Click here to load reader

ArcSight ESM Installation and Configuration Guide · 2017-11-15 · WhentheCORR-Engineisfilledtocapacity,asneweventscomein,theManagerstartsdeleting existingeventsstartingfromtheoldestevent

  • View
    4

  • Download
    0

Embed Size (px)

Text of ArcSight ESM Installation and Configuration Guide · 2017-11-15 ·...

  • HP ArcSight ESMSoftware Version: 6.8c

    Installation and Configuration Guide

    January 29, 2015

  • Legal Notices

    WarrantyThe onlywarranties for HP products and servicesare set forth in the expresswarranty statements accompanying such productsand services. Nothing herein should be construed as constituting an additionalwarranty. HP shall not be liable for technical oreditorial errors or omissions contained herein.

    The information contained herein is subject to change without notice.

    The network information used in the examples in this document (including IP addressesand hostnames) is for illustrationpurposesonly.

    HPArcSight products are highly flexible and function as you configure them. The accessibility, integrity, and confidentiality ofyour data is your responsibility. Implement a comprehensive security strategyand follow good security practices.

    This document is confidential.

    Restricted Rights LegendConfidential computer software. Valid license fromHP required for possession, use or copying. Consistent with FAR 12.211and 12.212, CommercialComputer Software, Computer Software Documentation, and TechnicalData for Commercial Itemsare licensed to the U.S. Government under vendor's standard commercial license.

    Copyright Notice©Copyright 2015 Hewlett-Packard Development Company, L.P.

    Follow this link to see a complete statement of copyrights and acknowledgements:http://www.hpenterprisesecurity.com/copyright

    Support

    Phone A list of phone numbers is available on the HPArcSight TechnicalSupportPage: https://softwaresupport.hp.com/documents/10180/14684/esp-support-contact-list

    Support Web Site https://softwaresupport.hp.com

    Protect 724 Community https://protect724.hp.com

    Contact Information

    HP ESM (6.8c) Page 2 of 79

    http://www.hpenterprisesecurity.com/copyrighthttps://softwaresupport.hp.com/documents/10180/14684/esp-support-contact-listhttps://softwaresupport.hp.com/documents/10180/14684/esp-support-contact-listhttps://softwaresupport.hp.com/https://protect724.hp.com/welcome

  • Contents

    Chapter 1: What Is ESMWith CORR-Engine Storage? 7

    ESMComponents 7ArcSight Manager 7CORR-Engine 8ArcSight CommandCenter 8ArcSight Console 8SmartConnectors 8ArcSight Web 8

    Deployment Overview 9

    ESMCommunication Overview 9Effect on CommunicationWhenComponents Fail 9Using PKCS #11 10Import Control Issues 10

    Directory Structure for ESM Installation 11

    References to ARCSIGHT_HOME 11

    Securing Your ESM System 11Protecting ArcSight Manager 11ArcSightBuilt-In Security 13Physical Security for the Hardware 13Operating System Security 14General Guidelines and Policies about Security 15

    Chapter 2: Installing ESM 16

    System Requirements 16Supported Platforms 16

    Before you Install ESM 17Keep these TCP Ports Open 17Install Time Zone Package 18

    Preparing to Install 19Set the /tmp Directory Size 19Sizing Guidelines for CORR-Engine 19Create User arcsight 21Create /opt/arcsight Directory 22Increase User Process Limit 22

    HP ESM (6.8c) Page 3 of 79

  • Untar the tar File 23

    Running the Installation File 23Rerunning The Suite Installer 25Running the ConfigurationWizard In ConsoleMode 25Configuring ESM 25

    Handling a Time Zone Update Error 28Changing theManager Heap Size 28Rerunning the ESMConfigurationWizard 29

    Rerunning the ESMConfigurationWizard 29

    Uninstalling ESM 29

    Setting Up ESMReports to Display in a Non-English Environment 30On theManager 30On the Console 31

    Improving the Performance of Your Server 32

    The Next Steps 32

    Chapter 3: Installing ArcSight Console 33

    Console Supported Platforms 33

    Required Libraries for RHEL and CentOS (64 Bit) 33

    Using PKCS 34

    Installing the Console 34Configuring the ArcSight Console 36Importing the Console’s Certificate into the Browser 42Character Set Encoding 43

    Starting the ArcSight Console 43Logging into the Console 45

    Reconnecting to the ArcSight Manager 45

    Reconfiguring the ArcSight Console 45

    Uninstalling the ArcSight Console 45

    Appendix A: Troubleshooting 47

    Location of Log Files for Components 47

    If You Encounter an Unsuccessful Installation 49

    Customizing ESMComponents Further 50ArcSight Manager 50ArcSight Web 50

    Installation and Configuration Guide

    HP ESM (6.8c) Page 4 of 79

  • Fatal Error when Running the First Boot Wizard 51

    Changing the Hostname of Your Machine 51

    Changing the Host Name of theMachine after Running the First Boot Wizard 53

    Appendix B: Default Settings For Components 56

    General Settings 56

    CORR-Engine Settings 56

    Manager Settings 56

    ArcSight Web Settings 58

    Using PKCS 59

    PKCS#11 59

    PKCS#11 Token Support in ESM 59

    PKCS#12 60

    Setting Up to Use a CAC Card 60Install the CAC Provider’s Software 60Map a User’s External ID to the CAC’s Subject CN 61Obtain the CAC’s Issuers’ Certificate 63Extract the Root CA Certificate From the CAC Certificate 64Import the CAC Root CA Certificate into the ArcSight Manager 66Select Authentication Option in ArcSight Console Setup 67Logging in to the ArcSight Console Using CAC 69

    Logging in to ArcSight CommandCenter Using CAC 69

    Appendix C: Locales and Encodings 70

    Terminology 70Character Set 70Code Point 70Code Set 70Encoding 70Internationalization 70Locale 71Localization 71Unicode 71UTF-8 71

    Before you Install a Localized Version of ArcSight ESM 71

    ArcSight Console andManager 71

    Installation and Configuration Guide

    HP ESM (6.8c) Page 5 of 79

  • ArcSight SmartConnectors 72Setting the Encoding for Selected SmartConnectors 72Localizing Date Formats in Tokens andOperations 72agent.parser.locale.name Values 72Key-Value Parsers for Localized Devices 78

    Send Documentation Feedback 79

    Installation and Configuration Guide

    HP ESM (6.8c) Page 6 of 79

  • Chapter 1: What Is ESM With CORR-EngineStorage?ESM is a Security Information and Event Management (SIEM) solution that collects and analyzessecurity data from heterogeneous devices on your network and provides you a central, real-time view ofthe security status of all devices of interest to you.

    ESM components gather and store events generated by the devices you identify. These events arefiltered and correlated with events from other devices or collection points to discover risks and assessvulnerabilities.

    ESM uses the Correlation Optimized Retention and Retrieval Engine (CORR-Engine) storage, aproprietary data storage and retrieval framework that receives and processes events at high rates, andperforms high-speed searches. This provides a number of benefits, including increased performance,ease of management, and use of less disk space.

    ESM ComponentsThe ESM system comprises the following components:

    l "ArcSight Manager" below

    l "CORR-Engine" on the next page (Correlation Optimized Retention and Retrieval Engine)

    l "ArcSight CommandCenter" on the next page

    l "ArcSight Console" on the next page

    l "SmartConnectors" on the next page

    l "ArcSight Web" on the next page

    ArcSight ManagerThe ArcSight Manager is at the center of the ESM system. TheManager is a software component thatfunctions as a server that receives event data from Connectors and correlates and stores them in thedatabase. TheManager also provides advanced correlation and reporting capabilities. TheManagerand CORR-Engine are integrated components and get installed on the samemachine.

    HP ESM (6.8c) Page 7 of 79

  • CORR-EngineThe CORR-Engine is a long term data storage and retrieval engine that enables the product to receiveevents at high rates. TheManager and CORR-Engine are integrated components and get installed onthe samemachine.

    ArcSight Command CenterThe ArcSight CommandCenterESM is a web-based user interface for ESM. This user interface hasthe following characteristics:

    l Enables you to perform many of the functions found in the ArcSight Console and ArcSight Web,which are still provided with ESM.

    l Provides dashboards, a variety of search types, reports, casemanagement, notifications,channels, and administrative functions for managing content, users, connectors, storage, archives,search filters, saved searches, and peer configuration.

    ArcSight ConsoleThe ArcSight Console provides a user interface for you to perform administrative tasks, such as finetuning the ESM content, creating rules, andmanaging users. The ArcSight Console is installedseparately on client machines.

    SmartConnectorsSmartConnectors are software components that forward security events from awide variety of devicesand security event sources to CORR-Engine. SmartConnectors are not bundled with ESM and areinstalled separately.

    ArcSight WebArcSight Web is a web server that enables you to access theManager securely using a browser.

    ArcSight Web is intended for users who need to view information on theManager, but not author oradminister it; for example, operators in a Security Operations Center (SOC) and customers of aManaged Security Service Provider (MSSP).

    Installation and Configuration GuideChapter 1: What Is ESMWith CORR-Engine Storage?

    HP ESM (6.8c) Page 8 of 79

  • Deployment OverviewThe following is an example of how various ESM components can be deployed in a network.

    ESM Communication OverviewThe ArcSight Console, Manager, and SmartConnectors communicate using HTTP (HyperTextTransfer Protocol) over SSL (Secure Sockets Layer), often referred to as HTTPS (HyperText TransferProtocol Secure). The HTTPS protocol provides for data encryption, data integrity verification, andauthentication for both server and client.

    SSL works over TCP (Transport Control Protocol) connections. The default incoming TCP port on theManager is 8443.

    TheManager never makes outgoing connections to the Console or SmartConnectors. TheManagerconnects to the CORR-Engine through a loopback interface using a propriety protocol.

