15.7 Post Upgrade Configuration

15.7.1 Enabling Proxy Settings

Proxy servers act as intermediaries between client applications and other servers. In an enterprise setting, proxy servers provide control over the content consumed by the users across network boundaries.

To enable proxy settings:

  1. Add the following properties to the <Install Directory>/etc/opt/novell/sentinel/config/server-custom.conf file, each as a wrapper.java.additional.<number> entry:

    • -Dhttps.proxyHost=<proxy server IP address or hostname>

    • -Dhttps.proxyPort=<proxy port number>

    After adding these properties, the server-custom.conf file looks like the following example:

    # Custom Server Properties
    # Custom Java additional properties should start from 101
    wrapper.java.additional.101=-Dhttps.proxyHost=192.168.0.1
    wrapper.java.additional.102=-Dhttps.proxyPort=3128

    NOTE: If you are using an HTTP proxy server, use -Dhttp.proxyHost and -Dhttp.proxyPort instead of -Dhttps.proxyHost and -Dhttps.proxyPort when editing the file.

  2. Restart the Change Guardian service using the command:

    systemctl restart sentinel.service

    rcsentinel restart (for version 6.3.1 or earlier)
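
The following script, added here as an example and not part of the Change Guardian documentation, appends the two proxy properties to server-custom.conf. It picks the next free wrapper.java.additional index (never below 101, matching the comment in the file), validates the port, supports the http variant described in the NOTE above, and refuses to add a second proxyHost for the same scheme. The sample file contents, the placeholder property on index 101 and the proxy address 192.168.0.1:3128 are constructed for the demonstration; point it at <Install Directory>/etc/opt/novell/sentinel/config/server-custom.conf on a real server.

```shell
#!/bin/sh
# Added example (not from the Change Guardian documentation): append the
# proxy properties to server-custom.conf using the next free
# wrapper.java.additional.<n> index, starting at 101 as the file's own
# comment requires, and refuse to add a duplicate proxyHost entry.

# next_index FILE: print the next free wrapper.java.additional index,
# never lower than 101.
next_index() {
    max=$(sed -n 's/^wrapper\.java\.additional\.\([0-9][0-9]*\)=.*/\1/p' "$1" \
          | sort -n | tail -n 1)
    if [ -z "$max" ] || [ "$max" -lt 100 ]; then
        echo 101
    else
        echo $((max + 1))
    fi
}

# add_proxy_properties FILE HOST PORT [SCHEME]
# SCHEME is https (default) or http, matching the NOTE in the procedure.
# Returns 1 on invalid input, 2 if the scheme's proxyHost is already set.
add_proxy_properties() {
    file=$1; host=$2; port=$3; scheme=${4:-https}
    case "$scheme" in
        http|https) ;;
        *) echo "scheme must be http or https" >&2; return 1 ;;
    esac
    case "$port" in
        ''|*[!0-9]*) echo "port must be numeric" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range" >&2; return 1
    fi
    if grep -qF -- "-D${scheme}.proxyHost=" "$file"; then
        echo "${scheme}.proxyHost is already set in $file" >&2; return 2
    fi
    n=$(next_index "$file")
    printf 'wrapper.java.additional.%d=-D%s.proxyHost=%s\n' "$n" "$scheme" "$host" >> "$file"
    printf 'wrapper.java.additional.%d=-D%s.proxyPort=%s\n' "$((n + 1))" "$scheme" "$port" >> "$file"
}

# Constructed sample file standing in for server-custom.conf; the existing
# entry 101 is a placeholder to show the index calculation, not a real
# Change Guardian property.
CONF=$(mktemp)
trap 'rm -f "$CONF"' EXIT
cat > "$CONF" <<'EOF'
# Custom Server Properties
# Custom Java additional properties should start from 101
wrapper.java.additional.101=-Dexample.placeholder.property=true
EOF

# Adds entries 102 (proxyHost) and 103 (proxyPort), then shows the result.
add_proxy_properties "$CONF" 192.168.0.1 3128
cat "$CONF"
```

Run it as the novell user (or root) with the real file path; the service still has to be restarted as in step 2 for the new JVM properties to take effect.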

15.7.2 Configuring LDAP

If you want to use secure LDAP connections to a previously configured AD server, you must edit the existing settings.

Change Guardian does not support AD servers that are configured with either an IP address or an FQDN, and does not support AD user names in the following format: cn=users,dc=domain,dc=lab. After upgrading Change Guardian, edit the pre-configured AD servers by specifying the domain name as the Active Directory Server. Similarly, change the user name to an administrator or a user that has access to the domain.

To edit:

  1. Open the following URL and click CONFIGURATION > LDAP CONNECTIONS:

    https://<IP_Address_Change_Guardian_server>:<port_number>

    The default port is 8443. You can use a custom port if Change Guardian was installed with custom configurations.

  2. Select the desired servers and edit the settings.

For more information about configuring LDAP, see Configuring LDAP for AD Browsing.

15.7.3 Migrating Change Guardian Attachment Data

In Change Guardian 6.2 and earlier, the H2 database version was 1.4.200. In Change Guardian 6.3, it was upgraded to 2.1.214. Hence, existing event data partitions that contain Change Guardian attachment data cannot be read by the new H2 database. You must migrate the existing H2 database files to 2.1.214 by using an offline tool.

Overview

This applies only if you have configured the Change Guardian integration.

All attachment data in the system must be migrated so that, for Change Guardian events, clicking the Shield icon loads the Diff and Delta attachments. After upgrading Change Guardian (from a version earlier than 6.3), if the partitions that contain attachment data are not migrated, the existing data cannot be used to display Diff and Delta attachments. Hence, the results of Change Guardian reports will be inconsistent.

For example, for reports that cover the past three months, the attachment data for that period must be migrated before the report jobs are started. Otherwise, the generated reports might not be accurate.

After upgrading Change Guardian, migration is required only for the existing (old) attachment data and not for the new attachment data.

You can migrate attachment data through an offline tool.

Deciding When to Migrate

Scenario: After upgrading to 6.3 or later.

Action: Migrate all existing event data partitions (applicable only if you integrate Change Guardian with Sentinel and have attachment data in event data partitions).

Scheduling Migration of Attachment Data

Migration uses CPU, memory, and disk bandwidth. If migration is performed during peak hours, it might take longer than expected or add load to the existing jobs. Hence, we recommend that you perform the migration during a scheduled maintenance window or during off-peak hours.

If there is a large amount of attachment data to migrate, select the date range of the event data partitions that have attachments to reduce the time taken. You can migrate the remaining event data partitions later, as required.

Migration Using Offline Tool

To migrate the event data partitions, you can use the offline tool. This tool must be run on the Change Guardian server to migrate the underlying H2 database version of the attachment data partition to the latest version. If you do not migrate the event data partitions containing Change Guardian attachment data using the offline tool, you will not be able to view attachments in older data.

How to Migrate Using Offline Tool

To migrate the attachment data partitions, you must use the offline tool. You can run the offline tool on event data partitions containing attachment data on primary storage (Change Guardian server).

Migration of Attachment Data Using the Offline Tool on the Change Guardian Server (Primary Storage)

Use the following steps to migrate attachment data using the offline tool:

  1. Log in to the Change Guardian server.

  2. Switch to the novell user using the following command:

    su novell

  3. Go to the following directory:

    <changeguardian_installation_path>/opt/novell/sentinel/bin

  4. Run the following script:

    ./h2migrate.sh <event data directory path> <from date> <to date>

    Example:

    ./h2migrate.sh /var/opt/novell/sentinel/data/eventdata/events 20220825 20220925

    The parameters in the above command migrate partitions containing attachment data from August 25, 2022 to September 25, 2022 (dates are given in YYYYMMDD format).

15.7.4 Re-indexing Event Data Partition

If the indexing libraries are upgraded during the Change Guardian upgrade, the underlying data formats also change and the existing data cannot be searched. Therefore, all existing event data partitions in the system must be re-indexed so that they can be searched. If the partitions are not re-indexed after an upgrade, search results and reports show inconsistent data.

Re-indexing is required only for the existing event data partitions and not for the new incoming events.

You can re-index using either or both of the following methods:

Re-indexing Using the Web Console

  1. Open the following URL: https://<IP_Address_Change_Guardian_server>:<port_number>

    The default port is 8443. You can use a custom port if Change Guardian was installed with custom configurations.

  2. Open ADMINISTRATION tab and click Storage > Event Partition Administration.

    NOTE: You can also open the Event Partition Administration page from the Change Guardian web console by clicking the Event Partition Administration link in the warning message at the top of the page.

  3. Select either Primary Storage or Secondary Storage, depending on the type of event partition that you want to re-index.

  4. Select the event partitions to re-index by clicking Date Range.

  5. Click Start Re-indexing.

    The approximate time required to complete the operation is displayed depending on the storage type and the event data time range selected.

After the re-indexing operation completes, all log messages related to the operation are available in the following log file: <installation_directory>/var/opt/novell/sentinel/log/reindex0.0.log

Re-Indexing in the Offline Mode

You can also use a tool to re-index event data partitions in offline mode. The tool uses a minimal amount of resources and does not affect any existing processes. Re-indexing in offline mode takes longer than re-indexing in online mode.

You can run the tool outside the Change Guardian server. However, you must copy the Java files and the Change Guardian libraries folder to the machine from which you want to run the re-indexing tool.

Before you proceed, ensure that you have the following information:

  • The path to the Java 1.8 executable. For a default installation, the path is:

    <installation_directory>/opt/novell/sentinel/jre/bin/java

  • The path to the folder where the Change Guardian libraries are present. For a default installation, the path is:

    <installation_directory>/opt/novell/sentinel/lib

  • The location of event data partitions. For a default installation, the path for primary partitions is:

    <installation_directory>/var/opt/novell/sentinel/data/eventdata/events/

To re-index:

  1. Log in to the Change Guardian server as root.

  2. Run the following command:

    <installation_directory>/opt/novell/sentinel/jdk/bin/java -cp /opt/novell/sentinel/lib/ccsapp-8.4.0.0-RELEASE.jar esecurity.ccs.comp.event.indexedlog.IndexedLogRebuild -forcerebuild <partition-directory>/<partition_ID>

    • -forcerebuild is an optional parameter. If this option is not specified, the tool creates a backup of the index folder and temporary files, which occupies additional disk space.

    • <partition-directory> refers to the path where all the partitions are present.

    • <partition_ID> refers to the ID of the partition, in one of the following formats: 20200428_6E1CCA35-4BD4-102D-91CD-000C2907C76D or 20200428_6E1CCA35-4BD4-102D-91CD-000C2907C76D_20200607

    If there is more than one partition, specify the IDs separated by spaces. You can also use wildcards in the ID, such as 202004*.

    For example, to re-index a single event data partition, specify the following command:

    <installation_directory>/opt/novell/sentinel/jdk/bin/java -cp /opt/novell/sentinel/lib/ccsapp-8.4.0.0-RELEASE.jar esecurity.ccs.comp.event.indexedlog.IndexedLogRebuild -forcerebuild /var/opt/novell/sentinel/data/eventdata/events/20200428_6E1CCA35-4BD4-102D-91CD-000C2907C76D

    For example, to re-index multiple event data partitions for April 2020, specify the following command:

    <installation_directory>/opt/novell/sentinel/jdk/bin/java -cp /opt/novell/sentinel/lib/ccsapp-8.4.0.0-RELEASE.jar esecurity.ccs.comp.event.indexedlog.IndexedLogRebuild -forcerebuild /var/opt/novell/sentinel/data/eventdata/events/202004*
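
Rather than relying on a wildcard such as 202004*, the following script, added here as an example and not one of the Change Guardian tools, selects partition directories by the date prefix of the partition ID (the <YYYYMMDD>_<GUID> or <YYYYMMDD>_<GUID>_<YYYYMMDD> form shown above) and prints the IndexedLogRebuild command for exactly those partitions as a dry run, so the list can be reviewed before anything is rebuilt. The same selection shows which partitions an h2migrate.sh <from date> <to date> run (Section 15.7.3) would cover before you schedule it. The partition directory names below are constructed sample data (only the GUID quoted in the documentation is real); the java and library paths are the defaults from the documentation.

```shell
#!/bin/sh
# Added example (not a Change Guardian tool): select event data partition
# directories by the date prefix of their partition ID and build the
# offline re-index command for exactly those partitions. The same selection
# previews which partitions a h2migrate.sh <from date> <to date> run covers.
# Assumes partition IDs of the form <YYYYMMDD>_<GUID>[_<YYYYMMDD>] as shown
# in the documentation.

# valid_date YYYYMMDD: succeed only for an 8-digit date string
valid_date() {
    case "$1" in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# partitions_in_range DIR FROM TO: print each partition directory under DIR
# whose leading date is between FROM and TO (inclusive), one per line.
# Entries without a date prefix (for example lost+found) are skipped.
partitions_in_range() {
    dir=$1; from=$2; to=$3
    for p in "$dir"/*; do
        [ -d "$p" ] || continue
        name=${p##*/}
        pdate=${name%%_*}
        valid_date "$pdate" || continue
        if [ "$pdate" -ge "$from" ] && [ "$pdate" -le "$to" ]; then
            printf '%s\n' "$p"
        fi
    done
}

# count_in_range DIR FROM TO: number of partitions selected
count_in_range() {
    partitions_in_range "$@" | wc -l | tr -d ' '
}

# build_reindex_command JAVA LIBDIR DIR FROM TO: print the IndexedLogRebuild
# command line from the documentation for the selected partitions, without
# running it. Returns 1 on bad or reversed dates, 2 when no partition
# matches. Paths containing spaces are not supported.
build_reindex_command() {
    java=$1; libdir=$2; dir=$3; from=$4; to=$5
    valid_date "$from" && valid_date "$to" || return 1
    [ "$from" -le "$to" ] || return 1
    args=$(partitions_in_range "$dir" "$from" "$to" | tr '\n' ' ')
    args=${args% }
    [ -n "$args" ] || return 2
    printf '%s -cp %s/ccsapp-8.4.0.0-RELEASE.jar esecurity.ccs.comp.event.indexedlog.IndexedLogRebuild -forcerebuild %s\n' \
        "$java" "$libdir" "$args"
}

# Constructed sample partition directories (all-zero GUIDs are placeholders;
# only the GUID quoted in the documentation is real).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
for id in 20200401_00000000-0000-0000-0000-000000000001 \
          20200428_6E1CCA35-4BD4-102D-91CD-000C2907C76D \
          20200430_00000000-0000-0000-0000-000000000003_20200607 \
          20200515_00000000-0000-0000-0000-000000000002 \
          lost+found; do
    mkdir "$SAMPLE_DIR/$id"
done

# Dry run for April 2020: prints the command covering the three April partitions.
build_reindex_command /opt/novell/sentinel/jdk/bin/java /opt/novell/sentinel/lib \
    "$SAMPLE_DIR" 20200401 20200430
```

On a real server, pass the events directory from the prerequisites list instead of the sample directory and run the printed command as root once the partition list looks right; the closing date of a closed partition (the second date suffix) is deliberately ignored, because the documentation's own wildcard example also selects by the opening date.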

15.7.5 Importing Certificates to FIPS Keystore Database

To import:

  1. Change directory to /opt/novell/sentinel/bin, and run the following command:

    ./convert_to_fips.sh -i

  2. Specify the password for the FIPS keystore database.

  3. Add the path of the OpenSearch certificate when prompted:

    <sentinel_installation_path>/opt/novell/sentinel/3rdparty/opensearch/config/certs/<certificate_name>.pem

    Where <certificate_name> has the following values:

    • root-ca

    • admin

    • node

    • client

    NOTE: For each external certificate prompted, add the above certificates one by one, giving the complete path.

    For example:

    <sentinel_installation_path>/opt/novell/sentinel/3rdparty/opensearch/config/certs/root-ca.pem

    Enter a unique alias name for this certificate when prompted. Add all of the above certificates one by one similarly and provide a unique alias for each of them.

15.7.6 Updating the Keystore Password

The chg_keystore_pass.sh script allows you to change the keystore passwords. As a security best practice, change the keystore passwords immediately after upgrading Change Guardian.

NOTE: Do not perform this procedure if the Change Guardian server is in FIPS mode.

To change the keystore passwords:

  1. Log in to the Change Guardian server as root.

  2. Switch user to novell.

  3. Go to the /opt/novell/sentinel/bin directory.

  4. Run the chg_keystore_pass.sh script and follow the on-screen prompts to change the keystore passwords.

NOTE: When you upgrade Change Guardian to 5.1 or later and change the keystore database password using certain special characters, the following exception is displayed: Failed to initialize Communicator.

15.7.7 Setting the Heartbeat Interval in Manage Agents dashboard

The heartbeat of Change Guardian Agent for Windows and Change Guardian Agent for UNIX determines the frequency at which the Change Guardian server checks the health of agents. It is also the interval at which any policy changes on the server are synced to agents. If you have fewer than 500 agents and have configured up to 15 policies per agent, consider setting the interval to 15 minutes. If you have more than 500 agents or have configured more than 15 policies per agent, consider setting the interval to 60 minutes. This ensures that the exchange of policy and agent health data at frequent intervals does not congest network traffic.

In the web console, navigate to CONFIGURATIONS > Agents > Manage Agents. Select the agent and click Manage Installation > Reconfigure Agents. In the Reconfigure Agents box, click Edit and set the desired heartbeat interval.

15.7.8 Upgrading Python

During a traditional Change Guardian upgrade in which the base operating system version changes, you must check the Python version after upgrading both Change Guardian and the operating system. Change Guardian requires a compatible version of the Python library to function properly and to ensure that the Change Guardian agents are upgraded successfully.

For example, consider that the base operating system changes from RHEL 6.10 to RHEL 7.9. If running the python -V command at the RHEL 6.10 server prompt shows Python 2.6.x, then after the upgrade the same command shows 2.7.x on RHEL 7.9. Although the operating system is using Python 2.7.x, the Python shared object file (.so) might still be built against Python 2.6.x.

Prerequisite: Before planning to upgrade Python, check which Python version the plpython2.so file is built on:

ldd <installation_directory>/opt/novell/sentinel/3rdparty/postgresql/lib/postgresql/plpython2.so

If the output is as below, it indicates that this .so file is built against Python 2.6.x, and you must upgrade Python after upgrading both Change Guardian and the operating system.

libpython2.6.so.1.0 => /usr/lib64/libpython2.6.so.1.0

If the output is as below, it indicates that the .so file is not linked to an installed Python version (the library it was built against is not found), and you must upgrade Python after upgrading both Change Guardian and the operating system.

libpython2.6.so.1.0 => not found

To upgrade Python:

  1. Stop the Sentinel services:

    systemctl stop sentinel.service

    rcsentinel stop (for version 6.3.1 or earlier)

  2. Change to the directory where the plpython2.so file is present:

    cd <installation_directory>/opt/novell/sentinel/3rdparty/postgresql/lib/postgresql

  3. Remove the existing .so file, which points to Python 2.6.x:

    rm plpython2.so

  4. Extract the Python 2.7.x .so file, which is present in <installation_directory>/opt/novell/sentinel/3rdparty/postgresql/lib/postgresql:

    tar zxf plpython2.7.so.tar.gz

  5. Set the novell user as the owner of the file:

    chown novell:novell plpython2.so

  6. Verify that the file is pointing to the correct Python version:

    ldd <installation_directory>/opt/novell/sentinel/3rdparty/postgresql/lib/postgresql/plpython2.so

  7. Start the Sentinel services:

    systemctl start sentinel.service

    rcsentinel start (for version 6.3.1 or earlier)
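
The following script, added here as an example and not from the Change Guardian documentation, turns the ldd check from the prerequisite and from step 6 into something that can be scripted rather than read by eye. It classifies the ldd output of plpython2.so as linked to the wanted Python version, linked to a different version, linked to a library that is not found, or not linked to libpython at all; the first three outcomes other than "ok" are exactly the cases in which the procedure above must be run. The ldd outputs below are constructed samples modelled on the two lines quoted in the prerequisite; check_plpython runs the real command against the documented path.

```shell
#!/bin/sh
# Added example (not from the Change Guardian documentation): classify the
# ldd output of plpython2.so so the prerequisite check and the verification
# in step 6 can be scripted. The wanted Python version (for example 2.7 on
# RHEL 7.9) is an input; the file path is the one the documentation gives.

# classify_plpython LDD_OUTPUT WANTED_VERSION
# Prints one of:
#   ok        linked to libpython<WANTED_VERSION>
#   mismatch  linked to a different libpython (for example 2.6 on RHEL 7.9)
#   notfound  linked against a libpython that is not installed ("=> not found")
#   unlinked  no libpython dependency listed at all
classify_plpython() {
    out=$1; want=$2
    line=$(printf '%s\n' "$out" | grep 'libpython' | head -n 1)
    if [ -z "$line" ]; then
        echo unlinked
        return 0
    fi
    case "$line" in
        *"=> not found"*)          echo notfound ;;
        *"libpython${want}.so"*)   echo ok ;;
        *)                         echo mismatch ;;
    esac
}

# plpython_needs_upgrade LDD_OUTPUT WANTED_VERSION: succeed (exit 0) when
# the upgrade procedure must be run, fail when the file is already correct.
plpython_needs_upgrade() {
    [ "$(classify_plpython "$1" "$2")" != ok ]
}

# check_plpython SO_FILE WANTED_VERSION: run ldd on the real file and classify.
# Example: check_plpython <installation_directory>/opt/novell/sentinel/3rdparty/postgresql/lib/postgresql/plpython2.so 2.7
check_plpython() {
    classify_plpython "$(ldd "$1" 2>&1)" "$2"
}

# Constructed sample outputs, modelled on the lines quoted in the text
# (load addresses are placeholders).
LDD_OLD='    libpython2.6.so.1.0 => /usr/lib64/libpython2.6.so.1.0 (0x00007f0000000000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f0000100000)'
LDD_MISSING='    libpython2.6.so.1.0 => not found
    libc.so.6 => /lib64/libc.so.6 (0x00007f0000100000)'
LDD_NEW='    libpython2.7.so.1.0 => /usr/lib64/libpython2.7.so.1.0 (0x00007f0000000000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f0000100000)'

# Show the decision for each sample as if the server were on Python 2.7.x.
for sample in "$LDD_OLD" "$LDD_MISSING" "$LDD_NEW"; do
    printf '%s -> ' "$(classify_plpython "$sample" 2.7)"
    if plpython_needs_upgrade "$sample" 2.7; then echo "upgrade Python"; else echo "OK"; fi
done
```

Running check_plpython before step 1 and again after step 6 gives a before/after record of which libpython the module is linked against, which is easier to keep in a change ticket than a pasted ldd listing.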