
Manually Registering ARM with InterScan Web Security Products

The following manual registration procedure must be used:

• To complete the registration of IWSA 3.1-SP1

• For any IWSx devices that are not enabled for remote login

Diagnose any problems first. If remote login cannot be made to work for any reason, disable it in the ARM device information by removing the “root” user ID from the “Host Superuser” field.

Note: For 3.1 devices, an ARM-specific patch is available that provides scripts for manual activation/deactivation and policy data migration. Use the latest patch available at the Trend Micro Update Center.

IWSA also has this patch, though the special login shell may need to be changed to make the scripts available. IWSA can still only be used with ARM through manual activation.

Manual registration limitations:

1. ARM’s manual registration function will not migrate device policies. To migrate IWSx policies, use the migration functionality provided for each device as follows:

• For IWSx 3.1 devices, there is a migration script supplied in the patch (armMigrate.sh).

• For IWSVA 5.x systems, there is a migration script included with the release.

• For IWSVA 5.1 SP1 or later devices, policy migration is not required.

2. After completing manual registration, the registered device’s status in the ARM Web console’s Gateway Devices > Device Registration screen is “Not Activated”.

This is because, without SSH access, ARM has no way to learn of status changes on the device. The device has in fact been activated and should work properly with ARM.

If possible, it is best to fix the problem that prevented the automatic activation and try again.

To troubleshoot automatic activation, you can test the connection to IWSx devices during the Device Registration process:

• If you are using the Registering a Standalone IWSx Server procedure, you can test the connection during Step 3 after you enter the username and password.

• If you are using the Registering an IWSVA HA Pair Member procedure, you can test the connection during Step 4 after you enter the username and password.

Once you have completed the procedures for Registering a Standalone IWSx Server, you must complete the following procedure to fully register IWSx devices. This procedure entails running a shell script from either the application console or a remote SSH session. The set-arm-env.sh shell script, located on the IWSx server, allows redirection of various data relevant to logging, reporting, metrics, and policies to ARM as the designated central management unit. The script is located in the /usr/iwss/ directory for IWSVA 5.x devices, and in the /etc/iscan directory on patched IWSx 3.1 devices.

Note: For any IWSA 3.1-SP1 participants using ARM as a centralized management unit, it is required to run the set-arm-env.sh script on each IWSA server to redirect to ARM as the remote database. The data import for logging, reporting, and dashboards is done individually for separate IWSA entities in the context of creating device groups on ARM.

Logging into the OS shell varies by IWSx type:

• IWSA uses a console text menu to gain access.

• IWSVA uses the CLI interface's privilege mode to gain access to the OS shell through the "admin shell" command.

• IWSS is accessed through the native OS shell.

Log into your IWSx product using the appropriate method before starting the next procedure.

To manually register ARM with the InterScan Web Security product:

1. For IWSVA 5.0 and IWSVA 5.1 devices, export the existing policy data:

a. Run the migration.sh script with the "-E" option and specify the export package path.

The format of the command is:

su - iscan -c "/usr/iwss/migration/migration.sh -E <exportPkgPath> --DBPolicy"

Example:

su - iscan -c "/usr/iwss/migration/migration.sh -E /tmp/MigratePkg.tar --DBPolicy"

b. Verify that the destination directory for the migration tables has read and write permission for the iscan user running the script.

For IWSx 3.1 devices only, export the existing policy data:

a. Run armMigrate.sh -e to export the policy data before activating the device.

The format of the command is:

armMigrate.sh -e <exportPkgPath>

Example:

su - iscan -c "/etc/iscan/armMigrate.sh -e /migratedir/exportedtables.tar.gz"

b. Verify that the destination directory for the migration tables has read and write permission for the iscan user running the script.

Note: exportPkgPath designates the file to be created containing the contents of the Policy tables. This is a gzipped tar file, and the file name ends with .tar.gz.

2. To activate the device, run the set-arm-env.sh script from the application console or remote SSH session. Follow the procedure for the appropriate device as follows:

For activation, the format of the command is:

For IWSx 3.1:

su - iscan -c "/var/iwss/set-arm-env.sh -r psqlparam=<armIpAddress>:<postgresPort>:<armDbName>:<dbUser>:<dbPassword>"

For IWSVA 5.x:

/usr/iwss/set-arm-env.sh -r psqlparam=<armIpAddress>:<postgresPort>:<armDbName>:<dbUser>:<dbPassword>

Where:

armIpAddress is the IP address of ARM

postgresPort is the listening port of the ARM Postgres instance (normally 5432)

armDbName is the name of the ARM database (always cqdb)

dbUser is the Postgres user name (always sa)

dbPassword is the Postgres password. It is not actually used and may be any value; because the whole psqlparam string is passed on the command line, where it is visible in process listings and shell history, supply a placeholder rather than a real password.

Note: Any errors encountered by the scripts are recorded in /etc/iscan/log/arm_register.log and /etc/iscan/log/arm_migration.log. Check these files if problems occur.

3. Verify that the IWSx logtodb service is running.

a. Run ps -ef | grep logtodb and look for an entry similar to the following:

iscan 381 1 0 11:19 ? 00:00:00 /usr/iwss/logtodbd
root 399 340 0 11:20 pts/2 00:00:00 grep logtodb

b. If no logtodbd entry is listed (the example above shows the daemon running; the second line is only the grep command itself), manually restart the process.

i. To start the logtodb process, type: /etc/iscan/S99ISlogtodb start

ii. To stop the logtodb process for any reason, type: /etc/iscan/S99ISlogtodb stop

4. It is a good practice to re-configure the policies now for IWSx servers.

5. Change the metric daemon logging interval in IWSx from 600 seconds to 60 seconds. See Modifying the Metric Daemon Logging Intervals.

6. For IWSVA 5.0 or IWSVA 5.1 devices, use the migration.sh script with the "-I" option and specify the path to the export package created in Step 1:

su - iscan -c "/usr/iwss/migration/migration.sh -I -O <importPkgPath> --DBPolicy"

For IWSx 3.1 devices only, import the existing policy data:

armMigrate.sh -i <importPkgPath>

Where:

importPkgPath designates the existing file containing the Policy table data to load (as created in Step 1).

Note: armMigrate.sh only operates on certain policy-related tables and uses the currently configured database information for the device.

7. After reconfiguring the database, restart the metric management daemon using:

/etc/iscan/S99ISMetricMgmtd stop
/etc/iscan/S99ISMetricMgmtd start

Note: Certain types of dashboards shown in the ARM Web console require the metric daemon to be up and running on IWSx servers before the dashboards will display. Changing this metric allows these reports to display faster.
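The activation and verification steps above (Steps 2 and 3), wrapped in a POSIX shell script for an IWSVA 5.x device run from the admin shell. This is an added example, not a script shipped with IWSx or ARM: the script and log paths are the ones given on this page, while the environment variable names (ARM_ACTIVATE, ARM_IP, ARM_PORT), the psqlparam validation, and the placeholder password value are this example's own choices. The logtodbd check reads ps output from standard input so it can be exercised on captured output without a live device.

```shell
#!/bin/sh
# arm-manual-register.sh (added example; not part of IWSx or ARM)
# Builds and checks the psqlparam string, runs set-arm-env.sh, confirms
# logtodbd is running (starting it if not), and shows the ARM logs on failure.

SET_ARM_ENV=${SET_ARM_ENV:-/usr/iwss/set-arm-env.sh}   # path from this page (IWSVA 5.x)
LOGTODB_INIT=${LOGTODB_INIT:-/etc/iscan/S99ISlogtodb}  # path from this page
ARM_LOG_DIR=${ARM_LOG_DIR:-/etc/iscan/log}             # path from this page

# build_psqlparam ARM_IP [PORT]
# Prints the value for "-r psqlparam=...". Database name and user are fixed
# by ARM (cqdb / sa). The password field is not used by ARM, so a fixed
# placeholder is passed: the string ends up in `ps` output and shell history.
build_psqlparam() {
    ip=$1
    port=${2:-5432}
    case $ip in
        *[!0-9.]*|"") echo "build_psqlparam: bad IPv4 address '$ip'" >&2; return 1 ;;
    esac
    # Four dotted octets, each 0..255
    printf '%s\n' "$ip" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i == "" || $i+0 > 255) exit 1 }' \
        || { echo "build_psqlparam: bad IPv4 address '$ip'" >&2; return 1; }
    case $port in
        *[!0-9]*|"") echo "build_psqlparam: bad port '$port'" >&2; return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] \
        || { echo "build_psqlparam: port '$port' out of range" >&2; return 1; }
    printf '%s:%s:cqdb:sa:unused\n' "$ip" "$port"
}

# logtodb_running < ps-output
# Returns 0 if a logtodbd process is listed. The grep line that the page's
# `ps -ef | grep logtodb` pipeline also prints is ignored.
logtodb_running() {
    grep -v grep | grep -q '/logtodbd'
}

# Step 3: make sure logtodbd is up, starting it via the init script if needed.
ensure_logtodb() {
    if ps -ef | logtodb_running; then
        echo "logtodbd is running"
        return 0
    fi
    echo "logtodbd is not running; starting it"
    "$LOGTODB_INIT" start
    sleep 2
    ps -ef | logtodb_running || { echo "logtodbd failed to start" >&2; return 1; }
}

# activate_device ARM_IP [PORT]
# Step 2: run set-arm-env.sh with a validated psqlparam; on failure, print the
# tail of the two log files this page names, then Step 3.
activate_device() {
    psql=$(build_psqlparam "$1" "$2") || return 1
    if ! "$SET_ARM_ENV" -r "psqlparam=$psql"; then
        echo "set-arm-env.sh failed; last lines of the ARM logs:" >&2
        for f in arm_register.log arm_migration.log; do
            [ -f "$ARM_LOG_DIR/$f" ] && { echo "== $f" >&2; tail -n 20 "$ARM_LOG_DIR/$f" >&2; }
        done
        return 1
    fi
    ensure_logtodb
}

# Only perform the activation when explicitly requested, so the file can also
# be sourced just for its functions (e.g. to validate a psqlparam value).
if [ "${ARM_ACTIVATE:-}" = "yes" ]; then
    activate_device "$ARM_IP" "${ARM_PORT:-5432}"
fi
```

Usage on the device, as root from the IWSVA admin shell: `ARM_ACTIVATE=yes ARM_IP=192.0.2.10 sh arm-manual-register.sh`. For an IWSx 3.1 device the set-arm-env.sh invocation must instead be wrapped in `su - iscan -c "..."` as shown in Step 2, so the example is not used there unmodified.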