    Effect on Communication When Components FailIf any one of the software components is unavailable, it can affect communication between othercomponents.

    If the CORR-Engine is unavailable for any reason, theManager stops accepting events and cachesany events that were not committed to the CORR-Engine. The SmartConnectors also start cachingnew events they receive, so there is no event data loss. The Console gets disconnected.

    Installation and Configuration GuideChapter 1: What Is ESMWith CORR-Engine Storage?

    HP ESM (6.8c) Page 9 of 79

  • When the CORR-Engine is filled to capacity, as new events come in, theManager starts deletingexisting events starting from the oldest event.

    If theManager is unavailable, the SmartConnectors start caching events to prevent event data loss.The CORR-Engine is idle. The Console is disconnected.

    If a SmartConnector fails, whether event data loss will occur or not depends on the SmartConnectortype. SmartConnectors that listen for events from devices such as the SNMP SmartConnectors willstop accepting events. However, a SmartConnector that polls a device, such as the NT CollectorSmartConnector, may be able to collect events that were generated while the SmartConnector wasdown, after the SmartConnector comes back up.

    Using PKCS #11ArcSightESM supports the use of a PKCS#11 token such as the Common Access Card (CAC) (whichis used for identity verification and access control) to log into the Console or ArcSight Web. PKCS#11is Public-Key Cryptography Standard (PKCS), published by RSA Laboratories which describes it as “atechnology-independent programming interface, called Cryptoki, for cryptographic devices such assmart cards and PCMCIA cards.”

    PKCS#11 authentication is not supported with Radius, LDAP and Active Directory authenticationmethods.

    Import Control IssuesIf you are a customer in the United States, you can skip reading this section. If you are a customeroutside of the United States, you need to be aware of your country's restrictions on allowedcryptographic strengths. The embedded JRE in ESM components, ship with the Java CryptographyExtension (JCE) Unlimited Strength Jurisdiction Policy Files and they are enabled by default. Thesefiles are:

    l jre\lib\security\local_policy.jar

    l jre\lib\security\US_export_policy.jar

    This is appropriate for most countries. However, if your government mandates restrictions, back up theabove two *.jar files and use the restricted version files instead. They are available at:

    jre\lib\security\local_policy.jar.original

    jre\lib\security\US_export_policy.jar.original

    Rename *.jar.original to *.jar.

    The only impact of using the restricted version files would be that you cannot use ESM’s keytoolgui toimport unrestricted strength key pairs. Also, you cannot save the keystore if you use passwords thatare longer than four characters. No other ESM functionality is impacted.

    Installation and Configuration GuideChapter 1: What Is ESMWith CORR-Engine Storage?

    HP ESM (6.8c) Page 10 of 79

  • Directory Structure for ESM InstallationBy default, the ESM software is installed in a directory tree under a single root directory. Other third-party software is not necessarily installed under this directory, however. The path to this root directoryis called /opt/arcsight.

    The directory structure below /opt/arcsight is also standardized across components and platforms.The following table lists a few of the commonly used directories across the components.

    Port Directory

    ESM Software /opt/arcsight//bin

    Properties files /opt/arcsight//config

    Log files /opt/arcsight//logs

    References to ARCSIGHT_HOME in the paths represents:

    l /opt/arcsight/manager for the ArcSight Manager

    l /opt/arcsight/web for ArcSight Web

    l Whatever path you specified when you installed the ArcSight Console

    Securing Your ESM SystemUse the information in the following sections to protect your ArcSight components.

    Note: By default, theminimum length for passwords is six characters and themaximum length is20 characters. For information on password restrictions see the Administrator's Guide, chapter 2."Configuration," "Managing Password Configuration," "Password Character Sets."

    Protecting ArcSight ManagerDo not use demo SSL certificates in production. Make sure when switching that you remove the demoCA from cacerts on all SmartConnectors and ArcSight Consoles.

    Installation and Configuration GuideChapter 1: What Is ESMWith CORR-Engine Storage?

    HP ESM (6.8c) Page 11 of 79

  • Closely control access to files, using the principle of least privilege, which states that a user should begiven only those privileges that the user needs to complete his or her tasks. The following files areparticularly sensitive:

    Note: is the root directory for a component. For example for theManagercomponent, is: /opt/arcsight/manager.

    l \config\jetty\keystore (to prevent the ArcSight Manager private keyfrom being stolen)

    l \config\jetty\truststore (w/ SSLClient authentication only, toprevent injection of new trusted CAs)

    l \config\server.properties (has keystore and database passwords)

    l \config\jaas.config (w/ RADIUS or SecurID enabled only, has sharednode secret)

    l \config\client.properties (w/ SSLClient authentication only, haskeystore passwords)

    l \reports\sree.properties (to protect the report license)

    l \reports\archive\* (to prevent archived reports from being stolen)

    l \jre\lib\security\cacerts (to prevent injection of new trusted CAs)

    l \lib\* (to prevent injection of malicious code)

    l \rules\classes\* (to prevent code injection)

    Use a host-based firewall. On the ArcSight Manager, block everything except for the following ports.Make sure you restrict the remote IP addresses that may connect to those that actually need to talk.

    Port Flow Description

    22/TCP Inbound SSH log in (Unix only)

    53/UDP Inbound/Outbound DNS requests and responses

    8443/TCP Inbound SmartConnectors and Consoles

    25/TCP Outbound SMTP tomail server

    110/TCP Outbound POP3 tomail server, if applicable

    143/TCP Outbound IMAP tomail server, if applicable

    1645/UDP Inbound/Outbound RADIUS, if applicable

    1812/UDP Inbound/Outbound RADIUS, if applicable

    Installation and Configuration GuideChapter 1: What Is ESMWith CORR-Engine Storage?

    HP ESM (6.8c) Page 12 of 79

  • Port Flow Description

    389/TCP Outbound LDAP to LDAP server, if applicable

    636/TCP Outbound LDAP over SSL to LDAP server, if applicable

    As another layer of defense (or if no host-based firewall is available), you can also restrict whichconnections are accepted by the ArcSight Manager using the following properties in theserver.properties file:

    web.accept.ips=xmlrpc.accept.ips=agents.accept.ips=

    Each of these properties takes a list of IP addresses or subnet specifications, separated by commas orspaces. Once specified, only connections originating from those addresses are accepted. Thexmlrpc.accept.ips property restricts access for ArcSight Consoles and the ArcSight Web server.The agents.accept.ips property restricts access for SmartConnectors. For registration, theSmartConnectors need to be in xmlrpc.accept.ips as well, so that they can be registered. The formatfor specifying subnets is quite flexible, as shown in the following example:

    web.accept.ips=192.0.2.0/24 192.0.2.5xmlrpc.accept.ips=192.0.2.0 192.0.2.5agents.accept.ips=10.*.*.*,192.0.2.0/255.255.0.0

    ArcSightBuilt-In SecurityHPArcSight user accounts have user types that control the functions which users can access in theArcSight Manager. The "Normal User" type has themost privileges. Where possible, usemorerestrictive types, such as "Manager SmartConnector," "Management Tool," or "Archive Utility" for non-human user accounts. This is particularly important when user passwords must be stored in scripts forunattended execution.

    Apply the principle of least privilege when creating user accounts in ESM andwhen granting access toresources or events. Users should not havemore privileges than their tasks require.

    Physical Security for the HardwareIn addition to establishing security policies for passwords, keystores, and other software facilities, it isimportant to provide physical security for the hardware used by the ESM system. Physical hardwareincludes computers running ArcSight Console, and SmartConnector software, as well as the networkwhich connects them.

    Physical access to computers running ArcSight softwaremust be restricted.

    l Use the lockingmechanisms provided by most rack-mount cases to prevent malicious/accidentaltampering with themachine

    l Use locks on disk drive enclosures

    Installation and Configuration GuideChapter 1: What Is ESMWith CORR-Engine Storage?

    HP ESM (6.8c) Page 13 of 79

  • l Use redundant power and uninterruptible power supplies (UPS)

    l Protect the BIOS (x86 systems only) or firmware:n Disable all CD-ROM drives for booting so that the system can only be booted from the hard disk

    n Disable COM, parallel, and USB ports so that they cannot be used to extract data

    n Disable powermanagement

    Operating System Securityl On Linux, set up a boot loader password to prevent unauthorized people from booting into singleuser mode (see the LILO or GRUB documentation for details).

    l On Linux, disable reboot by Ctrl-Alt-Del in /etc/inittab. Comment out the line that refers to“ctrlaltdel.”

    l Set up a screen saver that prompts for a password with amoderately short delay (such as fiveminutes).

    l Disable powermanagement in the OS.

    l When installing the OS, select packages individually. Only install what you know will be needed.You can always install missing packages as you encounter them.

    l Run automated update tools to obtain all security fixes. Use up2date on Red Hat Linux (may requireRed Hat Network subscription).

    l Uninstall (or at least turn off) all services that you do not need. In particular: finger, r-services,telnet, ftp, httpd, linuxconf (on Linux), Remote Administration Services and IIS Services onWindows.

    l OnUnix machines, disallow remote root logins (for OpenSSH, this can be done using thePermitRootLogin no directive in /etc/ssh/sshd_config). This will force remote users to log in asa non-root user and su to root, thus requiring knowledge of two passwords to gain root access to thesystem. Restrict access to su, using a “wheel group” pluggable authenticationmodule (PAM) sothat only one non-root user on themachine can su to root. Make that user different from the“arcsight” user. That way, even if the root password is known and an attacker gains access throughESM in someway, they won't be able to log in as root.

    l Rename the Administrator/root account to make brute force attacks harder.

    Installation and Configuration GuideChapter 1: What Is ESMWith CORR-Engine Storage?

