6.2 Configurations Using the Server Command Prompt

6.2.1 Configuring Memory Settings

The SHMMAX setting configures the maximum size, in bytes, of a shared memory segment for PostgreSQL. Desirable values for SHMMAX range from hundreds of megabytes to a few gigabytes.

To change the kernel SHMMAX parameter, append the following information to the /etc/sysctl.conf file:

# for Postgresql
kernel.shmmax=1073741824

NOTE: By default, SHMMAX is set to a low value on RHEL, so it is important to modify it when installing on this platform.

6.2.2 Configuring Server Date and Time Synchronization

To determine the current date and time configured on the Change Guardian server, run the following command: date -u

To synchronize the Change Guardian server date and time with an external time service, configure NTP.

6.2.3 Verifying Server Hostname

You have the option to install the Change Guardian server using a static IP address or a dynamic (DHCP) IP address mapped to a hostname. For the Change Guardian server to work correctly when configured with DHCP, ensure that the system can return its hostname correctly by using the following procedure:

  1. Verify the hostname configuration:

    cat /etc/HOSTNAME

  2. Check the server hostname setting:

    hostname -f

  3. Verify the DHCP configuration:

    cat /etc/sysconfig/network/dhcp

    NOTE: The DHCLIENT_HOSTNAME_OPTION setting should reflect the fully qualified hostname of the Change Guardian server.

  4. Resolve the hostname to the IP address:

    nslookup FULLY_QUALIFIED_HOSTNAME

  5. Resolve the server hostname from a client by running the following command on the remote machine:

    nslookup FULLY_QUALIFIED_CHANGEGUARDIANSERVER_HOSTNAME
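A check script that ties steps 2 to 4 together, added here as an example and not taken from the product documentation. It assumes a glibc host (getent, hostname -I) and reads the same /etc/sysconfig/network/dhcp file; the sample configuration inside it is constructed for offline testing.

```shell
#!/bin/sh
# Hostname consistency check for a DHCP-configured Change Guardian server.
# Added example, not product code. Assumes a glibc host (getent, hostname -I).

# Constructed sample of /etc/sysconfig/network/dhcp, used for offline testing.
sample_dhcp_config() {
    printf '%s\n' '# DHCLIENT_HOSTNAME_OPTION="old.example.test"' \
                  'DHCLIENT_HOSTNAME_OPTION="cgserver.example.test"' \
                  'DHCLIENT_SET_HOSTNAME="no"'
}

# Print the value of DHCLIENT_HOSTNAME_OPTION from a sysconfig-style file:
# last active assignment wins, quotes are stripped, commented lines are ignored.
dhcp_hostname_option() {
    grep '^[[:space:]]*DHCLIENT_HOSTNAME_OPTION=' "$1" | tail -n 1 \
        | cut -d= -f2- | tr -d "\"'" | tr -d '[:space:]'
}

# Return 0 when the configured option equals the FQDN (case-insensitive).
# A bare short name fails, because step 3 requires the fully qualified name.
fqdn_option_matches() {
    opt=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    fqdn=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$opt" in
        *.*) [ "$opt" = "$fqdn" ] ;;
        *)   return 1 ;;
    esac
}

# Return 0 when forward resolution of the FQDN (the same lookup as step 4)
# yields an address that is configured on this host.
fqdn_resolves_locally() {
    resolved=$(getent hosts "$1" | awk '{print $1}')
    [ -n "$resolved" ] || return 1
    for addr in $(hostname -I 2>/dev/null); do
        for r in $resolved; do
            [ "$r" = "$addr" ] && return 0
        done
    done
    return 1
}

# Live check combining steps 2 to 4; run it on the server after editing the file.
check_server_hostname() {
    fqdn=$(hostname -f) || return 1
    opt=$(dhcp_hostname_option /etc/sysconfig/network/dhcp)
    fqdn_option_matches "$opt" "$fqdn" \
        || { echo "DHCLIENT_HOSTNAME_OPTION ($opt) does not match $fqdn"; return 1; }
    fqdn_resolves_locally "$fqdn" \
        || { echo "$fqdn does not resolve to an address on this host"; return 1; }
    echo "hostname configuration OK: $fqdn"
}
```

Call check_server_hostname on the server itself; a non-zero exit with the printed reason points at the step that still needs attention.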

6.2.4 Configuring Email Servers

Complete the following steps to configure SMTP:

You can also configure email servers by using Policy Editor.

Configuring Email Server With Change Guardian in FIPS Mode

To configure:

  1. Export the certificate from the respective SMTP server site.

  2. Browse to the Sentinel bin directory. The default location is /opt/novell/sentinel/bin.

  3. Import the certificate by running the following command:

    ./convert_to_fips.sh -i <certificate_path>

    NOTE: If the certificate is not available in the current directory, /opt/novell/sentinel/bin, it is not added to the keystore database.

  4. Restart the Change Guardian server using the following command:

    systemctl restart sentinel.service

    rcsentinel restart (for version 6.3.1 or earlier)

Configuring Email Server With Change Guardian in Non-FIPS Mode

To configure:

  1. Export the certificate from the respective SMTP server site.

  2. Import the certificate:

    /opt/novell/sentinel/jdk/jre/bin/keytool

    NOTE: If you have used a custom path for installation, modify the command accordingly.

  3. Restart the Change Guardian server:

    systemctl restart sentinel.service

    rcsentinel restart (for version 6.3.1 or earlier)

6.2.5 Configuring Email Server to Receive Email Alerts

To receive alerts on emails, complete the following steps:

Adding Email Servers

To add email servers to Change Guardian server and change the default email host settings:

  1. Change directory:

    cd /opt/netiq/cg/scripts

  2. Set the email host settings:

    ./configure.sh udei --admin-account=<admin_account> --admin-password=<admin_account_password> --mail-host=<SMTP_hostname> --mail-port=<SMTP_port> --mail-from=<e-mail_address> --secure-connection=<true/false>

NOTE: To configure a secure connection with STARTTLS, set the following option:

--secure-connection=true

6.2.6 Configuring Security Settings

This section provides the following information:

Using CA Signed Certificates

You can replace the self-signed certificate with a certificate signed by a well-known CA, such as VeriSign, Thawte, or Entrust. You can also replace the self-signed certificate with a certificate digitally signed by a less common CA, such as a CA within your company or organization.

NOTE: There are many well-known CAs, and which CAs are most commonly used varies by country.

This section provides information about various certificates used in Change Guardian and instructions about configuring the TLS/SSL certificates to get them digitally signed by a CA:

Web Server Certificate

The web server certificate is used for the following purposes:

  • With web browsers to connect to the Change Guardian Main interface.

  • Establish trust relationships for the REST API calls between Change Guardian instances. For example, it is used when configuring Data Federation.

Javos and Agent Manager

The Javos and Agent Manager certificates are used for the following purposes:

  • Javos certificates are used for accepting connections from Change Guardian Agents.

  • Agent Manager certificates are used for communication between Change Guardian agents and Agent Manager.

Configuring the TLS/SSL Certificates for Web Server

Configuring the TLS/SSL certificates involves the following steps:

Generating a Certificate Signing Request

To obtain a digitally signed certificate, you must first generate a certificate signing request (CSR), which is presented to the CA. To generate one or more CSRs, perform the following steps on the Change Guardian server:

  1. Log in to the Change Guardian server as the novell user.

  2. Create a certificate pair by using the following command:

    /opt/novell/sentinel/jdk/jre/bin/keytool -genkey -alias webserver -validity <days> -storetype JKS -keyalg RSA -keysize 2048 -storepass password -keypass password -keystore .webserverkeystore.jks -dname "CN=<certificate_common_name>,OU=<organization_unit>, O=<organization>, L=<city or town>, ST=<state>, C=<country>" -ext san=dns:<domain_name> && /opt/novell/sentinel/jdk/jre/bin/keytool -certreq -alias webserver -file .webserverkeystore.csr -keystore .webserverkeystore.jks -storepass password -ext san=dns:<domain_name>

The above command generates a CSR in PKCS#10 format and saves it in the specified file, .webserverkeystore.csr.

Getting the CSR Signed by the CA

  1. Submit the CSRs to the CA for signature.

  2. Obtain the signed certificate files from the CA.

The details of how this is done depend on the CA. For more information, consult your CA.

Importing the Digitally Signed Certificates into Change Guardian

Copy the files that contain the digital certificates signed by the CA to the Change Guardian server. If the files are signed by an enterprise or organizational CA rather than a well-known CA, you must also copy the CA's self-signed root certificate to the Change Guardian server. You must import the intermediate, root, and signed certificates.

You can specify the desired alias names for the intermediate and root certificates. However, the signed certificate must be imported with the same alias that was used while creating a certificate pair, which is webserver. The default keystore password is password. If you have changed the keystore password, specify the changed password.

To import the certificate files to the Change Guardian server:

  1. Log in to the Change Guardian server as the novell user.

  2. Back up the default self-signed certificate:

    cp /etc/opt/novell/sentinel/config/.webserverkeystore.jks /etc/opt/novell/sentinel/config/.webserverkeystore.jks_bkp

  3. Copy the CA signed certificate to the Sentinel server:

    cp <CA_signed_certificate> /etc/opt/novell/sentinel/config/.webserverkeystore.jks

  4. Import the intermediate certificate:

    /opt/novell/sentinel/jdk/jre/bin/keytool -importcert -alias <alias_name> -file /opt/cert/intermediate.pem -keystore /etc/opt/novell/sentinel/config/.webserverkeystore.jks -storepass <keystore_password>

  5. Import the root certificate:

    /opt/novell/sentinel/jdk/jre/bin/keytool -importcert -alias <alias_name> -file /opt/cert/root.pem -keystore /etc/opt/novell/sentinel/config/.webserverkeystore.jks -storepass <keystore_password>

  6. Import the signed certificate:

    /opt/novell/sentinel/jdk/jre/bin/keytool -importcert -alias webserver -file /opt/cert/signedcert.pem -keystore /etc/opt/novell/sentinel/config/.webserverkeystore.jks -storepass <keystore_password>

  7. (Optional) Verify whether all the certificates are imported successfully:

    /opt/novell/sentinel/jdk/jre/bin/keytool -list -keystore /etc/opt/novell/sentinel/config/.webserverkeystore.jks

  8. Restart Change Guardian:

    systemctl restart sentinel.service

    rcsentinel restart (for version 6.3.1 or earlier)
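A pre-import check for the files handled in steps 4 to 6, added here as an example and not part of the product. It assumes openssl is on the server, that the CSR from the "Generating a Certificate Signing Request" step (.webserverkeystore.csr) is still available, and it confirms that the CA returned a certificate for that key, that the chain verifies through the intermediate to the root, and that the SAN carries the server's DNS name before anything is written into the keystore.

```shell
#!/bin/sh
# Pre-import check for a CA-signed web server certificate. Added example, not
# product code; run it before importing with keytool (steps 4 to 6 above).
# Arguments: signed cert, the CSR generated from .webserverkeystore.jks,
# intermediate PEM, root PEM, DNS name expected in the SAN.
verify_signed_cert() {
    cert=$1; csr=$2; inter=$3; root=$4; dnsname=$5
    # 1. The signed certificate must carry the public key from our CSR, or the
    #    import under alias "webserver" will not pair with the keystore's key.
    cert_key=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    csr_key=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null) || return 1
    [ "$cert_key" = "$csr_key" ] \
        || { echo "public key in $cert does not match $csr"; return 1; }
    # 2. The chain must verify with the root trusted and the intermediate supplied.
    openssl verify -CAfile "$root" -untrusted "$inter" "$cert" >/dev/null 2>&1 \
        || { echo "chain does not verify: $cert via $inter to $root"; return 1; }
    # 3. The SAN must list the name browsers and federated peers will connect to.
    openssl x509 -in "$cert" -noout -text 2>/dev/null \
        | grep -Eqi "DNS:$dnsname(,|\$)" \
        || { echo "subjectAltName of $cert lacks DNS:$dnsname"; return 1; }
    echo "certificate OK, issued by: $(cert_issuer "$cert")"
}

# Issuer of a PEM certificate, the same field inspected with openssl x509 -text.
cert_issuer() {
    openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//'
}
```

Example invocation on the server: verify_signed_cert /opt/cert/signedcert.pem .webserverkeystore.csr /opt/cert/intermediate.pem /opt/cert/root.pem server.example.com, using the paths from the steps above and your own DNS name.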

Configuring the TLS/SSL Certificates for Javos and Agent Manager

You can use CA-signed certificates in place of the self-signed certificates provided by Change Guardian.

To replace the self-signed certificates on the server:

  1. Log in to the Change Guardian server as root.

  2. Switch user to novell.

  3. Back up the existing certs folder, which is located at /opt/netiq/cgutils/certs.

  4. Create a new certs folder at /opt/netiq/cgutils/.

  5. Copy the CA-signed certificates to /opt/netiq/cgutils/certs.

  6. Change the permission of the certs folder:

    chmod 700 /opt/netiq/cgutils/certs

  7. Rename the CA-signed certificate files as follows:

    • cgca-cert.pem: Root CA certificate

    • cgca-pk.pem: Private key

    • cgca-pk.pem.pass: Private key password

  8. Change the ownership of the CA-signed files:

    chown novell:novell /opt/netiq/cgutils/certs/*

  9. Go to the /opt/netiq/cgutils/bin directory and run the following command:

    ./cg_cert_setup.sh

    The required certificates are created in the /opt/netiq/cgutils/certs/ directory.

  10. Verify that the new certificates have the new CA name in the issuer field:

    • openssl x509 -in amsca-cert.pem -noout -text

    • openssl x509 -in javosca-cert.pem -noout -text

  11. Go to the /opt/netiq/ams/ams/bin directory, and run the following commands:

    ./ams_cert_setup.sh --setup --profile=ams_new_profile_name

    ./ams_cert_setup.sh --enable --profile=ams_new_profile_name

    NOTE: Rather than changing the default profile names, create a profile with a new name.

  12. Confirm that the profile is enabled:

    ./ams_cert_setup.sh --show

  13. Go to the /opt/netiq/cg/javos/bin/ directory and run the following commands:

    ./javos_cert_setup.sh --setup --profile=javos_new_profile_name

    ./javos_cert_setup.sh --enable --profile=javos_new_profile_name

  14. Confirm that the profile is enabled:

    ./javos_cert_setup.sh --show

  15. (Conditional) If the Change Guardian server is in FIPS mode, run the following commands:

    /opt/netiq/ams/ams/bin/convert_to_fips.sh

    /opt/netiq/cg/javos/bin/convert_to_fips.sh

  16. (Optional) To test if the certificates are replaced successfully, remotely deploy an agent and generate an event.

Applying Updates for Security Vulnerabilities in Embedded Third-Party Products

Change Guardian contains embedded third-party products such as JRE, Jetty, PostgreSQL, and ActiveMQ. Change Guardian releases include patches that address security vulnerabilities (CVEs) in these products.

The third-party products have their own release cycles and new CVEs might be discovered before a Change Guardian release. You must review the CVEs for each embedded third-party product and decide whether to apply these updates to your Change Guardian deployment before getting a corresponding Change Guardian patch from OpenText. If you decide to apply patches to address these CVEs, contact Technical Support.

6.2.7 Configuring FIPS 140-2

For detailed information on how to configure FIPS and how to configure data federation in FIPS mode, see Configuring FIPS.