Converting from Compact to Distributed Mode

If you previously installed ESM in compact mode, you can convert the system to distributed correlation mode.

It is important to plan the cluster before you convert your system. For information about cluster planning, see the ESM Installation Guide.

Before you start the conversion process, you must ensure that information repository instances will not run on the disk partition that contains /opt/arcsight. In a distributed correlation environment, running an information repository instance on the disk partition that contains /opt/arcsight leads to performance problems. To avoid these problems, you must create /var/opt/arcsight (as a directory or a symbolic link to a directory) on all of the cluster nodes before you upgrade ESM. If /var/opt/arcsight does not meet the requirements that are listed below, the upgrade program will generate an error and will not continue. During the upgrade, the upgrade program moves repository data to the partition that contains /var/opt/arcsight.

The /var/opt/arcsight directory (or the directory that it points to) must meet the following requirements:

Note: To convert from compact mode to distributed correlation mode, each server host name must resolve to an IP address for each cluster node. Otherwise, the conversion process will fail with an error message.
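
The following preflight script is an added example, not part of the ESM documentation or tooling. It checks only what this section states: /var/opt/arcsight is a directory or a link to one, it does not share a partition with /opt/arcsight, and every cluster node name resolves. The node names in the usage line are constructed placeholders, and GNU stat and getent are assumed.

```shell
#!/bin/sh
# Added example: pre-conversion checks to run on every cluster node.
# /opt/arcsight and /var/opt/arcsight come from the page; node names are
# arguments (the names in the usage line are constructed placeholders).
# Usage: sh preflight.sh esm-persistor.example.com esm-node2.example.com

# Succeeds if $1 is a directory or a symbolic link to a directory.
is_dir_or_link_to_dir() {
    [ -d "$1" ]    # -d follows symbolic links
}

# Prints the device id of the filesystem holding $1 (links followed).
# Assumes GNU coreutils stat.
fs_device() {
    stat -L -c '%d' "$1" 2>/dev/null
}

# Succeeds only if both paths exist and sit on different filesystems.
on_separate_partition() {
    dev_a=$(fs_device "$1") && dev_b=$(fs_device "$2") && [ "$dev_a" != "$dev_b" ]
}

# Succeeds if host name $1 resolves on this node (hosts file or DNS).
resolves() {
    getent hosts "$1" >/dev/null 2>&1
}

# Runs every check, prints one line per failure, returns non-zero on any.
# $1 = install dir, $2 = repository data dir, remaining args = node names.
preflight() {
    install_dir=$1; repo_dir=$2; shift 2; rc=0
    if ! is_dir_or_link_to_dir "$repo_dir"; then
        echo "FAIL: $repo_dir is not a directory or a link to one"; rc=1
    elif ! on_separate_partition "$install_dir" "$repo_dir"; then
        echo "FAIL: $repo_dir is not on a partition separate from $install_dir"; rc=1
    fi
    for node in "$@"; do
        resolves "$node" || { echo "FAIL: $node does not resolve"; rc=1; }
    done
    return "$rc"
}

# Run the checks only when node names are given on the command line.
if [ "$#" -gt 0 ]; then
    preflight /opt/arcsight /var/opt/arcsight "$@"
fi
```

Run it on each node with the full list of cluster node names; any FAIL line must be cleared before starting the conversion.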

To convert your system from compact mode to distributed correlation mode:

  1. Verify that all services are running:

    /etc/init.d/arcsight_services status
  2. Change to the arcsight user.

  3. Stop the ArcSight Manager:

    /etc/init.d/arcsight_services stop manager
  4. Change directory to /opt/arcsight/manager.

  5. Initialize distributed correlation mode:

    bin/arcsight initialize-distributed-mode
  6. Set up the information repository, using the option "Change the TCP Port Range for ESM Processes" to specify the port range:

    bin/arcsight reposetup

    For more information about reposetup, see the ESM Administrator's Guide.

  7. Run managersetup:

    bin/arcsight managersetup

    For more information about managersetup, see the ESM Administrator's Guide.

    Important: Do not start the ArcSight Manager after managersetup is complete.
  8. Initialize certificate administration and create a password for certificate administration:

    bin/arcsight certadmin -init

    For information about password restrictions, see the ESM Administrator's Guide.

  9. Add the version information for this node:

    /etc/init.d/arcsight_services setLocalBuildVersions
  10. If you need a distributed cache instance on the persistor node, run the following command:

    bin/arcsight dcachesetup

    For more information about dcachesetup, see the ESM Administrator's Guide.

  11. Add correlators or aggregators as needed on the persistor node:

    bin/arcsight correlationsetup

    For more information about correlationsetup, see the ESM Administrator's Guide.

The system is now in distributed correlation mode. For information about installing ESM on the remaining cluster nodes, see the ESM Installation Guide.

To complete configuration and bring up the services:

Note: Run these commands on the persistor node, as user arcsight, from the /opt/arcsight/manager directory.

  1. Set up passwordless SSH:

    /etc/init.d/arcsight_services sshSetup
  2. Review and approve all certificates:

    bin/arcsight certadmin -list submitted

    Review the output to verify that the certificates represent the nodes where the ArcSight Manager or correlation services were installed. To view the certificate details, use the -v option.

  3. After you confirm that the certificate list is correct, run the following command:

    bin/arcsight certadmin -approveall
  4. Stop all services:

    /etc/init.d/arcsight_services stop all
  5. Start the repository service:

    /etc/init.d/arcsight_services start repo
  6. Set up message bus control and message bus data:

    bin/arcsight mbussetup

    For more information about mbussetup, see the ESM Administrator's Guide.

  7. If you need additional repository instances, run the following command:

    bin/arcsight reposetup

    For more information about reposetup, see the ESM Administrator's Guide.

  8. (Conditional) If the compact system had certificate management enabled, perform the following steps:

    1. On the persistor node, shut down the repository instances:

      /etc/init.d/arcsight_services stop repo
    2. On each new node, run the following commands from the /opt/arcsight/manager directory:

      bin/arcsight keyadmin setup
      bin/arcsight keyadmin changePassword --store clientkeys
      bin/arcsight keyadmin changePassword --store managerkeys

      For each changePassword command, set a password that is at least 6 characters in length.

    3. On the persistor node, from the /opt/arcsight/manager directory, re-enable certificate management:

      bin/arcsight keyadmin initializeManagement
  9. Start all services, which will bring up services related to distributed correlation mode:

    /etc/init.d/arcsight_services start all
  10. Verify that all services are running:

    /etc/init.d/arcsight_services statusByNode