
Symantec Control Compliance Suite Installation Guide

Version 9.0

Control Compliance Suite Installation Guide


The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.

Documentation version 9.0

Legal Notice
Copyright 2008 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, ActiveAdmin, BindView, bv-Control, Enterprise Security Manager, and LiveUpdate are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any. THE DOCUMENTATION IS PROVIDED AS IS AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE. The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, Rights in Commercial Computer Software or Commercial Computer Software Documentation, as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.

Symantec Corporation 20330 Stevens Creek Blvd. Cupertino, CA 95014 http://www.symantec.com

Technical Support
Symantec Technical Support maintains support centers globally. Technical Support's primary role is to respond to specific queries about product features and functionality. The Technical Support group also creates content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates. Symantec's maintenance offerings include the following:

- A range of support options that give you the flexibility to select the right amount of service for any size organization
- Telephone and Web-based support that provides rapid response and up-to-the-minute information
- Upgrade assurance that delivers automatic software upgrade protection
- Global support that is available 24 hours a day, 7 days a week
- Advanced features, including Account Management Services

For information about Symantec's Maintenance Programs, you can visit our Web site at the following URL: www.symantec.com/techsupp/

Contacting Technical Support


Customers with a current maintenance agreement may access Technical Support information at the following URL: www.symantec.com/techsupp/

Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to replicate the problem. When you contact Technical Support, please have the following information available:

- Product release level
- Hardware information
- Available memory, disk space, and NIC information
- Operating system
- Version and patch level
- Network topology
- Router, gateway, and IP address information
- Problem description:
  - Error messages and log files
  - Troubleshooting that was performed before contacting Symantec
  - Recent software configuration changes and network changes

Licensing and registration


If your Symantec product requires registration or a license key, access our technical support Web page at the following URL: www.licensing.symantec.com

Customer service
Customer service information is available at the following URL: www.symantec.com/techsupp/ Customer Service is available to assist with the following types of issues:

- Questions regarding product licensing or serialization
- Product registration updates, such as address or name changes
- General product information (features, language availability, local dealers)
- Latest information about product updates and upgrades
- Information about upgrade assurance and maintenance contracts
- Information about the Symantec Buying Programs
- Advice about Symantec's technical support options
- Nontechnical presales questions
- Issues that are related to CD-ROMs or manuals

Maintenance agreement resources


If you want to contact Symantec regarding an existing maintenance agreement, please contact the maintenance agreement administration team for your region as follows:

- Asia-Pacific and Japan: contractsadmin@symantec.com
- Europe, Middle-East, and Africa: semea@symantec.com
- North America and Latin America: supportsolutions@symantec.com

Additional enterprise services


Symantec offers a comprehensive set of services that allow you to maximize your investment in Symantec products and to develop your knowledge, expertise, and global insight, which enable you to manage your business risks proactively. Enterprise services that are available include the following:

- Symantec Early Warning Solutions: These solutions provide early warning of cyber attacks, comprehensive threat analysis, and countermeasures to prevent attacks before they occur.
- Managed Security Services: These services remove the burden of managing and monitoring security devices and events, ensuring rapid response to real threats.
- Consulting Services: Symantec Consulting Services provide on-site technical expertise from Symantec and its trusted partners. Symantec Consulting Services offer a variety of prepackaged and customizable options that include assessment, design, implementation, monitoring, and management capabilities. Each is focused on establishing and maintaining the integrity and availability of your IT resources.
- Educational Services: Educational Services provide a full array of technical training, security education, security certification, and awareness communication programs.

To access more information about Enterprise services, please visit our Web site at the following URL: www.symantec.com Select your country or language from the site index.

Contents

Technical Support

Chapter 1 Control Compliance Suite overview

- Control Compliance Suite 9.0.1
- Control Compliance Suite infrastructure requirements
- Control Compliance Suite server requirements
- Client requirements
- RMS data collector requirements
- RMS Console requirements
- Information Server requirements
- bv-Control for Windows requirements
- bv-Control for UNIX requirements
- bv-Control for Oracle requirements
- bv-Control for Microsoft SQL Server requirements

Chapter 2 Installing Control Compliance Suite components

- Prerequisites for installing the product components
- General installation sequence of Control Compliance Suite
- About the root security certificate
- User Privileges for installing the components
- Configuring service accounts with unconstrained delegation
- Configuring the S4U and constrained delegation
- About configuring the Web Portal to contact RAM
- Infrastructure network ports
- About licensing of the product components
- Installing RMS Console and Information Server
- Prerequisites for RMS installation
- Preinstallation requirements
- Types of Installations
- Installing the data collection infrastructure
- Securing MSDE or the SQL Server
- Upgrading the data collection infrastructure
- Installing the Control Compliance Suite components in a single setup mode
- Installing the Control Compliance Suite components in a distributed setup mode
- Installing the CCS Directory Server
- Creating a DPS or an Application Server certificate
- Installing the CCS Application Server
- Installing the Data Processing Service
- Installing the Web Portal
- Installing the Control Compliance Suite Console
- About using special characters in credentials

Chapter 3 Configuring Control Compliance Suite components

- Configure the Control Compliance Suite
- About registration of the Data Processing Service
- Configuring the RMS data collection infrastructure
- About using LiveUpdate mechanism in Control Compliance Suite

Chapter 4 Modifying or repairing the installed Control Compliance Suite components

- Adding or upgrading the Control Compliance Suite components
- Repairing or reinstalling Control Compliance Suite

Chapter 5 Uninstalling Control Compliance Suite components

- Uninstalling the Control Compliance Suite components from a single setup
- Uninstalling a Control Compliance Suite component from a distributed setup
- Uninstalling RMS Console and Information Server

Appendix A Silent Installation

- Silent installation
- Creating a response file for silent installation
- Installing the product in the silent mode

Index

Chapter 1

Control Compliance Suite overview


This chapter includes the following topics:

- Control Compliance Suite 9.0.1
- Control Compliance Suite infrastructure requirements
- Control Compliance Suite server requirements
- Client requirements
- RMS data collector requirements

Control Compliance Suite 9.0.1


The Control Compliance Suite automates key IT risk and compliance management tasks. Control Compliance Suite ensures the coverage of external mandates through written policy creation, dissemination, acceptance logs, and exception management. Control Compliance Suite demonstrates compliance to both external regulatory mandates and internal policies. Control Compliance Suite allows customers to link the written policy to specific technical and procedural standards. Customers can assess those policies using a highly scalable agentless or agent-based tool. The Control Compliance Suite scores assessment results against specified risk criteria. The Control Compliance Suite supports automated assessment of the system security configuration, permissions, patches, and vulnerabilities. The Control Compliance Suite includes system reporting capabilities. Control Compliance Suite also supports the assessment of procedural controls and entitlement review through a manual attestation process.


Control Compliance Suite infrastructure requirements


The Control Compliance Suite components have minimum requirements for hardware and software. Symantec recommends that you do not install the Control Compliance Suite on any computers that do not meet these requirements. You must ensure that the computers that you use for your Control Compliance Suite deployment meet the following minimum requirements:

- Control Compliance Suite server requirements
  See Control Compliance Suite server requirements on page 10.
- Control Compliance Suite client requirements
  See Client requirements on page 13.

In addition to these minimum requirements, each component has recommendations to ensure the highest performance. Some recommendations vary with the size of the deployment.

Control Compliance Suite server requirements


You must ensure that the computers that host the Control Compliance Suite infrastructure components meet the minimum requirements. These requirements are for a minimum system, and are sufficient only to run the components and experiment with a limited test environment. Before you plan your Control Compliance Suite deployment, review the component recommendations individually.

For a minimum system in a lab setting, you can install all components on one or two servers. If you do so, Control Compliance Suite performance diminishes. Any production Control Compliance Suite deployment should plan for separate servers for separate roles.

In addition to these minimum requirements, each component has recommendations to ensure the highest performance. Some recommendations vary with the size of the deployment. In particular, multiple SQL Servers are normally used to host the databases. These server requirements do not take into account the needs of the data collector deployments that collect data from the network.

Note: You must deploy the Control Compliance Suite Application Server and Directory Server in a Windows Active Directory domain. You should deploy the Data Processing Service in an Active Directory domain, although you can deploy the service in a Windows workgroup when required.


The domain where you install the Application Server and the Directory Server must be a Windows Server 2003 or a Windows Server 2008 domain. The functional level of the domain can be any of the following:

- Windows Server 2008
- Windows Server 2003
- Windows 2000 native

The Control Compliance Suite has not been validated on Windows Server 2008 "Server Core only" installations.

Table 1-1 contains the minimum requirements for each component.

Table 1-1 Control Compliance Suite server requirements

| Component name | Minimum memory | Minimum processor | Required hard disk size | Required operating system | Other requirements |
| --- | --- | --- | --- | --- | --- |
| Application Server | 2 GB | 2.8 GHz | 80 GB | Windows Server 2003 SP2, Windows Server 2003 SP2 x64, Windows Server 2003 R2 SP2, Windows Server 2003 R2 SP2 x64, Windows Server 2008, Windows Server 2008 x64 | Microsoft .NET 3.0 |
| Directory Server | 2 GB | 2.8 GHz | 80 GB | Windows Server 2003 SP2, Windows Server 2003 SP2 x64, Windows Server 2003 R2 SP2, Windows Server 2003 R2 SP2 x64, Windows Server 2008, Windows Server 2008 x64 | Microsoft .NET 3.0 |
| Production database or reporting database | 2 GB | 2.8 GHz | 160 GB | Windows Server 2003 SP2, Windows Server 2003 SP2 x64, Windows Server 2003 R2 SP2, Windows Server 2003 R2 SP2 x64, Windows Server 2008, Windows Server 2008 x64 | Microsoft SQL Server 2005 SP2. The reporting database requires SSIS SP2. Note: Microsoft SQL Server 2008 is not supported. |
| Data Processing Services | 2 GB | 2.8 GHz | 80 GB | Windows Server 2003 SP2, Windows Server 2003 SP2 x64, Windows Server 2003 R2 SP2, Windows Server 2003 R2 SP2 x64, Windows Server 2008, Windows Server 2008 x64 | Both Microsoft .NET 3.0 and Microsoft .NET 2.0 SP1 |
| Web Portal server | 2 GB | 2.8 GHz | 80 GB | Windows Server 2003 SP2, Windows Server 2003 SP2 x64, Windows Server 2003 R2 SP2, Windows Server 2003 R2 SP2 x64, Windows Server 2008, Windows Server 2008 x64 | Internet Information Services (IIS) 6.0. The 32-bit version and the 64-bit version are both supported. If the computer that hosts the Web Portal uses Windows Server 2008, the computer must have the Windows Authentication role added. |

If .NET is not installed, the Control Compliance Suite installer prompts you to install it.

Note: The %temp% folder drive must have at least 600 MB free during the installation of any Control Compliance Suite component. The installer deletes the files that are created in the %temp% folder when the installation is complete. The %temp% folder is normally on the C:\ drive. In addition, the installer places a copy of the installation files in a media cache folder. On Windows Server 2003 computers, the media cache folder is C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Control Compliance Suite R and A\MediaCache. On Windows Server 2008 computers, the media cache folder is C:\ProgramData\Symantec\Symantec Control Compliance Suite - R and A\MediaCache. These files require approximately 700 MB.

Note: The %temp% folder drive must have at least 700 MB free during the installation of any Control Compliance Suite component. The installer deletes the files that are created in the %temp% folder when the installation is complete. The %temp% folder is normally on the C:\ drive. In addition, the installer places a copy of the installation files in a media cache folder. On Windows Server 2003 computers, the media cache folder is C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Control Compliance Suite R and A\MediaCache. On Windows Server 2008 computers, the media cache folder is C:\ProgramData\Symantec\Symantec Control Compliance Suite - R and A\MediaCache. These files require approximately 750 MB.

The computers that host the following components must be in the same LAN segment:

- Application Server
- Directory Server
- Data Processing Service Load Balancer
- Data Processing Service Evaluator
- Data Processing Service Reporter
- Control Compliance Suite Production database
- Control Compliance Suite Reporting database
- Control Compliance Suite Evidence database
- Control Compliance Suite Web Portal

Client requirements
Before you install the Control Compliance Suite clients, you must ensure that the target computers meet the minimum requirements. Table 1-2 contains the minimum requirements for the Control Compliance Suite clients.

Table 1-2 Control Compliance Suite client requirements

| Component name | Minimum memory | Minimum processor | Required hard disk size | Required operating system | Other requirements |
| --- | --- | --- | --- | --- | --- |
| Control Compliance Suite client | 1 GB | 2.8 GHz | 80 GB | Windows XP Professional SP2, Windows XP Professional SP2 x64, Windows Vista Business or Enterprise, Windows Vista Business or Enterprise x64, Windows Server 2003 SP2, Windows Server 2003 SP2 x64, Windows Server 2003 R2 SP2, Windows Server 2003 R2 SP2 x64, Windows Server 2008, Windows Server 2008 x64 | Adobe Flash Player. Microsoft Office Primary Interop Assemblies. |
| Control Compliance Suite Web client | 512 MB | 1.2 GHz | 40 GB | Windows XP Professional SP2, Windows XP Professional SP2 x64, Windows Vista Business or Enterprise, Windows Vista Business or Enterprise x64, Windows Server 2003 SP2, Windows Server 2003 SP2 x64, Windows Server 2003 R2 SP2, Windows Server 2003 R2 SP2 x64, Windows Server 2008, Windows Server 2008 x64 | Internet Explorer 6.0 or Internet Explorer 7.0 |

The Control Compliance Suite has not been validated on Windows Server 2008 "Server Core only" installations.

Microsoft Office and the Microsoft Office Primary Interop Assembly are required to import Microsoft Word documents as policies. You can use Microsoft Office XP or Microsoft Office 2003.

The Control Compliance Suite dashboards require the Adobe Flash Player. You can download the Adobe Flash Player Installer from the Adobe Web site.

http://www.adobe.com/products/flashplayer/

To create user-defined reports, you must install Crystal Reports Developer 2008, part of the third-party Crystal Reports 2008 product. Crystal Reports Developer is required only on the Control Compliance Suite client that you use to create the user-defined reports.

RMS data collector requirements


Before you install the RMS data collector components, you must ensure that the computers that you select for the installation meet the minimum requirements. If you install multiple components on the same computer, the requirements for all of the installed components must be met. When you plan the RMS deployment, assume one RMS Information Server for every 2000 nodes that you want to monitor in the Control Compliance Suite.

RMS Console requirements


Your RMS data collector deployment requires at least one RMS Console and a single RMS Information Server. If you install multiple RMS Consoles, then the additional RMS Consoles can be installed on a computer without any other RMS components. If you install a Console and Information Server on the same computer, the computer must meet all of the listed system requirements. Before you install the RMS Console, make sure that your workstation environment and network environment meet the following minimum requirements:

Hardware

- Pentium II 450 MHz
- 256 MB RAM
- 1000 MB of free disk space
- SVGA monitor that supports 256 colors with the display set to 800x600 pixels or greater

Software

- Microsoft Windows 2000 SP4 (server or workstation)
- Windows XP Professional SP1
- Windows Server 2003 or later
- Microsoft Internet Explorer 5.5 SP2 or later
- Microsoft Outlook 2000, Novell GroupWise 5.5, Lotus Notes 5.0, or Lotus Domino (only required for emailing export files)
- Microsoft Excel (required for Excel (using OLE) export files)
- Client for Microsoft Networks

Information Server requirements


Your RMS deployment requires a single Information Server. The Information Server must also have a copy of the RMS Console installed. Before you install the Information Server, make sure that your computer and your network environment meet the following minimum requirements:

Hardware

- Pentium III 800 MHz
- 512 MB RAM
- 1500 MB of free disk space

Software

- Microsoft Windows 2000 SP4 (server or workstation), Windows XP Professional SP1, or Windows Server 2003 or later
- A local installation of SQL Server 2005 Express SP2 or later, or Microsoft SQL Server 2005 SP2 or later
- Microsoft Internet Explorer 5.5 SP1 or later
- Microsoft Outlook 2000, Novell GroupWise 5.5, Lotus Notes 5.0, or Lotus Domino (only required for emailing export files)
- Microsoft Excel (required for Excel (using OLE) export files)
- Client for Microsoft Networks

Note: For enhanced security, performance, and to simplify installation, only a local SQL Server is supported. The Control Compliance Suite 9.0.1 supports only the default instance of the SQL Server. Named instances are not supported.

bv-Control for Windows requirements


The RMS data collector uses the bv-Control for Windows snap-in module to collect data from Windows computers. When you use bv-Control for Windows, you must install additional components to perform the actual data collection from your network. The individual components have the following requirements:

Enterprise Configuration Service

- Pentium III 600 MHz
- 128 MB RAM
- 300 MB of free disk space
- Microsoft Windows 2000 SP3 (Server or Professional), Microsoft Windows XP Professional, Microsoft Windows Server 2003, or later

Query Engines

- Pentium III 600 MHz
- 256 MB RAM
- 500 MB of free disk space
- Microsoft Windows 2000 SP3 (Server or Professional), Microsoft Windows XP Professional, Microsoft Windows Server 2003, or later
- Microsoft Internet Explorer 5.0 or later

Support Service

- 32 MB RAM
- Microsoft Windows 2000 SP3 (Server or Professional), Microsoft Windows XP Professional, Microsoft Windows Server 2003, or later

In large enterprises, the support service may require additional disk space for last logon data storage. These minimum hardware requirements are the minimum requirements for the default installation configuration, and do not reflect the needs of real-world environments. Actual processor speed and RAM requirements are a function of the number of simultaneous users. Query engine processor speed and RAM requirements are a function of the number of agents that the Slave Query Engine employs.

bv-Control for UNIX requirements


The RMS data collector uses the bv-Control for UNIX snap-in module to collect data from UNIX computers. The snap-in can operate in both agent-based and agentless modes. The agentless mode uses software on the Information Server to collect data from assets. The agent-based mode uses a software agent that you install on each computer to collect data.

For additional information on using agent-based or agentless data collection in bv-Control for UNIX, see the bv-Control for UNIX Help.

Make sure the operating systems on all UNIX computers have the latest patches installed. Consult your UNIX vendor documentation for information on the latest patches for your operating system.

Note: You must have administrative rights for each computer where you install the agent.

The bv-Control for UNIX agent installation has the following hardware requirements:

- Sun SPARCstation 1 or UltraSPARC for Solaris
- HP 9000 UNIX servers, or HP Visualize UNIX workstations (classes B, C, and J)
- IBM RS/6000 UNIX workstations and servers
- Intel or equivalent for Red Hat and SUSE Linux
- 20 MB disk space
- TCP/IP network

The bv-Control for UNIX agent installation on the target computer has the following software requirements:

- Sun Solaris operating environment versions 5.8, 5.9, and 5.10 of both SPARC and x86 architecture
- Red Hat Linux versions 8.0 and 9.0
- Red Hat Enterprise Linux AS/ES version 3.0, 4.0 and Red Hat Enterprise Linux 5.0, and 5.0 of Intel Itanium architecture
- Hewlett-Packard HP-UX versions 11.00, 11.11(11iv1), 11.23(11iv2), 11.23 (11iv2) of Intel Itanium architecture, and 11.31 (of both PA-RISC and Itanium architecture)
- IBM AIX versions 5.1, 5.2, and 5.3
- SUSE Linux versions 8.2, 9.0, and 9.1
- SUSE Linux Enterprise Server (ES) versions 9.0, 9.2, 9.3, 10.0, and 10.0 of Intel Itanium architecture
- openSSH installed on each UNIX target computer


Because bv-Control for UNIX packages the x86 32-bit package for RHEL and SLES Itanium platforms, the IA32 emulation layer is required to run the agent. The following packages must be present on the RHEL Itanium target computers and SLES Itanium target computers along with their respective dependencies:

- bash-x86
- coreutils-x86
- cracklib-x86
- db-x86
- glibc-x86
- Ia32el
- libgcc-x86
- libxcrypt-x86
- ncurses-x86
- pam-modules-x86
- pam-x86
- readline-x86
- libstdc++-x86

The Ia32el service that is required for query execution must be running on the target computers before installation of the UNIX agent. The command to run the service is as follows:

    [root@rhel5ita rpm]# service ia32el status
    Intel IA-32 Execution Layer in use
    [root@rhel5ita rpm]#

The operating systems that are supported by the target computers in the agentless registration mode only are as follows:

VMware ESX

The supported versions for the VMware ESX operating system are as follows:

- Version 3.0
- Version 3.5

Linux

The supported versions for Linux are as follows:

- Linux is supported on zSeries of IBM computers
- Red Hat Linux Advanced Server (AS) 2.1
- SUSE Linux 8.0 and 8.1
- SUSE Linux Enterprise Server (ES) 8.1

The architecture that is supported by the operating systems, when configured in both the agent-based and agentless registration modes is as follows:

AMD Opteron

The operating systems are as follows:

- Red Hat Enterprise Linux 5.0
- SUSE Linux Enterprise Server 10.0
- Sun OS 5.10

bv-Control for Oracle requirements


The RMS data collector uses the bv-Control for Oracle snap-in module to collect data from Oracle databases. Before you deploy bv-Control for Oracle, you must evaluate your environment to ensure that your workstations meet the minimum system requirements for running the product. To successfully validate credentials in bv-Control for Oracle, you must have the appropriate permissions on the Information Server, the databases, and the operating systems. The bv-Control for Oracle installation has the following system requirements:

- Microsoft Windows 2000 SP4 server or workstation, Windows XP Professional SP1, or Windows Server 2003 or later
- Microsoft Internet Explorer 5.5 SP2 or later
- 50 MB disk space
- TCP/IP network

On UNIX hosts, some information that bv-Control for Oracle requires is based on the underlying UNIX operating system. The bv-Control for UNIX snap-in can collect the data if the bv-Control for UNIX snap-in is installed. If you do not use bv-Control for UNIX, you must install the bv-Control for Oracle UNIX agent.

Note: Make sure that the operating systems on all UNIX computers have the latest patches installed. Consult your UNIX vendor documentation for information on the latest patches for your operating system.


The UNIX agent for bv-Control for Oracle (UNIX agent) can be installed only on the computers that meet certain requirements. You must ensure that your workstation is compliant with the system requirements before you install and execute the UNIX agents. Note: You must have administrative rights on the computer where you install the UNIX agent for bv-Control for Oracle. The UNIX agent for bv-Control for Oracle installation on the target computer has the following hardware requirements:

Sun SPARCstation1 or UltraSPARC for Solaris, or x86 Solaris HP9000 UNIX servers, HP Visualize UNIX workstations (classes B, C, and J) IBM RS/6000 UNIX workstations and servers Intel or equivalent for Red Hat and SUSE Linux 20 MB disk space TCP/IP network

The UNIX agent installation on the target computer has the following software requirements:

Sun Solaris Operating Environment 5.8, 5.9, and 10
Red Hat Linux 8.0 and 9.0
Red Hat Linux Advanced Server (AS) 2.1, and Red Hat Enterprise Linux AS/ES version 3.0, and 4.0
Hewlett-Packard HP-UX 11.00, 11.11(11iv1), and 11.23(11iv2)
IBM AIX 5.1, 5.2, and 5.3
SUSE Linux 8.0, 8.1, 8.2, 9.0, and 9.1
SUSE Linux Enterprise Server (ES) 8.1, 9.0, 9.2, and 9.3
OpenSSH installed on each UNIX target computer
xterm terminal on each UNIX target computer

You must address some additional requirements to install the UNIX agents for bv-Control for Oracle. The additional requirements are as follows:

All UNIX target computers with OpenSSH installed
All UNIX target computers with xterm terminal

The domain of the Windows credentials that are supplied for connecting with the Oracle server must have a one-way trust with the Information Server domain. Otherwise, the server is displayed as Unknown during the product configuration. The credential user needs certain privileges to run queries on database-related data sources. For information on specific SELECT privileges to query database-related data sources, see the bv-Control for Oracle Getting Started Guide. For Oracle Database Version 9i and later, you can provide the following privileges:
SELECT ANY DICTIONARY: Allows access to the required data dictionary objects.
SELECT ON SYSTEM.PRODUCT_USER_PROFILE: Allows access to the SYSTEM.PRODUCT_USER_PROFILE synonym, which is used for reporting in the SQL*Plus Security data source.

For Oracle Database Version 8i, you can provide the following privileges:
SELECT_CATALOG_ROLE: Allows access to the required DBA_ views and the V$ dynamic performance views.
SELECT ON SYSTEM.PRODUCT_USER_PROFILE: Allows access to the SYSTEM.PRODUCT_USER_PROFILE synonym, which is used for reporting in the SQL*Plus Security data source.

Note: Oracle 8i does not have the SELECT ANY DICTIONARY privilege, and the SELECT ANY TABLE privilege is not useful if O7_DICTIONARY_ACCESSIBILITY is set to false.

The following privileges grant access to the dictionary objects that are required for reporting on the Database Audit Trail data source:

SELECT ON SYS.OBJAUTH$
SELECT ON SYS.OBJ$
SELECT ON SYS.USER$
SELECT ON SYS.COL$
SELECT ON SYS.TABLE_PRIVILEGE_MAP

For Oracle 8i, you must grant the SELECT privileges on individual data dictionary objects because Oracle 8i does not support the SELECT ANY DICTIONARY privilege. Also, the SELECT ANY TABLE privilege does not allow access to data dictionary objects when the O7_DICTIONARY_ACCESSIBILITY parameter is set to FALSE.

bv-Control for Oracle normally does not require the Oracle Client to be installed on the Information Server. The Oracle Client, with Oracle Advanced Security enabled, must be installed only when network data encryption is required. For more information on configuring Network Data Encryption, see the bv-Control for Oracle Help.

bv-Control for Microsoft SQL Server requirements


The RMS data collector uses the bv-Control for Microsoft SQL Server snap-in module to collect data from Microsoft SQL Server databases. Before you install bv-Control for Microsoft SQL Server, ensure that your workstation and SQL Server environment meet the minimum requirements to run the product. In addition to the general system requirements for the Information Server, your Information Server should have a minimum of 1 GB RAM. bv-Control for Microsoft SQL Server can query and report on various versions of the Microsoft SQL Server. The bv-Control for Microsoft SQL Server snap-in supports the following Microsoft SQL Server platforms:

Microsoft SQL Server Desktop Edition 1.0 and 2000
Microsoft SQL Server Standard Edition 7.0, 2000, and 2005
Microsoft SQL Server Personal Edition 2000
Microsoft SQL Server Enterprise Edition 7.0, 2000, and 2005
Microsoft SQL Server Developer Edition 2000 and 2005
Microsoft SQL Server Workgroup Edition 2005
Microsoft SQL Server Express Edition 2005 (the auditing feature is not supported)

Note: To query against Microsoft SQL Server 2005, you must install the SQL Distributed Management Object component, SQLDMO.dll, on the Information Server. You can install the component either separately or from the CCS_DataCollection\Redist folder on the product disc.

Certain minimum rights are required for querying against the data sources. You specify the credentials that meet these minimum rights in the Credentials Database. The following minimum user rights are required to query the SQL Server:

The user credentials for Windows or SQL Server that are supplied for connecting to the SQL Server must be a user for the SQL Server. Otherwise, the credential verification in bv-Control for Microsoft SQL Server fails.
User credentials for Windows or SQL Server that are supplied for connecting to the SQL Server must have read rights on the master database. This master database must belong to the SQL Server that is queried. Otherwise, the credential verification in bv-Control for Microsoft SQL Server fails.
For a query on a particular database on the SQL Server, the read rights are required on that database.

The product supports queries for the target SQL Servers in an untrusted domain. You should use SSL to encrypt application traffic between the Information Server and the target SQL Server. The bv-Control for Microsoft SQL Server functionality does not require SSL communication to be enabled. The product works seamlessly with the encrypted or non-encrypted protocols to communicate with the SQL Server. The communications preferences are set in the SQL Server client configuration. You should also ensure that your SQL Server is patched appropriately and regularly for any vulnerabilities that are related to the open SQL port. When you use SQL audits, you may configure bv-Control for SQL Server to collect only the required information. SQL audits can generate large data sets. The large data sets can have an impact on the disk space requirement or the network bandwidth requirements. In addition, the amount of data might degrade SQL Server performance.

Chapter

Installing Control Compliance Suite components


This chapter includes the following topics:

Prerequisites for installing the product components
General installation sequence of Control Compliance Suite
About the root security certificate
User Privileges for installing the components
Infrastructure network ports
About licensing of the product components
Installing RMS Console and Information Server
Installing the Control Compliance Suite components in a single setup mode
Installing the Control Compliance Suite components in a distributed setup mode

Prerequisites for installing the product components


Before the installation of the Control Compliance Suite components, the product setup prepares your computer with the installation prerequisites. You must ensure that your computer has the latest patch updates installed. The prerequisites of the Control Compliance Suite are as follows:

Visual C++ 2005 redistributable framework
The setup installs the software automatically during the installation of the distributed components.

Microsoft .NET 3.0 redistributable framework
The setup installs the software automatically during the installation of the distributed components.

Microsoft SQL Server 2005 SP2
You must manually install the software or use an existing installation. Control Compliance Suite creates a production database and a reporting database to store the compliance data. Depending on the scale of the deployment, you might require one or more Microsoft SQL Server 2005 SP2 installations.

Microsoft SQL Server Integration Services SP2 (SSIS)
You must manually install the software to create the SSIS database, which is used for reporting purposes. The SQL Server connects to the msdb database and deploys the SQL agent jobs and the SSIS packages. The SQL agents and the SSIS packages synchronize data between the production and the reporting databases.

Microsoft SQL Server 2005 management object collection
The setup installs the software automatically during the installation.

Note: The Application Server must be configured to use the SSL connections for the Microsoft SQL Server instances that host the Control Compliance Suite databases. If you use SSL connections, you must ensure that you configure them before you install the Control Compliance Suite. Refer to the Microsoft SQL Server documentation (http://support.microsoft.com/kb/316898) for information about configuring SSL connections.

Crystal Reports 2008
The setup installs the software automatically on the computer that is installed with the Data Processing Service (DPS) component. You must install Crystal Reports 2008 only on the DPS computer that is configured with the role of a reporter. If you fail to install Crystal Reports 2008, then you can manually install the software, CrystalReportsDotNet.MSI from the <installation directory>/Symantec/CCS/Reporting and Analytics/Application Server/REDIST folder of the CCS Application Server. You can also install CrystalReportsDotNet.MSI from the product disc folder, CCS_Reporting\Redist.

ADAM SP1 instance
The setup installs the software automatically on the computer that is installed with the CCS Directory Server component.

Symantec LiveUpdate Client
The setup installs the software automatically during the installation of the distributed components.

Macromedia Flash 11
You must manually install the software that is required for the Reporting module of Control Compliance Suite.

To install CCS Web Portal, ensure that the following configurations are performed:
Internet Explorer (IE)
Configure the following for the IE:
Add the URL to the Local Intranet Zone.
Enable the Windows Integrated Authentication.
Logon automatically with the current username and password or logon automatically only in the intranet zone.

Internet Information Service (IIS)
Check the Windows Integrated Authentication option.

Service Principal Name (SPN)
Add the following:
http/<computer-name>:<port> <iis-computer-name>
http/<FQDN> <iis-computer-name>
Note: You can associate an SPN with a single user account.

Domain Controller (DC)
Do the following for the DC configuration:
Navigate to Active Directory Users and Computers -> <Domain> -> Computers and select the IIS server.
Right click, Properties -> Delegation tab.
Select Trust this Computer for delegation to any service (Kerberos only) option. This option appears only if the domain functional level is Windows Server 2003.

ASP.NET v2.0.50727
Do the specific operation as per the instructions to install the application.

ASP.NET v2.0.50727 Web Service Extension
Run the following command to install the Web Service Extension:
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe -i

Active Server Pages Web Service Extension
The setup automatically installs the application.

General installation sequence of Control Compliance Suite


Control Compliance Suite installation in the distributed setup mode involves implementation of meticulous and defined procedures. Every Control Compliance Suite component is packaged with the service components that are installed along with the product on the computer. The service components are the Directory Support Service, Management Services, Application Server Service, and the Data Processing Service. Before installation, you must know about the prerequisites for installing the product components. See Prerequisites for installing the product components on page 25. The product setup installs the Control Compliance Suite components in the following order:

Installation of the CCS Directory Server. The CCS Directory Server installation involves the following tasks:

Installation of the Directory Support Service
Installation of the ADAM SP1 instance. The ADAM SP1 installation is a prerequisite for installing the Directory Support Service. On the Windows Server 2008 computer, you need to manually install the component ADLDS, which is the equivalent of ADAM SP1.
Installation of the Management Services. The root certificate is encrypted, stored, and managed by the Management Services.
Installation of the Certificate Management Console. The Certificate Management Console is used to create the certificates that are deployed on the computers on which the components are installed. See Creating a DPS or an Application Server certificate on page 59.

Installation of the CCS Application Server. The CCS Application Server installation involves the following tasks:

Installation of the Application Server Service
Installation of the Technical Standards Pack
Installation of the Regulations and Frameworks Pack
Installation of the production database
Installation of the reporting database
Installation of the SSIS packages

Installation of the Data Processing Service

For any deployment scenario, you can deploy one CCS Directory Server and one CCS Application Server. There can be multiple installations of the Data Processing Service components. The installation logs that are generated during the installation of the product and their location for various operating systems are as follows:
On all supported versions of Windows Server 2003 computers: C:\Documents and Settings\<user name>\Local Settings\Temp\CSMSetup
On all supported versions of Windows Server 2008 computers: system_drive:\Users\ADMINI-1.C1Q\AppData\Local\Temp\CSMSetup

About the root security certificate


In Control Compliance Suite, the Application Server is the central component and communicates with all other Control Compliance Suite components. The communication is established between the components through the certificates. A root certificate is the core authentication entity, which contains the blueprint information to create certificates on the distributed components. The root certificate is created on the CCS Directory Server and contains the details that are used to create certificates for the other components. The root certificate is created using the Installation Wizard during the installation of the product. The other certificates that are to be deployed on the distributed components can be created using the Certificate Management Console. The Certificate Management Console is installed on the CCS Directory Server computer along with the installation of the Directory Support Service. See Creating a DPS or an Application Server certificate on page 59.

The properties that are to be specified for creating the root certificate and their descriptions are as follows:
Organization: The name of your organization.
Division: The division to which your organization belongs.
City: The name of the city of your organization.
State/Province: The name of the state or province to which the city belongs.
Country: The name of the country. The country code must consist of two alphabet characters.
Expire in: The expiration time period of the root certificate.
Password: The password to authenticate the certificate.
Re-type password: Re-authenticate the password that you have typed.

User Privileges for installing the components


The Control Compliance Suite infrastructure supports multiple deployments of the product components. Every component, such as the CCS Directory Server, CCS Application Server, and DPS, comprises the services that are a part of the deploying component. To install the components successfully, you require specific permissions and privileges. You must also configure the user accounts with specific privileges to run the services that are a part of the components. The user in whose context the product component is installed need not necessarily be a regular user of the component. Sometimes, the user might need to have higher permissions and privileges than the regular user.

Table 2-1 Lists the privileges of the user to install the CCS components

Deployment type: CCS Directory Server
Components installed: The following components are installed for the CCS Directory Server: ADAM / ADLDS, Directory Support Service, Management Services, Certificate Management Console (CMC)
User privileges for CCS component installation: You must have all the following user privileges to install the component: Domain user; Local administrator (of the local computer)

Deployment type: CCS Application Server
Components installed: The following components are installed for the CCS Application Server: Application Server, Databases
User privileges for CCS component installation: You must have all the following user privileges to install the component: Domain user if using Windows authentication for the SQL Server or local user if using SQL authentication for the SQL server; Local administrator (of the local computer); sysadmin role (in the SQL server)

Deployment type: CCS Additional Services with DPS in the reporting role
Components installed: Data Processing Service component that is configured in the reporting role
User privileges for CCS component installation: You must have all the following user privileges to install the component: Local or domain user; Local administrator

Deployment type: CCS Additional Services with DPS in the data evaluator role
Components installed: Data Processing Service component that is configured in the data evaluator role
User privileges for CCS component installation: You must have all the following user privileges to install the component: Local or domain user; Local administrator

Deployment type: CCS Additional Services with DPS in other roles
Components installed: Data Processing Service component that is configured with roles of load balancer or data collector
User privileges for CCS component installation: You must have all the following user privileges to install the component: Local or domain user; Local administrator

The Control Compliance Suite infrastructure uses three types of SQL databases: production, reporting, and evidence. The Application Server uses the databases that are created. You can install the SQL Server on the same computer on which the Application Server component is installed or on a separate computer. You can either provide different credentials for each of the three databases or use the same credentials for all three of them.

During the SQL Server installation, you can choose between using Windows credentials (integrated security) and SQL credentials to connect to the SQL Server. If you use Windows authentication, the credentials of the user installing the Application Server are used to connect to the SQL Server. The credentials of the service user are used in the post-installation. In this case, during installation, the service account that is specified is added to the role, Public in the SQL Server with db_owner privilege for the databases. If SQL authentication is used, the same credentials are used during installation and by the service account.

Table 2-2 Lists the privileges of the user for the CCS services

Deployment type: CCS Directory Server
CCS services: The following services are specific to the CCS Directory Server: Symantec Directory Support Service; Symantec Management Services Service
User privileges for CCS service accounts: You must have all the following user privileges for the services: Domain user; Local administrator

Deployment type: CCS Application Server
CCS services: Symantec Application Server Service
User privileges for CCS service accounts: You must have all the following user privileges for the service: Domain user; Local administrator; SQLAgentUserRole, db_datareader, and db_dtsoperator roles for msdb database; Logon as a batch job on the SSIS computer

Deployment type: CCS Additional Services with DPS in the reporting role
CCS services: Symantec Data Processing Service for the reporting role
User privileges for CCS service accounts: You must have all the following user privileges for the service: Domain user; Local administrator; Logon Locally for service account of Application Server on DPS machine; db_datareader and db_datawriter roles for CSM_Reports database; Delete, execute, insert, and update permissions on CSM_Reports database

Deployment type: CCS Additional Services with DPS in the data evaluator role
CCS services: Symantec Data Processing Service for the data evaluation role
User privileges for CCS service accounts: You must have all the following user privileges for the service: Local or domain user; Local administrator; Logon locally for the service account of the Application Server on the DPS computer

Deployment type: CCS Additional Services with DPS in other roles
CCS services: Symantec Data Processing Service for roles of a load balancer or data evaluator
User privileges for CCS service accounts: You must have all the following user privileges for the service: Local or domain user; Local administrator

Note: You must set up the Microsoft SQL Agent Service as a local system account. If your domain account is used, then the account must be assigned to the sysadmin role for the Microsoft SQL Server. In addition, the account must be added to the group SQLServer2005SQLAgentUser$ComputerName$InstanceName.

Configuring service accounts with unconstrained delegation


You need to configure the service accounts for the Directory Support Service (DSS) and the Application Server to operate with unconstrained delegation in a distributed setup.

Note: Setting up Service Principal Names (SPNs) is important for a successful installation and configuration of a distributed setup. You must execute the procedure to configure the service accounts for unconstrained delegation before you install the CCS components.

To configure the service accounts with unconstrained delegation

Identify the user accounts that you want to use as the service accounts for DSS and Application Server. The user accounts must have the necessary privileges.

Create the Service Principal Name (SPN) for the Application Server and the DSS services. The SPN for both the short NetBIOS name and the fully-qualified host name (FQDN) is created. While delegation can work without SPN in Windows Server 2000 domains, it can also fail depending on the operating system that is in use. You must associate an SPN to a single user account. The service-name portion of the SPN must match the following:

SetSpn -A Symantec.CSM.AppServer/appserver_machine domain\appserver_account
SetSpn -A Symantec.CSM.AppServer/appserver_machine.fqn domain\appserver_account
SetSpn -A Symantec.CSM.DSS/dss_machine domain\dss_account
SetSpn -A Symantec.CSM.DSS/dss_machine.fqn domain\dss_account

Enable delegation for the Application Server's service account. The following service accounts are to be enabled:

Windows Server 2000 Domain: In the user properties for the Application Server account, go to Account tab and check the option, Account is trusted for delegation.
Windows Server 2003 Domain: In the user properties, go to the Delegation tab and select the option, Trust this user for delegation to any service (Kerberos only).

When installing the Application Server, specify the FQDN when prompted by the setup for the computer that installed the DSS. It is not mandatory to specify the FQDN, but sometimes specifying a short NetBIOS name can cause problems.
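
Because each SPN must be associated with a single user account, it helps to compare the SPNs this procedure needs against what the directory already holds before running SetSpn -A. The following is an added example, not part of the product or of this guide; the host names, account names, and the snapshot of existing SPNs are constructed, and how you export existing servicePrincipalName values is left to your own tooling.

```python
# Added example: plan SPN registration for the CCS service accounts.
# Host names, account names and the directory snapshot are constructed.

# Service classes as they appear in the SetSpn commands of the procedure.
SERVICE_CLASSES = {"appserver": "Symantec.CSM.AppServer", "dss": "Symantec.CSM.DSS"}


def required_spns(role, short_name, fqdn):
    """Return the NetBIOS-name and FQDN SPNs for one service role."""
    service = SERVICE_CLASSES[role]
    return [f"{service}/{short_name}", f"{service}/{fqdn}"]


def plan_spn_registration(required, existing):
    """Compare the required SPNs with those already registered.

    required: {spn: account that must own it}
    existing: {spn: [accounts that currently hold it]}
    SPNs and account names are compared case-insensitively.
    Returns (commands, conflicts): SetSpn -A commands for SPNs nobody holds,
    and (spn, wanted_account, other_holders) for SPNs held by another account.
    An SPN already held only by the wanted account needs no action.
    """
    index = {}
    for spn, holders in existing.items():
        index.setdefault(spn.lower(), set()).update(h.lower() for h in holders)

    commands, conflicts = [], []
    for spn, account in required.items():
        holders = index.get(spn.lower(), set())
        others = sorted(holders - {account.lower()})
        if others:
            conflicts.append((spn, account, others))
        elif not holders:
            commands.append(f"SetSpn -A {spn} {account}")
    return commands, conflicts


# Constructed requirements: one Application Server and one DSS computer.
REQUIRED = {}
for _spn in required_spns("appserver", "ccsapp01", "ccsapp01.example.test"):
    REQUIRED[_spn] = "EXAMPLE\\svc_ccsapp"
for _spn in required_spns("dss", "ccsdss01", "ccsdss01.example.test"):
    REQUIRED[_spn] = "EXAMPLE\\svc_ccsdss"

# Constructed snapshot of SPNs that already exist in the domain.
EXISTING = {
    "symantec.csm.appserver/CCSAPP01": ["EXAMPLE\\svc_ccsapp"],  # already correct
    "Symantec.CSM.DSS/ccsdss01": ["EXAMPLE\\old_dss"],           # held by another account
}

if __name__ == "__main__":
    commands, conflicts = plan_spn_registration(REQUIRED, EXISTING)
    for spn, wanted, holders in conflicts:
        print(f"CONFLICT {spn}: needed by {wanted}, held by {', '.join(holders)}")
    for command in commands:
        print(command)
```

Resolve every reported conflict before running the generated commands, so that no SPN ends up on two accounts.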

Configuring the S4U and constrained delegation


Before configuring the Service for User (S4U) and constrained delegation, ensure that you configure the service accounts with unconstrained delegation. The S4U configuration is a modification of the unconstrained delegation configuration and is therefore an optional task for you to perform. See Configuring service accounts with unconstrained delegation on page 34. To configure S4U with constrained delegation

Set up delegation on the Application Server account. In Active Directory Users and Computers, open the properties for the Application Server's service account and make the following changes on the Delegation tab:

Select Trust this user for delegation to specified services only
Select Use any authentication protocol

Under Services to which this account can provide delegated credentials do the following:

Click Add and type in the name of the machine where DSS is installed. From the list of services, select the service, LDAP that has the same port number as the port where the ADAM instance is running and click OK.
Click Add and type the name of the service account for which the DSS service is running. You can view the custom SPN that was created for the DSS before installation. Select the service and click OK.

On the Application Server computer, open the Local Security Policy editor. Navigate to Local Policies -> User Rights Assignment and grant the privilege, Act as part of the operating system, to the Application Server.

Configure the Application Server in the following manner to use S4U authentication:

In the CCS Console, go to Settings -> System Topology.
Select the Application Server component, and open Edit Settings.
Change the Authentication type to "Use controlled delegation of security rights".

Reboot the Application Server computer so that the delegation settings can take effect.
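
After the S4U procedure, the Application Server's service account should no longer be trusted for delegation to any service and should list only the DSS targets. The following added example (not part of the product or of this guide) audits that end state from the account's userAccountControl value and its msDS-AllowedToDelegateTo entries. The host names and sample values are constructed, port 3890 is the default Directory Server LDAP port from this guide, and the ldap/host:port form of the LDAP entry is an assumption.

```python
# Added example: audit the Application Server service account's delegation
# settings after the S4U procedure. All sample values are constructed.

# userAccountControl flag values defined by Active Directory.
TRUSTED_FOR_DELEGATION = 0x00080000          # "delegation to any service (Kerberos only)"
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x01000000  # "Use any authentication protocol"

DSS_SERVICE_CLASS = "symantec.csm.dss"  # custom SPN class from the SetSpn step


def parse_spn(spn):
    """Split 'class/host[:port][/name]' into (class, host, port or None)."""
    service_class, _, rest = spn.partition("/")
    instance = rest.split("/", 1)[0]
    host, _, port = instance.partition(":")
    return service_class.lower(), host.lower(), int(port) if port.isdigit() else None


def audit_delegation(uac, allowed_to_delegate_to, dss_hosts, adam_port):
    """Return (code, detail) findings; an empty list means the account
    matches the constrained (S4U) configuration.

    uac: the account's userAccountControl value
    allowed_to_delegate_to: values of msDS-AllowedToDelegateTo
    dss_hosts: accepted names of the DSS computer (short name and FQDN)
    adam_port: LDAP port on which the ADAM instance runs
    """
    hosts = {h.lower() for h in dss_hosts}
    findings = []
    if uac & TRUSTED_FOR_DELEGATION:
        findings.append(("UNCONSTRAINED", "still trusted for delegation to any service"))
    if not (uac & TRUSTED_TO_AUTH_FOR_DELEGATION):
        findings.append(("NO_PROTOCOL_TRANSITION", "'Use any authentication protocol' is not set"))

    seen_ldap = seen_dss = False
    for spn in allowed_to_delegate_to:
        service_class, host, port = parse_spn(spn)
        if service_class == "ldap" and host in hosts:
            if port == adam_port:
                seen_ldap = True
            else:
                findings.append(("WRONG_LDAP_PORT", spn))
        elif service_class == DSS_SERVICE_CLASS and host in hosts:
            seen_dss = True
        else:
            findings.append(("UNEXPECTED_TARGET", spn))
    if not seen_ldap:
        findings.append(("MISSING_TARGET", f"ldap on a DSS host, port {adam_port}"))
    if not seen_dss:
        findings.append(("MISSING_TARGET", "Symantec.CSM.DSS on a DSS host"))
    return findings


# Constructed samples. 0x200 = normal account, 0x10000 = password never expires.
DSS_HOSTS = ["ccsdss01", "ccsdss01.example.test"]
GOOD_UAC = 0x200 | 0x10000 | TRUSTED_TO_AUTH_FOR_DELEGATION
GOOD_TARGETS = [
    "ldap/ccsdss01:3890",
    "ldap/ccsdss01.example.test:3890",
    "Symantec.CSM.DSS/ccsdss01",
    "Symantec.CSM.DSS/ccsdss01.example.test",
]
BAD_UAC = 0x200 | 0x10000 | TRUSTED_FOR_DELEGATION
BAD_TARGETS = ["ldap/ccsdss01:389", "cifs/fileserver01.example.test"]

if __name__ == "__main__":
    for label, uac, targets in (("good", GOOD_UAC, GOOD_TARGETS), ("bad", BAD_UAC, BAD_TARGETS)):
        findings = audit_delegation(uac, targets, DSS_HOSTS, 3890)
        print(label, "OK" if not findings else findings)
```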

About configuring the Web Portal to contact RAM


The Control Compliance Suite (CCS) Web Portal works with the Response Assessment module (RAM) Web client. Several settings may be changed to enable connection with RAM. The IIS CCS application pool uses the Network Server account as the identity. The account is a local account. The account may or may not connect to RAM. You should use the same account that is used as the identity in the RAM application pool. The identity account has the following requirements:

Member of the IIS_WPG local group
Full permissions to the .NET directory
Full permissions to the Windows\Temp directory

The Control Compliance Suite Web Portal is installed with anonymous access setting for the CCS_Web site. You should change the setting to use Windows Integrated authentication. You should disable anonymous access. In the web.config file for the Control Compliance Suite Web Portal, you must set the SPN value. The format for the value should be
account@domain_name.com

Verify that the computer name is used in the following settings:

AppServer
RAMServer

If you use Control Compliance Suite assets with the RAM questionnaires, you must use Kerberos authentication.

Infrastructure network ports


The Control Compliance Suite components use your existing TCP/IP network to communicate with each other. Based on your network configuration and on the location of your components, the communications may need to pass through a firewall. When the communications need to pass through a firewall, you must configure the firewall ports to allow components to access each other. You can configure the ports that each component uses if you choose. Firewalls are often located between the Control Compliance Suite and the Application Server. In addition, firewalls are found between the Application Server and the Data Processing Service (DPS) Load Balancers or Collectors. The Application Server and the Control Compliance Suite Directory should be located with no firewalls in between. The default ports that the Control Compliance Suite components use are as follows:
Application Server: 1431
Directory Server: 3890 (LDAP), 6360 (SSL), 445, 12467, 12468
Data Processing Service: 3993
Production database or reporting database: 1433
Management Service: 12367
Response Assessment module: 1977
Web Portal: 80

In addition, the following ports must be open:


53 (DNS)
135
137
139
145
445

The following ports must be open to allow the DPS Collector to connect to a Symantec RMS data collector:

3027
135
137
139

Port 5600 must be open to allow the DPS Collector to connect to a Symantec ESM data collector. Note: You must use a port in the range from 1024 to 65535 for the Directory Server.
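
A preflight check from the computer that initiates each connection shows which of the default ports a firewall still blocks. The following is an added example, not part of the product or of this guide; the component-to-port mapping is read from the default port list above, the host names are constructed, and only TCP connections are tested.

```python
# Added example: preflight check of the default CCS ports through a firewall.
import socket

# Default ports as read from the list in this section (TCP connect only).
DEFAULT_PORTS = {
    "Application Server": [1431],
    "Directory Server": [3890, 6360, 445, 12467, 12468],  # 3890 LDAP, 6360 SSL
    "Data Processing Service": [3993],
    "Production or reporting database": [1433],
    "Management Service": [12367],
    "Response Assessment module": [1977],
    "Web Portal": [80],
}


def directory_port_valid(port):
    """A port chosen for the Directory Server must be in the range 1024 to 65535."""
    return 1024 <= port <= 65535


def port_open(host, port, timeout=2.0, connect=socket.create_connection):
    """Return True if a TCP connection to host:port succeeds within timeout."""
    try:
        conn = connect((host, port), timeout)
    except OSError:  # refused, timed out, unreachable, or name not resolved
        return False
    conn.close()
    return True


def blocked_ports(targets, timeout=2.0, connect=socket.create_connection):
    """targets: {component: host}. Return (component, host, port) for every
    default port of that component that cannot be reached from this computer."""
    blocked = []
    for component, host in targets.items():
        for port in DEFAULT_PORTS[component]:
            if not port_open(host, port, timeout, connect):
                blocked.append((component, host, port))
    return blocked


if __name__ == "__main__":
    # Constructed host names; replace with the computers in your deployment.
    targets = {
        "Application Server": "ccsapp01.example.test",
        "Directory Server": "ccsdss01.example.test",
        "Production or reporting database": "ccssql01.example.test",
    }
    for component, host, port in blocked_ports(targets):
        print(f"BLOCKED {component} {host}:{port}")
```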

About licensing of the product components


Control Compliance Suite categorizes the components that require mandatory licenses during installation and the components that can be licensed in the post-installation of the product. The components are licensed with the Symantec Enterprise License Service (ELS), which constitute the .slf files. The licenses can be provided either through the Installation Wizard during installation of the product or in the post-installation of the product. The Control Compliance Suite licenses are stored in the ELS store of the product (C:\Program Files\Common Files\Symantec Shared\Licenses). Control Compliance Suite contains a core license (CCS_Core.slf) that is required for installing the Directory Support Service (DSS) and the CCS Application Server components. In an ideal distributed setup, the DSS must be installed first followed by the installation of the Application Server. In such a scenario, the core license is not mandatory for the Application Server installation. For the Policy module of Control Compliance Suite, you need to provide the license in the post-installation of the product.

Installing RMS Console and Information Server


The RMS Console and Information Server and one or more bv-Control snap-in modules form the data collection infrastructure for the Symantec Control Compliance Suite. The Control Compliance Suite Standards and Entitlement modules rely on data that is collected from the RMS data collection infrastructure. Use the Symantec Control Compliance Suite 9.0 product disc to install the RMS Console and Information Server. You can install one or more RMS Consoles, and ensure that every RMS Console is connected to an Information Server. Most of the bv-Control products require a Console and an Information Server. During installation, you must assign the RMS Console to an Information Server. You can choose to install a local Information Server, or you can connect the Console to an existing Information Server. The Information Server you install or connect to is the default Information Server for the Console. After you install the data collection infrastructure, you must configure each bv-Control snap-in. For more information about configuration, see the Getting Started Guide for each module.

Prerequisites for RMS installation


The Symantec Control Compliance Suite 9.0 product disc includes Microsoft installers for the following required Microsoft software:

Microsoft SQL Server 2005 Express SP2
Windows Installer 3.1
Microsoft .NET Framework 2.0

If the installation program determines that you need to install one or more of these requirements, an error message appears. The installation program prompts you to install the required software. When the installation is complete, the data collection infrastructure installation continues.


Installing Control Compliance Suite components Installing RMS Console and Information Server

Preinstallation requirements
Before you install a Console or Information Server on a computer, the computer must meet the minimum system requirements.

Note: If the selected computer does not meet the minimum requirements, the installation can fail.

In addition, ensure the following:

You are a Windows Administrator of the computer where you install the Console or Information Server.
You have rights to the Microsoft SQL Server database if the Information Server computer also hosts Microsoft SQL Server.

Before you install your infrastructure, review the Release Notes files for the RMS Console and Information Server and the bv-Control products. The Release Notes folder resides inside the Documentation folder of the product disc.

Note: You can install the RMS Console and Information Server in a Windows Workgroup, but Symantec does not recommend that you do so. If you install in a Windows Workgroup, the RMS Console and Information Server must use the same user name and password on each host computer.

Types of Installations
The Symantec Control Compliance Suite setup program provides different installation options to suit different network configurations. The following installation options are available:

RMS Console with local Information Server
RMS Console only (connects to an existing Information Server)

When you install the Console with a local Information Server, both products are installed on the same computer. Users of other consoles can remotely connect to the Information Server that you install if they have access rights. When you install only a console, you must select an existing remote Information Server for the console to use. If your network has a dedicated remote Information Server for the enterprise-wide queries, or for area-specific queries, you can install the connecting consoles.


Installing the data collection infrastructure


The RMS Console and Information Server and one or more associated bv-Control snap-in modules make up the Control Compliance Suite data collection infrastructure. After you review the pre-installation requirements, you can use the Install panel to install your infrastructure products. Before you install the data collection infrastructure, review the Release Notes for the RMS Console and Information Server and the bv-Control product that you install.

You can use Terminal Services or Remote Desktop Connection to install the RMS Console and Information Server on a remote computer. If you do so, the installer cannot be located on a mapped drive. During the installation, the installer prompts you to select a location where the Control Compliance Suite data collection infrastructure must be installed.

During the installation, the installer creates log files that document the installation steps in the Windows TEMP folder. Usually, this folder is located in C:\temp, but you may have specified a different folder. When you restart the computer, these log files are deleted automatically. If a problem occurs during the installation, temporarily change your computer's Local Profile settings so that the files are not deleted. You can also use the Windows Explorer to make copies of these files for Symantec Technical Support before you restart. The log files help Symantec Technical Support to correct any issues.

To install data collection infrastructure products

1 Insert your Symantec Control Compliance Suite 9.0 product disc into the disk drive on your computer.

2 In the Symantec Control Compliance Suite DemoShield, click Data Collection. The installation wizard starts and checks for the prerequisites.

3 If any prerequisites are absent, a warning message appears. In the warning message, click Yes to install the missing prerequisites.

4 In the End-User License Agreement panel, read the license agreement and click I accept the terms in the License Agreement to accept the terms of the agreement. Click Next to continue.


5 In the Install Type panel, select the type of installation to perform.
Click RMS Console to install only the RMS Console on your computer. This option adds Consoles to the RMS network that connect to an existing remote Information Server. You must have an existing Information Server to use this option.
Click RMS Console & Information Server to install both the RMS Console and a new Information Server. You must install at least one Information Server.
If your computer does not have access to a product disk drive, contact Symantec Technical Support for assistance.

6 The Licensing panel lets you add licenses to your RMS Console and Information Server. Drag and drop license files into the window, or click Browse to locate the license files. After you add all of the licenses, click Next to continue.

7 In the Feature Selection panel, select the features that you want to install. Only licensed features appear in the list of available features. Click the box next to a feature name to select it. Click Next to continue.

8 In the Target Path panel, specify the folder for the software installation. You can accept the default location, or type a path, or click Browse to select a new location. Click Next to continue.

9 The Prerequisites panel lists the prerequisites for the features that you have selected. Any missing prerequisites are marked with a red X icon. You must manually add the prerequisites before you can complete the installation. The installer can help you to install prerequisites. Click the plus (+) symbol beside a prerequisite with a red X icon to list additional details. Click Install to install the prerequisite. If you install a service such as MSDE, you must start it manually using the Services control panel. When the prerequisite installation is complete, click Refresh to update the prerequisite list. When all prerequisites have a green check icon, click Next to continue with the installation.


10 The Summary panel lists the features to update or install. Click Next to proceed with the installation. If the MSDE or Microsoft SQL Server that the Information Server is assigned to is not properly secured, a Security Alert dialog box appears. See Securing MSDE or the SQL Server on page 43.

11 When the installation is complete, the Finish panel lists the results of the installation. Click Finish to complete the installation and close the Installation Wizard. If you have installed the RMS Console, click Launch RMS Console and then click Finish to start the RMS Console and close the wizard. If no other RMS Console and Information Server have been installed, you must launch and configure the console. See Configuring the RMS data collection infrastructure on page 79.

Securing MSDE or the SQL Server


The RMS Console requires MSDE or Microsoft SQL Server on the Information Server computer to function. To secure your Microsoft SQL Server properly, perform the following steps:

Set the logon mode for your database server to Integrated Security.
Set the Everyone group rights to Read & Execute for the MSDE or Microsoft SQL Server installation directory.
Remove the system stored procedure xp_cmdshell from your master database.
Use the SQL Server Password Setup dialog box that appears during installation to set a password for the database server. You can select Generate random password to have a password created for you, or you can clear this option and enter a password.
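A read-only way to audit the first three steps above on the Information Server computer, as an added example that is not part of the Symantec guide. The instance name and installation directory are placeholder assumptions, and on SQL Server 2005 the script treats a disabled xp_cmdshell server option as meeting the xp_cmdshell step, which is this example's interpretation and not the guide's wording.

```powershell
# Added example, not from the Symantec guide. Read-only: it changes nothing.
# Assumptions: both parameter defaults are placeholders for your environment.
# Written for Windows PowerShell 3.0 or later, run as a Windows Administrator.
param(
    [string]$SqlInstance   = '.\SQLEXPRESS',
    [string]$SqlInstallDir = 'C:\Program Files\Microsoft SQL Server'
)

Add-Type -AssemblyName System.Data

function Get-SqlScalar {
    param($Connection, [string]$Query)
    $cmd = $Connection.CreateCommand()
    $cmd.CommandText = $Query
    return $cmd.ExecuteScalar()
}

function New-Finding {
    param([string]$Step, [bool]$Pass, [string]$Detail)
    return [pscustomobject]@{ Step = $Step; Pass = $Pass; Detail = $Detail }
}

$findings = @()

# Connect with Windows authentication so that no SQL password is handled here.
$conn = New-Object System.Data.SqlClient.SqlConnection
$conn.ConnectionString = "Server=$SqlInstance;Database=master;Integrated Security=SSPI"
$conn.Open()
try {
    # Logon mode: 1 = Windows authentication only, 0 = mixed mode.
    $winOnly = [int](Get-SqlScalar $conn "SELECT CAST(SERVERPROPERTY('IsIntegratedSecurityOnly') AS int)")
    $findings += New-Finding 'Logon mode is Integrated Security' ($winOnly -eq 1) "IsIntegratedSecurityOnly = $winOnly"

    # The major version decides how xp_cmdshell is checked:
    # 8 = MSDE / SQL Server 2000, 9 = SQL Server 2005.
    $version = [string](Get-SqlScalar $conn "SELECT CAST(SERVERPROPERTY('ProductVersion') AS nvarchar(32))")
    $major = [int]($version.Split('.')[0])
    if ($major -ge 9) {
        # SQL Server 2005 and later control the procedure through a server option.
        $inUse = [int](Get-SqlScalar $conn "SELECT CAST(value_in_use AS int) FROM sys.configurations WHERE name = 'xp_cmdshell'")
        $findings += New-Finding 'xp_cmdshell is unavailable' ($inUse -eq 0) "server option value_in_use = $inUse (version $version)"
    }
    else {
        # MSDE / SQL Server 2000: look for the extended procedure in master.
        $count = [int](Get-SqlScalar $conn "SELECT COUNT(*) FROM master.dbo.sysobjects WHERE name = 'xp_cmdshell' AND xtype = 'X'")
        $findings += New-Finding 'xp_cmdshell is unavailable' ($count -eq 0) "xp_cmdshell entries in master = $count (version $version)"
    }
}
finally {
    $conn.Close()
}

# Installation directory: flag any Allow entry for Everyone that grants more than Read & Execute.
$stepName = 'Everyone is limited to Read & Execute'
if (Test-Path -LiteralPath $SqlInstallDir) {
    # S-1-1-0 is the well-known SID of Everyone; translating it copes with localized names.
    $sid = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
    $everyone = $sid.Translate([System.Security.Principal.NTAccount]).Value

    # Read & Execute plus Synchronize, plus the generic read/execute bits
    # (0xA0000000, written in decimal) that inherit-only entries can carry.
    $fsr = [System.Security.AccessControl.FileSystemRights]
    $allowed = ([int]$fsr::ReadAndExecute) -bor ([int]$fsr::Synchronize) -bor (-1610612736)
    $notAllowed = -bnot $allowed

    $excess = @((Get-Acl -LiteralPath $SqlInstallDir).Access | Where-Object {
        $_.IdentityReference.Value -eq $everyone -and
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights) -band $notAllowed) -ne 0
    })

    if ($excess.Count -gt 0) {
        $detail = 'excess rights: ' + (($excess | ForEach-Object { $_.FileSystemRights.ToString() }) -join '; ')
    }
    else {
        $detail = 'no Allow entry for Everyone exceeds Read & Execute'
    }
    $findings += New-Finding $stepName ($excess.Count -eq 0) $detail
}
else {
    $findings += New-Finding $stepName $false "directory not found: $SqlInstallDir"
}

$findings | Format-Table Step, Pass, Detail -AutoSize -Wrap
```

The database server password set in the SQL Server Password Setup dialog box is not something this script can inspect, so that step still needs a manual check.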

Upgrading the data collection infrastructure


The RMS Console, the Information Server, and one or more associated bv-Control snap-in modules, make up the Control Compliance Suite data collection infrastructure. After you review the pre-installation requirements, you can use the Install panel to upgrade your infrastructure products. The Install panel appears automatically when you insert the Symantec Control Compliance Suite 9.0 product disc.

Before you upgrade the data collection infrastructure, review the Release Notes files for the RMS Console and Information Server. You can also review the Release Notes of any bv-Control products that you upgrade.

You can use Terminal Services or Remote Desktop Connection to upgrade the RMS Console and Information Server on a remote computer. If you do so, the installer cannot be located on a mapped drive. You must upgrade your existing installation to version 8.60 with the June 2008 Update before you begin the upgrade to version 9.0. During the upgrade, the installer places the new Control Compliance Suite data collection infrastructure components in the same location as your existing components.

To upgrade data collection infrastructure products

1 Insert your Symantec Control Compliance Suite 9.0 product disc into the disk drive on your computer.

2 In the Symantec Control Compliance Suite 9.0 panel, click Data Collection.

3 In the Data Collection panel, click Data Collection. The Installation Wizard starts and checks for prerequisites.

4 If any prerequisites are absent, a warning message appears. In the warning message, click Yes to install the missing prerequisites.

5 In the End-User License Agreement panel, read the license agreement and click I accept the terms in the License Agreement to accept the terms of the agreement. Click Next to continue.

6 The Licensing panel lets you add licenses to your RMS Console and Information Server. Drag and drop license files into the window, or click Browse to locate the license files. After you add all the licenses, click Next to continue.

7 In the Upgrade panel, select the installed bv-Control products to upgrade. Click an item's name for more information about the item. Click Next to continue.

8 In the Add Features panel, select any new features to add to the existing installation. Only licensed features appear in the list of available features. Click the box beside a feature's name to select it. Click Next to continue.


9 The Prerequisites panel lists the prerequisites for the features that you have selected. Any missing prerequisites are marked with a red X icon. You must manually add the prerequisites before you can complete the installation. The installer can install some prerequisites. Click the plus (+) symbol beside a prerequisite with a red X icon to list additional details and click Install to install the prerequisite. If you install a service such as MSDE, you must start it manually using the Services control panel. When the prerequisite installation is complete, click Refresh to update the prerequisite list. When all prerequisites have a green check icon, click Next to continue with the installation.

10 The Summary panel lists the features to update or to install. Click Next to proceed with the installation. If the MSDE or Microsoft SQL Server that the Information Server is assigned to is not properly secured, then a Security Alert dialog box appears. See Securing MSDE or the SQL Server on page 43.

11 When the installation is complete, the Finish panel lists the results of the installation. Click Finish to complete the installation and close the Installation Wizard. If you upgraded an RMS Console, click Launch RMS Console and click Finish to start the RMS Console and close the wizard. If no other RMS Console and Information Server have been installed, you should launch and configure the Console now.

Installing the Control Compliance Suite components in a single setup mode


Installation of the Control Compliance Suite components on a single computer is recommended for demonstration purposes only. To install the components in a single setup mode, you must ensure that your computer meets the recommended system requirements.

Note: You must enable delegation in the domain controller to establish secure communication between the components. You must enable the delegation for the user account in whose context the CCS Application Server and the CCS Console is launched. You must check the option, Account is trusted for delegation for the user account of the domain controller.

Do the following to install the components in a single setup mode:

Launch the Installation Wizard. See To launch the Symantec Control Compliance Suite 9.0- Reporting and Analytics Installation Wizard on page 46.
Install the product on a single computer. See To install Control Compliance Suite on a single computer on page 46.
Provide details to install components and databases. See To provide details for installing the components and databases on page 47.

To launch the Symantec Control Compliance Suite 9.0- Reporting and Analytics Installation Wizard

1 Insert the CCS 9.0 product disc into the drive on your computer and then click Setup.exe. The Setup.exe is located inside the InstallSet folder of the media structure.

2 In the DemoShield, click Reporting and Analytics. You can find the splash screen, which displays the list of prerequisites that are required for the product installation. The setup installs the listed prerequisites such as .NET framework. See Prerequisites for installing the product components on page 25.

To install Control Compliance Suite on a single computer

1 In the Welcome panel of the launched Symantec Control Compliance Suite 9.0- Reporting and Analytics Installation Wizard, read and select the license agreement and then click Next.

2 In the Installation Modes panel, select all the product components for installation and then click Next.

3 In the Component Selection panel, select the components from the list and then click Next. By default, all the components are selected. If you do not want any component that is listed under the Application Server, then you can uncheck the selection. The Directory Support Service, Application Server, and the Data Processing Service are mandatory components for installation.

4 In the Licensing panel, click Add Licenses to add licenses for the components that require mandatory licenses to install. See About licensing of the product components on page 38.

5 Click Next.

6 In the Prerequisites panel, review the prerequisites that are required for the installation. Install any prerequisite application that is required to be installed. Click Check again to verify whether the installation is successful.

7 In the Installation Path panel, review the target path for the Control Compliance Suite installation, and click Next. Click Browse to specify a different installation path to install the product.

To provide details for installing the components and databases

1 In the launched Symantec Control Compliance Suite 9.0- Reporting and Analytics Installation Wizard, perform steps 1 to 7.

2 In the Certificate Information panel, enter the required values in the text boxes and click Next. The fields of the Certificate Information panel and their descriptions are as follows:
Organization: Enter the name of your organization.
Division: Enter the division to which your organization belongs.
City: Enter the name of the city of your organization.
State/Province: Enter the name of the state or province to which the city belongs.
Country: Enter the name of the country. The country code must consist of two alphabetic characters.
Expire in: Select the expiration time period of the root certificate.
Password: Enter the password to authenticate the certificate.
Re-type password: Re-authenticate the password that you have typed.


3 In the CCS Directory Server - User Account and Port Information panel, enter the requisite values in the text boxes and click Next. The fields of the CCS Directory Server - User Account and Port Information panel and their descriptions are as follows:
User name: Enter the user name in whose context the Management Services is run on the computer.
Password: Enter the password that authenticates the specified user account.
LDAP port number: Enter the LDAP port number of the computer that hosts the CCS Directory Server. By default, the CCS Directory Server connects with the CCS Application Server through the port, 3890.
SSL port number: Enter the SSL port number of the computer that hosts the CCS Directory Server. By default, the CCS Directory Server connects with the CCS Application Server through the SSL port, 6360.

When you install the CCS Directory Server on a domain controller or on any other computer on which the Active Directory is installed, change the default port numbers. The recommended port number for LDAP is 50000 and for SSL is 50001.

4 In the Application Server- User Account Information panel, enter the required values in the text boxes and click Next. See About using special characters in credentials on page 75. The fields of the Application Server- User Account Information panel and their descriptions are as follows:
User name: Enter the user name in whose context the Application Server Service is run on the computer.
Password: Enter the password that authenticates the specified user account.

5 In the Application Server- SQL Server Information panel, enter the required values in the text boxes and click Next. The SQL server is used to create the production database for the CCS Application Server. The production database stores the queried data. The fields of the Application Server- SQL Server Information panel and their descriptions are as follows:
SQL Server: Enter the computer name that hosts the SQL server.
Instance name: Enter the SQL server instance name. By default, the configured SQL instance that is created on the computer appears in the text box.
Port number: Enter the port number of the computer that hosts the SQL server. By default, CCS Application Server connects through the port, 1433 of the SQL server computer.
Use SSL: Check this option if your computer that hosts the SQL server is SSL enabled for communication. If you use SSL connections, you must configure them before you install the Control Compliance Suite. Refer to the Microsoft SQL Server documentation (http://support.microsoft.com/kb/316898) for information about configuring SSL connections.
Use existing empty database: Check this option if you want to use the CSM_DB database if that is already created and is empty. By default, the setup creates a production database, CSM_DB on the computer, which is empty. Even if a single record exists in the database, then you cannot use this option.
Use Windows NT Integrated Security: Select this option if you have installed the SQL server in the Windows NT user context.
Use a SQL user name and password: Select this option if you have installed the SQL server in a different user context. You must specify the authentication details of the user in the respective text boxes.
Use the same configuration for: Check either or both the options if you want to replicate the same configuration for the Reporting and the SSIS databases. The options are as follows:
    SSIS database and server settings
    Reporting Server and database settings
On checking either or both the options, the corresponding panels do not appear when you click Next. For example, if you check against SSIS database and server settings option, then the setup skips the SSIS-SQL Server Information panel.


6 In the Reporting Server-SQL Server Information panel, enter the requisite values in the text boxes and click Next. The SQL server information is used to create the reporting database for the Reporting Server. The reporting database is used to store the reports that are generated for the evaluated data. The fields of the Reporting Server- SQL Server Information panel and their descriptions are as follows:
SQL Server: Enter the computer name that hosts the SQL server.
Instance name: Enter the SQL server instance name. By default, the configured SQL instance that is created on the computer appears in the text box.
Port number: Enter the port number of the computer that hosts the SQL server. By default, CCS Application Server connects through the port, 1433 of the SQL server computer.
Use SSL: Check this option if your computer that hosts the SQL server is SSL enabled for communication. If you use SSL connections, you must configure them before you install the Control Compliance Suite. Refer to the Microsoft SQL Server documentation (http://support.microsoft.com/kb/316898) for information about configuring SSL connections.
Use existing empty database: Check this option if you want to reuse the existing database. By default, the setup creates a production database, CSM_DB on the computer. You must ensure that the database is created and empty before you check the option.
Use Windows NT Integrated Security: Select this option if you have installed the SQL server in the Windows NT user context.
Use a SQL user name and password: Select this option if you have installed the SQL server in a different user context. You must specify the authentication details of the user in the respective text boxes.
Use the same configuration for: Check the option, SSIS database and server settings if you want to replicate the same configuration for the SSIS database. On checking the option, the panel, SSIS -SQL Server Information does not appear on clicking Next.


7 In the SSIS-SQL Server Information panel, enter the requisite values in the text boxes and click Next. The SQL Server Integration Service (SSIS) information is used to create the SSIS database. The production database uses the information for reporting purposes. The information that is provided on this panel is used to connect to the msdb and deploy SSIS packages and SQL agent jobs. The fields of the SSIS- SQL Server Information panel and their descriptions are as follows:
SQL Server: Enter the computer name that hosts the SQL server.
Instance name: Enter the SQL server instance name. By default, the configured SQL instance that is created on the computer appears in the text box.
Port number: Enter the port number of the computer that hosts the SQL server. By default, CCS Application Server connects through the port, 1433 of the SQL server computer.
Use SSL: Check this option if your computer that hosts the SQL server is SSL enabled for communication. If you use SSL connections, you must configure them before you install the Control Compliance Suite. Refer to the Microsoft SQL Server documentation (http://support.microsoft.com/kb/316898) for information about configuring SSL connections.
Use Windows NT Integrated Security: Select this option if you have installed the SQL server in the Windows NT user context.
Use a SQL user name and password: Select this option if you have installed the SQL server in a different user context. You must specify the authentication details of the user in the respective text boxes.


8 In the Data Processing Service - Port Information panel, enter the Server port number and click Next. By default, the computer that hosts the Data Processing Service communicates through the port, 3993. If your computer is configured to run in the native Windows Server 2003 domain mode, then the Application Server - Security Settings for Scheduled Jobs panel appears. You can refer to the next step for the panel details. If your computer is configured to run in any mixed domain, then you can skip the next step.

9 In the Application Server - Pass Phrase panel, enter the pass phrase and click Next. The pass phrase is used to generate a symmetric key for encrypting or decrypting sensitive data such as, passwords and connection details. You must remember the pass phrase for future reference.

10 In the Summary panel, review the installation details and click Install. The Installation Progress panel indicates the progress of the component installation. After the installation finishes, the last panel of the wizard appears.

11 In the Installation Complete panel, click Finish.
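The default listening ports named in the panels above (3890, 6360 and 3993), and the advice to move the LDAP and SSL ports to 50000 and 50001 on a domain controller, can be checked on the target computer before the wizard is run. The script below is an added example, not part of the Symantec guide; the function name is hypothetical, and the domain controller test through the Win32_ComputerSystem DomainRole value is this example's assumption (it does not detect other computers on which Active Directory is installed).

```powershell
# Added example, not from the Symantec guide. Read-only pre-installation check.
# The ports are the defaults named in the panels above; edit $plan if you chose others.
$plan = @(
    [pscustomobject]@{ Component = 'CCS Directory Server LDAP'; Port = 3890 },
    [pscustomobject]@{ Component = 'CCS Directory Server SSL';  Port = 6360 },
    [pscustomobject]@{ Component = 'Data Processing Service';   Port = 3993 }
)

# Hypothetical helper: returns one result row per planned port.
function Test-CcsPortPlan {
    param(
        [object[]]$Plan,
        [int[]]$ListeningPorts,
        [bool]$IsDomainController
    )

    # Ports that appear more than once in the plan.
    $duplicates = @($Plan | Group-Object Port |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object { [int]$_.Name })

    foreach ($entry in $Plan) {
        $problems = @()
        if ($entry.Port -lt 1 -or $entry.Port -gt 65535) {
            $problems += 'outside the range 1-65535'
        }
        if ($duplicates -contains $entry.Port) {
            $problems += 'assigned to more than one component'
        }
        if ($ListeningPorts -contains $entry.Port) {
            $problems += 'already has a TCP listener on this host'
        }
        if ($IsDomainController -and ((3890, 6360) -contains $entry.Port)) {
            $problems += 'default port on a domain controller; the guide recommends 50000 (LDAP) and 50001 (SSL)'
        }
        [pscustomobject]@{
            Component = $entry.Component
            Port      = $entry.Port
            Ready     = ($problems.Count -eq 0)
            Problems  = ($problems -join '; ')
        }
    }
}

# TCP ports that already have a listener on this computer.
$listening = @([System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties().GetActiveTcpListeners() |
    ForEach-Object { $_.Port } | Sort-Object -Unique)

# DomainRole 4 and 5 are the backup and primary domain controller roles.
$isDc = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -ge 4

Test-CcsPortPlan -Plan $plan -ListeningPorts $listening -IsDomainController $isDc |
    Format-Table Component, Port, Ready, Problems -AutoSize -Wrap
```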

Installing the Control Compliance Suite components in a distributed setup mode


You can install the Control Compliance Suite components in a distributed setup mode on different computers. Installation of the components in the distributed mode is conducive to load sharing and provides better scalability. Before you start the installation of the distributed components, you must know about the user privileges in whose context the components are installed. See User Privileges for installing the components on page 30.

The main components that can be installed in a distributed mode are as follows:

CCS Directory Server
CCS Application Server
Data Processing Service

For a distributed installation, you can install one CCS Directory Server and one CCS Application Server component only. The distributed setup mode involves installation of the CCS Directory Server, the CCS Application Server and one or more Data Processing Service (DPS) components. The components are installed on different computers. The DPS can be configured with different roles such as data collector, data evaluator, reporter, and load balancer. You can install and configure multiple DPS with various roles in the distributed infrastructure of Control Compliance Suite.

Installing the CCS Directory Server


The CCS Directory Server is the main component of Control Compliance Suite. The component comprises the Directory Support Service (DSS), the Management Services and the Certificate Management Console (CMC). The component uses the CCS directory to store the user rights and permissions, the asset information, and the jobs and schedules.

The CMC is a tool that is installed along with the CCS Directory Server component. The tool is used to create the certificates that are based on the root certificate information. The root certificate is created through the Symantec Control Compliance Suite 9.0- Reporting and Analytics Installation Wizard. You must use the CMC tool to create the certificates, which are required by the other installed components. The distributed components use the certificates to communicate with the DSS. See Creating a DPS or an Application Server certificate on page 59.

Note: For a distributed setup, you must install the CCS Directory Server component first before you proceed with the installation of the other components.

Do the following to install the CCS Directory Server component:

Launch the Installation Wizard. See To launch the Installation Wizard on page 55.
Install the CCS Directory Server. See To install the CCS Directory Server on page 56.

To launch the Installation Wizard

1 Insert the Symantec Control Compliance Suite 9.0 product disc into the drive on your computer and click Setup.exe. The Setup.exe is located inside the InstallSet folder of the media structure.

2 In the DemoShield, click Reporting and Analytics. You can find the splash screen, which displays the list of prerequisites that are required for the product installation. The setup installs the listed prerequisites such as .NET framework and so on. See Prerequisites for installing the product components on page 25.

To install the CCS Directory Server

1 In the Welcome panel of the launched Symantec Control Compliance Suite 9.0- Reporting and Analytics Installation Wizard, read and select the license agreement and then click Next.

2 In the Installation Modes panel, select CCS Directory Server and then click Next.

3 In the Selected Component Information panel, read the information displayed in the panel and then click Next.

4 In the Component Selection panel, check Directory Support Service and then click Next. The services and the components that the CCS Directory Server installs and the descriptions are as follows:
Directory Support Service: Uses the CCS Directory to store business objects such as asset information and job definitions. It also works with the CCS Directory to check the user rights and preferences on the directory objects. It comprises the Management Services and the Certificate Management Console.
Management Services: The root certificate authority service that generates, manages, and signs certificates for the Control Compliance Suite components. This service is installed on the computer in which the Directory Support Service is installed.
SymCert: Stores and manages the certificates in the local computer. This utility is installed with every CCS component and can be run from a command line on any component workstation.

5 In the Licensing panel, click Add Licenses to add licenses for the Directory Support Service. See About licensing of the product components on page 38.

6 Click Next.


7 In the Prerequisites panel, review the prerequisites that are required for the installation. Install any prerequisite application that is required to be installed. Click Check Again to verify whether the installation is successful. Click Next.

8 In the Installation Path panel, review the target path for the Control Compliance Suite installation and then click Next. Click Browse to specify a different installation path to install the product.

9 In the Certificate Information panel, enter the required values to create the root certificate in the text boxes and then click Next. The fields of the Certificate Information panel and their descriptions are as follows:
Organization: Enter the name of your organization.
Division: Enter the division to which your organization belongs.
City: Enter the name of the city of your organization.
State/Province: Enter the name of the state or province to which the city belongs.
Country: Enter the name of the country. The country code must consist of two alphabetic characters.
Expire in: Select the expiration time period of the root certificate.
Password: Enter the password to authenticate the certificate.
Re-type password: Re-authenticate the password that you have typed.

See About the root security certificate on page 29.

10 In the CCS Directory Server - User Account and Port Information panel, enter the required values in the text boxes and then click Next. The fields of the CCS Directory Server - User Account and Port Information panel and their descriptions are as follows:
User name: Enter the user name in whose context the Management Services is run on the computer.
Password: Enter the password that authenticates the specified user account.
Directory Support Service port number: Enter the port number of the Directory Support Service, which runs on the computer that hosts the CCS Directory Server. By default, the Directory Support Service connects through the port, 12467.
Management Services port number: Enter the port number of the Management Services, which runs on the computer that hosts the CCS Directory Server. By default, the Management Services connects through the port, 12468.

11 In the CCS Directory - CCS Directory Port Information panel, enter the required values in the text boxes and then click Next.

LDAP port number: Enter the LDAP port number of the computer that hosts the CCS Directory Server. By default, the CCS Directory Server connects with the CCS Application Server through port 3890.
SSL port number: Enter the SSL port number of the computer that hosts the CCS Directory Server. By default, the CCS Directory Server connects with the CCS Application Server through SSL port 6360.

12 In the Management Services- Pass Phrase panel, enter the pass phrase and then click Next. You must remember the pass phrase so you can use it to uninstall the product from a different user context.

13 In the Summary panel, review the installation details and then click Install. The Installation Progress panel indicates the progress of the component installation. After the installation completes, the last panel of the wizard appears.

14 In the Installation Complete panel, click Finish.


After you install the Directory Support Service you need to create certificates to distribute them to the other components for communication. The certificates are created using the CMC tool, which is installed on the CCS Directory Server computer. See Creating a DPS or an Application Server certificate on page 59.

Creating a DPS or an Application Server certificate


You create the certificate that is based on the service type. You should verify that the service type that you select creates the appropriate certificate. You can create certificates for either the Data Processing Service (DPS) or Application Server.

When the certificate file is created, the file name uses the service name and the host name of the certificate. You cannot use the comma character in the certificate file name. The certificate file is created with a .p12 extension.

You can create multiple certificates. Certain property items are used as the default information from the previous certificate, but all of the items can be edited. Every item in the Create Certificates dialog box is required. The information that you provide in the certificate is not validated. You should verify that the information is accurate.

You must have local administrator rights to create a certificate and you must be a CCS administrator and know the root certificate password. You are not prompted for a root certificate password if the following events have occurred:

You have recently opened the Certificate Management console
You are logged on in the context of the user who installed the system

You can find a list of the country codes at: http://www.iso.org/iso/country_codes/iso_3166_code_lists/english_country_names_and_code_elements.htm

The Certificate Management console fails to create certificates on a Microsoft Windows Server 2008 unless the console is run as the administrator.

To create a DPS or an Application Server certificate

1 Click Start > All Programs > Symantec Control Compliance, and select Certificate Management Console.

2 You may be prompted to provide the Root Certificate Password. The Root Certificate password is created during installation.

3 Click OK.

4 In the Certificate Management Console toolbar, click Create Certificates.


5 In the Create Certificate dialog box, in the Service Type area, do one of the following:

Click AppServer
Click DPS

The default selection is DPS.

6 In the Expired In box, select the number of years. The default value is 25.

7 In the Organization box, provide a name. You can change the default name during certificate creation.

8 In the Division box, provide a name. You can change the default name during certificate creation.

9 In the City box, provide a name. You can change the default name during certificate creation.

10 In the State/Province box, provide a name. You can change the default name during certificate creation.

11 In the Country box, provide a name. You can change the default code during certificate creation.

12 In the NetBIOS Name box, provide the name. The NetBIOS Name must be less than 15 bytes in length.

13 In the FQDN box, provide the name.

14 In the IP Address box, provide the information.

15 Click the (+) plus icon to add multiple TCP/IP addresses, if needed.

16 In the Destination folder box, provide the location for the saved certificate file. You can browse to select the location.

17 In the Password box, type a password.

18 In the Retype Password box, type the same password to confirm the spelling.

19 Click Create Certificate.

20 In the Success message box, click OK.

21 In the Create Certificate message box, click Yes to create another certificate, if needed.
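Because the console does not validate what is typed and carries defaults over from the previous certificate, a planned batch of certificates can be checked before it is entered. The following is an added example, not part of the Symantec guide or product: the CertRequest structure, the function names and the sample hosts are assumptions, and it checks only the rules stated above plus basic FQDN and IP address syntax.

```python
import ipaddress
import re
from dataclasses import dataclass, fields

SERVICE_TYPES = ("DPS", "AppServer")          # the two Service Type choices
LABEL = re.compile(r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?")


@dataclass
class CertRequest:
    """Planned input for one run of the Create Certificate dialog (hypothetical structure)."""
    service_type: str
    expire_years: int
    organization: str
    division: str
    city: str
    state: str
    country: str
    netbios_name: str
    fqdn: str
    ip_addresses: list
    destination: str
    password: str
    retype_password: str


def validate(req):
    """Return a list of problems for one request; an empty list means it passes."""
    problems = []
    for f in fields(req):                      # every item in the dialog is required
        if getattr(req, f.name) in ("", None, []):
            problems.append(f"{f.name}: required")
    if req.service_type not in SERVICE_TYPES:
        problems.append("service_type: must be DPS or AppServer")
    if not isinstance(req.expire_years, int) or req.expire_years < 1:
        problems.append("expire_years: must be a whole number of years")
    if not re.fullmatch(r"[A-Za-z]{2}", req.country):
        problems.append("country: must be exactly two alphabetic characters")
    # Assumption: byte length is measured on the UTF-8 encoding of the name.
    if len(req.netbios_name.encode("utf-8")) >= 15:
        problems.append("netbios_name: must be less than 15 bytes")
    # The file name is built from the service and host name, so no commas there.
    for name in ("netbios_name", "fqdn"):
        if "," in getattr(req, name):
            problems.append(f"{name}: comma is not allowed in the certificate file name")
    labels = req.fqdn.split(".")
    if len(labels) < 2 or not all(LABEL.fullmatch(label) for label in labels):
        problems.append("fqdn: not a well-formed fully qualified name")
    for ip in req.ip_addresses:
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            problems.append(f"ip_addresses: {ip!r} is not a valid address")
    if req.password != req.retype_password:    # never echo the values themselves
        problems.append("password: the two entries differ")
    return problems


def find_carried_over(requests):
    """Flag a host identity reused within one service type (a stale default).

    Returns tuples (index, field, value, index_of_first_use).
    """
    seen, findings = {}, []
    for index, req in enumerate(requests):
        identity = [("netbios_name", req.netbios_name.upper()),
                    ("fqdn", req.fqdn.lower())]
        identity += [("ip", ip) for ip in req.ip_addresses]
        for kind, value in identity:
            key = (req.service_type, kind, value)
            if key in seen:
                findings.append((index, kind, value, seen[key]))
            else:
                seen[key] = index
    return findings


def sample_requests():
    """Constructed sample data: one clean request, one stale FQDN, one broken request."""
    base = dict(expire_years=25, organization="Example Corp", division="IT Security",
                city="Springfield", state="IL", country="US", destination=r"C:\certs",
                password="placeholder", retype_password="placeholder")
    good = CertRequest(service_type="DPS", netbios_name="DPS01",
                       fqdn="dps01.example.test", ip_addresses=["192.0.2.10"], **base)
    stale = CertRequest(service_type="DPS", netbios_name="DPS02",
                        fqdn="dps01.example.test", ip_addresses=["192.0.2.11"], **base)
    bad = CertRequest(service_type="AppServer", netbios_name="APPSERVER-PROD-01",
                      fqdn="app,01.example.test", ip_addresses=["192.0.2.300"],
                      **{**base, "country": "USA", "retype_password": "placehodler"})
    return [good, stale, bad]


if __name__ == "__main__":
    batch = sample_requests()
    for number, request in enumerate(batch):
        print(number, validate(request) or "ok")
    print("carried over:", find_carried_over(batch))
```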


Installing the CCS Application Server


The CCS Application Server component can be designated to be the kernel of the Control Compliance Suite infrastructure. The component interacts with the users through the console and manages data storage in the CCS Directory. The component also schedules jobs and workflow in the production database.

The CCS Application Server requires certificates to communicate with the Directory Support Service of the CCS Directory Server. The Certificate Management Console that is installed on the CCS Directory Server computer creates the certificates.

Note: You need to enable delegation in the domain controller to establish secure communication between the components. The delegation must be enabled for the user account in whose context the CCS Application Server and the CCS Console is launched. You must check the option, Account is trusted for delegation for the user account of the domain controller.

You must ensure that only one CCS Application Server is installed for a Control Compliance Suite installation.

Do the following to install the CCS Application Server component:

Launch the Installation Wizard. See To launch the Installation Wizard on page 61.
Install the CCS Application Server. See To install the CCS Application Server on page 61.

To launch the Installation Wizard

1 Insert the Symantec Control Compliance Suite 9.0 product disc into the disk drive on your computer and then click Setup.exe. The Setup.exe is located inside the InstallSet folder of the media structure.

2 In the DemoShield, click Reporting and Analytics. You can find the splash screen, which displays the list of prerequisites that are required for the product installation. The setup installs the listed prerequisites such as .NET framework and so on. See Prerequisites for installing the product components on page 25.

To install the CCS Application Server

1 In the Welcome panel of the launched Symantec Control Compliance Suite 9.0- Reporting and Analytics Installation Wizard, read and select the license agreement and click Next.

2 In the Installation Modes panel, select CCS Application Server and click Next.


3 In the Selected Component Information panel, read the information displayed in the panel and click Next.

4 In the Component Selection panel, check Application Server and click Next. The components that the Application Server comprises and their descriptions are as follows:

Application Server: Manages the data storage and the workflow of production database. It comprises the Technical Standards Pack (TSP).

Technical Standards Pack (TSP): Represents the security and configuration best practices for various operating systems and applications. The TSPs for the various operating systems and the applications are as follows:
Windows Technical Standards Pack
UNIX Technical Standards Pack
Oracle Technical Standards Pack
SQL Technical Standards Pack
ESM Technical Standards Pack

Regulations and Frameworks Pack: Lists the regulations and frameworks that Control Compliance Suite supports. Regulations are published government mandates such as HIPAA, Sarbanes-Oxley, or GLBA. These regulations describe the business functions and the security functions. The list of regulations that are supported are as follows:
FDA FISMA GLBA HIPAA Identity Theft Red Flags FDIC Sarbanes-Oxley
Frameworks are published best practices, which describe the implementation details. For example, a framework can describe a password policy that must contain entries for length, complexity, and rotation. The list of frameworks that are supported are as follows:
CobiT
ISO
NERC
NIST
PCI
SB1386
J-SOX

SymCert: Stores and manages the certificates in the local computer. This utility is installed with every CCS component and can be run from a command line on any component workstation.

5 In the Licensing panel, click Add Licenses to add licenses for the Directory Support Service. See About licensing of the product components on page 38.

6 Click Next.

7 In the Prerequisites panel, review the prerequisites that are required for the installation. Install any prerequisite application that is required to be installed. Click Check Again to verify whether the installation is successful.

8 Click Next.

9 In the Installation Path panel, review the target path for the Control Compliance Suite installation and click Next. Click Browse to specify a different installation path to install the product.

10 In the Application Server - CCS Directory Server Information panel, enter the required values in the text boxes and click Next. The fields of the Application Server- CCS Directory Server Information panel and their descriptions are as follows:

Computer name: Enter the computer name on which the CCS Directory Server is installed. Specify the fully-qualified domain name (FQDN) of the computer on which the CCS Directory Server is installed.
User name: Enter the user name in which context the CCS Directory Server is installed.
Password: Enter the password for authenticating the user account of the CCS Directory Server installation.
Port number: Enter the port number through which the CCS Directory Server listens. The CCS Application Server requires the port number for communication.

11 In the CCS Application Server - User Account and Port Information panel, enter the required values in the text boxes and click Next. See About using special characters in credentials on page 75. The fields of the CCS Application Server - User Account and Port Information panel and their descriptions are as follows:

User name: Enter the user name in which context the Application Server Service runs on the computer. The user account must be a domain user account with read or write access on the SQL Server CSM_DB. The account must also be set as trusted for delegation.
Password: Enter the password for the user account. Note: The password must not contain double quotes. The CCS Application Server fails to install if the password contains double quotes.
Application Server port number: Enter the port number through which the Application Server listens. By default, the port number is 1431.

12 In the Application Server- SQL Server Information panel, enter the required values in the text boxes and then click Next. The SQL server is used to create the production database for the CCS Application Server. The production database stores the queried data. The production database must be configured to use Windows authentication. The fields of the Application Server- SQL Server Information panel and their descriptions are as follows:

SQL Server: Enter the computer name that hosts the SQL server.
Instance name: Enter the SQL server instance name. By default, the configured SQL instance that is created on the computer appears in the text box.
Port number: Enter the port number of the computer that hosts the SQL server. By default, CCS Application Server connects through port 1433 of the SQL server computer.
Use SSL: Check this option if your computer that hosts the SQL server is SSL enabled for communication. If you use SSL connections, you must configure them before you install the Control Compliance Suite. Refer to the Microsoft SQL Server documentation (http://support.microsoft.com/kb/316898) for information about configuring SSL connections.
Use existing empty database: Check this option if you want to reuse the existing database. By default, the setup creates a production database, CSM_DB on the computer. You must ensure that the database is created and empty before you check the option.
Use Windows NT Integrated Security: Select this option if you have installed the SQL server in the Windows NT user context.
Use a SQL user name and password: Select this option if you have installed the SQL server in a different user context. You must specify the authentication details of the user in the respective text boxes.
Use the same configuration for: Check either or both the options if you want to replicate the same configuration for the Reporting and the SSIS databases. The options are as follows:
SSIS database and server settings
Reporting Server and database settings
On checking either or both the options, the corresponding panels do not appear on clicking Next. For example, if you check the SSIS database and server settings option, then the setup skips the SSIS-SQL Server Information panel.

13 In the Reporting Server-SQL Server Information panel, enter the required values in the text boxes and click Next. The SQL server information is used to create the reporting database for the Reporting Server. The reporting database stores the evaluated data that is used for generating reports. The reporting database must be configured to use SQL authentication. If you do not want to use SQL authentication, then do the following:

Set the authentication to Windows authentication.
After the installation is complete, set the user context for the Data Processing Service that is configured in a reporting role.

The fields of the Reporting Server- SQL Server Information panel and their descriptions are as follows:

SQL Server: Enter the computer name that hosts the SQL server.
Instance name: Enter the SQL server instance name. By default, the configured SQL instance that is created on the computer appears in the text box.
Port number: Enter the port number of the computer that hosts the SQL server. By default, CCS Application Server connects through port 1433 of the SQL server computer.
Use SSL: Check this option if your computer that hosts the SQL server is SSL enabled for communication.
Use existing empty database: Check this option if you want to reuse the existing database. By default, the setup creates a reporting database, CSM_Reports on the computer. You must ensure that the database is created and empty before you check the option.
Use Windows NT Integrated Security: Select this option if you have installed the SQL server in the Windows NT user context.
Use a SQL user name and password: Select this option if you have installed the SQL server in a different user context. You must specify the authentication details of the user in the respective text boxes.
Use the same configuration for: Check the option, SSIS database and server settings if you want to replicate the same configuration for the SSIS database. On checking the option, SSIS-SQL Server Information does not appear on clicking Next.

14 In the SSIS-SQL Server Information panel, enter the required values in the text boxes and then click Next. The SQL Server Integration Service (SSIS) information is used for the reporting purpose. The information is used to connect to the msdb database and deploy SSIS packages and SQL agent jobs. The fields of the SSIS- SQL Server Information panel and their descriptions are as follows:

SQL Server: Enter the computer name that hosts the SQL server.
Instance name: Enter the SQL server instance name. By default, the configured SQL instance that is created on the computer appears in the text box.
Port number: Enter the port number of the computer that hosts the SQL server. By default, CCS Application Server connects through port 1433 of the SQL server computer.
Use SSL: Check this option if your computer that hosts the SQL server is SSL enabled for communication.
Use Windows NT Integrated Security: Select this option if you have installed the SQL server in the Windows NT user context.
Use a SQL user name and password: Select this option if you have installed the SQL server in a different user context. You must specify the authentication details of the user in the respective text boxes.

If your computer is configured to run in the native Windows 2003 domain mode, then the Application Server - Security Settings for Scheduled Jobs panel appears. You can refer to the next step for the panel details. If your computer is configured to run in any mixed domain, then you can skip the next step.

15 In the Application Server - Pass Phrase panel, enter the pass phrase, confirm the pass phrase, and click Next. The pass phrase is used to generate a symmetric key for encrypting or decrypting sensitive data such as passwords and connection details. You must remember the pass phrase for future reference.

16 In the Certificate Information - Local Installation panel, browse to retrieve the security certificate and then click Next. The security certificate is created through the Certificate Management Console.

17 In the Summary panel, review the installation details and then click Install. The Installation Progress panel indicates the progress of the component installation. After the installation completes, the last panel of the wizard appears.

18 In the Installation Complete panel, click Finish.

Installing the Data Processing Service


The installation of the Data Processing Service (DPS) instance is of paramount importance for collecting data and reporting to the Control Compliance Suite infrastructure. The component also plays roles of a load balancer and data evaluator. The data collector collects the data that is evaluated for the standards by the data evaluator. The collected data is stored in a SQL database where it can be further evaluated and reported against the standards. The reporter generates reports of the collected data and displays them in the console. The load balancer routes the data collection and the data evaluation jobs evenly to the configured data collectors and data evaluators respectively.


Note: DPS cannot be installed simultaneously along with the installation of the Application Server on the same computer. The component can be installed only after the Application Server installation completes. After DPS installation is complete, you must configure the Control Compliance Suite.

Note: For the ESM application, if the ESM Manager is installed on the Windows computer, then you can also install the DPS on that computer. You must ensure that the computer meets the hardware and software requirements for installing the ESM Manager and the DPS.

To install the Data Processing Service component

1 Insert the Symantec Control Compliance Suite 9.0 product disc into the disk drive on your computer and then click Setup.exe. The Setup.exe is located inside the InstallSet folder of the media structure.

2 In the DemoShield, click Reporting and Analytics. You can find the splash screen, which displays the list of prerequisites that are required for the product installation. The setup installs the listed prerequisites such as .NET framework and so on. See Prerequisites for installing the product components on page 25.

3 In the Welcome panel of the launched Symantec Control Compliance Suite 9.0- Reporting and Analytics Installation Wizard, read and select the license agreement and then click Next.

4 In the Installation Modes panel, select CCS Additional Services and then click Next.

5 In the Selected Component Information panel, read the information displayed in the panel and then click Next.

6 In the Component Selection panel, select Data Processing Service from the list and then click Next.

7 In the Prerequisites panel, review the prerequisites that are required for the installation. Install any prerequisite application that is required to be installed. Click Check Again to verify whether the installation is successful. You must install Crystal Reports 2008 only on the DPS computer that is to be configured with the role of a reporter. If you fail to install Crystal Reports 2008, then you can manually install the software, CrystalReportsDotNet.MSI from the <installation directory>/Symantec/CCS/Reporting and Analytics/Application Server/REDIST folder of the CCS Application Server. You can also install CrystalReportsDotNet.MSI from the product disc folder, CCS_Reporting\Redist.

8 Click Next.

9 In the Installation Path panel, review the target path for the component installation and click Next. Click Browse to specify a different installation path to install the product.

10 In the Certificate Information - Local Installation panel, browse to retrieve the security certificate and then click Next. The security certificate is created through the Certificate Management Console.

11 In the Data Processing Service - Port Information panel, enter the Server port number and then click Next. By default, the computer that hosts the Data Processing Service communicates through port 3993.

12 In the Summary panel, review the installation details and then click Install. The Installation Progress panel indicates the progress of the component installation. After the installation completes, the last panel of the wizard appears.

13 In the Installation Complete panel, click Finish.

Installing the Web Portal


The Control Compliance Suite Web Portal server is hosted by a computer that also hosts the Microsoft Internet Information Server (IIS). The Web Portal lets you access the Policy Manager and the Response Assessment module of Control Compliance Suite. The Control Compliance Suite Web Portal lets you do the following:


Distribute policy notifications to end users across the enterprise and track when users read and acknowledge the policies.
Request exceptions to policies.
Request exceptions from control points.

By default, the Web Portal uses integrated Windows security. If the user domain and the Web Portal domain have a trust relationship, the Web Portal relies on the existing user credentials. The user does not need to enter a name and password to access the Web Portal. If no trust relationship exists, the user is prompted for a name and a password.

By default, the Web Portal fails when Control Compliance Suite is installed on a 64-bit Windows computer. Although the console and the services execute on the Windows On Windows (WOW) 32-bit emulator, the IIS is by default configured as a 64-bit system. So, you must configure the IIS to host 32-bit files and the .NET framework to use the 32-bit version of ASP.NET after installing Web Portal.

To install the Web Portal

1 Insert the Symantec Control Compliance Suite 9.0 product disc into the disk drive on your computer and then click Setup.exe. The Setup.exe is located inside the InstallSet folder of the media structure.

2 In the DemoShield, click Reporting and Analytics. You can find the splash screen, which displays the list of prerequisites that are required for the product installation. The setup installs the listed prerequisites such as .NET framework and so on. See Prerequisites for installing the product components on page 25.

3 In the Welcome panel of the launched Symantec Control Compliance Suite 9.0- Reporting and Analytics Installation Wizard, read and select the license agreement and then click Next.

4 In the Installation Modes panel, select CCS Additional Services and then click Next.

5 In the Selected Component Information panel, read the information displayed in the panel and then click Next.

6 In the Component Selection panel, select Web Portal from the list and then click Next.

7 In the Installation Path panel, review the target path for the component installation and then click Next. Click Browse to specify a different installation path to install the product.

8 In the Prerequisites panel, review the prerequisites that are required for the installation. Click Recheck to verify whether the installation was successful. You must install ASP.NET v2.0.50727, ASP.NET v2.0.50727 Web Service Extension, and Active Server Pages Web Service Extension on the computer.

9 Click Next.

10 In the Web Portal - Information panel, enter values for the fields and then click Next. The fields and the descriptions are as follows:

Enter the IIS site: Enter the Internet Information Service site that hosts the Web Portal.
RAM server name: Enter the server name that hosts the Response Assessment module (RAM).
RAM server port number: Enter the port number of the server that hosts RAM. By default, the port number is 1977.
Application server name: The name of the computer that hosts the Application Server.
Application server port number: The port number of the computer that hosts the Application Server.
Service principal name: Enter the SPN for the Application Server and the DSS. Note: You can associate an SPN with a single user account.

11 In the Summary panel, review the installation details and then click Install. The Installation Progress panel indicates the progress of the component installation. After the installation completes, the last panel of the wizard appears.

12 In the Installation Complete panel, click Finish.


To configure IIS to use WOW and host 32-bit files

1 Open a command prompt and navigate to the systemdrive\Inetpub\AdminScripts directory.

2 Type the following command:
cscript.exe adsutil.vbs set W3SVC/AppPools/Enable32BitAppOnWin64 true

3 Press Enter.

To configure the .NET Framework to use the 32-bit version of ASP.NET

1 Open a command prompt and navigate to the systemroot\Microsoft.NET\Framework\v2.0.50727 directory.

2 Type the following command:
aspnet_regiis -i -enable

3 Press Enter.

Installing the Control Compliance Suite Console


The Control Compliance Suite Console is installed along with the CCS Application Server. You can also install and launch the console alone on a different client computer. The console can be installed from the console launcher that is located in the shared folder of the installed Application Server. The console launcher is an executable (CCS90.exe) and installs the console binaries on the client computer to launch the Control Compliance Suite Console. You can connect to the computer that is installed with the Application Server through port 1431. You can create a shortcut of the Control Compliance Suite Console either through the client launcher or through the Start > Programs menu.

Note: The Control Compliance Suite Console can be launched only from the computer on which the CCS Application Server component is installed.

Ensure that the Application Server domain is in trust mode with the domain from where the CCS Console is launched. If the CCS Console is run in an untrusted mode domain or in no domain mode, then you must modify the shortcut, C:\Windows\System32\runas.exe /user:CONVERGENCE\Administrator /netonly. Here, /user: indicates the domain\user account in which context you want to run CCS Console.


To launch the Control Compliance Suite Console on a different client computer

1 Install the CCS Application Server through the Symantec Control Compliance Suite 9.0- Reporting and Analytics Installation Wizard.

2 From the client computer, access the shared folder of the computer in which the CCS Application Server component is installed.

3 Navigate to the shared installation folder in the computer that hosts the CCS Application Server. By default, the component installation folder is C:\Program Files\Symantec\CCS\Reporting And Analytics\.

4 In the navigated folder, click CCS90.exe.

About using special characters in credentials


Control Compliance Suite supports using specific special characters in the credentials of the user accounts when you install the product components. Using any unsupported special characters in the credential of the user account can cause the component installation to fail.

The supported special characters are applicable to the Windows user accounts for the following services:

Directory Support Service
Application server Service
Data Processing service (DPS) running in the reporter role

The supported special characters are applicable to the following databases:

Production database
Reporting database
SQL Server integration Service (SSIS)

The following special characters are supported in the user account user name:

A-Z, a-z
0-9
At sign (@)
Hash (#)

The following special characters are supported in the user account password:

A-Z, a-z
0-9
At sign (@)
Hash (#)
Less-than (<)
Greater-than (>)
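The supported character lists above can be applied to the planned service and database accounts before the wizard is run. The following is an added example, not part of the Symantec guide or product: the function names and sample accounts are assumptions, and it assumes that a DOMAIN\ prefix is not part of the user name being checked.

```python
import re

# Supported characters exactly as listed above.
USERNAME_OK = re.compile(r"[A-Za-z0-9@#]")
PASSWORD_OK = re.compile(r"[A-Za-z0-9@#<>]")


def unsupported(value, allowed):
    """Return the distinct characters of value outside the allowed set, in first-seen order."""
    found = []
    for ch in value:
        if not allowed.fullmatch(ch) and ch not in found:
            found.append(ch)
    return found


def audit(accounts):
    """Check (component, user_name, password) tuples against the supported sets.

    Returns {component: {"user_name": [...], "password": [...]}} for failing
    accounts only. Only the offending characters are reported, never the
    password itself.
    """
    report = {}
    for component, user_name, password in accounts:
        # Assumption: the rule applies to the account name after any DOMAIN\ prefix.
        account = user_name.rsplit("\\", 1)[-1]
        finding = {}
        bad_user = unsupported(account, USERNAME_OK)
        bad_pass = unsupported(password, PASSWORD_OK)
        if bad_user:
            finding["user_name"] = bad_user
        if bad_pass:
            finding["password"] = bad_pass
        if finding:
            report[component] = finding
    return report


def sample_accounts():
    """Constructed sample accounts; the names and passwords are placeholders."""
    return [
        ("Directory Support Service", r"CORP\svcdss", "Str0ng#Pass@2008"),
        # Underscore in the name and a double quote in the password are unsupported.
        ("Application Server", r"CORP\svc_ccsapp", 'pa"ss<1>'),
        # Hyphen in the name, space and exclamation mark in the password.
        ("DPS (reporter role)", "svc-dps", "p@ss word!"),
    ]


if __name__ == "__main__":
    for component, finding in audit(sample_accounts()).items():
        print(component, finding)
```

Common service-account naming habits such as underscores and hyphens fall outside the supported set, so they are reported alongside password characters.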

Chapter

Configuring Control Compliance Suite components


This chapter includes the following topics:

Configure the Control Compliance Suite
About registration of the Data Processing Service
Configuring the RMS data collection infrastructure
About using LiveUpdate mechanism in Control Compliance Suite

Configure the Control Compliance Suite


After you have installed the Control Compliance Suite, you must perform additional configuration steps. You use the Control Compliance Suite Console to perform these steps. The Console is automatically installed on the same computer as the Application Server. You can also install the console on additional computers. You must perform the following tasks to configure a newly deployed Control Compliance Suite:

Create asset folders.
Assign trustees to roles.
Assign asset folder permissions to trustees.
Define sites.
Register and configure the installed Data Processing Service instances.
Define reconciliation rules.
Create site-based data import jobs.
Create any CSV-based data import jobs.
Create data collection jobs.
Create data evaluation jobs.
Create data reporting jobs.

For additional information about these configuration steps, see the Symantec Control Compliance Suite Help or the Symantec Control Compliance Suite User Guide. When you assign trustees, at a minimum, you must assign trustees to the following roles:

- Asset Import Manager
- Standards Administrator
- Reporting Administrator

You can assign trustees to additional roles as well.

About registration of the Data Processing Service


After you install a Data Processing Service (DPS) instance, you must register the service with the Control Compliance Suite. When the DPS is registered, the communication between the DPS and the CCS Application Server is established. DPS can play the following roles:

- Data collector
- Data evaluator
- Reporter
- Load balancer

You can register the DPS through the Control Compliance Suite Console.

Note: The first DPS that you register must be assigned the load balancer role.

The role of a data collector is to collect data from the enterprise network. The Control Compliance Suite can collect data from any data collection infrastructure such as RMS, ESM, and the data that is stored in Comma Separated Value (CSV) files. The data collection is triggered through the data collection jobs. The collected data is evaluated for the standards by the data evaluator. The data evaluation jobs trigger the data evaluation of the collected data. The load balancer routes the data collection and the data evaluation jobs evenly to the configured data collectors and the data evaluators respectively.

The DPS can be configured as the following data collectors:

- Windows data collector
- UNIX data collector
- SQL data collector
- Oracle data collector
- ESM data collector
- CSV data collector

For additional information about DPS configuration, see the Control Compliance Suite Online Help or the Control Compliance Suite User Guide.

Configuring the RMS data collection infrastructure


The first time the RMS Console starts after it is installed, the RMS Console Configuration Wizard appears. This wizard lets you perform the required minimal RMS Console configuration. You can use the RMS Console Configuration Wizard to configure the RMS Console and Information Server. The configuration involves installation of the bv-Control products and user access rights and properties. You can also access the RMS Console Configuration Wizard from the RMS Configuration container shortcut menu. This shortcut menu also provides access to individual configuration wizards for specific items.

To configure the RMS Console and Information Server using the RMS Console Configuration Wizard

1. In the RMS Console Configuration Wizard Welcome panel, click Next.
2. The Add/Remove Products panel lists all bv-Control products present on the RMS Console and Information Server computer. Select the bv-Control products you want to appear on the Console, and then click Next.
3. In the Add/Remove Products in progress panel, add products in the Console and then click Next. Each time you open the Console, the added bv-Control products appear in the Console tree.
4. In the Add Users panel, add RMS Console users by typing the fully qualified user name in the Users frame. You may also click the browse (...) icon to browse for the user name.
5. Assign the appropriate properties to each user and then click Next to continue.
6. In the User Name drop-down list in the ActiveAdmin Options panel, select each added user in turn. Click the check box beside each product name to enable or disable ActiveAdmin for that user on that product. Click Next to continue.
7. Review the summary information for the added users and then click Next.
8. Click Finish. The RMS Console and Information Server are configured with the items that you have selected in the RMS Console Configuration Wizard.

The configuration wizard contains the minimum required configuration items for the RMS Console. For information on the bv-Control snap-in modules configuration, refer to the individual bv-Control module Getting Started Guide.

About using LiveUpdate mechanism in Control Compliance Suite


The installed Control Compliance Suite components must be updated periodically with the latest content and system patches. Symantec releases system patches and updates for the Control Compliance Suite components, which are downloaded using the LiveUpdate mechanism.

LiveUpdate (LU) is a core Symantec technology that is used to simplify the maintenance and update of Symantec software post deployment. Symantec hosts an online database of all possible product updates. The LiveUpdate Client contacts the Symantec LiveUpdate Server and submits a list of products that are currently installed on the LU client. The LU server returns a list of appropriate updates. Various LU client types are available, but Control Compliance Suite uses the Windows LiveUpdate Client.

In Control Compliance Suite, the LU is installed on the computer on which the CCS Application Server component and Data Processing Service are installed. The LU Client also requires the LiveUpdate Administrator (LUA) for downloading the patches. You can install the LUA on the same LU Client computer or on any computer where Internet access is available. The LiveUpdate Administrator (LUA) is equipped with a distribution mechanism to distribute the updates to a distribution area. The LU Client is responsible for picking up the updates from the distribution area for the components that are installed on the LU component. The administrator must decide whether the content or the system updates are required for the installed components and configure the LUA appropriately.

The following two types of updates are available for the Control Compliance Suite components:

- Quarterly content updates
- System patches and service pack updates

The process of downloading the updates involves the following:

- All packages are downloaded, distributed, and installed manually. Optionally, some organizations can use third-party applications such as Altiris and SMS instead of using LiveUpdate.
- The packages can be downloaded using the LiveUpdate Administrator and are repackaged for manual distribution. Other distribution methods such as direct download from the Web site are available as per Symantec policies.
- All computers are installed with LiveUpdate Client (LU) and are configured with a host file pointing to the LUA distribution area.


Chapter

Modifying or repairing the installed Control Compliance Suite components


This chapter includes the following topics:

- Adding or upgrading the Control Compliance Suite components
- Repairing or reinstalling Control Compliance Suite

Adding or upgrading the Control Compliance Suite components


You can add a new component or upgrade an existing component of the product. You can add a new component only if the component is not already installed on the computer. You can upgrade a component by applying the component update packages that are released after the release of Control Compliance Suite. You can perform the addition or upgrade of a component through the Maintenance panel of the Symantec Control Compliance Suite 9.0 - Reporting and Analytics Installation Wizard.


To add or upgrade a Control Compliance Suite component

1. Insert the Symantec Control Compliance Suite 9.0 product disc into the disk drive on your computer and click Setup.exe. The Setup.exe is located inside the InstallSet folder of the media structure.
2. In the DemoShield, click Reporting and Analytics.
3. In the Maintenance panel of the Symantec Control Compliance Suite 9.0 - Reporting and Analytics, select Add/Upgrade.
4. In the Upgrade panel, select the components that you want to add or modify and click Next. The panel lists the components that are not installed on your computer. You can select any component from the list whether it belongs to the CCS Directory Server, CCS Application Server, or the DPS. The next panel that appears is dependent on the component you select. See Installing the Control Compliance Suite components in a distributed setup mode on page 54.

Repairing or reinstalling Control Compliance Suite


You can repair or reinstall the product components that are already installed on the computer. The requirement to repair the component can arise if the component was not installed properly during the first installation. The repair or reinstallation of a component is performed through the Maintenance panel of the Symantec Control Compliance Suite 9.0 - Reporting and Analytics Installation Wizard.

To repair or reinstall a Control Compliance Suite component

1. Insert the Symantec Control Compliance Suite 9.0 product disc into the disk drive on your computer and click Setup.exe. The Setup.exe is located inside the InstallSet folder of the media structure.
2. In the DemoShield, click Reporting and Analytics.
3. In the Maintenance panel, select Repair/Reinstall.
4. In the Summary panel, review the components for repair by the setup and click Repair.

Chapter

Uninstalling Control Compliance Suite components


This chapter includes the following topics:

- Uninstalling the Control Compliance Suite components from a single setup
- Uninstalling a Control Compliance Suite component from a distributed setup
- Uninstalling RMS Console and Information Server

Uninstalling the Control Compliance Suite components from a single setup


You can uninstall all the components that are installed on a single computer as part of the single setup mode. The uninstallation of all the components can be performed through the Maintenance panel of the Symantec Control Compliance Suite 9.0 - Reporting and Analytics Installation Wizard.

To uninstall all the components from a single setup mode

1. Insert the Symantec Control Compliance Suite 9.0 product disc into the drive on your computer and click Setup.exe. The Setup.exe is located inside the InstallSet folder of the media structure.
2. In the DemoShield, click Reporting and Analytics.
3. In the Maintenance panel, select Uninstall.
4. Under the Uninstall option, select All.
5. Click Next.
6. In the CCS Directory Server - Remove ADAM instance panel, select either of the following options and click Next.
   - Remove the ADAM instance that Control Compliance Suite uses.
   - Do not remove the ADAM instance that Control Compliance Suite uses.
7. In the Application Server - Delete Databases panel, select the databases that are to be removed and click Next. The databases that can be removed are production, reporting, and evidence.
8. In the Summary panel, review the components that are to be uninstalled and click Uninstall.

Uninstalling a Control Compliance Suite component from a distributed setup


You can uninstall any specific component that is installed in the distributed setup mode in an enterprise network. The uninstallation of a component can be performed through the Maintenance panel of the Symantec Control Compliance Suite 9.0 - Reporting and Analytics Installation Wizard.

Note: You must uninstall the Data Processing Service component first followed by uninstallation of the Application Server. Finally, you must uninstall the CCS Directory Server.

To uninstall a component from a distributed setup mode

1. Insert the CCS 9.0 product disc into the drive on your computer and click Setup.exe. The Setup.exe is located inside the InstallSet folder of the media structure.
2. In the DemoShield, click Reporting and Analytics.
3. In the Maintenance panel, select Uninstall.
4. Under the Uninstall option, select Select Components.
5. Click Next.
6. In the Remove Components panel, select the component that you want to remove and click Next.
7. In the CCS Directory Server - Remove ADAM instance panel, select either of the following options and click Next.
   - Remove the ADAM instance that Control Compliance Suite uses.
   - Do not remove the ADAM instance that Control Compliance Suite uses.
8. In the Application Server - Delete Databases panel, select the databases that are to be removed and click Next. The databases that can be removed are production, reporting, and evidence.
9. In the Summary panel, review the components that are to be uninstalled and click Uninstall.

Uninstalling RMS Console and Information Server


You must use the Add or Remove Programs control panel to remove the RMS Console and Information Server and any installed bv-Control snap-in modules. You must remove the components from each computer that hosts an RMS Console or the Information Server. In addition, some bv-Control snap-in modules install additional components. See each module Getting Started Guide for additional information on uninstalling any additional components.

To uninstall the RMS Console and the Information Server

1. On each computer that hosts the RMS Console or an Information Server, open the Add or Remove Programs control panel.
2. In the Add or Remove Programs control panel, click Symantec Control Compliance Suite 9.0 - Data Collection, and then click Change/Remove.
3. In the Maintenance panel, click Uninstall.
4. Click All.
5. Click Next. The RMS Console and Information Server on the computer are removed automatically. When the removal is complete, the Add or Remove Programs control panel reappears. You do not need to restart your computer to complete the removal.


Appendix

Silent Installation
This appendix includes the following topics:

Silent installation

Silent installation
The silent installation mode in Control Compliance Suite installs the product components on different computers without navigating through the Installation Wizard. You must ensure that all computers on which the distributed components are to be installed in the silent mode belong to the same network.

An XML file, which is known as the response file, triggers the silent installation. The response file contains inputs for the component being installed, such as Data Processing Service (DPS). The response file can be created, accessed, and modified only from the setup path of the product installation. The response file is not specific to any operating system.

Usually, in Control Compliance Suite, the Data Processing Service component is installed in a distributed mode since the component is configured to perform multiple roles. The CCS Application Server and the CCS Directory Server are mostly installed on a single computer.

The silent installation process involves the following steps:

- Create a response file.
- Provide inputs for the response file.
- Run the setup in the silent mode and browse to the response file path to start the installation.

Note: You must ensure that the computers on which the silent installation is to be triggered contain all the prerequisites that are to be installed manually. The Control Compliance Suite installs certain prerequisites automatically during the silent installation.

Creating a response file for silent installation


A response file contains the blueprint for installing a Control Compliance Suite component on a computer. This file can be created only on the computer in which the Control Compliance Suite setup files are located. The response files are later deployed on the computers in which the product components are to be installed. In the silent installation mode, a switch triggers the setup to perform a specific action. You must pass specific switches to the setup for creating the response file. The switches /Export and /ExportTo are used for creating the response file and for exporting the setup-related properties to the response file. See Installing the product in the silent mode on page 93. The switches that are defined to initiate the silent installation mode and their purposes are as follows:
/Export         To run the install wizard user interface in the export mode so as to create a response file.
/ExportTo       To specify the response file to be created.
/Silent         To run the setup in silent mode without any UI being screened.
/ResponseFile   To specify the response file that contains the user inputs (required only during fresh installation or adding new components).
/Uninstall      To uninstall all the currently installed components.
/Repair         To repair all the currently installed components.
/AddComponent   To add a new component to the existing installation.

To create a response file and provide inputs

1. Insert the product disc into a computer from where you want to run the Control Compliance Suite installation setup. The response file is created from the setup path.
2. Go to Start>Run and type the path of the location of the installation setup. Append the Setup.exe with the /Export switch to create the response file. Type the following command to create the response file:
   >Setup.exe /Export /ExportTo="C:\Input.xml"
   The Installation Wizard is invoked, displaying the Installation Modes panel. The command creates a response file and exports the properties that are selected through the Installation Wizard into the response file.
3. In the Installation Modes panel of the Installation Wizard, select CCS Additional Services and click Next.
4. In the Selected Component Information panel, review the information about installing the Data Processing Service and then click Next.
5. In the Component Selection panel of the wizard, the Data Processing Service option is selected, by default. Click Next.
6. In the Summary panel, review the components that are to be installed and then click Finish.
7. Click Start>Run and type the following command to specify the response file path:
   ><install path>/Setup.exe /Export /ExportTo=<path and name of the response file>
   For example, if the response file is input.xml and is located in the C:\ drive, then the command is as follows:
   ><install path>/Setup.exe /Export /ExportTo="C:\Input.xml"

The created response file contains the default entries that are required for the installation of the component. You need to specify values for specific settings of the response file. The format of a sample response file is as follows:

<?xml version="1.0" encoding="utf-8"?>
<Properties>
  <Settings Name="Selected Features">
    <Feature Name="Directory Support Service" Enabled="False" />
    <Feature Name="Directory Support Service Core" Enabled="True" />
    <Feature Name="SymCert" Enabled="True" />
    <Feature Name="Management Services" Enabled="False" />
    <Feature Name="Technical Standards Pack" Enabled="False" />
    <Feature Name="SQL Technical Standards Pack" Enabled="False" />
    <Feature Name="Data Processing Service" Enabled="True" />
    <Feature Name="DPS backend" Enabled="True" />
    <Feature Name="ReportServer backend" Enabled="True" />
    ...
    ...
  </Settings>
  <Settings Name="Installation Path">
    <Property Name="Target path" Value="C:\Program Files\Symantec\CCS\Reporting and Analytics" />
  </Settings>
  <Settings Name="Certificate Information - Local Installation">
    <Property Name="Certificate location for Data Processing Service" Value="<specify the location of the certificate>" />
  </Settings>
  <Settings Name="Data Processing Service - Port Information">
    <Property Name="Server port number" Value="3993" />
  </Settings>
</Properties>

The settings for which you must specify values are as follows:
Certificate Information - Local Installation    The setting is for specifying the location of the security certificate that is created for the DPS.
Data Processing Service - Port Information      The setting is for specifying the port number of the DPS. By default, the port number is 3993.

You must not edit the Settings tag of the Selected Features.
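A pre-flight check for an edited response file, added here as an example and not part of the Symantec guide or product: it confirms that the two settings listed above have values, that the port is in range, and that the Selected Features block still matches the file that Setup.exe exported. The function names, the shortened sample XML, the empty certificate value in the exported baseline, and the certificate path are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Settings the guide says need values, mapped to the property each one holds.
REQUIRED = {
    "Certificate Information - Local Installation":
        "Certificate location for Data Processing Service",
    "Data Processing Service - Port Information": "Server port number",
}


def _settings(root, name):
    """Return the <Settings> element whose Name attribute matches, or None."""
    for block in root.findall("Settings"):
        if block.get("Name") == name:
            return block
    return None


def _features(root):
    """Map each feature name to its Enabled value in 'Selected Features'."""
    block = _settings(root, "Selected Features")
    if block is None:
        return {}
    return {f.get("Name"): f.get("Enabled") for f in block.findall("Feature")}


def _property(root, setting, prop):
    """Return the stripped Value of one property, or '' when it is absent."""
    block = _settings(root, setting)
    if block is None:
        return ""
    for item in block.findall("Property"):
        if item.get("Name") == prop:
            return (item.get("Value") or "").strip()
    return ""


def check_response_file(edited_xml, exported_xml):
    """Return the problems found in edited_xml; an empty list means it passed."""
    try:
        edited = ET.fromstring(edited_xml.encode("utf-8"))
        exported = ET.fromstring(exported_xml.encode("utf-8"))
    except ET.ParseError as exc:
        # A raw "<placeholder>" left inside a Value attribute ends up here.
        return [f"not well-formed XML: {exc}"]
    problems = []
    if _features(edited) != _features(exported):
        problems.append("'Selected Features' differs from the exported file")
    for setting, prop in REQUIRED.items():
        value = _property(edited, setting, prop)
        if not value or value.startswith("<"):
            problems.append(f"'{prop}' has no value")
        elif prop == "Server port number" and not (
                value.isascii() and value.isdigit()
                and 1 <= int(value) <= 65535):
            problems.append(f"port {value!r} is not in 1-65535")
    return problems


def sample(dps_enabled, cert, port):
    """Constructed response file, shortened from the layout the guide shows."""
    return f"""<?xml version="1.0" encoding="utf-8"?>
<Properties>
  <Settings Name="Selected Features">
    <Feature Name="Data Processing Service" Enabled="{dps_enabled}" />
    <Feature Name="DPS backend" Enabled="True" />
  </Settings>
  <Settings Name="Certificate Information - Local Installation">
    <Property Name="Certificate location for Data Processing Service" Value="{cert}" />
  </Settings>
  <Settings Name="Data Processing Service - Port Information">
    <Property Name="Server port number" Value="{port}" />
  </Settings>
</Properties>"""


CERT = r"C:\Certs\dps-certificate"      # constructed path, not from the guide
EXPORTED = sample("True", "", "3993")   # constructed baseline, certificate unset
GOOD = sample("True", CERT, "3993")
TAMPERED = sample("False", CERT, "70000")
PLACEHOLDER = sample("True", "<specify the location of the certificate>", "3993")

if __name__ == "__main__":
    for label, text in [("good", GOOD), ("tampered", TAMPERED),
                        ("placeholder", PLACEHOLDER), ("exported", EXPORTED)]:
        print(label, check_response_file(text, EXPORTED))
```

Keep the file that /Export produced as the baseline and run the check on each edited copy before passing it to /ResponseFile.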

Installing the product in the silent mode


To install the Control Compliance Suite in the silent mode, you must run the setup and pass the /Silent switch. In the silent mode of installation, no user interface is displayed. The main requisite for the silent installation is the response file, which contains the inputs of the components that are to be installed. See Creating a response file for silent installation on page 90.

The switches that are defined to perform specific actions trigger the silent installation. The switches

Currently, you can add the Data Processing Service component in the silent mode. Repair and uninstallation of the component can also be performed in the silent mode.

During the silent installation of the component, you are prompted for secured inputs such as the password of the certificate that is used for communication. The secured inputs must be passed in the command line during the component installation. For example, for the DPS installation, the secured input is DPSCert.Password, which must be passed through the command line. For example, you can pass secured inputs to install the DPS in the following command:
> Setup.exe /Silent /ResponseFile="C:\Input.xml" /DPSCert.Password="password"

Note: Ensure that in the command, there is no space before or after the equal to (=) sign. For example, /ResponseFile="C:\Input.xml"

To install Control Compliance Suite in the silent mode

1. Navigate to the computer that contains the setup binaries.
2. Run the setup with the following command for a fresh installation:
   >Setup.exe /Silent /ResponseFile="<full path of the response file>" /DPSCert.Password="<password>"
   For example,
   >Setup.exe /Silent /ResponseFile="C:\Input.xml" /DPSCert.Password="password"

To add the Data Processing Service component in the silent mode

1. Navigate to the computer that contains the setup binaries.
2. Run the setup with the following command to add the DPS:
   >Setup.exe /Silent /AddComponent /ResponseFile="<full path of the response file>" /DPSCert.Password="<password>"
   For example,
   >Setup.exe /Silent /AddComponent /ResponseFile="C:\Input.xml" /DPSCert.Password="password"

To repair the current installation in the silent mode

1. Navigate to the computer that contains the setup binaries.
2. Run the setup with the following command to repair the installation:
   >Setup.exe /Silent /Repair

To uninstall a component in the silent mode

1. Navigate to the computer that contains the setup binaries.
2. Run the setup with the following command to uninstall the component:
   >Setup.exe /Silent /Uninstall

