If you are using the evaluation license key, you must add the enterprise license key before the evaluation key expires to avoid any interruption in the Change Guardian functionality. For information about how to purchase the license, see the Change Guardian Product Web site.
You can also add a server license by using the Change Guardian web console.
To add a license key:
Log in to the Change Guardian server as root.
Change to the /opt/novell/sentinel/bin directory.
Change to the novell user:
su novell
Run the softwarekey.sh script:
./softwarekey.sh
Enter 1 to insert the license key.
Specify the license key, then press Enter.
The SHMMAX setting configures the maximum size, in bytes, of a shared memory segment for PostgreSQL. Desirable values for SHMMAX range from hundreds of megabytes to a few gigabytes.
To change the kernel SHMMAX parameter, append the following information to the /etc/sysctl.conf file:
# for Postgresql
kernel.shmmax=1073741824
NOTE: By default, SHMMAX is set to a low value on RHEL, so it is important to modify it when installing on this platform.
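As an added check that is not part of the Change Guardian documentation, the following Python script applies sysctl's comment rule to sysctl.conf-style text to tell whether kernel.shmmax is actually in effect, and classifies the value against an assumed window of 256 MiB to 4 GiB standing in for "hundreds of megabytes to a few gigabytes"; the sample inputs are constructed.

```python
"""Added example (not Change Guardian code): decide whether kernel.shmmax is
effectively set in sysctl.conf-style text. sysctl ignores every line whose
first non-blank character is '#' or ';', so a flattened entry such as
"# for Postgresql kernel.shmmax=1073741824" sets nothing at all."""

MIB, GIB = 1024 ** 2, 1024 ** 3
# Assumed bounds standing in for "hundreds of megabytes to a few gigabytes".
RECOMMENDED_MIN, RECOMMENDED_MAX = 256 * MIB, 4 * GIB


def parse_sysctl(text):
    """Return effective key/value pairs; a later assignment overrides an earlier one."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue  # blank, comment, or malformed line
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def check_shmmax(text):
    """Classify kernel.shmmax as ('missing'|'invalid'|'low'|'high'|'ok', value)."""
    value = parse_sysctl(text).get("kernel.shmmax")
    if value is None:
        return "missing", None
    try:
        shmmax = int(value)
    except ValueError:
        return "invalid", value
    if shmmax < RECOMMENDED_MIN:
        return "low", shmmax
    if shmmax > RECOMMENDED_MAX:
        return "high", shmmax
    return "ok", shmmax


# Constructed samples: the comment and setting run together on one line,
# and the same setting written correctly on its own line.
FLATTENED = "# for Postgresql kernel.shmmax=1073741824\n"
CORRECT = "# for Postgresql\nkernel.shmmax=1073741824\n"

if __name__ == "__main__":
    for name, sample in (("flattened", FLATTENED), ("correct", CORRECT)):
        print(name, check_shmmax(sample))
```

Run it against a copy of /etc/sysctl.conf to confirm the setting survives a paste; a result of "missing" means the kernel will keep its default.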
To determine the current date and time configured on the Change Guardian server, run the following command:
date -u
To synchronize the Change Guardian server date and time with an external time service, configure NTP.
You have the option to install the Change Guardian server using a static IP address or a dynamic (DHCP) IP address mapped to a hostname. For the Change Guardian server to work correctly when configured to use DHCP, ensure that the system can return its hostname correctly by using the following procedure:
Verify the hostname configuration:
cat /etc/HOSTNAME
Check the server hostname setting:
hostname -f
Verify the DHCP configuration:
cat /etc/sysconfig/network/dhcp
NOTE: The DHCLIENT_HOSTNAME_OPTION setting should reflect the fully qualified hostname of the Change Guardian server.
Resolve the hostname to the IP address:
nslookup FULLY_QUALIFIED_HOSTNAME
Resolve the Change Guardian server hostname from a remote client by running the following command on that client:
nslookup FULLY_QUALIFIED_CHANGEGUARDIANSERVER_HOSTNAME
Complete the following steps to configure SMTP:
You can also configure email servers by using Policy Editor.
To configure:
Export the certificate from the respective SMTP server site.
Browse to the Sentinel bin directory. The default location is /opt/novell/sentinel/bin.
Import the certificate:
convert_to_fips -i <certificate_path>
Restart the Change Guardian server using the following command:
rcsentinel restart
To configure:
Export the certificate from the respective SMTP server site.
Import the certificate:
/opt/novell/sentinel/jdk/jre/bin/keytool
NOTE: If you used a custom installation path, modify the command accordingly.
Restart the Change Guardian server:
rcsentinel restart
To receive alerts by email, complete the following steps:
To add email servers to the Change Guardian server and change the default email host settings:
Change directory:
cd /opt/netiq/cg/scripts
Set the email host settings:
configure.sh udei --admin-account=<admin_account> --admin-password=<admin_account_password> --mail-host=<SMTP_hostname> --mail-port=<SMTP_port> --mail-from=<e-mail_address> --secure-connection=<true/false>
NOTE: To configure a secure connection with STARTTLS, set the following option:
--secure-connection=true
Change Guardian uses the profile_javos profile for secure communication.
By default, TLS 1.1 is disabled for new installations. Enable TLS 1.1 if you want Change Guardian to run in FIPS mode.
To enable TLS 1.1:
Log in to the Change Guardian server as root.
Edit the /opt/novell/sentinel/jdk/jre/lib/security/java.security file.
Remove TLSv1.1 from the following list of disabled algorithms:
jdk.tls.disabledAlgorithms=TLSv1,TLSv1.1,SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL
Restart the Change Guardian server:
/opt/netiq/cg/scripts/cg_services.sh restart
Install valid certificates on the Change Guardian server by configuring trusted connections. This is required when authenticating to both the Change Guardian web console and the console that opens by clicking ADMINISTRATION from the web console.
The following sections provide information about configuring certificates:
To install certificates:
Log in to the Change Guardian server as root.
Switch user to novell.
Go to the /opt/novell/sentinel/setup directory.
(Optional) Generate a certificate signing request:
./ssl_certs_cg
Select Web Server.
Specify the certificate signing request (.csr) filename.
Get the .csr file signed by a certificate authority (CA).
Copy the CA root certificate chain (ca.crt) and the signed certificate (.crt) to /opt/novell/sentinel/setup.
Import the CA root certificate chain and the web server certificate:
Run the certificate configuration script:
./ssl_certs_cg
Select Import certificate authority root certificate.
Enter the CA root certificate chain file name (ca.crt).
Select Import certificate signed by certificate authority.
Select Web Server.
Specify the name of the file that contains the CA signed digital certificate.
Select another service if necessary or select Done and exit from the service option.
Select Exit to exit from the TLS/SSL certificate configuration.
Restart the Change Guardian server:
service sentinel restart
Import the CA root certificate chain to the computer where you want to use the Change Guardian web console.
You can use CA-signed certificates in place of the self-signed certificates provided by Change Guardian.
To replace the self-signed certificates on the server:
Log in to the Change Guardian server as root.
Switch user to novell.
Back up the existing certs folder, which is located at /opt/netiq/cgutils/certs.
Create a new certs folder at /opt/netiq/cgutils/.
Copy the CA-signed certificates to /opt/netiq/cgutils/certs.
Change the permission of the certs folder:
chmod 700 /opt/netiq/cgutils/certs
Rename the CA-signed certificate files as below:
cgca-cert.pem: Root CA certificate
cgca-pk.pem: Private key
cgca-pk.pem.pass: Private key password
Change the ownership of the CA-signed files:
chown novell:novell /opt/netiq/cgutils/certs/*
Go to the /opt/netiq/cgutils/bin directory and run the following command:
./cg_cert_setup.sh
The required certificates are created in the /opt/netiq/cgutils/certs/ directory.
Verify that the new certificates have the new CA name in the issuer field:
openssl x509 -in amsca-cert.pem -noout -text
openssl x509 -in javosca-cert.pem -noout -text
Go to the /opt/netiq/ams/ams/bin directory, and run the following commands:
./ams_cert_setup.sh --setup --profile=ams_new_profile_name
./ams_cert_setup.sh --enable --profile=ams_new_profile_name
NOTE: Do not change the default profile names; create a profile with a new name instead.
Confirm that the profile is enabled:
./ams_cert_setup.sh --show
Go to the /opt/netiq/cg/javos/bin/ directory and run the following commands:
./javos_cert_setup.sh --setup --profile=javos_new_profile_name
./javos_cert_setup.sh --enable --profile=javos_new_profile_name
Confirm that the profile is enabled:
./javos_cert_setup.sh --show
(Conditional) If the Change Guardian server is in FIPS mode, run the following commands:
/opt/netiq/ams/ams/bin/convert_to_fips.sh
/opt/netiq/cg/javos/bin/convert_to_fips.sh
(Optional) To test if the certificates are replaced successfully, remotely deploy an agent using Agent Manager and generate an event.
Change Guardian contains embedded third-party products such as JRE, Jetty, PostgreSQL, and ActiveMQ. Change Guardian includes patches to address security vulnerabilities (CVE) for these products with Change Guardian releases.
The third-party products have their own release cycles and new CVEs might be discovered before a Change Guardian release. You must review the CVEs for each embedded third-party product and decide whether to apply these updates to your Change Guardian deployment before getting a corresponding Change Guardian patch from Micro Focus. If you decide to apply patches to address these CVEs, contact Technical Support.
Change Guardian offers enhanced protection against security threats and compliance with United States federal government standards by supporting FIPS. Change Guardian leverages the FIPS 140-2 compliant features to meet the security requirements of United States federal agencies and customers with highly secure environments. Change Guardian is re-certified by Common Criteria at EAL3+ and provides FIPS 140-2 Inside.
Complete the following steps to configure FIPS:
To convert Change Guardian server:
As a root user, ensure that Mozilla Network Security Services (NSS) and Mozilla NSS Tools are installed on the Change Guardian server.
NOTE: To enable FIPS mode in SLES 12 SP3, you must install the libfreebl3-hmac and libsoftokn3-hmac packages.
(Conditional) If you want to change the keystore password:
At the Change Guardian server command prompt, switch to novell user.
Change directory to /opt/novell/sentinel/bin, and run the following command:
./chg_keystore_pass.sh
Follow the on-screen prompts to change the web server keystore passwords. You need this password later during this procedure.
Switch to root user.
Change directory to /opt/novell/sentinel/bin, and run the following command:
./convert_to_fips.sh
Specify n to back up the server.
Provide a password that meets the stated criteria. This password is required later during this procedure.
Specify y to insert external certificates in the keystore database.
Specify the path of the Elasticsearch certificate:
<installation_path>/opt/novell/sentinel/3rdparty/elasticsearch/config/http.pks
Specify the alias name of the certificate.
Specify y to restart the Sentinel server.
Ensure that the file /var/opt/novell/sentinel/log/server0.0.log contains the following entry:
Date_Timestamp|INFO|JAVOS listener|com.netiq.cg.capi.dao.UpgradeDao.upgrade
Upgrading EventDestination.Upgrade to fips compatible
Date_Timestamp|INFO|JAVOS listener|com.netiq.cg.capi.dao.UpgradeDao.upgrade
records updated=1 data={"service-host":"Server_Name","password":"Encrypted_Password","protocol":"vosrestdispatcher:rest
To convert javos services:
Change directory to /opt/netiq/cg/javos/bin, and run the following command:
./convert_to_fips.sh
Provide the password for the FIPS keystore database (the password you created in Step 5.b).
When prompted to restart the javos service, select y.
Ensure that the following entry is present in the /opt/netiq/cg/javos/log/javos.log file:
Creating a FIPS SSL listener on 8094
To convert ams service:
Change directory to /opt/netiq/ams/ams/bin, and run the following command:
./convert_to_fips.sh
Specify a password for the FIPS keystore database.
When prompted to restart the Agent Manager service, select y.
Ensure that the /opt/netiq/ams/ams/log/ams.log file contains the following entry:
INFO [Date_Timestamp,446] com.netiq.commons.security.FIPSProvider: Running in FIPS mode. Changing the SSL security provider from JSSE to FIPS. /opt/netiq/ams/ams/security/nss
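As an added check that is not part of the Change Guardian documentation, this Python script scans the three log files named in the procedure for the entries quoted above and reports which conversions took effect; the log text it runs on is a constructed sample, and the function names are the author's own.

```python
"""Added example (not Change Guardian code): confirm from the three log files
that each convert_to_fips.sh run took effect. Paths and expected entries are
those quoted in the procedure; the sample log text below is constructed."""

import re

# Entry each log should contain once the matching service runs in FIPS mode.
FIPS_MARKERS = {
    "/var/opt/novell/sentinel/log/server0.0.log":
        re.compile(r"Upgrading EventDestination\.Upgrade to fips compatible", re.I),
    "/opt/netiq/cg/javos/log/javos.log":
        re.compile(r"Creating a FIPS SSL listener on (?P<port>\d+)"),
    "/opt/netiq/ams/ams/log/ams.log":
        re.compile(r"Running in FIPS mode\. Changing the SSL security provider"),
}
JAVOS_PORT = 8094  # listener port quoted in the procedure


def check_fips_logs(logs):
    """logs: {path: contents}. Returns {path: {'converted', 'line', 'port'}}."""
    results = {}
    for path, pattern in FIPS_MARKERS.items():
        found = {"converted": False, "line": None, "port": None}
        for lineno, line in enumerate(logs.get(path, "").splitlines(), 1):
            match = pattern.search(line)
            if match:
                found.update(converted=True, line=lineno)
                if "port" in match.groupdict():
                    found["port"] = int(match.group("port"))
                break  # the first matching entry is enough
        results[path] = found
    return results


def all_in_fips_mode(results):
    """True only if every log has its entry and javos listens on the expected port."""
    javos = results["/opt/netiq/cg/javos/log/javos.log"]
    return all(r["converted"] for r in results.values()) and javos["port"] == JAVOS_PORT


# Constructed sample logs; timestamps are placeholders, not real output.
SAMPLE_LOGS = {
    "/var/opt/novell/sentinel/log/server0.0.log":
        "Date_Timestamp|INFO|JAVOS listener|com.netiq.cg.capi.dao.UpgradeDao.upgrade\n"
        "Upgrading EventDestination.Upgrade to fips compatible\n",
    "/opt/netiq/cg/javos/log/javos.log": "Creating a FIPS SSL listener on 8094\n",
    "/opt/netiq/ams/ams/log/ams.log":
        "INFO [Date_Timestamp,446] com.netiq.commons.security.FIPSProvider: Running in "
        "FIPS mode. Changing the SSL security provider from JSSE to FIPS.\n",
}
```

On a real server, replace SAMPLE_LOGS with the contents of the three files and treat any False from all_in_fips_mode as a conversion step that needs to be repeated.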