scm51 install

5/11/2018 Scm51 Install - slidepdf.com

http://slidepdf.com/reader/full/scm51-install 1/90

Tivoli ® Security Compliance Manager

Installation Guide: All Components

Version 5.1

GC32-1



Tivoli ® Security Compliance Manager

Installation Guide: All Components

Version 5.1

GC32-1



NoteBefore using this information and the product it supports, read the information in “Notices,” on page 71.

First Edition (May 2004)

This edition applies to version 5, release 1, modification 0 of IBM Tivoli Security Compliance Manager (productnumber 5724-F82) and to all subsequent releases and modifications until otherwise indicated in new editions.

© Copyright International Business Machines Corporation 2003, 2004. All rights reserved.US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contractwith IBM Corp.



Logging during installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67Frequently asked questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68

Invalid DB2 user ID and password given during install . . . . . . . . . . . . . . . . . . . 68Entered wrong DB2 password during server start . . . . . . . . . . . . . . . . . . . . . 68Deselected create database now box by mistake . . . . . . . . . . . . . . . . . . . . . . 68Forgot Tivoli Security Compliance Manager administrator password . . . . . . . . . . . . . . . 68Forgot Tivoli Security Compliance Manager administrator ID. . . . . . . . . . . . . . . . . . 69Forgot to reset UMASK before installation on UNIX-based or Linux platforms . . . . . . . . . . . . 69Used double-byte characters for my administrator user ID and/or password . . . . . . . . . . . . 69Forgot to select stash password during install and server will not start . . . . . . . . . . . . . . 69Selected stash password during install and server will not start . . . . . . . . . . . . . . . . . 70

Appendix. Notices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71Trademarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72

Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

iv Tivoli Security Compliance Manager: Installation Guide: All Components



Preface

The IBM® Tivoli® Security Compliance Manager Installation Guide: All Components book explains how to install and configure the IBM Tivoli Security Compliance

Manager software.

Tivoli Security Compliance Manager is a data collection service that gathers andstores a wide variety of information from multiple participating systems.Information types can include any data on a system, such as operating systemversions, software patch levels, and security-related data. System and securityadministrators can use the Tivoli Security Compliance Manager service to monitorspecific data checkpoints on any given machine (or group of machines).

Who should read this book

The target audience for this installation guide includes:

vSecurity administrators

v System administrators

Readers should be familiar with:

v TCP/IP

v DB2 Relational databases

v Security management, including authentication and authorization

What this book contains

This document contains the following chapters:

v Chapter 1, “Installation overview,” on page 1 describes the prerequisites forTivoli Security Compliance Manager.

v Chapter 2, “Installing the Tivoli Security Compliance Manager server,” on page 7describes how to install the server.

v Chapter 3, “Installing the Tivoli Security Compliance Manager client,” on page25 describes how to install the client.

v Chapter 4, “Installing the Tivoli Security Compliance Manager administrationutilities,” on page 37 describes how to install the administration utilities, whichinclude the administration console and the administration command lineinterface.

v Chapter 5, “Using the Tivoli Security Compliance Manager database utilities,” onpage 45 describes how to use the database utilities to configure the Tivoli

Security Compliance Manager DB2 database. This step is automaticallyperformed during a server install.

v Chapter 6, “Uninstalling Tivoli Security Compliance Manager,” on page 55describes how to remove any of the Tivoli Security Compliance Manager systemcomponents.

v Chapter 7, “After the installation has completed,” on page 63 describes what todo immediately after you have completed the installation.

v Chapter 8, “Alternate installation methods,” on page 65 describes how to installin silent mode using a response file to provide input or in console mode.

© Copyright IBM Corp. 2003, 2004 v



v Chapter 9, “Troubleshooting,” on page 67 describes solutions for problems thatyou might encounter during the installation of Tivoli Security ComplianceManager.

Publications

Read the descriptions of the IBM Tivoli Security Compliance Manager library, the

prerequisite publications, and the related publications to determine whichpublications you might find helpful. After you determine the publications youneed, refer to the instructions for accessing publications online.

IBM Tivoli Security Compliance Manager libraryThe publications in the IBM Tivoli Security Compliance Manager library are:

v IBM Tivoli Security Compliance Manager Installation Guide: All Components(GC32-1592-00)

Explains how to install and configure Tivoli Security Compliance Managersoftware.

v IBM Tivoli Security Compliance Manager Installation Guide: Client Component

(GC32-1593-00)Explains how to install and configure the Tivoli Security Compliance Managerclient component software.

v IBM Tivoli Security Compliance Manager Administration Guide (SC32-1594-00)

Explains how to manage and configure Tivoli Security Compliance Managerservices using the administration console.

v IBM Tivoli Security Compliance Manager Collector Development Guide (SC32-1595-00)

Explains how to design and implement custom Tivoli Security ComplianceManager collectors.

v IBM Tivoli Security Compliance Manager Warehouse Enablement Pack, Version 1.1Implementation Guide for Tivoli Data Warehouse, Version 1.2 (SC32-1596-00)

Explains how to integrate Tivoli Security Compliance Manager with Tivoli®

DataWarehouse.

v IBM Tivoli Security Compliance Manager Release Notes (GI11-4695-00)

Provides late-breaking information, such as software limitations, workarounds,and documentation updates.

Related publicationsThis section lists publications related to the Tivoli Security Compliance Managerlibrary.

The Tivoli Software Library provides a variety of Tivoli publications such as whitepapers, datasheets, demonstrations, redbooks, and announcement letters. The Tivoli

Software Library is available on the Web at:http://www.ibm.com/software/tivoli/library/

The Tivoli Software Glossary includes definitions for many of the technical termsrelated to Tivoli software. The Tivoli Software Glossary is available, in English only,from the Glossary link on the left side of the Tivoli Software Library Web pagehttp://www.ibm.com/software/tivoli/library/

IBM DB2 Universal Database™

IBM® DB2® Universal Database is required when using Tivoli Security ComplianceManager. Additional information about DB2 can be found at:

vi Tivoli Security Compliance Manager: Installation Guide: All Components

http://scm51_install.pdf/









http://scm51_install_client.pdf/









http://scm51_admin.pdf/







http://scm51_devguide.pdf/








http://scm51_tdwguide.pdf/


















http://scm51_relnotes.pdf/







http://www.ibm.com/software/tivoli/library/













http://www.ibm.com/software/data/db2/

Accessing publications onlineThe publications for this product are available online in Portable Document Format(PDF) or Hypertext Markup Language (HTML) format, or both in the Tivolisoftware library: http://www.ibm.com/software/tivoli/library

To locate product publications in the library, click the Product manuals link on theleft side of the library page. Then, locate and click the name of the product on theTivoli software information center page.

Product publications include release notes, installation guides, user’s guides,administrator’s guides, and developer’s references.

Note: To ensure proper printing of PDF publications, select the Fit to page check box in the Adobe Acrobat Print window (which is available when you clickFile → Print).

Accessibility

Accessibility features help a user who has a physical disability, such as restrictedmobility or limited vision, to use software products successfully. You can useassistive technologies to hear and navigate the product documentation. You alsocan use the keyboard instead of the mouse to operate some features of thegraphical user interface.

Tivoli technical training

For Tivoli technical training information, refer to the IBM Tivoli Education Website: http://www.ibm.com/software/tivoli/education.

Contacting software supportBefore contacting IBM Tivoli Software Support with a problem, refer to the IBMTivoli Software Support site by clicking the Tivoli support link at the followingWeb site: http://www.ibm.com/software/support/

If you need additional help, contact software support by using the methodsdescribed in the IBM Software Support Guide at the following Web site:http://techsupport.services.ibm.com/guides/handbook.html

The guide provides the following information:

v Registration and eligibility requirements for receiving support

v Telephone numbers, depending on the country in which you are located

v A list of information you should gather before contacting customer support

Conventions used in this book

This reference uses several conventions for special terms and actions and foroperating system-dependent commands and paths.

Typeface conventionsThe following typeface conventions are used in this reference:

Preface vii



http://www.ibm.com/software/tivoli/education/

http://www.ibm.com/software/support/

http://techsupport.services.ibm.com/guides/handbook.html

http://techsupport.services.ibm.com/guides/handbook.html

http://www.ibm.com/software/support/

http://www.ibm.com/software/tivoli/education/





Bold Lowercase commands or mixed case commands that are difficult todistinguish from surrounding text, keywords, parameters, options,names of Java classes, and objects are in bold.

Italic Variables, titles of publications, and special words or phrases thatare emphasized are in italic.

Monospace Code examples, command lines, screen output, file and directory

names that are difficult to distinguish from surrounding text,system messages, text that the user must type, and values forarguments or command options are in monospace.

Operating system differencesThis book uses the UNIX convention for specifying environment variables and fordirectory notation. When using the Windows command line, replace $variable with%variable% for environment variables and replace each forward slash (/) with a

backslash (\) in directory paths. If you are using the bash shell on a Windowssystem, you can use the UNIX conventions.

viii Tivoli Security Compliance Manager: Installation Guide: All Components



Chapter 1. Installation overview

This chapter lists the supported operating systems, prerequisites, and disk andmemory requirements for IBM Tivoli Security Compliance Manager. It also

suggests important things you should consider before you begin the productinstallation.

Supported operating systems

The following tables list the supported operating systems for the Tivoli SecurityCompliance Manager server, client, collectors, and administration utilities.

Note: Unless otherwise noted, for Linux systems only Intel, IA32 is supported.

Table 1. Server

Operating system Level Patch/maintenance level

AIX®

5.1 No fix pack requiredAIX 5.2 No fix pack required

Windows® 2000 Server Latest fix pack level

Sun Solaris 2.8 Latest fix pack level

Sun Solaris 2.9 Latest fix pack level

SUSE Linux EnterpriseServer

8 Latest fix pack level

Table 2. Clients, collectors, and proxy relay


AIX 5.1 Latest cumulative patchesAIX 5.2 Latest cumulative patches

HP-UX 11.0 Latest cumulative patches

HP-UX 11i Latest cumulative patches

Red Hat Linux 6.2 Latest cumulative patches







Sun Solaris 2.6 Latest cumulative patches




Windows NT® 4.0 Server Latest service pack andsecurity roll up package

© Copyright IBM Corp. 2003, 2004 1



Table 2. Clients, collectors, and proxy relay (continued)


Windows NT 4.0 Workstation Latest service pack andsecurity roll up package

Windows 2000 Server Latest service pack andsecurity roll up package

Windows 2000 Advanced Server Latest service pack andsecurity roll up package

Windows 2000 Professional Latest service pack andsecurity roll up package

Windows XP Professional Latest service pack andsecurity roll up package

Windows 2003 Server Standard Edition andEnterprise Edition

Latest service pack andsecurity roll up package

Red Hat Enterprise Linux 2.1 Latest cumulative patches

Red Hat Enterprise LinuxAdvanced Server

3.0 (see note below) Latest cumulative patches

Red Hat Enterprise Linux forzSeries

3.0 Latest cumulative patches

Red Hat Enterprise Linux foriSeries or pSeries


Red Hat Enterprise Linux forzSeries




SUSE LINUX 7.0 Latest cumulative patches

SUSE LINUX EnterpriseServer

8 Latest cumulative patches

SUSE LINUX EnterpriseServer for zSeries


SUSE LINUX EnterpriseServer for iSeries or pSeries


Note: The Red Hat Enterprise Linux Advanced Server 3.0 platform can only beinstalled using the console mode in Japanese. Please see “Console modeinstallation” on page 66 for more information on how to perform a consolemode install.

Table 3. Administration console




Table 4. Administration command line interface


AIX 5.1 Latest cumulative patches

2 Tivoli Security Compliance Manager: Installation Guide: All Components



Table 4. Administration command line interface (continued)


AIX 5.2 Latest cumulative patches


Windows 2000 Server Latest service pack andsecurity roll up package

Windows 2000 Advanced Server Latest service pack andsecurity roll up package




HP-UX 11 Latest cumulative patches

HP-UX 11i Latest cumulative patches

SUSE LINUX Enterprise

Server


Red Hat Linux 9 Latest cumulative patches



Red Hat Enterprise Linux foriSeries or pSeries


SUSE LINUX EnterpriseServer for iSeries or pSeries


Software prerequisites

All UNIX-based and Linux systems must have full X Windows (X11) support inplace for the installation to run correctly, regardless of whether or not the systemcontains a graphics card. See the installation media for the system’s operatingsystem to install X Windows (X11).

The following table lists the software prerequisites for the server.

Table 5. Server software prerequisites

Operating system Requirements

AIX 5.1 DB2 7.2 or 8.1

AIX 5.2 DB2 7.2 or 8.1

Windows 2000 Server DB2 7.2 or 8.1

Sun Solaris 2.8 DB2 7.2 or 8.1

Sun Solaris 2.9 DB2 7.2 or 8.1

SUSE LINUX Enterprise Server 8 for IA32 DB2 7.2 or 8.1

The Tivoli Security Compliance Manager 5.1 product package includes DB2 8.1.

The following table lists the software prerequisites for the HP-UX client andcommand line interface.

Chapter 1. Installation overview 3



Table 6. Client, collectors, and proxy relay software prerequisites

Operating system Requirements

HP-UX 11.0, 11i Java Runtime Environment (JRE) 1.3.1

Processor and memory requirements for server

The following table lists the processor and memory requirements for the server.

Table 7. Server processor and memory requirements

Type of Tivoli SecurityCompliance ManagerDeployment

Processor Memory Requirements

Small (1–500 clients) 1 512 MB RAM

Medium (501–2500 clients) 2 512 MB RAM

Large (2501–10,000 clients) 2–4 2–4 GB RAM

You need 5 MB of disk space to install the server package.

Disk and memory requirements for client and collectors

The following table lists the disk and memory requirements for the Tivoli SecurityCompliance Manager client and collectors.

Table 8. Disk and memory requirements for Tivoli Security Compliance Manager client

Client Platform Disk Requirementsfor InstallationDirectory

Disk Requirementsfor TemporaryDirectory

MemoryRequirements

AIX 64 MB 45 MB 75 MB RAM

HP-UX 64 MB 6 MB 75 MB RAM

Linux 64 MB 46 MB 75 MB RAM

Solaris 64 MB 65 MB 75 MB RAM

Windows 64 MB 44 MB 75 MB RAM

Note: The HP-UX platform values in the table are much smaller than the otherplatform values because the Java Runtime Environment is not packagedwith the HP-UX client.

Disk and memory requirements for proxy relay

The following table lists the disk and memory requirements for the Tivoli SecurityCompliance Manager client with the proxy relay collector.

Table 9. Disk and memory requirements for Tivoli Security Compliance Manager proxy relay



MemoryRequirements

AIX 64 MB 45 MB 256 MB RAMminimum, 512 MBRAM recommended




Table 9. Disk and memory requirements for Tivoli Security Compliance Manager proxy

relay (continued)



MemoryRequirements

HP-UX 64 MB 6 MB 256 MB RAMminimum, 512 MBRAM recommended

Linux 64 MB 46 MB 256 MB RAMminimum, 512 MBRAM recommended

Solaris 64 MB 65 MB 256 MB RAMminimum, 512 MBRAM recommended

Windows 64 MB 44 MB 256 MB RAMminimum, 512 MBRAM recommended


Disk and memory requirements for administration utilities

The following table lists the disk and memory requirements for the administrationconsole.

Table 10. Disk and memory requirements for Tivoli Security Compliance Manager

administration console

AdministrationConsole Platform

Disk Requirementsfor Installation

Directory

Disk Requirementsfor Temporary

Directory

MemoryRequirements


The following table lists the disk and memory requirements for the command lineinterface.

Table 11. Disk and memory requirements for Tivoli Security Compliance Manager command

line interface

Command LineInterface Platform

Disk Requirementsfor Installation

Directory

Disk Requirementsfor Temporary

Directory

MemoryRequirements

AIX 64 MB 45 MB 256 MB RAMminimum, 512 MBRAM recommended

HP-UX 64 MB 6 MB 256 MB RAMminimum, 512 MBRAM recommended

Linux 64 MB 46 MB 256 MB RAMminimum, 512 MBRAM recommended

Chapter 1. Installation overview 5



Table 11. Disk and memory requirements for Tivoli Security Compliance Manager command

line interface (continued)

Command LineInterface Platform

Disk Requirementsfor InstallationDirectory


MemoryRequirements

Solaris 64 MB 65 MB 256 MB RAMminimum, 512 MBRAM recommended



CD Layout

The Tivoli Security Compliance Manager 5.1 CD contains the following files anddirectories:

v /policies/Network_AIX.pol

v /policies/System_AIX.pol

v /policies/Network_Windows.pol

v /policies/System_Windows.pol

v scm_aix

v scm_hp11

v scm_linux

v scm_linux390

v scm_linuxppc

v scm_solaris

v scm_win32.exe

v scminstall.jar

The scm_aix, scm_hp11, scm_linux, scm_linux390, scm_linuxppc, scm_solaris,scm_win32.exe and scminstall.jar are the InstallShield executables and .jar fileneeded to install Tivoli Security Compliance Manager.




Chapter 2. Installing the Tivoli Security Compliance Managerserver

You can install the Tivoli Security Compliance Manager server on the platformslisted in “Supported operating systems” on page 1. The installation program is anInstallShield MultiPlatform package. When you install the server, theadministration utilities and database configuration utility are automaticallyincluded. The administration utilities includes the administration console, theadministration command line interface, and the proxy relay collector.Administration and usage information for the proxy relay, including configuration,can be found in the IBM Tivoli Security Compliance Manager Administration Guide.

Note: Do not attempt to run the administration console on unsupported platforms.Doing so may have unintended consequences on your Tivoli SecurityCompliance Manager installation.

Before you beginBefore you install the server:

v If you are reinstalling the server, stop the server before you attempt to reinstallit. See “Using the InstallShield MultiPlatform package to uninstall” on page 55for more information.

v The default installation directories are /opt/IBM/SCM directory on UNIX-basedplatforms and Linux platforms, and in the C:\Program Files\IBM\SCM directoryon Windows.

v For UNIX-based platforms and Linux platforms, the installation directory shouldnot be on the root file system. If the /opt directory is located in the root filesystem, consider one of the following options:

– Create a separate file system for /opt (the optimum solution).

– Create a separate file system for /opt/IBM or /opt/IBM/SCM

– Create a symbolic link from /opt to /usr/opt

– Create a symbolic link from /opt/IBM or /opt/IBM/SCM to some other filesystem (perhaps /usr/opt/IBM or /usr/opt/IBM/SCM).

The /opt directory is often a part of the root file system. Causing the root filesystem to fill up might impact other applications, including the operating systemitself. Changing the mount point does not remove the possibility of filling up afile system, but it does reduce the impact to other applications that are runningon the system. It localizes a file system problem to Tivoli Security ComplianceManager.

v

DB2 must be installed prior to installing Tivoli Security Compliance Managerserver. Consider making a separate file system for the DB2 database that is to beused by the server. This might be necessary if the server encounters DB2 errorsindicating that there is not enough space to store Tivoli Security ComplianceManager data. Creating a separate file system does not remove the possibility offilling up a file system but it does reduce the impact to other applications thatare using DB2 and using the file system that DB2 uses by default. If the filesystem has an error, it will be easier to isolate the problem to Tivoli SecurityCompliance Manager.

– A DB2 8.1 database may either be on the server machine, or on a remotemachine. In order to use a DB2 8.1 database on a remote machine, you will













need to place a copy of the db2java.zip and the db2jcc.jar files onto yourIBM Tivoli Security Compliance Manager server machine. These files must belocated in the same directory on the IBM Tivoli Security Compliance Managerserver. You will need to provide the fully-qualified directory path to thedb2java.zip file during install.

– A DB2 7.2 database may either be on the server machine, or on a remotemachine. In order to use a DB2 7.2 database on a remote machine, you willneed to place a copy of the db2java.zip file onto your IBM Tivoli SecurityCompliance Manager server machine. You will need to provide thefully-qualified directory path to the db2java.zip file during install.

v You need to know the DB2 instance ID and password.

v For UNIX-based and Linux systems, you must be logged on as the user ID root.

v For installations on UNIX-based or Linux platforms, set the umask to 022 for theTivoli Security Compliance Manager files to be installed with the correctpermissions for operations. If the umask is set to another value, the install willcomplete but the product will not run.

v For more information on alternative installation methods, including silent andconsole mode installations, see Chapter 8, “Alternate installation methods,” on

page 65.Additional server installation requirements are listed on the Welcome panel of theinstallation program.

Using the InstallShield MultiPlatform package to install

Tivoli Security Compliance Manager uses the InstallShield MultiPlatform (ISMP)tool for installation. Through the use of ISMP, a Java-based installation tool, acommon look and feel for installation is provided regardless of your operatingsystem. Configuration questions are provided by the installation, and a simpleconfiguration is performed during installation to get you up and running quickly.

When you use ISMP to install the Tivoli Security Compliance Manager server, youwill follow these steps regardless of your operating system:

1. Run the installation executable. The list of the platform-specific installationexecutables is located in Chapter 1, “Installation overview,” on page 1. Astartup window for the Java Virtual Machine, JVM, is displayed while the

JVM is loaded.

2. The Language Selection window is displayed. Select a language for theinstallation. Click OK.

Figure 1. Language Selection




3. The installation Welcome window is displayed. This window lists all therequired information for each Tivoli Security Compliance Managercomponent; use the scroll bar to display the required information for thecomponent you will be installing. Click Next.

4. The software license agreement is displayed. Accept the agreement and clickNext to continue.

Figure 2. Installation Welcome window

Chapter 2. Installing the Tivoli Security Compliance Manager server 9



5. The Installation Directory Location window is displayed. The Tivoli SecurityCompliance Manager server code is installed in the /opt/IBM/SCM directory onUNIX–based platforms and Linux platforms, and in the C:\ProgramFiles\IBM\SCM directory on Windows. Enter a different installation location inthis window if you do not want to use the default directory. Click Next.

Note: If you have already installed another Tivoli Security Compliance

Manager component, or are reinstalling the server, the InstallationDirectory Location window will not be displayed. The installationprogram will automatically install the server to the same location as thepreviously installed components.

Figure 3. Installation Directory Location window




6. The System Component Selection window is displayed. After the systemcomponent selection window opens, you will be able to continue yourinstallation based on the system component you have selected. Select IBMTivoli Security Compliance Manager Server and click Next.

Note: The IBM Tivoli Security Compliance Manager Database Configurationutility is automatically included with the server installation. After the

server installation has completed, a separate database configuration stepis not required.

Figure 4. System Component Selection window — Server




7. The Server E-mail Configuration window is displayed. Enter the SMTP e-mailserver host name that will be used by Tivoli Security Compliance Manager tosend e-mail notifications, and the e-mail address to send the notifications to.The e-mail address will be used as the From: field in the e-mail notificationsent by the Tivoli Security Compliance Manager server. Click Next tocontinue.

Figure 5. Server E-mail Configuration window




8. The Server Communication Configuration window is displayed. Enter theserver and client connection ports, and click Next. The server connection portdisplayed on this window is the port used for communications with theadministration console and with the administration command line interface.

Figure 6. Server Communication Configuration window




9. The Server Security Configuration window is displayed.

a. Enter the fully qualified host name of the server machine for the systemname for the certificate, and the password to be used for the masterkeystore and a separate password to be used for the server keystore. Thesepasswords must be at least six characters in length.

b. Select the check box to stash the server keystore password and enable the

server to start automatically after installation has completed; if you do notselect the box you will have to manually start the server and then enterthe server keystore password.

Additionally on Windows systems, if you choose not to store the serverkeystore password, the server service will not be installed as a Windowsserver. As a result, the server will not start automatically when theWindows machine is started. Instead, you will need to use the jacservercommand to start the server, and then you will be prompted for the serverkeystore password before launching the server.

Click Next to continue the installation.

Note: The master keystore password is used to generate the keystore.

Figure 7. Server Security Configuration window




10. The Database Location window is displayed.

v To use a database on the server machine, select The database is on thelocal machine, click Next, and continue onto the next step.

v To use a database on a remote machine, select The database is remote,click Next, and continue onto Step 13 on page 19

Figure 8. Database Location window




11. The Database Configuration window is displayed. A slightly different windowis displayed on Windows platforms as opposed to UNIX-based or Linuxplatforms.

v For Windows platforms, enter the following information:

– The DB2 user ID and password.

– The location of the .jar or .zip file that contains the DB2 JDBC driver.

Click the Browse button to navigate to the location of the .jar or .zipfile, or enter the location manually. The typical location for this file is:C:\Program Files\IBM\SQLLIB\java\db2java.zip

– The name of the DB2 JDBC driver. A default DB2 JDBC driver name isdisplayed.

– The URL to use for database connectivity. Leave the default for a localdatabase, and see your DB2 administrator for a remote database. Seeyour DB2 documentation for more information on how to configure

JDBC for DB2.

– Click Next to continue the installation and continue onto Step 12 on page18.

Figure 9. Database Configuration window — Windows Platform




v For UNIX-based and Linux platforms, enter the following information:

– The DB2 user ID and password.

– The location to create the DB2 database. If this field is left blank, theinstallation will use the default location of the database instance IDhome. If a location is specified in this field, that location will be used asthe location of the database.

– Select the check box to create the DB2 database as part of the serverinstallation. See the note in the next step for more details on the functionof the check box.

– Click Next to continue the installation and continue onto Step 15 on page22.

Figure 10. Database Configuration window — UNIX-based Platforms




12. A second Database Configuration window is displayed for Windowsplatforms. Select the check box to create the DB2 database as part of the serverinstallation. If you choose to not create the database as part of the serverinstallation, then the installation program will bypass the creation of thedatabase. Click Next to continue the installation and continue onto Step 15 onpage 22.

Note:

The check box option allows you to customize your databaseconfiguration by not installing the database with the defaultconfiguration. The default database used by IBM Tivoli SecurityCompliance Manager is called JAC. The table definitions are includedin the file INSTDIR/sql/jac.sql. The commands to create the databaseand the local node alias, SCM, are included as comments in the jac.sqlfile. You can either create the database JAC and the SCM local node aliasusing DB2 commands prior to using jac.sql, or uncomment thestatements in jac.sql.

There are two other files in the INSTDIR/sql/ directory that are usedduring database configuration: groups_and_roles.sql and admin.sql.The file groups_and_roles.sql contains the default administrationgroup and role definitions. The file admin.sql contains the commandsused to create the administrator user ID.

Figure 11. Second Database Configuration window — Windows Platform




The db2 –tvf <filename> command can be used to execute thecommands contained in the .sql files. When creating a customdatabase configuration, you should create the database tables using thejac.sql file before using the other two .sql files.

The IBM Tivoli Security Compliance Manager Server connects to the JAC database or the SCM alias using the configuration parameters

specified during installation. The database configuration options areincluded in the INSTDIR/server/server.ini file. The configurationoptions contained in the server.ini file must be valid for any databasecustomization.

13. For installations that will use a remote database, the Database Configurationwindow is displayed. Enter the following information:

Note: Although the information requested is the same, the order in which theinformation is requested differs between Windows platforms andUNIX-based or Linux platforms. The windows that follow show theorder for Windows platforms.

v The DB2 user ID and password.

v The location of the .jar or .zip file that contains the DB2 JDBC driver.Click the Browse button to navigate to the location of the .jar or .zip file,or enter the location manually. The typical location for this file is:

– Windows: C:\Program Files\IBM\SQLLIB\java\db2java.zip

– UNIX-based or Linux platforms:/home/db2instl/sqllib/java/db2java.zip

v The name of the DB2 JDBC driver. A default DB2 JDBC driver name isdisplayed.

v The URL to use for database connectivity. Leave the default for a localdatabase, and see your DB2 administrator for a remote database. See yourDB2 documentation for more information on how to configure JDBC forDB2.

v Click Next to continue the installation.




Figure 12. Database Configuration window




14. A Confirm Remote Database Exists window is displayed. This windowprompts you to check that the remote database exists and has been enabled touse the JDBC interface specified on the Database Configuration windows.Click Next to continue the installation and continue onto Step 16 on page 23.

Figure 13. Confirm Remote Database Exists window




15. The Administrator User ID Configuration window is displayed. Enter theTivoli Security Compliance Manager system administrator user ID andpassword, and click Next. The user ID and password entered on this windowwill be used as the primary administrator for the administration console orthe command line interface. The passwords must be at least six characters inlength.

Note: All administrator user IDs and passwords must contain only single-bytecharacters for the installation to complete successfully. Once the

installation is complete, you may use the administration console tochange the administrator user ID and password to contain double-bytecharacters.

Figure 14. Administrator User ID Configuration window




16. The Installation Summary window is displayed. This window displays theinstallation location, the system components to be installed, and theinstallation size. Click Next to begin the installation process.

Figure 15. Installation Summary window




17. An installation progress indicator will be displayed in place of the summarywindow. After the installation has completed, a results window is displayed.Click Finish to exit the installation.

