Symantec Enterprise Security Manager Sybase Modules Installation · PDF fileSymantec™ Enterprise Security Manager Sybase Modules Installation Guide Documentation version 4.0 Thesoftwaredescribedinthisbookisfurnishedunderalicenseagreementandmaybeused

Symantec™ EnterpriseSecurity Manager SybaseModules Installation Guide

Version 4.0

Symantec™ Enterprise Security Manager SybaseModules Installation Guide

Documentation version 4.0

The software described in this book is furnished under a license agreement andmay be usedonly in accordance with the terms of the agreement.

Legal NoticeCopyright © 2012 Symantec Corporation. All rights reserved.

Symantec, the Symantec Logo, ActiveAdmin, BindView, bv-Control, and LiveUpdate aretrademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S.and other countries. Other names may be trademarks of their respective owners.

This Symantec product may contain third party software for which Symantec is requiredto provide attribution to the third party (“Third Party Programs”). Some of the Third PartyPrograms are available under open source or free software licenses. The LicenseAgreementaccompanying the Software does not alter any rights or obligations you may have underthose open source or free software licenses. Please see theThird Party LegalNoticeAppendixto this Documentation or TPIP ReadMe File accompanying this Symantec product for moreinformation on the Third Party Programs.

The product described in this document is distributed under licenses restricting its use,copying, distribution, and decompilation/reverse engineering. No part of this documentmay be reproduced in any form by any means without prior written authorization ofSymantec Corporation and its licensors, if any.

THEDOCUMENTATIONISPROVIDED"ASIS"ANDALLEXPRESSORIMPLIEDCONDITIONS,REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OFMERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT,ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TOBELEGALLYINVALID.SYMANTECCORPORATIONSHALLNOTBELIABLEFORINCIDENTALOR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING,PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINEDIN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software andDocumentation are deemed to be commercial computer softwareas defined in FAR12.212 and subject to restricted rights as defined in FARSection 52.227-19"Commercial Computer Software - Restricted Rights" and DFARS 227.7202, "Rights inCommercial Computer Software or Commercial Computer Software Documentation", asapplicable, and any successor regulations. Any use, modification, reproduction release,performance, display or disclosure of the Licensed Software andDocumentation by theU.S.Government shall be solely in accordance with the terms of this Agreement.

Symantec Corporation350 Ellis StreetMountain View, CA 94043

http://www.symantec.com

http://www.symantec.com

Technical SupportSymantec Technical Support maintains support centers globally. TechnicalSupport’s primary role is to respond to specific queries about product featuresand functionality. TheTechnical Support group also creates content for our onlineKnowledge Base. The Technical Support group works collaboratively with theother functional areas within Symantec to answer your questions in a timelyfashion. For example, theTechnical Support groupworkswithProductEngineeringand Symantec Security Response to provide alerting services and virus definitionupdates.

Symantec’s support offerings include the following:

■ A range of support options that give you the flexibility to select the rightamount of service for any size organization

■ Telephone and/or Web-based support that provides rapid response andup-to-the-minute information

■ Upgrade assurance that delivers software upgrades

■ Global support purchased on a regional business hours or 24 hours a day, 7days a week basis

■ Premium service offerings that include Account Management Services

For information about Symantec’s support offerings, you can visit our Web siteat the following URL:

www.symantec.com/business/support/

All support services will be delivered in accordance with your support agreementand the then-current enterprise technical support policy.

Contacting Technical SupportCustomers with a current support agreement may access Technical Supportinformation at the following URL:


Before contacting Technical Support, make sure you have satisfied the systemrequirements that are listed in your product documentation. Also, you should beat the computer onwhich theproblemoccurred, in case it is necessary to replicatethe problem.

When you contact Technical Support, please have the following informationavailable:

■ Product release level



■ Hardware information

■ Available memory, disk space, and NIC information

■ Operating system

■ Version and patch level

■ Network topology

■ Router, gateway, and IP address information

■ Problem description:

■ Error messages and log files

■ Troubleshooting that was performed before contacting Symantec

■ Recent software configuration changes and network changes

Licensing and registrationIf yourSymantecproduct requires registrationor a licensekey, access our technicalsupport Web page at the following URL:


Customer serviceCustomer service information is available at the following URL:


Customer Service is available to assist with non-technical questions, such as thefollowing types of issues:

■ Questions regarding product licensing or serialization

■ Product registration updates, such as address or name changes

■ General product information (features, language availability, local dealers)

■ Latest information about product updates and upgrades

■ Information about upgrade assurance and support contracts

■ Information about the Symantec Buying Programs

■ Advice about Symantec's technical support options

■ Nontechnical presales questions

■ Issues that are related to CD-ROMs, DVDs, or manuals



Support agreement resourcesIf youwant to contact Symantec regarding an existing support agreement, pleasecontact the support agreement administration team for your region as follows:

[email protected] and Japan

[email protected], Middle-East, and Africa

[email protected] America and Latin America

mailto:[email protected]



Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

Chapter 1 Installing Symantec ESM modules for SybaseASE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Before you install .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10Minimum account privileges for custom roles ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10About using an alternate account ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14System requirements ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16About content separation .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

About the content package folder structure ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18Modifying the importcontent.conf file ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19About the importcontent utility ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19Using the importcontent utility ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20Examples of using the importcontent utility ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

Installing security content on ESM managers ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22Installing ESM modules on ESM agent ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23Silently installing ESM modules on ESM agent ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27About configuring Sybase ASE in a network-based environment .... . . . . . . . 28Silently configuring the ESM modules ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29Configuration of the ESM modules ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30Editing configuration records ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31Configuring theSybaseASE server byusing theSybaseASEDiscovery

module ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31Configuring a new Sybase ASE server ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32Validating Sybase ASE server credentials ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33Configuring Sybase ASE with generic credentials ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33Reusing generic credentials of a Sybase ASE .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34Removing unreachable or deleted servers ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35About using parameters in the esmsybaseenv.dat file ... . . . . . . . . . . . . . . . . . . . . . . 35

Chapter 2 Logging functionality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

About the Logging functionality ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41CCS agent version 11.0 and later ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

About the log levels for messages ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42ESM agent version 10.0 and earlier ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

Contents

About the log levels of messages ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44Creating the configuration file ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45Parameters of the configuration file ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45About the ESM agent log file ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46Format of the log file ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47About the backup of logs ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

Chapter 3 Uninstalling ESM application modules for SybaseASE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

Uninstall ESM application module ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49Running the uninstallation program .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50Uninstallation logs ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51

Silent uninstallation .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51

Contents8

Installing Symantec ESMmodules for Sybase ASE

This chapter includes the following topics:

■ Before you install

■ Minimum account privileges for custom roles

■ About using an alternate account

■ System requirements

■ About content separation

■ Installing security content on ESM managers

■ Installing ESM modules on ESM agent

■ Silently installing ESM modules on ESM agent

■ About configuring Sybase ASE in a network-based environment

■ Silently configuring the ESM modules

■ Configuration of the ESM modules

■ Editing configuration records

■ Configuring the SybaseASE server by using the SybaseASEDiscoverymodule

■ Configuring a new Sybase ASE server

■ Validating Sybase ASE server credentials

■ Configuring Sybase ASE with generic credentials

1Chapter

■ Reusing generic credentials of a Sybase ASE

■ Removing unreachable or deleted servers

■ About using parameters in the esmsybaseenv.dat file

Before you installBefore you install the Symantec ESM modules for Sybase ASE, you must do thefollowing:

■ Ensure that Sybase ASE client is installed on the same ESM agent computerthat the Sybase ASE module should report on.

