spectrum security manager (ssm)...

SPECTRUM Security Manager (SSM) 1.2

Installation Guide

Document 9035072-01

Revision 01

October 2001

NoticeCopyright Notice Copyright © 2001 by Aprisma Management Technologies, Inc. All rights reserved worldwide. Use, duplication, or disclosure by the United States government is subject to the restrictions set forth in DFARS 252.227-7013(c)(1)(ii) and FAR 52.227-19.

Copyright © 2001 by Intellitactics, Inc. All rights reserved.

Liability Disclaimer Aprisma Management Technologies, Inc. (�Aprisma�) reserves the right to make changes in specifications and other information contained in this document without prior notice. In all cases, the reader should contact Aprisma to inquire if any changes have been made.

The hardware, firmware, or software described in this manual is subject to change without notice.

IN NO EVENT SHALL APRISMA, ITS EMPLOYEES, OFFICERS, DIRECTORS, AGENTS, OR AFFILIATES BE LIABLE FOR ANY INCIDENTAL, INDIRECT, SPECIAL, OR CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING BUT NOT LIMITED TO LOST PROFITS) ARISING OUT OF OR RELATED TO THIS MANUAL OR THE INFORMATION CONTAINED IN IT, EVEN IF APRISMA HAS BEEN ADVISED OF, HAS KNOWN, OR SHOULD HAVE KNOWN, THE POSSIBILITY OF SUCH DAMAGES.

Trademark, Service Mark, and Logo Information SPECTRUM, IMT, and the SPECTRUM IMT/VNM logo are registered trademarks of Aprisma Management Technologies, Inc., or its affiliates. APRISMA, APRISMA MANAGEMENT TECHNOLOGIES, the APRISMA MANAGEMENT TECHNOLOGIES logo, MANAGE WHAT MATTERS, DCM, VNM, SpectroGRAPH, SpectroSERVER, Inductive Modeling Technology, Device Communications Manager, SPECTRUM Security Manager, and Virtual Network Machine are unregistered trademarks of Aprisma Management Technologies, Inc., or its affiliates. For a complete list of Aprisma trademarks, service marks, and trade names, go to:

http://www.aprisma.com/manuals/trademark-list.htm.

jSNMP Enterprise� copyright © 1997-2001 OutBack Resource Group, Inc. All rights reserved. All referenced trademarks, service marks, and trade names identified in this document, whether registered or unregistered, are the intellectual property of their respective owners. No rights are granted by Aprisma Management Technologies, Inc., to use such marks, whether by implication, estoppel, or otherwise. If you have comments or concerns about trademark or copyright references, please send an e-mail to [email protected]; we will do our best to help.

Restricted Rights Notice (Applicable to licenses to the United States government only.)This software and/or user documentation is/are provided with RESTRICTED AND LIMITED RIGHTS. Use, duplication, or disclosure by the government is subject to restrictions as set forth in FAR 52.227-14 (June 1987) Alternate III(g)(3) (June 1987), FAR 52.227-19 (June 1987), or DFARS 52.227-7013(c)(1)(ii) (June 1988), and/or in similar or successor clauses in the FAR or DFARS, or in the DOD or NASA FAR Supplement, as applicable. Contractor/manufacturer is Aprisma Management Technologies, Inc. In the event the government seeks to obtain the software pursuant to standard commercial practice, this software agreement, instead of the noted regulatory clauses, shall control the terms of the government's license.

Virus Disclaimer Aprisma makes no representations or warranties to the effect that the licensed software is virus-free. Aprisma has tested its software with current virus-checking technologies. However, because no antivirus system is 100-percent effective, we strongly recommend that you write protect the licensed software and verify (with an antivirus system with which you have confidence) that the licensed software, prior to installation, is virus-free.

Contact Information Aprisma Management Technologies, Inc., 273 Corporate Drive, Portsmouth, NH 03801 USA

Phone: 603.334.2100U.S. toll-free: 877.468.1448Web site: http://www.aprisma.com

SPECTRUM Security Manager (SSM) 1.2Installation Guide

Document 9035072-01Revision 01

October 2001

http://www.aprisma.com/manuals/trademark-list.htm

Contents

Notice ........................................................................................... 2

Preface ......................................................................................... 6

Intended Audience ..................................................................... 6

Text Conventions ....................................................................... 6

Document Feedback ................................................................... 7

Online Documents ...................................................................... 7

Installation Prerequisites ............................................................. 8

Reference Documentation ........................................................... 9

Prerequisite Actions ...................................................................10

System Requirements for Windows NT .........................................11

System Requirements for Solaris ................................................12

Preinstallation Considerations .....................................................13

Component Definitions ..........................................................14

Sample Network Configuration ...............................................15

Installation Checklist .................................................................16

SSM Keys ................................................................................18

Extraction Keys ...................................................................18

Activation Keys ....................................................................18

Upgrading ...........................................................................20

Installing SSM ............................................................................ 21

Java 2 Virtual Machine 1.3 Requirement .......................................22

JDBC Configuration Wizard .........................................................23

SSM Installation Options ............................................................24

Installing SSM and the JVM for Windows NT ..................................25

Installing SSM and the JVM for Solaris .........................................28



October 2001

Installing the Normalizer Pack ................................................... 30

Upgrading ................................................................................31

Installing the Normalizer Pack for Windows NT ..............................32

Installing the Normalizer Pack for Solaris .....................................33

Installing Agents .......................................................................34

Installing SSM�s Event2Message Service .......................................35

Starting the Event2Message Service ............................................36

Installing the McAfee Agent for Windows NT .................................37

Starting the McAfee Agent in Windows NT ....................................39

Installing the McAfee Agent for Solaris .........................................40

Starting the McAfee Agent in Solaris ............................................42

SSM Databases ........................................................................... 43

MS SQL Server Database Integration ...........................................44

Creating an MS SQL Server Database ..........................................45

Creating a User with DBO Rights .................................................46

Oracle Database Integration .......................................................48

Creating an Oracle Database ......................................................49

Specifying the Name of the Driver ...............................................50

The JDBC Configuration Wizard ...................................................51

Creating the JDBC Database Connection ..................................53

Removing a Database from the JDBC Configuration Wizard .............55

Query Servlet ............................................................................. 56

Explaining What the Query Servlet Is ...........................................57

Installing Apache Web Server .....................................................58

Installing Apache for Windows NT ...............................................59

Installing Apache for Solaris .......................................................60

Completing the Apache Web Server Installation for Windows NT ......61

Completing the Apache Web Server Installation for Solaris .............62

Appending the httpd.conf File ...................................................63

Configuring the httpd.conf File for Windows NT ...........................64

Configuring the httpd.conf File for Solaris ..................................65

Initializing Apache Web Server ....................................................66



October 2001

Stopping the Apache Service ......................................................67

Installing Jakarta-Tomcat for Windows NT ....................................68

Installing Jakarta-Tomcat for Solaris ............................................69

Starting Jakarta-Tomcat for Windows NT ......................................70

Starting Jakarta-Tomcat for Solaris .............................................71

Configuring the Audit.properties File ........................................72

Configuring the Audit.properties File for MS SQL Server .............73

Configuring the Audit.properties File for Oracle .........................74

Starting SSM ............................................................................... 75

Starting SSM on the Central Server .............................................76

Starting SSM on an Event Concentrator .......................................77

Configuring the Syncrules Graph ................................................ 78

Establishing a Connection between the Central Server and Event Concentrators ........................................................................79

Installing Netscape for Windows NT .............................................82

Installing Netscape for Solaris .....................................................83

Documentation ........................................................................... 84

Installing the SSM 1.2 Documentation .........................................85

Installing Adobe Acrobat Reader for Windows NT ...........................86

Installing Adobe Acrobat Reader for Solaris ..................................87

Removing SSM ............................................................................ 88

Removing SSM for Windows NT ..................................................89

Removing SSM for Solaris ..........................................................90

Removing the Normalizer Pack for Windows NT .............................91

Removing the Normalizer Pack for Solaris ....................................92

Index .......................................................................................... 93



October 2001

Preface

In this section:

Intended Audience []

Text Conventions [Page 6]

Document Feedback [Page 7]

Online Documents [Page 7]

Intended Audience

This guide is intended for novice, intermediate, or advanced users of SPECTRUM Security Manager (SSM). It provides SSM installation information in a task-based format that can be employed as a personal reference guide or as part of a training materials package.

