5.2 Configurations Using the Server Command Prompt

5.2.1 Configuring Memory Settings

The SHMMAX setting configures the maximum size, in bytes, of a shared memory segment for PostgreSQL. Desirable values for SHMMAX range from hundreds of megabytes to a few gigabytes.

To change the kernel SHMMAX parameter, append the following information to the /etc/sysctl.conf file:

# for Postgresql
kernel.shmmax=1073741824

NOTE: By default, SHMMAX is set to a low value in RHEL, so it is important to modify it when installing on this platform.

5.2.2 Configuring Server Date and Time Synchronization

To determine the current date and time configured on the Change Guardian server, run the following command:

    date -u

To synchronize the Change Guardian server date and time with an external time service, configure NTP.

5.2.3 Verifying Server Hostname

You have the option to install the Change Guardian server using a static IP address or a dynamic (DHCP) IP address mapped to a hostname. For the Change Guardian server to work correctly when configured with DHCP, ensure that the system returns its hostname correctly by using the following procedure:

  1. Verify the hostname configuration:

    cat /etc/HOSTNAME

  2. Check the server hostname setting:

    hostname -f

  3. Verify the DHCP configuration:

    cat /etc/sysconfig/network/dhcp

    NOTE: The DHCLIENT_HOSTNAME_OPTION setting should reflect the fully-qualified hostname of the Change Guardian server.

  4. Resolve the hostname to the IP address:

    nslookup FULLY_QUALIFIED_HOSTNAME

  5. Resolve the Change Guardian server hostname from a remote client by running the following command on the remote machine:

    nslookup FULLY_QUALIFIED_CHANGEGUARDIANSERVER_HOSTNAME
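The following script is an added example, not part of the Change Guardian documentation: it checks that the hostname sources from steps 1 to 3 (the /etc/HOSTNAME file, the output of hostname -f, and DHCLIENT_HOSTNAME_OPTION in the dhcp file) agree on a single fully qualified name. The file paths and the hostname -f result are passed as arguments, and the sample files written at the end are constructed for a stand-alone run.

```shell
#!/bin/sh
# Added example, not from the Change Guardian documentation: verifies that
# the hostname sources from steps 1-3 agree and that the name is an FQDN.
set -u

# is_fqdn NAME: 0 if NAME has at least two labels made of [A-Za-z0-9-],
# with no label starting or ending in '-' and no empty labels.
is_fqdn() {
    case "$1" in
        *.*) ;;          # needs at least one label separator
        *) return 1 ;;
    esac
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+$'
}

# dhcp_hostname_option DHCPFILE: prints the value of DHCLIENT_HOSTNAME_OPTION
# (quoted or unquoted); the last assignment wins, as it would for the shell.
dhcp_hostname_option() {
    sed -n 's/^DHCLIENT_HOSTNAME_OPTION="\{0,1\}\([^"]*\)"\{0,1\}$/\1/p' "$1" | tail -n 1
}

# check_hostname_config HOSTNAME_FILE DHCP_FILE REPORTED_FQDN
# REPORTED_FQDN is what `hostname -f` printed in step 2. Returns 0 when all
# three sources hold the same fully qualified name, 1 otherwise.
check_hostname_config() {
    configured=$(head -n 1 "$1" | tr -d '[:space:]')
    dhcp_opt=$(dhcp_hostname_option "$2")
    reported=$3
    is_fqdn "$configured" || { echo "$1 does not hold an FQDN: '$configured'"; return 1; }
    [ "$configured" = "$reported" ] || { echo "hostname -f ('$reported') differs from $1 ('$configured')"; return 1; }
    [ "$dhcp_opt" = "$configured" ] || { echo "DHCLIENT_HOSTNAME_OPTION ('$dhcp_opt') differs from '$configured'"; return 1; }
    echo "hostname configuration consistent: $configured"
}

# Constructed sample files standing in for /etc/HOSTNAME and
# /etc/sysconfig/network/dhcp; the hostname itself is made up.
TMP=$(mktemp -d)
printf 'cgserver.example.com\n' > "$TMP/HOSTNAME"
printf 'DHCLIENT_HOSTNAME_OPTION="cgserver.example.com"\n' > "$TMP/dhcp"
check_hostname_config "$TMP/HOSTNAME" "$TMP/dhcp" "cgserver.example.com"
```

On a real server, call check_hostname_config with /etc/HOSTNAME, /etc/sysconfig/network/dhcp and "$(hostname -f)"; the nslookup checks in steps 4 and 5 still have to be run separately.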

5.2.4 Configuring Email Servers

Complete the following steps to configure SMTP:

You can also configure email servers by using Policy Editor.

Configuring Email Server With Change Guardian in FIPS Mode

To configure:

  1. Export the certificate from the respective SMTP server site.

  2. Browse to the Sentinel bin directory. The default location is /opt/novell/sentinel/bin.

  3. Import the certificate by running the following command:

    ./convert_to_fips.sh -i <certificate_path>

    NOTE: If the certificate is not available in the current directory, /opt/novell/sentinel/bin, it is not added to the keystore database.

  4. Restart the Change Guardian server using the following command:

    rcsentinel restart

Configuring Email Server With Change Guardian in Non-FIPS Mode

To configure:

  1. Export the certificate from the respective SMTP server site.

  2. Import the certificate:

    /opt/novell/sentinel/jdk/jre/bin/keytool

    NOTE: If you have used a custom path for installation, modify the command accordingly.

  3. Restart the Change Guardian server:

    rcsentinel restart

5.2.5 Configuring Email Server to Receive Email Alerts

To receive alerts on emails, complete the following steps:

Adding Email Servers

To add email servers to Change Guardian server and change the default email host settings:

  1. Change directory:

    cd /opt/netiq/cg/scripts

  2. Set the email host settings:

    ./configure.sh udei --admin-account=<admin_account> --admin-password=<admin_account_password> --mail-host=<SMTP_hostname> --mail-port=<SMTP_port> --mail-from=<e-mail_address> --secure-connection=<true/false>

NOTE: To configure a secure connection with STARTTLS, set the following option:

--secure-connection=true

5.2.6 Configuring Security Settings

This section provides the following information:

Using CA Signed Certificates

You can replace the self-signed certificate with a certificate signed by a well-known CA, such as VeriSign, Thawte, or Entrust. You can also replace the self-signed certificate with a certificate digitally signed by a less common CA, such as a CA within your company or organization.

NOTE: There are many well-known CAs, and which CAs are most commonly used varies by country.

This section provides information about various certificates used in Change Guardian and instructions about configuring the TLS/SSL certificates to get them digitally signed by a CA:

Web Server Certificate

The web server certificate is used for the following purposes:

  • Securing web browser connections to the Change Guardian Main interface.

  • Establishing trust relationships for the REST API calls between Change Guardian instances. For example, it is used when configuring Data Federation.

Javos and Agent Manager

The Javos and Agent Manager certificates are used for the following purposes:

  • Javos certificates are used for accepting connections from Change Guardian Agents.

  • Agent Manager certificates are used for communication between Change Guardian agents and Agent Manager.

Configuring the TLS/SSL Certificates for Web Server

Configuring the TLS/SSL certificates involves the following steps:

Generating a Certificate Signing Request

To obtain a digitally signed certificate, you must first generate a certificate signing request (CSR), which is presented to the CA. To generate one or more CSRs, perform the following steps on the Change Guardian server:

  1. Log in to the Change Guardian server as the novell user.

  2. Create a certificate pair by using the following command:

    /opt/novell/sentinel/jdk/jre/bin/keytool -genkey -alias webserver -validity <days> -storetype JKS -keyalg RSA -keysize 2048 -storepass password -keypass password -keystore .webserverkeystore.jks -dname "CN=<certificate_common_name>,OU=<organization_unit>, O=<organization>, L=<city or town>, ST=<state>, C=<country>" -ext san=dns:<domain_name> && /opt/novell/sentinel/jdk/jre/bin/keytool -certreq -alias webserver -file .webserverkeystore.csr -keystore .webserverkeystore.jks -storepass password -ext san=dns:<domain_name>

The above command generates a CSR using the PKCS#10 format. The certificate signing requests are now saved in the specified file.

Getting the CSR Signed by the CA

  1. Submit the CSRs to the CA for signature.

  2. Obtain the signed certificate files from the CA.

The details of how this is done depend on the CA. For more information, consult your CA.

Importing the Digitally Signed Certificates into Change Guardian

Copy the files that contain the digital certificates signed by the CA to the Change Guardian server. If the files are signed by an enterprise or organizational CA rather than a well-known CA, you must also copy the CA's self-signed root certificate to the Change Guardian server. You must import the intermediate, root, and signed certificates.

You can specify the desired alias names for the intermediate and root certificates. However, the signed certificate must be imported with the same alias that was used while creating a certificate pair, which is webserver. The default keystore password is password. If you have changed the keystore password, specify the changed password.

To import the certificate files to the Change Guardian server:

  1. Log in to the Change Guardian server as the novell user.

  2. Back up the default self-signed certificate:

    cp /etc/opt/novell/sentinel/config/.webserverkeystore.jks /etc/opt/novell/sentinel/config/.webserverkeystore.jks_bkp

  3. Copy the CA signed certificate to the Sentinel server:

    cp <CA_signed_certificate> /etc/opt/novell/sentinel/config/.webserverkeystore.jks

  4. Import the intermediate certificate:

    /opt/novell/sentinel/jdk/jre/bin/keytool -importcert -alias <alias_name> -file /opt/cert/intermediate.pem -keystore /etc/opt/novell/sentinel/config/.webserverkeystore.jks -storepass <keystore_password>

  5. Import the root certificate:

    /opt/novell/sentinel/jdk/jre/bin/keytool -importcert -alias <alias_name> -file /opt/cert/root.pem -keystore /etc/opt/novell/sentinel/config/.webserverkeystore.jks -storepass <keystore_password>

  6. Import the signed certificate:

    /opt/novell/sentinel/jdk/jre/bin/keytool -importcert -alias webserver -file /opt/cert/signedcert.pem -keystore /etc/opt/novell/sentinel/config/.webserverkeystore.jks -storepass <keystore_password>

  7. (Optional) Verify whether all the certificates are imported successfully:

    /opt/novell/sentinel/jdk/jre/bin/keytool -list -keystore /etc/opt/novell/sentinel/config/.webserverkeystore.jks

  8. Restart Change Guardian:

    rcsentinel restart

Configuring the TLS/SSL Certificates for Javos and Agent Manager

You can use CA-signed certificates in place of the self-signed certificates provided by Change Guardian.

To replace the self-signed certificates on the server:

  1. Log in to the Change Guardian server as root.

  2. Switch user to novell.

  3. Back up the existing certs folder, which is located at /opt/netiq/cgutils/certs.

  4. Create a new certs folder at /opt/netiq/cgutils/.

  5. Copy the CA-signed certificates to /opt/netiq/cgutils/certs.

  6. Change the permission of the certs folder:

    chmod 700 /opt/netiq/cgutils/certs

  7. Rename the CA-signed certificate files as follows:

    • cgca-cert.pem: Root CA certificate

    • cgca-pk.pem: Private key

    • cgca-pk.pem.pass: Private key password

  8. Change the ownership of the CA-signed files:

    chown novell:novell /opt/netiq/cgutils/certs/*

  9. Go to the /opt/netiq/cgutils/bin directory and run the following command:

    ./cg_cert_setup.sh

    The required certificates are created in the /opt/netiq/cgutils/certs/ directory.

  10. Verify that the new certificates have the new CA name in the issuer field:

    • openssl x509 -in amsca-cert.pem -noout -text

    • openssl x509 -in javosca-cert.pem -noout -text

  11. Go to the /opt/netiq/ams/ams/bin directory, and run the following commands:

    ./ams_cert_setup.sh --setup --profile=ams_new_profile_name

    ./ams_cert_setup.sh --enable --profile=ams_new_profile_name

    NOTE: It is recommended that you do not change the default profile names; instead, create a profile with a new name.

  12. Confirm that the profile is enabled:

    ./ams_cert_setup.sh --show

  13. Go to the /opt/netiq/cg/javos/bin/ directory and run the following commands:

    ./javos_cert_setup.sh --setup --profile=javos_new_profile_name

    ./javos_cert_setup.sh --enable --profile=javos_new_profile_name

  14. Confirm that the profile is enabled:

    ./javos_cert_setup.sh --show

  15. (Conditional) If the Change Guardian server is in FIPS mode, run the following commands:

    /opt/netiq/ams/ams/bin/convert_to_fips.sh

    /opt/netiq/cg/javos/bin/convert_to_fips.sh

  16. (Optional) To test if the certificates are replaced successfully, remotely deploy an agent using Agent Manager and generate an event.

Applying Updates for Security Vulnerabilities in Embedded Third-Party Products

Change Guardian contains embedded third-party products such as JRE, Jetty, PostgreSQL, and ActiveMQ. Change Guardian releases include patches that address security vulnerabilities (CVEs) in these products.

The third-party products have their own release cycles and new CVEs might be discovered before a Change Guardian release. You must review the CVEs for each embedded third-party product and decide whether to apply these updates to your Change Guardian deployment before getting a corresponding Change Guardian patch from Micro Focus. If you decide to apply patches to address these CVEs, contact Technical Support.

5.2.7 Configuring FIPS 140-2

Change Guardian offers enhanced protection against security threats and compliance with United States federal government standards by supporting FIPS. Change Guardian leverages the FIPS 140-2 compliant features to meet the security requirements of United States federal agencies and customers with highly secure environments. Change Guardian is re-certified by Common Criteria at EAL3+ and provides FIPS 140-2 Inside.

Complete the following steps to configure FIPS:

To convert Change Guardian server:

  1. As the root user, ensure that Mozilla Network Security Services (NSS) and Mozilla NSS Tools are installed on the Change Guardian server.

  2. (Conditional) If you want to change the keystore password:

    1. At the Change Guardian server command prompt, switch to novell user.

    2. Change directory to <installation_directory>/opt/novell/sentinel/bin, and run the following command:

      ./chg_keystore_pass.sh

    Follow the on-screen prompts to change the web server keystore passwords. You need this password later during this procedure.

  3. Switch to root user.

  4. Change directory to <installation_directory>/opt/novell/sentinel/bin, and run the following command:

    ./convert_to_fips.sh

    1. Specify n to back up the server.

    2. Provide a password that meets the stated criteria. This password is required later during this procedure.

    3. Specify y to insert external certificates in the keystore database.

  5. Specify the path of the Elasticsearch certificate:

    <installation_directory>/opt/novell/sentinel/3rdparty/elasticsearch/config/http.pks

  6. Specify the alias name of the certificate.

  7. Specify y to restart the Sentinel server.

  8. Ensure that the file <installation_directory>/var/opt/novell/sentinel/log/server0.0.log contains the following entry:

    Date_Timestamp|INFO|JAVOS listener|com.netiq.cg.capi.dao.UpgradeDao.upgrade

    Upgrading EventDestination.Upgrade to fips compatible

    Date_Timestamp|INFO|JAVOS listener|com.netiq.cg.capi.dao.UpgradeDao.upgrade

    records updated=1 data={"service-host":"Server_Name","password":"Encrypted_Password","protocol":"vosrestdispatcher:rest

To convert javos services:

  1. Change directory to <installation_directory>/opt/netiq/cg/javos/bin, and run the following command:

    ./convert_to_fips.sh

    1. Provide the password for the FIPS keystore database (the password you created in Step 4.b).

    2. When prompted to restart the javos service, select y.

  2. Ensure that the following entry is present in the <installation_directory>/opt/netiq/cg/javos/log/javos.log file:

    Creating a FIPS SSL listener on 8094

To convert ams service:

  1. Change directory to <installation_directory>/opt/netiq/ams/ams/bin, and run the following command:

    ./convert_to_fips.sh

    1. Specify a password for the FIPS keystore database.

    2. When prompted to restart the Agent Manager service, select y.

  2. Ensure that the <installation_directory>/opt/netiq/ams/ams/log/ams.log file contains the following entry:

    INFO [Date_Timestamp,446] com.netiq.commons.security.FIPSProvider: Running in FIPS mode. Changing the SSL security provider from JSSE to FIPS. <installation_directory>/opt/netiq/ams/ams/security/nss
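The following script is an added example, not part of the Change Guardian documentation: it automates the three log checks in the server, javos, and ams procedures above by searching each log for the entry the procedure says must be present. The log file paths are arguments; the sample log lines written at the end are constructed for a stand-alone run (the ams sample line is not a real product message).

```shell
#!/bin/sh
# Added example, not from the Change Guardian documentation: checks the three
# log files for the FIPS conversion entries the procedures above tell you to
# look for. The sample log lines written below are constructed for the demo.
set -u

# Markers quoted from the procedures (server0.0.log, javos.log, ams.log).
SERVER_MARKER='Upgrading EventDestination.Upgrade to fips compatible'
JAVOS_MARKER='Creating a FIPS SSL listener on 8094'
AMS_MARKER='FIPSProvider: Running in FIPS mode'

# check_marker LOGFILE MARKER: 0 if MARKER occurs in LOGFILE, 1 otherwise.
# Fixed-string grep, so the dots in Java class names are not metacharacters.
check_marker() {
    [ -r "$1" ] || return 1
    grep -Fq -- "$2" "$1"
}

# fips_status SERVER_LOG JAVOS_LOG AMS_LOG: prints one line per component and
# returns the number of components whose conversion marker is missing.
fips_status() {
    missing=0
    for component in server javos ams; do
        case $component in
            server) log=$1; marker=$SERVER_MARKER ;;
            javos)  log=$2; marker=$JAVOS_MARKER ;;
            ams)    log=$3; marker=$AMS_MARKER ;;
        esac
        if check_marker "$log" "$marker"; then
            echo "$component: converted to FIPS ($log)"
        else
            echo "$component: NOT converted, marker missing in $log"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Constructed sample logs: server and javos converted, ams not yet.
TMP=$(mktemp -d)
cat > "$TMP/server0.0.log" <<'EOF'
2024-01-01 10:00:00|INFO|JAVOS listener|com.netiq.cg.capi.dao.UpgradeDao.upgrade
Upgrading EventDestination.Upgrade to fips compatible
EOF
printf '%s\n' 'Creating a FIPS SSL listener on 8094' > "$TMP/javos.log"
printf '%s\n' 'INFO [2024-01-01 10:00:01,446] Agent Manager started (constructed line)' > "$TMP/ams.log"

rc=0
fips_status "$TMP/server0.0.log" "$TMP/javos.log" "$TMP/ams.log" || rc=$?
echo "components still to convert: $rc"
```

On a real server, pass the actual paths under <installation_directory> (var/opt/novell/sentinel/log/server0.0.log, opt/netiq/cg/javos/log/javos.log, opt/netiq/ams/ams/log/ams.log) and treat a non-zero return as "conversion incomplete".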