■ Ensure that connectivity to all Sybase ASE servers is established. There mustbe a valid interfaces file at the following location on the ESM agent computer:/<sybase installed directory>/interfaces

The interfaces file contains the names of the SybaseASE servers and the portson which it is running.

■ Log on as root to install the esmsyb.tpi.If you want to use a non-root account for installation, See “About using analternate account” on page 14..

Minimum account privileges for custom rolesIn the ESM modules for Sybase ASE, you can now create a custom role and use itinstead of the sa_role. You can assign to the custom role, theminimumprivilegesthat are required for a Sybase module to work. You do not need to assign all theprivileges that are associated with the sa_role when you use the custom role.

To use the custom role instead of the sa_role, youmust grant the custom role andsso_role using the SymEsmDbaRoles parameter in the esmsybaseenv.dat file:

config SymEsmDbaRoles custom_role,sso_role

During configuration of the ESMSybasemodule, the custom role and the sso_roleare granted to the SYMESMDBA account instead of the sa_role.

To make the custom role active, use the following command:

sp_modifylogin ESMSYMDBA, "add default role", custom_role

While configuring the ESM Sybase module using pre-created account instead ofthe “sa” account, you must assign the minimum account privileges to thepre-created account. Alternately you can also assign the custom role towhich you

Installing Symantec ESM modules for Sybase ASEBefore you install

10

assigned the minimum account privileges, to the pre-created account by usingthe following command:

sp_modifylogin precreated_user, "add default role", custom_role

The following stored procedures that are used by ESM Sybase Module requiresso_role:

■ sp_displayaudit

■ sp_passwordpolicy

If the sso_role is not assigned to ESMSYMDBA or the pre-created user, then ESMSybase Module reports errors on the following modules and checks:

Inactive accounts (only onSybase 15.0.2 or laterversions)

Sybase ASE Accountsp_displayaudit

Password contains digits

Minimum password length

Password expiration

Maximum failed loginattempts

Password complexityparameters

Sybase ASE PasswordStrength

sp_passwordpolicy

Table 1-1 gives the list of minimum privileges that are required to run Sybasemodules.

Note: You can also assign the privileges to an existing role to run the variousSybase modules.

You must grant the following privileges to every database on which ESM checksreport:

■ grant select on syscolumns to CUSTOM

■ grant select on sysprotects to CUSTOM

■ grant select on sysobjects to CUSTOM

■ grant select on sysprotects to CUSTOM

■ grant select on sysusers to CUSTOM

■ grant select on sysroles to CUSTOM

11Installing Symantec ESM modules for Sybase ASEMinimum account privileges for custom roles

Table 1-1 Minimum privileges required for Custom role

PrivilegesModule

select master..sysloginsSybase ASE Account

exec sp_helpdb

select master..sysalternates

select master..sysattributes

exec sybsystemprocs..sp_passwordpolicy

select master..sysloginroles

select master..sysloginsSybase ASE Auditing

exec sp_helpthreshold

exec sybsecurity..sp_helpthreshold

exec master..sp_configure

exec sp_helpdb

"For each database to check execsp_displayaudit 'object'"

exec sp_displayaudit 'login'

exec sp_displayaudit 'global'

Installing Symantec ESM modules for Sybase ASEMinimum account privileges for custom roles

12

Table 1-1 Minimum privileges required for Custom role (continued)

PrivilegesModule

select @@version as 'Version'Sybase ASE Configuration

exec master..sp_configure

exec master..sp_helpdevice

exec master..sp_helpserver

exec sp_helpdevice master ->

Note:Applicable toSybase15.0.1 andhigherversions.

select master..sysdevices ->

Note: Applicable to Sybase versions earlierthan 15.0.1.

exec master..sp_helpremotelogin

exec sp_helpdb

exec sp_helpdbSybase ASE Object

exec sp_helpuser

Note:Applicable for each database to check.

create table .. tempdb

select syscolumns

select sysprotects

select sysobjects


select master.dbo.sysmessages

select master.dbo.spt_values

select master..sysprotects

exec sp_help

13Installing Symantec ESM modules for Sybase ASEMinimum account privileges for custom roles

Table 1-1 Minimum privileges required for Custom role (continued)

PrivilegesModule

exec sybsystemprocs..sp_passwordpolicySybase ASE Password Strength

select master..syslogins

select master.dbo.sysattributes

select master.dbo.syslogins

master..sp_configure


select master..syssrvroles

select @@version as 'Version'Sybase ASE Patches

select master..syssrvrolesSybase ASE Roles and Grooups


exec sp_helpdb

select sysusers

select sysroles


select master..sysloginsSybase ASE Discovery

exec sp_droplogin

exec sp_password

exec sp_addlogin

select master..sysloginsSybase Setup

select @@version as 'Version'

exec sp_displaylogin

About using an alternate accountIn the previous releases, the root user that is logged on to the ESMagent computerto install and configure the ESM modules for Sybase ASE. In the current release,the non-root (alternate account) users can install and configure the ESMmodules

Installing Symantec ESM modules for Sybase ASEAbout using an alternate account

14

for Sybase ASE after the root has changed the ownership of the tpi and theSybaseSetup.

The root must change the ownership of the esmsyb.tpi, before the non-root userruns the esmsyb.tpi installer.

To change the ownership of the esmsyb.tpi

1 Log on to the ESM agent computer as the root.

2 Copy the esmsyb.tpi to the desired location on the sameESMagent computer.

3 Create a new group.

The non-root user should be a member of the new group.

4 Tochange the ownership of the esmsyb.tpi fromroot group to another group,type the following at the command prompt:

chown root:<group> esmsyb.tpi

5 To apply setuid bit to esmsyb.tpi, type the following at the command prompt:

chmod 4750 esmsyb.tpi

The users of the specified group are assigned the root’s privileges to use theesmsyb.tpi.

To install esmsyb.tpi as a non-root user

1 Log on to the ESM agent computer as a non-root user.

2 Run the esmsyb.tpi to install the ESM modules for Sybase ASE.

See “Installing ESM modules on ESM agent” on page 23.

See “Silently installing ESM modules on ESM agent” on page 27.

The rootmust change the ownership of the SybaseSetup, before thenon-root userconfigures ESM modules for Sybase ASE by using the SybaseSetup.

To change the ownership of the SybaseSetup

1 Log on to the ESM agent computer as the root.

2 Fromthe/esm/bin/<platform>directory, copy theSybaseSetup to thedesiredlocation on the same ESM agent computer.

15Installing Symantec ESM modules for Sybase ASEAbout using an alternate account

3 To change the ownership of the SybaseSetup from root group to anothergroup, type the following in the command prompt:

chown root:<group> SybaseSetup.

The users of the specified group are assigned the root privileges to use theSybaseSetup.

4 To apply setuid bit to the SybaseSetup, type the following in the command:

chmod 4750 SybaseSetup.

To configure ESMmodules for Sybase ASE by using SybaseSetup as a non-root user

1 Log on to the ESM agent computer as a non-root user.

2 Run the SybaseSetup to configure the Sybase ASE servers.

See “Configuration of the ESM modules” on page 30.

See “Silently configuring the ESM modules” on page 29.

System requirementsTable 1-2 list the supported SybaseASE versions and operating systems onwhichthe ESM application modules for Sybase ASE can report.

Note:As per Symantec's End of Life product support policy, the ESM Modules forSybase ASE are not supported on ESM 6.0.

Table 1-2 Supported Sybase ASE versions and operating systems

SupportedSybase versions

Supported OS versionsArchitectureSupportedoperatingsystems

12.5.4, 15.0.0,15.0.1, 15.0.2, 15.5,15.7

5.2RS 6000AIX (32-bit)

12.5.4, 15.0.0,15.0.1, 15.0.2,15.0.3, 15.5, 15.7

5.3, 6.1, 7.1PPC 64AIX (64-bit)

12.5.4, 15.0.0,15.0.1, 15.0.2,15.0.3, 15.5, 15.7

2.8, 2.9, 2.10SPARCSun Solaris (32-bitand 64-bit)

Installing Symantec ESM modules for Sybase ASESystem requirements

16

Table 1-2 Supported Sybase ASE versions and operating systems (continued)

SupportedSybase versions

Supported OS versionsArchitectureSupportedoperatingsystems

12.5.4, 15.0.0,15.0.1, 15.0.2, 15.5,15.7

11.11, 11.23, 11.31PARISCHP-UX (32-bit and64-bit)

12.5.4, 15.0.0,15.0.1, 15.0.2, 15.5,15.7

11.23Itanium®*HP-UX (64-bit)

12.5.4, 15.0.0,15.0.1, 15.0.2, 15.5,15.7

Windows Server 2003x86, Itanium, andx64

*Windows (32-bit,64-bit, andIA64-bit)

12.5.4, 15.0.0,15.0.1, 15.0.2, 15.5,15.7

Windows Server 2008x86, Itanium, andx64

*Windows (32-bit,64-bit, andIA64-bit)

12.5.4, 15.0.0,15.0.1, 15.0.2, 15.5,15.7

3, 4x86, x64Red Hat EnterpriseLinux AS (32-bitand 64-bit )

12.5.4, 15.0.0,15.0.1, 15.0.2, 15.5,15.7

3, 4, 5.0, 5.1, 5.2, 5.3, 5.4x86, x64Red Hat EnterpriseLinux ES (32-bitand 64-bit )

Note: *You can use HPUX-Itanium and Windows x86, Itanium, and x64 only in anetwork-based environment. You can use the other operating systems in anetwork-based and host-based environment.

See “About configuring SybaseASE in a network-based environment” on page 28.

To install the ESMmodules for Sybase ASE, youmust have the following free diskspace:

Note: The disk space requirements are only for the Symantec ESM Modules forSybase and not for the ESM agents.

17Installing Symantec ESM modules for Sybase ASESystem requirements

Table 1-3 Disk space requirements

Disk spaceSupported OSVersion

ArchitectureSupportedoperating systems

90 MB5.2RS 6000AIX (32-bit)

108 MB5.3, 6.1, 7.1PPC 64AIX (64-bit)

37 MB2.8,2.9,2.10SPARCSun Solaris (32-bitand 64-bit)

70 MB11.11, 11.23, 11.31PARISCHP-UX (32-bit and64-bit)

36 MB3, 4x86, x64Red Hat EnterpriseLinux AS (32-bit and64-bit )

36 MB3, 4, 5.0, 5.1, 5.2, 5.3,5.4

x86, x64Red Hat EnterpriseLinux ES (32-bit and64-bit )

About content separationUntil now, the content that was included in an Application module was firstinstalled on the agents and later through the registration process it was pushedfrom the ESM agents to the ESM manager.

From this release onwards, two separate content packages are included. Thepackage that contains themodule binaries is to be installed on the ESMagent andthe other package that contains the security content such as configuration (.m)files, word files, template files, properties files, and report content files (RDL) isto be installed on the ESM managers. A new folder named, Content is created onthe ESM manager that contains platform-specific data, which the importcontentutility imports.

Note: You are required to run the esmcontentsybasetpi.exe Windows Installer oresmsybasecontent.tpi UNIX installer on the new manager. For the consecutivereleases, perform a LiveUpdate to get the latest security content.

About the content package folder structureThe content package folder on the ESM manager contains content files of theApplications modules.

Installing Symantec ESM modules for Sybase ASEAbout content separation

18

Table 1-4 shows the file types and folder paths of the Application modules.

Table 1-4 File types and folder paths

Folder pathFile typeContent

#esm/content/<AppModuleName>/<platform>/config/.properties filesApplicationmodules

#esm/content/<AppModuleName>/<platform>/register/Security module(.m)files

#esm/content/<AppModuleName>/<platform>/template/Template files

#esm/content/words/Word filesCommon

#esm/content/ble/<SU_version>/<language>/Report contentfile(UpdatePackage.rdl)

Common

Modifying the importcontent.conf fileThe platforms that you specify in the importcontent.conf file are the platformsthat are available to the ESM manager when using the importcontent utility. Theimportcontent utility only imports the platforms on the ESM manager that arenot prefixed with a hash (#).

To modify the importcontent.conf file

1 Go to <Install_Directory>:\Program Files\Symantec\Enterprise SecurityManager\ESM\config\importcontent.conf on Windows or<Install_directory>/ESM/config/importcontent.conf on UNIX.

2 Remove # before the platform that you want to include.

3 Save the file.

4 Go back to esmcontentsybasetpi.exe installer or the esmsybasecontent.tpiinstaller and press <return> to continue with the installation process.

About the importcontent utilityImportcontent utility is a command line utility, used to import the ESM content- Sybase Application modules information to the specified manager. The utilitydisplays the content version on the GUI or on the CLI. The utility is located in thebin folder of the installation directory, along with other ESM Manager binariesin platform-specific folders.

For example,

<Install_Directory>:\ProgramFiles\Symantec\EnterpriseSecurityManager\ESM\bin\w3s-ix86\importcontent.exe on Windows

19Installing Symantec ESM modules for Sybase ASEAbout content separation

<Install_Directory>/esm/bin/solaris-sparc/importcontent on UNIX

Note: If the importcontent.exe is not found on the manager, then Content TPIpackage deploys the importcontent.exe in the bin folder.

Using the importcontent utilityYou can use the importcontent utility on Windows and Solaris platforms. Theutility provides the option of importing security module (.m) files, property(.properties) files, template files, word (.wrd) files, and report content(UpdatePackage.rdl) files for ESM Sybase Application modules. You can use the-f option to force import content related information at a later stage.

Pre-requisites for using the importcontent utility:

■ You must be in the role of ESM administrator.

■ You must have ESM manager installed on the computer on which you arerunning the importcontent utility.

To use the importcontent utility

1 Navigate to the computer where the ESM Manager and Agent are installed.

2 At the Windows command prompt, navigate to the platform-specific binfolder, where the importcontent utility is located for example,<Install_Directory>\ESM\bin\w3s-ix86\.

3 Type the following command:

importcontent [-RLrnvfW] [-m manager] [-U user] [-P password] [-p

port] [-L app_module_name1, app_module_name2,...] [-a |

module_config_file1 [module_config_file2... ]]

The switch options that can be used with the importcontent utility are listed.

Manager name - the local manager name is used by default.-m

User name - the ESM user name is used by default.-U

Password - the ESM user account password.-P

TCP port number - the port number is 5600 by default.-p

Import and register all security module (.m) files with themanager.

-a

Import property files (.properties)-R

Import all templates-T

Installing Symantec ESM modules for Sybase ASEAbout content separation

20

Import report content file (UpdatePackage.rdl)-r

Import word files-W

Synchronize policies-n

Force the import of security module information-f

Write C include file for security module compilation

Note: -h, and -M options can be used only with the -a option.

-h

Write VMS macro file for security module compilation

Note: -h, and -M options can be used only with the -a option.

-M

Set verbose mode, log each action as it is performed.-v

Log the program finish.-F

Examples of using the importcontent utilityThe following examples are provided for using the importcontent utility:

■ To access the help menu for the importcontent utility, type the followingcommand:importcontent

■ To import Sybase Applcation modules type the following command:importcontent -L sybase -U <user1> -P <pwd123> -m <managerXYZ>

Note: The utility requires the application module names to be similar to thefolder names created in the <install dir>\ content directory.