Text Conventions

The following text conventions are used in this document:

Element Convention Used Example

User-supplied parameter names

Courier in angle brackets <>.

The user needs to type the password in place of <password>.

On-screen text Courier The following line displays:path=”/audit”

User-typed text Courier Type the following path name: C:\ABC\lib\db

Cross-references Underlined and hypertext-blue

See Document Feedback [Page 7].

References to SPECTRUM documents (title and number)

Italic SPECTRUM Installation Guide (9030675)

Functionality enabled by SPECTRUM Alarm Notification Manager (SANM)

SANM in brackets []. [SANM] AGE_FIELD_ID


Page 6


October 2001

Document Feedback

Please send feedback regarding SPECTRUM documents to the following e-mail address:

[email protected]

Thank you for helping us improve our documentation.

Online Documents

SPECTRUM documents are available online at:

http://www.aprisma.com/manuals

Check this site for the latest updates and additions.



October 2001

http://www.aprisma.com/manuals

Installation Prerequisites

Before installing SSM, make sure you have the necessary hardware and software installed on your system. The listed requirements are the minimum specifications for running SSM. Meeting or exceeding these requirements ensures that SSM will perform optimally on your system.

Important: After installing SSM, review the release note.htm file for updates.

In this section:

Reference Documentation [Page 9]

Prerequisite Actions [Page 10]

System Requirements for Windows NT [Page 11]

System Requirements for Solaris [Page 12]

Preinstallation Considerations [Page 13]

Installation Checklist [Page 16]

SSM Keys [Page 18]



October 2001

Reference Documentation

Aprisma�s SPECTRUM Security Manager (SSM) 1.2 Installation Guide (9035072) introduces SSM, outlines the conceptual design of SSM, explains how to install and navigate through SSM, and gives procedures and examples of SSM operations.

This guide is intended to help you understand SSM, starting with basic functionality and progressing to more complex operations.

For more information on using SSM, refer to the complete documentation set:

� SPECTRUM Security Manager (SSM) 1.2 Getting Started Guide (9035086)

� SPECTRUM Security Manager (SSM) 1.2 Administrator Guide (9035073)

� SPECTRUM Security Manager (SSM) 1.2 Normalizer and Agent Configuration Guide (9035088)



October 2001

Prerequisite Actions

Complete the following actions on the SPECTRUM computer:

� Install the SSMI Management Module on the SPECTRUM computer before running SSM.

� Create a user model in the SPECTRUM database for the user running SSM.

� Add the computer running SSM to the SPECTRUM computer�s host security file (.hostrc.).



October 2001

System Requirements for Windows NT

Operating System Windows NT 4.0 Server with Service Pack 6a

Processor Pentium III 733.

Space Minimum 200 MB of hard drive space and 512 MB RAM

Database MS SQL Server 7 with Service Pack 2, or Oracle 8i. Be sure to allot enough database space to accommodate the expected number of events.

Important: The use of Pentium 4-based workstations for SSM is not recommended. Performance comparison tests indicate that a 1.4 GHz P4 Central Server or Event Concentrator has less event throughput performance than a PIII 933 MHz Xeon computer.

To ensure maximum performance, Aprisma recommends using a dual-processor PIII-1.0 GHz computer. However, before installing SSM, contact your Aprisma sales representative for the latest system recommendations.



October 2001

System Requirements for Solaris

Operating System Solaris 8 with Solaris Common Desktop Environment (CDE)

Processor Sun Ultra 10 Model 440 1x440MHz UltraSPARC-lli

Database Oracle 8i. Be sure to allot enough database space to accommodate the expected number of events.



October 2001

Preinstallation Considerations

Before installing SSM, read the following information and review the sample network configuration on page 15 to determine the best way to set up your enterprise network.

There are five component categories to SSM:

� Central Server,

� Event Concentrator(s),

� Normalizers and Agents,

� Database, and

� Query Servlet.



October 2001

Component Definitions

Central Server is considered the root level of SSM. It has a user interface to build and edit rules. Once rules are created, they are sent to the Event Concentrators, which use those rules to send events to SSM.

Event Concentrators perform a function similar to Central Servers and are used to help manage network load. They do not have a user interface, so they cannot be used to build and edit rules. In general, one Event Concentrator can handle 90 events per second.

Normalizers are installed on both Central Servers and Event Concentrators. They take messages from network devices and reformat them into the SSM message format. Agents can be installed throughout the network. They are proprietary applications that extract information from various types of logs and send this information to SSM. Normalizers and agents are included in the Normalizer Pack.

SSM database is either an Oracle or MS SQL Server database. The Central Server is connected to the database by the JDBC Configuration Wizard. The Central Server uses this connection to send events to the database. These events can be queried from the database using the Query Servlet, which is connected through the JDBC-ODBC bridge created by the Audit.properties file.

Query Servlet lets authenticated users query the SSM database using a Web browser. It consists of Apache Web Server and the Jakarta-Tomcat Servlet engine, both of which must be installed on the same computer. The Query Servlet cannot function until the appropriate configurations are made to the Audit.properties file.



October 2001

Sample Network Configuration

The following figure shows a sample network:

For more information about how to best configure SSM for your enterprise network, contact your Aprisma sales representative.



October 2001

Installation Checklist

You require administrator rights for the computer on which you install SSM.

Before installing SSM, make sure the following software is installed on your server:

Remove the following software (if already installed):

Have the following information handy:

Windows NT 4, with service pack 6a (for Windows NT installation)

Solaris 8, with the appropriate service packs (for Solaris installation)

Internet Explorer 5.0 (or later) or Netscape 4.6 (or later)

Jakarta-Tomcat Servlet Engine 3.1 (or any similar servlet engine)

Apache Web Server 1.3.14 (or any similar Web service)

SSM�s Event2Message service

Extraction and activation keys for SSM

Your database computer name (or an IP address, username, and password for it)

Apache document root

Your SNMP public community name

Your mail server IP address

The Central Server IP address and port number (if installing Event Concentrators)



October 2001

Before installing SSM 1.2, you should:

� Remove all previous versions of SSM�s Event2Message, McAfee agent, and Query Servlet; these components cannot be upgraded.

� Save all existing SSM rules to the scripts folder, and

� Save the scripts folder to a different location.

Once SSM 1.2 is installed, copy the contents of the saved scripts folder over the corresponding files to restore your existing rules.

After installing the necessary software, you�re ready to proceed. Go to page 21 to begin the SSM installation process.



October 2001

SSM Keys

SSM requires two types of keys: extraction keys and activation keys.

Extraction Keys

Extraction keys enable SSM to be installed as either a Central Server or an Event Concentrator, and are supplied by the Aprisma Customer Service department; see page 2 for contact information. Extraction keys can be used for multiple installations.

Activation Keys

Activation keys are generated from the Aprisma Web site (http://www.aprisma.com).

Generate an activation key for each Central Server and Event Concentrator that you purchased. A valid activation key is required each time SSM is started.

Note: If you have an evaluation copy of SSM, the activation key causes SSM to shut down once the evaluation period expires; a message indicating that the license has expired appears in the SSM console.



October 2001

http://www.aprisma.com

Procedure

1. Open a Web browser; then navigate to http://www.aprisma.com/swmfg/act-keygen/.

2. Have the following information handy; it should be included in the post-sales e-mail from the Aprisma Customer Service department:

� Your SPECTRUM license number,

� Your purchase order (P.O.) number,

� The first 12 characters of your extraction key value,

� Your authorization code, and

� The version of SPECTRUM you are running.

3. At the bottom of the Web page, it says, �To generate a SPECTRUM Security Manager activation key, click here.� Follow this link.

4. Type your username and password in the appropriate fields.

This information is sent from Aprisma by e-mail. If you do not receive this information or have issues logging in, contact the Aprisma Technical Assistance Center (ATAC); see page 2 for contact information.

Note: Type your username and password exactly as they appear in the e-mail.

5. Click Login.

6. Enter the IP addresses for each Central Server and Event Concentrator. You do not have to generate all the keys at once.

