Version 9.0
Legal Notice
Copyright 2008 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, ActiveAdmin, BindView, bv-Control, Enterprise Security Manager, and LiveUpdate are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any. THE DOCUMENTATION IS PROVIDED AS IS AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE. The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, Rights in Commercial Computer Software or Commercial Computer Software Documentation, as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.
Technical Support
Symantec Technical Support maintains support centers globally. Technical Support's primary role is to respond to specific queries about product features and functionality. The Technical Support group also creates content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates. Symantec's maintenance offerings include the following:
A range of support options that give you the flexibility to select the right amount of service for any size organization
Telephone and Web-based support that provides rapid response and up-to-the-minute information
Upgrade assurance that delivers automatic software upgrade protection
Global support that is available 24 hours a day, 7 days a week
Advanced features, including Account Management Services
For information about Symantec's Maintenance Programs, you can visit our Web site at the following URL: www.symantec.com/techsupp/
Product release level
Hardware information
Available memory, disk space, and NIC information
Operating system
Version and patch level
Network topology
Router, gateway, and IP address information
Problem description:
Error messages and log files
Troubleshooting that was performed before contacting Symantec
Recent software configuration changes and network changes
Customer service
Customer service information is available at the following URL: www.symantec.com/techsupp/ Customer Service is available to assist with the following types of issues:
Questions regarding product licensing or serialization
Product registration updates, such as address or name changes
General product information (features, language availability, local dealers)
Latest information about product updates and upgrades
Information about upgrade assurance and maintenance contracts
Information about the Symantec Buying Programs
Advice about Symantec's technical support options
Nontechnical presales questions
Issues that are related to CD-ROMs or manuals
Consulting Services
Educational Services
To access more information about Enterprise services, please visit our Web site at the following URL: www.symantec.com Select your country or language from the site index.
Contents
Chapter 2
Installing the Control Compliance Suite components in a single setup mode
Installing the Control Compliance Suite components in a distributed setup mode
Installing the CCS Directory Server
Creating a DPS or an Application Server certificate
Installing the CCS Application Server
Installing the Data Processing Service
Installing the Web Portal
Installing the Control Compliance Suite Console
About using special characters in credentials
Chapter 3
Chapter 4
Chapter 5
Appendix A
Index
Chapter
Control Compliance Suite 9.0.1 Control Compliance Suite infrastructure requirements Control Compliance Suite server requirements Client requirements RMS data collector requirements
Control Compliance Suite server requirements See Control Compliance Suite server requirements on page 10. Control Compliance Suite client requirements See Client requirements on page 13.
In addition to these minimum requirements, each component has recommendations to ensure the highest performance. Some recommendations vary with the size of the deployment.
The domain where you install the Application Server and the Directory Server must be a Windows Server 2003 or a Windows Server 2008 domain. The functional level of the domain can be any of the following:
The Control Compliance Suite has not been validated on Windows Server 2008 "Server Core only" installations. Table 1-1 contains the minimum requirements for each component. Table 1-1 Component name
Application Server
Minimum memory
2 GB
Directory Server
2 GB
2.8 GHz
80 GB
Windows Server 2003 SP2 Windows Server 2003 SP2 x64 Windows Server 2003 R2 SP2 Windows Server 2003 R2 SP2 x64 Windows Server 2008 Windows Server 2008 x64
2 GB
2.8 GHz
160 GB
Windows Server 2003 SP2 Windows Server 2003 SP2 x64 Windows Server 2003 R2 SP2 Windows Server 2003 R2 SP2 x64 Windows Server 2008 Windows Server 2008 x64
Microsoft SQL Server 2005 SP2 The reporting database requires SSIS SP2
2 GB
2.8 GHz
80 GB
Windows Server 2003 SP2 Windows Server 2003 SP2 x64 Windows Server 2003 R2 SP2 Windows Server 2003 R2 SP2 x64 Windows Server 2008 Windows Server 2008 x64
Internet Information Services (IIS) 6.0. The 32-bit version and the 64-bit version are both supported. If the computer that hosts the Web Portal uses Windows Server 2008, the computer must have the Windows Authentication role added.
If .NET is not installed, the Control Compliance Suite installer prompts you to install it.
Note: The %temp% folder drive must have at least 600 MB free during the installation of any Control Compliance Suite component. The installer deletes the files that are created in the %temp% folder when the installation is complete. The %temp% folder is normally on the C:\ drive. In addition, the installer places a copy of the installation files in a media cache folder. On Windows Server 2003 computers, the media cache folder is C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Control Compliance Suite R and A\MediaCache. On Windows Server 2008 computers, the media cache folder is C:\ProgramData\Symantec\Symantec Control Compliance Suite - R and A\MediaCache. These files require approximately 700 MB.
Note: The %temp% folder drive must have at least 700 MB free during the installation of any Control Compliance Suite component. The installer deletes the files that are created in the %temp% folder when the installation is complete. The %temp% folder is normally on the C:\ drive. In addition, the installer places a copy of the installation files in a media cache folder. On Windows Server 2003 computers, the media cache folder is C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Control Compliance Suite R and A\MediaCache. On Windows Server 2008 computers, the media cache folder is C:\ProgramData\Symantec\Symantec Control Compliance Suite - R and A\MediaCache. These files require approximately 750 MB.
The computers that host the following components must be in the same LAN segment:
Application Server
Directory Server
Data Processing Service Load Balancer
Data Processing Service Evaluator
Data Processing Service Reporter
Control Compliance Suite Production database
Control Compliance Suite Reporting database
Control Compliance Suite Evidence database
Control Compliance Suite Web Portal
Client requirements
Before you install the Control Compliance Suite clients, you must ensure that the target computers meet the minimum requirements. Table 1-2 contains the minimum requirements for the Control Compliance Suite clients.
Control Compliance Suite client requirements Required Required operating system hard disk size
80 GB Windows XP Professional SP2
Minimum memory
1 GB
Minimum processor
2.8 GHz
Other requirements
Adobe Flash Player
Windows XP Professional SP2 x64 Microsoft Office Primary Interop Windows Vista Business or Assemblies Enterprise Windows Vista Business or Enterprise x64 Windows Server 2003 SP2 Windows Server 2003 SP2 x64 Windows Server 2003 R2 SP2 Windows Server 2003 R2 SP2 x64 Windows Server 2008 Windows Server 2008 x64
512 MB
1.2 GHz
40 GB
Windows XP Professional SP2 Windows XP Professional SP2 x64 Windows Vista Business or Enterprise Windows Vista Business or Enterprise x64 Windows Server 2003 SP2 Windows Server 2003 SP2 x64 Windows Server 2003 R2 SP2 Windows Server 2003 R2 SP2 x64 Windows Server 2008 Windows Server 2008 x64
The Control Compliance Suite has not been validated on Windows Server 2008 "Server Core only" installations. Microsoft Office and the Microsoft Office Primary Interop Assembly are required to import Microsoft Word documents as policies. You can use Microsoft Office XP or Microsoft Office 2003. The Control Compliance Suite dashboards require the Adobe Flash Player.
You can download the Adobe Flash Player Installer from the Adobe Web site. http://www.adobe.com/products/flashplayer/ To create user-defined reports, you must install Crystal Reports Developer 2008, part of the third-party Crystal Reports 2008 product. Crystal Reports Developer is required only on the Control Compliance Suite client that you use to create the user-defined reports.
Software
Microsoft Windows 2000 SP4 (server or workstation) Windows XP Professional SP1 Windows Server 2003 or later Microsoft Internet Explorer 5.5 SP2 or later Microsoft Outlook 2000, Novell GroupWise 5.5, Lotus Notes 5.0, or Lotus Domino (only required for emailing export files) Microsoft Excel (required for Excel (using OLE) export files) Client for Microsoft Networks
Note: For enhanced security, performance, and to simplify installation, only a local SQL Server is supported. The Control Compliance Suite 9.0.1 supports only the default instance of the SQL Server. Named instances are not supported.
install additional components to perform the actual data collection from your network. The individual components have the following requirements:
Enterprise Configuration Service:
  Pentium III 600 MHz
  128 MB RAM
  300 MB of free disk space
  Microsoft Windows 2000 SP3 (Server or Professional), Microsoft Windows XP Professional, Microsoft Windows Server 2003, or later
Query Engines:
  Pentium III 600 MHz
  256 MB RAM
  500 MB of free disk space
  Microsoft Windows 2000 SP3 (Server or Professional), Microsoft Windows XP Professional, Microsoft Windows Server 2003, or later
  Microsoft Internet Explorer 5.0 or later
Support Service:
  32 MB RAM
  Microsoft Windows 2000 SP3 (Server or Professional), Microsoft Windows XP Professional, Microsoft Windows Server 2003, or later
In large enterprises, the support service may require additional disk space for last logon data storage. These minimum hardware requirements are the minimum requirements for the default installation configuration, and do not reflect the needs of real-world environments. Actual processor speed and RAM requirements are a function of the number of simultaneous users. Query engine processor speed and RAM requirements are a function of the number of agents that the Slave Query Engine employs.
collect data from assets. The agent-based mode uses a software agent that you install on each computer to collect data. For additional information on using agent-based or agentless data collection in bv-Control for UNIX, see the bv-Control for UNIX Help. Make sure the operating systems on all UNIX computers have the latest patches installed. Consult your UNIX vendor documentation for information on the latest patches for your operating system. Note: You must have administrative rights for each computer where you install the agent. The bv-Control for UNIX agent installation has the following hardware requirements:
Sun SPARCstation 1 or UltraSPARC for Solaris
HP 9000 UNIX servers, or HP Visualize UNIX workstations (classes B, C, and J)
IBM RS/6000 UNIX workstations and servers
Intel or equivalent for Red Hat and SUSE Linux
20 MB disk space
TCP/IP network
The bv-Control for UNIX agent installation on the target computer has the following software requirements:
Sun Solaris operating environment versions 5.8, 5.9, and 5.10 of both SPARC and x86 architecture
Red Hat Linux versions 8.0 and 9.0
Red Hat Enterprise Linux AS/ES version 3.0, 4.0 and Red Hat Enterprise Linux 5.0, and 5.0 of Intel Itanium architecture
Hewlett-Packard HP-UX versions 11.00, 11.11(11iv1), 11.23(11iv2), 11.23 (11iv2) of Intel Itanium architecture, and 11.31 (of both PA-RISC and Itanium architecture)
IBM AIX versions 5.1, 5.2, and 5.3
SUSE Linux versions 8.2, 9.0, and 9.1
SUSE Linux Enterprise Server (ES) versions 9.0, 9.2, 9.3, 10.0, and 10.0 of Intel Itanium architecture
openSSH installed on each UNIX target computer
Because bv-Control for UNIX packages the x86 32-bit package for RHEL and SLES Itanium platforms, the IA32 emulation layer is required to run the agent. The following packages must be present on the RHEL Itanium target computers and SLES Itanium target computers along with their respective dependencies:
bash-x86
coreutils-x86
cracklib-x86
db-x86
glibc-x86
Ia32el
libgcc-x86
libxcrypt-x86
ncurses-x86
pam-modules-x86
pam-x86
readline-x86
libstdc++-x86
The Ia32el service that is required for query execution must be running on the target computers before installation of the UNIX agent. The command to run the service is as follows:
[root@rhel5ita rpm]# service ia32el status
Intel IA-32 Execution Layer in use
[root@rhel5ita rpm]#
The operating systems that are supported by the target computers in the agentless registration mode only are as follows:
VMware ESX The supported versions for the VMware ESX operating system are as follows:
Linux
Linux is supported on zSeries of IBM computers
Red Hat Linux Advanced Server (AS) 2.1
SUSE Linux 8.0 and 8.1
SUSE Linux Enterprise Server (ES) 8.1
The architecture that is supported by the operating systems, when configured in both the agent-based and agentless registration modes is as follows:
AMD Opteron The operating systems are as follows:
Red Hat Enterprise Linux 5.0
SUSE Linux Enterprise Server 10.0
Sun OS 5.10
Microsoft Windows 2000 SP4 server or workstation, Windows XP Professional SP1, or Windows Server 2003 or later Microsoft Internet Explorer 5.5 SP2 or later 50 MB disk space TCP/IP network
On UNIX hosts, some information that bv-Control for Oracle requires is based on the underlying UNIX operating system. The bv-Control for UNIX snap-in can collect the data if the bv-Control for UNIX snap-in is installed. If you do not use bv-Control for UNIX, you must install the bv-Control for Oracle UNIX agent. Note: Make sure that the operating systems on all UNIX computers have the latest patches installed. Consult your UNIX vendor documentation for information on the latest patches for your operating system.
The UNIX agent for bv-Control for Oracle (UNIX agent) can be installed only on the computers that meet certain requirements. You must ensure that your workstation is compliant with the system requirements before you install and execute the UNIX agents. Note: You must have administrative rights on the computer where you install the UNIX agent for bv-Control for Oracle. The UNIX agent for bv-Control for Oracle installation on the target computer has the following hardware requirements:
Sun SPARCstation1 or UltraSPARC for Solaris, or x86 Solaris
HP9000 UNIX servers, HP Visualize UNIX workstations (classes B, C, and J)
IBM RS/6000 UNIX workstations and servers
Intel or equivalent for Red Hat and SUSE Linux
20 MB disk space
TCP/IP network
The UNIX agent installation on the target computer has the following software requirements:
Sun Solaris Operating Environment 5.8, 5.9, and 10
Red Hat Linux 8.0 and 9.0
Red Hat Linux Advanced Server (AS) 2.1, and Red Hat Enterprise Linux AS/ES version 3.0, and 4.0
Hewlett-Packard HP-UX 11.00, 11.11(11iv1), and 11.23(11iv2)
IBM AIX 5.1, 5.2, and 5.3
SUSE Linux 8.0, 8.1, 8.2, 9.0, and 9.1
SUSE Linux Enterprise Server (ES) 8.1, 9.0, 9.2, and 9.3
openSSH installed on each UNIX target computer
xterm terminal on each UNIX target computer
You must address some additional requirements to install the UNIX agents for bv-Control for Oracle. The additional requirements are as follows:
All UNIX target computers with openSSH installed
All UNIX target computers with xterm terminal
The domain of the Windows credentials that are supplied for connecting with the Oracle server must have a one-way trust with the Information Server domain. Otherwise, the server is displayed as Unknown during the product configuration. The credential user needs certain privileges to run queries on database-related data sources. For information on specific SELECT privileges to query database-related data sources, see the bv-Control for Oracle Getting Started Guide. For Oracle Database Version 9i and later, you can provide the following privileges:
SELECT ANY DICTIONARY: Allows access to the required data dictionary objects.
SELECT ON SYSTEM.PRODUCT_USER_PROFILE: Allows access to the SYSTEM.PRODUCT_USER_PROFILE synonym, which is used for reporting in the SQL*Plus Security data source.
For Oracle Database Version 8i, you can provide the following privileges:
SELECT_CATALOG_ROLE: Allows access to the required DBA_ views and the V$ dynamic performance views.
SELECT ON SYSTEM.PRODUCT_USER_PROFILE: Allows access to the SYSTEM.PRODUCT_USER_PROFILE synonym, which is used for reporting in the SQL*Plus Security data source.
Note: Oracle 8i does not have SELECT ANY DICTIONARY privilege, and the SELECT ANY TABLE PRIVILEGE is not useful if O7_DICTIONARY_ACCESSIBILITY is set to false. The following privileges grant access to the dictionary objects that are required for reporting on the Database Audit Trail data source:
SELECT ON SYS.OBJAUTH$
SELECT ON SYS.OBJ$
SELECT ON SYS.USER$
SELECT ON SYS.COL$
SELECT ON SYS.TABLE_PRIVILEGE_MAP
For Oracle 8i, you must grant the SELECT privileges on individual data dictionary objects because Oracle 8i does not support the SELECT ANY DICTIONARY privilege. Also, the SELECT ANY TABLE privilege does not allow access to data dictionary objects when the O7_DICTIONARY_ACCESSIBILITY parameter is set to FALSE. bv-Control for Oracle normally does not require the Oracle Client to be installed on the Information Server. The Oracle client, with Oracle Advanced Security enabled, must be installed only when network data encryption is required. For more information on configuring Network Data Encryption, see the bv-Control for Oracle Help.
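A review helper for the grant script that provisions the Oracle query credential, checking it against the privileges listed above for Oracle 8i and for 9i and later. This is an added example, not Symantec's code; the account name ccs_scan, the sample scripts, the CREATE SESSION allowance, and the choice to apply the Database Audit Trail grants to 8i only are assumptions.

```python
import re

# Privileges the guide lists for the query credential, by Oracle release.
REQUIRED = {
    "9i+": {"SELECT ANY DICTIONARY", "SELECT ON SYSTEM.PRODUCT_USER_PROFILE"},
    "8i": {"SELECT_CATALOG_ROLE", "SELECT ON SYSTEM.PRODUCT_USER_PROFILE"},
}

# Object grants the guide lists for the Database Audit Trail data source.
# Assumption: applied to 8i only, because the guide ties them to its 8i note.
AUDIT_TRAIL_8I = {
    "SELECT ON SYS.OBJAUTH$",
    "SELECT ON SYS.OBJ$",
    "SELECT ON SYS.USER$",
    "SELECT ON SYS.COL$",
    "SELECT ON SYS.TABLE_PRIVILEGE_MAP",
}

# Not in the guide: an Oracle account needs CREATE SESSION to log on at all.
LOGON = {"CREATE SESSION"}

_GRANT = re.compile(
    r"^\s*GRANT\s+(?P<privs>.+?)(?:\s+ON\s+(?P<obj>\S+))?\s+TO\s+(?P<user>\w+)"
    r"(?P<opt>\s+WITH\s+(?:ADMIN|GRANT)\s+OPTION)?\s*;?\s*$",
    re.IGNORECASE,
)


def parse_grants(script, user):
    """Map each privilege the script grants to `user` to True when it is
    granted WITH ADMIN/GRANT OPTION (the account could pass it on).

    Assumes one GRANT statement per line; comments and blanks are skipped.
    """
    held = {}
    for line in script.splitlines():
        m = _GRANT.match(line)
        if not m or m.group("user").upper() != user.upper():
            continue
        obj = m.group("obj")
        for priv in m.group("privs").split(","):
            name = " ".join(priv.upper().split())  # normalise case and spacing
            if not name:
                continue
            if obj:
                name = f"{name} ON {obj.upper()}"
            held[name] = held.get(name, False) or bool(m.group("opt"))
    return held


def review(script, user, release, audit_trail=False):
    """Compare a grant script with the guide's list for `release`.

    Returns the privileges that are missing, those granted beyond the list,
    and those the account could delegate to other users.
    """
    if release not in REQUIRED:
        raise ValueError(f"unknown release {release!r}; use '8i' or '9i+'")
    required = set(REQUIRED[release])
    if audit_trail and release == "8i":
        required |= AUDIT_TRAIL_8I
    held = parse_grants(script, user)
    return {
        "missing": sorted(required - set(held)),
        "excess": sorted(set(held) - required - LOGON),
        "delegable": sorted(p for p, can_delegate in held.items() if can_delegate),
    }


# Constructed sample scripts for a hypothetical account named ccs_scan.
SAMPLE_9I = """\
-- constructed example, Oracle 9i or later
GRANT CREATE SESSION TO ccs_scan;
grant select any dictionary to ccs_scan with admin option;
GRANT SELECT ANY TABLE TO ccs_scan;
GRANT DBA TO app_owner;
"""

SAMPLE_8I = """\
-- constructed example, Oracle 8i
GRANT CREATE SESSION TO ccs_scan;
GRANT SELECT_CATALOG_ROLE TO ccs_scan;
GRANT SELECT ON SYSTEM.PRODUCT_USER_PROFILE TO ccs_scan;
GRANT SELECT ON SYS.OBJAUTH$ TO ccs_scan;
GRANT SELECT ON SYS.OBJ$ TO ccs_scan;
GRANT SELECT ON SYS.USER$ TO ccs_scan;
GRANT SELECT ON SYS.COL$ TO ccs_scan;
"""

if __name__ == "__main__":
    print(review(SAMPLE_9I, "ccs_scan", "9i+"))
    print(review(SAMPLE_8I, "ccs_scan", "8i", audit_trail=True))
```

The "excess" and "delegable" lists are the ones to look at before the script is run: anything there gives the scanning credential more reach than the guide asks for.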
Microsoft SQL Server Desktop Edition 1.0 and 2000
Microsoft SQL Server Standard Edition 7.0, 2000, and 2005
Microsoft SQL Server Personal Edition 2000
Microsoft SQL Server Enterprise Edition 7.0, 2000, and 2005
Microsoft SQL Server Developer Edition 2000 and 2005
Microsoft SQL Server Workgroup Edition 2005
Microsoft SQL Server Express Edition 2005 (the auditing feature is not supported)
Note: To query against Microsoft SQL Server 2005, you must install the SQL Distributed Management Object component, SQLDMO.dll, on the Information Server. You can install the component either separately or from the CCS_DataCollection\Redist folder on the product disc.
Certain minimum rights are required for querying against the data sources. You specify the credentials that meet these minimum rights in the Credentials Database. The following minimum user rights are required to query the SQL Server:
The user credentials for Windows or SQL Server that are supplied for connecting to the SQL Server must be a user for the SQL Server. Otherwise, the credential verification in bv-Control for Microsoft SQL Server fails.
User credentials for Windows or SQL Server that are supplied for connecting to the SQL Server must have read rights on the master database. This master database must belong to the SQL Server that is queried. Otherwise, the credential verification in bv-Control for Microsoft SQL Server fails.
For a query on a particular database on the SQL Server, the read rights are required on that database.
The product supports queries for the target SQL Servers in an untrusted domain. You should use SSL to encrypt application traffic between the Information Server and the target SQL Server. The bv-Control for Microsoft SQL Server functionality does not require SSL communication to be enabled. The product works seamlessly with the encrypted or non-encrypted protocols to communicate with the SQL Server. The communications preferences are set in the SQL Server client configuration. You should also ensure that your SQL Server is patched appropriately and regularly for any vulnerabilities that are related to the open SQL port. When you use SQL audits, you may configure bv-Control for SQL Server to collect only the required information. SQL audits can generate large data sets. The large data sets can have an impact on the disk space requirement or the network bandwidth requirements. In addition, the amount of data might degrade SQL Server performance.
Chapter
Prerequisites for installing the product components
General installation sequence of Control Compliance Suite
About the root security certificate
User Privileges for installing the components
Infrastructure network ports
About licensing of the product components
Installing RMS Console and Information Server
Installing the Control Compliance Suite components in a single setup mode
Installing the Control Compliance Suite components in a distributed setup mode
Installing Control Compliance Suite components Prerequisites for installing the product components
Visual C++ 2005 redistributable framework
  The setup installs the software automatically during the installation of the distributed components.

Microsoft .NET 3.0 redistributable framework
  The setup installs the software automatically during the installation of the distributed components.

Microsoft SQL Server 2005 SP2
  You must manually install the software or use an existing installation. Control Compliance Suite creates a production database and a reporting database to store the compliance data. Depending on the scale of the deployment, you might require one or more Microsoft SQL Server 2005 SP2 installations.

Microsoft SQL Server Integration Services SP2 (SSIS)
  You must manually install the software to create the SSIS database, which is used for reporting purposes. The SQL Server connects to the msdb database and deploys the SQL agent jobs and the SSIS packages. The SQL agents and the SSIS packages synchronize data between the production and the reporting databases.

Microsoft SQL Server 2005 management object collection
  The setup installs the software automatically during the installation.
  Note: The Application Server must be configured to use the SSL connections for the Microsoft SQL Server instances that host the Control Compliance Suite databases. If you use SSL connections, you must ensure that you configure them before you install the Control Compliance Suite. Refer to the Microsoft SQL Server documentation (http://support.microsoft.com/kb/316898) for information about configuring SSL connections.

Crystal Reports 2008
  The setup installs the software automatically on the computer that is installed with the Data Processing Service (DPS) component. You must install Crystal Reports 2008 only on the DPS computer that is configured with the role of a reporter.
  If you fail to install Crystal Reports 2008, then you can manually install the software, CrystalReportsDotNet.MSI from the <installation directory>/Symantec/CCS/Reporting and Analytics/Application Server/REDIST folder of the CCS Application Server. You can also install CrystalReportsDotNet.MSI from the product disc folder, CCS_Reporting\Redist.

ADAM SP1 instance
  The setup installs the software automatically on the computer that is installed with the CCS Directory Server component.

Symantec LiveUpdate Client
  The setup installs the software automatically during the installation of the distributed components.

Macromedia Flash 11
  You must manually install the software that is required for the Reporting module of Control Compliance Suite.

To install CCS Web Portal, ensure that the following configurations are performed:
Internet Explorer (IE)
Configure the following for the IE:
  Add the URL to the Local Intranet Zone.
  Enable the Windows Integrated Authentication.
  Logon automatically with the current username and password or logon automatically only in the intranet zone.

Check the Windows Integrated Authentication option.
Add the following:
  http/<computer-name>:<port> <iis-computer-name>
  http/<FQDN> <iis computer-name>
ASP.NET v2.0.50727
Installing Control Compliance Suite components General installation sequence of Control Compliance Suite
Run the following command to install the Web Service Extension:
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe -i
Active Server Pages Web Service Extension The setup automatically installs the application.
Installation of the CCS Directory Server. The CCS Directory Server installation involves the following tasks:
Installation of the Directory Support Service
Installation of the ADAM SP1 instance
  The ADAM SP1 installation is a prerequisite for installing the Directory Support Service. On the Windows Server 2008 computer, you need to manually install the component ADLDS, which is the equivalent of ADAM SP1.
Installation of the Management Services
  The root certificate is encrypted, stored, and managed by the Management Services.
Installation of the Certificate Management Console
  The Certificate Management Console is used to create the certificates that are deployed on the computers on which the components are installed.
See Creating a DPS or an Application Server certificate on page 59.
Installing Control Compliance Suite components About the root security certificate
Installation of the CCS Application Server. The CCS Application Server installation involves the following tasks:
Installation of the Application Server Service
Installation of the Technical Standards Pack
Installation of the Regulations and Frameworks Pack
Installation of the production database
Installation of the reporting database
Installation of the SSIS packages
For any deployment scenario, you can deploy one CCS Directory Server and one CCS Application Server. There can be multiple installations of the Data Processing Service components. The installation logs that are generated during the installation of the product and their location for various operating systems are as follows:
On all supported versions of Windows Server 2003 computers: C:\Documents and Settings\<user name>\Local Settings\Temp\CSMSetup
On all supported versions of Windows Server 2008 computers: system_drive:\Users\ADMINI-1.C1Q\AppData\Local\Temp\CSMSetup
Installing Control Compliance Suite components User Privileges for installing the components
The properties that are to be specified for creating the root certificate and their descriptions are as follows:
Organization: The name of your organization.
Division: The division to which your organization belongs.
City: The name of the city of your organization.
State/Province: The name of the state or province to which the city belongs.
Country: The name of the country. The country code must consist of two alphabet characters.
Expire in: The expiration time period of the root certificate.
The password to authenticate the certificate.
Re-authenticate the password that you have typed.
Lists the privileges of the user to install the CCS components Components installed
The following components are installed for the CCS Directory Server:
ADAM / ADLDS
Domain user
Directory Support Service Local administrator (of the local computer) Management Services
Certificate Management Console (CMC) You must have all the following user privileges to install the component: Domain user if using Windows authentication for the SQL Server or local user if using SQL authentication for the SQL server Local administrator (of the local computer) sysadmin role (in the SQL server)
The following components are installed for the CCS Application Server:
Deployment type: CCS Additional Services with DPS in the reporting role
Components installed: Data Processing Service component that is configured in the reporting role
You must have all the following user privileges to install the component:

Deployment type: CCS Additional Services with DPS in the data evaluator role
Components installed: Data Processing Service component that is configured in the data evaluator role
You must have all the following user privileges to install the component:
Table 2-1
Lists the privileges of the user to install the CCS components (continued) Components installed User privileges for CCS component installation
Deployment type
Deployment type: CCS Additional Services with DPS in other roles
Components installed: Data Processing Service component that is configured with roles of load balancer or data collector
You must have all the following user privileges to install the component:
Local or domain user
Local administrator
Control Compliance Suite infrastructure uses three types of SQL databases: production, reporting, and evidence. The Application Server uses the databases that are created. You can install the SQL Server on the same computer on which the Application Server component is installed or on a separate computer. You can either provide different credentials for each of the three databases or use the same credentials for all three of them. During the SQL Server installation, you can choose between using Windows credentials (integrated security) and SQL credentials to connect to the SQL Server. If you use Windows authentication, the credentials of the user who installs the Application Server are used to connect to the SQL Server. The credentials of the service user are used after installation. In this case, during installation, the service account that is specified is added to the role, Public in the SQL Server with db_owner privilege for the databases. If SQL authentication is used, the same credentials are used during installation and by the service account.
Table 2-2 Deployment type
CCS Directory Server
Lists the privileges of the user for the CCS services CCS services User privileges for CCS service accounts
The following services are You must have all the specific to the CCS Directory following user privileges for Server: the services: Symantec Directory Support Service Symantec Management Services Service
CCS services: Symantec Application Server Service
User privileges for CCS service accounts: You must have all the following user privileges for the service:
SQLAgentUserRole, db_datareader, and db_dtsoperator roles for msdb database
Logon as a batch job on the SSIS computer

Deployment type: CCS Additional Services with DPS in the reporting role
CCS services: Symantec Data Processing Service for the reporting role
User privileges for CCS service accounts: You must have all the following user privileges for the service:
Logon Locally for service account of Application Server on DPS machine
db_datareader and db_datawriter roles for CSM_Reports database
Delete, execute, insert, and update permissions on CSM_Reports database

Deployment type: CCS Additional Services with DPS in the data evaluator role
CCS services: Symantec Data Processing Service for the data evaluation role
User privileges for CCS service accounts: You must have all the following user privileges for the service:
Local or domain user
Local administrator
Logon locally for the service account of the Application Server on the DPS computer
Deployment type: CCS Additional Services with DPS in other roles
CCS services: Symantec Data Processing Service for roles of a load balancer or data evaluator
User privileges for CCS service accounts: You must have all the following user privileges for the service:
Note: You must set up the Microsoft SQL Agent Service as a local system account. If your domain account is used, then the account must be assigned to the sysadmin role for the Microsoft SQL Server. In addition, the account must be added to the group SQLServer2005SQLAgentUser$ComputerName$InstanceName.
Identify the user accounts that you want to use as the service accounts for DSS and Application Server. The user accounts must have the necessary privileges.
Create the Service Principal Name (SPN) for the Application Server and the DSS services. The SPN for both the short NetBIOS name and the fully-qualified host name (FQDN) is created. While delegation can work without SPN in Windows Server 2000 domains, it can also fail depending on the operating system that is in use. You must associate an SPN to a single user account. The service-name portion of the SPN must match the following:
SetSpn -A Symantec.CSM.AppServer/appserver_machine domain\appserver_account
SetSpn -A Symantec.CSM.AppServer/appserver_machine.fqn domain\appserver_account
SetSpn -A Symantec.CSM.DSS/dss_machine domain\dss_account
SetSpn -A Symantec.CSM.DSS/dss_machine.fqn domain\dss_account
Enable delegation for the Application Server's service account. The following service accounts are to be enabled:
Windows Server 2000 Domain: In the user properties for the Application Server account, go to the Account tab and check the option, Account is trusted for delegation.
In the user properties, go to the Delegation tab and select the option, Trust this user for delegation to any service (Kerberos only).
When installing the Application Server, specify the FQDN when prompted by the setup for the computer that installed the DSS. It is not mandatory to specify the FQDN, but sometimes specifying a short NetBIOS name can cause problems.
Set up delegation on the Application Server account. In Active Directory Users and Computers, open the properties for the Application Server's service account and make the following changes on the Delegation tab:
Select Trust this user for delegation to specified services only
Select Use any authentication protocol
Under Services to which this account can provide delegated credentials do the following:
Click Add and type in the name of the machine where DSS is installed. From the list of services, select the service, LDAP that has the same port number as the port where the ADAM instance is running and click OK.
Click Add and type the name of the service account for which the DSS service is running. You can view the custom SPN that was created for the DSS before installation. Select the service and click OK.
On the Application Server computer, open the Local Security Policy editor. Navigate to Local Policies -> User Rights Assignment and grant the privilege, Act as part of the operating system to the Application Server.
Configure the Application Server in the following manner to use S4U authentication:
In the CCS Console, go to Settings -> System Topology. Select the Application Server component, and open Edit Settings. Change the Authentication type to "Use controlled delegation of security rights".
Reboot the Application Server computer so that the delegation settings can take effect.
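The following Python check is an added example, not part of the Symantec guide: it audits the directory state that the SPN and delegation steps above should leave behind, using a constructed export. The account names, host names and sample records are assumptions; the attribute names and flag values are the standard Active Directory ones, where "delegation to any service" sets TRUSTED_FOR_DELEGATION, "specified services only" fills msDS-AllowedToDelegateTo, and "Use any authentication protocol" sets TRUSTED_TO_AUTH_FOR_DELEGATION.

```python
# Added example: audit the SPN and delegation state of the CCS service accounts.
# Account names, host names and both exports are constructed for illustration.

TRUSTED_FOR_DELEGATION = 0x80000            # delegation to any service
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # "Use any authentication protocol"
NORMAL_ACCOUNT = 0x200

APP = {"account": "svc_ccsapp", "service": "Symantec.CSM.AppServer",
       "host": "ccsapp01", "fqdn": "ccsapp01.corp.example.com"}
DSS = {"account": "svc_ccsdss", "service": "Symantec.CSM.DSS",
       "host": "ccsdss01", "fqdn": "ccsdss01.corp.example.com"}
DSS_SPNS = ["Symantec.CSM.DSS/ccsdss01", "Symantec.CSM.DSS/ccsdss01.corp.example.com"]


def account(name, uac, spns, delegate_to=()):
    return {"sAMAccountName": name, "userAccountControl": uac,
            "servicePrincipalName": list(spns),
            "msDS-AllowedToDelegateTo": list(delegate_to)}


# State the procedure is meant to produce.
GOOD_EXPORT = [
    account("svc_ccsapp", NORMAL_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION,
            ["Symantec.CSM.AppServer/ccsapp01",
             "Symantec.CSM.AppServer/ccsapp01.corp.example.com"],
            ["ldap/ccsdss01.corp.example.com:3890"] + DSS_SPNS),
    account("svc_ccsdss", NORMAL_ACCOUNT, DSS_SPNS),
]

# Three mistakes: the Application Server FQDN SPN is missing, a DSS SPN is also
# registered on a second account, and delegation is allowed to any service.
BAD_EXPORT = [
    account("svc_ccsapp", NORMAL_ACCOUNT | TRUSTED_FOR_DELEGATION,
            ["Symantec.CSM.AppServer/ccsapp01"]),
    account("svc_ccsdss", NORMAL_ACCOUNT, DSS_SPNS),
    account("svc_old", NORMAL_ACCOUNT, ["symantec.csm.dss/CCSDSS01"]),
]


def spn_owners(export):
    """Map each SPN (compared case-insensitively) to the accounts holding it."""
    owners = {}
    for entry in export:
        for spn in entry["servicePrincipalName"]:
            owners.setdefault(spn.lower(), set()).add(entry["sAMAccountName"])
    return owners


def check_spns(export, role):
    """Both the NetBIOS and the FQDN SPN must exist, on the role's account only."""
    findings, owners = [], spn_owners(export)
    for name in (role["host"], role["fqdn"]):
        spn = f'{role["service"]}/{name}'
        held_by = owners.get(spn.lower(), set())
        if not held_by:
            findings.append(f"missing SPN {spn}")
        elif held_by != {role["account"]}:
            findings.append(f"SPN {spn} registered on {sorted(held_by)}")
    return findings


def delegation_mode(entry):
    """Classify the Delegation tab setting from the directory attributes."""
    uac = entry["userAccountControl"]
    if uac & TRUSTED_FOR_DELEGATION:
        return "any-service"
    if not entry["msDS-AllowedToDelegateTo"]:
        return "none"
    if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
        return "specified-services/any-protocol"
    return "specified-services/kerberos-only"


def check_delegation(export, app, dss):
    """Application Server account: specified services, any protocol, DSS host only."""
    entry = next((e for e in export if e["sAMAccountName"] == app["account"]), None)
    if entry is None:
        return [f'account {app["account"]} not in export']
    findings = []
    mode = delegation_mode(entry)
    if mode != "specified-services/any-protocol":
        findings.append(f'{app["account"]} delegation mode is {mode}')
    allowed_hosts = {dss["host"].lower(), dss["fqdn"].lower()}
    for target in entry["msDS-AllowedToDelegateTo"]:
        # SPN layout: serviceclass/host[:port][/servicename]
        host = target.partition("/")[2].split("/")[0].split(":")[0].lower()
        if host not in allowed_hosts:
            findings.append(f"unexpected delegation target {target}")
    return findings


def audit(export, app=APP, dss=DSS):
    return check_spns(export, app) + check_spns(export, dss) + check_delegation(export, app, dss)


if __name__ == "__main__":
    print(audit(GOOD_EXPORT), audit(BAD_EXPORT), sep="\n")
```

An empty list means both SPN forms exist on exactly one account each and the Application Server account can delegate only to services on the DSS host.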
Member of the IIS_WPG local group
Full permissions to the .NET directory
Full permissions to the Windows\Temp directory
The Control Compliance Suite Web Portal is installed with the anonymous access setting for the CCS_Web site. You should change the setting to use Windows Integrated authentication and disable anonymous access. In the web.config file for the Control Compliance Suite Web Portal, you must set the SPN value. The format for the value should be
account@domain_name.com
AppServer RAMServer
If you use Control Compliance Suite assets with the RAM questionnaires, you must use Kerberos authentication.
Installing Control Compliance Suite components About licensing of the product components
12367 1977 80
The following ports must be open to allow the DPS Collector to connect to a Symantec RMS data collector:
Port 5600 must be open to allow the DPS Collector to connect to a Symantec ESM data collector. Note: You must use a port in the range from 1024 to 65535 for the Directory Server.
Installing Control Compliance Suite components Installing RMS Console and Information Server
components. In an ideal distributed setup, the DSS must be installed first followed by the installation of the Application Server. In such a scenario, the core license is not mandatory for the Application Server installation. For the Policy module of Control Compliance Suite, you need to provide the license in the post-installation of the product.
Microsoft SQL Server 2005 Express SP2
Windows Installer 3.1
Microsoft .NET Framework 2.0
If the installation program determines that you need to install one or more of these requirements, an error message appears. The installation program prompts you to install the required software. When the installation is complete, the data collection infrastructure installation continues.
Preinstallation requirements
Before you install a Console or Information Server on a computer, the computer must meet the minimum system requirements. Note: If the selected computer does not meet the minimum requirements, the installation can fail. In addition, ensure the following:
You are a Windows Administrator of the computer where you install the Console or Information Server.
You have rights to the Microsoft SQL Server database if the Information Server computer also hosts Microsoft SQL Server.
Before you install your infrastructure, review the Release Notes files for the RMS Console and Information Server and the bv-Control products. The Release Notes folder resides inside the Documentation folder of the product disc. Note: You can install the RMS Console and Information Server in a Windows Workgroup, but Symantec does not recommend that you do so. If you install in a Windows Workgroup, the RMS Console and Information Server must use the same user name and password on each host computer.
Types of Installations
The Symantec Control Compliance Suite setup program provides different installation options to suit different network configurations. The following installation options are available:
RMS Console with local Information Server
RMS Console only (connects to an existing Information Server)
When you install the Console with a local Information Server, both products are installed on the same computer. Users of other consoles can remotely connect to the Information Server that you install if they have access rights. When you install only a console, you must select an existing remote Information Server for the console to use. If your network has a dedicated remote Information Server for the enterprise-wide queries, or for area-specific queries, you can install the connecting consoles.
1 Insert your Symantec Control Compliance Suite 9.0 product disc into the disk drive on your computer.
2 In the Symantec Control Compliance Suite DemoShield, click Data Collection. The installation wizard starts and checks for the prerequisites.
3 If any prerequisites are absent, a warning message appears. In the warning message, click Yes to install the missing prerequisites.
4 In the End-User License Agreement panel, read the license agreement and click I accept the terms in the License Agreement to accept the terms of the agreement. Click Next to continue.
5 In the Install Type panel, select the type of installation to perform.
Click RMS Console to install only the RMS Console on your computer. This option adds Consoles to the RMS network that connect to an existing remote Information Server. You must have an existing Information Server to use this option.
Click RMS Console & Information Server to install both the RMS Console and a new Information Server. You must install at least one Information Server.
If your computer does not have access to a product disk drive, contact Symantec Technical Support for assistance.
6 The Licensing panel lets you add licenses to your RMS Console and Information Server. Drag and drop license files into the window, or click Browse to locate the license files. After you add all of the licenses, click Next to continue.
7 In the Feature Selection panel, select the features that you want to install. Only licensed features appear in the list of available features. Click the box next to a feature name to select it. Click Next to continue.
8 In the Target Path panel, specify the folder for the software installation. You can accept the default location, or type a path, or click Browse to select a new location. Click Next to continue.
9 The Prerequisites panel lists the prerequisites for the features that you have selected. Any missing prerequisites are marked with a red X icon. You must manually add the prerequisites before you can complete the installation. The installer can help you to install prerequisites. Click the plus (+) symbol beside a prerequisite with a red X icon to list additional details. Click Install to install the prerequisite. If you install a service such as MSDE, you must start it manually using the Services control panel. When the prerequisite installation is complete, click Refresh to update the prerequisite list. When all prerequisites have a green check icon, click Next to continue with the installation.
10 The Summary panel lists the features to update or install. Click Next to proceed with the installation. If the MSDE or Microsoft SQL Server that the Information Server is assigned to is not properly secured, a Security Alert dialog box appears. See Securing MSDE or the SQL Server on page 43.
11 When the installation is complete, the Finish panel lists the results of the installation. Click Finish to complete the installation and close the Installation Wizard. If you have installed the RMS Console, click Launch RMS Console and then click Finish to start the RMS Console and close the wizard. If no other RMS Console and Information Server have been installed, you must launch and configure the console. See Configuring the RMS data collection infrastructure on page 79.
Set the logon mode for your database server to Integrated Security.
Set the Everyone group rights to Read & Execute for the MSDE or Microsoft SQL Server installation directory.
Remove the system stored procedure xp_cmdshell from your master database.
Use the SQL Server Password Setup dialog box that appears during installation to set a password for the database server. You can select Generate random password to have a password created for you, or you can clear this option and enter a password.
Notes of any bv-Control products that you upgrade. You can use Terminal Services or Remote Desktop Connection to upgrade the RMS Console and Information Server on a remote computer. If you do so, the installer cannot be located on a mapped drive. You must upgrade your existing installation to version 8.60 with the June 2008 Update before you begin the upgrade to version 9.0. During the upgrade, the installer places the new Control Compliance Suite data collection infrastructure components in the same location as your existing components.
To upgrade data collection infrastructure products
1 Insert your Symantec Control Compliance Suite 9.0 product disc into the disk drive on your computer.
2 In the Symantec Control Compliance Suite 9.0 panel, click Data Collection.
3 In the Data Collection panel, click Data Collection. The Installation Wizard starts and checks for prerequisites.
4 If any prerequisites are absent, a warning message appears. In the warning message, click Yes to install the missing prerequisites.
5 In the End-User License Agreement panel, read the license agreement and click I accept the terms in the License Agreement to accept the terms of the agreement. Click Next to continue.
6 The Licensing panel lets you add licenses to your RMS Console and Information Server. Drag and drop license files into the window, or click Browse to locate the license files. After you add all the licenses, click Next to continue.
7 In the Upgrade panel, select the installed bv-Control products to upgrade. Click an item's name for more information about the item. Click Next to continue.
8 In the Add Features panel, select any new features to add to the existing installation. Only licensed features appear in the list of available features. Click the box beside a feature's name to select it. Click Next to continue.
Installing Control Compliance Suite components Installing the Control Compliance Suite components in a single setup mode
9 The Prerequisites panel lists the prerequisites for the features that you have selected. Any missing prerequisites are marked with a red X icon. You must manually add the prerequisites before you can complete the installation. The installer can install some prerequisites. Click the plus (+) symbol beside a prerequisite with a red X icon to list additional details and click Install to install the prerequisite. If you install a service such as MSDE, you must start it manually using the Services control panel. When the prerequisite installation is complete, click Refresh to update the prerequisite list. When all prerequisites have a green check icon, click Next to continue with the installation.
10 The Summary panel lists the features to update or to install. Click Next to proceed with the installation. If the MSDE or Microsoft SQL Server that the Information Server is assigned to is not properly secured, then a Security Alert dialog box appears. See Securing MSDE or the SQL Server on page 43.
11 When the installation is complete, the Finish panel lists the results of the installation. Click Finish to complete the installation and close the Installation Wizard. If you upgraded an RMS Console, click Launch RMS Console and click Finish to start the RMS Console and close the wizard. If no other RMS Console and Information Server have been installed, you should launch and configure the Console now.
Launch the Installation Wizard. See To launch the Symantec Control Compliance Suite 9.0- Reporting and Analytics Installation Wizard on page 46.
Install the product on a single computer. See To install Control Compliance Suite on a single computer on page 46.
Provide details to install components and databases. See To provide details for installing the components and databases on page 47.
To launch the Symantec Control Compliance Suite 9.0- Reporting and Analytics Installation Wizard
Insert the CCS 9.0 product disc into the drive on your computer and then click Setup.exe. The Setup.exe is located inside the InstallSet folder of the media structure.
In the DemoShield, click Reporting and Analytics. You can find the splash screen, which displays the list of prerequisites that are required for the product installation. The setup installs the listed prerequisites such as .NET framework. See Prerequisites for installing the product components on page 25.
1 In the Welcome panel of the launched Symantec Control Compliance Suite 9.0- Reporting and Analytics Installation Wizard, read and select the license agreement and then click Next.
2 In the Installation Modes panel, select all the product components for installation and then click Next.
3 In the Component Selection panel, select the components from the list and then click Next. By default, all the components are selected. If you do not want any component that is listed under the Application Server, then you can uncheck the selection. The Directory Support Service, Application Server, and the Data Processing Service are mandatory components for installation.
4 In the Licensing panel, click Add Licenses to add licenses for the components that require mandatory licenses to install. See About licensing of the product components on page 38.
5 Click Next.
6 In the Prerequisites panel, review the prerequisites that are required for the installation. Install any prerequisite application that is required to be installed. Click Check again to verify whether the installation is successful.
7 In the Installation Path panel, review the target path for the Control Compliance Suite installation, and click Next. Click Browse to specify a different installation path to install the product.
1 In the launched Symantec Control Compliance Suite 9.0- Reporting and Analytics Installation Wizard, perform steps 1 to 7
2 In the Certificate Information panel, enter the required values in the text boxes and click Next. The fields of the Certificate Information panel and their descriptions are as follows:
Organization: Enter the name of your organization.
Division: Enter the division to which your organization belongs.
City: Enter the name of the city of your organization.
State/Province: Enter the name of the state or province to which the city belongs.
Country: Enter the name of the country. The country code must consist of two alphabet characters.
Expire in: Select the expiration time period of the root certificate.
Password: Enter the password to authenticate the certificate.
Re-type password: Re-authenticate the password that you have typed.
3 In the CCS Directory Server - User Account and Port Information panel, enter the requisite values in the text boxes and click Next. The fields of the CCS Directory Server - User Account and Port Information panel and their descriptions are as follows:
User name: Enter the user name in whose context the Management Services is run on the computer.
Password: Enter the password that authenticates the specified user account.
Enter the LDAP port number of the computer that hosts the CCS Directory Server. By default, the CCS Directory Server connects with the CCS Application Server through the port, 3890.
Enter the SSL port number of the computer that hosts the CCS Directory Server. By default, the CCS Directory Server connects with the CCS Application Server through the SSL port, 6360.
When you install the CCS Directory Server on a domain controller or on any other computer on which the Active Directory is installed, change the default port numbers. The recommended port number for LDAP is 50000 and for SSL is 50001.
4 In the Application Server- User Account Information panel, enter the required values in the text boxes and click Next. See About using special characters in credentials on page 75. The fields of the Application Server- User Account Information panel and their descriptions are as follows:
User name: Enter the user name in whose context the Application Server Service is run on the computer.
Password: Enter the password that authenticates the specified user account.
5 In the Application Server- SQL Server Information panel, enter the required values in the text boxes and click Next.
The SQL server is used to create the production database for the CCS Application Server. The production database stores the queried data. The fields of the Application Server- SQL Server Information panel and their descriptions are as follows:
SQL Server: Enter the computer name that hosts the SQL server.
Instance name: Enter the SQL server instance name. By default, the configured SQL instance that is created on the computer appears in the text box.
Port number: Enter the port number of the computer that hosts the SQL server. By default, CCS Application Server connects through the port, 1433 of the SQL server computer.
Use SSL: Check this option if your computer that hosts the SQL server is SSL enabled for communication. If you use SSL connections, you must configure them before you install the Control Compliance Suite. Refer to the Microsoft SQL Server documentation (http://support.microsoft.com/kb/316898) for information about configuring SSL connections.
Use existing empty database: Check this option if you want to use the CSM_DB database if that is already created and is empty. By default, the setup creates a production database, CSM_DB on the computer, which is empty. Even if a single record exists in the database, then you cannot use this option.
Use Windows NT Integrated Security: Select this option if you have installed the SQL server in the Windows NT user context.
Select this option if you have installed the SQL server in a different user context. You must specify the authentication details of the user in the respective text boxes.
Check either or both the options if you want to replicate the same configuration for the Reporting and the SSIS databases. The options are as follows:
SSIS database and server settings
Reporting Server and database settings
On checking either or both the options, the corresponding panels do not appear when you click Next. For example, if you check against SSIS database and server settings option, then the setup skips the SSIS-SQL Server Information panel.
6 In the Reporting Server-SQL Server Information panel, enter the requisite values in the text boxes and click Next. The SQL server information is used to create the reporting database for the Reporting Server. The reporting database is used to store the reports that are generated for the evaluated data. The fields of the Reporting Server- SQL Server Information panel and their descriptions are as follows:
SQL Server: Enter the computer name that hosts the SQL server.
Instance name: Enter the SQL server instance name. By default, the configured SQL instance that is created on the computer appears in the text box.
Port number: Enter the port number of the computer that hosts the SQL server. By default, CCS Application Server connects through the port, 1433 of the SQL server computer.
Use SSL: Check this option if your computer that hosts the SQL server is SSL enabled for communication. If you use SSL connections, you must configure them before you install the Control Compliance Suite. Refer to the Microsoft SQL Server documentation (http://support.microsoft.com/kb/316898) for information about configuring SSL connections.
Use existing empty database: Check this option if you want to reuse the existing database. By default, the setup creates a production database, CSM_DB on the computer. You must ensure that the database is created and empty before you check the option.
Use Windows NT Integrated Security: Select this option if you have installed the SQL server in the Windows NT user context.
Select this option if you have installed the SQL server in a different user context. You must specify the authentication details of the user in the respective text boxes.
Check the option, SSIS database and server settings if you want to replicate the same configuration for the SSIS database. On checking the option, the panel, SSIS -SQL Server Information does not appear on clicking Next.
7 In the SSIS-SQL Server Information panel, enter the requisite values in the text boxes and click Next. The SQL Server Integration Service (SSIS) information is used to create the SSIS database. The production database uses the information for reporting purposes. The information that is provided on this panel is used to connect to the msdb and deploy SSIS packages and SQL agent jobs. The fields of the SSIS- SQL Server Information panel and their descriptions are as follows:
SQL Server: Enter the computer name that hosts the SQL server.
Instance name: Enter the SQL server instance name. By default, the configured SQL instance that is created on the computer appears in the text box.
Port number: Enter the port number of the computer that hosts the SQL server. By default, CCS Application Server connects through the port, 1433 of the SQL server computer.
Use SSL: Check this option if your computer that hosts the SQL server is SSL enabled for communication. If you use SSL connections, you must configure them before you install the Control Compliance Suite. Refer to the Microsoft SQL Server documentation (http://support.microsoft.com/kb/316898) for information about configuring SSL connections.
Use Windows NT Integrated Security: Select this option if you have installed the SQL server in the Windows NT user context.
Select this option if you have installed the SQL server in a different user context. You must specify the authentication details of the user in the respective text boxes.
Installing Control Compliance Suite components Installing the Control Compliance Suite components in a distributed setup mode
8 In the Data Processing Service - Port Information panel, enter the Server port number and click Next. By default, the computer that hosts the Data Processing Service communicates through the port, 3993. If your computer is configured to run in the native Windows Server 2003 domain mode, then the Application Server - Security Settings for Scheduled Jobs panel appears. You can refer to the next step for the panel details. If your computer is configured to run in any mixed domain, then you can skip the next step.
9 In the Application Server - Pass Phrase panel, enter the pass phrase and click Next. The pass phrase is used to generate a symmetric key for encrypting or decrypting sensitive data such as passwords and connection details. You must remember the pass phrase for future reference.
10 In the Summary panel, review the installation details and click Install.
The Installation Progress panel indicates the progress of the component installation. After the installation finishes, the last panel of the wizard appears.
For a distributed installation, you can install one CCS Directory Server and one CCS Application Server component only. The distributed setup mode involves installation of the CCS Directory Server, the CCS Application Server and one or more Data Processing Service (DPS) components. The components are installed on different computers. The DPS can be configured with different roles such as data collector, data evaluator, reporter, and load balancer. You can install and configure multiple DPS with various roles in the distributed infrastructure of Control Compliance Suite.
Launch the Installation Wizard. See To launch the Installation Wizard on page 55.
Install the CCS Directory Server. See To install the CCS Directory Server on page 56.
Insert the Symantec Control Compliance Suite 9.0 product disc into the drive on your computer and click Setup.exe. The Setup.exe is located inside the InstallSet folder of the media structure.
In the DemoShield, click Reporting and Analytics. You can find the splash screen, which displays the list of prerequisites that are required for the product installation. The setup installs the listed prerequisites such as .NET framework and so on.
See Prerequisites for installing the product components on page 25.
To install the CCS Directory Server
1 In the Welcome panel of the launched Symantec Control Compliance Suite 9.0- Reporting and Analytics Installation Wizard, read and select the license agreement and then click Next.
2 In the Installation Modes panel, select CCS Directory Server and then click Next.
3 In the Selected Component Information panel, read the information displayed in the panel and then click Next.
4 In the Component Selection panel, check Directory Support Service and then click Next. The services and the components that the CCS Directory Server installs and the descriptions are as follows:
Directory Support Service: Uses the CCS Directory to store business objects such as asset information and job definitions. It also works with the CCS Directory to check the user rights and preferences on the directory objects. It comprises the Management Services and the Certificate Management Console.
Management Services: The root certificate authority service that generates, manages, and signs certificates for the Control Compliance Suite components. This service is installed on the computer in which the Directory Support Service is installed.
SymCert: Stores and manages the certificates in the local computer. This utility is installed with every CCS component and can be run from a command line on any component workstation.
5 In the Licensing panel, click Add Licenses to add licenses for the Directory Support Service. See About licensing of the product components on page 38.
6 Click Next.
6 In the Prerequisites panel, review the prerequisites that are required for the installation. Install any prerequisite application that is required to be installed. Click Check Again to verify whether the installation is successful.
7 Click Next.
8 In the Installation Path panel, review the target path for the Control Compliance Suite installation and then click Next. Click Browse to specify a different installation path to install the product.
9 In the Certificate Information panel, enter the required values to create the root certificate in the text boxes and then click Next.
The fields of the Certificate Information panel and their descriptions are as follows:
Organization: Enter the name of your organization.
Division: Enter the division to which your organization belongs.
City: Enter the name of the city of your organization.
State/Province: Enter the name of the state or province to which the city belongs.
Country: Enter the name of the country. The country code must consist of two alphabetic characters.
Expire in: Select the expiration time period of the root certificate.
Password: Enter the password to authenticate the certificate.
Re-type password: Re-enter the password that you have typed.
10 In the CCS Directory Server - User Account and Port Information panel, enter the required values in the text boxes and then click Next.
The fields of the CCS Directory Server - User Account and Port Information panel and their descriptions are as follows:
User name: Enter the user name in whose context the Management Services is run on the computer.
Password: Enter the password that authenticates the specified user account.
Enter the port number of the Directory Support Service, which runs on the computer that hosts the CCS Directory Server. By default, the Directory Support Service connects through port 12467.
Enter the port number of the Management Services, which runs on the computer that hosts the CCS Directory Server. By default, the Management Services connects through port 12468.
11 In the CCS Directory - CCS Directory Port Information panel, enter the required values in the text boxes and then click Next.
LDAP port number: Enter the LDAP port number of the computer that hosts the CCS Directory Server. By default, the CCS Directory Server connects with the CCS Application Server through port 3890.
Enter the SSL port number of the computer that hosts the CCS Directory Server. By default, the CCS Directory Server connects with the CCS Application Server through SSL port 6360.
12 In the Management Services - Pass Phrase panel, enter the pass phrase and then click Next. You must remember the pass phrase so you can use it to uninstall the product from a different user context.
13 In the Summary panel, review the installation details and then click Install. The Installation Progress panel indicates the progress of the component installation. After the installation completes, the last panel of the wizard appears.
After you install the Directory Support Service you need to create certificates to distribute them to the other components for communication. The certificates are created using the CMC tool, which is installed on the CCS Directory Server computer. See Creating a DPS or an Application Server certificate on page 59.
You have recently opened the Certificate Management console
You are logged on in the context of the user who installed the system
You can find a list of the country codes at: http://www.iso.org/iso/country_codes/iso_3166_code_lists/english_country_names_and_code_elements.htm
The Certificate Management console fails to create certificates on a Microsoft Windows Server 2008 unless the console is run as the administrator.
To create a DPS or an Application Server certificate
1 Click Start > All Programs > Symantec Control Compliance, and select Certificate Management Console.
2 You may be prompted to provide the Root Certificate Password. The Root Certificate password is created during installation.
3 Click OK.
4 In the Certificate Management Console toolbar, click Create Certificates.
In the Create Certificate dialog box, in the Service Type area, do one of the following:
In the Expired In box, select the number of years. The default value is 25.
In the Organization box, provide a name. You can change the default name during certificate creation.
In the Division box, provide a name. You can change the default name during certificate creation.
In the City box, provide a name. You can change the default name during certificate creation.
13 In the FQDN box, provide the name.
14 In the IP Address box, provide the information.
15 Click the plus (+) icon to add multiple TCP/IP addresses, if needed.
16 In the Destination folder box, provide the location for the saved certificate file. You can browse to select the location.
17 In the Password box, type a password.
18 In the Retype Password box, type the same password to confirm the spelling.
19 Click Create Certificate.
20 In the Success message box, click OK.
21 In the Create Certificate message box, click Yes to create another certificate, if needed.
Launch the Installation Wizard. See To launch the Installation Wizard on page 61.
Install the CCS Application Server. See To install the CCS Application Server on page 61.
Insert the Symantec Control Compliance Suite 9.0 product disc into the disk drive on your computer and then click Setup.exe. The Setup.exe is located inside the InstallSet folder of the media structure.
In the DemoShield, click Reporting and Analytics. You can find the splash screen, which displays the list of prerequisites that are required for the product installation. The setup installs the listed prerequisites such as .NET framework and so on. See Prerequisites for installing the product components on page 25.
1 In the Welcome panel of the launched Symantec Control Compliance Suite 9.0 - Reporting and Analytics Installation Wizard, read and select the license agreement and click Next.
2 In the Installation Modes panel, select CCS Application Server and click Next.
3 In the Selected Component Information panel, read the information displayed in the panel and click Next.
4 In the Component Selection panel, check Application Server and click Next.
The components that the Application Server comprises and their descriptions are as follows:
Application Server: Manages the data storage and the workflow of the production database. It comprises the Technical Standards Pack (TSP).
Technical Standards Pack (TSP): Represents the security and configuration best practices for various operating systems and applications. The TSPs for the various operating systems and the applications are as follows:
Windows Technical Standards Pack
UNIX Technical Standards Pack
Oracle Technical Standards Pack
SQL Technical Standards Pack
ESM Technical Standards Pack
Lists the regulations and frameworks that Control Compliance Suite supports. Regulations are published government mandates such as HIPAA, Sarbanes-Oxley, or GLBA. These regulations describe the business functions and the security functions. The list of regulations that are supported are as follows:
FDA FISMA GLBA HIPAA Identity Theft Red Flags FDIC Sarbanes-Oxley
Frameworks are published best practices, which describe the implementation details. For example, a framework can describe a password policy that must contain entries for length, complexity, and rotation. The list of frameworks that are supported are as follows:
SymCert: Stores and manages the certificates in the local computer. This utility is installed with every CCS component and can be run from a command line on any component workstation.
5 In the Licensing panel, click Add Licenses to add licenses for the Directory Support Service. See About licensing of the product components on page 38.
6 Click Next.
7 In the Prerequisites panel, review the prerequisites that are required for the installation. Install any prerequisite application that is required to be installed. Click Check Again to verify whether the installation is successful.
8 Click Next.
9 In the Installation Path panel, review the target path for the Control Compliance Suite installation and click Next. Click Browse to specify a different installation path to install the product.
Password
Port number
11 In the CCS Application Server - User Account and Port Information panel, enter the required values in the text boxes and click Next. See About using special characters in credentials on page 75.
The fields of the CCS Application Server - User Account and Port Information panel and their descriptions are as follows:
User name: Enter the user name in whose context the Application Server Service runs on the computer. The user account must be a domain user account with read or write access on the SQL Server CSM_DB. The account must also be set as trusted for delegation.
Password
12 In the Application Server - SQL Server Information panel, enter the required values in the text boxes and then click Next. The SQL server is used to create the production database for the CCS Application Server. The production database stores the queried data. The production database must be configured to use Windows authentication.
The fields of the Application Server - SQL Server Information panel and their descriptions are as follows:
SQL Server: Enter the computer name that hosts the SQL server.
Instance name: Enter the SQL server instance name. By default, the configured SQL instance that is created on the computer appears in the text box.
Port number: Enter the port number of the computer that hosts the SQL server. By default, CCS Application Server connects through port 1433 of the SQL server computer.
Use SSL: Check this option if your computer that hosts the SQL server is SSL enabled for communication. If you use SSL connections, you must configure them before you install the Control Compliance Suite. Refer to the Microsoft SQL Server documentation (http://support.microsoft.com/kb/316898) for information about configuring SSL connections.
Check this option if you want to reuse the existing database. By default, the setup creates a production database, CSM_DB, on the computer. You must ensure that the database is created and empty before you check the option.
Select this option if you have installed the SQL server in the Windows NT user context.
Select this option if you have installed the SQL server in a different user context. You must specify the authentication details of the user in the respective text boxes.
Check either or both the options if you want to replicate the same configuration for the Reporting and the SSIS databases. The options are as follows:
SSIS database and server settings
Reporting Server and database settings
If you check either or both options, the corresponding panels do not appear when you click Next. For example, if you check the SSIS database and server settings option, the setup skips the SSIS-SQL Server Information panel.
The SQL server information is used to create the reporting database for the Reporting Server. The reporting database stores the evaluated data that is used for generating reports. The reporting database must be configured to use SQL authentication. If you do not want to use SQL authentication, then do the following:
Set the authentication to Windows authentication.
After the installation is complete, set the user context for the Data Processing Service that is configured in a reporting role.
The fields of the Reporting Server - SQL Server Information panel and their descriptions are as follows:
SQL Server: Enter the computer name that hosts the SQL server.
Instance name: Enter the SQL server instance name. By default, the configured SQL instance that is created on the computer appears in the text box.
Port number: Enter the port number of the computer that hosts the SQL server. By default, CCS Application Server connects through port 1433 of the SQL server computer.
Use SSL: Check this option if your computer that hosts the SQL server is SSL enabled for communication.
Check this option if you want to reuse the existing database. By default, the setup creates a reporting database, CSM_Reports, on the computer. You must ensure that the database is created and empty before you check the option.
Use Windows NT Integrated Security: Select this option if you have installed the SQL server in the Windows NT user context.
Select this option if you have installed the SQL server in a different user context. You must specify the authentication details of the user in the respective text boxes.
Check the SSIS database and server settings option if you want to replicate the same configuration for the SSIS database. If you check the option, the SSIS-SQL Server Information panel does not appear when you click Next.
14 In the SSIS-SQL Server Information panel, enter the required values in the text boxes and then click Next. The SQL Server Integration Service (SSIS) information is used for the reporting purpose. The information is used to connect to the msdb database and deploy SSIS packages and SQL agent jobs.
The fields of the SSIS-SQL Server Information panel and their descriptions are as follows:
SQL Server: Enter the computer name that hosts the SQL server.
Instance name: Enter the SQL server instance name. By default, the configured SQL instance that is created on the computer appears in the text box.
Port number: Enter the port number of the computer that hosts the SQL server. By default, CCS Application Server connects through port 1433 of the SQL server computer.
Use SSL: Check this option if your computer that hosts the SQL server is SSL enabled for communication.
Select this option if you have installed the SQL server in the Windows NT user context.
Select this option if you have installed the SQL server in a different user context. You must specify the authentication details of the user in the respective text boxes.
If your computer is configured to run in the native Windows 2003 domain mode, then the Application Server - Security Settings for Scheduled Jobs panel appears. You can refer to the next step for the panel details. If your computer is configured to run in any mixed domain, then you can skip the next step.
15 In the Application Server - Pass Phrase panel, enter the pass phrase, confirm the pass phrase, and click Next. The pass phrase is used to generate a symmetric key for encrypting or decrypting sensitive data such as passwords and connection details. You must remember the pass phrase for future reference.
17 In the Summary panel, review the installation details and then click Install. The Installation Progress panel indicates the progress of the component installation. After the installation completes, the last panel of the wizard appears.
Note: DPS cannot be installed simultaneously along with the installation of the Application Server on the same computer. The component can be installed only after the Application Server installation completes. After DPS installation is complete, you must configure the Control Compliance Suite.
Note: For the ESM application, if the ESM Manager is installed on the Windows computer, then you can also install the DPS on that computer. You must ensure that the computer meets the hardware and software requirements for installing the ESM Manager and the DPS.
To install the Data Processing Service component
1 Insert the Symantec Control Compliance Suite 9.0 product disc into the disk drive on your computer and then click Setup.exe. The Setup.exe is located inside the InstallSet folder of the media structure.
2 In the DemoShield, click Reporting and Analytics. You can find the splash screen, which displays the list of prerequisites that are required for the product installation. The setup installs the listed prerequisites such as .NET framework and so on. See Prerequisites for installing the product components on page 25.
3 In the Welcome panel of the launched Symantec Control Compliance Suite 9.0 - Reporting and Analytics Installation Wizard, read and select the license agreement and then click Next.
4 In the Installation Modes panel, select CCS Additional Services and then click Next.
5 In the Selected Component Information panel, read the information displayed in the panel and then click Next.
6 In the Component Selection panel, select Data Processing Service from the list and then click Next.
7 In the Prerequisites panel, review the prerequisites that are required for the installation. Install any prerequisite application that is required to be installed. Click Check Again to verify whether the installation is successful. You must install Crystal Reports 2008 only on the DPS computer that is to be configured with the role of a reporter. If you fail to install Crystal Reports 2008, then you can manually install the software, CrystalReportsDotNet.MSI, from the <installation directory>/Symantec/CCS/Reporting and Analytics/Application Server/REDIST folder of the CCS Application Server. You can also install CrystalReportsDotNet.MSI from the product disc folder, CCS_Reporting\Redist.
8 Click Next.
9 In the Installation Path panel, review the target path for the component installation and click Next. Click Browse to specify a different installation path to install the product.
11 In the Data Processing Service - Port Information panel, enter the Server port number and then click Next. By default, the computer that hosts the Data Processing Service communicates through port 3993.
12 In the Summary panel, review the installation details and then click Install. The Installation Progress panel indicates the progress of the component installation. After the installation completes, the last panel of the wizard appears.
Distribute policy notifications to end users across the enterprise and track when users read and acknowledge the policies.
Request exceptions to policies.
Request exceptions from control points.
By default, the Web Portal uses integrated Windows security. If the user domain and the Web Portal domain have a trust relationship, the Web Portal relies on the existing user credentials. The user does not need to enter a name and password to access the Web Portal. If no trust relationship exists, the user is prompted for a name and a password.
By default, the Web Portal fails when Control Compliance Suite is installed on a 64-bit Windows computer. Although the console and the services execute on the Windows On Windows (WOW) 32-bit emulator, IIS is by default configured as a 64-bit system. You must therefore configure IIS to host 32-bit files and the .NET framework to use the 32-bit version of ASP.NET after installing Web Portal.
To install the Web Portal
1 Insert the Symantec Control Compliance Suite 9.0 product disc into the disk drive on your computer and then click Setup.exe. The Setup.exe is located inside the InstallSet folder of the media structure.
2 In the DemoShield, click Reporting and Analytics. You can find the splash screen, which displays the list of prerequisites that are required for the product installation. The setup installs the listed prerequisites such as .NET framework and so on. See Prerequisites for installing the product components on page 25.
3 In the Welcome panel of the launched Symantec Control Compliance Suite 9.0 - Reporting and Analytics Installation Wizard, read and select the license agreement and then click Next.
4 In the Installation Modes panel, select CCS Additional Services and then click Next.
5 In the Selected Component Information panel, read the information displayed in the panel and then click Next.
6 In the Component Selection panel, select Web Portal from the list and then click Next.
7 In the Installation Path panel, review the target path for the component installation and then click Next. Click Browse to specify a different installation path to install the product.
8 In the Prerequisites panel, review the prerequisites that are required for the installation. Click Recheck to verify whether the installation was successful. You must install ASP.NET v2.0.50727, ASP.NET v2.0.50727 Web Service Extension, and Active Server Pages Web Service Extension on the computer.
9 Click Next.
10 In the Web Portal - Information panel, enter values for the fields and then click Next. The fields and the descriptions are as follows:
Enter the IIS site: Enter the Internet Information Service site that hosts the Web Portal.
Enter the server name that hosts the Response Assessment module (RAM).
Enter the port number of the server that hosts RAM. By default, the port number is 1977.
Application server name: The name of the computer that hosts the Application Server.
The port number of the computer that hosts the Application Server.
Enter the SPN for the Application Server and the DSS.
11 In the Summary panel, review the installation details and then click Install. The Installation Progress panel indicates the progress of the component installation. After the installation completes, the last panel of the wizard appears.
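The installation procedures above name a default TCP port for each component, and in a distributed setup every one of them has to pass the firewalls between the component computers. The following PowerShell check is an added example, not part of the Symantec guide; the host names are placeholders and the port list assumes that the wizard defaults were kept.

```powershell
# Added example: TCP reachability check for the default CCS 9.0 ports that
# this guide names. Host names are placeholders (assumptions); replace them,
# and any port you changed in the wizard, with your own values.

$Endpoints = @(
    @{ Role = 'Directory Support Service';       ComputerName = 'ccs-dir.example.local'; Port = 12467 },
    @{ Role = 'Management Services';             ComputerName = 'ccs-dir.example.local'; Port = 12468 },
    @{ Role = 'CCS Directory (LDAP)';            ComputerName = 'ccs-dir.example.local'; Port = 3890  },
    @{ Role = 'CCS Directory (SSL)';             ComputerName = 'ccs-dir.example.local'; Port = 6360  },
    @{ Role = 'SQL Server';                      ComputerName = 'ccs-sql.example.local'; Port = 1433  },
    @{ Role = 'Data Processing Service';         ComputerName = 'ccs-dps.example.local'; Port = 3993  },
    @{ Role = 'Response Assessment module';      ComputerName = 'ccs-ram.example.local'; Port = 1977  }
)

function Test-TcpPort {
    param(
        [string]$ComputerName,
        [int]$Port,
        [int]$TimeoutMs = 3000
    )

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Start the connection asynchronously so an unanswered attempt
        # (filtered port, host down) does not block for the OS default timeout.
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return 'Timeout'
        }
        # EndConnect throws if the connection was refused or the name
        # could not be resolved.
        $client.EndConnect($async)
        return 'Open'
    }
    catch {
        return "Failed: $($_.Exception.Message)"
    }
    finally {
        $client.Close()
    }
}

$results = foreach ($e in $Endpoints) {
    New-Object PSObject -Property @{
        Role         = $e.Role
        ComputerName = $e.ComputerName
        Port         = $e.Port
        State        = Test-TcpPort -ComputerName $e.ComputerName -Port $e.Port
    }
}

$results | Select-Object Role, ComputerName, Port, State | Format-Table -AutoSize
```

Run it from the computer that initiates each connection (for example, the CCS Application Server for ports 3890, 6360 and 1433), because a firewall between the components can treat each source differently.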
1 Open a command prompt and navigate to the systemdrive\Inetpub\AdminScripts directory.
2 Type the following command:
cscript.exe adsutil.vbs set W3SVC/AppPools/Enable32BitAppOnWin64 true
Press Enter.
1 Open a command prompt and navigate to the systemroot\Microsoft.NET\Framework\v2.0.50727 directory.
2 Type the following command:
aspnet_regiis -i -enable
Press Enter.
1 Install the CCS Application Server through the Symantec Control Compliance Suite 9.0 - Reporting and Analytics Installation Wizard.
2 From the client computer, access the shared folder of the computer in which the CCS Application Server component is installed.
3 Navigate to the shared installation folder in the computer that hosts the CCS Application Server. By default, the component installation folder is C:\Program Files\Symantec\CCS\Reporting And Analytics\.
Directory Support Service
Application server Service
Data Processing service (DPS) running in the reporter role
The following special characters are supported in the user account user name:
The following special characters are supported in the user account password:
Chapter
Configure the Control Compliance Suite
About registration of the Data Processing Service
Configuring the RMS data collection infrastructure
About using LiveUpdate mechanism in Control Compliance Suite
Create asset folders.
Assign trustees to roles.
Assign asset folder permissions to trustees.
Define sites.
Register and configure the installed Data Processing Service instances.
Configuring Control Compliance Suite components About registration of the Data Processing Service
Define reconciliation rules.
Create site-based data import jobs.
Create any CSV-based data import jobs.
Create data collection jobs.
Create data evaluation jobs.
Create data reporting jobs.
For additional information about these configuration steps, see the Symantec Control Compliance Suite Help or the Symantec Control Compliance Suite User Guide. When you assign trustees, at a minimum, you must assign trustees to the following roles:
You can register the DPS through the Control Compliance Suite Console.
Note: The first DPS that you register must be assigned the load balancer role.
The role of a data collector is to collect data from the enterprise network. The Control Compliance Suite can collect data from any data collection infrastructure such as RMS, ESM, and the data that is stored in Comma Separated Value (CSV) files. The data collection is triggered through the data collection jobs. The collected data is evaluated for the standards by the data evaluator. The data evaluation jobs trigger the data evaluation of the collected data. The load balancer routes the data collection and the data evaluation jobs evenly to the configured data collectors and the data evaluators respectively. The DPS can be configured as the following data collectors:
Windows data collector
UNIX data collector
SQL data collector
Oracle data collector
ESM data collector
CSV data collector
For additional information about DPS configuration, see the Control Compliance Suite Online Help or the Control Compliance Suite User Guide.
1 In the RMS Console Configuration Wizard Welcome panel, click Next.
2 The Add/Remove Products panel lists all bv-Control products present on the RMS Console and Information Server computer. Select the bv-Control products you want to appear on the Console, and then click Next.
3 In the Add/Remove Products in progress panel, add products in the Console and then click Next. Each time you open the Console, the added bv-Control products appear in the Console tree.
4 In the Add Users panel, add RMS Console users by typing the fully qualified user name in the Users frame. You may also click the browse (...) icon to browse for the user name.
5 Assign the appropriate properties to each user and then click Next to continue.
6 In the User Name drop-down list in the ActiveAdmin Options panel, select each added user in turn. Click the check box beside each product name to enable or disable ActiveAdmin for that user on that product. Click Next to continue.
7 Review the summary information for the added users and then click Next.
8 Click Finish. The RMS Console and Information Server are configured with the items that you have selected in the RMS Console Configuration Wizard.
The configuration wizard contains the minimum required configuration items for the RMS Console. For information on the bv-Control snap-in modules configuration, refer to the individual bv-Control module Getting Started Guide.
LU component. The administrator must decide whether the content or the system updates are required for the installed components and configure the LUA appropriately. The following two types of updates are available for the Control Compliance Suite components:
All packages are downloaded, distributed, and installed manually. Optionally, some organizations can use third-party applications such as Altiris and SMS instead of using LiveUpdate. The packages can be downloaded using the LiveUpdate Administrator and are repackaged for manual distribution. Other distribution methods such as direct download from the Web site are available as per Symantec policies. All computers are installed with LiveUpdate Client (LU) and are configured with a host file pointing to the LUA distribution area.
Chapter
Adding or upgrading the Control Compliance Suite components
Repairing or reinstalling Control Compliance Suite
Modifying or repairing the installed Control Compliance Suite components Repairing or reinstalling Control Compliance Suite
1 Insert the Symantec Control Compliance Suite 9.0 product disc into the disk drive on your computer and click Setup.exe. The Setup.exe is located inside the InstallSet folder of the media structure.
2 In the DemoShield, click Reporting and Analytics.
3 In the Maintenance panel of the Symantec Control Compliance Suite 9.0 - Reporting and Analytics, select Add/Upgrade.
4 In the Upgrade panel, select the components that you want to add or modify and click Next. The panel lists the components that are not installed on your computer. You can select any component from the list whether it belongs to the CCS Directory Server, CCS Application Server, or the DPS. The next panel that appears is dependent on the component you select. See Installing the Control Compliance Suite components in a distributed setup mode on page 54.
1 Insert the Symantec Control Compliance Suite 9.0 product disc into the disk drive on your computer and click Setup.exe. The Setup.exe is located inside the InstallSet folder of the media structure.
2 In the DemoShield, click Reporting and Analytics.
3 In the Maintenance panel, select Repair/Reinstall.
4 In the Summary panel, review the components for repair by the setup and click Repair.
Chapter
Uninstalling the Control Compliance Suite components from a single setup
Uninstalling a Control Compliance Suite component from a distributed setup
Uninstalling RMS Console and Information Server
1 Insert the Symantec Control Compliance Suite 9.0 product disc into the drive on your computer and click Setup.exe. The Setup.exe is located inside the InstallSet folder of the media structure.
2 In the DemoShield, click Reporting and Analytics.
3 In the Maintenance panel, select Uninstall.
Uninstalling Control Compliance Suite components Uninstalling a Control Compliance Suite component from a distributed setup
4 Under the Uninstall option, select All.
5 Click Next.
6 In the CCS Directory Server - Remove ADAM instance panel, select either of the following options and click Next.
Remove the ADAM instance that Control Compliance Suite uses.
Do not remove the ADAM instance that Control Compliance Suite uses.
7 In the Application Server - Delete Databases panel, select the databases that are to be removed and click Next. The databases that can be removed are production, reporting, and evidence.
8 In the Summary panel, review the components that are to be uninstalled and click Uninstall.
1 Insert the CCS 9.0 product disc into the drive on your computer and click Setup.exe. The Setup.exe is located inside the InstallSet folder of the media structure.
2 In the DemoShield, click Reporting and Analytics.
3 In the Maintenance panel, select Uninstall.
4 Under the Uninstall option, select Select Components.
5 Click Next.
6 In the Remove Components panel, select the component that you want to remove and click Next.
7 In the CCS Directory Server - Remove ADAM instance panel, select either of the following options and click Next.
Remove the ADAM instance that Control Compliance Suite uses.
Do not remove the ADAM instance that Control Compliance Suite uses.
8 In the Application Server - Delete Databases panel, select the databases that are to be removed and click Next. The databases that can be removed are production, reporting, and evidence.
9 In the Summary panel, review the components that are to be uninstalled and click Uninstall.
1. On each computer that hosts the RMS Console or an Information Server, open the Add or Remove Programs control panel.
2. In the Add or Remove Programs control panel, click Symantec Control Compliance Suite 9.0 - Data Collection, and then click Change/Remove.
3. In the Maintenance panel, click Uninstall.
4. Click All.
5. Click Next. The RMS Console and Information Server on the computer are removed automatically. When the removal is complete, the Add or Remove Programs control panel reappears. You do not need to restart your computer to complete the removal.
Appendix
Silent Installation
This appendix includes the following topics:
Silent installation
Silent installation
The silent installation mode in Control Compliance Suite lets you install the product components on different computers without navigating through the Installation Wizard. You must ensure that all computers on which the distributed components are to be installed in the silent mode belong to the same network.
An XML file, which is known as the response file, triggers the silent installation. The response file contains inputs for the component that is being installed, such as the Data Processing Service (DPS). The response file can be created, accessed, and modified only from the setup path of the product installation. The response file is not specific to any operating system.
Usually, in Control Compliance Suite, the Data Processing Service component is installed in a distributed mode because the component is configured to perform multiple roles. The CCS Application Server and the CCS Directory Server are mostly installed on a single computer.
The silent installation process involves the following steps:
- Create a response file.
- Provide inputs for the response file.
- Run the setup in the silent mode and browse to the response file path to start the installation.
Note: You must ensure that the computers on which the silent installation is to be triggered contain all the prerequisites that are to be installed manually. The Control Compliance Suite installs certain prerequisites automatically during the silent installation.
/ExportTo
/Silent
/ResponseFile
/Uninstall
/Repair
/AddComponent
1. Insert the product disc into a computer from where you want to run the Control Compliance Suite installation setup.
2. Go to Start>Run and type the path of the location of the installation setup. Append the /Export switch to Setup.exe to create the response file. Type the following command to create the response file:
   >Setup.exe /Export /ExportTo="C:\Input.xml"
   The Installation Wizard is invoked and displays the Installation Modes panel. The command creates a response file and exports the properties that are selected through the Installation Wizard into the response file.
3. In the Installation Modes panel of the Installation Wizard, select CCS Additional Services and click Next.
4. In the Selected Component Information panel, review the information about installing the Data Processing Service and then click Next.
5. In the Component Selection panel of the wizard, the Data Processing Service option is selected by default. Click Next.
6. In the Summary panel, review the components that are to be installed and then click Finish.
7. Click Start>Run and type the following command to specify the response file path:
   ><install path>/Setup.exe /Export /ExportTo=<path and name of the response file>
   For example, if the response file is input.xml and is located in the C:\ drive, then the command is as follows:
   ><install path>/Setup.exe /Export /ExportTo="C:\Input.xml"
The created response file contains the default entries that are required for the installation of the component. You need to specify values for specific settings of the response file. The format of a sample response file is as follows:
<?xml version="1.0" encoding="utf-8"?>
<Properties>
  <Settings Name="Selected Features">
    <Feature Name="Directory Support Service" Enabled="False" />
    <Feature Name="Directory Support Service Core" Enabled="True" />
    <Feature Name="SymCert" Enabled="True" />
    <Feature Name="Management Services" Enabled="False" />
    <Feature Name="Technical Standards Pack" Enabled="False" />
    <Feature Name="SQL Technical Standards Pack" Enabled="False" />
    <Feature Name="Data Processing Service" Enabled="True" />
    <Feature Name="DPS backend" Enabled="True" />
    <Feature Name="ReportServer backend" Enabled="True" />
    ...
    ...
  </Settings>
  <Settings Name="Installation Path">
    <Property Name="Target path" Value="C:\Program Files\Symantec\CCS\Reporting and Analytics" />
  </Settings>
  <Settings Name="Certificate Information - Local Installation">
    <Property Name="Certificate location for Data Processing Service" Value="<specify the location of the certificate>" />
  </Settings>
  <Settings Name="Data Processing Service - Port Information">
    <Property Name="Server port number" Value="3993" />
  </Settings>
</Properties>
The settings for which you must specify values are as follows:
Certificate Information - Local Installation
   The setting is for specifying the location of the security certificate that is created for the DPS.
Data Processing Service - Port Information
   The setting is for specifying the port number of the DPS. By default, the port number is 3993.
You must not edit the Settings tag of the Selected Features.
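A pre-flight check for an edited response file, as an added example that is not part of the Symantec guide. It uses the setting names from the sample response file; the helper names (sample, check_response_file, spaced_equals) and the certificate path in the test data are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Setting and property names as they appear in the sample response file above.
CERT = ("Certificate Information - Local Installation",
        "Certificate location for Data Processing Service")
PORT = ("Data Processing Service - Port Information", "Server port number")

def sample(cert, port):
    """Constructed response file modeled on the page's sample, not a real export."""
    return ('<?xml version="1.0" encoding="utf-8"?>\n<Properties>\n'
            f'<Settings Name="{CERT[0]}">\n'
            f'<Property Name="{CERT[1]}" Value="{cert}" />\n</Settings>\n'
            f'<Settings Name="{PORT[0]}">\n'
            f'<Property Name="{PORT[1]}" Value="{port}" />\n</Settings>\n'
            '</Properties>')

def _value(root, names):
    """Return the Value of the named Property in the named Settings, or None."""
    for settings in root.iter("Settings"):
        if settings.get("Name") == names[0]:
            for prop in settings.iter("Property"):
                if prop.get("Name") == names[1]:
                    return prop.get("Value")
    return None

def check_response_file(xml_text):
    """Return a list of problems; an empty list means the inputs are filled in."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # A leftover "<specify ...>" placeholder puts "<" inside an attribute
        # value, which is not well-formed XML, so parsing fails here.
        return [f"not well-formed XML: {exc}"]
    problems = []
    cert = _value(root, CERT)
    if not cert or not cert.strip():
        problems.append("certificate location is missing or empty")
    port = _value(root, PORT)
    if port is None or not port.isdigit() or not 1 <= int(port) <= 65535:
        problems.append(f"server port number is invalid: {port!r}")
    return problems

def spaced_equals(command):
    """True if a /Switch has whitespace directly before or after its '='."""
    return re.search(r"/[\w.]+(\s+=|=\s)", command) is not None
```

Run the check on the exported file after editing it and before starting Setup.exe in the silent mode, where no wizard panel is shown in which an input could be corrected.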
Note: Ensure that in the command, there is no space before or after the equal to (=) sign. For example, /ResponseFile="C:\Input.xml"
To install Control Compliance Suite in the silent mode
1. Navigate to the computer that contains the setup binaries.
2. Run the setup with the following command for a fresh installation:
   >Setup.exe /Silent /ResponseFile="<full path of the response file>" /DPSCert.Password="<password>"
   For example,
   >Setup.exe /Silent /ResponseFile="C:\Input.xml" /DPSCert.Password="password"
1. Navigate to the computer that contains the setup binaries.
2. Run the setup with the following command to add the DPS:
   >Setup.exe /Silent /AddComponent /ResponseFile="<full path of the response file>" /DPSCert.Password="<password>"
   For example,
   >Setup.exe /Silent /AddComponent /ResponseFile="C:\Input.xml" /DPSCert.Password="password"
1. Navigate to the computer that contains the setup binaries.
2. Run the setup with the following command to repair the installation:
   >Setup.exe /Silent /Repair
1. Navigate to the computer that contains the setup binaries.
2. Run the setup with the following command to uninstall the component:
   >Setup.exe /Silent /Uninstall