    HP ESM (6.8c) Page 14 of 79

  • General Guidelines and Policies about SecurityEducate system users about “social engineering” tricks used to discover user account information. Noemployee of HP will ever request a user’s password. When HP representatives are on site, theadministrator of the system will be asked to enter the password and, if needed, to temporarily changethe password for the HP team to work effectively.

    Educate users to use securemeans of communication—such as SSL to upload tosoftware.arcsight.com or PGP for e-mail—when transferring configuration information or log files toHP.

    Set up a login banner stating the legal policies for use of the system and the consequences of misuse.(Instructions for creating a login banner vary by platform.) ArcSight Consoles can also display a customlogin banner. Contact the Customer Support using the HP SSO site for more information.

    Choose secure passwords. (No password used in two places, seemingly random charactersequences, eight characters or longer, containing numbers and special (non-letter) characters). Forinformation on password restrictions see the Administrator's Guide, chapter 2. "Configuration,""Managing Password Configuration."

    Passwords are used in the following places—if any one is breached, the system is compromised:

    l All database accounts (arcsight)

    l The “arcsight” user and root user on the system that runs the ArcSight Manager

    l All users created in ESM

    l The SSL keystores

    l The boot loader (Linux)

    l The BIOS (x86 systems only)

    l The RADIUS node secret

    l The LDAP password for ArcSight Manager (w/ basic authentication only), where applicable

    l The Active Directory domain user password for ArcSight Manager where applicable

    Consider purchasing and using a PKI solution to enable SSL client authentication on Consoles andSmartConnectors.

    Consider purchasing and using a two-factor authentication solution such as RSA SecurID.

    Make sure that all the servers with which ESM interacts (DNS, Mail, RADIUS, etc.) are hardenedequivalently.

    Use a firewall and intrusion detection systems to secure the network that the ArcSight ManagerCORR_Engine use.

    Installation and Configuration GuideChapter 1: What Is ESMWith CORR-Engine Storage?

    HP ESM (6.8c) Page 15 of 79

  • Chapter 2: Installing ESMWe recommend that you read the ESM Release Notes before you begin installing ESM.If you are going to use the ESM High Availability Module with ESM and this is a new ESM installation, install the HA Module first. Refer to the ESM High Availability Module Guide for instructions.NOTE: ESM does not support FIPS in this release.

    System RequirementsThe hardware requirements for ESM 6.8c are as follows:

    Minimum Mid-Range High Performance

    Processors 8 cores (16 preferred) 32 cores 40 cores

    Memory 36GB RAM (64 preferred) 64GB RAM 1 TB RAM

    Hard Disk Six 600GB disks (1.5 TB)(RAID 10)

    15,000 RPM

    20 1 TB disks (10 TB)(RAID 10)

    10,000 RPM

    12 TB(RAID 10)

    Solid state

    Caution: The "Minimum" values apply to systems running base system content at low EPS(typical in lab environments). It should not be used for systems running high number of customer-created resources, or for systems that need to handle high event rates. Use the "Mid Range" or"High Performance" specifications for production environments that handle a sizable EPS loadwith additional content and user activity.

    Using Pattern Discovery or large numbers of Assets and Actors puts additional load on the systemthat can reduce the search and event processing performance. For further assistance in sizingyour ESM installation, contact your HP ArcSight Sales or Field Representative.

    If you anticipate that you will have large lists (a list with roughly fivemillion entries) or 500,000Actors, ensure that your systemmeets theMid-Range requirements or better.

    Supported PlatformsESM 6.8c is supported on RedHat Enterprise Linux 6.4 and 6.5 and CentOS 6.5 and SUSE LinuxEnterprise 11 SP3 platforms (all 64-bit) installed using at least the "Basic Server" option with added"compatibility libraries" at the time of installation. Refer to the Product Lifecycle document available onthe Protect 724 site for further information on supported platforms and browsers.

    HP ESM (6.8c) Page 16 of 79

  • Note:

    l To install the product you may also install the X Window system package if it is not already installed. This is optional. Use xorg-x11-server-utils-7.5-13.el6.x86_64or a later version for RHEL. Use xorg-x11-server-7.4-27.81.7 or a later version for SUSE Linux.

    l For RHEL, the XFS and EXT4 file system formats are supported.

    l For SUSE Linux, the EXT3 file system format is supported.

    l The atd servicemust be running all the time. At the end of the ESM installation, if the serviceis not already running, it starts when you run the setup_services.sh command.

    l If you plan to use this instance of ESM with the HA Module, do not use SUSE Linux; the HA Module does not support SUSE Linux.

    Before you Install ESMBefore you begin to install ESM, do the following:

    l The ESM 6.8c installation package is available for download from HP athttps://softwaresupport.hp.com/. Download the ArcSightESMSuite-6.8.0.xxxx.0.tar file andcopy it on to the system where you will be installing ESM. The xxxxx in the file name stands for thebuild number.

    l After you download the .tar file from the HP Software Depot, initiate license procurement byfollowing the instructions in the Electronic Delivery Receipt you receive from HP in an email afterplacing the order.

    Note: You do not need to unzip the license zip file. ESM recognizes the license file in thezipped state.

    l If you plan to install the Risk Insight software with ESM, create an new partition with at least 25 GBfor it in addition to the space allocation youmake for ESM.Consult theArcSight Risk Insight Deployment Guide for details.

    Keep these TCP Ports OpenBefore installing ESM, open the following TCP ports on your system if not already open and ensure thatno other process is using these TCP ports:

    Open the following TCP ports for external incoming connections:

    844394439000

    Installation and Configuration GuideChapter 2: Installing ESM

    HP ESM (6.8c) Page 17 of 79

    https://softwaresupport.hp.com/

  • The following TCP ports are used internally for inter-component communication by ESM:

    1976, 28001, 2812, 3306, 5555, 6005, 6009, 6443, 7777, 7778, 7779, 7780, 8005, 8009, 8080, 8088,8089, 8666, 8766, 8808, 8880, 8888, 8889, 9000, 9001, 9002, 9003, 9004, 9005, 9006, 9007, 9008,9095, 9090, 9123, 9124, 9999, 45450

    If you are using the ESM High Availability Module, check its documentation for ports that it uses.

    Install Time Zone PackageESM uses the time zone update package in order to automatically handle changes in time zone orchanges between standard and daylight savings time. During installation, ESM checks to see if theappropriate operating system time zone package is installed. If it is not, you have the option of exitingthe installer to install the latest operating system timezone update or continuing the ESM installationand skipping the timezone update for ESM components. We recommend installing the time zoneupdate package.

    l For RHEL 6.4/6.5 and CentOS 6.5 use tzdata-2014f-1.el6.noarch.rpm.

    l For SuSE 11.x use timezone-2014f-8.1.When installing the timezone package on SuSE, some dependencies need to be resolved. Pleasecheck with your system administrator if you have a problem resolving these dependencies.

    In both cases, the "f" can be f or any later version. To install them use the command:rpm -Uvh

    You should also check tomake sure that the /etc/localtime link is pointing to a valid time zone. Todo that, run the following command:

    ls -altrh /etc/localtime

    You should get a response similar to this (below), where is your time zone such asAmerica/Los_Angeles.

    lrwxrwxrwx. 1 root root 39 Nov 27 08:28 /etc/localtime ->/usr/share/zoneinfo/

    If this is not correct, run the following commands as user root:

    source /etc/sysconfig/clockmv /etc/localtime /etc/localtime.oldln -s /usr/share/zoneinfo/ /etc/localtime

    Verify that /etc/localtime is pointing to the correct time zone or use the date command.

    If you quit the installation to fix these, you can simply run the installation again.

    If you complete the installation without fixing these, you can still set up the time zone package aftercompleting the installation. Use the following procedure (after ensuring that you have downloaded andinstalled the correct package and the link is set correctly):

    Installation and Configuration GuideChapter 2: Installing ESM

    HP ESM (6.8c) Page 18 of 79

  • 1. As user arcsight, shut down all arcsight services. (This is important.) Run/opt/arcsight/services/init.d/arcsight_services killAllFast

    2. As user root, run the following command (this is one line):

    /opt/arcsight/manager/bin/arcsight tzupdater /opt/arcsight /opt/arcsight/manager/lib/jre-tools/tzupdater

    3. Monitor for any failure.

    4. Restart all arcsight services.

    Preparing to InstallBefore you run the installation file, youmust prepare your system.

    Set the /tmp Directory SizeMake sure that the partition in which your /tmp directory resides has at least 3 GB of space.

    Sizing Guidelines for CORR-EngineWhen installing ESM 6.8c, the default CORR-Engine storage sizes are automatically calculated basedon your hardware according to the default values in the table below. These are the recommended sizingguidelines. You can change any of the default storage sizes in the “CORR-Engine Configuration” panelof the wizard, but when doing so, be sure that you take theminimum andmaximum values allowed intoconsideration.

    System Storage - non-event storage, for example, resources, trends, and lists

    Event Storage - storage for events

    Online Event Archive - archive of online events

    Recommended Minimum Maximum

    SystemStorageSize

    Specify about one-sixth of calculated usable space. Usablespace is shown on the CORR-Engine Configuration panelduring installation.

    3 GB 500GB

    EventStorageSize

    Specify about two thirds of the usable space shown duringinstallation.

    10 GB 12 TB

    Installation and Configuration GuideChapter 2: Installing ESM

    HP ESM (6.8c) Page 19 of 79

  • Recommended Minimum Maximum

    EventArchiveSize

    Youmay specify the remaining space after the System andEvent storage have been allocated.

    1 GB No limit

    The system reserves 10 percent of the /opt/arcsight partition for its own use.