7. Make sure you enter the correct IP addresses. SSM cannot run if you enter an incorrect IP address.

8. When finished, click Get_Keys. Your activation keys display in the right column.

9. Click Logout to exit.



October 2001

http://www.aprisma.com/swmfg/act-keygen/

http://www.aprisma.com/swmfg/act-keygen/

Upgrading

SSM 1.2 supports the following upgrade paths.

� SSM 1.0 to SSM 1.2

� NSM 3.2 to SSM 1.2

SSM�s Event2Message, McAfee agent, and Query Servlet cannot be upgraded; therefore, remove all previous versions of these components before installing SSM 1.2.

Make sure you back up your scripts directory before upgrading.



October 2001

Installing SSM

This section includes installation requirements for installing SSM as a Central Server or an Event Concentrator.

Before starting the SSM installation process, make sure you have all necessary extraction and activation keys; see page 18 for more information.

Important: After installing SSM, review the release note.htm file for updates.

In this section:

Java 2 Virtual Machine 1.3 Requirement [Page 22]

JDBC Configuration Wizard [Page 23]

SSM Installation Options [Page 24]

Installing SSM and the JVM for Windows NT [Page 25]

Installing SSM and the JVM for Solaris [Page 28]



October 2001

Java 2 Virtual Machine 1.3 Requirement

SSM requires the Java 2 Virtual Machine (JVM), version 1.3. If SSM does not detect the JVM, or detects an earlier version, the SSM InstallShield Wizard activates the JVM InstallShield Wizard; the JVM is then installed on your computer before the SSM installation begins. A JVM is required for every SSM installation.



October 2001

JDBC Configuration Wizard

The Edit Schema button lets you configure the database layout. If you make a change to your SQL/ORACLE server, update the schema to reflect those changes. For example, if your database administrator changes the size of a field because the value is truncated, use the schema editor to inform SSM that field is changed. The schema is in schema.nsm in the SSM/classes/wizards directory.

While making changes, a copy of the current schema is saved in the schema.bak file. Once a new schema is saved, it is passed to the database operator through the con-base and cs-base files. Duplicate fields are not allowed in the Database Schema Editor.

Procedure

1. From the JDBC Configuration Wizard, click Edit Schema. The Database Schema Editor opens with the current schema loaded.

2. Make the appropriate changes; then click OK. A Finished dialog appears indicating the changes are not saved.

3. Click OK. You return to the JDBC Configuration Wizard.

4. Click Finished to apply the changes.

Note: Changes are not saved or applied until you click Finished in the JDBC Configuration Wizard.



October 2001

SSM Installation Options

� The first choice is to install SSM as a Central Server. The Central Server is an integral part of SSM. For more information, refer to the SPECTRUM Security Manager (SSM) 1.2 Administrator Guide (9035073).

� The second choice is to install SSM as an Event Concentrator. This option is used to create an efficient network by distributing specific tasks to various computers. For more information, refer to the SPECTRUM Security Manager (SSM) 1.2 Administrator Guide (9035073).

Ideally, the Central Server should be installed on either your administrator computer, or the computer regulating network activity.

It is best to install the Central Server first and record the IP address and port number of that computer. You need this information for the Event Concentrator installation.



October 2001

Installing SSM and the JVM for Windows NT

The following procedure is similar for both the Central Server and Event Concentrator installations. The extraction key value entered determines whether SSM is installed as a Central Server or an Event Concentrator.

Procedure

1. Insert the SSM CD into the CD-ROM drive.

2. Select Start > Run.

3. Type D:\SSM\SSMsetup.exe (assuming that D: is your CD-ROM drive).

4. Click OK. The InstallShield begins.

5. Read the Welcome screen; then click Next to continue.

or

Click Cancel to exit the installer program.

6. Once you�ve read and agreed to the software license agreement by selecting the appropriate option, click Next.

7. Complete the user information fields (Name, Organization, and Extraction Key); then click Next.

Note: Make sure you type the appropriate extraction key value (either Central Server or Event Concentrator).

8. If the extraction key value specified in Step 7 is for a Central Server, go to Step 9. If the extraction key is for an Event Concentrator, type the Central Server IP address and the Central Server Port (by default, 9317); then click Next.



October 2001

9. This screen displays the default directory name: C:\SSM. You can use this default

or

Click Browse to change the destination to an existing folder.

Note: For Windows NT, it is strongly recommended to leave the default directory name as C:\SSM. The folder that SSM is installed in must be part of a short directory name and not contain any spaces for SSM to register properly.

10. Click Next.

11. A dialog box appears indicating that the directory does not exist. Click Yes to create the directory on your computer.

12. Enter the spectroSERVER name; then click Next.

13. Information about the location, features, and total size of the installation appears. Click Next. The SSM installation begins.

14. If JVM 1.3 is already installed, go to Step 16. If the SSM InstallShield Wizard does not detect the correct version of the JVM, the Question dialog box appears indicating that the JVM is needed to complete the SSM install. Click Yes, so the SSM InstallShield Wizard activates the JVM InstallShield Wizard.

15. If a previous version of the JVM is installed, a prompt appears asking if you want to overwrite the contents of this directory. Click Yes.

Note: Canceling the JVM installation can cause the InstallShield to hang.

The JVM InstallShield Wizard completes the installation and returns you to the SSM installation. The JDBC Configuration Wizard appears.



October 2001

16. If you want to configure the SSM database, follow the procedure specified in either �MS SQL Server Database Integration� on page 44 or �Oracle Database Integration� on page 48 of this guide. Otherwise, click Cancel to return to the SSM installation and configure the database later.

17. Once the installation is complete, the SSM Release Notes display. Read these release notes before using SSM.

Note: After SSM is installed, access the SSM Release Notes by selecting Start > Programs > Spectrum Security Manager > Release Notes.

18. Click Finish to complete the SSM installation.



October 2001

Installing SSM and the JVM for Solaris

The following procedure is similar for both Central Server and Event Concentrator installations. The extraction key value entered determines whether SSM is installed as a Central Server or an Event Concentrator.

Note: To support the servlet in Solaris, SSM ships with a JDBC driver.

Procedure

1. Insert the SSM CD into the CD-ROM drive.

2. Double-click the SSMsetup.bin file in the SSM directory. The JVM InstallShield Wizard begins.


or


4. Once you�ve read the software license and agreed to it by selecting the appropriate option, click Next.

5. Complete the user information fields (Name, Organization, and Extraction Key); then click Next.

6. If the extraction key value specified in Step 5 is for a Central Server, go to Step 7. If the extraction key is for an Event Concentrator, type the Central Server IP address and the Central Server Port (by default, 9317); then click Next.

Note: If the installer asks if you want to replace any *.property files, click Yes.

7. This screen displays the default directory name: /opt/SSM. Use this default.

or


8. Click Next.

9. A dialog box appears indicating that the directory does not exist. Click Yes to create the directory on your computer.



October 2001

10. Enter the spectroSERVER name; then click Next.

11. Information about the location, features, and total size of the installation appears. Click Next. The SSM installation begins.

12. If you have already installed JVM 1.3, go to Step 14. If the SSM InstallShield does not detect the correct version of the JVM, the Question dialog box appears indicating that the JVM is needed to complete the SSM installation. Click Yes, so the SSM InstallShield Wizard activates the JVM InstallShield Wizard.

13. If a previous version of the JVM is installed, a prompt appears asking if you want to overwrite the contents of this directory. Click Yes.

The JVM InstallShield Wizard completes the installation and returns you to the SSM installation. The JDBC Configuration Wizard appears.

14. If you want to configure the SSM database, follow the procedure specified in �Oracle Database Integration� on page 48 of this guide. Otherwise, click Cancel to return to the SSM installation and configure the database later.

15. Once the installation is complete, the SSM Release Notes display. Read these release notes before using SSM.

Note: After SSM is installed, you can continue to access the SSM Release Notes by double-clicking the ReleaseNotes.htm file in the /opt/SSM directory.

16. Click Finish to complete the SSM installation.

Note: The console window might not close after SSM is installed. It is safe to close this window after completing Step 18.



October 2001

Installing the Normalizer Pack

Before starting SSM, you must install the Normalizer Pack; it contains all of the normalizers and agents you need to use with SSM.

On the Central Server, install the normalizers that correspond to all network devices that send information to SSM. If you do not install the corresponding normalizers, you cannot build rules for those network devices.