■ To import templates for Sybase, type the following command:importcontent -T -L sybase -U <user1> -P <pwd123> -m <managerXYZ>

■ To synchronize policies, type the following command:importcontent -nv -U <user1> -P <pwd123> -m <managerXYZ> -U <user1>

-P <pwd123>

■ To register specific .m files with the manager, type the following command:importcontent -U <user1> -P <pwd123> -m <managerXYZ>

C:\Symantec\ESM\account.m D:\ESM\acctinfo.m E:\abc.m xyz.m

21Installing Symantec ESM modules for Sybase ASEAbout content separation

Installing security content on ESM managersYou can install the security content package on the ESM manager by using theesmcontentsybasetpi.exe Windows Installer or the esmsybasecontent.tpi UNIXinstaller.

The installation program extracts and installs configuration (.m) files, templatefiles, word files, .properties files, and report content files (RDL).

To install the security content on the ESM managers

1 Download and copy the esmcontentsybasetpi.exe Windows Installer oresmsybasecontent.tpi UNIX installer from the Security Response Web siteto the desired location.

2 Choose one of the following options:

To display the contents of the package.Option 1

To install the module.Option 2

Note: Before importing the content data for the Application modules, youmust ensure t hat content data for a security update (SU) is present on themanager database. Certain features of the Application modules may notfunction correctly if the security update (SU) content data is not alreadyimported to the manager database.

3 The Do you want to import the templates or the .m files? [no] messageappears. Do one of the following:

■ Type a Y, if you want to import the templates or the .m files.

Note:

Only an ESM administrator or any ESM user that have the permissionsto create policies, create templates, and perform remote installation orupgrade can install the content on the ESMmanager. The ESM superusercan also install content on the ESM manager as this user has all thepermissions. However Register only users cannot perform this task asthey do not have the specified permissions.

The program displays a message to include or exclude the platforms thatyou want to import. See “Modifying the importcontent.conf file”on page 19.

Installing Symantec ESM modules for Sybase ASEInstalling security content on ESM managers

22

http://www.symantec.com/business/security_response/securityupdates/list.jsp?fid=esm

■ Type an N, if you do not want to import the templates or the .m files.You can skip this step if you want to import the content later. You canimport the content by running the importcontent utility.

4 Enter the ESM manager that the agent is registered to.

Usually, it is the name or the IP of the computer that themanager is installedon.

5 Enter the ESM access name (logon name) for the manager.

6 Enter the ESM password that is used to log on to the ESM manager.

7 Enter the port that is used to contact the ESM Manager. The default port is5600.

8 The Is this information correct? message appears. Do one of the following:

■ Type a Y, the program continues with the installation.

■ Type an N, the setup prompts to re-enter the details of the new manager.

9 The Do you want to import the report content file <UpdatePackage.rdl>?[yes] message appears. Do the following:

■ Type a Y, if you want to import the report content file.

■ Type an N, if you do not want to import the report content file.

When the installation completes, you are prompted to exit.

Installing ESM modules on ESM agentYou can install the Sybase ASE module on the ESM agent computer by using theesmsyb.tpi.

You must have SU 23 or later installed on the ESM agent computer before youinstall the ESM modules for Sybase ASE.

The installation program does the following:

■ Extracts and installs module executables, configuration (.m) files, and thetemplate files.

■ Registers the .m and the template files by using the ESM agent’s registrationprogram.

Note: If you register the .m files during a module installation on an agent thatis installed on the same platform, then you do not have to re-register the .mfiles again.

23Installing Symantec ESM modules for Sybase ASEInstalling ESM modules on ESM agent

■ Launches the SybaseSetup program to create the SYMESMDBA account forreporting.The password for the SYMESMDBA account is 12 characters long and isgenerated randomly. The password is encrypted by using a 256-bit AESencryption algorithm and is stored in the /esm/config/SybaseModule.datfile.

Note: The SYMESMDBA account can perform only the Read operations.

■ Grants the following default roles to SYMESMDBA account:

■ sa_role

■ sso_roleYou can either grant one role or multiple roles. You can grant a role in thefollowing way:

■ Addaparameter "config SymEsmDbaRoles <nameof new roles>” entryto the esmsybaseenv.dat file.

You can use a comma or a space to separate the multiple roles.

Note: The esmsybaseenv.dat file does not exist by default and you mustcreate it manually.

■ Auto-generates the password for the reporting account. The ESMmodules forthe Sybase ASE consider the following parameters during auto-generation ofthe passwords :

■ PassChangedPeriodThe “PassChangedPeriod” parameter specifies the number of days afterwhich you want to change the password of the configured account.If you set the "Password expiration interval” setting of the configuredaccount to 0, the password changes after every policy run.

■ PrecreatedNoPassChangeIf you do not want to change the password of your pre-created accountthen you set the PrecreatedNoPassChange parameter to 1.This value is not set by default. Periodically, you must manually changethe pre-created account password that you have configured.

Note: If you change the password for the pre-created account then youmustmodify the records byusing the /esm/bin/<platform>/SybaseSetup.

Installing Symantec ESM modules for Sybase ASEInstalling ESM modules on ESM agent

24

■ PassSpecStringThe password must contain at least one upper-case, one lower-case, onenumeric character (0-9), and one special character. The default specialcharacters are the underscore (_) and the hash (#). If you want to use otherspecial characters, you can also add a parameter ‘’config PassSpecString$@%” entry into the /esm/config/esmsybaseenv.dat file before you run theSybase configuration.

To install the ESM modules on ESM agent

1 Fromtheproductdisc, run the /DATABASES/Sybase/Modules/<architecture>/esmsyb.tpi.

You can also download and copy the esmsyb.tpi from the Security ResponseWeb site to the desired location.

2 Choose one of the following option:

To display the contents of the package.Option 1

To install the module.Option 2

3 The Do you wish to register the template or .m files? message appears. Doone of the following:

■ Type a Y, if the files are not registered with the manager.

■ Type an N, if the files have already been registered and skip to See “Toconfigure for the Sybase ASE servers on the ESM agent computers”on page 26.

Note:Youmust register the template and the .m files once for the agents thatuse the same manager on the same operating system.


Usually, it is the name of the computer that the manager is installed on.

5 Enter the ESM access name (login name) for the manager.


7 Enter the network protocol that is used to contact the ESM manager.

8 Enter the port that is used to contact the ESM Manager. The default port is5600.

25Installing Symantec ESM modules for Sybase ASEInstalling ESM modules on ESM agent



9 Enter the name of the agent as it is currently registered to the ESMmanager.

Usually, it is the name of the computer that the agent is installed on.


■ Type a Y, the agent continues with the registration to the ESM manager.


When the extraction is complete, you are prompted to add configurationrecords to enable the ESM security checking for your Sybase ASE.

11 The Continue and add configuration records to enable ESM securitychecking for your Sybase ASE? [yes] message appears. Do one of thefollowing:

■ Type a Y, to configure the Sybase ASE module on the agent computer.If you have typed a Y, the installation program reads the existingconfiguration records and displays them.

■ Type an N, the program installation continues without configuration.

To configure for the Sybase ASE servers on the ESM agent computers

1 To add a configuration record for the Sybase ASE server, do the following:

■ Enter the Sybase path.You must specify the path where you have installed the Sybase ASE onthe ESM agent computer.

■ Enter the SYBASE_OCS directory in Sybase path [OCS-XX_0]: default OCSpath.The ESM for Sybase ASE servers module installation program displaysthe existing Sybase ASE servers that are found in the OCS path that youprovide.

