Version 5.1
GC32-1592-00
Note: Before using this information and the product it supports, read the information in Notices, on page 71.
First Edition (May 2004) This edition applies to version 5, release 1, modification 0 of IBM Tivoli Security Compliance Manager (product number 5724-F82) and to all subsequent releases and modifications until otherwise indicated in new editions. Copyright International Business Machines Corporation 2003, 2004. All rights reserved. US Government Users Restricted Rights Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
Contents
Preface
  Who should read this book
  What this book contains
  Publications
    IBM Tivoli Security Compliance Manager library
    Related publications
    Accessing publications online
  Accessibility
  Tivoli technical training
  Contacting software support
  Conventions used in this book
    Typeface conventions
    Operating system differences
Chapter 7. After the installation has completed
Chapter 8. Alternate installation methods
  Silent install
  Console mode installation
Chapter 9. Troubleshooting
  Installing with an alternate temporary directory
  Files left in temporary directory
  Logging during installation
  Frequently asked questions
    Invalid DB2 user ID and password given during install
    Entered wrong DB2 password during server start
    Deselected create database now box by mistake
    Forgot Tivoli Security Compliance Manager administrator password
    Forgot Tivoli Security Compliance Manager administrator ID
    Forgot to reset UMASK before installation on UNIX-based or Linux platforms
    Used double-byte characters for my administrator user ID and/or password
    Forgot to select stash password during install and server will not start
    Selected stash password during install and server will not start
Appendix. Notices
  Trademarks
Glossary
Index
Preface
The IBM Tivoli Security Compliance Manager Installation Guide: All Components book explains how to install and configure the IBM Tivoli Security Compliance Manager software. Tivoli Security Compliance Manager is a data collection service that gathers and stores a wide variety of information from multiple participating systems. Information types can include any data on a system, such as operating system versions, software patch levels, and security-related data. System and security administrators can use the Tivoli Security Compliance Manager service to monitor specific data checkpoints on any given machine (or group of machines).
- Chapter 9, Troubleshooting, on page 67 describes solutions for problems that you might encounter during the installation of Tivoli Security Compliance Manager.
Publications
Read the descriptions of the IBM Tivoli Security Compliance Manager library, the prerequisite publications, and the related publications to determine which publications you might find helpful. After you determine the publications you need, refer to the instructions for accessing publications online.
Related publications
This section lists publications related to the Tivoli Security Compliance Manager library.
The Tivoli Software Library provides a variety of Tivoli publications such as white papers, datasheets, demonstrations, redbooks, and announcement letters. The Tivoli Software Library is available on the Web at: http://www.ibm.com/software/tivoli/library/
The Tivoli Software Glossary includes definitions for many of the technical terms related to Tivoli software. The Tivoli Software Glossary is available, in English only, from the Glossary link on the left side of the Tivoli Software Library Web page: http://www.ibm.com/software/tivoli/library/
http://www.ibm.com/software/data/db2/
Accessibility
Accessibility features help a user who has a physical disability, such as restricted mobility or limited vision, to use software products successfully. You can use assistive technologies to hear and navigate the product documentation. You also can use the keyboard instead of the mouse to operate some features of the graphical user interface.
Typeface conventions
The following typeface conventions are used in this reference:
Bold: Lowercase commands or mixed case commands that are difficult to distinguish from surrounding text, keywords, parameters, options, names of Java classes, and objects are in bold.
Italic: Variables, titles of publications, and special words or phrases that are emphasized are in italic.
Monospace: Code examples, command lines, screen output, file and directory names that are difficult to distinguish from surrounding text, system messages, text that the user must type, and values for arguments or command options are in monospace.
Patch/maintenance level No fix pack required No fix pack required Latest fix pack level Latest fix pack level Latest fix pack level Latest fix pack level
Table 2. Clients, collectors, and proxy relay
Operating system | Level | Patch/maintenance level
AIX | 5.1 | Latest cumulative patches
AIX | 5.2 | Latest cumulative patches
HP-UX | 11.0 | Latest cumulative patches
HP-UX | 11i | Latest cumulative patches
Red Hat Linux | 6.2 | Latest cumulative patches
Red Hat Linux | 7.0 | Latest cumulative patches
Red Hat Linux | 7.1 | Latest cumulative patches
Red Hat Linux | 7.2 | Latest cumulative patches
Red Hat Linux | 7.3 | Latest cumulative patches
Red Hat Linux | 8.0 | Latest cumulative patches
Red Hat Linux | 9.0 | Latest cumulative patches
Sun Solaris | 2.6 | Latest cumulative patches
Sun Solaris | 2.7 | Latest cumulative patches
Sun Solaris | 2.8 | Latest cumulative patches
Sun Solaris | 2.9 | Latest cumulative patches
Windows NT | 4.0 Server | Latest service pack and security roll up package
Windows NT | 4.0 Workstation | Latest service pack and security roll up package
Windows 2000 | Server | Latest service pack and security roll up package
Windows 2000 | Advanced Server | Latest service pack and security roll up package
Windows 2000 | Professional | Latest service pack and security roll up package
Windows XP | Professional | Latest service pack and security roll up package
Windows 2003 | Server Standard Edition and Enterprise Edition | Latest service pack and security roll up package
Red Hat Enterprise Linux | 2.1 | Latest cumulative patches
Red Hat Enterprise Linux Advanced Server | 3.0 (see note below) | Latest cumulative patches
Red Hat Enterprise Linux for zSeries | 3.0 | Latest cumulative patches
Red Hat Enterprise Linux for iSeries or pSeries | 3.0 | Latest cumulative patches
Red Hat Enterprise Linux for zSeries | 7.2 | Latest cumulative patches
Red Hat Enterprise Linux Advanced Server | 2.1 | Latest cumulative patches
SUSE LINUX | 7.0 | Latest cumulative patches
SUSE LINUX Enterprise Server | 8 | Latest cumulative patches
SUSE LINUX Enterprise Server for zSeries | 8 | Latest cumulative patches
SUSE LINUX Enterprise Server for iSeries or pSeries | 8 | Latest cumulative patches
Note: The Red Hat Enterprise Linux Advanced Server 3.0 platform can only be installed using the console mode in Japanese. Please see Console mode installation on page 66 for more information on how to perform a console mode install.
Table 3. Administration console
Operating system | Level | Patch/maintenance level
Windows 2000 | Professional | Latest service pack and security roll up package
Windows XP | Professional | Latest service pack and security roll up package
Table 4. Administration command line interface
Operating system | Level | Patch/maintenance level
AIX | 5.1 | Latest cumulative patches
AIX | 5.2 | Latest cumulative patches
Windows 2000 | Professional | Latest service pack and security roll up package
Windows 2000 | Server | Latest service pack and security roll up package
Windows 2000 | Advanced Server | Latest service pack and security roll up package
Windows XP | Professional | Latest service pack and security roll up package
Sun Solaris | 2.8 | Latest cumulative patches
Sun Solaris | 2.9 | Latest cumulative patches
HP-UX | 11 | Latest cumulative patches
HP-UX | 11i | Latest cumulative patches
SUSE LINUX Enterprise Server | 8 | Latest cumulative patches
Red Hat Linux | 9 | Latest cumulative patches
Red Hat Enterprise Linux Advanced Server | 3.0 | Latest cumulative patches
Red Hat Enterprise Linux for iSeries or pSeries | 3.0 | Latest cumulative patches
SUSE LINUX Enterprise Server for iSeries or pSeries | 8 | Latest cumulative patches
Software prerequisites
All UNIX-based and Linux systems must have full X Windows (X11) support in place for the installation to run correctly, regardless of whether or not the system contains a graphics card. See the installation media for the system's operating system to install X Windows (X11).
The following table lists the software prerequisites for the server.
Table 5. Server software prerequisites
Operating system | Requirements
AIX 5.1 | DB2 7.2 or 8.1
AIX 5.2 | DB2 7.2 or 8.1
Windows 2000 Server | DB2 7.2 or 8.1
Sun Solaris 2.8 | DB2 7.2 or 8.1
Sun Solaris 2.9 | DB2 7.2 or 8.1
SUSE LINUX Enterprise Server 8 for IA32 | DB2 7.2 or 8.1
The Tivoli Security Compliance Manager 5.1 product package includes DB2 8.1. The following table lists the software prerequisites for the HP-UX client and command line interface.
Table 6. Client, collectors, and proxy relay software prerequisites
Operating system | Requirements
HP-UX 11.0, 11i | Java Runtime Environment (JRE) 1.3.1
1 2 24
Note: The HP-UX platform values in the table are much smaller than the other platform values because the Java Runtime Environment is not packaged with the HP-UX client.
AIX
Table 9. Disk and memory requirements for Tivoli Security Compliance Manager proxy relay (continued)
Client platform | Disk requirements for installation directory | Disk requirements for temporary directory | Memory requirements
HP-UX | 64 MB | 6 MB | 256 MB RAM minimum, 512 MB RAM recommended
Linux | 64 MB | 46 MB | 256 MB RAM minimum, 512 MB RAM recommended
Solaris | 64 MB | 65 MB | 256 MB RAM minimum, 512 MB RAM recommended
Windows | 64 MB | 44 MB | 256 MB RAM minimum, 512 MB RAM recommended
Note: The HP-UX platform values in the table are much smaller than the other platform values because the Java Runtime Environment is not packaged with the HP-UX client.
The following table lists the disk and memory requirements for the command line interface.
Table 11. Disk and memory requirements for Tivoli Security Compliance Manager command line interface
Command line interface platform | Disk requirements for installation directory | Disk requirements for temporary directory | Memory requirements
AIX | 64 MB | 45 MB | 256 MB RAM minimum, 512 MB RAM recommended
HP-UX | 64 MB | 6 MB | 256 MB RAM minimum, 512 MB RAM recommended
Linux | 64 MB | 46 MB | 256 MB RAM minimum, 512 MB RAM recommended
Solaris | 64 MB | 65 MB | 256 MB RAM minimum, 512 MB RAM recommended
Windows | 64 MB | 44 MB | 256 MB RAM minimum, 512 MB RAM recommended
Note: The HP-UX platform values in the table are much smaller than the other platform values because the Java Runtime Environment is not packaged with the HP-UX client.
CD Layout
The Tivoli Security Compliance Manager 5.1 CD contains the following files and directories:
- /policies/Network_AIX.pol
- /policies/System_AIX.pol
- /policies/Network_Windows.pol
- /policies/System_Windows.pol
- scm_aix
- scm_hp11
- scm_linux
- scm_linux390
- scm_linuxppc
- scm_solaris
- scm_win32.exe
- scminstall.jar
The scm_aix, scm_hp11, scm_linux, scm_linux390, scm_linuxppc, scm_solaris, scm_win32.exe and scminstall.jar are the InstallShield executables and .jar file needed to install Tivoli Security Compliance Manager.
need to place a copy of the db2java.zip and the db2jcc.jar files onto your IBM Tivoli Security Compliance Manager server machine. These files must be located in the same directory on the IBM Tivoli Security Compliance Manager server. You will need to provide the fully-qualified directory path to the db2java.zip file during install.
- A DB2 7.2 database may either be on the server machine, or on a remote machine. In order to use a DB2 7.2 database on a remote machine, you will need to place a copy of the db2java.zip file onto your IBM Tivoli Security Compliance Manager server machine. You will need to provide the fully-qualified directory path to the db2java.zip file during install.
- You need to know the DB2 instance ID and password.
- For UNIX-based and Linux systems, you must be logged on as the user ID root.
- For installations on UNIX-based or Linux platforms, set the umask to 022 for the Tivoli Security Compliance Manager files to be installed with the correct permissions for operations. If the umask is set to another value, the install will complete but the product will not run.
For more information on alternative installation methods, including silent and console mode installations, see Chapter 8, Alternate installation methods, on page 65.
Additional server installation requirements are listed on the Welcome panel of the installation program.
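The root, umask and driver-file requirements above can be checked before the installer is started. The shell functions below are an added example, not part of the IBM guide or product: the names scm_preflight and scm_perm_audit and their arguments are assumptions made for this illustration, and the second function goes beyond the text by listing file modes worth reviewing after an install.

```shell
#!/bin/sh
# Added example, not IBM code. Function names and arguments are hypothetical.

# scm_preflight UID UMASK DRIVER_DIR NEED
#   UID         effective user ID, for example "$(id -u)"
#   UMASK       current mask, for example "$(umask)"
#   DRIVER_DIR  directory that holds the DB2 JDBC driver files
#   NEED        "zip"  = db2java.zip only
#               "both" = db2java.zip and db2jcc.jar in the same directory
# Returns the number of failed checks (0 means ready to install).
scm_preflight() {
    pf_uid=$1; pf_mask=$2; pf_dir=$3; pf_need=$4
    pf_fail=0

    # The guide requires the installation to be run as root.
    if [ "$pf_uid" != "0" ]; then
        echo "FAIL: run the installer as root (current uid: $pf_uid)" >&2
        pf_fail=$((pf_fail + 1))
    fi

    # Shells print the mask as 022 or 0022, so compare without leading zeros.
    if [ "$(printf '%s' "$pf_mask" | sed 's/^0*//')" != "22" ]; then
        echo "FAIL: umask is $pf_mask, run 'umask 022' first" >&2
        pf_fail=$((pf_fail + 1))
    fi

    # The installer asks for the fully qualified path to db2java.zip.
    case $pf_dir in
        /*) ;;
        *)  echo "FAIL: driver directory must be an absolute path" >&2
            pf_fail=$((pf_fail + 1)) ;;
    esac

    for pf_file in db2java.zip db2jcc.jar; do
        if [ "$pf_file" = "db2jcc.jar" ] && [ "$pf_need" != "both" ]; then
            continue
        fi
        if [ ! -r "$pf_dir/$pf_file" ]; then
            echo "FAIL: $pf_dir/$pf_file is missing or unreadable" >&2
            pf_fail=$((pf_fail + 1))
        fi
    done

    return "$pf_fail"
}

# scm_perm_audit INSTALL_DIR
# Prints entries whose mode differs from what a 022 mask normally produces:
# writable by group or others, or not readable by both group and others.
# The output is a list to review, not proof that the product will fail.
scm_perm_audit() {
    find "$1" ! -type l \( -perm -020 -o -perm -002 -o ! -perm -044 \) -print
}

# Run the pre-install checks when called with the driver directory as $1
# and, optionally, "both" as $2.
if [ "$#" -ge 1 ]; then
    scm_preflight "$(id -u)" "$(umask)" "$1" "${2:-zip}"
fi
```

After an installation, `scm_perm_audit /opt/IBM/SCM` (the default UNIX and Linux directory named in this guide) lists anything created under a different mask.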
3. The installation Welcome window is displayed. This window lists all the required information for each Tivoli Security Compliance Manager component; use the scroll bar to display the required information for the component you will be installing. Click Next.
4. The software license agreement is displayed. Accept the agreement and click Next to continue.
5. The Installation Directory Location window is displayed. The Tivoli Security Compliance Manager server code is installed in the /opt/IBM/SCM directory on UNIX-based platforms and Linux platforms, and in the C:\Program Files\IBM\SCM directory on Windows. Enter a different installation location in this window if you do not want to use the default directory. Click Next.
Note: If you have already installed another Tivoli Security Compliance Manager component, or are reinstalling the server, the Installation Directory Location window will not be displayed. The installation program will automatically install the server to the same location as the previously installed components.
6. The System Component Selection window is displayed. After the system component selection window opens, you will be able to continue your installation based on the system component you have selected. Select IBM Tivoli Security Compliance Manager Server and click Next. Note: The IBM Tivoli Security Compliance Manager Database Configuration utility is automatically included with the server installation. After the server installation has completed, a separate database configuration step is not required.
7. The Server E-mail Configuration window is displayed. Enter the SMTP e-mail server host name that will be used by Tivoli Security Compliance Manager to send e-mail notifications, and the e-mail address to send the notifications to. The e-mail address will be used as the From: field in the e-mail notification sent by the Tivoli Security Compliance Manager server. Click Next to continue.
8. The Server Communication Configuration window is displayed. Enter the server and client connection ports, and click Next. The server connection port displayed on this window is the port used for communications with the administration console and with the administration command line interface.
9. The Server Security Configuration window is displayed.
   a. Enter the fully qualified host name of the server machine for the system name for the certificate, and the password to be used for the master keystore and a separate password to be used for the server keystore. These passwords must be at least six characters in length.
   b. Select the check box to stash the server keystore password and enable the server to start automatically after installation has completed; if you do not select the box you will have to manually start the server and then enter the server keystore password. Additionally on Windows systems, if you choose not to store the server keystore password, the server service will not be installed as a Windows server. As a result, the server will not start automatically when the Windows machine is started. Instead, you will need to use the jacserver command to start the server, and then you will be prompted for the server keystore password before launching the server.
   Click Next to continue the installation.
   Note: The master keystore password is used to generate the keystore.
10. The Database Location window is displayed.
- To use a database on the server machine, select The database is on the local machine, click Next, and continue onto the next step.
- To use a database on a remote machine, select The database is remote, click Next, and continue onto Step 13 on page 19.
11. The Database Configuration window is displayed. A slightly different window is displayed on Windows platforms as opposed to UNIX-based or Linux platforms.
- For Windows platforms, enter the following information:
  - The DB2 user ID and password.
  - The location of the .jar or .zip file that contains the DB2 JDBC driver. Click the Browse button to navigate to the location of the .jar or .zip file, or enter the location manually. The typical location for this file is: C:\Program Files\IBM\SQLLIB\java\db2java.zip
  - The name of the DB2 JDBC driver. A default DB2 JDBC driver name is displayed.
  - The URL to use for database connectivity. Leave the default for a local database, and see your DB2 administrator for a remote database. See your DB2 documentation for more information on how to configure JDBC for DB2.
  Click Next to continue the installation and continue onto Step 12 on page 18.
- For UNIX-based and Linux platforms, enter the following information:
  - The DB2 user ID and password.
  - The location to create the DB2 database. If this field is left blank, the installation will use the default location of the database instance ID home. If a location is specified in this field, that location will be used as the location of the database.
  - Select the check box to create the DB2 database as part of the server installation. See the note in the next step for more details on the function of the check box.
  Click Next to continue the installation and continue onto Step 15 on page 22.
12. A second Database Configuration window is displayed for Windows platforms. Select the check box to create the DB2 database as part of the server installation. If you choose to not create the database as part of the server installation, then the installation program will bypass the creation of the database. Click Next to continue the installation and continue onto Step 15 on page 22.
Note: The check box option allows you to customize your database configuration by not installing the database with the default configuration. The default database used by IBM Tivoli Security Compliance Manager is called JAC. The table definitions are included in the file INSTDIR/sql/jac.sql. The commands to create the database and the local node alias, SCM, are included as comments in the jac.sql file. You can either create the database JAC and the SCM local node alias using DB2 commands prior to using jac.sql, or uncomment the statements in jac.sql.
There are two other files in the INSTDIR/sql/ directory that are used during database configuration: groups_and_roles.sql and admin.sql. The file groups_and_roles.sql contains the default administration group and role definitions. The file admin.sql contains the commands used to create the administrator user ID.
The db2 -tvf <filename> command can be used to execute the commands contained in the .sql files. When creating a custom database configuration, you should create the database tables using the jac.sql file before using the other two .sql files.
The IBM Tivoli Security Compliance Manager Server connects to the JAC database or the SCM alias using the configuration parameters specified during installation. The database configuration options are included in the INSTDIR/server/server.ini file. The configuration options contained in the server.ini file must be valid for any database customization.
13. For installations that will use a remote database, the Database Configuration window is displayed. Enter the following information:
Note: Although the information requested is the same, the order in which the information is requested differs between Windows platforms and UNIX-based or Linux platforms. The windows that follow show the order for Windows platforms.
- The DB2 user ID and password.
- The location of the .jar or .zip file that contains the DB2 JDBC driver. Click the Browse button to navigate to the location of the .jar or .zip file, or enter the location manually. The typical location for this file is:
  Windows: C:\Program Files\IBM\SQLLIB\java\db2java.zip
  UNIX-based or Linux platforms: /home/db2inst1/sqllib/java/db2java.zip
- The name of the DB2 JDBC driver. A default DB2 JDBC driver name is displayed.
- The URL to use for database connectivity. Leave the default for a local database, and see your DB2 administrator for a remote database. See your DB2 documentation for more information on how to configure JDBC for DB2.
- Click Next to continue the installation.
14. A Confirm Remote Database Exists window is displayed. This window prompts you to check that the remote database exists and has been enabled to use the JDBC interface specified on the Database Configuration windows. Click Next to continue the installation and continue onto Step 16 on page 23.
15. The Administrator User ID Configuration window is displayed. Enter the Tivoli Security Compliance Manager system administrator user ID and password, and click Next. The user ID and password entered on this window will be used as the primary administrator for the administration console or the command line interface. The passwords must be at least six characters in length.
Note: All administrator user IDs and passwords must contain only single-byte characters for the installation to complete successfully. Once the installation is complete, you may use the administration console to change the administrator user ID and password to contain double-byte characters.
16. The Installation Summary window is displayed. This window displays the installation location, the system components to be installed, and the installation size. Click Next to begin the installation process.
17. An installation progress indicator will be displayed in place of the summary window. After the installation has completed, a results window is displayed. Click Finish to exit the installation.
18. After installation is complete, make sure to back up your server keys and keystores. See the chapter on managing server keys and keystores in the IBM Tivoli Security Compliance Manager Administration Guide for instructions on using the administration console to create a back-up of the server keys and keystores. In addition, refer to Chapter 7, After the installation has completed, on page 63 for further post-installation recommendations.
questions are provided by the installation, and a simple configuration is performed during installation to get you up and running quickly. In addition to the regular product installation package, a stand-alone ISMP client installation package is provided. This client-only installation is very similar to the regular product installation, but contains fewer screens. Differences between the regular and client-only installation packages are indicated throughout the installation procedure.
When you use ISMP to install the Tivoli Security Compliance Manager client, you will follow these steps regardless of your operating system:
1. Run the installation executable. The list of the platform-specific installation executables is located in Chapter 1, Installation overview, on page 1. A startup window for the Java Virtual Machine, JVM, is displayed while the JVM is loaded.
2. The Language Selection window is displayed. Select a language for the installation. Click OK.
3. The installation Welcome window is displayed. This window lists all the required information for each Tivoli Security Compliance Manager component; use the scroll bar to display the required information for the component you will be installing. Click Next. Note: This window is not displayed in the client-only installation.
4. The software license agreement is displayed. Accept the agreement and click Next to continue.
5. The Installation Directory Location window is displayed. The Tivoli Security Compliance Manager client code is installed in the /opt/IBM/SCM directory on UNIX-based platforms and the Linux platforms, and in the C:\Program Files\IBM\SCM directory on Windows. Enter a different installation location in this window if you do not want to use the default directory. Click Next. Note: If you have already installed another Tivoli Security Compliance Manager component, or are reinstalling the client, the Installation Directory Location window will not be displayed. The installation program will automatically install the client to the same location as the previously installed components.
6. The System Component Selection window is displayed. After the system component selection window opens, you will be able to continue your installation based on the system component you have selected. Select IBM Tivoli Security Compliance Manager Client and click Next. Note: This window is not displayed in the client-only installation.
7. For client installations on the HP-UX platform, the Java Runtime Location window is displayed. Enter the directory that contains the 1.3.1 JVM, and click Next.
8. The Client Communication Mode Configuration window is displayed. Enter the client connection port, and the client communications mode. There are two communication modes:
Push: A client that permits communication with the server to be initiated by either the client or the server.
Pull: A client that permits communication with the server to be initiated by only the server.
Defining a client as a push client permits communication with the server to be established by either the client or the server. In some network environments, however, inbound connections to the server might not be permitted. In these cases, defining the client as a pull client forces the server to initiate all communications with the client. Pull clients are generally needed when the server is located behind a firewall.
To install a push client, select Push and click Next. To install a pull client, select Pull, click Next, and proceed to Step 11 on page 34.
9. The Server Communication Configuration window is displayed. Enter the Tivoli Security Compliance Manager server host name and connection port for server and client communications. Select the check box if the client has a dynamic IP address, or if the IP address or host name of the client changes frequently. Clear the check box if the client has a static IP address. Click Next to continue the installation.
10. For DHCP clients, the Client DHCP Configuration window is displayed. You can enter an optional DHCP client alias, or the system will use a default alias of the client host name. Click Next to continue the installation.
11. The Installation Summary window is displayed. This window displays the installation location, the system components to be installed, and the installation size. Click Next to begin the installation process.
12. An installation progress indicator will be displayed in place of the summary window. After the installation has completed, a results window is displayed. Click Finish to exit the installation.
3. The installation Welcome window is displayed. This window lists all the required information for each Tivoli Security Compliance Manager component; use the scroll bar to display the required information for the component you will be installing. Click Next.
4. The software license agreement is displayed. Accept the agreement and click Next to continue.
5. The Installation Directory Location window is displayed. The Tivoli Security Compliance Manager administration utilities code is installed in the /opt/IBM/SCM directory on UNIX-based platforms and the Linux platforms, and in the C:\Program Files\IBM\SCM directory on Windows. Enter a different installation location in this window if you do not want to use the default directory. Click Next.
Note: If you have already installed another Tivoli Security Compliance Manager component, or are reinstalling the administration console or the command line interface, the Installation Directory Location window will not be displayed. The installation program will automatically install the administration console or administration command line interface to the same location as the previously installed components.
6. The System Component Selection window is displayed. After the system component selection window opens, you will be able to continue your installation based on the system component you have selected. Select IBM Tivoli Security Compliance Manager Administration Utilities and click Next.
7. For administration utilities installations on the HP-UX platform, the Java Runtime Location window is displayed. Enter the directory that contains the 1.3.1 JVM, and click Next.
8. The Installation Summary window is displayed. This window displays the installation location, the system components to be installed, and the installation size. Click Next to begin the installation process.
9. An installation progress indicator will be displayed in place of the summary window. After the installation has completed, a results window is displayed. Click Finish to exit the installation.
3. The installation Welcome window is displayed. This window lists all the required information for each Tivoli Security Compliance Manager component; use the scroll bar to display the required information for the component you will be installing. Click Next.
4. The software license agreement is displayed. Accept the agreement and click Next to continue.
5. The Installation Directory Location window is displayed. The Tivoli Security Compliance Manager server code is installed in the /opt/IBM/SCM directory on UNIX-based and Linux platforms, and in the C:\Program Files\IBM\SCM directory on Windows. Enter a different installation location in this window if you do not want to use the default directory. Click Next. Note: If you have already installed another Tivoli Security Compliance Manager component, the Installation Directory Location window will not be displayed. The installation program will automatically install the database configuration utilities to the same location as the previously installed components.
6. The System Component Selection window is displayed. After the system component selection window opens, you will be able to continue your installation based on the system component you have selected. Select IBM Tivoli Security Compliance Manager Database Configuration and click Next.
7. The Database Configuration window is displayed. Enter the following information:
- The DB2 user ID and password.
- The location of the .jar or .zip file that contains the DB2 JDBC driver. Click the Browse button to navigate to the location of the .jar or .zip file, or enter the location manually. The default location for this file is:
  Windows: C:\Program Files\IBM\SQLLIB\java\db2java.zip
  UNIX-based platforms: /home/db2inst1/sqllib/java/db2java.zip
- The name of the DB2 JDBC driver. A default DB2 JDBC driver name is displayed.
- The URL to use for database connectivity. Leave the default for a local database, and see your DB2 administrator for a remote database.
See your DB2 documentation for more information on how to configure JDBC for DB2. Click Next to continue the installation.
8. A second Database Configuration window is displayed. Select the check box to create the DB2 database. This option allows you to customize your database configuration by not installing the database with the default configuration.
The default database used by IBM Tivoli Security Compliance Manager is called JAC. The table definitions are included in the file INSTDIR/sql/jac.sql. The commands to create the database and the local node alias, SCM, are included as comments in the jac.sql file. You can either create the database JAC and the SCM local node alias using DB2 commands prior to using jac.sql, or uncomment the statements in jac.sql.
There are two other files in the INSTDIR/sql/ directory that are used during database configuration: groups_and_roles.sql and admin.sql. The file groups_and_roles.sql contains the default administration group and role definitions. The file admin.sql contains the commands used to create the administrator user ID.
The db2 -tvf <filename> command can be used to execute the commands contained in the .sql files. When creating a custom database configuration, you should create the database tables using the jac.sql file before using the other two .sql files.
The IBM Tivoli Security Compliance Manager Server connects to the JAC database or the SCM alias using the configuration parameters specified during installation. The database configuration options are included in the INSTDIR/server/server.ini file. The configuration options contained in the server.ini file must be valid for any database customization.
9. The Administrator User ID Configuration window is displayed. Enter the Tivoli Security Compliance Manager system administrator user ID and password, and click Next. The password must be at least six characters in length. Note: All administrator user IDs and passwords must contain only single-byte characters for the installation to complete successfully. Once the installation is complete, you may use the Administration Console to change the administrator user ID and password to contain double-byte characters.
10. The Installation Summary window is displayed. This window displays the installation location, the system components to be installed, and the installation size. Click Next to begin the installation process.
11. An installation progress indicator will be displayed in place of the summary window. After the installation has completed, a results window is displayed. Click Finish to exit the installation.
4. The Uninstallation Selection window is displayed. All installed Tivoli Security Compliance Manager system components are listed, and preselected, in this window. Select the Tivoli Security Compliance Manager system components to uninstall and click Next. Note: This window is not displayed in the client-only installation.
5. If you select to uninstall the server, the Confirm Keystore Deletion window is displayed. If you intend to reinstall the server and have your existing clients communicate without needing to be reinstalled, you must keep the keystore files currently being used for client-server communication. See the chapter on managing server keys and keystores in the IBM Tivoli Security Compliance Manager Administration Guide for instructions on using the administration console to create a backup of the server keys and keystores. Select the check box to delete the client-server communication keystore files if you have a backup copy or you do not intend to reinstall the server. Deselect the check box to leave the two files, server.jks and master.jks, in the INSTDIR/server/keystores directory and uninstall the server. Click Next to continue.
6. The Uninstallation Summary window is displayed. This window displays the directory location that the system components will be uninstalled from and the system components to be uninstalled. Click Next to begin the uninstallation process.
7. A progress indicator will be displayed in place of the summary window. After the uninstallation has completed, a results window is displayed. Click Next.
8. The uninstall wizard might require you to restart your computer to complete the uninstallation process. Click Finish to exit the uninstallation program. Note: The uninstallation process on HP-UX systems will display a Next option on the final uninstallation panel instead of a Finish option. Selecting the Next option will complete the uninstall.
Note: The console mode uninstallation process on HP-UX systems will display a Next option on the final uninstallation panel instead of a Finish option. Selecting the Next option will complete the uninstall.
Silent install
Note: Before you begin, be aware that ISMP does not report any errors in silent mode. Therefore, if you type any of the options incorrectly, the installation will silently fail or respond unexpectedly. For example, if you are installing in /syslocal/tools/SCM and you were to type the command incorrectly, the component would still be installed and there would be no error message.
The InstallShield MultiPlatform tool provides the capability to create a template file that contains all possible responses. The tool also provides a record option that allows you to record the responses given when installing a particular system. Response files created using these techniques can be used to perform silent installations.
Note: When performing a silent install on a Windows system, the InstallShield program does not wait for the installation to complete before displaying an active command window. The install will still be in progress once the user prompt is displayed, so check to ensure that the installation is complete before using the command window.
In the examples given in this section, substitute one of the following for the platform variable: scm_aix, scm_hp11, scm_linux, scm_linux390, scm_linuxppc, scm_solaris, scm_win32.exe
To record a response file during an installation, enter the following command:
scm_platform -options-record filename
where filename is the path name of the file to which the recorded response data will be written.
Note: Using the -options-record option on the Solaris platform causes invalid error messages to be displayed. The options file that is created on Solaris can be used for silent installation.
To generate a template file, enter the following command:
scm_platform -options-template filename
where filename is the path name of the file to which the template response data will be written. When the template generation successfully completes, you will receive the following message:
Options file filename was successfully created
The template file that is created must be edited using a text editor as follows:
- For options you want to set, remove the three comment characters (###) at the start of the option line.
- Replace value with the appropriate value for each uncommented option.
When you first perform a silent installation, use the -options-record option to generate a response file from an actual installation. This option allows you to familiarize yourself with the data variables that can be set and with the valid responses. After you are familiar with the data that must be provided in the response file, you might find the -options-template option, which provides a template file of all possible responses, to be useful.
After you have created a response file with the desired data input, you can use that file in a subsequent silent installation. For example, to perform a silent installation enter the following command:
scm_platform -silent -options filename
where filename is the path name of the file that contains the response data to be used.
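Because the installer reports no errors in silent mode, a response file can be checked before it is passed to the launcher. The following shell functions are an added example, not part of the IBM documentation. They assume that an unedited template placeholder appears as the literal text <value> and that a partly uncommented option starts with one or two # characters; the option names in the sample file are constructed.

```shell
#!/bin/sh
# Added example (not IBM code): pre-flight check for an ISMP response file.

# lint_options FILE
# Prints one finding per problem; returns 0 only when nothing was found.
lint_options() {
    awk '
        /^[ \t]*$/ { next }                  # blank line
        /^###/     { next }                  # option left disabled, as in the template
        /^##?[ ]?-[A-Za-z]/ {                # heuristic: only one or two "#" removed
            printf "line %d: option is still commented out\n", NR; bad++; next
        }
        /^#/       { next }                  # ordinary comment
        /^-/       {                         # active option
            active++
            if (index($0, "<value>")) {      # assumed placeholder text
                printf "line %d: placeholder not replaced\n", NR; bad++
            }
            next
        }
        {                                    # would reach the installer unchecked
            printf "line %d: does not start with - or #\n", NR; bad++
        }
        END {
            if (active == 0) { print "no active options in file"; bad++ }
            exit (bad > 0)
        }
    ' "$1"
}

# silent_install LAUNCHER FILE
# Runs "LAUNCHER -silent -options FILE" only if the response file lints clean.
silent_install() {
    if ! lint_options "$2"; then
        echo "not installing: fix the findings in $2 first" >&2
        return 2
    fi
    "$1" -silent -options "$2"
}

# sample_options: constructed response file; the option names are illustrative only.
sample_options() {
    cat <<'EOF'
# constructed sample, not produced by the SCM installer
-P installLocation="/opt/IBM/SCM"
## -W exampleBean.userId="admin"
-W exampleBean.password=<value>
W exampleBean.flag="true"
### -W exampleBean.unused=<value>
EOF
}
```

Running lint_options on the output of sample_options reports lines 3, 4 and 5, so silent_install never calls the launcher for that file.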
Chapter 9. Troubleshooting
This chapter describes problems that you might encounter as you install and configure Tivoli Security Compliance Manager and it provides some solutions to these problems.
where scm_platform is one of the platform launchers for Tivoli Security Compliance Manager: scm_aix, scm_hp11, scm_linux, scm_linux390, scm_linuxppc, scm_solaris, scm_win32.exe. The @ALL parameter will log all installation events.
The ISMP installation program also stores information about the ISMP installed components in a vital product data file called vpd.properties. This file is found in various directories depending on the operating system, such as:
- Windows: %SystemRoot%\vpd.properties
- AIX: /usr/lib/objrepos/vpd.properties
- Linux: /root/vpd.properties
- HP-UX: /vpd.properties
- Solaris: /vpd.properties
where <correct_userid_value> is the valid DB2 user ID and <correct_password_value> is the valid DB2 password. You may enter the password as plain text, and it will be encrypted in the file for you.
Forgot to select stash password during install and server will not start
Problem: I deselected the stash password check box on the Server Security Configuration window during installation, and my server fails to start when the system is rebooted.
Solution: Deselecting the stash password check box removes the server.keystore.password value from the INSTDIR/server/server.ini file, but does not change the system entries to automatically start the server.
- To solve this problem on AIX systems, enter the following command:
rmitab ibmscmsrv
- To solve this problem on other UNIX-based systems, enter the following commands:
- To solve this problem on a Windows system, enter the following command to remove the server as a Windows service:
scmserver remove
Selected stash password during install and server will not start
Problem: I selected the stash password check box on the Server Security Configuration window during installation, but my server does not automatically start when the system is rebooted.
Solution: Use the following steps to add the server to your system's startup process:
Note: Make sure to replace the INSTDIR directory below with the directory where you installed Tivoli Security Compliance Manager.
- For AIX systems, enter the following command:
mkitab "ibmscmsrv:2:once:INSTDIR/server/scmserver start 2>/dev/null"
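Both problems above come from the stashed keystore password and the AIX inittab entry being out of step. The following shell functions are an added example, not part of the IBM documentation, that report which of the two mismatches is present. They assume that the stashed value is stored as a server.keystore.password=... line in server.ini; the sample inputs are constructed.

```shell
#!/bin/sh
# Added example (not IBM code): detect a stash/autostart mismatch on AIX.

# stash_state SERVER_INI INITTAB
# Prints: consistent-autostart | consistent-manual |
#         autostart-without-stash | stash-without-autostart
stash_state() {
    stashed=no
    autostart=no
    # Assumption: the stashed value is a "server.keystore.password=..." line
    # and a key with an empty value counts as not stashed.
    if grep -Eq '^[[:space:]]*server\.keystore\.password[[:space:]]*=[[:space:]]*[^[:space:]]' "$1"; then
        stashed=yes
    fi
    # mkitab writes a record whose first field is the identifier ibmscmsrv.
    if grep -q '^ibmscmsrv:' "$2"; then
        autostart=yes
    fi
    case "$stashed/$autostart" in
        yes/yes) echo consistent-autostart ;;
        no/no)   echo consistent-manual ;;
        no/yes)  echo autostart-without-stash ;;  # first problem: rmitab ibmscmsrv
        yes/no)  echo stash-without-autostart ;;  # second problem: add the mkitab record
    esac
}

# world_readable FILE: succeeds if "other" has read permission on FILE.
# Worth checking on server.ini when it holds a stashed password.
world_readable() {
    [ -n "$(find "$1" -prune -perm -004 2>/dev/null)" ]
}

# Constructed inputs for a dry run; not taken from a real installation.
sample_ini() {
    printf '%s\n' 'server.keystore.password=CONSTRUCTED-VALUE'
}
sample_inittab() {
    printf '%s\n' ': constructed inittab fragment' \
        'ibmscmsrv:2:once:/opt/IBM/SCM/server/scmserver start 2>/dev/null'
}
```

On a real system the arguments would be INSTDIR/server/server.ini and /etc/inittab.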
Appendix. Notices
This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation
500 Columbus Avenue
Thornwood, NY 10594
U.S.A.
For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:
IBM World Trade Asia Corporation
Licensing
2-31 Roppongi 3-chome, Minato-ku
Tokyo 106, Japan
The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.
This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.
Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.
IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.
Copyright IBM Corp. 2003, 2004
Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:
IBM Corporation
2Z4A/101
11400 Burnet Road
Austin, TX 78758
USA
Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.
The licensed program described in this information and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement, or any equivalent agreement between us.
Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurements may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.
Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.
All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.
This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.
If you are viewing this information softcopy, the photographs and color illustrations may not appear.
Trademarks
The following terms are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both: AIX, DB2, IBM, IBM logo, Tivoli, Tivoli logo.
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.
Java and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries.
UNIX is a registered trademark of The Open Group in the United States and other countries.
Other company, product, and service names may be trademarks or service marks of others.
Glossary
collector. A software module that runs on a client system and gathers data. This data is subsequently sent to a server.
compliance query. An SQL query that extracts specific data from the server database and returns a list of clients that are in violation of specific security requirements.
delta table. A database table used for saving changed data from subsequent runs of a collector.
disinherit. To remove actions from a role that were originally copied from a template.
inherit. To copy actions to a role from a template.
policy. A set of one or more compliance queries used to demonstrate the level of adherence to specific security requirements.
policy bundle. A file containing the information associated with a policy, such as the compliance queries, the collectors, and the associated schedules. A policy bundle permits the policy to be saved and subsequently applied to other servers.
proxy relay. A special pull client that acts as a relay between the server and one or more clients. A proxy relay is used to reach a limited number of clients that are located behind a firewall, or that are in an IP-address range that is not directly addressable by the server.
pull client. A client that permits communication with the server to be initiated by only the server.
push client. A client that permits communication with the server to be initiated by either the client or the server.
snapshot. The result of running all of the compliance queries in a policy against a set of clients. A snapshot shows the number of violations and indicates what clients are not adhering to the security requirements being tested by the compliance queries.
Printed in USA
GC32-1592-00