You only need to install the normalizers on each Event Concentrator for each downstream network device (i.e., the network devices that send information to their respective Event Concentrator); however, it is easier to install all SSM normalizers on each Event Concentrator.

For more information about normalizers, refer to the SPECTRUM Security Manager (SSM) 1.2 Normalizer and Agent Configuration Guide (9035088).

Note: SSM must be installed before installing the Normalizer Pack.

In this section:

Upgrading [Page 31]

Installing the Normalizer Pack for Windows NT [Page 32]

Installing the Normalizer Pack for Solaris [Page 33]

Installing Agents [Page 34]

Installing SSM�s Event2Message Service [Page 35]

Starting the Event2Message Service [Page 36]

Installing the McAfee Agent for Windows NT [Page 37]

Starting the McAfee Agent in Windows NT [Page 39]

Installing the McAfee Agent for Solaris [Page 40]

Starting the McAfee Agent in Solaris [Page 42]



October 2001

Upgrading

To upgrade your syslog and snmp rules from SSM 1.0 to SSM 1.2, you first must change the following extensions of the following files to .rebranded.

• con-snmp.nsm

• cs-snmp.nsm

• con-syslog.nsm

• cs-syslog.nsm

After you install Normalizer Pack 1.2, change the file extensions back to .nsm to restore your rules.



October 2001

Installing the Normalizer Pack for Windows NT

1. Double-click Normalizer_Pack.exe on the SSM CD in the Normalizer_Pack folder. The InstallShield begins.


or



4. If SSM is installed in a directory other than the default, the screen prompts you to select the path to SSM.

5. The next screen displays the normalizers for the network devices that can be used with SSM. Check the boxes for the normalizers you want to install; then click Next.

Note: If the Replace Existing File dialog box appears indicating that a file already exists on the system, click Yes to All to continue with the Normalizer Pack installation.

6. The installer displays your chosen installation directory, normalizers, and the total size of the files it is installing. Click Next.

7. Click Finish to complete the Normalizer Pack installation.



October 2001

Installing the Normalizer Pack for Solaris

1. Double-click the Normalizer_Pack.bin file in the Normalizer_Pack directory on the SSM CD. The InstallShield begins and the screen displays a message that the Java Virtual Machine is being prepared.


or



4. If SSM is installed in a directory other than the default, the screen prompts you to select the path to SSM.

5. The next screen displays the normalizers for the network devices that can be used with SSM. Clear the checkboxes for the normalizers that you do not want to install; then click Next.

6. If the Replace Existing File dialog box appears indicating that a file already exists on the system, click Yes to All to continue with the installation.

7. The installer displays your chosen installation directory, normalizers, and the total size of the files it is installing. Click Next.

8. Click Finish to complete the Normalizer Pack installation.

Note: The console window might not close after the installation. It is safe to close this window after completing Step 8.



October 2001

Installing Agents

An agent is a proprietary program that performs an information-gathering or processing task in real-time. In SSM, agents extract information from network devices and send the information to SSM. Currently, there are two agents used by SSM:

� SSM�s Event2Message service

� McAfee agent

Agents are installed on the computer that the third-party software sends events to, which is either an Event Concentrator or the Central Server, depending on your network configuration.

For example, if McAfee is pointing to an Event Concentrator, the agent should be installed there. Likewise, if you are collecting logs from several NT Server computers and pointing to an Event Concentrator, the agent should be installed there.



October 2001

Installing SSM’s Event2Message Service

If you want to use CyberCop, Snort, or NT Eventlog, you must install SSM�s Event2Message service on the computer that receives the events (either an Event Concentrator or the Central Server, depending on your network configuration). You must install the service on the computer with the browse function activated.

Note: Event2Message can only be installed on Windows NT computers.

Procedure

1. Double-click Setup.exe in the Event2Message folder on the SSM CD.

2. The Choose Destination Location screen appears. The default C:/Program Files/NT Collector is recommended. Use the default.

or

Click Browse to change this location.

3. Click Next. The installation begins.

4. Once the screen displays a message indicating this phase of the installation is successful, click OK. The NT Collector Console opens.

Note: At this point, configure the Event2Message service for your network. For information about configuring and initializing the Event2Message Service, refer to the SPECTRUM Security Manager (SSM) 1.2 Normalizer and Agent Configuration Guide (9035088).

5. Type the IP address of the Central Server in the Concentrator Address field. Be sure to enter a valid IP address.

6. Type the port number of the Central Server in the Concentrator Port field.

7. Click Update.

8. Click Exit.

9. Once the installation is complete, click Finish.



October 2001

Starting the Event2Message Service

1. Select Start > Settings > Control Panel.

2. Double-click Services.

3. Select the Event2Message service.

4. Click Start.



October 2001

Installing the McAfee Agent for Windows NT

The McAfee agent is required if you intend to use McAfee Dr. Solomon Netshield. Install this agent on the computer that McAfee Dr. Solomon NetShield points to (should be an SSM Central Server or Event Concentrator).

Procedure

1. Double-click McAfee_Agent.exe in the SSM\agents\mcafee folder on the SSM CD.

2. Read the welcome screen; then click Next to continue.

or


3. The following screen appears:



October 2001

4. Type the name of the McAfee server, as well as the timeout value, username, password, and name of the McAfee database (default = NaiEvents) in the appropriate fields; then click Next.

5. Type the IP address of the SSM Central Server or Event Concentrator that receives the events (default = the loopback address).

6. Click Next.

7. The screen displays the default Directory name (default = C:\McAfee_Agent). The default is recommended; use the default.

or

Click Browse to choose an existing folder.

8. If a dialog box appears indicating that the directory does not exist, click Yes to create the directory on your computer.

9. Information about the location, features, and total size of the installation appears. Click Next. The McAfee agent installation begins.

10. Click Finish to complete the McAfee agent installation.



October 2001

Starting the McAfee Agent in Windows NT

Double-click McAfee_Agent.exe in the default C:\McAfee_Agent directory.

or

Select Start > Programs > Spectrum Security Manager > Agent > McAfee Agent. This opens a command console that displays debugging information if the Debug value in the Mcafee.conf file is set to true.

Note: For information on setting the Debug value, refer to the SPECTRUM Security Manager (SSM) 1.2 Normalizer and Agent Configuration Guide (9035088).



October 2001

Installing the McAfee Agent for Solaris

The McAfee agent is required if you intend to use McAfee Dr. Solomon Netshield. Install this agent on the computer that McAfee Dr. Solomon NetShield points to (should be an SSM Central Server or Event Concentrator).

Procedure

1. Double-click McAfee_Agent.bin in the /SSM/agents/mcafee folder on the SSM CD.

2. Read the welcome screen; then click Next to continue.

or


3. The following screen appears:



October 2001

4. Type the name of the McAfee server, as well as the timeout value, username, password, and name of the McAfee database (default = NaiEvents) in the appropriate fields; then click Next.

5. Type the IP address of the SSM Central Server or Event Concentrator that receives the events (default = the loopback address).

6. Click Next.

7. The screen displays the default Directory name (default = /opt/McAfee_agent). The default is recommended. Use the default.

or


8. If a dialog box appears indicating that the directory does not exist, click Yes to create the directory on your computer.

9. Information about the location, features, and total size of the installation appears. Click Next. The McAfee agent installation begins.

10. Click Finish to complete the McAfee agent installation.



October 2001

Starting the McAfee Agent in Solaris

Double-click McAfee_Agent.bin in the default /opt/mcafee_agent directory.



October 2001

SSM Databases

You must create the SSM database on your server before you can store SSM messages in it. You only need to create the database once, since additional SSM installations can use the same database. It is important to allot enough database space to accommodate the expected number of events.

The Central Server has its own database to store all events sent to it from Event Concentrators. Additional data sources can be added to each Event Concentrator to store information not sent to the Central Server.

SSM supports and provides default JDBC drivers for the Oracle 8i and MS SQL Server 7 databases.

In this section:

MS SQL Server Database Integration [Page 44]

Creating an MS SQL Server Database [Page 45]

Creating a User with DBO Rights [Page 46]

Oracle Database Integration [Page 48]

Creating an Oracle Database [Page 49]

Specifying the Name of the Driver [Page 50]

The JDBC Configuration Wizard [Page 51]

Removing a Database from the JDBC Configuration Wizard [Page 55]



October 2001

MS SQL Server Database Integration

For the MS SQL Server to function with SSM, complete the following two steps:

� Create an MS SQL Server database.