    During installation, the system will show the size of the /opt/arcsight partition as "Available Space,"and the size of that partition less 10 percent reserved space as "usable Space." Themaximum eventstorage volume size is calculated by the system using this formula:Maximum Event Storage = /opt/arcsight partition x 0.9 - system storage - event archives.

    After installation, the allocated event storage space consists of a default storage group and an internalstorage group whose size is initially set by the installer. These storage groups do not fill themaximumsize of the event storage volume. Youmay expand the size of these storage groups or add up to four ofyour own storage groups until the allocated size of the event storage reaches themaximum size of theevent storage volume. Use the ArcSight CommandCenter user interface to add or change the size ofstorage groups.

    In the ArcSight CommandCenter, select Administration > Storage and Archive to see and changethe storage allocations. Refer to theArcSight CommandCenter User's Guide for details.

    The following diagrams clarify the various terms used in the configuration wizard and in the ArcSightCommandCenter user interface:

    Installation and Configuration GuideChapter 2: Installing ESM

    HP ESM (6.8c) Page 20 of 79

  • Create User arcsightYou can skip this step if you are installing the ESM High Availability Module and already created thisuser and group as part of the HA Module planning and installation.

    While logged in as user root, create a new user called arcsight by entering the following commands in aterminal:

    groupadd arcsightuseradd -c “arcsight_software_owner” -g arcsight -d /home/arcsight -m -s/bin/bash arcsight

    Change the password for user arcsight:

    passwd arcsight

    Enter a new password when prompted and reenter it when prompted to confirm.

    Installation and Configuration GuideChapter 2: Installing ESM

    HP ESM (6.8c) Page 21 of 79

  • Make sure that the useradd operating system command successfully created a file in/home/arcsight called .bash_profile. If the operating system does not create this file, theinstallation will fail. If the file is not created, consult your operating system administrator.

    Create /opt/arcsight DirectoryESM 6.8c is installed in /opt/arcsight/. If the /opt/arcsight/ directory does not exist, createit while logged in as a root user.

    Make sure that the user arcsight has write and execute permission for the /opt/arcsight/ directory.

    Change the owner and group of /opt/arcsight/ to the arcsight user and group by issuing the followingcommands while logged in as root:

    chown arcsight:arcsight /opt/arcsight

    Increase User Process LimitThe operating system's default user process limit is not necessarily sufficient. This may cause an errorwhen theManager tries to createmore threads. To ensure that the system has adequate processingcapacity, increase this default limit, while logged in as user root:

    1. If you do not already have a file /etc/security/limits.d/90-nproc.conf, create it (andthe limits.d directory, if necessary).

    If the file already exists, delete all entries in the file.

    2. Add the following lines:* soft    nproc   10240* hard    nproc   10240* soft    nofile  65536* hard    nofile  65536

    Caution: Be sure to include the asterisk (*) in the new entries. It is important that you add allof the entries exactly as specified. Any omissions can cause system runtime errors.

    3. Reboot themachine.

    4. Log in as user arcsight.

    5. Run the following command to verify the new settings:

    ulimit -a

    6. Verify that the output shows the following values for Open files andMax user processes:

    open files 65536max user processes 10240

    Installation and Configuration GuideChapter 2: Installing ESM

    HP ESM (6.8c) Page 22 of 79

  • Untar the tar File

    Note:

    l Using an ssh -X session to run the ESM 6.8c installation file causes errors and the wizard doesnot complete. Instead of using ssh -X to run the installation wizard, use ssh to connect to themachine where you will be installing ESM 6.8c and set your DISPLAY environment variable topoint to a valid X11 display.

    l Spaces in directory names appearing within paths are not supported.

    1. Untar the tar file in order to obtain the installation file. To do so:

    a. Log in as user arcsight.

    b. Transfer the license file and the .tar file to this machine since you will be installing ESM on it.

    Important!

    The .tar file should be owned by the user arcsight.

    c. Change directory to the location where you downloaded the .tar file.

    d. Run the following command to untar the file:

    tar xvf ArcSightESMSuite-6.8.0.xxxx.0.tar

    2. If not already granted, give the ArcSightESMSuite.bin file the execute permission. To do so,enter:

    chmod +x ArcSightESMSuite.bin

    Running the Installation FileStart the installation while logged in as user arcsight.

    1. Run the following command:

    export LC_ALL=[language].UTF-8

    ...where [language] is one of these:en_US (English)zh_CN (Simplified Chinese)zh_TW (Traditional Chinese)ja_JP (Japanese)

    Installation and Configuration GuideChapter 2: Installing ESM

    HP ESM (6.8c) Page 23 of 79

  • fr_FR (French)ko_KR (Korean)ru_RU (Russian)

    2. Run the installation file as follows:

    ./ArcSightESMSuite.bin

    (or ./ArcSightESMSuite.bin -i console, for consolemode.)

    The installation wizard opens.

    Note:

    n To run in GUI mode, X Windows must be running. If it is not, the installer automaticallyruns in Consolemode.

    n To run in Consolemode, make sure X Windows is not running. Consolemode requests thesame information as GUI mode and is not documented separately.

    n The log files for this installation appear in the /home/arcsight directory.

    3. Read the Introduction message and click Next.

    4. On the License Agreement panel, the “I accept the terms of the License Agreement” radio buttonis disabled until you scroll to the bottom of the agreement text. After reading the LicenseAgreement, click the I accept the terms of the License Agreement radio button and click Next.

    5. Read theSpecial Notice and click Next.

    6. On theChoose Link Folder panel, select the location where you would like the installer to placethe links for this installation and click Next.

    7. Review thePre-Installation Summary. If need be, click Previous to make any changes. Whenyou are ready to proceed, click Install.

    The Installing ArcSight ESM 6.8c Suite screen appears with a progress bar at the bottom.

    8. The installer first places all the installation files in the appropriate folders. When it is done, the FileDelivery Complete screen opens. Click Next.

    The Suite Installer installs each component. After the GUI completes, the ConfigurationWizard GUIopens automatically. See "Running the ConfigurationWizard In ConsoleMode" on the next page fordetails on configuring ESM.

    Installation and Configuration GuideChapter 2: Installing ESM

    HP ESM (6.8c) Page 24 of 79

  • Rerunning The Suite InstallerIf the installation is interrupted and the process exits (for any reason) before you get to "File DeliveryComplete:"

    1. Remove all install.dir.xxxx directories from the /tmp directory.

    2. Remove all directories and files in the /opt/arcsight directory.

    3. Rerun the installer.

    Running the Configuration Wizard In Console ModeIf you are using the GUI mode (as instructed above) to install ESM, skip this topic and go to"Configuring ESM" below. If you started installing ESM in consolemode (from the command line), theinstallation stops at this point when the Suite Installer is done, but it does not automatically continuewith the ConfigurationWizard. You will explicitly need to start the configuration wizardmanually byissuing the following command:

    /opt/arcsight/manager/bin/arcsight firstbootsetup -boxster -soft -i console

    Configuring ESMOnce the Suite Installer (GUI) completes, the ConfigurationWizard opens automatically.

    Note:

    If you run the installer in consolemode via the command line, you havetomanually start thewizard. See "Running the ConfigurationWizard In ConsoleMode" above for details on how to dothis.

    1. Read theWelcome screen and click Next.

    2. On the Language Options panel, select the language for interface displays and click Next.

    3. On theCORR-Engine Password panel, set a password for the CORR-Engine and reenter it inthe Password confirmation text box and click Next. For information on password restrictions, seethe Administrator's Guide for ESM, chapter “Configuration”, section “Managing PasswordConfiguration”.

    4. On theCORR-Engine Configuration panel, enter the CORR-Engine storage allocationinformation and click Next.

    Installation and Configuration GuideChapter 2: Installing ESM

    HP ESM (6.8c) Page 25 of 79

  • System Storage Size - the size of the storage space set aside to store resources

    Event Storage Size - the size of the storage space set aside to store events

    Online Event Archive Size - themaximum number of gigabytes of disk space for event archives.This only applies to default online event archive.

    Retention Period - the amount of time that you want to retain the events before they are purgedfrom the system

    5. On theNotification Emails panel, Configure the following e-mail addresses:

    Error Notification Recipients: The email address of the person to receive email notifications iftheManager goes down or encounters some other problem.

    From email address: The email address used for the notifications sender.

    Click Next.

    6. On the License File panel, Enter or browse to the location of the license file you downloaded.Click Next.

    If you have a valid existing ESM license, you can use it with ESM6.8c.

    7. On theManager Information panel, enter theManager’s hostname or IP address and set apassword for the admin user and click Next.

    Caution: Manager host name is the local host name, IP address, or fully-qualified domainname of themachine where theManager is installed. This name is what all clients (forexample, ArcSight Console) specify to talk to theManager. Using a host name and especiallya fully-qualified domain name instead of an IP address is recommended for flexibility.

    Installation and Configuration GuideChapter 2: Installing ESM

    HP ESM (6.8c) Page 26 of 79

  • TheManager host name is used to generate a self-signed certificate. The CommonName(CN) in the certificate is theManager host name that you specify in this screen.

    Although theManager uses a self-signed certificate by default, you can switch to using a CA-signed certificate if needed. You can do this after installation. Refer to the Administrator’sGuide for instructions.

    8. On the Foundation Packages panel, check the system content packages to install. The SystemContent is delivered in the form of packages. System content packages are automaticallyinstalled as a part of ESM to provide out-of-box resource suites that you can use immediately tomonitor and protect your network.

    By default, it installs the ArcSight Administration package that provides you information about thisESM instance. You can select other packages to install from the list.

    For more information about packages, see theESM System Content Guide.

    9. The next screen is About to Configure ESM 6.8c. It informs you of the ESM configuration stepsit will perform when you click Next.

