3.1 Traditional Change Guardian Server Installation

This section provides the following information:

3.1.1 Prerequisites

Ensure that your system meets the following:

  • Review the latest Change Guardian release notes to understand new features and known issues.

  • Review the System Requirements to understand the memory and CPU requirements.

  • FIPS mode is supported only for Change Guardian. Change Guardian is not supported if the operating system is in FIPS mode. Therefore, ensure that the operating system is not in FIPS mode.

  • NTP has synchronized your computer time with the network time.

  • The operating system for the Change Guardian server must include at least the Base Server components of the SLES server or the RHEL server. Change Guardian requires the 64-bit versions of the following RPMs:

    • bash

    • bc

    • curl

    • expect

    • coreutils

    • gettext

    • glibc

    • grep

    • libgcc

    • libstdc

    • lsof

    • net-tools

    • openssl

    • python-libs

    • samba-client

    • samba-common-libs

    • samba-common-tools

    • samba-libs

    • sed

    • tcl

    • zlib

    • fontconfig

    • dejavu-fonts

    • insserv-compat (applicable on SLES server)

    • pam-modules (available only when you install Legacy-Module on SLES server 15.x)

    • Packages applicable for installation on RHEL and SLES 15 SP2 command-line interface:

      • libX11

      • libXext

      • libXi

      • libXrender

      • libXtst

      • libwbclient

      • cups-libs

      • libtdb

      • libldb

      • gnutls

    • zlib (up to SLES 12.x and RHEL 7.x, 8.x)

    • python-libs (up to SLES 12.x and RHEL 7.x)

    • netstat (up to SLES 12.x and RHEL 7.x) or ss (for SLES 15 and later)

NOTE: If Change Guardian was previously installed, ensure that no files or system settings remain from that installation.
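The following script is an added example, not part of the product documentation, that checks the prerequisites above before the installer is run. It assumes that "64-bit" means the x86_64 architecture, and the package list is a subset to be extended; the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: pre-install checks for the prerequisites in section 3.1.1.
# Subset of the RPM list above; extend it with the remaining packages.
REQUIRED_PKGS="bash bc curl expect coreutils gettext glibc grep libgcc lsof net-tools openssl sed tcl fontconfig"

# stdin: "name arch" lines (format of the rpm query in preinstall_check).
# Prints every required package that is absent or not 64-bit.
# Assumptions: 64-bit means x86_64; noarch packages (fonts) are accepted.
missing_pkgs() {
    installed="$(cat)"
    for pkg in $1; do
        if ! printf '%s\n' "$installed" |
            awk -v p="$pkg" '$1 == p && ($2 == "x86_64" || $2 == "noarch") { ok = 1 } END { exit !ok }'
        then
            printf '%s\n' "$pkg"
        fi
    done
}

# Succeeds when the kernel FIPS flag file contains "1".
os_fips_enabled() {
    flag="${1:-/proc/sys/crypto/fips_enabled}"
    [ -r "$flag" ] && [ "$(cat "$flag")" = "1" ]
}

# stdin: `timedatectl status` output. Older systemd prints "NTP synchronized",
# newer systemd prints "System clock synchronized".
clock_synced() {
    grep -Eq '^[[:space:]]*(System clock|NTP) synchronized: yes'
}

preinstall_check() {
    rc=0
    missing="$(rpm -qa --qf '%{NAME} %{ARCH}\n' | missing_pkgs "$REQUIRED_PKGS")"
    if [ -n "$missing" ]; then
        echo "Missing or non-64-bit RPMs:" $missing; rc=1
    fi
    if os_fips_enabled; then
        echo "Operating system is in FIPS mode (unsupported)"; rc=1
    fi
    if ! timedatectl status 2>/dev/null | clock_synced; then
        echo "Clock is not NTP-synchronized"; rc=1
    fi
    return "$rc"
}

# Run the checks only when invoked with --run as the first argument.
if [ "${1:-}" = "--run" ]; then preinstall_check; fi
```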

3.1.2 Installing the Change Guardian Server

You can use either of the following methods to install Change Guardian server:

NOTE: If you change the IP address of the Change Guardian server, communication between the server and agent breaks down, and you must reconfigure the server to restore it. Therefore, consider using static IP addresses in your Change Guardian deployment.

Performing an Interactive Installation

This section provides information about standard and custom installation.

Standard Installation

Use the following steps to perform a standard installation:

To install the Change Guardian server:

  1. Download the Change Guardian installation file from the Downloads website.

  2. On the command line, log in as the root user and type the following command to extract the installation file:

    tar zxvf change_guardian-<version>.tgz

  3. Run the Change Guardian server installation program as root by typing the following command in the root of the extracted directory:

    ./install-changeguardian.sh

    NOTE: To see additional installation script options, run the command ./install-changeguardian.sh -h to display the Help.

    Or

    If you want to install Change Guardian on more than one system, you can record your installation options in a file. You can use this file for an unattended Change Guardian installation on other systems. To record your installation options, specify the following command: ./install-changeguardian.sh -r <response_filename>

  4. (Conditional) If NTP could not synchronize your computer time with the network time, make the required changes to the computer.

  5. (Conditional) If your system does not meet the recommended disk space, make the required changes to the computer.

    NOTE: Ensure that the disk has the recommended space for Change Guardian installation files. Allocate recommended space in /, /var/opt, and /opt.

  6. Specify the language as English, then press Enter. The end user license agreement is displayed in the selected language.

  7. Press the space bar to read the license agreement. You must scroll through the entire agreement before you can accept it.

  8. When prompted, select the standard configuration.

    The installation proceeds with an evaluation license key included with the installer. You can replace the evaluation license with a license key you purchased.

  9. Create an admin account password for global system administration.

    NOTE: While setting the admin password, only the following non-alphanumeric characters are allowed: ` ! @ $ ^ _ { } [ ] \ : " , . / ?

  10. Create a password for the cgadmin user.

    Use this account to log in to Policy Editor. cgadmin has administrative rights to monitor configurations.

    NOTE: The cgadmin, dbauser, and appuser accounts use this password.

  11. If you want to email reports, configure the default email host using the following information:

    • SMTP Host: The full name, including domain name, of the email server from which you want to send scheduled reports by email. Change Guardian server should be able to resolve the hostname.

    • SMTP Port: The remote SMTP port, where the default number is 25. Use port 587 for a secure connection.

    • From: The return email address.

    • SMTP User Name (Optional): The user name to connect to the SMTP server.

    • SMTP Password (Optional): The password that corresponds to the SMTP user name.

    • Secure Connection: The connection mechanism for STARTTLS protocol.

    NOTE: If you later decide to email reports and events, you must use the configure.sh script to update this configuration. For more information, see Configuring Email Server to Receive Email Alerts.

    1. (Conditional) If the SMTP server certificate is self-signed or is not signed by a well-known CA, such as VeriSign, you must import the certificate to the server trust-store. To import the self-signed certificate or CA certificate, complete the following steps:

      1. Download the certificate to the server.

      2. To store the certificate in activemqkeystore, run the following command on the server:

        /opt/novell/sentinel/jdk/jre/bin/keytool -import -alias <appropriate_alias> -keystore /etc/opt/novell/sentinel/config/.activemqkeystore.jks -file <certificate_file_path> -storepass password

      3. Restart the server:

        rcsentinel restart

After the Change Guardian server installation completes, the server starts. It might take a few minutes for all services to start after installation. Wait until the installation finishes and starts all services before you log in to the server.

To install the Change Guardian components, see Installing Change Guardian Components.

Custom Installation

To install the Change Guardian server:

  1. Download the Change Guardian installation file from the Downloads website.

  2. On the command line, log in as the root user and type the following command to extract the installation file:

    tar zxvf change_guardian-<version>.tgz

  3. To install from a custom path, specify the following command:

    ./install-changeguardian.sh --location=<custom_CG_directory_path>

    NOTE: This custom path must have 0755 permissions. Ensure that you allocate the recommended disk space in / and /home.

    Or

    If you want to install Change Guardian on more than one system, you can record your installation options in a file. You can use this file for an unattended Change Guardian installation on other systems. To record your installation options, specify the following command: ./install-changeguardian.sh --location=<custom_CG_directory_path> -r <response_filename>

  4. Specify the language as English, then press Enter. The end user license agreement is displayed in the selected language.

  5. Press the space bar to read the license agreement. You must scroll through the entire agreement before you can accept it.

  6. When prompted, select custom configuration, and provide the following information:

    Add a production license key: Installs a production web console license key

    Assign admin account password: Account for global administration of the system

    NOTE: While setting the admin password, only the following non-alphanumeric characters are allowed: ` ! @ $ ^ _ { } [ ] \ : " , . / ?

    Assign dbauser account password: Account for PostgreSQL database maintenance

    Assign appuser account password: Account for connections with PostgreSQL database at runtime

    Customize port assignments: Change the default ports used by the system

    NOTE: Changing the default database service port 5432 might cause Change Guardian to behave inconsistently.

    Configure LDAP authentication: Configure an LDAP user repository to handle authentication

    NOTE: Configuring FIPS using the custom configuration is currently not supported. For more information about configuring Change Guardian to run in FIPS mode, see Configuring FIPS 140-2.

  7. Create a password for the cgadmin user.

    Use this account to log in to the Policy Editor. This account has the privilege to administer monitoring configuration.

    NOTE: The cgadmin, dbauser, and appuser accounts use this password.

  8. Configure the default email host using the following information:

    • SMTP Host: The full name, including domain name, of the email server from which you want to send scheduled reports by email. Change Guardian server should be able to resolve the hostname.

    • SMTP Port: The remote SMTP port, where the default number is 25. Use port 587 for a secure connection.

    • From: The return email address.

    • SMTP User Name (Optional): The user name to connect to the SMTP server.

    • SMTP Password (Optional): The password that corresponds to the SMTP user name.

    • Secure Connection: The connection mechanism for STARTTLS protocol. Set the value to true if you want to configure SMTP server for STARTTLS.

    NOTE: If you later decide to email reports and events, you must use the configure.sh script to update this configuration.

    1. (Conditional) If the SMTP server certificate is self-signed or is not signed by a well-known CA, such as VeriSign, you must import the certificate to the server trust-store. To import the self-signed certificate or the CA certificate, complete the following steps:

      1. Download the certificate to the server.

      2. To store the certificate in activemqkeystore, run the following command on the server:

        /opt/novell/sentinel/jdk/jre/bin/keytool -import -alias <appropriate_alias> -keystore /etc/opt/novell/sentinel/config/.activemqkeystore.jks -file <certificate_file_path> -storepass password

      3. Restart the server by running the following command:

        rcsentinel restart

After the Change Guardian server installation completes, the server starts. It might take a few minutes for all services to start after installation. Wait until the installation finishes and all services start before you log in to the server.

To install the Change Guardian components, see Installing Change Guardian Components.

Performing a Silent Installation

The silent or unattended installation is useful if you need to install more than one Change Guardian instance in your deployment. You can record the installation parameters during the interactive installation and then run the recorded files on other systems.

Ensure that you have recorded the installation parameters to a file. For more information about creating the response file, see:

To enable FIPS 140-2 mode, ensure that the response file includes the following parameters:

  • ENABLE_FIPS_MODE

  • NSS_DB_PASSWORD
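Because a response file prepared for FIPS mode carries NSS_DB_PASSWORD, it is worth vetting before it is copied to other systems. The following check is an added example, not part of the product documentation; it assumes the response file stores options as KEY=value lines, and the function name and RESPONSE_UID variable are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: vet a recorded response file before a silent install.
# Assumption: the file stores options as KEY=value lines, one per line.

# $1 = response file; $2 = "fips" when FIPS 140-2 mode is intended.
# RESPONSE_UID is the expected owner uid (default 0, root).
# Prints each problem found and returns 1 if there is any.
check_response_file() {
    rf="$1"; want_fips="${2:-}"; problems=0
    [ -f "$rf" ] || { echo "not a regular file: $rf"; return 1; }

    # The file can carry NSS_DB_PASSWORD, so no group or other
    # permission bits should be set on it.
    mode="$(stat -c '%a' "$rf")"
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "mode $mode: accessible beyond the owner"; problems=1
    fi
    owner="$(stat -c '%u' "$rf")"
    if [ "$owner" != "${RESPONSE_UID:-0}" ]; then
        echo "owner uid $owner: expected ${RESPONSE_UID:-0}"; problems=1
    fi

    # Both parameters named above must be present, with a value, for FIPS.
    if [ "$want_fips" = "fips" ]; then
        for key in ENABLE_FIPS_MODE NSS_DB_PASSWORD; do
            grep -Eq "^${key}=.+" "$rf" || { echo "missing $key"; problems=1; }
        done
    fi
    return "$problems"
}
```

Call it as check_response_file <response_filename> fips before passing the same file to the installer with -u.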

To perform a silent installation:

  1. Download the installation files from the Downloads website.

  2. Log in as root to the server where you want to install Change Guardian.

  3. Specify the following command to extract the install files from the tar file:

    tar -zxvf change_guardian-<version>.tgz

  4. To install in silent mode, specify the following command:

    ./install-changeguardian.sh -u <response_filename>

    The installation proceeds with the values stored in the response file.

    After the installation finishes, you can log in to the server. To install the Change Guardian components, see Installing Change Guardian Components.

    NOTE: To see additional installation script options, run the command ./install-changeguardian.sh -h to display the Help.