13.6 Post Upgrade Configuration

Verify that the following settings are complete:

13.6.1 Adding Application License

You must import license keys for each application you want to monitor.

To import and assign a license:

  1. Login to Policy Editor.

  2. Click Module Manager.

  3. In Licenses, click the required application name.

  4. Click Import License Key.

  5. Browse and select the module license file.

  6. Click Import.

13.6.2 Configuring LDAP

If you want to use secure LDAP connections on the previously configured AD server, you have to edit the existing settings.

Change Guardian does not support AD servers that are configured with either IP address or FQDN, and does not support AD user name in the following format: cn=users,dc=domain,dc=lab. After upgrading Change Guardian, edit the pre-configured AD servers by specifying the domain name as the Active Directory Server. Similarly, modify the user name with an administrator or a user that has access to the domain.

To edit:

  1. Open the following URL and click CONFIGURATION > LDAP CONNECTIONS:

    https://<IP_Address_Change_Guardian_server>:<port_number>

    The default port is 8443. You can use a custom port if Change Guardian was installed with custom configurations.

  2. Select the desired servers and edit the settings.

For more information about configuring LDAP, see Configuring LDAP for AD Browsing.

13.6.3 Re-indexing Event Data Partition

If indexing libraries are upgraded during Change Guardian upgrade, the underlying data formats also get updated and the data cannot be searched. Therefore, all event data partitions in the system should be indexed so that it can be searched. If the partitions are not re-indexed after an upgrade, search results and reports shows inconsistent data.

NOTE:Perform the re-indexing steps if you have upgraded from Change Guardian 5.2 or 6.0.

Re-indexing is required only for the existing event data partitions and not for the new incoming events.

You can re-index using one or both methods:

Re-indexing Using the Web Console

  1. Open the following URL: https://<IP_Address_Change_Guardian_server>:<port_number>

    The default port is 8443. You can use a custom port if Change Guardian was installed with custom configurations.

  2. Open ADMINISTRATION tab and click Storage > Event Partition Administration.

    NOTE:You can also the Event Partition Administration page from the Change Guardian web console. Click the Event Partition Administration link in the warning message at the top of the page.

  3. Select either Primary Storage or Secondary Storage, depending on the type of event partition that you want to re-index.

  4. Select the event partitions to re-index, by clicking Date Range.

  5. Click Start Re-indexing.

    The approximate time required to complete the operation is displayed depending on the storage type and the event data time range selected.

After the re-indexing operation completes, all log files related to the operation are available in the following log file: <installation_path>/var/opt/novell/sentinel/log/reindex0.0.log

Re-Indexing in the Offline Mode

You can also use a tool to re-index event data partition, in the offline mode. The tool uses minimal number of resources without affecting any of the existing processes. Re-indexing operation in the offline mode takes longer when compared to reindexing by using the online mode.

You can run the tool outside the Change Guardian server. However, you must copy the Java files and the Change Guardian libraries folder to the machine from which you want to run the re-indexing tool.

Before you proceed, ensure that you have the following information:

  • The path to the folder where Java 1.8 is located. For a default installation, the path is:

    <installation_path>/opt/novell/sentinel/jre/bin/java

  • The path to folder where Change Guardian libraries are present. For a default installation, the path is:

    <installation_path>/opt/novell/sentinel/lib

  • The location of event data partitions. For a default installation, the path for primary partitions is:

    <installation_path>/var/opt/novell/sentinel/data/eventdata/events/

To re-index:

  1. Log in to the Change Guardian server as root.

  2. Run the following command:

    <installation_path>/opt/novell/sentinel/jdk/bin/java -cp /opt/novell/sentinel/lib/ccsapp-8.4.0.0-RELEASE.jar esecurity.ccs.comp.event.indexedlog.IndexedLogRebuild -forcerebuild <partition-directory>/<partition_ID>

    • -forcerebuild is an optional parameter. If this option is not specified, the tool creates a backup of index folder and temporary files, which occupies additional disk-space.

    • <partition-directory> refers to the path where all the partitions are present. You can add multiple IDs separated by space.

    • <partition_ID> refers to the ID of the partition in the following format: 0200428_6E1CCA35-4BD4-102D-91CD-000C2907C76D or 20200428_6E1CCA35-4BD4-102D-91CD-000C2907C76D_20200607

    If there are more than one partition, specify the IDs separated by space. You can also use the wild cards for ID such as, 202004*.