� Create a user with database ownership (DBO) rights.

Note: MS SQL Server is only supported for Windows NT computers.



October 2001

Creating an MS SQL Server Database

The following procedure is the same for both the Central Server and the Event Concentrators.

Procedure

1. Start SQL Server Query Analyzer.

2. Log in as the SQL server system administrator.

3. Open the following file on the SSM CD: DB_Scripts\SqlServer.sql.

Note: This script is designed to replace any existing database named Generic with a new, empty version. If a database named Generic already exists on your system and you want to save the data, back up the database before running the script.

4. Press F5 to run the script that creates the Generic database and tables.

5. Create a new user or assign an existing one. This user must have full rights and privileges to the Generic database. Typically, this is done by assigning the db_owner role to the user.

Note: This username and password are required later during the installation.



October 2001

Creating a User with DBO Rights

The following example explains:

� How to create a database that is not the default database, and

� How to assign a user to the Generic database.

Procedure

1. Start SQL Server Enterprise Manager. This program enables you to connect to all of your SQL databases.

2. Connect to the SQL server that contains the Generic database.

3. To create a new user, select Console Root > Microsoft SQL Servers > [name of your server] > Security.

4. Right-click Logins.

5. Select New Login from the shortcut menu.

6. Type the Name of the new user.

7. Select the SQL Server authentication option.

8. Type a Password.

9. Change the default database to the Generic database; then click OK.

10. Confirm the new password; then click OK.

11. To set the owner rights for the Generic user, select Console Root > Microsoft SQL Servers > [name of your server] > Databases > SSM.

12. Right-click Users.



October 2001

13. Select New Database User from the shortcut menu.

14. Select the Login name from the drop-down list.

or

Assign a different User name.

15. In the Database role membership list, check the db_owner box to assign the new user rights to the Generic database.

16. Click OK. The user appears as a new item in the right pane.

17. Exit SQL Server Enterprise Manager.

Note: To assign the db_owner role for the default SSM database to the existing user, skip Step 3 to Step 10 and follow Step 11 to Step 17. Without this role assignment, the existing user cannot access the Generic database.



October 2001

Oracle Database Integration

For Oracle to function with SSM, complete the following two steps:

� Create an Oracle database, and

� Specify the name of the Oracle driver in the Audit.properties file.



October 2001

Creating an Oracle Database

1. Log into the SQL Plus Worksheet as the user assigned DBO rights.

2. Open the following file from the SSM CD: DB_Scripts\Oracle.sql. The script creates the SSM database.

Note: This script replaces any existing database named Generic with a new, empty version. If a database named Generic already exists on your system and you want to save the data, back up the database before running the script.

3. Once the script is finished, select Worksheet > Execute.

4. Exit the SQL Plus Worksheet.

Note: This username and password are required later during the installation.



October 2001

Specifying the Name of the Driver

You do not have to create an ODBC connection if you are using an Oracle database. Instead, native drivers for Oracle are provided in the classes12.zip file in the Jakarta-tomcat/lib directory.

To use one of these drivers, specify the proper name in the driverName field of the Audit.properties file.

Note: This file is not created, so it cannot be edited until Jakarta-Tomcat is installed and initialized.

The syntax for an Oracle driver in the driverName field of the Audit.properties file is: oracle.jdbc.driver.OracleDriver

For more information about Jakarta-Tomcat, refer to �Installing Jakarta-Tomcat Servlet Engine� on page 68 of this guide.

For more information about the Audit.properties file, refer to �Completing the Apache Web Server Installation for Windows NT� on page 61 of this guide.



October 2001

The JDBC Configuration Wizard

SSM uses a JDBC Configuration Wizard to create and maintain the database connection to SSM; the wizard automatically starts up at the end of the SSM installation process.

Connecting the JDBC driver to the database is an integral part of the pre-installation process. If this connection is not working or fails for any reason, SSM cannot store messages or query table information within the database. The wizard enables you to create a connection to the database using this driver, and saves this information as the new default settings.

Note: If you want to add a different database, download the driver and specify the settings.

The six information fields necessary to create the database connection are:

Connection Name specifies the name of the database connection as it appears in the JDBC Configuration Wizard.

Location of JAR File specifies the location of the database driver on your local drive. This default should not be changed for the Oracle or SQL databases. If you�re adding a new driver for another database, save it in the C:\SSM\lib\db directory.

Name of Driver contains the name of the driver used for the database. The default entry for Oracle and SQL should not be changed. If adding a new driver, look for this information in the driver�s documentation.

JDBC URL specifies the location of the driver. This field must include the following elements: jdbc, the name of the driver, the IP address of the database server, and the SSM database name. For example, the default SQL entry is jdbc:inetdae7:127.0.0.1:1433?database=SSM. Only change the IP address and the name of the database for the default Oracle or SQL settings.

Username specifies the user�s name used to connect to the database. Change the default.

Password specifies the password that corresponds to the user�s name used to connect to the database. Change the default.



October 2001

The JDBC Configuration Wizard saves this information by writing it to the jdbc.dat file. This information appears in each field when the JDBC Configuration Wizard is run.

The default SQL server database information is loaded when the JDBC Configuration Wizard starts. You can change the default database to Oracle, or add another database by adding a new driver and entering the information. Look for this new information in the driver�s documentation. You cannot duplicate database connections using one database driver. Also, any type of native driver can be used.

Note: If you add an Oracle driver on a Windows NT computer, specify the name of the class path and file in the tomcat.bat file in the jarkarta-tomcat/bin folder.

Restart SSM to implement any database changes.



October 2001

Creating the JDBC Database Connection

1. [Windows NT] Select Start > Programs > Spectrum Security Manager > Administration Tools; then select Driver Configuration.

or

[Solaris] Double-click JDBCWizard.bin in the /opt/SSM/classes/ wizards directory.

2. The JDBC Configuration Wizard appears:



October 2001

3. In the Connect to Database field, pick the drop-down list; then select the database you want to connect to. You can select Database name, Default Oracle, Default SQL, or Add New Driver.

4. In the Connection Name field, type the name of the database.

5. If you selected the Default Oracle option:

� In the JDBC URL field, change the IP address to that of the Oracle server and the TCP port number to the port the database is monitoring.

� Do not change the Name of Driver or Location of JAR File fields.

Once this step is complete, go to Step 7.

6. If you selected the Default SQL option:

� In the JDBC URL field, change the IP address to that of the SQL Server. Also, change the name of the database to Generic or the name of the database to which you want to connect.

� Do not change the Name of Driver or Location of JAR File fields.

Once this step is complete, continue with Step 7.

7. If you selected Add New Driver, change the default value of each field in the JDBC Configuration Wizard. The Name of Driver and JDBC URL information should be in the documentation for the new driver.

8. In the Username and Password fields, specify the user�s name and password used to connect to the database.

9. Click Finished.

10. A dialog box appears, notifying you that the changes were successful and that you should restart your system. Click OK to complete the database connection.



October 2001

Removing a Database from the JDBC Configuration Wizard

You can also remove a database connection using the JDBC Configuration Wizard, provided that it is not your default database.

Procedure

1. From the drop-down list, select the database you want to delete.

2. Click Remove. A warning message appears, confirming your request to delete the selected database connection.

3. Click Yes to delete the database.



October 2001

Query Servlet

In this section:

Explaining What the Query Servlet Is [Page 57]

Installing Apache Web Server [Page 58]

Installing Apache for Windows NT [Page 59]

Installing Apache for Solaris [Page 60]

Completing the Apache Web Server Installation for Windows NT [Page 61]

Completing the Apache Web Server Installation for Solaris [Page 62]

Appending the httpd.conf File [Page 63]

Configuring the httpd.conf File for Windows NT [Page 64]

Configuring the httpd.conf File for Solaris [Page 65]

Initializing Apache Web Server [Page 66]

Stopping the Apache Service [Page 67]

Installing Jakarta-Tomcat for Windows NT [Page 68]

Installing Jakarta-Tomcat for Solaris [Page 69]

Starting Jakarta-Tomcat for Windows NT [Page 70]

Starting Jakarta-Tomcat for Solaris [Page 71]

Configuring the Audit.properties File [Page 72]

Configuring the Audit.properties File for MS SQL Server [Page 73]

Configuring the Audit.properties File for Oracle [Page 74]



October 2001

Explaining What the Query Servlet Is

The Query Servlet allows you to query the SSM database using either Internet Explorer or Netscape Navigator. There are a number of ways to query the database. Querying can occur from the local computer, or it can occur from another computer on the network; as the query servlet is designed to allow multiple clients access to an SSM database.