    Caution: Review the selections youmade in the previous screens of this wizard andmakesure that they are to your satisfaction. Once you click Next, the product is installed asspecified.

    If you are satisfied, click Next.

    10. Upon successful configuration, theConfiguration Completed Successfully screen appears.Click Finish.

    11. Click Done on the Install Complete screen.

    Installation and Configuration GuideChapter 2: Installing ESM

    HP ESM (6.8c) Page 27 of 79

  • 12. Important! This step is required in order to start the services. Log in as user root and run thefollowing script to set up the required services:

    /opt/arcsight/manager/bin/setup_services.sh

    After you have completed the installation, check the location and size of your storage volumes andmake any necessary changes. You can do this in the ArcSight CommandCenter. Refer to theArcSight CommandCenter User's Guide, the "Administration" chapter under "Storage andArchive” section for details regarding your storage volumes.

    Handling a Time Zone Update Error

    There are two possible errors that can happen when the installer tries to update the time zoneinformation for the ESM components.

    1. A timezone version 2014f or later rpm for your operating system is not installed.

    2. The /etc/localtime link is pointing to invalid or non-existent timezone.

    You can choose to continue with the installation even if the right timezone package is unavailable orincorrectly setup. If you choose to do so, you can update timezone info for the ESM components post-installation. Refer to "Install Time Zone Package" on page 18, to correct one of these time zone issues.

    Changing the Manager Heap Size

    If you need to change theManager’s heap size after the installation completes, you can do so from theArcSight CommandCenter. Refer to theArcSight CommandCenter User's Guide for further details.

    Installation and Configuration GuideChapter 2: Installing ESM

    HP ESM (6.8c) Page 28 of 79

  • Rerunning the ESM Configuration Wizard

    You can rerun the wizardmanually only if you exit it at any point before you reach the first configurationscreen called “About to Configure ESM v6.8c”. See "Rerunning the ESMConfigurationWizard" belowfor details.

    Rerunning the ESM Configuration WizardYou can rerun the wizardmanually only if you exit it at any point before you click Next on the screencalled "About to Configure ESM "

    If for any reason you cancel out of the wizard or run into an error before the configuration screen, youcan re-run the wizardmanually.

    1. To rerun the wizard run:

    rm /opt/arcsight/manager/config/fbwizard*

    2. To run the First Boot Wizard, run the following from the /opt/arcsight/manager/bin directorywhile logged in as user arcsight:

    In GUI mode

    ./arcsight firstbootsetup -boxster -soft

    In console mode

    ./arcsight firstbootsetup -boxster -soft -i console

    Caution: Make sure that X-Windows is not running when running the first boot wizard inconsolemode.

    If you encounter a failure during the configuration stage, uninstall and reinstall ESM.

    Uninstalling ESMUse the following procedure to uninstall ESM.

    1. Log in as user root.

    2. Run the following command:

    Installation and Configuration GuideChapter 2: Installing ESM

    HP ESM (6.8c) Page 29 of 79

  • /opt/arcsight/manager/bin/remove_services.sh

    3. Log in as user arcsight.

    4. Shut down any arcsight processes that are still running.

    To check for running arcsight processes, run:

    ps -elf | grep "/opt/arcsight"

    To shut down any arcsight processes that are running, run:

    kill -9

    5. Run the uninstaller program from either the directory where you have created the links whileinstalling the product or if you had opted not to create links, then run this from the/opt/arcsight/suite/UninstallerData directory:

    ./Uninstall_ArcSight_ESM_Suite_6.8

    Alternatively, you can run the following command from the /home/arcsight (or wherever youinstalled the shortcut links) directory:

    ./Uninstall_ArcSight_ESM_Suite_6.8

    6. Verify that the /tmp and /opt/arcsight directories contain no ESM-related files. If that is not thecase:

    a. While logged in as user arcsight kill all arcsight processes.

    b. Delete all remaining arcsight-related files/directories in /opt/arcsight/ and /tmp directorymanually.

    c. Delete any links created during installation.

    Setting Up ESM Reports to Display in a Non-EnglishEnvironmentTo enable international characters in string-based event fields to be retrieved by queries, you need tostore such characters correctly. Following the processes in this section allows ESM to correctly storeand recognize international characters.

    On the ManagerThis procedure is required only if you plan to output reports that use international characters in PDFformat. You will need to purchase the ARIALUNI.TTF font file.

    Installation and Configuration GuideChapter 2: Installing ESM

    HP ESM (6.8c) Page 30 of 79

  • 1. On theManager host, place the font file ARIALUNI.TTF in a folder. For example:

    /usr/share/fonts/somefolder

    2. Modify the ESM reports properties file, sree.properties, located in/opt/arcsight/manager/reports/ directory by default.

    Add the following line:

    font.truetype.path=/usr/share/fonts/somefolder

    Save the file.

    3. Restart theManager by running:

    /etc/init.d/arcsight_services restart manager

    4. In the ArcSight Console, select the Arial UnicodeMS font in all the report elements, including thereport template. This is described in the next topic.

    On the ConsoleSet preferences in the Console and on the Console host machine.

    1. Install the Arial UnicodeMS font on the Console host operating system if not already present.

    2. Edit the following script located in /current/bin/scripts directory by default:

    On Windows:Edit console.bat

    On Linux:No edits required. The coding is set correctly.

    Find the section ARCSIGHT_JVM_OPTIONS and append the following JVM option:

    " -Dfile.encoding=UTF8"

    3. In the ArcSight Console Preferences menu, set Arial UnicodeMS as the default font:

    Go toEdit > Preferences > Global Options > Font

    On Windows:Select Arial Unicode MS from the drop-down

    On Linux:Enter Arial Unicode MS

    4. Set the font preferences for your reports, as described in, "Using Report Templates" in theArcSight Console User's Guide.

    Installation and Configuration GuideChapter 2: Installing ESM

    HP ESM (6.8c) Page 31 of 79

  • Improving the Performance of Your ServerFor HP hardware, you can improve the server performance by tuning your BIOS as follows:

    l HyperThreading - Disable this. This setting exists on any Intel processor that supportsHyperThreading. Most recent server class processors have this. AMD processors do not have anequivalent setting.

    l Intel VT-d - Disable this. This setting is specific to Intel processors and is likely to be present onmost recent server class processors. AMD has an equivalent feature named AMD-Vi.

    l HP Power Regulator - set to Static High Performance: This setting tells the CPU(s) to always runat high speed, rather than slowing down to save power when the system senses that load hasdecreased. Most modern CPUs have some equivalent setting.

    l Thermal Configuration - set to Increased cooling: This setting increases fan speed in the server tohelp deal with the increased heat resulting from running the CPU(s) at high speed all the time.

    l Minimum Processor Idle Power Package State - This setting tells the CPU not to use any of itsC-states (various states of power saving in the CPU). All CPUs have C-states, somost servershave a setting like this.

    l HP Power Profile - set this to Maximum Performance. This is not likely to have an equivalent onnon-HP servers, although some of the individual settings may exist.

    This setting changes the following:

    n QPI link powermanagement (link between physical CPU sockets) gets disabled

    n PCIe support gets forced to Gen 2

    n C-states get disabled as part of this profile

    n This setting also disables the lower speed settings on the CPU(s) so they run at high speed allthe time

    The Next StepsDownload the ArcSight Console and install it on a supported platform. Refer to the chapter on installingthe Console, for details on how to do this. You can also access theManager from the ArcSightCommandCenter using a browser. To do so, enter the following URL in the browser’s address bar:

    https://:8443

    Refer to the ArcSight CommandCenter User’s Guide for more information on using the ArcSightCommandCenter.

    Read the Release Notes available on the HP ArcSight Customer Support download site.

    Installation and Configuration GuideChapter 2: Installing ESM

    HP ESM (6.8c) Page 32 of 79

  • Chapter 3: Installing ArcSight ConsoleThe ArcSight Console provides a host-based interface (as opposed to the browser-based interface ofthe ArcSight CommandCenter) to ArcSight ESM. This chapter explains how to install and configurethe ArcSight Console in default mode.

    Make sure theManager is running before installing the ArcSight Console. The ArcSight Consolemaybe installed on the same host as theManager, or on a different machine. Typically, ArcSight Console isdeployed on several perimeter machines located outside the firewall which protects the ArcSightManager.

    Console Supported PlatformsRefer to the Product Lifecycle document available on the Protect 724 site for themost currentinformation on supported platforms and browsers.

    Required Libraries for RHEL and CentOS (64 Bit)On the RHEL and CentOS 6.5 64-bit workstations, the Console requires the latest versions of followinglibraries, if available:

    pam-1.1.1-10.el6.x86_64.rpmpam-1.1.1-10.el6.i686.rpmlibXtst-1.0.99.2-3.el6.x86_64.rpmlibXtst-1.0.99.2-3.el6.i686.rpmlibXp-1.0.0-15.1.el6.x86_64.rpmlibXp-1.0.0-15.1.el6.i686.rpmlibXmu-1.0.5-1.el6.x86_64.rpmlibXmu-1.0.5-1.el6.i686.rpmlibXft-2.1.13-4.1.el6.x86_64.rpmlibXft-2.1.13-4.1.el6.i686.rpmlibXext-1.1-3.el6.x86_64.rpmlibXext-1.1-3.el6.i686.rpmlibXrender-0.9.7-2.el6.i686.rpmgtk2-engines-2.18.4-5.el6.x86_64.rpmgtk2-2.18.9-6.el6.x86_64.rpmcompat-libstdc++-33-3.2.3-69.el6.x86_64.rpmcompat-libstdc++-33-3.2.3-69.el6.i686.rpmcompat-db-4.6.21-15.el6.x86_64.rpmcompat-db-4.6.21-15.el6.i686.rpm

    HP ESM (6.8c) Page 33 of 79

  • Using PKCSPublic-Key Cryptography Standard (PKCS) comprises standards used for reliable and secure publickey cryptography. Public Key Cryptography works by encrypting the data at the sender's end anddecrypting it at the receiver's end.

    ArcSight ESM supports the use of a PKCS#11 token such as the Common Access Card (CAC) foridentity verification and access control. It is used to log into theManager from a user interface.PKCS#11 is Public-Key Cryptography Standard (PKCS), published by RSA Laboratories whichdescribes it as “a technology-independent programming interface, called Cryptoki, for cryptographicdevices such as smart cards and PCMCIA cards.”

    PKCS#11 authentication is not supported with Radius, LDAP and Active Directory authenticationmethods.

    Installing the Console  

    Note: This box includes several important notes related to Installing the ArcSight Console.

    OnMacintosh platforms, pleasemake sure that:

    l You are using an intel processor based system.

    l You have the JRE installed on your system before installing the Console. Refer to the ReleaseNotes for the version of JRE to install.

    l If you are installing the Console on a new system for the first time, or if you have upgraded yoursystem causing the JRE update, your Console installationmight fail. To work around this,change the permissions on the cacerts file to give it write permission before you import it.

    l If your JRE gets updated, you will see the following error when you try to log into the Console:IOException: Keystore was tampered with or password was incorrect.

    This happens because theMac OS update changed the password for the cacerts file in thesystem's JRE. To work around this issue, before you start the Console, change the defaultpassword for the cacerts file by setting it to the following in the client.properties file(create the file if it does not exist) in the Console’s /current/config folder by adding:ssl.truststore.password=changeme

    Do not attempt to install the Console as the root user on Unix-basedmachines. If you do, theinstaller will prompt you to change ownership of certain directories after the installation completes,so we recommend you perform all of the following steps as a non-root user.This issue does not apply toWindows machines.

    Installation and Configuration GuideChapter 3: Installing ArcSight Console

    HP ESM (6.8c) Page 34 of 79

  • AWindows system was used for the sample screens. If you are installing on a Unix basedsystem, there are a few Unix-specific screens. Path separators are / for Unix and \ forWindows.

    Make sure that ArcSightESM is installed before installing the ArcSight Console.

    1. To install ArcSight Console, run the self-extracting archive file that is appropriate for your targetplatform. Go to the directory where the ArcSight Console Installer is located.

    Platform Installation File

    Linux ArcSight-6.8.x.nnnn.y-Console-Linux.bin

    Windows ArcSight-6.8.x.nnnn.y-Console-Win.exe

    Macintosh ArcSight-6.8.x.nnnn.y-Console-MacOSX.zip

    The location of the installer's log files are shown below:

    Platform Installation Log Files

    Linux /home/

    Windows C:\Users\

    Macintosh /Users/

    2. Click Next in the Installation Process Check screen.

    3. Read the introductory text in the Introduction panel and click Next.

    4. On the License Agreement panel, the “I accept the terms of the License Agreement” radio buttonis disabled until you scroll to the bottom of the agreement text. After you have read the text, clickthe “I accept the terms of the License Agreement” radio button and click Next.

    5. Read the text in theSpecial Notice panel and click Next.

    6. On theChoose ArcSight installation directory panel,you can accept the default installationdirectory, click Choose to navigate to an existing folder, or type in a path to where you want toinstall the Console. If you specify a folder that does not exist, the folder is created for you.

    Caution: On Linux andMacintosh systems, spaces are not supported in install paths.

    7. On theChoose Shortcut Folder panel, select where you would like to create a shortcut for theConsole and uninstall icons and click Next.

    8. View the summary in thePre-Installation Summary screen and click Install if you are satisfied

    Installation and Configuration GuideChapter 3: Installing ArcSight Console

    HP ESM (6.8c) Page 35 of 79

  • with the paths listed. If you want to make any changes, use the Previous button to do so.

    You can view the installation progress in the progress bar.

    Note: OnWindows, when the installer is configuring the Console (thePlease Wait panel), youmight see amessage that the TZData update was not successful. If you get that message, clickOK and continue. The Console installs successfully. Usually, TZData is correctly updatedregardless of this message. Tomake sure check that the time stamp on the files in theC:\arcsight\Console\current\jre\lib\zi.tzdata2014b\ directory matches the date andtime when you installed the Console. If the time stamp is old or the files aremissing, uninstall thenre-install the Console.

    Configuring the ArcSight ConsoleAfter the Console has been installed, you will need to configure it.

    1. The wizard asks if you would like to transfer configuration options from an existing installation ofArcSight Console. ChooseNo, I do not want to transfer the settings to create a new, cleaninstallation and click Next.

    2. Enter the host name of theManager to which the Console will connect.

    Caution: Do not change theManager’s port number.

    Click Next.

    Installation and Configuration GuideChapter 3: Installing ArcSight Console

    HP ESM (6.8c) Page 36 of 79

  • 3. Select Use direct connection option and click Next. You can set up a proxy server and connectto theManager using that server if you cannot connect to theManager directly.

    If you select the Use proxy server option, you will be prompted to enter the proxy serverinformation.

    Installation and Configuration GuideChapter 3: Installing ArcSight Console

    HP ESM (6.8c) Page 37 of 79

  • Enter the Proxy Host name and click Next.

    4. The ArcSight Console configuration wizard prompts you to choose the type of client authenticationyou want to use, as shown in the following screen:

    Caution: In order to use PKCS#11 authentication, youmust select thePassword Based orSSL Client Based Authenticationmethod.

    Note: Password Based and SSL Client Based Authentication option currently supportsonly client keystore for SSL based authentication. Using PKCS#11 token as your SSLClientBased authenticationmethod within the Password Based and SSL Client BasedAuthentication option is not currently supported.

    Installation and Configuration GuideChapter 3: Installing ArcSight Console

    HP ESM (6.8c) Page 38 of 79

  • If you select Password Based Authentication, you to log in with a user name and password.

    If you select Password Based and SSL Client Based Authentication, you need a clientcertificate to log in, in addition to your user name and password. Follow the procedure described inESM Administrator’s Guide to set up the client certificate.

    If you selectedPassword Based or SSL Client Based Authentication orSSL Client OnlyAuthentication, you will be required to select your SSL client based authenticationmethod.

    If you plan to use a PKCS #11 token, you should have the token’s software and hardware alreadyset up. If you have not set up the token yet, you can select Client Key Store and continue with theinstallation. After you have finished installing the Console, you can refer to "Setting Up to Use aCAC Card " on page 60 for instructions on how to set up the token.

    If you select Client Key Store, you will see amessage reminding you to set up the clientcertificate after the installation completes.

    After completing the ConfigurationWizard, follow the procedure described in ESM Administrator’sGuide to set up the client certificate.

    5. The ArcSight Console configuration wizard prompts you to specify the default web browser youwant to use to display reports, Knowledge Centered Support articles, and other web page content.Specify the location of the executable for the web browser that you want to use to display theKnowledge Centered Support articles and other web pages launched from the ArcSight Console.Click Next.

    Installation and Configuration GuideChapter 3: Installing ArcSight Console

    HP ESM (6.8c) Page 39 of 79

  • 6. Select whether this installation of the Console will be used by a single user or multiple users.

    You can choose from these options:

    n This is a single system user installation

    Select this option when:

    o There is only one system account on this machine that one or more Console users will use toconnect to the Console. For example, a system account, admin, is used by Console usersJoe, Jack, Jill, and Jane.

    Installation and Configuration GuideChapter 3: Installing ArcSight Console

    HP ESM (6.8c) Page 40 of 79

  • OR

    o All Console users who will use this machine to connect to the Console have their own useraccounts on this machine AND these users have write permission to the ArcSight Console’s\current directory.

    Advantage: Logs for all Console users are written to one central location in ArcSightConsole’s \current\logs directory. The user preferences files (denoted by username.ast)for all Console users are located centrally in ArcSight Console’s \current.

    Disadvantage: You cannot use this option if your security policy does not allow all Consoleusers to share a single system user account or all users to write to the ArcSight Console’s\current directory.

    n Multiple system users will use this installation

    Select this option when:

    o All Console users who will be using this machine to connect to the Console have their ownuser accounts on this machine

    AND

    o These users do not have write permission to the ArcSight Console’s \current\logsdirectory

    By selecting this option, each user’s log and preferences files are written to the user’s localdirectory (for example, Document and Settings\username\.arcsight\console onWindows) on this machine.

    Advantage: You do not have to enable write permission for all Console users to the Console’s\current directory.

    Disadvantages: Logs are distributed. Therefore, to view logs for a specific time period, youwill have to access them from the local directory of the user who was connected at that time.

    If you do not enable write permission for all the Console users to the Console’s \currentdirectory, they can only run the following commands (found in the Console’s \bin\scripts)from the Console command-line interface:

    o sendlogs

    o console

    o exceptions

    o portinfo

    o websearch

    Installation and Configuration GuideChapter 3: Installing ArcSight Console

    HP ESM (6.8c) Page 41 of 79

  • All other commands require write permission to the Console’s \current directory.

    Note: The location from which the Console accesses user preference files and to which itwrites logs depends on the option you select above. Therefore, if you switch between theseoptions after the initial configuration, any customized user preferences may appear to be lost.For example, your Console is currently configured with the “This is a single system userinstallation” option on aWindows machine. Console user Joe’s customized preferences file islocated in the Console’s \current. Now, you run the consolesetupcommand and change the setting to ‘Multiple system users will use this installation.’ Next timeJoe connects to the Console, the Console will access Joe’s preference file from Documentand Settings\joe\.arcsight\console, which will contain the default preferences.

