10.2 Configuring an Authorized Requestor for Data Federation

You must first enable data federation on the authorized requestor server and then add data source servers to the authorized requestor server. You can add data source servers in the following ways:

  • If you know the administrator username and password for the data source server, add the data source server directly from the authorized requestor.

  • If you do not know the administrator username and password for a data source server, set up the authorized requestor with an opt-in password and share it with the data source server administrator. The administrator can use the opt-in password to add the data source server to the authorized requestor.

To generate a report about the health of agents on federated servers, see Agent Health on Federated Servers in the Change Guardian Online Help.

For troubleshooting tips, see Issues on Federated Servers.

10.2.1 Enabling Data Federation

To enable:

  1. Create a role with Proxy for Authorized Data Requestors permission in the data source server.

    For more information about configuring users and roles, see Configuring Roles and Users.

  2. On your requestor machine, click Administration > Integration > Change Guardian.

  3. In the Data Sources section, select Local server and other data sources.

  4. Do one of the following to add data source servers to your authorized requestor:

Configuring Data Federation in FIPS Mode

To allow distributed searches across multiple Change Guardian servers running in FIPS 140-2 mode, add or import certificates used for secure communication to the FIPS keystore.

Adding Certificates

To add:

  1. Log in to the distributed search source computer.

  2. Browse to the following certificate directory:

    cd /etc/opt/novell/sentinel/config/

  3. Copy the source certificate (sentinel.cer) to a temporary location on the requestor computer.

  4. Import the source certificate into the FIPS keystore of the requestor server.

    For more information about importing the certificate, see Importing certificates into the FIPS keystore database.

  5. Log in to the distributed search requestor computer.

  6. Browse to the following certificate directory:

    cd /etc/opt/novell/sentinel/config

  7. Copy the requestor certificate (sentinel.cer) to a temporary location on the source computer.

  8. Import the requestor system certificate into the FIPS keystore of the source server.

    For more information about importing the certificate, see Importing certificates into the FIPS keystore database.

Importing Certificates

To import:

  1. Copy the certificate file to any temporary location on the Change Guardian server or remote Collector Manager.

  2. Change the ownership of the certificate to the novell user:

    chown novell:novell /<path to certificate>

  3. Change the permission of the certificate:

    chmod 644 /<path to certificate>

  4. Switch to the novell user.

  5. Browse to the Sentinel bin directory.

    The default location is /opt/novell/sentinel/bin.

  6. Import the certificate into the FIPS keystore database, and then follow the on-screen instructions:

    ./convert_to_fips.sh -i <certificate file path>

  7. Enter yes or y when prompted to restart the Change Guardian server or remote Collector Manager.

10.2.2 Using the Administrator Credentials to Add a Data Source Server

If you are the administrator of the authorized requestor and you know the administrator username and password for the data source server, you can add the data source server while you are logged in to your authorized requestor server.

IMPORTANT: Ensure that the data source server that you add is able to communicate with the authorized requestor through TCP/IP. Use a ping command to ensure that the IP address or hostname of the data source server is accessible through firewalls or NATs. If there is a communication failure, an error is displayed in the extended status page. For more information, see Managing Search Results.

To add a data source server:

  1. Complete the steps in Enabling Data Federation.

  2. Click the Add a data source link.

  3. Specify the following information:

    IP Address/DNS Name: IP address or the DNS name of the data source server.

    Port: Port number of the data source server. The default port number is 8443. The data source server and authorized requestor do not need to be on the same port.

    User Name: Name of a user with administrator privileges.

    Password: Password associated with the username.

  4. Click Login, then click Accept after verifying that the certificate information is correct.

  5. Specify the following information to configure the data source server:

    Name: Specify a descriptive name to identify the data source server.

    Search Proxy Role: Select the search proxy role to assign to the authorized requestor. Only roles that have the Proxy for Authorized Requestors permission are listed; this permission is required for the data source server to accept and process incoming search requests from the authorized requestor server.

    When the authorized requestor makes search requests to the data source server, the security filter of the proxy role is used. Only those events that pass the security filter of the proxy role are returned to the authorized requestor server.

  6. Click OK.

    The server information is listed in the Data Sources list.

You can now search events, view event reports, and view alerts from the data source server. For more information, see Searching for Events, Running Reports in a Federated Setup, and Viewing Federated Alerts respectively.
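A pre-flight check that covers the IMPORTANT note above (TCP/IP reachability of the data source server) and the Accept step, where you are asked to verify the certificate information before trusting it (step 4 here, step 7 in the opt-in procedure). This is an added Python example, not part of the Change Guardian documentation or product; it assumes the default port 8443 and that the expected SHA-256 certificate fingerprint was obtained out of band from the data source server's administrator.

```python
import hashlib
import socket
import ssl

DEFAULT_PORT = 8443      # default Change Guardian port named on the page
CONNECT_TIMEOUT = 5.0    # seconds; assumption, tune for slow WAN links


def check_tcp_reachable(host, port=DEFAULT_PORT, timeout=CONNECT_TIMEOUT):
    """True if a TCP connection to host:port succeeds within timeout.

    Unlike ping, this confirms the actual service port is open through
    any firewall or NAT between requestor and data source server.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def sha256_fingerprint(der_bytes):
    """Colon-separated uppercase SHA-256 fingerprint of a DER certificate."""
    digest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_server_cert_der(host, port=DEFAULT_PORT, timeout=CONNECT_TIMEOUT):
    """Return the peer's leaf certificate in DER form.

    Chain verification is switched off on purpose: the server certificate
    is typically self-signed (sentinel.cer), and the point of this call is
    to obtain the fingerprint you compare against the value the remote
    administrator gave you, before clicking Accept in the UI.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def verify_data_source(host, expected_fingerprint, port=DEFAULT_PORT):
    """Return (reachable, fingerprint_matches, actual_fingerprint)."""
    if not check_tcp_reachable(host, port):
        return (False, False, None)
    actual = sha256_fingerprint(fetch_server_cert_der(host, port))
    return (True, actual == expected_fingerprint.upper(), actual)
```

If the fingerprint does not match the value the remote administrator supplied, do not click Accept; a mismatch means you are not talking to the server you expect, or its certificate has been replaced since the fingerprint was shared.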

10.2.3 Using the Opt-in Password to Add a Data Source Server

In organizations where administrative control of Change Guardian servers is decentralized, sharing the administrator password might violate the security policy. If you do not have the administrator password for the data source server, Change Guardian allows you to set an opt-in password on the authorized requestor server and then provide the opt-in password to the data source server administrators, which allows them to opt in to the authorized requestor server.

During the opt-in process, the authorized requestor and the data source server exchange the appropriate password, which allows the data source server to authenticate the search requests from the authorized requestor.

When a data source server opts in to the authorized requestor, a message is sent to the authorized requestor server requesting to be added to the list of data source servers. The authorized requestor requires an opt-in password to verify that the opt-in request has originated from a valid data source server. The request authorizes the authorized requestor to access data on the data source server.

Setting the Opt-In Password

To set the password:

  1. Complete the steps in Enabling Data Federation.

  2. Click Integration > Change Guardian.

  3. In the Data Sources section, select Local server and other data sources.

  4. Click Set Opt-in Password.

  5. Specify the opt-in password, then click Set Password.

  6. Continue with Allowing Access to an Authorized Requestor Server to add the data source server to the authorized requestor.

Allowing Access to an Authorized Requestor Server

To allow access:

  1. Log in to the data source server as an administrator.

  2. Click Integration > Change Guardian.

  3. From the Authorized Requestors section, check the Allow authorized requestors to access data from your server box.

  4. Click the Add link.

  5. Specify the following information:

    IP Address/DNS Name: The IP address or the DNS name of the authorized requestor.

    Port: Port number of the authorized requestor. This is the port number on which the authorized requestor listens for incoming opt-in requests. The default port number is 8443.

    Opt-in Password: The opt-in password that you configured on the authorized requestor. You must obtain this password from the administrator of the authorized requestor.

  6. Click OK.

  7. Verify the certificate information, then click Accept.

  8. Specify the following information to configure the data source server:

    Name: A descriptive name to identify the authorized requestor server.

    Search Proxy Role: A proxy role to assign to the authorized requestor.

    This permission is required for the data source server to accept and process incoming search requests from the authorized requestor server. When the authorized requestor makes search requests to the data source server, the security filter of the proxy role is used. Only those events that pass the security filter of the proxy role are returned to the authorized requestor server. Only roles that have the Proxy for Authorized Requestors permission are listed.

  9. Click OK.

    The authorized requestor is added to the Authorized Requestors list and is enabled by default.

    The data source server is also added to the Data Sources list on the authorized requestor server. If it does not appear immediately, click the Refresh link to see the data source server in the Data Sources list.