There are five steps that must be performed to initialize the query servlet:

� Install Apache Web Server.

� Complete the Apache installation.

� Install Jakarta-Tomcat.

� Start Jakarta-Tomcat.

� Configure the Audit.properties file.



October 2001

Installing Apache Web Server

Apache Web Server is a general purpose, public-domain Web server. Apache's sophisticated design and excellent performance makes it easy to use and very reliable. Apache is the only Web server that SSM 1.2 supports. It is required to run queries on the SSM database. No other part of SSM uses Apache.

Apache is not required on every computer that sends information to the database; it is only required on the computer that Jakarta-Tomcat will be installed and running on. For more information on querying a database, refer to the SPECTRUM Security Manager (SSM) 1.2 Administrator Guide (9035073).

Note: SSM supports Apache Web Server 1.3.14. It is recommended that you uninstall any other Web servers on your computer before running SSM.



October 2001

Installing Apache for Windows NT

1. On the SSM CD, double-click apache_1_3_14_win32_r2.exe under Query_Engine\ThirdParty\Apache.

2. Read the Welcome screen and click Next to proceed, or click Cancel to exit the Setup program.

3. Once you have read and agreed to the software license agreement, click Yes.

4. The Information screen appears. Click Next. The Installer installs the Apache files.

5. The Choose Destination Location screen appears. The default Destination Folder is: C:\Program Files\Apache Group\Apache.

Note: You can use this default, or click Browse to change the destination to an existing folder. It is recommended that you use the default.

6. Click Next.

7. The Setup Type screen appears. The default option is Typical. Click Next.

8. The Select Program Folder screen appears. The default Program Folder is: Apache. You can use the default, or select another program folder from the Existing Folders list. Click Next.

9. Click Finish to exit the Installer and view the Apache README file.



October 2001

Installing Apache for Solaris

You should have root privileges for this installation.

Procedure

1. Copy the apache_1.3.17-sun4u-sun-solaris2.280.tar.gz file on the SSM CD in the /Query_Engine/ThirdParty/Apache directory.

2. Paste it in the /tmp directory on your hard drive.

3. Unzip the file (i.e., gunzip <filename>).

Note: Once you have unpacked this file, delete it from the /tmp directory.

4. Open a terminal window. From the /tmp directory, type:tar -xvf apache_1.3.17-sun4u-sun-solaris2.280.tar

5. From the /apache_1.3.17 directory, type: ./install-bindist.sh

Apache is now installed in the /user/local/apache directory.



October 2001

Completing the Apache Web Server Installation for Windows NT

You must copy files from the SSM CD to the Apache directory. This allows Apache and Jakarta-Tomcat to work together.

Procedure

1. On the SSM CD, copy the contents of the conf, modules and htdocs folders from the Query_Engine\Itactics\Apache Group\Apache directory. The following table lists the files that must be copied from the SSM CD to the hard drive, and their corresponding directories.

2. Paste the files in the appropriate Apache folders; the default directory is C:\Program Files\Apache Group\Apache.

At this point, you should initialize Apache to verify that it installed properly.

Directory File

conf add_to_httpd.conf

passwd

modules mod_jserv.so

htdocs helper-classes

images

scripts

StartAudit

StartAuditStandalone



October 2001

Completing the Apache Web Server Installation for Solaris

You must copy files from the SSM CD to the Apache directory. This allows Apache and Jakarta-Tomcat to work together. Ensure that only the files and not the entire contents of the folder are copied.

Procedure

1. On the SSM CD, copy the contents of the conf, modules, and htdocs folders from the Query_Engine\Itactics\Apache Group\Apache directory.

The following table lists the files that must be copied from the SSM CD to the hard drive and their corresponding directories:

Paste the files in the appropriate Apache folders (the default directory is: /usr/local/apache/).

Directory File

conf add_to_httpd.conf

htdocs helper-classes

images

scripts



October 2001

Appending the httpd.conf File

Text from the SSM CD must be copied and appended to the httpd.conf file. This new text allows Apache and Jakarta-Tomcat to work together, and it also creates the authentication required for the query servlet.

By default, the secure directory is the Apache root. If you want to use a different directory as the secure directory, the full path must be specified in the httpd.conf file.



October 2001

Configuring the httpd.conf File for Windows NT

1. On your computer, open the add_to_httpd.conf file in a text editor The file is in the C:\Program Files\Apache Group\Apache\conf directory). Copy the contents of the file.

Note: Make sure you copy everything after the ===== line.

2. Paste the contents at the end of the httpd.conf file (located in the same directory).

3. If you want to use a different directory as the secure directory, type the full path after the / in the <Directory /> value; for example <Directory C:\securedirectory>

Note: Do not remove the space between Directory and /.

4. Save and close the httpd.conf file.



October 2001

Configuring the httpd.conf File for Solaris

1. On your computer, open the add_to_httpd.conf file in the /usr/local/apache/conf directory. Copy all of the content after the ===== line in the file.

2. In the /usr/local/apache/conf directory, paste the copied content at the end of the httpd.conf file.

3. If you want to use a different directory as the secure directory, type the full path after the / in the <Directory /> value; for example <Directory C:/securedirectory>

Note: Do not remove the space between Directory and <drive letter:>/.

4. Save and close the httpd.conf file.



October 2001

Initializing Apache Web Server

You must install Jakarta-Tomcat before initializing the Apache Web Server. Complete the procedure on page 68 for Windows NT or page 69 for Solaris; then return to this procedure.

Procedure

1. [Windows NT] Select Start > Programs > Apache Web Server > Apache as a service; then select Start Service.

or

[Solaris] Type /usr/local/Apache/bin. The Start Service console opens. Minimize this window.

2. Open a Web browser.

3. In the Address path box, type http://[Host name]. The following default Web page produced by Apache should appear:

4. Once you have successfully loaded this page, you can close your Web browser.



October 2001

Stopping the Apache Service

[Windows NT] Select Start > Programs > Apache Web Server > Apache as a service; then select Stop Service.

or

[Solaris] Type bin/apachectl stop.

You are now ready to install Jakarta-Tomcat.



October 2001

Installing Jakarta-Tomcat for Windows NT

Jakarta-Tomcat is a servlet engine that provides commercial-quality server solutions based on the Java Platform. Only the Query Servlet requires Jakarta-Tomcat.

Procedure

1. Double-click Jakarta-Tomcat.exe on the SSM CD under Jakarta-Tomcat.

2. Read the Welcome screen; then click Next to proceed

or

Cancel to exit the Installer program.

3. The next screen displays the default Directory name: C:\Jarkarta-Tomcat.

Note: You must have Jakarta-Tomcat in: C:\Jakarta-Tomcat to ensure that Web querying with SSM works properly for Windows NT. If you have another copy of Jakarta-Tomcat located in any other directory on your local drive, SSM will not acknowledge it.

4. A prompt appears indicating that the directory does not exist on your system. Click Yes to create this directory.

5. Click Finish to complete the installation of Jakarta-Tomcat.



October 2001

Installing Jakarta-Tomcat for Solaris

1. In the Jakarta_Tomcat directory on the SSM CD, double-click the jakarta_tomcat.bin file. The installation begins.

2. Read the Welcome screen; then click Next to proceed

or

Cancel to exit the Installer program.

3. This screen displays the default Directory name: /opt/Jakarta-Tomcat.

4. A prompt appears indicating that the directory does not exist on your system. Click Yes to create this directory.

5. Click Finish to complete the installation of Jakarta-Tomcat.

Note: The console window may not close after the installation of Jakarta-Tomcat. It is safe to close this window after clicking Finish.



October 2001

Starting Jakarta-Tomcat for Windows NT

There should be two icons on your desktop from the installation of Jakarta-Tomcat: Start Jakarta-tomcat and Stop Jakarta-tomcat. You must start Jakarta-Tomcat to extract the necessary files for the Web query. The Audit.properties file is not created until you start Jakarta-Tomcat.