    OnWindows, when the installer is configuring the Console, youmight see amessage that theTZData update was not successful. If you get that message, click OK and continue. The Consoleinstalls successfully. Usually, TZData is correctly updated regardless of this message. Tomakesure, check that the time stamp on the files inC:\\current\jre\lib\zi.tzdata2014bmatch the date and time when you installed the Console. (The b in tzdata2014b could be adifferent letter.) If the time stamp is older or the files aremissing, finish the next two steps, thenuninstall and re-install the Console.

    7. You have completed configuring your ArcSight Console. Click Finish on the final panel to closethe configuration wizard.

    8. Click Done in the next screen.

    9. If you are installing the Console on a Linux machine in a different language than themachine onwhich theManager is installed, edit the file /home/arcsight/.bash_profile by adding the line:

    export LC_ALL=[language].UTF-8

    ...where [language] is one of these:en_US (English)zh_CN (Simplified Chinese)zh_TW (Traditional Chinese)ja_JP (Japanese)fr_FR (French)ko_KR (Korean)ru_RU (Russian)

    Importing the Console’s Certificate into the BrowserThe online help from the Console is displayed in a browser. Follow these steps in order to view theonline help in an browser if you are using SSLClient Based Authenticationmode:

    1. Export the keypair from the Console. Refer to the ESM Administrator’s Guide for in the "UsingKeytoolgui to Export a Key Pair" section.

    Installation and Configuration GuideChapter 3: Installing ArcSight Console

    HP ESM (6.8c) Page 42 of 79

  • 2. Import the Console’s keypair into the browser.

    You have installed the ArcSight Console successfully. Please be sure to install any available patchesfor the Console. Refer to the ArcSight ESM Patch Release Notes for instructions on how to install apatch for the Console.

    Character Set EncodingInstall the Console on amachine that uses the same character set encoding as theManager.

    If the character encodings do not match, then user IDs and passwords are restricted to using thefollowing characters:

    a-z A-Z [email protected]#$%^&*+?.{}|,()-[]

    If the Console encoding does not match and a user ID contains other characters, That user should notsave any custom shortcut key (hot key) schema. The user ID is not properly encoded in the keymap.xml file and that makes it impossible to establish the user’s shortcut schema during login. In thatcircumstance, all logins fail on that Console.

    If youmust use a non-UTF-8 encoding, and youmust have user IDs with other characters in them,custom shortcut keys are not supported on any Console where these users would log in. In thatsituation, add the following property to the console.properties file:console.ui.enable.shortcut.schema.persist=false. This property prevents custom shortcut keyschema changes or additions.

    If the Console encoding does not match and a password contains other characters, that user cannotlog in from that Console, as the password hash won’t match the one created on theManager when thepassword was created.

    Starting the ArcSight Console

    Note: On the ArcSight Consolemachine, for any special IPV4/IPV6 configurations that do notmatch the DNS server entries, you can instruct the ArcSight Console how to connect to ESM byproviding an additional option, java.net.preferIPv6Addresses. Do that by setting theenvironment variable ARCIGHT_JVM_NET_OPTIONS.

    For example, to instruct an ArcSight Console using IPV6DNS entries, use the followingcommands:

    On Unix

    export ARCIGHT_JVM_NET_OPTIONS=-Djava.net.preferIPv6Addresses=true

    On Windows set

    ARCIGHT_JVM_NET_OPTIONS=-Djava.net.preferIPv6Addresses=true

    Installation and Configuration GuideChapter 3: Installing ArcSight Console

    HP ESM (6.8c) Page 43 of 79

  • After installation and setup is complete, start ArcSight Console using the shortcuts installed or open acommandwindow on the Console’s bin directory and run:

    On Windows:

    arcsight console

    On Unix:

    ./arcsight console

    Depending on the client authenticationmethod you selected when installing the Console, you will seethe following buttons on the login screen:

    If you selected... You will see the following buttons...

    Password Based Authentication Login

    Cancel

    Password Based and SSLClient BasedAuthentication

    Login

    Cancel

    Password Based or SSLClient BasedAuthentication

    If you selected Client Keystore as your authenticationmethod, you will see

    l Login (username and password)

    l SSLClient Login

    l Cancel

    If you selected PKCS#11 Token, you will see

    l PKCS #11 Login

    l Login

    l Cancel

    SSLClient Only Authentication If you selected Client Keystore as your authenticationmethod, you will see

    l Login (username and password). This option isdisabled and cannot be used

    l Cancel

    If you selected PKCS #11 Token, you will see

    l PKCS #11 Login (SSL client authentication)

    l Cancel

    Installation and Configuration GuideChapter 3: Installing ArcSight Console

    HP ESM (6.8c) Page 44 of 79

  • Logging into the Console

    Note:While logging into aManager that has been configured to use Password Based or SSLClient Based Authentication, if you try to log in using a certificate and the login fails, all subsequentattempts to use the username/password login will also fail during the same session. To workaround this, restart the Console.

    To start the Console, click Login. When you start the Console for the first time, after you click Login,you will get a dialog asking you whether you want to trust theManager’s certificate. The prompt willshow details specific to your settings. Click OK to trust theManager’s certificate. The certificate will bepermanently stored in the Console’s truststore and you will not see the prompt again the next time youlog in.

    Reconnecting to the ArcSight ManagerIf the ArcSight Console loses the connection to the ArcSight Manager (for example, because theManager was restarted), a dialog box appears in the ArcSight Console stating that your connection tothe ArcSight Manager has been lost. Click Retry to re-establish a connection to the ArcSight Manageror click Relogin.

    Connections to the ArcSight Manager cannot be re-established while the ArcSight Manager isrestarting or if theManager refuses the connection. In addition, youmay see connection exceptionsduring the Retry process while the connection is lost or ArcSight Manager is restarting.

    Reconfiguring the ArcSight ConsoleYou can reconfigure ArcSight Console at any time by running the following commandwithin acommandwindow from the Console’s bin directory:

    On Windows: arcsight.bat consolesetup

    On Linux: ./arcsight consolesetup

    and follow the prompts.

    Uninstalling the ArcSight ConsoleBefore uninstalling the ArcSight Console, exit the current session.

    To uninstall onWindows, run theStart > All Programs > ArcSight ESM 6.8c Console > UninstallArcSight ESM Console 6.8c program. If a shortcut to the Console was not installed on the Startmenu, locate the Console’s UninstallerData folder and run:

    Installation and Configuration GuideChapter 3: Installing ArcSight Console

    HP ESM (6.8c) Page 45 of 79

  • Uninstall_ArcSight_ESM_Console_6.8c.exe

    To uninstall on Unix hosts, run the uninstaller program from either the directory where you created thelinks while installing the product or if you had opted not to create links, then run this from the/opt/arcsight/console/current/UninstallerData directory:

    ./Uninstall_ArcSight_ESM_Console_6.8c

    Alternatively, you can run the following command from the /home/arcsight (or wherever you installedthe shortcut links) directory:

    ./Uninstall_ArcSight_ESM_Console_6.8c

    Note: The UninstallerData directory contains a file .com.zerog.registry.xml with Read, Write,and Execute permissions for everyone. OnWindows hosts, these permissions are required for theuninstaller to work. However, on UNIX hosts, you can change the permissions to Read andWritefor everyone (that is, 666).

    Installation and Configuration GuideChapter 3: Installing ArcSight Console

    HP ESM (6.8c) Page 46 of 79

  • Appendix A: TroubleshootingThe following informationmay help solve problems that might occur when installing or using ESM. Insome cases, the solution can be found here or in other ESM documentation, but HP ArcSight CustomerSupport is available if you need it.

    If you intend to have HP ArcSight Customer Support guide you through a diagnostic process, pleaseprepare to provide specific symptoms and configuration information.

    Location of Log Files for ComponentsThe log files can be found in the following location:

    Log file name location Description

    First Boot Wizard Logs

    fbwizard.log /opt/arcsight/manager/logs/default/ Contains detailedtroubleshootinginformationlogged during thesteps in"ConfiguringESM" onpage 25.

    firstbootsetup.log /opt/arcsight/manager/logs/ Contains brieftroubleshootinginformation aboutcommands thatran during thesteps in"ConfiguringESM" onpage 25.

    CORR-Engine Log Files

    logger_server.log /opt/arcsight/logger/current/arcsight/logger/logs Containstroubleshootinginformation aboutthe CORR-Engine

    HP ESM (6.8c) Page 47 of 79

  • Log file name location Description

    logger_server.out.log

    /opt/arcsight/logger/current/arcsight/logger/logs CORR-Enginestdout log file

    arcsight_logger.log

    /opt/arcsight/logger/current/arcsight/logger/logs Logs for settingup the CORR-Engine

    logger_init_driver.log

    /opt/arcsight/logger/current/arcsight/logger/logs Logs for settingup the CORR-Engine

    logger_init.sh.log /opt/arcsight/logger/current/arcsight/logger/logs Logs for settingup the CORR-Engine

    logger_wizard.log /opt/arcsight/logger/current/arcsight/logger/logs Logs for settingup the CORR-Engine

    logger_wizard.out.log

    /opt/arcsight/logger/current/arcsight/logger/logs Logs for settingup the CORR-Engine

    Manager Log Files

    server.log /opt/arcsight/manager/logs/default Containstroubleshootinginformation abouttheManager

    server.std.log /opt/arcsight/manager/logs/default Contains thestdout output oftheManager

    server.status.log /opt/arcsight/manager/logs/default Contains a dumpof all theMBeans, thememory status,thread status,etc.

