Using ArcSight Platform Installer

You can use ArcSight Platform Installer to build your environment. ArcSight Platform Installer takes care of the end-to-end installation process, which starts from configuring the prerequisites to completing the post-installation configurations.

Using the Configuration Files

The Platform Installer requires a .yaml configuration file to determine which capabilities to deploy on which nodes and how to configure the capabilities. The installation package includes example .yaml files with pre-configured scenarios to help you build your configuration file.

The .yaml files are available by default in the {​​unzipped-installer-dir}/config folder. To help you understand the settings that you might want to add, modify, or remove in your chosen .yaml file, review the install-config-doc.yaml, which is also in the /config folder. Do not use the install-config-doc.yaml file as your configuration file. Rather, choose one of the example files. Each example has placeholders for your specific environment, such as host names, so you will need to edit the example file before using it. For more information on the examples, see Configuring the Deployed Capabilities.

For example, to deploy ESM Command Center and Transformation Hub in a high-availability environment, start with the file example-install-config-esm_and_transformation_hub-high_availability.yaml.

The "suite > config-params" section of the example deployment configuration .yaml files includes the internal IDs of configuration properties that cannot be configured easily after installation. For a description of each property internal ID in the example deployment configuration .yaml files, see Configuring the Deployed Capabilities. After installation, you can easily configure most other properties (those not in the example deployment configuration .yaml files) using the CDF Management Portal, where descriptions of all properties are supplied as tooltips.

You can start from any of these example files:

In the example files below, SSL, FIPS, and client-auth are all enabled by default.

Deployment scenario: ArcSight ESM Command Center and Transformation Hub with high availability
Configuration example file: example-install-config-esm_and_transformation_hub-high_availability.yaml
Description: Provides a good starting point if you anticipate that your needs will grow, because this configuration allows for further scaling when you need it without having to reinstall. Configures all components required by ESM Command Center on a single node, including Fusion and (optionally) SOAR, plus Transformation Hub, across 3 worker and 3 master nodes.

Deployment scenario: ArcSight ESM Command Center on a single node
Configuration example file: example-install-config-esm_cmd_center-single-node.yaml
Description: Installs all components required by ESM Command Center on a single node, including Fusion and (optionally) SOAR.

Deployment scenario: Intelligence with high availability
Configuration example file: example-install-config-intelligence-high_availability.yaml
Description: Configures all components required by Intelligence, including Fusion and Transformation Hub, across 3 worker and 3 master nodes. The Database has 3 nodes with data replication enabled (1 original, 1 copy), so it can tolerate the failure of a single node and remain operational.

Deployment scenario: Intelligence with high availability on the ArcSight Database
Configuration example file: example-install-config-intelligence-scale_db.yaml
Description: Supports an environment with modest EPS and a minimal number of nodes, but allows for further scaling with multiple worker nodes. Configures all components required by Intelligence on a single node, including Fusion and Transformation Hub, across 3 worker nodes and 1 master node. The Database has 3 nodes with data replication enabled (1 original, 1 copy), so it can tolerate the failure of a single node and remain operational.

Deployment scenario: Intelligence on a single node
Configuration example file: example-install-config-intelligence-single-node.yaml
Description: Configures all components required by Intelligence on a single node, including Fusion and Transformation Hub. The Database has 3 nodes with data replication enabled (1 original, 1 copy), so it can tolerate the failure of a single node and remain operational.

Deployment scenario: Intelligence and Recon on a single node
Configuration example file: example-install-config-intelligence_and_recon-single-node.yaml
Description: Configures all components required by Intelligence and Recon on a single node, including Fusion and Transformation Hub. The Database resides on a separate node.

Deployment scenario: Recon with high availability
Configuration example file: example-install-config-recon-high_availability.yaml
Description: Provides a good starting point if you anticipate that your needs will grow, because this configuration allows for further scaling when you need it without having to reinstall. Configures all components required by Recon, including Fusion, Transformation Hub, and (optionally) SOAR, across 3 worker and 3 master nodes. The Database has 3 nodes with data replication enabled (1 original, 1 copy), so it can tolerate the failure of a single node and remain operational.

Deployment scenario: Recon with high availability on the ArcSight Database
Configuration example file: example-install-config-recon-scale_db.yaml
Description: Provides a good starting point when you want to scale the Database beyond a single node to handle your workload and storage requirements, but do not yet wish to invest in high availability for Recon. Configures all components required by Recon on a single node, including Fusion, Transformation Hub, and (optionally) SOAR. The Database has 3 nodes with data replication enabled (1 original, 1 copy), so it can tolerate the failure of a single node and remain operational.

Deployment scenario: Recon on a single node
Configuration example file: example-install-config-recon-single-node.yaml
Description: Configures all components required by Recon on a single node, including Fusion, Transformation Hub, and (optionally) SOAR. The Database resides on a separate node. For information about FIPS mode on the Database Server, see Enabling FIPS Mode on the Database Server.

Deployment scenario: Transformation Hub with high availability
Configuration example file: example-install-config-transformation_hub_and_fusion-high_availability.yaml
Description: Configures Fusion and Transformation Hub across 3 worker and 3 master nodes.

Understanding the Installation Commands

This table provides information about the installation commands and their purpose.

These instructions use the primary commands with their defaults for the most straightforward installation experience. Additional options are available if needed; they are explained when you run the command ./arcsight-install --help.

Script: ./arcsight-install -c /opt/my-install-config.yaml --cmd preinstall
Purpose: The preinstall command attempts to install any missing operating system package dependencies automatically using the yum command. Therefore, be sure that yum is configured on all nodes so that it can download the packages from a package repository.
It runs checks on all hosts specified in the install config file and reports whether they meet the requirements. It also modifies the configuration of all hosts specified in the install config file so that each host meets the required system configuration for the components that will be installed on it. Not all required system configurations can be handled by this command; the items that must be configured manually are reported. It also installs or configures NFS as specified in the install config file.

Script: ./arcsight-install -c /opt/my-install-config.yaml --cmd install
Purpose: The install command installs or configures the Database, the Container Deployment Foundation (CDF) cluster, and the ArcSight capabilities as specified in the install config file.

Script: ./arcsight-install -c /opt/my-install-config.yaml --cmd postinstall
Purpose: The postinstall command performs the post-installation configurations.

Configuring the System Clock of the Database Nodes

A network time (NTP) server must be available in your environment. The chrony service implements NTP and is installed by default on some versions of RHEL and CentOS. Ensure that chrony is installed on every node.

CentOS 8.4 only

For all database nodes running CentOS version 8.4, run the following command to set the time zone to UTC:

sudo timedatectl set-timezone UTC

Using ArcSight Platform Installer to Deploy

ArcSight Platform Installer takes care of the prerequisites, software installations, and post-installation configurations.

Before building your environment, ensure the firewall is running on the CDF nodes.
To copy the metadata file and the images to their corresponding directories, see Downloading the Installation Packages for an On-Premises Deployment.

To use the installer to deploy:

  1. Launch a terminal session and log in to the master node as root.
  2. Change to the following directory:
     cd {unzipped-installer-dir}/config/
  3. Select the example install config file in the directory that most closely matches the deployment you need.
     There is an explanation at the top of each example file, and additional explanations are available in the {unzipped-installer-dir}/config/ directory. Do not use the install-config-doc.yaml file for your deployment, as it is for information purposes only.
  4. Make a copy of the selected example file. In these instructions, the copy is named as follows:
     /opt/my-install-config.yaml
  5. Edit the copied file as needed:
     /opt/my-install-config.yaml

     Each example install config file explains the minimal changes that must be made before performing the installation with that file.

     Depending on your specific deployment, you might need to make additional modifications that are not described in the example file. Additional explanations are available in the {unzipped-installer-dir}/config/install-config-doc.yaml file.
  6. Change to the following directory:
     {unzipped-installer-dir}
  7. Execute the following command to check all the nodes and deploy all the prerequisites:
     ./arcsight-install -c /opt/my-install-config.yaml --cmd preinstall

     When you execute the script, the installer prompts you for the username and password you provided for each host name specified. You need to provide this information only once for each host name. The installer sets up secure passwordless SSH using certificates, so executing commands on the hosts later is seamless.

     Valid password specifications:
     Length: between 8 and 30 characters
     Can contain: letters, digits, and special characters
     Valid special characters: _ ! % @ &
     Valid examples: 9badm1N_X, my6AsW@rd, mypasS_w0?d
  8. Execute the following command to install the Database, CDF, and the ArcSight capabilities:
     ./arcsight-install -c /opt/my-install-config.yaml --cmd install

     Database

     If your install config file specifies that the Database is to be installed, the installer displays prompts for:

     • Accept License Agreement
     • Database admin password
     • Database app admin password
     • Database search username

     Be patient, as the Database installation might take time to complete. The Database might need time to create indexes and complete setup tasks. The Database installation might appear to be complete; however, if you start the product before the Database installation is actually complete, you might experience errors and performance issues.

     In the initial 22.1.0 release, the ArcSight Database does not support FIPS mode due to a defect. A fix is already being worked on and will be released soon after 22.1.0. In the meantime, for the database to function properly, you must disable FIPS mode on the database server.

     CDF and ArcSight Capabilities

     Next, the installer displays prompts for:

     • Accept License Agreement (again)
     • If the installer discovers warnings while running a check of the node hardware configuration, a prompt appears asking you to confirm the warnings and continue.
     • CDF admin password

     Be patient, as the installation might take time to complete, depending on the number of suite products and cluster nodes being installed. For example, a small cluster might take 40 minutes or more to complete. You can monitor the progress of the installer in the terminal.
  9. After the install command completes, run the following command to check the pod status. Before continuing to the post-installation step, all pods must be in Running or Completed status.
     kubectl get pods -A
  10. View additional cluster status, including logs, as needed:

     a. Log in to the CDF Management Portal using the CDF admin username and password you provided.

     b. Navigate to Cluster > Dashboard.

     c. In the Kubernetes Dashboard, select Namespace arcsight-installer-*.

     d. Navigate to pods, then select the pod to inspect.

     e. To view the logs for the pod, click the View Logs icon in the upper-right corner of the UI.

     f. In the Logs from menu, select a different container to view its logs.

  11. Execute the following command to perform the post-installation configurations:
     ./arcsight-install -c /opt/my-install-config.yaml --cmd postinstall

     When you run this command, the installer displays the following prompt:
     Are you sure all arcsight pods are running and you want to continue? (y/N)

     After ensuring that all the ArcSight pods are running, specify y.
  12. Continue to Performing Post-deployment Configuration.
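The following POSIX shell helper is an added example, not part of the ArcSight documentation or the installer. It encodes two checks from the procedure above: the stated password policy for the preinstall prompts, and a readiness gate that parses the output of kubectl get pods -A and refuses to start postinstall until every pod is Completed or Running with all of its containers ready. The namespace, the pod names in the samples and the postinstall_when_settled wrapper are assumptions.

```shell
#!/bin/sh
# Added helper (not part of the ArcSight installer): two checks taken from the
# deployment procedure. All sample data below is constructed, not captured.
# valid_installer_password PASSWORD
# Enforces the stated policy: 8-30 characters drawn from letters, digits and
# the special characters _ ! % @ & only. Returns 0 when the password conforms.
valid_installer_password() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_!%@&]{8,30}$'
}

# all_pods_settled
# Reads `kubectl get pods -A --no-headers` output on stdin (columns: NAMESPACE
# NAME READY STATUS RESTARTS AGE), prints every pod that is neither Completed
# nor Running with all containers ready, and returns 0 only when none exists.
all_pods_settled() {
  awk '
    $4 != "Running" && $4 != "Completed" {
      print "NOT READY: " $1 "/" $2 " status=" $4; bad++
    }
    $4 == "Running" {
      split($3, r, "/")
      if (r[1] != r[2]) { print "NOT READY: " $1 "/" $2 " ready=" $3; bad++ }
    }
    END { exit (bad > 0) }
  '
}

# Gate for the postinstall step (hypothetical wrapper; needs kubectl and the
# installer): only reach the installer's own y/N prompt once the cluster settled.
postinstall_when_settled() {
  if kubectl get pods -A --no-headers | all_pods_settled; then
    ./arcsight-install -c /opt/my-install-config.yaml --cmd postinstall
  else
    echo "Some pods are not yet Running/Completed; postinstall not started." >&2
    return 1
  fi
}

# Constructed samples (placeholder namespace and pod names).
SETTLED_PODS='arcsight-installer-abcde fusion-db-0 1/1 Running 0 41m
arcsight-installer-abcde th-kafka-0 1/1 Running 1 41m
arcsight-installer-abcde db-init-xyz12 0/1 Completed 0 37m
core suite-installer-frontend 1/1 Running 0 52m'
UNSETTLED_PODS='arcsight-installer-abcde fusion-db-0 0/1 Running 0 3m
arcsight-installer-abcde th-kafka-0 0/1 Pending 0 3m
arcsight-installer-abcde recon-api 0/1 CrashLoopBackOff 4 3m'
# Stand-alone demonstration on the samples; no cluster needed.
printf '%s\n' "$SETTLED_PODS" | all_pods_settled && echo "settled sample: ready for postinstall"
printf '%s\n' "$UNSETTLED_PODS" | all_pods_settled || echo "unsettled sample: blocked as expected"
```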

Updating RE Certificates (optional)

It's optional, but we recommend that you use an RE certificate signed by your Trusted Certificate Authority as part of the installation process. For more information, see: