Version 5.1
GC32-1593-00
Note Before using this information and the product it supports, read the information in Notices, on page 29.
First Edition (May 2004) This edition applies to version 5, release 1, modification 0 of IBM Tivoli Security Compliance Manager (product number 5724-F82) and to all subsequent releases and modifications until otherwise indicated in new editions. Copyright International Business Machines Corporation 2003, 2004. All rights reserved. US Government Users Restricted Rights Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
Contents
Preface  v
  Who should read this book
  What this book contains
  Publications
    IBM Tivoli Security Compliance Manager library
    Related publications
    Accessing publications online
  Accessibility
  Tivoli technical training
  Contacting software support
  Conventions used in this book
    Typeface conventions
    Operating system differences
Chapter 5. Troubleshooting  27
  Installing with an alternate temporary directory  27
  Files left in temporary directory  27
  Logging during installation  27
Appendix. Notices  29
  Trademarks  30
Glossary  33
Index  35
Preface
The IBM Tivoli Security Compliance Manager Installation Guide: Client Component book explains how to install and configure the IBM Tivoli Security Compliance Manager client software. Tivoli Security Compliance Manager is a data collection service that gathers and stores a wide variety of information from multiple participating systems. Information types can include any data on a system, such as operating system versions, software patch levels, and security-related data. System and security administrators can use the Tivoli Security Compliance Manager service to monitor specific data checkpoints on any given machine (or group of machines).
Publications
Read the descriptions of the IBM Tivoli Security Compliance Manager library, the prerequisite publications, and the related publications to determine which publications you might find helpful. After you determine the publications you need, refer to the instructions for accessing publications online.
IBM Tivoli Security Compliance Manager library
- IBM Tivoli Security Compliance Manager Installation Guide: Client Component (GC32-1593-00) Explains how to install and configure the Tivoli Security Compliance Manager client component software.
- IBM Tivoli Security Compliance Manager Administration Guide (SC32-1594-00) Explains how to manage and configure Tivoli Security Compliance Manager services using the administration console.
- IBM Tivoli Security Compliance Manager Collector Development Guide (SC32-1595-00) Explains how to design and implement custom Tivoli Security Compliance Manager collectors.
- IBM Tivoli Security Compliance Manager Warehouse Enablement Pack, Version 1.1 Implementation Guide for Tivoli Data Warehouse, Version 1.2 (SC32-1596-00) Explains how to integrate Tivoli Security Compliance Manager with Tivoli Data Warehouse.
- IBM Tivoli Security Compliance Manager Release Notes (GI11-4695-00) Provides late-breaking information, such as software limitations, workarounds, and documentation updates.
Related publications
This section lists publications related to the Tivoli Security Compliance Manager library.
The Tivoli Software Library provides a variety of Tivoli publications such as white papers, datasheets, demonstrations, redbooks, and announcement letters. The Tivoli Software Library is available on the Web at:
http://www.ibm.com/software/tivoli/library/
The Tivoli Software Glossary includes definitions for many of the technical terms related to Tivoli software. The Tivoli Software Glossary is available, in English only, from the Glossary link on the left side of the Tivoli Software Library Web page:
http://www.ibm.com/software/tivoli/library/
Accessibility
Accessibility features help a user who has a physical disability, such as restricted mobility or limited vision, to use software products successfully. You can use assistive technologies to hear and navigate the product documentation. You also can use the keyboard instead of the mouse to operate some features of the graphical user interface.
Typeface conventions
The following typeface conventions are used in this reference: Bold Lowercase commands or mixed case commands that are difficult to distinguish from surrounding text, keywords, parameters, options, names of Java classes, and objects are in bold. Variables, titles of publications, and special words or phrases that are emphasized are in italic. Code examples, command lines, screen output, file and directory names that are difficult to distinguish from surrounding text, system messages, text that the user must type, and values for arguments or command options are in monospace.
Italic Monospace
Preface
vii
viii
Table 1. Clients, collectors, and proxy relay
(First part of the table; the operating-system column did not survive extraction, so only the level and patch columns are shown.)
Level                                            Patch/maintenance level
5.1                                              Latest cumulative patches
5.2                                              Latest cumulative patches
11.0                                             Latest cumulative patches
11i                                              Latest cumulative patches
6.2                                              Latest cumulative patches
7.0                                              Latest cumulative patches
7.1                                              Latest cumulative patches
7.2                                              Latest cumulative patches
7.3                                              Latest cumulative patches
8.0                                              Latest cumulative patches
9.0                                              Latest cumulative patches
2.6                                              Latest cumulative patches
2.7                                              Latest cumulative patches
2.8                                              Latest cumulative patches
2.9                                              Latest cumulative patches
4.0 Server                                       Latest service pack and security roll up package
4.0 Workstation                                  Latest service pack and security roll up package
Server                                           Latest service pack and security roll up package
Advanced Server                                  Latest service pack and security roll up package
Professional                                     Latest service pack and security roll up package
Professional                                     Latest service pack and security roll up package
Server Standard Edition and Enterprise Edition   Latest service pack and security roll up package

Table 1. Clients, collectors, and proxy relay (continued)
Operating system                                   Level                  Patch/maintenance level
Red Hat Enterprise Linux                           2.1                    Latest cumulative patches
Red Hat Enterprise Linux Advanced Server           3.0 (see note below)   Latest cumulative patches
Red Hat Enterprise Linux for zSeries               3.0                    Latest cumulative patches
Red Hat Enterprise Linux for iSeries or pSeries    3.0                    Latest cumulative patches
Red Hat Enterprise Linux for zSeries               7.2                    Latest cumulative patches
Red Hat Enterprise Linux Advanced Server           2.1                    Latest cumulative patches
SUSE LINUX                                         7.0                    Latest cumulative patches
SUSE LINUX Enterprise Server                       8                      Latest cumulative patches
SUSE LINUX Enterprise Server for zSeries           8                      Latest cumulative patches
SUSE LINUX Enterprise Server for iSeries or pSeries 8                     Latest cumulative patches
Note: The Red Hat Enterprise Linux Advanced Server 3.0 platform can only be installed using the console mode in Japanese. Please see Console mode installation on page 26 for more information on how to perform a console mode install.
Software prerequisites
All UNIX-based and Linux systems must have full X Windows (X11) support in place for the installation to run correctly, regardless of whether or not the system contains a graphics card. See the installation media for the system's operating system to install X Windows (X11). The following table lists the software prerequisites for the HP-UX client.
Table 2. Client, collectors, and proxy relay software prerequisites
Operating system    Requirements
HP-UX 11.0, 11i     Java Runtime Environment (JRE) 1.3.1
Table 3. Disk and memory requirements for Tivoli Security Compliance Manager client
Client platform   Disk requirements for installation directory   Disk requirements for temporary directory   Memory requirements
AIX               (not recoverable)                              (not recoverable)                           (not recoverable)
HP-UX             64 MB                                          6 MB                                        (not recoverable)
Linux             64 MB                                          46 MB                                       75 MB RAM
Solaris           64 MB                                          65 MB                                       75 MB RAM
Windows           64 MB                                          44 MB                                       75 MB RAM
(The AIX values and the memory values for AIX and HP-UX did not survive extraction of this page.)
Note: The HP-UX platform values in the table are much smaller than the other platform values because the Java Runtime Environment is not packaged with the HP-UX client.
CD Layout
The Tivoli Security Compliance Manager 5.1 CD contains the following files and directories:
- /policies/Network_AIX.pol
- /policies/System_AIX.pol
- /policies/Network_Windows.pol
- /policies/System_Windows.pol
- scm_aix
- scm_hp11
- scm_linux
- scm_linux390
- scm_linuxppc
- scm_solaris
- scm_win32.exe
- scminstall.jar
The scm_aix, scm_hp11, scm_linux, scm_linux390, scm_linuxppc, scm_solaris, scm_win32.exe and scminstall.jar files are the InstallShield executables and .jar file needed to install Tivoli Security Compliance Manager.
questions are provided by the installation, and a simple configuration is performed during installation to get you up and running quickly. In addition to the regular product installation package, a stand-alone ISMP client installation package is provided. This client-only installation is very similar to the regular product installation, but contains fewer screens. Differences between the regular and client-only installation packages are indicated throughout the installation procedure.
When you use ISMP to install the Tivoli Security Compliance Manager client, you will follow these steps regardless of your operating system:
1. Run the installation executable. The list of the platform-specific installation executables is located in Chapter 1, Installation overview, on page 1. A startup window for the Java Virtual Machine (JVM) is displayed while the JVM is loaded.
2. The Language Selection window is displayed. Select a language for the installation. Click OK.
3. The installation Welcome window is displayed. This window lists all the required information for each Tivoli Security Compliance Manager component; use the scroll bar to display the required information for the component you will be installing. Click Next.
   Note: This window is not displayed in the client-only installation.
4. The software license agreement is displayed. Accept the agreement and click Next to continue.
5. The Installation Directory Location window is displayed. The Tivoli Security Compliance Manager client code is installed in the /opt/IBM/SCM directory on UNIX-based platforms and the Linux platforms, and in the C:\Program Files\IBM\SCM directory on Windows. Enter a different installation location in this window if you do not want to use the default directory. Click Next.
   Note: If you have already installed another Tivoli Security Compliance Manager component, or are reinstalling the client, the Installation Directory Location window will not be displayed. The installation program will automatically install the client to the same location as the previously installed components.
6. The System Component Selection window is displayed. After the system component selection window opens, you will be able to continue your installation based on the system component you have selected. Select IBM Tivoli Security Compliance Manager Client and click Next.
   Note: This window is not displayed in the client-only installation.
7. For client installations on the HP-UX platform, the Java Runtime Location window is displayed. Enter the directory that contains the 1.3.1 JVM, and click Next.
8. The Client Communication Mode Configuration window is displayed. Enter the client connection port and the client communications mode. There are two communication modes:
   Push   A client that permits communication with the server to be initiated by either the client or the server.
   Pull   A client that permits communication with the server to be initiated by only the server.
   Defining a client as a push client permits communication with the server to be established by either the client or the server. In some network environments, however, inbound connections to the server might not be permitted. In these cases, defining the client as a pull client forces the server to initiate all communications with the client. Pull clients are generally needed when the server is located behind a firewall. To install a push client, select Push and click Next. To install a pull client, select Pull, click Next, and proceed to Step 11 on page 14.
9. The Server Communication Configuration window is displayed. Enter the Tivoli Security Compliance Manager server host name and connection port for server and client communications. Select the check box if the client has a dynamic IP address, or if the IP address or host name of the client changes frequently. Clear the check box if the client has a static IP address. Click Next to continue the installation.
10. For DHCP clients, the Client DHCP Configuration window is displayed. You can enter an optional DHCP client alias, or the system will use a default alias of the client host name. Click Next to continue the installation.
11. The Installation Summary window is displayed. This window displays the installation location, the system components to be installed, and the installation size. Click Next to begin the installation process.
12. An installation progress indicator is displayed in place of the summary window. After the installation has completed, a results window is displayed. Click Finish to exit the installation.
4. The Uninstallation Selection window is displayed. All installed Tivoli Security Compliance Manager system components are listed, and preselected, in this window. Select the Tivoli Security Compliance Manager system components to uninstall and click Next.
   Note: This window is not displayed in the client-only installation.
5. If you select to uninstall the server, the Confirm Keystore Deletion window is displayed. If you intend to reinstall the server and have your existing clients communicate without needing to be reinstalled, you must keep the keystore files currently being used for client-server communication. See the chapter on managing server keys and keystores in the IBM Tivoli Security Compliance Manager Administration Guide for instructions on using the administration console to create a backup of the server keys and keystores. Select the check box to delete the client-server communication keystore file if you have a backup copy or you do not intend to reinstall the server. Deselect the check box to leave the two files, server.jks and master.jks, in the INSTDIR/server/keystores directory and uninstall the server. Click Next to continue.
6. The Uninstallation Summary window is displayed. This window displays the directory location that the system components will be uninstalled from and the system components to be uninstalled. Click Next to begin the uninstallation process.
7. A progress indicator is displayed in place of the summary window. After the uninstallation has completed, a results window is displayed. Click Next.
8. The uninstall wizard might require you to restart your computer to complete the uninstallation process. Click Finish to exit the uninstallation program.
   Note: The uninstallation process on HP-UX systems will display a Next option on the final uninstallation panel instead of a Finish option. Selecting the Next option will complete the uninstall.
Note: The console mode uninstallation process on HP-UX systems will display a Next option on the final uninstallation panel instead of a Finish option. Selecting the Next option will complete the uninstall.
Silent install
Note: Before you begin, be aware that ISMP does not report any errors in silent mode. Therefore, if you type any of the options incorrectly, the installation will silently fail or respond unexpectedly. For example, if you are installing in /syslocal/tools/SCM and you were to type the command incorrectly, the component would still be installed and there would be no error message.
The InstallShield MultiPlatform tool provides the capability to create a template file that contains all possible responses. The tool also provides a record option that allows you to record the responses given when installing a particular system. Response files created using these techniques can be used to perform silent installations.
Note: When performing a silent install on a Windows system, the InstallShield program does not wait for the installation to complete before displaying an active command window. The install will still be in progress once the user prompt is displayed, so check to ensure that the installation is complete before using the command window.
In the examples given in this section, substitute one of the following for scm_platform: scm_aix, scm_hp11, scm_linux, scm_linux390, scm_linuxppc, scm_solaris, scm_win32.exe
To record a response file during an installation, enter the following command:
scm_platform -options-record filename
where filename is the path name of the file to which the recorded response data will be written.
Note: Using the -options-record option on the Solaris platform causes invalid error messages to be displayed. The options file that is created on Solaris can still be used for silent installation.
To generate a template file, enter the following command:
scm_platform -options-template filename
where filename is the path name of the file to which the template response data will be written. When the template generation successfully completes, you will receive the following message:
Options file filename was successfully created
The template file that is created must be edited using a text editor as follows:
- For options you want to set, remove the three comment characters (###) at the start of the option line.
- Replace value with the appropriate value for each uncommented option.
When you first perform a silent installation, use the -options-record option to generate a response file from an actual installation. This option allows you to familiarize yourself with the data variables that can be set and with the valid responses. After you are familiar with the data that must be provided in the response file, you might find the -options-template option, which provides a template file of all possible responses, to be useful.
After you have created a response file with the desired data input, you can use that file in a subsequent silent installation. For example, to perform a silent installation enter the following command:
scm_platform -silent -options filename
where filename is the path name of the file that contains the response data to be used.
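The following POSIX shell script is an added example and is not part of this manual or of the product. It works through the template editing described above: it takes a template in the shape -options-template produces (a constructed sample is embedded, since no installer runs here), uncomments the chosen options and fills in their values, refuses to proceed while any enabled option still carries the placeholder word value, and, after a real silent run, checks that the installation directory exists and is not empty, because ISMP reports no errors in silent mode. The option names -P installLocation, -W clientComm.port and -W clientComm.mode, the port number, and the SCM_LAUNCHER variable are assumptions made for this example; take the real option names from your own -options-template output.

```shell
#!/bin/sh
# Added example (not from the IBM manual): build a response file from an ISMP
# options template and check it, since ISMP is silent about mistakes.
set -eu

WORKDIR="${TMPDIR:-/tmp}/scm_silent_example"
mkdir -p "$WORKDIR"
TEMPLATE="$WORKDIR/scm_template.txt"
RESPONSE="$WORKDIR/scm_response.txt"

# Constructed sample template. Every option is commented out with "###" and
# carries the placeholder "value", as -options-template writes it. The option
# names are assumptions for this example only.
cat > "$TEMPLATE" <<'EOF'
# Installation location panel
### -P installLocation="value"
# Client communication mode panel
### -W clientComm.port="value"
### -W clientComm.mode="value"
EOF

# enable_option FILE OPTION VALUE
# Uncomment the line for OPTION and write VALUE in place of the placeholder.
# VALUE is passed through the environment so that backslashes in Windows
# paths and slashes in UNIX paths reach awk untouched.
enable_option() {
    SCM_OPT="$2" SCM_VAL="$3" awk '
        BEGIN { opt = ENVIRON["SCM_OPT"]; val = ENVIRON["SCM_VAL"] }
        index($0, "### " opt "=") == 1 { $0 = opt "=\"" val "\"" }
        { print }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# response_line FILE OPTION
# Print the enabled line for OPTION; prints nothing if the option is still
# commented out or not present at all.
response_line() {
    grep "^$2=" "$1" || true
}

# unresolved_options FILE
# Count enabled options whose value is still the literal placeholder. This
# must be 0 before -silent is run, otherwise the installer fails quietly.
unresolved_options() {
    grep -c '^-[PW] [^#]*="value"' "$1" || true
}

# verify_install_dir DIR
# After a silent run: succeed only if DIR exists and is not empty. A mistyped
# response file leaves nothing behind and prints no message.
verify_install_dir() {
    [ -d "$1" ] && [ -n "$(ls -A "$1")" ]
}

cp "$TEMPLATE" "$RESPONSE"
enable_option "$RESPONSE" "-P installLocation" "/syslocal/tools/SCM"
enable_option "$RESPONSE" "-W clientComm.port" "1950"   # constructed port value
enable_option "$RESPONSE" "-W clientComm.mode" "push"

if [ "$(unresolved_options "$RESPONSE")" -ne 0 ]; then
    echo "response file still contains placeholder values; not installing" >&2
    exit 1
fi

# The silent install itself, in the form the manual gives. It only runs when
# SCM_LAUNCHER names a platform launcher (for example scm_linux), so the
# script is safe to run on a machine without the product media.
if [ -n "${SCM_LAUNCHER:-}" ]; then
    "$SCM_LAUNCHER" -silent -options "$RESPONSE"
    verify_install_dir /syslocal/tools/SCM ||
        echo "installation directory missing or empty: check $RESPONSE" >&2
fi
```

Run it with sh; set SCM_LAUNCHER to the launcher for your platform when you are ready to perform the real installation. The placeholder count is the check that matters most: it catches exactly the class of typo the note at the top of this section warns about, before the installer has a chance to ignore it.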
Chapter 5. Troubleshooting
This chapter describes problems that you might encounter as you install and configure Tivoli Security Compliance Manager and it provides some solutions to these problems.
where scm_platform is one of the platform launchers for Tivoli Security Compliance Manager: scm_aix, scm_hp11, scm_linux, scm_linux390, scm_linuxppc, scm_solaris, scm_win32.exe. The @ALL parameter will log all installation events.
The ISMP installation program also stores information about the ISMP installed components in a vital product data file called vpd.properties. This file is found in various directories depending on the operating system, such as:
- Windows: %SystemRoot%\vpd.properties
- AIX: /usr/lib/objrepos/vpd.properties
- Linux: /root/vpd.properties
- HP-UX: /vpd.properties
- Solaris: /vpd.properties
Appendix. Notices
This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service. IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to: IBM Director of Licensing, IBM Corporation, 500 Columbus Avenue, Thornwood, NY 10594, U.S.A. For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to: IBM World Trade Asia Corporation Licensing, 2-31 Roppongi 3-chome, Minato-ku, Tokyo 106, Japan. The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION AS IS WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you. This information could include technical inaccuracies or typographical errors.
Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice. Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk. IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.
Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact: IBM Corporation, 2Z4A/101, 11400 Burnet Road, Austin, TX 78758, USA. Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee. The licensed program described in this information and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement, or any equivalent agreement between us. Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurements may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment. Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only. This information contains examples of data and reports used in daily business operations.
To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental. If you are viewing this information softcopy, the photographs and color illustrations may not appear.
Trademarks
The following terms are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both: AIX, DB2, IBM, IBM logo, Tivoli, Tivoli logo.
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.
Java and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries.
UNIX is a registered trademark of The Open Group in the United States and other countries.
Other company, product, and service names may be trademarks or service marks of others.
Glossary
collector. A software module that runs on a client system and gathers data. This data is subsequently sent to a server.
compliance query. An SQL query that extracts specific data from the server database and returns a list of clients that are in violation of specific security requirements.
delta table. A database table used for saving changed data from subsequent runs of a collector.
disinherit. To remove actions from a role that were originally copied from a template.
inherit. To copy actions to a role from a template.
policy. A set of one or more compliance queries used to demonstrate the level of adherence to specific security requirements.
policy bundle. A file containing the information associated with a policy, such as the compliance queries, the collectors, and the associated schedules. A policy bundle permits the policy to be saved and subsequently applied to other servers.
proxy relay. A special pull client that acts as a relay between the server and one or more clients. A proxy relay is used to reach a limited number of clients that are located behind a firewall, or that are in an IP-address range that is not directly addressable by the server.
pull client. A client that permits communication with the server to be initiated by only the server.
push client. A client that permits communication with the server to be initiated by either the client or the server.
snapshot. The result of running all of the compliance queries in a policy against a set of clients. A snapshot shows the number of violations and indicates what clients are not adhering to the security requirements being tested by the compliance queries.
Index
A
accessibility  vii
alternate temporary installation directory  27
C
CD layout  3
client installation  5
console mode installation  26
console mode uninstallation  22
I
installation
  console mode  26
  silent  25
  troubleshooting  27
  using an alternate temporary directory  27
installation prerequisites  1
installing client  5
InstallShield MultiPlatform uninstallation  17
P
product removal  17
R
reinstalling client  5
related publications  vi
S
silent install
  administration utilities  25
  client  25
  server  25
silent installation  25
software prerequisites  1
T
troubleshooting installation  27
U
uninstall
  console mode  22
  InstallShield MultiPlatform  17
uninstalling  17
Printed in USA