SSIM Database Extension Pack 4.0 for Oracle® on Linux
Installation Guide
The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.
Legal Notice
SYMANTEC PROPRIETARY/CONFIDENTIAL — INTERNAL USE ONLY Copyright © 2005 Symantec Corporation.
Contents

Chapter 1  Planning for installation
    About the SSIM Database Extension Pack 4.0 for Oracle on Linux ... 5
    Installation requirements ... 6
    Installation prerequisites ... 7

Chapter 2  Installing and configuring the database
    About the installation files ... 9
    Installation checklist ... 9
    Installing the JDK ... 10
    Installing the database ... 10
        Running the sesa-setup RPM ... 11
        Creating the database ... 11
        Installing the schema ... 15
    Configuring Oracle as the primary database for Information Manager ... 16

Appendix A  Purging data
    About the DMU purge tool ... 17
    Using the GUI-based DMU utility to delete partitions ... 18
    Using the DMU command-line tool to delete partitions ... 18
    Automating partition purges ... 20
        Example 1 ... 20
        Example 2 ... 21
Planning for installation
This chapter includes the following topics:
■ About the SSIM Database Extension Pack 4.0 for Oracle on Linux
■ Installation requirements
■ Installation prerequisites
About the SSIM Database Extension Pack 4.0 for Oracle on Linux
The SSIM Database Extension Pack 4.0 for Oracle® on Linux enables Symantec™ Security Information Manager (Information Manager) customers to store event and incident data in an Oracle database that is installed on a separate server. It is designed for large enterprises with high volumes of security information. By storing Information Manager data on an Oracle database server, instead of on the Information Manager appliance, customers can do the following:
■ Maximize the ability to receive and process high volumes of security information.
■ Store up to 20 terabytes of security event data.
■ Increase security event throughput.
■ Archive data to meet regulatory compliance requirements.
■ Utilize existing Oracle expertise in their organization.
Note: SSIM Database Extension Pack 4.0 for Oracle on Linux is an advanced solution that requires extensive Oracle knowledge and experience. It is recommended that an Oracle Database Administrator (Oracle DBA) be responsible for deploying and maintaining the solution. In addition, Symantec Consulting Services should be leveraged for the initial deployment.
Installation requirements
To install the SSIM Database Extension Pack 4.0 for Oracle on Linux, the Oracle database server must meet the following requirements:

Operating system: Red Hat® Enterprise Linux 3, release 4; 32-bit; updated with the latest patches from Red Hat.

Oracle: 32-bit Oracle, version 10.1.0.4, updated with the latest patches from Oracle, and with Index Range Partitioning enabled. Ensure that you have installed the October 2005 Oracle Critical Patch Update. This patch addresses security issues with Oracle. For more information, see the Oracle Web site.

Hardware: Dell 6650 server, or the equivalent: dual processors, 8 GB RAM.

Storage: Storage Area Network (SAN) or Network Attached Storage (NAS), Class 1 storage (such as Symmetrix DMX 3000).

Disk layout: RAID 1+0 array consisting of 14 disks, each disk 133 GB. 13 disks are used for data storage and parity; one disk is used for backup:
■ Volume 1 (> 400 GB) holds base event tables and other event table indexes.
■ Volume 2 (> 200 GB) holds base event table indexes, user definition tables, and cache tables.
■ Volume 3 (> 1000 GB) holds other event tables.
■ Volume 4 (> 150 GB) holds log and tempdb.
■ Volume 5 (> 100 GB) holds OS and software installations.

Note: Symantec does not make available for sale or resale any Oracle product, including Oracle database software. You must purchase the Oracle database software and the Oracle Index Range Partitioning license separately.
Installation prerequisites
Before you install the SSIM Database Extension Pack 4.0 for Oracle on Linux, ensure that the following prerequisites have been met:
■ Symantec Security Information Manager 4.0.1 is installed and configured. If Symantec Security Information Manager 4.0 is already installed, the 4.0.1 service pack should be applied. If not, Symantec Security Information Manager 4.0.1 should be installed and configured.
■ The Oracle server meets operating system, hardware, and storage requirements.
■ The RAID system is configured for the Oracle server.
■ A supported version of Oracle is installed on the server.
■ Oracle Index Range Partitioning is enabled on the Oracle server.
Index Range Partitioning requires a license, which must be purchased from Oracle.
■ The startup database is not installed on the Oracle server.
Do not select the option to create a database when you install Oracle. Use the scripts that are provided in the database extension pack to create a database that is properly configured for use with Information Manager.
■ The Oracle server can communicate with the Information Manager appliance over a network.
The Oracle database and the Information Manager appliance communicate over normal unencrypted SQL*Net. Therefore, this connection should be on a private network. Access to the Oracle server should be available only to authorized users through a firewall.
■ All required connection and authentication information is available during the installation and configuration process.
Table 1-1 lists the connection information that is needed during installation.

Table 1-1 Connection and authentication information required for installation

IP address of the appliance: If your installation includes multiple Information Manager appliances, this should be the appliance on which the directory service is configured.

LDAP listening port on the appliance: The default port number is 636.

LDAP account name and password: The LDAP directory administrator account, as configured on the appliance.

Domain name: The administrative domain, as configured on the appliance.

Database account name and password: The administrator account for the Information Manager database on the Oracle server. The default database account name is symcmgmt.
Installing and configuring the database
This chapter includes the following topics:
■ About the installation files
■ Installation checklist
■ Installing the JDK
■ Installing the database
■ Configuring Oracle as the primary database for Information Manager
About the installation files
The SSIM Database Extension Pack 4.0 for Oracle on Linux includes the following components:
■ sesa-jdk-1.5.0_04-1.i686.rpm
This file includes the Java Development Kit (JDK) that is required for the installation.
■ sesa-setup-2.5-ds25_only_<n>.i686.rpm
In the file name, <n> represents the build number. This file includes the installation script.
Installation checklist
To install the SSIM Database Extension Pack 4.0 for Oracle on Linux, you must perform the following tasks:
1. Ensure that all prerequisites have been met. See "Installation prerequisites" on page 7.
2. Install the Java Development Kit (JDK). See "Installing the JDK" on page 10.
3. Create the database and apply the schema. See "Installing the database" on page 10.
4. Configure Oracle as the primary database for Information Manager. See "Configuring Oracle as the primary database for Information Manager" on page 16.
Installing the JDK
Before you run the database setup program, you must install the JDK that is included in the database extension pack.
To install the JDK
1. Copy the following RPM files to the Oracle server:
   ■ sesa-jdk-1.5.0_04-1.i686.rpm
   ■ sesa-setup-2.5-ds25_only_<n>.i686.rpm
2. To install the JDK, type the following command (the file name matches the RPM listed in "About the installation files"):
   rpm -ivh sesa-jdk-1.5.0_04-1.i686.rpm
Installing the database
To install and configure the database, you do the following:
■ Run the sesa-setup RPM file that you previously copied to the Oracle server. See "Running the sesa-setup RPM" on page 11.
■ Create the Information Manager database. See "Creating the database" on page 11.
■ Install the appropriate schema to the database, and configure it with the necessary information to communicate with the Information Manager appliance. See "Installing the schema" on page 15.
Running the sesa-setup RPM
Before you can create and configure the database, you must run the RPM file that installs the database installation script and related files. This is one of the two RPM files that you copied to the Oracle server before you installed the JDK. See "Installing the JDK" on page 10.
To run the sesa-setup RPM
◆ Type the following command:
rpm -ivh sesa-setup-2.5-ds25_only_<n>.i686.rpm --nodeps
In the command, replace <n> with the actual build number in the RPM filename.
Creating the database
To create the database, you run a shell script called create.sh. Before you run create.sh, you should edit the create.sh file to set certain parameters. For example, you should change the default values of variables that specify the database name and the default location of the data files in the Oracle database.
See "About create.sh" on page 11. See "Editing create.sh" on page 12. See "Running create.sh" on page 13. See "About running create.sql manually" on page 14.
About create.sh
The create.sh script creates the database configuration files and the SQL script that is run to create the database.
Table 2-1 lists and describes the files that are created by create.sh.

Table 2-1 Files created by create.sh

create.sql: A SQL script that is used to create the <DBNAME> database.

init<DBNAME>.ora: The configuration file that contains all of the initialization parameters for the <DBNAME> database.

listener.ora: The configuration file for the Oracle listener that makes the database available over the network to the Manager and other clients.

tnsnames.ora: A sample tnsnames file that can be used by Oracle clients, such as SQL*Plus, to connect remotely.

recreate.sql: An SQL script that can be run manually to drop and recreate the SYMCMGMT database user, without having to drop and recreate the entire database.

The create.sh script includes a number of variables that define the database name, Oracle version, data file path, and more. You should edit create.sh to set these variables as appropriate for your installation.
See "Editing create.sh" on page 12.
Editing create.sh
In the create.sh file, the parameters that are most commonly changed are presented at the beginning of the file as variables with default values that can be edited. You should review the contents of the file before you run it. At minimum, you should set the appropriate values for the DBVERSION and ORACLE_HOME variables.
Note: If you edit a path name prefix in create.sh, ensure that the directory path that you specify actually exists.
By default, the SQL database creation script, which is called create.sql, is run automatically by create.sh. If you are an experienced user, you may want to change the RUN_SCRIPTS value to false, so that the create.sql file is not run automatically. You can then edit create.sql before you run it to create a configuration that takes full advantage of your hardware.
Table 2-2 lists the most commonly edited variables in the create.sh file. For a complete list of these variables and their default values, review the contents of the file.

Table 2-2 Commonly edited parameters in create.sh

RUN_SCRIPTS (default: true): Set to false if you do not want create.sh to both generate and run the database creation script, which is called create.sql. You are then responsible for running create.sql manually.

DBVERSION (default: 10.1.0): This variable is referenced in the ORACLE_HOME path.

ORACLE_HOME (default: /u01/app/oracle/product/$DBVERSION/Db_1): Set this to match the ORACLE_HOME path that was used when installing Oracle.

JAVA (default: "$ORACLE_HOME/jdk/bin/java -cp ."; this is a Solaris example): Set to the location of the Java executable that is installed and used by Oracle. Unless the version of Java that is used by Oracle is installed to a non-default path, you do not need to change this.

DBNAME (default: SESA): Set to the name you want to use for the database instance.

SGA_TARGET (default: 1600M): Increase as necessary to take full advantage of your hardware.
Running create.sh
Once you have edited create.sh, you can run it to generate the database configuration files and to generate and run the database creation script, create.sql. Unless you have set RUN_SCRIPTS to false in the create.sh file, create.sql is run automatically.
To run create.sh
1. To give Oracle ownership of the installation files, in a shell, as superuser, type the following:
   chown -R oracle:oinstall /var/lib/Symantec/Files/Sql/Oracle/install
2. Edit the following shell script as necessary:
   /var/lib/Symantec/Files/Sql/Oracle/install/create.sh
   See "Editing create.sh" on page 12.
3. Ensure that the following command has been run:
   /u01/app/oracle/product/10.1.0/Db_1/root.sh
4. Log on as the oracle user, change to the local directory that contains the edited copy of create.sh, and then type:
   sh create.sh
   By default, the database creation files are generated, and create.sql is run immediately to create a database.
5. When prompted, type the passwords to use for the following user accounts:
   SYMCMGMT: Information Manager administrative account for the new database.
   SYSTEM: Oracle privileged administrative account for the new database.
   SYS: Oracle administrative account for the new database.
   If you set RUN_SCRIPTS to false in create.sh, you will not be asked to provide these passwords. Instead, when the create.sh operation is completed, you must run create.sql manually.
   See "About running create.sql manually" on page 14.
About running create.sql manually
If you set RUN_SCRIPTS to false in the create.sh file, the create.sql script will not be run automatically.
If you run create.sql manually, you will not be prompted to create passwords for SYMCMGMT, SYSTEM, and SYS, as you are when create.sh runs create.sql automatically. Instead, the placeholder value for SYMCMGMT in the create.sql script, which is password, will be used for the new database. For SYSTEM and SYS, the Oracle default values will be used.
Before you run create.sql, you can replace the value with the actual password you want to use. If you do so, however, you must re-edit the file immediately after running it to ensure that this unencrypted file is not stored with the actual password. Alternatively, you can use the default SYMCMGMT password when you create the database, and then immediately change the passwords for all three user accounts in Oracle, either from the SQL*Plus command line or in the Oracle Enterprise Manager.
Installing the schema
Once you have created the database, you need to install the appropriate schema for Information Manager. The installation script is called sesa-setup and it is installed to /usr/sbin.
The sesa-setup command takes the following parameters:

--datastore: The type of component to install.
--device <device-name>: The name of the device, such as eth0.
--ldap-ip <IP-address>: The IP address of the LDAP directory. This should be the IP address of the Information Manager appliance. If your deployment includes multiple appliances, use the IP address of the appliance that is configured for directory service.
--ldap-domain <domain-name>: The domain that is configured on the appliance.
--ldap-port <port-number>: The port number on which the LDAP directory listens. By default, the port number is 636.
--ldap-user <user-name>: The name of the account that has administrator privileges to the LDAP directory.
--ldap-pass <password>: The password for the LDAP user account.
--oracle-db: The type of database.
--db-instance-name <instance-name>: The name of the database. This parameter is optional unless you change the default value of DBNAME when you edit the create.sh script. The default name is SESA.
--no-raw: Disallows the storage of binary data in RAW format.
--db-user symcmgmt: The name of the Information Manager administrative account for the database.
--db-pass <password>: The password for the symcmgmt account.
To install the schema
◆ To run the installation script, type the following command:
/usr/sbin/sesa-setup --datastore --device <device-name> --ldap-ip <IP-address> --ldap-domain <domain-name> --ldap-port <port-number> --ldap-user <user-name> --ldap-pass <password> --oracle-db --db-instance-name <instance-name> --no-raw --db-user symcmgmt --db-pass <password>
Replace the variable values, such as <domain-name>, with the actual values for your installation.
Configuring Oracle as the primary database for Information Manager
You configure Information Manager to use the Oracle database in the Information Manager Console.
To configure Oracle as the primary database for Information Manager
1. In the Information Manager Console, press F4 to access the Configurations Viewer.
2. In the left pane of the Configurations Viewer, expand SESA 2.5 > ManagerConnection Configurations, and then click Default.
3. In the right pane, on the SESA DataStore Failover tab, from the Primary DataStore drop-down list, select the Oracle database, and then click Save.
4. To distribute the configuration, on the toolbar, click Distribute.
Purging data
This appendix includes the following topics:
■ About the DMU purge tool
■ Using the GUI-based DMU utility to delete partitions
■ Using the DMU command-line tool to delete partitions
■ Automating partition purges
About the DMU purge tool
The SSIM Database Extension Pack 4.0 for Oracle on Linux installs a Database Maintenance Utility (DMU) on the Oracle server.
The DMU deletes inactive partitions from the database. Just as database partitioning improves the speed of event insertion and report generation, partition-based purging of data is faster and more efficient in high-volume environments.
Partitions are created at regular intervals, and events are stored in a partition based on the event time. Deleting the oldest partition avoids the overhead associated with issuing complex queries to the database, and ensures that the oldest data is purged first.
A consecutive range of partitions can be deleted, from the oldest inactive partition up to a specified inactive partition. The active partition is never deleted.
The same tablespace is never used by two different partitions. When a partition is deleted, all tablespaces that are associated with the partition are also deleted. You can use a simple, GUI-based DMU utility to purge partitions, or you can use the DMU command-line tool. The command-line option is applicable when you want to automate the purge process, and when the Oracle server does not have a graphical desktop interface.
Note: The DMU requires you to provide the necessary credentials to authenticate to the manager on the Information Manager appliance. The network environment must enable the DMU to contact the manager.
Using the GUI-based DMU utility to delete partitions
The GUI-based DMU utility is located in the following path: /opt/Symantec/sesa/DMU/sesadmu.sh
To use the GUI-based DMU utility to delete partitions
1. To launch the DMU, on the Oracle server, in a shell, type the following:
   /opt/Symantec/sesa/DMU/sesadmu.sh
2. In the Logon panel, provide the following information:
   Name: The Information Manager Administrator account.
   Password: Password for the logon account.
   Domain: Name of the administrative domain. This field is optional.
   SESA Manager IP/Hostname: Host name or IP address of the Information Manager appliance.
3. In the Database Operation Selection panel, select the database from the drop-down list.
4. In the Partition Purge panel, select one or more inactive partitions, starting with the oldest. The oldest partition is located at the top of the list. At minimum, the oldest partition must be selected. All selected partitions must be in a single, continuous range. The active partition cannot be selected.
5. To delete the selected partitions, click Execute.

Using the DMU command-line tool to delete partitions
The DMU command-line tool is located in the following directory path: /opt/Symantec/sesa/DMU/sesadmucmd.sh
You can use sesadmucmd.sh to perform the following operations, which are performed consecutively in the order listed:
■ List Databases
Lists all databases that are managed by a specified Manager. The name of the database and the name of the database host are listed.
■ Partition List
Lists all partitions for a specified database on a specified host. The partition name is in the form PRT_<n>.
■ Partition Purge
Purges the specified partition. The partition is deleted, along with any older partitions that may exist. Partitions are purged in order, from oldest to newest.

The sesadmucmd.sh command has the following syntax:

List Databases operation:
sesadmucmd.sh --user <admin-name> --password <admin-pass> --managerHost <hostname-or-IP> --operation "List Databases"

Partition List operation:
sesadmucmd.sh --user <admin-name> --password <admin-pass> --managerHost <hostname-or-IP> --databaseHost <hostname> --databaseName <db-name> --operation "Partition List"

Partition Purge operation:
sesadmucmd.sh --user <admin-name> --password <admin-pass> --managerHost <hostname-or-IP> --databaseHost <hostname> --databaseName <db-name> --purgeToPartition <partition-name> --operation "Partition Purge"
The sesadmucmd.sh command takes the following parameters:
--user <admin-name>: The Information Manager Administrator account. Required.
--password <admin-pass>: Password for the logon account. Required.
--domain <domain-name>: Name of the administrative domain. Optional.
--managerHost <hostname-or-IP>: Host name or IP address of the Information Manager appliance. Required.
--operation ["List Databases" | "Partition List" | "Partition Purge"]: Type of operation to perform. Use one of the three options that are specified. Required.
--databaseHost <hostname>: Host name of the database computer, as specified by the output of the "List Databases" operation. Required with --operation "Partition List" and --operation "Partition Purge".
--databaseName <db-name>: Name of the database, as specified by the output of the "List Databases" operation. Required with --operation "Partition List" and --operation "Partition Purge".
--purgeToPartition <partition-name>: Name of the partition to purge, as specified by the output of the "Partition List" operation. Required with --operation "Partition Purge".
Automating partition purges
You can automate the deletion of partitions. In a shell script, the value that is passed to the sesadmucmd.sh --purgeToPartition parameter can be determined in more than one way: Example 1 keeps a counter in a file and increments it on each run, and Example 2 reads the oldest partition name from the output of the "Partition List" operation.
Note: To automate the partition purge process, you must store the Information Manager Administrator password in the script file. Be sure to store the file securely.
Example 1
#!/bin/sh
# run the command line version of the DMU
# set the java command
PARTITION_PREFIX=PRT_
PARTITION=1
FILE=partition.txt
USER=administrator   # logon account; not set in the original listing, added to match Example 2
PASSWORD=password
MANAGER=10.1.1.1
DATABASE_HOST=testmachine
DATABASE_NAME=SESA
# see if the file with the next partition to remove exists
if [ -e $FILE ]
then
    if [ -r $FILE -a -w $FILE ]
    then
        PARTITION=$(cat $FILE)
    else
        echo "$FILE must be writable and readable by current process."
        exit 1
    fi
else
    echo $PARTITION > $FILE
fi
echo "Deleting up to partition->$PARTITION_PREFIX$PARTITION"
./sesadmucmd.sh -user $USER -password $PASSWORD -managerHost $MANAGER -databaseHost $DATABASE_HOST -databaseName $DATABASE_NAME -operation "Partition Purge" -purgeToPartition $PARTITION_PREFIX$PARTITION
# record the partition number for the next run
PARTITION=$((PARTITION + 1))
echo $PARTITION > $FILE
Example 2
#!/bin/sh
# run the command line version of the DMU
# set the java command
PARTITION_PREFIX=PRT_
USER=administrator
PASSWORD=password
MANAGER=10.1.1.1
DATABASE_HOST=testmachine
DATABASE_NAME=SESA
PARTITION=
FILE=partitions.txt
# write the current partition list to the file
./sesadmucmd.sh -user $USER -password $PASSWORD -managerHost $MANAGER -databaseHost $DATABASE_HOST -databaseName $DATABASE_NAME -operation "Partition List" > $FILE
# see if the file with the partition list exists and read the oldest partition number from it
if [ -e $FILE ]
then
    if [ -r $FILE ]
    then
        PARTITION=$(grep $PARTITION_PREFIX $FILE | cut -f2 -d'_' | head -1)
    else
        echo "$FILE must be readable by current process."
        exit 1
    fi
else
    echo "$FILE was not created."
    exit 1
fi
# never call the purge with an empty partition name
if [ -z "$PARTITION" ]
then
    echo "No $PARTITION_PREFIX partition found in $FILE."
    exit 1
fi
echo "Deleting up to partition->$PARTITION_PREFIX$PARTITION"
./sesadmucmd.sh -user $USER -password $PASSWORD -managerHost $MANAGER -databaseHost $DATABASE_HOST -databaseName $DATABASE_NAME -operation "Partition Purge" -purgeToPartition $PARTITION_PREFIX$PARTITION
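Both examples above keep the Information Manager Administrator password in the script body, and Example 2 passes whatever grep finds first straight to --purgeToPartition. The following wrapper is an added example, not part of the Symantec guide or the DMU, showing one way to automate the same purge while keeping the password in a separate mode-0600 file, preserving a retention window of the newest partitions, and validating the partition name against the documented PRT_<n> form before it reaches the sesadmucmd.sh command line. The credential file path /etc/sesa/dmu.cred and its KEY=VALUE format, the KEEP retention count, and the sample "Partition List" output (constructed; the guide does not show the real output layout) are all assumptions; the option names are the double-dash forms from the syntax section above.

```shell
#!/bin/sh
# Added example (not from the Symantec guide): scheduled-purge wrapper for sesadmucmd.sh.
# Assumed, not documented: CRED_FILE path and KEY=VALUE format, KEEP, and the sample list output.

DMU_DIR=${DMU_DIR:-/opt/Symantec/sesa/DMU}
CRED_FILE=${CRED_FILE:-/etc/sesa/dmu.cred}   # assumed path; owned by the oracle user, mode 0600
KEEP=${KEEP:-2}                               # newest partitions that are never purged

# Refuse a credential file that group or others can read.
check_cred_perms() {
    mode=$(stat -c %a "$1" 2>/dev/null) || return 1
    case "$mode" in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}

# Read one KEY=VALUE entry instead of sourcing the file, so a tampered
# credential file cannot inject commands into this script.
cred_value() {
    sed -n "s/^$1=//p" "$CRED_FILE" | head -n 1
}

# Accept only names of the documented PRT_<n> form.
is_partition_name() {
    printf '%s\n' "$1" | grep -Eq '^PRT_[0-9]+$'
}

# Extract partition names from "Partition List" output on stdin, oldest first
# (numeric order on <n>, so PRT_10 sorts after PRT_9).
partitions_in_order() {
    grep -o 'PRT_[0-9][0-9]*' | sort -t_ -k2,2n
}

# Print the name to pass to --purgeToPartition so that the newest $1 partitions
# survive; the purge also removes everything older than the named partition.
# Returns 1 when there are not enough partitions to purge anything.
purge_target() {
    keep=$1
    list=$(partitions_in_order)
    total=$(printf '%s\n' "$list" | grep -c 'PRT_' || true)
    n=$((total - keep))
    [ "$n" -gt 0 ] || return 1
    printf '%s\n' "$list" | sed -n "${n}p"
}

# Constructed sample output for stand-alone runs; the real format is not shown in the guide.
sample_partition_list() {
    cat <<'EOF'
Partitions for SESA on dbhost
PRT_1
PRT_2
PRT_3
PRT_10
PRT_11
EOF
}

run_purge() {
    check_cred_perms "$CRED_FILE" || { echo "$CRED_FILE must exist with mode 0600" >&2; return 1; }
    user=$(cred_value ADMIN_USER); pass=$(cred_value ADMIN_PASS); manager=$(cred_value MANAGER)
    dbhost=$(cred_value DATABASE_HOST); dbname=$(cred_value DATABASE_NAME)
    list=$("$DMU_DIR/sesadmucmd.sh" --user "$user" --password "$pass" --managerHost "$manager" \
        --databaseHost "$dbhost" --databaseName "$dbname" --operation "Partition List") \
        || { echo "Partition List failed; nothing purged" >&2; return 1; }
    target=$(printf '%s\n' "$list" | purge_target "$KEEP") \
        || { echo "fewer than $KEEP inactive partitions; nothing purged"; return 0; }
    is_partition_name "$target" || { echo "unexpected partition name: $target" >&2; return 1; }
    echo "Purging up to $target"
    "$DMU_DIR/sesadmucmd.sh" --user "$user" --password "$pass" --managerHost "$manager" \
        --databaseHost "$dbhost" --databaseName "$dbname" \
        --purgeToPartition "$target" --operation "Partition Purge"
}

# "run" performs the purge; "demo" prints the target chosen for the sample; no argument only defines functions.
case "${1:-}" in
    run)  run_purge ;;
    demo) sample_partition_list | purge_target "$KEEP" ;;
esac
```

Run it from cron under the oracle account as sh purge-wrapper.sh run. With the constructed sample and KEEP=2, demo prints PRT_3, which removes PRT_1 through PRT_3 and leaves the two newest. The password still reaches sesadmucmd.sh as a command-line argument, so it is visible in the process list for the duration of each call; the wrapper limits exposure at rest, not on the host while the command runs.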