2 The Would you like to add a configuration record for this server <Servername>? [yes] message appears . Do the following:

■ Enter the sa or pre-created login for server “Server name” [sa]:

■ Enter the password that is used to log on to the “Server name” server:

■ Re-Enter password:The sa account creates the SYMESMDBA login account to perform thesecurity checks and then displays the login information of theSYMESMDBA account.


■ Type a Y, to continue and add configuration records to enable the ESMsecurity checking for your Sybase ASE.

Installing Symantec ESM modules for Sybase ASEInstalling ESM modules on ESM agent

26

■ Type an N, to re-enter the configuration information.

After the setup completes the configuration for the first detected SybaseASEserver, you are prompted to configure the other detected SybaseASE servers.

4 The Would you like to add a configuration record for this server <Servername>? [yes] message appears. Do the following:

■ Type a Y, to add another server record.

5 The Would you like to continue for another Sybase path? [no] messageappears.

If you type an N, the configuration exits and the setup continues with theinstallation program. After you have created the configuration records foreach Sybase ASE server, the program lists all of the configuration records.

6 The Do you wish to push the report content file [no]? message appears. Dothe following:

■ Type a Y, to push the RDL package to the manager.

■ Type an N, to exit the program.

Note: The encryption that is used to store the credentials for reporting is 256-bitAES encryption algorithm.

Silently installing ESM modules on ESM agentYou can silently install the ESMmodules for Sybase ASE by using the esmsyb.tpi.

Table 1-5 lists the command line options for silently installing the ESM modulesfor Sybase ASE.

Table 1-5 Options for silent installation

DescriptionOption

Install this tune-up/third-party package.-i

Display the description and contents of this tune-up/third-party package.-d

Specify the ESM access record name.-U

Do not execute the before and after executables (installation withoutconfiguration).

-e

Specify the ESM access record password.-P

27Installing Symantec ESM modules for Sybase ASESilently installing ESM modules on ESM agent

Table 1-5 Options for silent installation (continued)

DescriptionOption

Specify the TCP port to use.-p

Specify the ESM manager name.-m

Connect to the ESM manager by using TCP.-t

Connect to the ESM manager by using IPX (Windows only).-x

Specify the ESM agent name to use for registration-g

Do not prompt for and do the re-registration of the agents.-K

No return is required to exit the tune-up package (Windows only).-n

Do not update the report content file on the manager.-N

Update the report content file on the manager.-Y

To silently install the ESM modules for Sybase ASE without configuration

◆ At the command prompt, type the following:

./esmsyb.tpi -it -m <Manager Name> -U <Username> -p <port> -P

<password>-g <Agent Name> -e

If the installation succeeds, the return value is 0. If the installation fails, the returnvalue is 1.

About configuring Sybase ASE in a network-basedenvironment

You cannot install the ESM application modules for Sybase ASE on the HP-UXItanium ESM agent computers. Instead, these agents must be queried from aremoteESMagent computer onadifferent platform that is supported for theESMapplication modules for the Sybase ASE.

Installing Symantec ESM modules for Sybase ASEAbout configuring Sybase ASE in a network-based environment

28

To report on a Sybase ASE in a network-based environment

1 Copy the Sybase ASE server and port information from the network-basedSybase ASE server interfaces file /<Sybase Installed

Directory>/interfaces to the interfaces file that is present on thehost-basedSybase ASE server. By performing this step, you copy the contents and notoverwrite the file.

You must ensure that you can connect to the network-based Sybase ASEserver by using the isql utility on the host-based Sybase ASE server.

2 Configure the host-based SybaseASE server by using the SybaseSetup utility.

Note: You cannot use the Sybase ASE Discovery module to configure thenetwork-based Sybase ASE server.

Silently configuring the ESM modulesYou can silently configure the ESM modules for Sybase ASE by using theSybaseSetup. You can find the SybaseSetup at /esm/bin/<OS

architecture>/SybaseSetup.

Table 1-6 lists the command line options for silently configuring the ESMmodulesfor Sybase ASE.

Table 1-6 Options for silent configuration

DescriptionOption

Display help.-h

Add a new configuration record for undetected Sybase ASE.-a

Do not delete the existing SYMESMDBA account duringconfiguration.

Note: This is an optional switch.

-n

Directory path of Sybase ASE.-S <sybase dir>

Directory of Sybase OCS.-O <OCS dir>

The sa login for Sybase ASE server to create SYMESMDBA account,or pre-created account for ESM to perform checks.

-A <account>

The password for Sybase ASE server login.-P <password>

29Installing Symantec ESM modules for Sybase ASESilently configuring the ESM modules

Table 1-6 Options for silent configuration (continued)

DescriptionOption

Specify the file name that contains the encrypted generic credentialrecord.

-gif

Specify the file name that should be created with the encryptedgeneric credentials record.

-gof

Use this option with -gif option.

If you select the option and if at the same time, you replace thegeneric pre-created credentials with 'sa' credentials then all therecords that are configured to use generic pre-created credentialsare deleted from the configuration file.

-ng

Note: If you do not specify any option then ./SybaseSetup runswith the -h option.

To silently configure the ESM modules for Sybase ASE

◆ At the command prompt, type the following:

./SybaseSetup -a <SID> -S <sybase dir> -O <OCS dir> -A <account>

-P <password>

If the configuration succeeds, the return value is 0.

If the configuration fails, the return value is 255.

After you have run the SybaseSetup, the logs are created in/esm/system/<hostname>/ EsmSybaseConfig.log.

Configuration of the ESM modulesAfter installing Symantec ESM Modules for Sybase ASE, you can edit theconfiguration records. A configuration record is created for each Sybase ASEserver when you enable the security checking during installation.

Note: Before a policy run, you must configure the ESM modules for SybaseASE-related information and credentials for the application modules to reporton. You can use a pre-created account or a sa account. With a sa account, ESMuses a SYMESMDBAaccount for reporting. Pre-created account is a non sa accountthat you can create before the configuration.

Installing Symantec ESM modules for Sybase ASEConfiguration of the ESM modules

30

Editing configuration recordsYou can add, modify, or remove the Sybase ASE servers that are configured forSymantec ESM security checks by using the SybaseSetup program. By default,SybaseSetup is located in the \ESM\bin\<platform>\.

Table 1-7 lists the options that you can use when running the SybaseSetup.

Table 1-7 Editing configuration records

ActionType

Display help.SybaseSetup -h

Create configuration records for detected Sybase ASE servers.SybaseSetup -c

Add a new configuration record for undetected Sybase ASEservers.

SybaseSetup -a

Modify existing Sybase ASE configuration records.SybaseSetup -m

List existing Sybase ASE configuration records.SybaseSetup -l

Add configuration records for the generic credentials.SybaseSetup -G

Note: If no option is specified, SybaseSetup runs with the -h option.

Configuring the Sybase ASE server by using theSybase ASE Discovery module

The host-based Sybase ASE Discovery module automates the detection andconfiguration of new Sybase ASE servers that are not yet configured on the ESMagent computers. TheSybaseASEDiscoverymodule alsodetects andautomaticallyremoves the deleted or the unreachable Sybase ASE servers.

You can configure the Sybase ASE servers by using the generic credentials. Thegeneric credentials are the common Sybase ASE credentials that you can useacross servers. The generic credentials can be a “sa” account or a pre-createdaccount. If you use a “sa” account then a SYMESMDBAaccount is created on everyserver and is used for reporting.

If you use a pre-created account then you can add the new configuration optionPrecreatedNoPassChange 1 in the esm/config/esmsybaseenv.dat file.

Formore information on the PrecreatedNoPassChange parameter, See “InstallingESM modules on ESM agent” on page 23.

31Installing Symantec ESM modules for Sybase ASEEditing configuration records

Configuring a new Sybase ASE serverTo report on the Sybase ASE server, you must first configure the Sybase ASEserver on an ESM agent computer. The configuration helps the ESM applicationmodules for Sybase ASE to understand which servers the module should reporton.