1. Double-click the Start Jakarta-tomcat icon so Jakarta-Tomcat can extract certain files to your local drive. A DOS script window appears, showing the extraction process.

2. Double-click the Stop Jakarta-tomcat icon once the following line displays in the active window: Context log: path=”/admin” Adding context path=”/ admin” docBase=”C:\Jakarta-tomcat\webapps\admin”. The DOS script window closes.



October 2001

Starting Jakarta-Tomcat for Solaris

You must start Jakarta-Tomcat to extract the necessary files for the Web query. The Audit.properties file is not created until you start Jakarta-Tomcat.

1. Double-click startup.sh in the /opt/Jarkarta-Tomcat/bin directory so Jakarta-Tomcat can extract certain files to your local drive. A script window appears showing the extraction process.

2. From the /opt/Jarkarta-Tomcat/bin/shutdown.sh directory, type stop once the following line displays in the active window: Context log: path=”/admin” Adding context path=”/admin”. The script window closes.



October 2001

Configuring the Audit.properties File

The Audit.properties file is a text file used by the query servlet. It is generated when Jakarta-Tomcat is started for the first time. You can open this file with the Notepad application.

The file is in:

[Windows NT] C:\Jakarta-tomcat\webapps\audit\Web-inf\classes

or

[Solaris] /opt/Jakarta-Tomcat/webapps/audit/WEB-INF/classes/Audit.properties

Note: The Audit.properties file might be read-only. If this is the case, disable the file�s read-only attribute.

If you want to use a driver that is different from the drivers provided, add the name of the driver to the Audit.properties file.



October 2001

Configuring the Audit.properties File for MS SQL Server

Verify that the following values are correct. Edit the values that do not match the following information.

Procedure

1. In the #Database paragraph:

� The user and password fields for the database match those of the SSM database user�s name and password.

� If you want Apache to forward servlet requests to Jakarta-Tomcat instead of having Jakarta-Tomcat run in standalone mode, type: servletMode=standalone.

Note: The user specified must have db_owner rights on the SSM database.

2. From the JDBC Wizard, set the Connection to Database to Default SQL.

3. Copy the contents of the JDBC URL field and paste it into the dbURL field of the Audit.properties file.

4. Copy the contents of the Name of Driver field and paste it into the driverName field of the Audit.properties file.

5. Save the file.

6. Close Notepad.

You are now ready to test the query servlet.



October 2001

Configuring the Audit.properties File for Oracle

Verify that the following values are correct. Edit the values that do not match the following information:

Procedure

1. In the #Database paragraph:

� The user and password fields for the database match those of the SSM database user�s name and password.

� If you want Apache to forward servlet requests to Jakarta-Tomcat instead of having Jakarta-Tomcat run in standalone mode, type: servletMode=standalone.

2. From the JDBC Wizard, set the Connection to Database to Default Oracle.

3. Copy the contents of the JDBC URL field and paste it into the dbURL field of the Audit.properties file.

4. Copy the contents of the Name of Driver field and paste it into the driverName field of the Audit.properties file.

5. Save the file.

6. Close Notepad.



October 2001

Starting SSM

You are now ready to start SSM. The following procedures outline how to start SSM on the Central Server or on an Event Concentrator.

In this section:

Starting SSM on the Central Server [Page 76]

Starting SSM on an Event Concentrator [Page 77]



October 2001

Starting SSM on the Central Server

For Solaris installations, start with Step 2.

Procedure

1. [Windows NT] Double-click the icon on your desktop.

or

Select Start > Programs > Spectrum Security Manager > Spectrum Security Manager 1.2.

2. [Solaris] In the /opt/SSM directory, double-click SSMStart.bin.

3. The Activation Key dialog box appears:

4. Type your Company Name exactly as it appears in the Customer field of your purchase e-mail sent from the Aprisma Technical Assistance Center (ATAC); see page 2 for contact information.

5. In the Activation Key field, enter the key value you generated on the Aprisma Web site; then click OK.

6. Two windows open: The Java Console and the SSM Central Console.

7. Click the icon to display the SSM console options.



October 2001

Starting SSM on an Event Concentrator

For Solaris installations, start with Step 2.

Procedure

1. [Windows NT] Double-click the icon on your desktop.

or

Select Start > Programs > Spectrum Security Manager > Spectrum Security Manager 1.2.

2. [Solaris] In the /opt/SSM directory, double-click run.bin.

3. The Activation Key dialog box appears:

4. Type your Company Name exactly as it appears in the Customer field of your purchase e-mail sent from the Aprisma Technical Assistance Center (ATAC); see page 2 for contact information.

5. In the Activation Key field, enter the key value you generated on the Aprisma Web site; then click OK.

SSM is now running in the background on the Event Concentrator.

Note: If the Central Server is not receiving events from the Event Concentrator, this could indicate that SSM was not started properly on the Event Concentrator.

You are now ready to establish a connection between the Central Server and the Event Concentrator(s).



October 2001

Configuring the Syncrules Graph

Before you can create and edit rules in SSM, you must initiate a connection between the Central Server and Event Concentrators.

Rules are explained in further detail in the SPECTRUM Security Manager (SSM) 1.2 Administrator Guide (9035073).

In this section:

Establishing a Connection between the Central Server and Event Concentrators [Page 79]

Installing Netscape for Windows NT [Page 82]

Installing Netscape for Solaris [Page 83]



October 2001

Establishing a Connection between the Central Server and Event Concentrators

1. From the SSM Central Console, click Display Rules to access the rule graph domains.

2. In the Visualization window, right-click the syncrules domain; then select In from the shortcut menu.

3. The Syncrules graph appears:

4. Right-click the icon near the bottom of the main window.



October 2001

5. Select Node Attributes. The Node Attributes Setting dialog box appears:

6. Click in the value field that corresponds to the address attribute.

7. Delete the place marker; then type the IP addresses separated by a single space for each of the Event Concentrators on the network as the new values.

Note: Be sure to separate each IP address with only a single space.

8. Click Apply.

9. Click Close.



October 2001

10. Click the save icon on the toolbar.

or

Select File > Save.

Note: Make sure you stay in the default directory: C:\SSM\scripts. Save over cs-syncrules.nsm to ensure the changes you made initialize properly.

11. Close the Visualization window.

12. In the SSM Central Console, click Sync Consolidators.

13. Click ReStart Consolidators.

14. Click Shutdown to close the SSM Central Console and the MS-DOS Command Console.

You are now ready to configure your enterprise with SSM. Refer to the SPECTRUM Security Manager (SSM) 1.2 Normalizer and Agent Configuration Guide (9035088) for full details about additional device configuration procedures.



October 2001

Installing Netscape for Windows NT

You need a Web browser to query the SSM database. If you do not have a Web browser installed on your system, you can install Netscape 4.61 from the SSM CD.

Procedure

1. On the SSM CD, double-click cb32e461.exe under SSM\winnt\netscape.

2. Click Next in the Netscape Communicator 4.61 Setup (Typical) window.

3. Once you�ve read the software license and agreed to it, click Yes.

4. Select the type of setup (either Typical or Custom) in the Setup Type window.

5. In the same window, select the location for the Netscape folder. The default directory is: C:\Program Files\Netscape\Communicator. Use this default.

or


6. Click Next.

7. In the Netscape Desktop Preference Options window, select the preference options you want on your desktop.

8. Click Next.

9. The Select Program Folder window appears. The default program folder is: Netscape Communicator. You can use this default.

or

Select another program folder from the Existing Folders list.

10. Click Next.

11. The Start Copying Files window appears, providing you with a list of current settings. Click Install to begin installing Netscape.

12. A Question dialog box appears toward the end of the installation, asking if you would like to view the README file. Click No.

13. An information dialog box appears indicating the setup is complete. Click OK to complete the Netscape installation.



October 2001

Installing Netscape for Solaris

1. On the SSM CD, copy the navigator-v461-export.sparc-sun-solaris2.5.1.tar.gz file under SSM/sunsparc/netscape to the /tmp directory on your hard drive.

Note: Delete the file from the /tmp directory after it is uppacked.