    For example, to re-index a single event data partition, specify the following command:

    <installation_path>/opt/
    novell/sentinel/jdk/bin/java -cp /opt/novell/sentinel/lib/ccsapp-
    8.4.0.0-RELEASE.jar 
    esecurity.ccs.comp.event.indexedlog.IndexedLogRebuild -forcerebuild /
    var/opt/novell/sentinel/data/eventdata/events/20200428_6E1CCA35-4BD4-
    102D-91CD-000C2907C76D

    For example, to re-index multiple event data partitions for April 2020, specify the following command:

    <installation_path>/opt/
    novell/sentinel/jdk/bin/java -cp /opt/novell/sentinel/lib/ccsapp-
    8.4.0.0-RELEASE.jar 
    esecurity.ccs.comp.event.indexedlog.IndexedLogRebuild -forcerebuild /
    var/opt/novell/sentinel/data/eventdata/events/202004*

13.6.4 Importing Certificates to FIPS Keystore Database

To import:

  1. Change directory to /opt/novell/sentinel/bin, and run the following command:

    ./convert_to_fips.sh -i

  2. Specify the password for the FIPS keystore database.

  3. Specify the path of Elasticsearch certificate file:

    <installation_path>/opt/novell/sentinel/3rdparty/elasticsearch/config/http.pks

  4. Specify the certificate alias.

13.6.5 Updating the Keystore Password

The chg_keystore_pass.sh script allows you to change the keystore passwords. As a security best practice, change the keystore passwords immediately after upgrading Change Guardian.

NOTE:Do not perform this procedure if Change Guardian server is in FIPS mode.

To change the keystore passwords:

  1. Log in to the Change Guardian server as root.

  2. Switch user to novell.

  3. Go to the /opt/novell/sentinel/bin directory.

  4. Run the chg_keystore_pass.sh script and follow the on-screen prompts to change the keystore passwords.

NOTE:When you upgrade Change Guardian to 5.1 or later and change the keystore database password with specific special characters, the following exception are displayed: Failed to initialize Communicator.

13.6.6 Setting the Polling Interval in Agent Manager

The heartbeat of Change Guardian Agent for Windows (displayed as Polling Interval) and Security Agent for UNIX (displayed as Heartbeat) determines the frequency at which Change Guardian server checks health of agents. It is the interval at which any policy changes on the server is synced to agents. If you have less than 500 agents and configured up to 15 policies per agent, consider setting Polling Interval to 15 minutes. If you have more than 500 agents or configured more than 15 policies per agent, consider setting the interval to 60 minutes. This ensures that there is no congestion of network traffic due to exchange of policy and agent health data at frequent intervals.

In Agent Manager, click Manage Installation > Reconfigure, and set the desired Polling Interval.

NOTE:This interval is referred to as Heartbeat in Policy Editor.

13.6.7 Upgrading Python

During a traditional Change Guardian upgrade, when the base operating system version changes, you must check the Python version after upgrading both Change Guardian and the operating system. Change Guardian requires a compatible version of Python library to function properly and to ensure that the Change Guardian agents are upgraded successfully.

For example, consider that the base operating system changes from RHEL 6.10 to RHEL 7.9. If running the python –V command at the RHEL 6.10 server prompt shows Python version is 2.6.x, then after upgrading the command shows 2.7.x on RHEL 7.9. Although the operating system is using Python 2.7.x, Python shared object file (.so) might be built on Python 2.6.x.

Prerequisite: Before planning to upgrade Python, check which Python version the plpython2.so file is built on:

ldd <installation_path>/opt/novell/sentinel/3rdparty/postgresql/lib/postgresql/plpython2.so

If the output is as below, it indicates that this .so file is based on Python 2.6.x and you must upgrade Python after upgrading both Change Guardian and the operating system.

libpython2.6.so.1.0 => /usr/lib64/libpython2.6.so.1.0

If the output is as below, it indicates the .so file is not linked to a Python version, and you must upgrade Python after upgrading both Change Guardian and the operating system.

libpython2.6.so.1.0 => not found

To upgrade Python:

  1. Stop the Sentinel services:

    rcsentinel stop

  2. Change to the directory where plpython2.so file is present

    cd <installation_path>/opt/novell/sentinel/3rdparty/postgresql/lib/postgresql

  3. Remove the existing .so file which is pointing to 2.6.x:

    rm plpython2.so

  4. Extract the Python 2.7.x.so file, which is present in <installation_path>/opt/novell/sentinel/3rdparty/postgresql/lib/postgresql

    tar zxf plpython2.7.so.tar.gz

  5. Set novell user permission on the file

    chown novell:novell plpython2.so

  6. Verify that the file is pointing to the correct Python version:

    ldd <installation_path>/opt/novell/sentinel/3rdparty/postgresql/lib/postgresql/plpython2.so

  7. Start the Sentinel services:

    rcsentinel start