Completing Optional Post-Upgrade Tasks

This section describes optional post-upgrade tasks. Ensure that the upgrade was successful before you perform these tasks.

To complete optional post-upgrade tasks:

  1. Archive backup files that the upgrade program created.

    The upgrade program creates backup files for rollback purposes. These files might contain outdated JREs and other components that include vulnerabilities. Security scanners can detect these vulnerabilities. To avoid issues with security scanners, you can archive these backup files and restore them if necessary.

    To archive the backup files, run the following script:

    /opt/arcsight/manager/bin/arcsight hide_obsolete_files

    The archive is created in /opt/arcsight. You can relocate the archive, but you must move it back to /opt/arcsight in order to restore it.

    If you need to revert to the previous version of ESM for any reason, you must restore the archive first. To restore the archive, run the following script:

    /opt/arcsight/manager/bin/arcsight hide_obsolete_files -u <archive name>

    For example, /opt/arcsight/manager/bin/arcsight hide_obsolete_files -u BLXXXX.

  2. Convert from compact mode to distributed correlation mode.

    For more information, see Converting from Compact Mode to Distributed Correlation Mode.

  3. Convert appliances to prefer IPv6.

    For more information, see Appliance: Converting to Prefer IPv6.

  4. Install the following packages:

    • ArcSight SocView

    • ArcSight ClusterView

    • Threat Intelligence Platform

    • Security Threat Monitoring

    For descriptions of these packages, see the ArcSight Administration and ArcSight System Standard Content Guide.

    ESM automatically installs content packages for new installations. However, when you upgrade, new packages are not automatically installed. You can install these packages from the ArcSight Console after the upgrade.

    For information about installing these packages, see the ArcSight Console User's Guide.

  5. Install NetFlow SmartConnectors.

    NetFlow events from the following SmartConnectors trigger NetFlow Monitoring content:

    • ArcSight IP Flow SmartConnector
    • ArcSight QoSient ARGUS SmartConnector

    These SmartConnectors are not installed with ESM. To use the NetFlow Monitoring content, install and configure these SmartConnectors. For information about obtaining the SmartConnectors, contact your sales representative.

  6. Install the ArcSight Platform.

    The ArcSight Platform enables you to visualize, identify, and analyze potential threats by incorporating intelligence from the multiple layers of security sources that might be installed in your security environment:

    • Real-time event monitoring and correlation with data from ESM
    • Analyzing end-user behavior with Interset

    To help you get started, the ArcSight Platform provides a Dashboard with a set of out-of-the-box widgets and dashboards. Users can organize the widgets into personalized dashboards.

    For information about deploying, configuring, and maintaining this product, see the Release Notes and the Administrator's Guide for the ArcSight Platform.

    Note: This release allows you to connect to a single ESM instance.

  7. If you want the ability to view Command Center from the ArcSight Platform, install ESM in the ArcSight Platform and then configure the ESM host in the ArcSight Platform. For more information, see the Administrator's Guide for the ArcSight Platform.

    This feature allows you to view Command Center from the ArcSight Platform without having to switch to the ESM host for Command Center. After you install ESM and configure the host in the ArcSight Platform, refresh the dashboard to display the Command Center menu in the ArcSight Platform. Click the menu to start Command Center. To go back to the ArcSight Platform dashboard from Command Center, use the ArcSight Platform menu from the Dashboard menu in Command Center.

  8. Configure Recon access.

    For more information, see Configuring Recon Access.

  9. Configure Transformation Hub access.

    For more information, see the applicable topic:

    • Configuring Transformation Hub Access - Non-FIPS Mode
    • Setting Up SSL Client-Side Authentication Between Transformation Hub and ESM - Non-FIPS Mode
    • Configuring Transformation Hub Access - FIPS Mode (Server Authentication Only)

  10. Configure integration with ServiceNow® IT Service Management (ITSM).

    For more information, see Configuring Integration with ServiceNow® IT Service Management (ITSM).

After you complete optional post-upgrade tasks, continue to Upgrading the ArcSight Console and Smart Connectors.

Converting from Compact Mode to Distributed Correlation Mode

If you previously installed ESM in compact mode, you can convert the system to distributed correlation mode.

It is important to plan the cluster before you convert your system. For information about cluster planning, see the ESM Installation Guide.

Before you start the conversion process, you must ensure that information repository instances will not run on the disk partition that contains /opt/arcsight. In a distributed correlation environment, running an information repository instance on the disk partition that contains /opt/arcsight leads to performance problems. To avoid these problems, you must create /var/opt/arcsight (as a directory or a symbolic link to a directory) on all of the cluster nodes before you upgrade ESM. If /var/opt/arcsight does not meet the requirements that are listed below, the upgrade program will generate an error and will not continue. During the upgrade, the upgrade program moves repository data to the partition that contains /var/opt/arcsight.

The /var/opt/arcsight directory (or the directory that it points to) must meet the following requirements:

Note: To convert from compact mode to distributed correlation mode, each server host name must resolve to an IP address for each cluster node. Otherwise, the conversion process will fail with an error message.

To convert your system from compact mode to distributed correlation mode:

  1. Verify that all services are running:

    /etc/init.d/arcsight_services status

  2. Change to the arcsight user.

  3. Stop the ArcSight Manager:

    /etc/init.d/arcsight_services stop manager

  4. Change directory to /opt/arcsight/manager.

  5. Initialize distributed correlation mode:

    bin/arcsight initialize-distributed-mode

  6. Set up the information repository, using the option Change the TCP Port Range for ESM Processes to specify the port range:

    bin/arcsight reposetup

    For more information about reposetup, see the ESM Administrator's Guide.

  7. Run managersetup:

    bin/arcsight managersetup

    For more information about managersetup, see the ESM Administrator's Guide.

    Important: Do not start the ArcSight Manager after managersetup is complete.

  8. Initialize certificate administration and create a password for certificate administration:

    bin/arcsight certadmin -init

    For information about password restrictions, see the ESM Administrator's Guide.

  9. Add the version information for this node:

    /etc/init.d/arcsight_services setLocalBuildVersions

  10. If you need a distributed cache instance on the persistor node, run the following command:

    bin/arcsight dcachesetup

    For more information about dcachesetup, see the ESM Administrator's Guide.

  11. Add correlators or aggregators as needed on the persistor node:

    bin/arcsight correlationsetup

    For more information about correlationsetup, see the ESM Administrator's Guide.

The system is now in distributed correlation mode. For information about installing ESM on the remaining cluster nodes, see the ESM Installation Guide.

To complete configuration and bring up the services:

Note: Run these commands on the persistor node, as user arcsight, from the /opt/arcsight/manager directory.

  1. Set up passwordless SSH:

    /etc/init.d/arcsight_services sshSetup

  2. Review and approve all certificates:

    bin/arcsight certadmin -list submitted

    Review the output to verify that the certificates represent the nodes where the ArcSight Manager or correlation services were installed. To view the certificate details, use the -v option.

  3. After you confirm that the certificate list is correct, run the following command:

    bin/arcsight certadmin -approveall

  4. Stop all services:

    /etc/init.d/arcsight_services stop all

  5. Start the repository service:

    /etc/init.d/arcsight_services start repo

  6. Set up message bus control and message bus data:

    bin/arcsight mbussetup

    For more information about mbussetup, see the ESM Administrator's Guide.

  7. If you need additional repository instances, run the following command:

    bin/arcsight reposetup

    For more information about reposetup, see the ESM Administrator's Guide.

  8. Start all services, which will bring up services related to distributed correlation mode:

    /etc/init.d/arcsight_services start all

  9. Verify that all services are running:

    /etc/init.d/arcsight_services statusByNode

Appliance: Converting to Prefer IPv6

After the upgrade, you can convert your ESM appliance to a pure IPv6 network configuration and convert ESM to prefer using IPv6, or convert the appliance to a dual stack configuration.

Note: You will need to re-register any connectors that are registered on the appliance after you complete the conversion. The IPv4 IP address will change to a host name and the ArcSight Manager certificate will be regenerated.

To convert an appliance to use IPv6:

  1. As user root or arcsight, stop all services:

    /etc/init.d/arcsight_services stop all

  2. As user root or arcsight, confirm that all services are stopped:

    /etc/init.d/arcsight_services status all

  3. As user root, run the network configuration script and select IPv6 or Dual Stack to change the operating system's network configuration:

    /opt/arcsight/services/bin/scripts/nw_reconfig.py

  4. Reboot the system.

  5. As user root, edit the /etc/hosts file and comment out the line that maps an IPv4 address to a host name, if present.

  6. As user root, stop the Manager service:

    /etc/init.d/arcsight_services stop manager

  7. As user arcsight, run managersetup again:

    /opt/arcsight/manager/bin/arcsight managersetup

  8. Change the preferred IP protocol to IPv6 and change the host name to the host name of the appliance's IPv6 address.

  9. Regenerate the ArcSight Manager certificate.

  10. As user root, start the ArcSight Manager:

    /etc/init.d/arcsight_services start all

Configuring Recon Access

This section describes how to configure ESM to access Recon.

Note: ESM 7.5 requires Recon 1.1.0.

To configure ESM access to Recon:

  1. As user arcsight, stop the ArcSight Manager services:

    /etc/init.d/arcsight_services stop manager

  2. As user arcsight, from the /opt/arcsight/manager/bin directory, start the managersetup wizard:

    ./arcsight managersetup -i console

    Advance through the wizard until you reach the Recon screen.

  3. Specify the search URL for the Recon deployment.
  4. Advance through the wizard and complete the configuration.

    For more information about managersetup, see the ESM Administrator's Guide.

  5. As user arcsight, restart the ArcSight Manager:

    /etc/init.d/arcsight_services start all

Configuring Transformation Hub Access - Non-FIPS Mode

This section describes how to configure ESM to access Transformation Hub when FIPS mode is not enabled.

To configure ESM access to Transformation Hub in non-FIPS mode:

  1. As user arcsight, stop the ArcSight Manager:

    /etc/init.d/arcsight_services stop manager

  2. As user arcsight, from the /opt/arcsight/manager/bin directory, run the following command to start the managersetup wizard:

    ./arcsight managersetup -i console

    Advance through the wizard until you reach the Transformation Hub screen.

  3. Provide the following information:

    1. Specify the host name or IP address and port information for the nodes in Transformation Hub. Include the host and port information for all nodes and not just the master node. Use a comma-separated list (for example: <host>:<port>,<host>:<port>).

      Note: You must specify the host name and not the IP address.

      Transformation Hub can only accept IPv4 connections from ESM.

      If the Kafka cluster is configured to use SASL/PLAIN authentication, ensure that you specify the port configured in the cluster for the SASL_SSL listener.

    2. Specify the topics in Transformation Hub from which you want to read. These topics determine the data source.

      For more information, see the Administrator's Guide for the ArcSight Platform.

      Note: You can specify up to 25 topics using a comma-separated list (for example: topic1,topic2).

    3. Import the Transformation Hub root certificate to ESM's client truststore.

      Transformation Hub maintains its own certificate authority (CA) to issue certificates for individual nodes in the Transformation Hub cluster. ESM needs that CA certificate in its truststore so that it will trust connections to Transformation Hub. For information about obtaining the certificate, see the information about viewing and changing the certificate authority in the Administrator's Guide for the ArcSight Platform. You might need to contact the Transformation Hub administrator to obtain the CA certificate if you do not have sufficient privileges to access the Transformation Hub cluster.

      On the Transformation Hub server, run /opt/arcsight/kubernetes/scripts/cdf-updateRE.sh > /tmp/ca.crt to write the Transformation Hub root certificate to /tmp/ca.crt, then copy that file to a local folder on the ESM server. After you provide the path to the certificate, the wizard imports the Transformation Hub root certificate into ESM's client truststore.

    4. If the Kafka cluster is not configured to use SASL/PLAIN authentication, leave the authentication type as None. If the Kafka cluster is configured to use SASL/PLAIN authentication, select SASL/PLAIN as the authentication type.

    5. If you selected SASL/PLAIN as the client authentication type, specify the user name and password for authenticating to Kafka.

    The wizard validates the connection to Transformation Hub. If there are any issues, you will receive an error or warning message. If the wizard does not generate error or warning messages and you are able to advance to the next screen, the connection is valid.

  4. Advance through the wizard and complete the configuration.

    For more information about managersetup, see the ESM Administrator's Guide.

  5. As user arcsight, restart the ArcSight Manager:

    /etc/init.d/arcsight_services start all

  6. To verify that the connection to Transformation Hub is working, look for the line Transformation Hub service is initialized in server.std.log.

Setting Up SSL Client-Side Authentication Between Transformation Hub and ESM - Non-FIPS Mode

Before setting up client-side authentication with Transformation Hub, you must import the Transformation Hub root certificate into the ESM truststore.

Transformation Hub maintains its own certificate authority (CA) to issue certificates for individual nodes in the Transformation Hub cluster. ESM needs that CA certificate in its truststore so that it will trust connections to Transformation Hub. For information about obtaining the certificate, see the information about viewing and changing the certificate authority in the Administrator's Guide for the ArcSight Platform. You might need to contact the Transformation Hub administrator to obtain the CA certificate if you do not have sufficient privileges to access the Transformation Hub cluster.

To import the Transformation Hub root certificate into the ESM truststore:

Note: Before completing the steps below, verify whether the Transformation Hub root certificate has previously been imported into ESM. If it has, you do not need to re-import it.

  1. On the Transformation Hub server, run /opt/arcsight/kubernetes/scripts/cdf-updateRE.sh > /tmp/ca.crt to write the root certificate to /tmp/ca.crt, then copy that file to a location on the ESM server.

  2. Use the keytool command to import the root CA certificate into the ESM truststore:

    /opt/arcsight/manager/bin/arcsight keytool -store clientcerts -importcert -file <absolute path to certificate file> -alias <alias for the certificate>

    For example:

    /opt/arcsight/manager/bin/arcsight keytool -store clientcerts -alias alias1 -importcert -file /tmp/ca.crt

To enable client-side authentication between Transformation Hub and ESM:

  1. Obtain your company's root CA certificate, an intermediate certificate, and key pair and place them in /tmp with the following names:

    • /tmp/intermediate.cert.pem
    • /tmp/intermediate.key.pem
    • /tmp/ca.cert.pem
  2. Verify that Transformation Hub is functional and that client authentication is configured.
  3. As user arcsight, stop the ArcSight Manager:

    /etc/init.d/arcsight_services stop manager

  4. If /opt/arcsight/manager/config/client.properties does not exist, create it using an editor of your choice.

  5. Change the store password for the keystore, keystore.client, which has an empty password by default. This empty password interferes with the certificate import.

  6. Run the following commands to update the empty password of the generated key services-cn in the keystore to be the same password as that of the keystore itself:

    /opt/arcsight/manager/bin/arcsight keytool -store clientkeys -storepasswd -storepass ""

    When prompted, enter the same password that you entered for the store password:

    /opt/arcsight/manager/bin/arcsight keytool -store clientkeys -keypasswd -keypass "" -alias services-cn

  7. Run the following command to update the password in config/client.properties:

    /opt/arcsight/manager/bin/arcsight changepassword -f config/client.properties -p ssl.keystore.password

  8. Generate the keypair and certificate signing request (.csr) file. When generating the keypair, enter the fully-qualified domain name of the ArcSight Manager host as the common name (CN) for the certificate.

    Run the following commands:

    /opt/arcsight/manager/bin/arcsight keytool -store clientkeys -genkeypair -dname "cn=<your host's fully-qualified domain name>, ou=<your organization>, o=<your company>, c=<your country>" -keyalg rsa -keysize 2048 -alias ebkey -startdate -1d -validity 366
    /opt/arcsight/manager/bin/arcsight keytool -certreq -store clientkeys -alias ebkey -file ebkey.csr

    where ebkey.csr is the output file in which the .csr is stored.

  9. Sign the .csr with the Transformation Hub root certificate. On the Transformation Hub server, the root certificate is located at /opt/arcsight/kubernetes/ssl/intermediate.cert.pem and the key is called ca.key.

    Run the following command on either the Transformation Hub server or a different server with a functional openssl (as long as you have the intermediate.cert.pem and intermediate.key.pem available):

    openssl x509 -req -CA ${INTERMEDIATE_CA_CRT} -CAkey ${INTERMEDIATE_CA_KEY} -in <full path to the esm csr> -out <full path and file name for storing the generated cert> -days 3650 -CAcreateserial -sha256

    For example:

    openssl x509 -req -CA /tmp/intermediate.cert.pem -CAkey /tmp/intermediate.key.pem -in /tmp/ebkey.csr -out /tmp/signedIntermediateEBkey.crt -days 3650 -CAcreateserial -sha256

    You must specify all file locations with the full path.

  10. Import the intermediate certificate from Transformation Hub into the ESM client truststore:

    /opt/arcsight/manager/bin/arcsight keytool -store clientcerts -alias <alias for the certificate> -importcert -file <absolute path to certificate file>

    For example:

    /opt/arcsight/manager/bin/arcsight keytool -store clientcerts -alias ebcaroot -importcert -file /tmp/intermediate.cert.pem

  11. On the ESM server, run the following command to import the signed certificate (the -out parameter in the above openssl command):

    /opt/arcsight/manager/bin/arcsight keytool -store clientkeys -alias ebkey -importcert -file <path to signed cert> -trustcacerts

    For example:

    /opt/arcsight/manager/bin/arcsight keytool -store clientkeys -alias ebkey -importcert -file /tmp/signedIntermediateEBkey.crt -trustcacerts

  12. To verify that the configuration is complete and that the connection to Transformation Hub is valid, run managersetup and ensure that there are no errors.

  13. Start the ArcSight Manager:

    /etc/init.d/arcsight_services start all
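
The signing and trust steps above (8 through 11), reproduced as an added example that is not part of the ArcSight documentation: it builds a constructed root and intermediate CA with plain openssl in place of your company's CA files, issues a CSR with the Manager FQDN as CN, signs it with the same openssl x509 -req command as step 9, and then checks the result (chain, CN, validity) before it would be imported with arcsight keytool in step 11. The WORK directory, the FQDN esm.example.com and the check_signed_cert function are assumptions.

```shell
#!/bin/sh
# Added example, not part of the ArcSight documentation. Reproduces the
# CSR-signing step of this procedure with a constructed (throwaway) root and
# intermediate CA, then checks the signed certificate before it goes into the
# ESM clientkeys store. $WORK, $FQDN and check_signed_cert are assumptions.
set -eu
WORK=${WORK:-$(mktemp -d)}
FQDN=${FQDN:-esm.example.com}   # assumed; use the Manager host's real FQDN

# 1. Constructed stand-ins for /tmp/ca.cert.pem, /tmp/intermediate.cert.pem
#    and /tmp/intermediate.key.pem from step 1 of the procedure.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
  -subj "/CN=Demo Root CA" \
  -keyout "$WORK/ca.key.pem" -out "$WORK/ca.cert.pem" 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
  -keyout "$WORK/intermediate.key.pem" -out "$WORK/intermediate.csr" 2>/dev/null
# An intermediate must carry CA:TRUE, or chain verification rejects it.
printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' \
  > "$WORK/intermediate.ext"
openssl x509 -req -in "$WORK/intermediate.csr" \
  -CA "$WORK/ca.cert.pem" -CAkey "$WORK/ca.key.pem" -CAcreateserial \
  -days 3650 -sha256 -extfile "$WORK/intermediate.ext" \
  -out "$WORK/intermediate.cert.pem" 2>/dev/null

# 2. ESM side (step 8): key pair and CSR with the Manager FQDN as the CN,
#    done with plain openssl here instead of "arcsight keytool".
openssl req -newkey rsa:2048 -nodes \
  -subj "/CN=$FQDN/OU=SOC/O=Example Corp/C=US" \
  -keyout "$WORK/ebkey.key.pem" -out "$WORK/ebkey.csr" 2>/dev/null

# 3. Sign with the intermediate, exactly as in step 9.
openssl x509 -req -CA "$WORK/intermediate.cert.pem" \
  -CAkey "$WORK/intermediate.key.pem" -in "$WORK/ebkey.csr" \
  -out "$WORK/signedIntermediateEBkey.crt" -days 3650 -CAcreateserial -sha256 2>/dev/null

# check_signed_cert <signed cert> <intermediate cert> <root cert> <expected CN>
# Returns 0 when the certificate chains to the root through the intermediate,
# carries the expected CN and is not expired; 1, 2 or 3 otherwise. Run it
# before the keytool -importcert of step 11, so a certificate signed by the
# wrong CA or issued for the wrong host never lands in the keystore.
check_signed_cert() {
  openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1 || return 1
  openssl x509 -in "$1" -noout -subject | grep -q "CN *= *$4" || return 2
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1 || return 3
  return 0
}

if check_signed_cert "$WORK/signedIntermediateEBkey.crt" \
     "$WORK/intermediate.cert.pem" "$WORK/ca.cert.pem" "$FQDN"; then
  echo "signed certificate OK for $FQDN (files in $WORK)"
else
  echo "signed certificate FAILED check (code $?)" >&2
fi
```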

Configuring Transformation Hub Access - FIPS Mode (Server Authentication Only)

This section describes how to configure ESM to access Transformation Hub when FIPS mode is enabled. FIPS 140-2 is the only supported FIPS mode.

To configure ESM access to Transformation Hub in FIPS Mode:

  1. As user arcsight, stop the ArcSight Manager:

    /etc/init.d/arcsight_services stop manager
  2. On the Transformation Hub server, run /opt/arcsight/kubernetes/scripts/cdf-updateRE.sh > /tmp/ca.crt to write the root certificate to /tmp/ca.crt, then copy that file to a location on the ESM server.

  3. Use the keytool command to import the root CA certificate into the ESM client truststore:

    /opt/arcsight/manager/bin/arcsight keytool -store clientcerts -importcert -file <absolute path to certificate file> -alias <alias for the certificate>

  4. As user arcsight, run the following command from the /opt/arcsight/manager/bin directory to start the managersetup wizard:

    ./arcsight managersetup -i console

  5. Provide the following information:

    Note: You do not need to provide the path to the Transformation Hub root certificate, as it has already been imported.

    1. Specify the host name or IP address and port information for the nodes in Transformation Hub. Include the host and port information for all nodes and not just the master node. Use a comma-separated list (for example: <host>:<port>,<host>:<port>).

      Note: You must specify the host name and not the IP address.

      Transformation Hub can only accept IPv4 connections from ESM.

      If the Kafka cluster is configured to use SASL/PLAIN authentication, ensure that you specify the port configured in the cluster for the SASL_SSL listener.

    2. Specify the topics in Transformation Hub from which you want to read. These topics determine the data source.

      For more information, see the Administrator's Guide for the ArcSight Platform.

      Note: You can specify up to 25 topics using a comma-separated list (for example: topic1,topic2).

    3. If the Kafka cluster is not configured to use SASL/PLAIN authentication, leave the authentication type as None. If the Kafka cluster is configured to use SASL/PLAIN authentication, select SASL/PLAIN as the authentication type.

    4. If you selected SASL/PLAIN as the client authentication type, specify the user name and password for authenticating to Kafka.

    The wizard validates the connection to Transformation Hub. If there are any issues, you will receive an error or warning message. If the wizard does not generate error or warning messages and you are able to advance to the next screen, the connection is valid.

  6. Advance through the wizard and complete the configuration.

    For more information about managersetup, see the ESM Administrator's Guide.

  7. As user arcsight, restart the ArcSight Manager:

    /etc/init.d/arcsight_services start all

  8. To verify that the connection to Transformation Hub is working, look for the line Transformation Hub service is initialized in server.std.log.

Configuring Integration with ServiceNow® IT Service Management (ITSM)

This section describes how to integrate with ServiceNow® IT Service Management (ITSM) after completing the upgrade.

To configure ESM to integrate with ServiceNow® ITSM:

  1. As user arcsight, stop the ArcSight Manager services:

    /etc/init.d/arcsight_services stop manager

  2. As user arcsight, from the /opt/arcsight/manager/bin directory, run the following command to start the managersetup wizard:

    ./arcsight managersetup -i console

    Advance through the wizard until you reach the ServiceNow® ITSM screen.

  3. Specify the ServiceNow® URL and, optionally, the ServiceNow® proxy URL.

  4. If you want to use a global ID to authenticate connections to ServiceNow, click Yes, and then specify the user name and password.

  5. Advance through the wizard and complete the configuration.

    For more information about managersetup, see the ESM Administrator's Guide.

  6. As user arcsight, restart the ArcSight Manager:

    /etc/init.d/arcsight_services start all