To configure a new Sybase ASE server

1 Run the Sybase ASE Discovery module on the ESM agent computer that hasthe Sybase ASE server installed.

The module lists all the new Sybase ASE servers that were not configuredearlier.

2 Select multiple Sybase ASE servers and do one of the following:

■ Right-click and select Correction option.The Correction option configures the Sybase ASE servers with the servercredentials. When you enter the pre-created credentials the server isconfigured using the pre-created credentials. When you enter the “sa”credentials the SYMESMDBA is created. However, if you use thepre-created credentials then SYMESMDBA is not created.

■ Right-click and select Snapshot Update option.The Snapshot Update option configures the Sybase ASE servers withgeneric credentials. Before you select the Snapshot Update option, youmust first configure the generic credentials.See “Configuring SybaseASEwith generic credentials” on page 33.

To configure a new Sybase ASE server automatically

1 Enable the check Automatically add new Sybase ASE server.

The check automatically configures the newly discovered Sybase ASE serverin the configuration file /esm/config/SybaseModule.dat. The check usesthe generic credentials and attempts to connect to the server. After eachsuccessful connection, the SybaseASEDiscoverymodule adds a configurationrecord in the configuration file. If the connection attempt fails then themodule returns a correctable message.

2 To use the Correctable option

■ Right-click on the message.

■ Choose Correction option.You are prompted to enter the credentials to connect to the server again.Do one of the following

■ Enter pre-created credentials.

Installing Symantec ESM modules for Sybase ASEConfiguring a new Sybase ASE server

32

The SybaseASE server is configured using the pre-created credentials.

■ Enter “sa” credentials.The SYMESMDBA account is created.

Validating Sybase ASE server credentialsThe Validate configuration check uses the configured credentials and connectsto the server.

The module does the following:

■ Checks whether the configured account is unlocked.

■ Checks for the assigned roles of the configured account.

If the SymEsmDbaRoles parameter is configured in the esmsybaseenv.dat filethen the module checks for the defined roles. By default the module checks forthe “sa” and the “sso” roles.

If the validation of the SYMESMDBA account fails and the generic credentials arepresent then the SYMESMDBA account is recreated. For pre-created account, themodule returns a correctable message. When the server is configured usingpre-created account, auto-correction is not supported.

To use the Correction option

1 Right-click on the message.

2 Select Correction option.

You are prompted to enter the credentials to connect to the server again. Doone of the following:

■ Enter the sa credentials.The SYMESMDBA account is recreated. This SYMESMDBA account isunlocked and the required roles are assigned to it.

■ Enter the pre-created credentials.The server is configured with the pre-created credential

Configuring Sybase ASE with generic credentialsYou can configure a new Sybase ASE server on an ESM agent computer by usinga generic credential. The generic credential option helps you to configure acommon Sybase ASE server credential for all the Sybase ASE servers on an ESMagent computer.

33Installing Symantec ESM modules for Sybase ASEValidating Sybase ASE server credentials

To specify generic credentials

1 On the command prompt , type SybaseSetup –G.

2 Enter the Generic Login ID: User name.

3 Enter a password for the generic login. Reconfirm the password.

4 Press Enter.

The generic credentials are configured in the SybaseModule.dat file.

If you have a pre-created account configured and you want to replace it with a saaccount then the setup returns a message warning that the records that wereconfigured to use the pre-created generic credentials are removed.

If you enter YES, the setup does the following:

■ Removes the records that were configured to use the pre-created genericcredentials.

■ Replaces the generic credentials.You must run the Sybase ASE Discovery module again.

Reusing generic credentials of a Sybase ASEIf you want to specify a common generic credential on multiple ESM agentcomputers it is not necessary to use SybaseSetup –G option on every ESM agentcomputer. Instead, you canuse -gif and -gof options to specify a generic credential.The specified generic credential is then stored in an encrypted format in a filethat can be reused on every ESM agent computer.

To specify generic credentials

1 On the command prompt, type SybaseSetup -gof <filepath>

For example: SybaseSetup -gof < /esm/bin/<platform>/pass.dat>.

2 Enter the Generic Login ID: User name.

3 Enter a password for the generic login. Reconfirm the password.

4 Press Enter.

The pass.dat file is created with the encrypted generic credentials that arespecified in Step 1.

Installing Symantec ESM modules for Sybase ASEReusing generic credentials of a Sybase ASE

34

To reuse generic credentials

1 Copy the pass.dat file on a SybaseASEESMagent computerwhere youwantto import the generic credentials.

2 On the command prompt, type SybaseSETUP -gif <filepath>

The generic credentials are imported in the SybaseModule.dat file.

See “Configuring a new Sybase ASE server” on page 32.

Removing unreachable or deleted serversAlthough, you may have deleted a Sybase ASE server, the configurationinformation still exists in the configuration file /esm/config/SybaseModule.dat.The Sybase ASE Discovery module when executed removes the configurationinformation of such Sybase ASE servers.

To remove unreachable or deleted servers manually

1 Run the Sybase ASE Discovery module on the target ESM agent computers.Themodule lists all the unreachable and the deleted Sybase ASE servers thatwere configured earlier.

2 Select multiple Sybase ASE servers right-click, and select Snapshot Updateoption. The Snapshot Update option removes the configuration informationof such Sybase ASE servers.

To remove unreachable or deleted servers automatically

◆ Enable the check Automatically remove deleted Sybase ASE servers. Themodule automatically removes the corresponding server records from theconfiguration file /esm/config/SybaseModule.dat.

About using parameters in the esmsybaseenv.dat fileThis table lists the different parameters that you canuse in the esmsybaseenv.datfile to work with the Sybase ASE modules.

35Installing Symantec ESM modules for Sybase ASERemoving unreachable or deleted servers

Table 1-8 Parameters and their usage

ExampleParameter valueDescriptionParameter name

config EnableExtendedEncryption 1

In theesmsybaseenv.datfile, if you set thevalue ofEnableExtendedEncryption to1, theextendedencryption getsenabled.

If the parameterEnableExtendedEncryption doesnot exist in theesmsybaseenv.datfile or if it existsand the value is not1, then extendedencryption isdisabled.

Note: If theextendedencryption isenabled and thelibrary directorylocated at<SYBASE>/<SYBASE_OCS>/lib3p that containsthe libraries forencrypting thepassword does notexist, then themessage Failed tostat the path :<PATH> isdisplayed.

To resolve this, runisql -X andensure that thefolder lib3p exists.

All connectionstrings to SybaseASE have anadditionalparameter,which promptsyou for anencryption key.This ensuresthat thepassword isencrypted whenconnecting toSybase ASE overa network.

You can use thisparameter toenable theextendedencryptionmechanism. Bydefault, extendedencryption isdisabled.

EnableExtendedEncryption

Installing Symantec ESM modules for Sybase ASEAbout using parameters in the esmsybaseenv.dat file

36

Table 1-8 Parameters and their usage (continued)


configSymEsmDbaRoles<role 1, role 2,…>

The default rolesare the sa_role andthe sso_role.

If you do notspecify theparameter in theesmsybaseenv.datfile then defaultroles are assigned.If you specify theparameter thenuser-defined rolesor existing roles areassigned.

You can add thisparameter to theesmsybaseenv.dat

file as configSymEsmDbaRoles<name of newroles>.

You can use thisparameter togrant roles to theSYMESMDBAaccount whileconfiguring theSybase ASE.

SymEsmDbaRoles

config PassSpecString$@%

The default specialcharacters are theunderscore (_) andthe hash (#).

The other specialcharacters that youcan use are $@%.


file as configPassSpecString<specialcharacters>.