3. From the /tmp directory, type: tar -xvf navigator-v461-export.sparc-sun-solaris2.5.1.tar

4. At the command line, type: cd /tmp/navigator-v461.sparc-sun-solaris2.5.1

5. At the command line, type: ns-install.

6. At the command line, type SSOLRS/install/INSTALL.

7. Read the software license; then type either accept or decline.

8. Press Enter to accept the default directory (default = /opt/Netscape).

or

Enter a new default directory.

9. If a prompt indicates the directory does not exist, type y to create the directory.



October 2001

Documentation

During the SSM installation, the technical guides are copied to your hard drive. If you do not have Adobe® Acrobat® Reader installed on the Central Server, you cannot view the *.PDF version of this guide, as well as the *.PDF versions of the:

SPECTRUM Security Manager (SSM) 1.2 Installation Guide (9035072),

SPECTRUM Security Manager (SSM) 1.2 Administrator Guide (9035073), and

SPECTRUM Security Manager (SSM) 1.2 Normalizer and Agent Configuration Guide (9035088).

However, Acrobat Reader version 4.05 is provided on the SSM CD.

In this section:

Installing the SSM 1.2 Documentation [Page 85]

Installing Adobe Acrobat Reader for Windows NT [Page 86]

Installing Adobe Acrobat Reader for Solaris [Page 87]



October 2001

Installing the SSM 1.2 Documentation

[Windows NT] Select Start > Programs > Spectrum Security Manager > Documentation > [target document].

or

[Solaris] At a command line, type /opt/Acrobat4/bin ./acroread /opt/SSM/docs/[target document].



October 2001

Installing Adobe Acrobat Reader for Windows NT

1. On the SSM CD, double-click ar500enu.exe under SSM\winnt\adobe).

2. Click Next in the Acrobat Reader 4.05 Setup window.

3. In the Choose Destination Location window, select the location for the Acrobat folder (default directory = C:\Program Files\Adobe\Acrobat 5.0)

4. Click Next.

5. Click OK to complete the Acrobat Reader installation.



October 2001

Installing Adobe Acrobat Reader for Solaris

1. On the SSM CD, copy the sunsparc_rs_405.tar.gz file under SSM/ sunsparc/adobe to the /tmp directory on your hard drive.


3. From the /tmp directory, type: tar -xvf sunsparc-rs-405.tar

4. At the command line, type: cd /tmp/SSOLRS.install

5. At the command line, type: INSTALL

Note: Delete the file from the /tmp directory after unpacking it.

6. Read the software license; then type either accept or decline.

7. Press Enter to accept the default directory (default = /opt/Acrobat4).

or

Enter a new directory.

8. If a prompt indicates that the directory does not exist, type y to create the directory.



October 2001

Removing SSM

SSM 1.2 contains an Uninstall Wizard that uses Java Virtual Machine 1.3.

If you remove SSM without saving the scripts folder, scripts from previous versions of SSM will be lost. Since the scripts folder is the only folder that contains additions or changes you make to the SSM rules, the new installation creates a backup folder within the scripts folder and stores your old files there.

If you have any files other than the scripts that you want to save, save them in a temporary directory before reinstalling; SSM only creates a backup directory for the scripts folder.

In this section:

Removing SSM for Windows NT [Page 89]

Removing SSM for Solaris [Page 90]

Removing the Normalizer Pack for Windows NT [Page 91]

Removing the Normalizer Pack for Solaris [Page 92]



October 2001

Removing SSM for Windows NT

1. Select Start > Settings > Control Panel.

2. Double-click Add/Remove Programs.

3. Select the entry for SSM, according to the name you specified in the installation (default = SSM).

4. Click Next.

5. Confirm the location and program; then click Next.

6. Remove this entry; then click OK.

The uninstall process begins.



October 2001

Removing SSM for Solaris

1. Execute uninstall.bin in the /opt/SSM/_uninst directory.

2. Click Yes to All when prompted to delete a file modified since the installation.

3. Click Finish.

4. Close the console window.



October 2001

Removing the Normalizer Pack for Windows NT

Double-click the np_uninstall.exe file in the default C:\SSM\ _np_uninst directory. The Uninstaller begins.



October 2001

Removing the Normalizer Pack for Solaris

1. Execute the np_uninstall.bin* file in the /opt/SSM/_np_uninst directory. The Uninstaller begins.

2. Close the console window.



October 2001

Index

Aaccessing release notes [29]Acrobat Reader [84]activation keys [17]adding

agents [34]databases [43]normalizers [30]users [46]

Administrator Guide [84]Agents [14]agents

Event2Message [35]installing [34]McAfee [37], [40]

Apacheinitializing [66]installing [58]

audit servlet properties file [50], [61]Audit.properties [14]Audit.properties file [72], [73], [74]

CCentral Server [13], [14], [24], [43], [76]configuring

audit servlet properties file [61], [72]httpd.conf file [63]ODBC connection [50]

connectingCentral Server [78]databases [53]Event Consolidator [78]

creatingkeys [17]Oracle database [49]SQL Server database [45]users [46]users with dbo rights [46]

CyberCop [35]



October 2001

Ddatabase [13]Database Schema Editor [23]databases

configuring [43]integrating [48]removing [55]rights [46]SQL Server [44]SSM [43]

DBO rights [46]deleting

databases [55]normalizers [91]SSM [88]

documentation [29], [84]driver name [50]

EEdit Schema [23]editing

audit servlet file [72]httpd.conf file [63]ODBC connection [50]

Event Concentrator [24]Event Concentrators [14]event concentrators [13]Event Consolidator [24], [43], [77]Event2Message service [35]extraction keys [17]

Ffiles

Audit.properties [72]folders

scripts [21], [88]transferring [61]



October 2001

Ggenerating keys [17]guide

online [84]

Hhardware requirements [11], [12]help [84]

Iinitializing

Apache [66]Jakarta-Tomcat [70], [71]JDBC Configuration Wizard [53]SSM [75], [76], [77]

Installation Guide [84]installing

Acrobat Reader [86]agents [34]Apache [58]Event2Message service [35]Jakarta-Tomcat [58]JVM [25]McAfee agent [37], [40]normalizers [30]SSM [25]

integrationOracle [48]SQL Server [44]

JJakarta-Tomcat [50]

installing [58]Java 2 Virtual Machine

installing [22]JDBC Configuration Wizard [14], [23], [26], [29]

connecting a database [53]removing a database [55]

JDBC driver [51]JVM 1.3 [26]JVM InstallShield [29]



October 2001

Kkey generation [17]

Mmanual

online [84]McAfee agent [37], [40]McAfee Dr. Solomon Netshield [37], [40]

NNormalizer and Agent Configuration Guide [84]Normalizer Pack [14], [30]

removing [33]uninstalling [33]

Normalizers [14]normalizers

installing [30]removing [33]

normalizers and agents [13]NT Eventlog [35]

OODBC connection [50]online

guides [84]help [84]

OracleAudit.properties file [74]creating a database [49]database [43]databases [48]driver name [50]ODBC connection [50]

QQuery Servlet [13], [14]query servlet

Audit.properties file [72]



October 2001

Rrelease notes [29]removing

database [55]normalizers [30]SSM [88]

requirementshardware [11], [12]JVM [25]software [11], [12]

Sscripts [21], [45], [49]servers

SQL [43]web [58], [66]

services [35]servlet

engine [58]Jarkarta-Tomcat [58]

settingaudit servlet file [72]httpd.conf file [65]ODBC connection [50]

Snort [35]software requirements [11], [12]Solaris installation [12], [16], [33], [40], [60], [85], [87], [90]SQL Server

Audit.properties file [73]creating a database [45]creating DBO rights user [46]database [43]

SSMagents [34]databases [43]Event2Message service [35]initializing [75], [76], [77]installing [25]release notes [29]removing [88]starting [75], [76], [77]uninstalling [88]

SSM database [14]starting



October 2001

Apache [66]Jakarta-Tomcat [70], [71]JDBC Configuration Wizard [53]SSM [75], [76], [77]

Ttransferring folders [61]

Uuninstalling

Normalizer Pack [30]SSM [88]

Wweb server

installing [58]starting [66]

Windows NTinstallation [25], [59], [64], [68], [91]

wizardsJDBC Configuration [51]JVM InstallShield [21]SSM InstallShield [21]



October 2001