply that only that IBM
product, program, or service may be used. Any functionally equivalent product,
program, or service that does not infringe any IBM intellectual property right may
be used instead. However, it is the user's responsibility to evaluate and verify the
operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter
described in this document. The furnishing of this document does not grant you
any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBM
Intellectual Property Department in your country or send inquiries, in writing, to:

IBM World Trade Asia Corporation
Licensing
2-31 Roppongi 3-chome, Minato-ku
Tokyo 106-0032, Japan

The following paragraph does not apply to the United Kingdom or any other
country where such provisions are inconsistent with local law: INTERNATIONAL
BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS"
WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR
PURPOSE. Some states do not allow disclaimer of express or implied warranties in
certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors.
Changes are periodically made to the information herein; these changes will be
incorporated in new editions of the publication. IBM may make improvements
and/or changes in the product(s) and/or the program(s) described in this
publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for
convenience only and do not in any manner serve as an endorsement of those Web
sites. The materials at those Web sites are not part of the materials for this IBM
product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it
believes appropriate without incurring any obligation to you.

Licensees of this program who wish to have information about it for the purpose
of enabling: (i) the exchange of information between independently created
programs and other programs (including this one) and (ii) the mutual use of the
information which has been exchanged, should contact:

IBM Corporation
2Z4A/101
11400 Burnet Road
Austin, TX 78758
U.S.A.

Such information may be available, subject to appropriate terms and conditions,
including in some cases, payment of a fee.

The licensed program described in this document and all licensed material
available for it are provided by IBM under terms of the IBM Customer Agreement,
IBM International Program License Agreement or any equivalent agreement
between us.

Any performance data contained herein was determined in a controlled
environment. Therefore, the results obtained in other operating environments may
vary significantly. Some measurements may have been made on development-level
systems and there is no guarantee that these measurements will be the same on
generally available systems. Furthermore, some measurements may have been
estimated through extrapolation. Actual results may vary. Users of this document
should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of
those products, their published announcements or other publicly available sources.
IBM has not tested those products and cannot confirm the accuracy of
performance, compatibility or any other claims related to non-IBM products.
Questions on the capabilities of non-IBM products should be addressed to the
suppliers of those products.

All statements regarding IBM's future direction or intent are subject to change or
withdrawal without notice, and represent goals and objectives only.

This information contains examples of data and reports used in daily business
operations. To illustrate them as completely as possible, the examples include the
names of individuals, companies, brands, and products. All of these names are
fictitious and any similarity to the names and addresses used by an actual business
enterprise is entirely coincidental.

COPYRIGHT LICENSE:

This information contains sample application programs in source language, which
illustrate programming techniques on various operating platforms. You may copy,
modify, and distribute these sample programs in any form without payment to
IBM, for the purposes of developing, using, marketing or distributing application
programs conforming to the application programming interface for the operating
platform for which the sample programs are written. These examples have not
been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or
imply reliability, serviceability, or function of these programs.

If you are viewing this information softcopy, the photographs and color
illustrations may not appear.

Trademarks
IBM, the IBM logo, and ibm.com® are trademarks or registered trademarks of
International Business Machines Corporation in the United States, other countries,
or both. If these and other IBM trademarked terms are marked on their first
occurrence in this information with a trademark symbol (® or ™), these symbols
indicate U.S. registered or common law trademarks owned by IBM at the time this
information was published. Such trademarks may also be registered or common
law trademarks in other countries. A current list of IBM trademarks is available on
the Web at Copyright and trademark information (www.ibm.com/legal/
copytrade.shtml).

Adobe, the Adobe logo, PostScript®, and the PostScript logo are either registered
trademarks or trademarks of Adobe Systems Incorporated in the United States,
and/or other countries.

Cell Broadband Engine™ is a trademark of Sony Computer Entertainment, Inc. in
the United States, other countries, or both and is used under license therefrom.

Intel, Intel logo, Intel Inside®, Intel Inside logo, Intel® Centrino®, Intel Centrino
logo, Celeron®, Intel Xeon, Intel SpeedStep®, Itanium®, and Pentium® are
trademarks or registered trademarks of Intel Corporation or its subsidiaries in the
United States and other countries.

IT Infrastructure Library® is a registered trademark of the Central Computer and
Telecommunications Agency, which is now part of the Office of Government
Commerce.

ITIL® is a registered trademark, and a registered community trademark of the
Office of Government Commerce, and is registered in the U.S. Patent and
Trademark Office.

Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the
United States, other countries, or both.

Linux is a registered trademark of Linus Torvalds in the United States, other
countries, or both.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of
Microsoft Corporation in the United States, other countries, or both.

UNIX is a registered trademark of The Open Group in the United States and other
countries.

Other company, product, or service names may be trademarks or service marks of
others.

Printed in USA

GI11-8778-01