You can use thisparameter tospecify thespecialcharacters thatyou can usewhile generatingthe password forthe configuredaccount.

PassSpecString

37Installing Symantec ESM modules for Sybase ASEAbout using parameters in the esmsybaseenv.dat file



configPassChangedPeriod 30

If you want tochange thepassword of yourconfigured accountthen you set thePasswordexpiration intervalsetting parameterto 0.

If you do notspecify any valuethen by default thevalue is 35 days.


file as configPassChangedPeriod<number of days>.

You can use thisparameter tospecify theperiod afterwhich you wantto change thepassword of theconfiguredaccount.

PassChangedPeriod

configPrecreatedNoPassChange1

If you do not wantto change thepassword of yourconfigured accountthen you set thePrecreatedNoPassChangeparameter to 1.This value is notset by default.

You can use thispassword to notto change thepassword of thepre-createdaccount.

PrecreatedNoPassChange


38



config UsingTimeout 50If you set thedefault value to 0,the Sybase ASEserver never timesout.


file as configUsingTimeout<number ofseconds>.

You can use theparameter tospecify thetimeout period ifthe Sybase ASEserver is unableto complete therequest withinthe specifiedtime.

UsingTimeout

39Installing Symantec ESM modules for Sybase ASEAbout using parameters in the esmsybaseenv.dat file


40

Logging functionality


■ About the Logging functionality

■ CCS agent version 11.0 and later

■ ESM agent version 10.0 and earlier

About the Logging functionalityThe logging feature in the Sybase ASE modules enables the ESM agent to log theinformation, such as errors and exceptions that a module generates at the runtime.

Note: Logging functionality is enabled for all the modules of Sybase ASE.

CCS agent version 11.0 and laterCCS agent version 11.0 onwards, logging can be configured in the agent.conf filefrom the ESM console. The agent.conf file is a common configuration file for theagent and the ESM modules, unlike in the case of ESM agent version 10.0 andearlier. The agent.conf file is made available with the CCS agent installation.

Note: The agent.conf and esmlog.conf file co-exist in CCS agent version 11 andlater. If you have not set any logging related attribute from the console or if theparameters in the agent.conf file are modified or if the agent.conf file is deletedor empty, the esmlog.conf file is used.

2Chapter

About the log levels for messagesThe following log levels can be configured in the agent.conf file from the ESMconsole:

Table 2-1 Log levels for messages

ExampleDescriptionLog level

Defines the maximumlog file size. If it exceedsthen it creates a backupof log as per the settingsin the configuration file.The value varies from 1MB to 1024 MB.

ESM_LOG_MAX_SIZE

Provides a facility toback up the log file afterthe log file size reachesthe limit. The defaultvalue is 1. The valuevaries from 0 to 20.

ESM_LOG_MAX_BACKUP

If the agent.conf file contains both thekeys for example,

ESM_LOG_MAX_SIZE=3

ESM_MOD_LOG_MAX_SIZE=5

then ESM_MOD_LOG_MAX_SIZEtakes priority and the value 5 isconsidered.

This key is similar toESM_LOG_MAX_SIZEand is specific to theESMapplicationmodule.If both the keys aredefined in the agent.conffile, thenESM_MOD_LOG_MAX_SIZEtakes priority.

ESM_MOD_LOG_MAX_SIZE

If the agent.conf file contains both thekeys for example,

ESM_LOG_MAX_BACKUP=3

ESM_MOD_LOG_MAX_BACKUP=5

thenESM_MOD_LOG_MAX_BACKUPtakes priority and the value 5 isconsidered.

This key is similar toESM_LOG_MAX_BACKUPand is specific to theESMapplicationmodule.If both keys are definedin the agent.conf file,thenESM_MOD_LOG_MAX_BACKUPtakes priority.

ESM_MOD_LOG_MAX_BACKUP

Logging functionalityCCS agent version 11.0 and later

42

Table 2-1 Log levels for messages (continued)

ExampleDescriptionLog level

ESM_MOD_LOG_DIR= C:\ESMLog

The name of the log file is the shortname of the module. For example,acctinfo.log for Account Informationmodule.

Lets you configure thelog directory. If the logdirectory is notconfigured then thedefault directoryESM/system/hostname/is used. The directorycontains separate logfiles per module.

ESM_MOD_LOG_DIR

If the agent.conf file containsESM_MODULENAME_LOG_LEVEL=ESMCRITICALFAILURES,then the messages of only the criticallog level are logged.

If agent.conf file containsESM_MODULENAME_LOG_LEVEL=ESMCRITICALFAILURES|ESMPERFMANCETIMING,then the messages of only the criticallog level and the performance timingis logged.

In the key ESM_MODULENAME_LOG_LEVELtheMODULENAMEgetsreplaced by the name of the module.For example, to enable logs foracctinfo module the key isESM_ACCTINFO_LOG_LEVEL.

Default value: ESM_MODULENAME_LOG_LEVEL=ESMCRITICALFAILURES|ESMERRORS| ESMEXCEPTIONS

The log levels areconfigurable and arestored in the agent.conffile. Possible log levelsare:

■ ESMCRITICALFAILURES- By default, thecritical failures arelogged irrespectiveofthe log level.

■ ESMERRORS - Logserrors.

■ ESMEXCEPTIONS -Logs exceptions.

■ ESMWARNINGS -Logs warnings.

■ ESMINFORMATION- Logs informationalmessages.

■ ESMTRACE - Logsdebug information.

■ ESMPERFMANCETIMING- Logs performancetiming logs.

■ ESMAUDIT - Logsaudit.

■ ESMMAXIMUM-Fulllogging, includes alllog levels.

■ ESMNOLOG - Logsdisabled.

ESM_MODULENAME_LOG_LEVEL

43Logging functionalityCCS agent version 11.0 and later

Only those messages are logged whose log levels match the level that is specifiedin the agent.conf file.

ESM agent version 10.0 and earlier

About the log levels of messagesTheESM log level specifies the type and criticality of amessage. You canmanuallycreate a configuration file on the ESM agent computer and specify the log levelmessages that you want to be logged.

ESM checks the log level that you set in the configuration file and stores only thequalifying messages in the log file.

See “Creating the configuration file” on page 45.

You can specify the following log levels:

Table 2-2 Log levels of messages

DescriptionLog levels

All errors are logged.

The following are some examples of theerrors:

■ Template file not found

■ Configuration file not found

ESM_LOG_ERROR

All warnings are logged.ESM_LOG_WARNING

All information messages are logged.

The information that is gathered during apolicy run is also logged at this level.

Note: When you enable theESM_LOG_INFORMATION level, theperformance of the module may be affectedbecause all the information messages arelogged.

ESM_LOG_INFORMATION

All debug information is logged.ESM_LOG_TRACE

Includes all log levels except ESM_NO_LOG.ESM_LOG_MAXIMUM

Disable logging for the module.ESM_NO_LOG

Logging functionalityESM agent version 10.0 and earlier

44

You specify the log level in the LogLevel parameter of the configuration file. Forexample, to log the messages that are related to critical failures, specify the loglevel as follows:

[sybasediscovery_LogLevel] = ESM_LOG_TRACE

You can also specifymultiple log levels by separating themwith a pipe (|) characteras follows:

[sybasediscovery_LogLevel] = ESM_LOG_INFORMATION|ESM_LOG_ERROR

You can use log levels for specific operations as follows:

ESM_LOG_INFORMATION andESM_LOG_ERROR

For regular policy runs

ESM_LOG_INFORMATION,ESM_LOG_ERROR, and ESM_LOG_TRACE

To generate detailed logs for policy failure

Creating the configuration fileYou can create a configuration file named esmlog.conf in the<esm_install_dir>/config folder on theESMagent computer and specify the valuesthat ESM uses to store the logs of a module.