    ArcSight Web Log Files

    webserver.log /opt/arcsight/web/logs/default Containstroubleshootinginformation aboutArcSight Web

    Installation and Configuration GuideAppendix A: Troubleshooting

    HP ESM (6.8c) Page 48 of 79

  • Log file name location Description

    webserver.std.log /opt/arcsight/web/logs/default Contains thestdout output ofArcSight Web

    server.status.log /opt/arcsight/web/logs/default Manager statusmonitoring log file

    Log file for services

    arcsight_services.log

    /opt/arcsight/services/logs/ Containsinformation fromcommands thatmanage ArcSightserviceprocesses.

    monit.log /opt/arcsight/services/monit/data/ Contains timinginformation fromstartup andshutdown ofArcSight serviceprocesses.

    If You Encounter an Unsuccessful InstallationIf you encounter an unsuccessful installation, or if your installation is corrupted, there are two possiblecases.

    Case 1 – If your installation became corrupted after running setup_services.sh, run the followingscript as root user:

    remove_services.sh

    Then run the Recovery procedure below.

    Case 2 –If your installation became corrupted before running setup_services.sh, run the recoveryprocedure.

    Recovery Procedure – Run this for either case 1 or case 2, above.

    1. Kill any ArcSight services that are currently running. Either:

    a. Run:

    /opt/arcsight/services/init.d/arcsight_services killAllFast

    Or

    Installation and Configuration GuideAppendix A: Troubleshooting

    HP ESM (6.8c) Page 49 of 79

  • b. Query if there are any ArcSight processes running andmanually kill them.

    2. Delete all ArcSight-related files/directories under /opt/arcsight and /tmp directory.

    3. Delete any shortcuts created during installation (by default in the home directory of the arcsightuser).

    4. Re-install the product.

    Customizing ESM Components FurtherThe First Boot Wizard allows you to configure theManager and the CORR-Engine Storage. Tocustomize a component further, you can follow these instructions to start the setup program for thecomponent:

    ArcSight ManagerWhile logged in as user arcsight,

    1. Stop theManager if it is running:

    /etc/init.d/arcsight_services stop manager

    2. Run the following command from /opt/arcsight/manager/bin directory:

    ./arcsight managersetup

    3. Follow the prompts on the wizard screens. See the Administrator’s Guide for information on anyspecific screen.

    4. Restart theManager after the wizard completes by running:

    /etc/init.d/arcsight_services start manager

    ArcSight WebWhile logged in as user arcsight,

    1. Stop ArcSight Web if it is running:

    /etc/init.d/arcsight_services stop arcsight_web

    2. Run the following command from /opt/arcsight/web/bin directory:

    Installation and Configuration GuideAppendix A: Troubleshooting

    HP ESM (6.8c) Page 50 of 79

  • ./arcsight webserversetup

    3. Follow the prompts on the wizard screens. See the Administrator’s Guide for information on anyspecific screen.

    4. Start ArcSight Web after the wizard completes by running:

    /etc/init.d/arcsight_services start arcsight_web

    Fatal Error when Running the First Boot WizardIf you encounter a fatal error while running the First Boot Wizard, the wizard will display an errormessage and then exit. Check the log files for the particular component for any error messages. Thelog files are listed in the section "Location of Log Files for Components" on page 47.

    To resolve this issue, try the following steps:

    1. Check the /opt/arcsight/manager/logs/default/fbwizard.log file to figure out where theerror occurred.

    2. Check tomake sure that all the required TCP ports mentioned in the section "Keep these TCPPorts Open" on page 17 are open.

    3. The First Boot Wizard can only be rerun if it did not reach the point where it configures theManager. See section "Rerunning the ESMConfigurationWizard" on page 29 for more details onthis. If your error occurred before any component got configured, restart the First Boot Wizard byrunning the following command from the /opt/arcsight/manager/bin directory when logged inas user “arcsight”:

    In GUI mode:

    ./arcsight firstbootsetup -boxster -soft

    In consolemode:

    ./arcsight firstbootsetup -boxster -soft -i console

    Changing the Hostname of Your MachineWherever you see "hostname," youmay assume it means "hostname or IP address." If you haveconfigured peering, make sure to re-establish the peer relationship.

    If you are using the High Availability module, the procedure is different. Refer to theArcSight HighAvailability Module User's Guide for the proper procedure.

    In case you want to change the IP address of your machine after running the First Boot Wizardsuccessfully, follow these steps:

    Installation and Configuration GuideAppendix A: Troubleshooting

    HP ESM (6.8c) Page 51 of 79

  • Note: Run theManager setup commandwhen logged in as user arcsight.

    1. Stop all ArcSight services by running (as user arcsight):

    /etc/init.d/arcsight_services stop all

    2. Change the hostname of your machine.

    3. Reboot themachine.

    4. As the user arcsight, stop theManager by running::

    /etc/init.d/arcsight_services stop manager

    5. As the user arcsight, stop ArcSight Web by running:

    /etc/init.d/arcsight_services stop arcsight_web

    Youmight get error messages from this command indicating that ArcSight Webwas not stopped.This is normal and you should ignore it.

    6. As the user arcsight, run theManager’s setup program from the /opt/arcsight/manager/bindirectory:

    ./arcsight managersetup

    a. Enter the new host name (that you set for your machine in the steps above), in theManagerHost Name field when prompted by the wizard – and in every other field where the oldhostname is displayed.

    b. Make sure to select the self-signed keypair option when prompted by the wizard and enter therequired information to generate the self-signed certificate containing the new host name.

    7. As the user arcsight, start theManager by running:

    /etc/init.d/arcsight_services start manager

    8. As the user arcsight, see if themanager is running yet by running the command.

    /etc/init.d/arcsight_services status manager

    Run this command about once aminute, until you see the line “manager service is available."Then you can continue with the next step.

    9. As user arcsight, run the following to start the setup program for ArcSight Web from the/opt/arcsight/web/bin directory:

    ./arcsight websetup

    Installation and Configuration GuideAppendix A: Troubleshooting

    HP ESM (6.8c) Page 52 of 79

  • a. Enter the new host name inWebserver Host Name field and every other field containing theold host namewhen prompted.

    b. When the certificate from themanager is displayed, check the option “Trust the certificationfrom themanager.”

    c. Select the self-signed keypair option when prompted by the wizard and enter the requiredinformation to generate the self-signed certificate containing the new hostname.

    10. As the user arcsight, start ArcSight Web by running:

    /etc/init.d/arcsight_services start arcsight_web

    Youmay ignore themessage indicating that ArcSight Web is already started.

    11. Wait twominutes to ensure that ArcSight Web has started.

    12. Import theManager’s newly-generated certificate on all clients (Console and connectors) thataccess theManager. Use keytoolgui. See the “Using Keytoolgui to Import a Certificate” section inthe “Configuration” chapter in the ESM Administrator’s Guide available on the HP ArcSightCustomer Support download site for details.

    13. Test to make sure that

    n The clients can connect to theManager

    n Peer configuration works as expected. If not, redo the peer configuration.

    Changing the Host Name of the Machineafter Running the First Boot WizardIf you are using the High Availability module, the procedure is different. Refer to theArcSight HighAvailability Module User's Guide for the proper procedure.

    Note: Run the managersetup commandwhen logged in as user arcsight.

    In case you want to change the host name of themachine after running the First Boot Wizardsuccessfully, follow these steps:

    1. Stop all services by running (as user arcsight):

    /etc/init.d/arcsight_services stop all

    2. Change the host name of your machine.

    3. Reboot themachine.

    Installation and Configuration GuideAppendix A: Troubleshooting

    HP ESM (6.8c) Page 53 of 79

  • If you had entered a host name (instead of an IP address) when configuring theManager in the FirstBoot Wizard, then you will be required to do the following in addition to the steps mentioned above:

    1. As the user arcsight, stop theManager by running:

    /etc/init.d/arcsight_services stop manager

    2. As the user arcsight, stop ArcSight Web by running:

    /etc/init.d/arcsight_services stop arcsight_web

    3. As the user arcsight, run theManager’s setup program from the /opt/arcsight/manager/bindirectory as user “arcsight”:

    ./arcsight managersetup

    a. Enter the new host name (that you set for your machine in the steps above), in theManagerHost Name field when prompted by the wizard.

    b. Make sure to select the self-signed keypair option when prompted by the wizard and enter therequired information to generate the self-signed certificate containing the new host name.

    4. As the user arcsight, start theManager by running:

    /etc/init.d/arcsight_services start manager

    5. Export theManager’s newly generated self-signed certificate and import it into ArcSight Webusing the keytoolgui tool. For details on how to do this, see the “SSLCertificate Tasks” sectionin the “SSL Authentication” chapter of theAdministrator’s Guide available on the HP ArcSightCustomer Support download site.

    6. As the user arcsight, run the following to start the setup program for ArcSight Web from the/opt/arcsight/web/bin directory:

    ./arcsight websetup

    a. Enter the new host name inWebserver Host Name field when prompted.

    b. Select the self-signed keypair option when prompted by the wizard and enter the requiredinformation to generate the self-signed certificate containing the new hostname.

    7. As the user arcsight, start ArcSight Web by running:

    /etc/init.d/arcsight_services start arcsight_web

    8. Start ArcSight CommandCenter by running:

    https://:8443/

    Where is the host name or IP address that you specified when you first configuredESM. (Host names with underscores do not work on IE, so use the IP address.)

    Installation and Configuration GuideAppendix A: Troubleshooting

    HP ESM (6.8c) Page 54 of 79

  • 9. Import theManager’s certificate on all clients (Console and connectors) that will be accessing theManager. You can do so using the keytoolgui. See the “Using Keytoolgui to Import a Certificate”section in the “Configuration” chapter in the ESM Administrator’s Guide available on the HPArcSight Customer Support download site for details on how to do this.

    10. Test to make sure that the clients can connect to theManager.

    Installation and Configuration GuideAppendix A: Troubleshooting

    HP ESM (6.8c) Page 55 of 79

  • Appendix B: Default Settings For ComponentsThis appendix gives you the default settings for each software component i