14.6 Post Upgrade Configuration

Verify that the following settings are complete:

14.6.1 Configuring LDAP

If you want to use secure LDAP connections on the previously configured AD server, you have to edit the existing settings.

Change Guardian does not support AD servers that are configured with either IP address or FQDN, and does not support AD user name in the following format: cn=users,dc=domain,dc=lab. After upgrading Change Guardian, edit the pre-configured AD servers by specifying the domain name as the Active Directory Server. Similarly, modify the user name with an administrator or a user that has access to the domain.

To edit:

  1. Open the following URL and click CONFIGURATION > LDAP CONNECTIONS:

    https://<IP_Address_Change_Guardian_server>:<port_number>

    The default port is 8443. You can use a custom port if Change Guardian was installed with custom configurations.

  2. Select the desired servers and edit the settings.

For more information about configuring LDAP, see Configuring LDAP for AD Browsing.

14.6.2 Re-indexing Event Data Partition

If indexing libraries are upgraded during the Change Guardian upgrade, the underlying data formats are also updated and the data cannot be searched. Therefore, all event data partitions in the system should be re-indexed so that they can be searched. If the partitions are not re-indexed after an upgrade, search results and reports show inconsistent data.

NOTE: Perform the re-indexing steps if you have upgraded from Change Guardian 5.2 or 6.0.

Re-indexing is required only for the existing event data partitions and not for the new incoming events.

You can re-index using one or both of the following methods:

Re-indexing Using the Web Console

  1. Open the following URL: https://<IP_Address_Change_Guardian_server>:<port_number>

    The default port is 8443. You can use a custom port if Change Guardian was installed with custom configurations.

  2. Open the ADMINISTRATION tab and click Storage > Event Partition Administration.

    NOTE: You can also open the Event Partition Administration page from the Change Guardian web console. Click the Event Partition Administration link in the warning message at the top of the page.

  3. Select either Primary Storage or Secondary Storage, depending on the type of event partition that you want to re-index.

  4. Select the event partitions to re-index, by clicking Date Range.

  5. Click Start Re-indexing.

    The approximate time required to complete the operation is displayed depending on the storage type and the event data time range selected.

After the re-indexing operation completes, all logs related to the operation are available in the following log file: <installation_directory>/var/opt/novell/sentinel/log/reindex0.0.log

Re-Indexing in the Offline Mode

You can also use a tool to re-index event data partitions in the offline mode. The tool uses a minimal number of resources and does not affect any of the existing processes. Re-indexing in the offline mode takes longer than re-indexing in the online mode.

You can run the tool outside the Change Guardian server. However, you must copy the Java files and the Change Guardian libraries folder to the machine from which you want to run the re-indexing tool.

Before you proceed, ensure that you have the following information:

  • The path to the folder where Java 1.8 is located. For a default installation, the path is:

    <installation_directory>/opt/novell/sentinel/jre/bin/java

  • The path to the folder where the Change Guardian libraries are present. For a default installation, the path is:

    <installation_directory>/opt/novell/sentinel/lib

  • The location of event data partitions. For a default installation, the path for primary partitions is:

    <installation_directory>/var/opt/novell/sentinel/data/eventdata/events/

To re-index:

  1. Log in to the Change Guardian server as root.

  2. Run the following command:

    <installation_directory>/opt/novell/sentinel/jdk/bin/java -cp /opt/novell/sentinel/lib/ccsapp-8.4.0.0-RELEASE.jar esecurity.ccs.comp.event.indexedlog.IndexedLogRebuild -forcerebuild <partition-directory>/<partition_ID>

    • -forcerebuild is an optional parameter. If this option is not specified, the tool creates a backup of the index folder and temporary files, which occupies additional disk space.

    • <partition-directory> refers to the path where all the partitions are present. You can add multiple IDs separated by space.

    • <partition_ID> refers to the ID of the partition in the following format: 20200428_6E1CCA35-4BD4-102D-91CD-000C2907C76D or 20200428_6E1CCA35-4BD4-102D-91CD-000C2907C76D_20200607

    If there is more than one partition, specify the IDs separated by space. You can also use wildcards for the ID, such as 202004*.

    For example, to re-index a single event data partition, specify the following command:

    <installation_directory>/opt/novell/sentinel/jdk/bin/java -cp /opt/novell/sentinel/lib/ccsapp-8.4.0.0-RELEASE.jar esecurity.ccs.comp.event.indexedlog.IndexedLogRebuild -forcerebuild /var/opt/novell/sentinel/data/eventdata/events/20200428_6E1CCA35-4BD4-102D-91CD-000C2907C76D

    For example, to re-index multiple event data partitions for April 2020, specify the following command:

    <installation_directory>/opt/novell/sentinel/jdk/bin/java -cp /opt/novell/sentinel/lib/ccsapp-8.4.0.0-RELEASE.jar esecurity.ccs.comp.event.indexedlog.IndexedLogRebuild -forcerebuild /var/opt/novell/sentinel/data/eventdata/events/202004*
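Because -forcerebuild skips the backup of the index folder, it helps to preview exactly which partitions an ID or wildcard selects before running the tool. The following shell functions are an added example, not part of the product or its documentation; the function names are hypothetical, and the ID pattern (date, UUID, optional trailing date) is an assumption generalized from the two sample IDs above.

```shell
# Added example: preview the partitions an ID pattern selects before re-indexing.
# is_partition_id and list_partitions are hypothetical helper names.

# Succeeds when $1 looks like <YYYYMMDD>_<UUID> or <YYYYMMDD>_<UUID>_<YYYYMMDD>
# (format assumed from the sample IDs in this section).
is_partition_id() {
    printf '%s\n' "$1" | grep -Eq \
        '^[0-9]{8}_[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}(_[0-9]{8})?$'
}

# Prints one matching partition ID per line; returns 1 when nothing matches.
#   $1 = partition directory
#   $2 = partition ID or wildcard, for example 202004*
list_partitions() {
    events_dir=${1%/}
    pattern=$2
    found=1
    # $pattern is left unquoted on purpose so the shell expands the wildcard.
    for path in "$events_dir"/$pattern; do
        [ -d "$path" ] || continue          # unmatched glob or a regular file
        id=${path##*/}
        if is_partition_id "$id"; then
            printf '%s\n' "$id"
            found=0
        else
            printf 'skipping (not a partition ID): %s\n' "$id" >&2
        fi
    done
    return "$found"
}

# Usage (path is the default primary partition location given above):
#   list_partitions /var/opt/novell/sentinel/data/eventdata/events '202004*'
```
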

14.6.3 Importing Certificates to FIPS Keystore Database

To import:

  1. Change directory to /opt/novell/sentinel/bin, and run the following command:

    ./convert_to_fips.sh -i <path_to_certificate>

    This command inserts the given certificate into the FIPS keystore database.

  2. For example: ./convert_to_fips.sh -i <installation_directory>/opt/novell/sentinel/3rdparty/elasticsearch/config/http.pks

  3. Specify the password for the FIPS keystore database.

  4. Specify the certificate alias.

  5. You must restart the Sentinel server after inserting certificate. Do you want to restart the Sentinel server now? yes/no [y] => yes

14.6.4 Updating the Keystore Password

The chg_keystore_pass.sh script allows you to change the keystore passwords. As a security best practice, change the keystore passwords immediately after upgrading Change Guardian.

NOTE: Do not perform this procedure if the Change Guardian server is in FIPS mode.

To change the keystore passwords:

  1. Log in to the Change Guardian server as root.

  2. Switch user to novell.

  3. Go to the /opt/novell/sentinel/bin directory.

  4. Run the chg_keystore_pass.sh script and follow the on-screen prompts to change the keystore passwords.

NOTE: When you upgrade Change Guardian to 5.1 or later and change the keystore database password with specific special characters, the following exception is displayed: Failed to initialize Communicator.

14.6.5 Setting the Polling Interval in Agent Manager

The heartbeat of Change Guardian Agent for Windows (displayed as Polling Interval) and Change Guardian Agent for UNIX (displayed as Heartbeat) determines the frequency at which the Change Guardian server checks the health of agents. It is also the interval at which any policy changes on the server are synced to agents. If you have fewer than 500 agents and have configured up to 15 policies per agent, consider setting Polling Interval to 15 minutes. If you have more than 500 agents or have configured more than 15 policies per agent, consider setting the interval to 60 minutes. This ensures that frequent exchange of policy and agent health data does not congest network traffic.

In Agent Manager, click Manage Installation > Reconfigure, and set the desired Polling Interval.

NOTE: This interval is referred to as Heartbeat in Policy Editor.

14.6.6 Upgrading Python

During a traditional Change Guardian upgrade, when the base operating system version changes, you must check the Python version after upgrading both Change Guardian and the operating system. Change Guardian requires a compatible version of the Python library to function properly and to ensure that the Change Guardian agents are upgraded successfully.

For example, consider that the base operating system changes from RHEL 6.10 to RHEL 7.9. If running the python -V command at the RHEL 6.10 server prompt shows that the Python version is 2.6.x, the same command shows 2.7.x after the upgrade to RHEL 7.9. Although the operating system is using Python 2.7.x, the Python shared object file (.so) might still be built on Python 2.6.x.

Prerequisite: Before planning to upgrade Python, check which Python version the plpython2.so file is built on:

ldd <installation_directory>/opt/novell/sentinel/3rdparty/postgresql/lib/postgresql/plpython2.so

If the output is as below, it indicates that this .so file is based on Python 2.6.x and you must upgrade Python after upgrading both Change Guardian and the operating system.

libpython2.6.so.1.0 => /usr/lib64/libpython2.6.so.1.0

If the output is as below, it indicates the .so file is not linked to a Python version, and you must upgrade Python after upgrading both Change Guardian and the operating system.

libpython2.6.so.1.0 => not found

To upgrade Python:

  1. Stop the Sentinel services:

    rcsentinel stop

  2. Change to the directory where the plpython2.so file is present:

    cd <installation_directory>/opt/novell/sentinel/3rdparty/postgresql/lib/postgresql

  3. Remove the existing .so file which is pointing to 2.6.x:

    rm plpython2.so

  4. Extract the Python 2.7.x .so file, which is present in <installation_directory>/opt/novell/sentinel/3rdparty/postgresql/lib/postgresql:

    tar zxf plpython2.7.so.tar.gz

  5. Set novell user permission on the file:

    chown novell:novell plpython2.so

  6. Verify that the file is pointing to the correct Python version:

    ldd <installation_directory>/opt/novell/sentinel/3rdparty/postgresql/lib/postgresql/plpython2.so

  7. Start the Sentinel services:

    rcsentinel start
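The ldd checks in the prerequisite and in step 6 can be scripted so that the result is read the same way before and after the upgrade. The following is an added example, not part of the product; classify_plpython and check_plpython are hypothetical helper names, and treating a resolved libpython2.7 entry as the expected result of step 6 is an assumption based on the 2.7.x version named above.

```shell
# Added example, not vendor code. Helper names are hypothetical.

# Reads `ldd` output on stdin and prints one verdict line.
classify_plpython() {
    awk '
        /libpython[0-9.]+\.so/ {
            ver = $1
            sub(/^libpython/, "", ver)   # e.g. 2.6.so.1.0
            sub(/\.so.*$/, "", ver)      # e.g. 2.6
            resolved = ($0 !~ /not found/)
            seen = 1
        }
        END {
            if (!seen)              print "unknown: no libpython dependency listed"
            else if (!resolved)     print "upgrade: libpython" ver " not found"
            else if (ver == "2.6")  print "upgrade: built on Python 2.6"
            else if (ver == "2.7")  print "ok: linked to Python 2.7"
            else                    print "unknown: linked to Python " ver
        }'
}

# Runs ldd on the plpython2.so path passed as $1 and classifies the result.
check_plpython() {
    ldd "$1" | classify_plpython
}

# The two outputs shown in the prerequisite check, fed through the classifier.
printf '\tlibpython2.6.so.1.0 => /usr/lib64/libpython2.6.so.1.0\n' | classify_plpython
printf '\tlibpython2.6.so.1.0 => not found\n' | classify_plpython
```

Both "upgrade" verdicts correspond to the cases in which the procedure above must be performed.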