To create the configuration file

1 Change to the <esm_install_dir>/config folder.

2 Create a new text file and specify the parameters and their values.

3 Save the text file as esmlog.conf.

See “Parameters of the configuration file” on page 45.

The following is an example of the entries in the configuration file:

[MaxFileSize] = 1024

[NoofBackupFile] = 20

[LogFileDirectory] = <esm_install_dir>/system/agentname/logs

[sybasediscovery_LogLevel] = ESM_LOG_INFORMATION

Note: No default configuration file is shipped with the Sybase ASE modules. Youneed to manually create the file and specify the parameters in it.

Parameters of the configuration fileTable 2-3 lists the parameters that you need to specify in the configuration file.

45Logging functionalityESM agent version 10.0 and earlier

Table 2-3 Configuration file parameters

Default valueRange of valuesDescriptionParameter name

1 MB1 MB to 1024 MB (1GB)

Specify themaximum file sizefor the log file in MB

[MaxFileSize]

10 to 20Specify the numberof backup files of thelogs that can bestored per module.

For example, if thevalue ofNOOFBACKUPFILEis3, then ESM stores amaximum of threebackup files for themodule.

[NoOfBackupFile]

The directory/esm/system/<hostname>/tmp/

N/ASpecify the absolutepath to store the logfile and backup logfiles.

[LogFileDirectory]

ESM_LOG_ERRORN/ASpecify the log levelalong with the shortname of the module.

For example, to logall errormessages forthe Sybase ASEDiscovery module,specify the following:

[sybasediscovery_LogLevel]=ESM_LOG_ERROR

[<module>_LogLevel]

If the configuration file esmlog.conf is not present then the logging functionalityappears to be disabled and no logs are generated.

About the ESM agent log fileThe ESM agent computer now stores the log file esmlog.conf of the modules inthe directory that the user specifies. If the directory that the user specifies doesnot exist, then the module first creates the directory and then stores the log filesin it.


46

The log file has the following format:

<module_name>.log

The <module_name> is the short name of the module. For example, the log fileof the Sybase ASE Discovery module is named sybasediscovery.log. The backupfile name for Sybase ASE Discovery module is named sybasediscovery.log_1.bakand so on.

Note: During the process of logging, ESM locks the log file to store the logginginformation. If the log file is open at that time, the information about the logsmay be lost.

Format of the log fileA log file contains the following fields:

Table 2-4 Format of the log file

Serial number of the log file entry

The serial number is displayed inhexadecimal format.

The serial number is reset in the next policyrun on the module.

Serial Number

Thread identifier of the process thatgenerated the message

Thread ID

Name of the source file that generates themessage.

Source File Name

Line number in the source file from wherethe message generates

Line Number

Date on which the log was createdDate

Time at which the log was createdTime

Theactualmessage thatwasgeneratedalongwith the log level of that message.

Message

About the backup of logsWhen the log file reaches a specified size limit, ESM backs up the log file. Thissize limit is configurable and you can specify it in the MaxFileSize parameter ofthe configuration file.

47Logging functionalityESM agent version 10.0 and earlier

If the log file reaches the MaxFileSize value, ESM creates a backup of the log filedepending on theNoofBackupFile value that is specified in configuration file. Forexample, if the NoofBackupFile value is 0, ESM overwrites the existing log file, ifany, for the module.


48

Uninstalling ESMapplication modules forSybase ASE


■ Uninstall ESM application module

■ Silent uninstallation

Uninstall ESM application moduleYou can uninstall all the components of the ESM application module for SybaseASE that are installed on the ESM agent computer and unregister the modulefrom themanager. You can uninstall the ESM applicationmodule for Sybase ASEusing the uninstaller program.

The sybaseuninstall executable uninstalls the following components:

■ Application executables

■ Configuration files

■ Environment configuration files

■ Configuration file with server records

■ Property file

■ Sybase ASE application module version file

■ Application-specific log file

3Chapter

Running the uninstallation programYou can uninstall the application modules for Sybase ASE on the ESM agentcomputer by using the sybaseuninstall executable.

To uninstall the application module for Sybase ASE

1 OnUNIX, at the command prompt, type cd <path> to open the directory thatcorresponds to <Install_Dir>/esm/bin/<platform>/sybaseuninstall.

2 The This will uninstall the application module permanently. Do you wantto continue? [yes] message appears. Do one of the following:

■ Type a Y, if you want to continue with the uninstallation.

■ Type an N, if you want to exit.

3 The Do you want to register the agent to the manager after uninstallation?[yes] message appears. Do one of the following:

■ Type a Y, if you want to register the agent to the manager.The program informs themanager about the uninstallation of the SybaseASE Application module from the agent computer that is registered to it.

■ Type an N, if you do not want to register the agent to the manager.


Usually, it is the name of the computer that the manager is installed on.

5 Enter the name of the agent as it is currently registered to the ESMmanager.

Usually, it is the name of the computer that the agent is installed on.

6 Enter the ESM access name (logon name) for the manager.


8 Re-enter the password.

9 Enter the port that is used to contact the ESM Manager.

The default port is 5600.


■ Type a Y, the agent continues with the registration to the ESM manager.


Uninstalling ESM application modules for Sybase ASEUninstall ESM application module

50

Note:Theuninstaller programvalidates themanager namewith themanagername that is present in the manager.dat file. If the manager name does notmatch, the program reports a message, Specified manager is not found inmanager.dat file. Skipping re-registration for <manager name>.

11 The Would you like to add registration information of another manager?[no] message appears. Do one of the following:

■ Type a Y, the agent continues with the registration of another manager.

■ Type an N, the agent is successfully registered to the manager.

Note: If the uninstallation fails, thenESMrolls-back the uninstallation action andbrings back the agent to its original state.

Uninstallation logsThe uninstaller creates a log file for you to know about the changes that theuninstaller program performed. The log file, ESM_Sybase_Uninstall.log is storedin the system folder. The specified folder is located at<esm_install_dir>/ESM/system/<Host_Name>onUNIX.Theuninstaller programautomatically creates the log file and captures the uninstallation events and errorsin it.

Silent uninstallationYou can use the sybaseuninstall.exe to uninstall the ESM Sybase ASE modulesilently, by using the following command:

sybaseuninstall -S -m <manager> -N <agent> [-p <port>] [-mfile

<mgrfile>] -U <user> -P <password> or

sybaseuninstall -S -F <mgrfile> or

sybaseuninstall -S

Table 3-1 lists the command-line options for uninstalling the ESM Sybase ASEmodule silently

51Uninstalling ESM application modules for Sybase ASESilent uninstallation

Table 3-1 Options for silent uninstallation

DescriptionOption

Enters the interactivemode and invokes theuninstall operation.

-F

Enters the interactive mode and creates adata file with details of the ESM managerand user credentials.

-mfile

Invokes the uninstallation in a Silent Mode.

Note: If -S is specified without any otheroption then the re-registration is notperformed. The uninstall program entersthe interactive mode and invokes theuninstall operation.

-S

Specify the ESM manager name.-m

Specify the agent name as registered withthe ESM manager.

-N

Specify the TCP port to connect to the ESMmanager.

-p

Specify the ESM manager login ID.-U

Specify the ESM manager password.-P

Uninstalling ESM application modules for Sybase ASESilent uninstallation

52

Documents

Symantec Enterprise Security Manager Sybase Modules Installation · PDF fileSymantec™ Enterprise Security Manager Sybase Modules Installation Guide Documentation version 4.0 Thesoftwaredescribedinthisbookisfurnishedunderalicenseagreementandmaybeused