18. After installation is complete, make sure to back up your server keys andkeystores. See the chapter on managing server keys and keystores in the IBMTivoli Security Compliance Manager Administration Guide for instructions onusing the administration console to create a back-up of the server keys andkeystores. In addition, refer to Chapter 7, “After the installation has

completed,” on page 63 for further post-installation recommendations.

Figure 16. Installation Results window













Chapter 3. Installing the Tivoli Security Compliance Managerclient

This chapter describes how to install the Tivoli Security Compliance Managerclient.

Before you begin

Before you install the client:

v If you are reinstalling the client, stop it before you attempt to reinstall it. See“Using the InstallShield MultiPlatform package to uninstall” on page 55 formore information.

v You will need the host name and port number of the Tivoli Security ComplianceManager server that the client will connect to.

v If you will install the client on a HP-UX system that is using Japanese as its

language, use the console mode installation or enter export LANG=C in yourcommand window prior to using the ISMP install. For more information on theconsole mode installation, see Chapter 8, “Alternate installation methods,” onpage 65.

v If you will install the client on a Linux for zSeries system or on a Linux for 390system, these systems do not come with a CD-ROM drive. You must load theCD on a workstation that has a CD-ROM and NFS mount it to the Linuxsystem, or FTP the scm_linux390 and scminstall.jar files to the Linux system.

v If you will install the client on a Linux for zSeries system, you must connect tothe Linux for zSeries installation file with a system that supports an X server, oruse the console mode when installing. See “Console mode installation” on page66 for more information on using the console mode install.

v

The Red Hat Enterprise Linux Advanced Server 3.0 platform can only beinstalled using the console mode in Japanese. Please see “Console modeinstallation” on page 66 for more information on how to perform a consolemode install.


v For more information on alternative installation methods, including silent andconsole mode installations, see Chapter 8, “Alternate installation methods,” onpage 65.

Additional client installation requirements are listed on the Welcome window ofthe installation program.

Using the InstallShield MultiPlatform Package to Install

Tivoli Security Compliance Manager uses the InstallShield MultiPlatform (ISMP)tool for installation on all supported client platforms. See Chapter 1, “Installationoverview,” on page 1 for a complete list of supported client platforms.

Through the use of ISMP, a Java-based installation tool, a common look and feelfor installation is provided regardless of your operating system. Configuration




questions are provided by the installation, and a simple configuration is performedduring installation to get you up and running quickly.

In addition to the regular product installation package, a stand-alone ISMP clientinstallation package is provided. This client-only installation is very similar to theregular product installation, but contains fewer screens. Differences between theregular and client-only installation packages are indicated throughout the

installation procedure.

When you use ISMP to install the Tivoli Security Compliance Manager client, youwill follow these steps regardless of your operating system:


JVM is loaded.







Note: This window is not displayed in the client-only installation.



Chapter 3. Installing the Tivoli Security Compliance Manager client 27



5. The Installation Directory Location window is displayed. The Tivoli SecurityCompliance Manager client code is installed in the /opt/IBM/SCM directory onUNIX-based platforms and the Linux platforms, and in the C:\ProgramFiles\IBM\SCM directory on Windows. Enter a different installation location inthis window if you do not want to use the default directory. Click Next.


Manager component, or are reinstalling the client, the InstallationDirectory Location window will not be displayed. The installationprogram will automatically install the client to the same location as thepreviously installed components.





6. The System Component Selection window is displayed. After the systemcomponent selection window opens, you will be able to continue yourinstallation based on the system component you have selected. Select IBMTivoli Security Compliance Manager Client and click Next.


Figure 20. System Component Selection window — Client




7. For client installations on the HP-UX platform, the Java Runtime Locationwindow is displayed. Enter the directory that contains the 1.3.1 JVM, and clickNext.

Figure 21. HP-UX Java Runtime Location window




8. The Client Communication Mode Configuration window is displayed. Enterthe client connection port, and the client communications mode. There are twocommunication modes:

Push A client that permits communication with the server to be initiated byeither the client or the server.

Pull A client that permits communication with the server to be initiated by

only the server.Defining a client as a push client permits communication with the server to beestablished by either the client or the server. In some network environments,however, inbound connections to the server might not be permitted. In thesecases, defining the client as a pull client forces the server to initiate allcommunications with the client. Pull clients are generally needed when theserver is located behind a firewall.

To install a push client, select Push and click Next. To install a pull client,select Pull, click Next, and proceed to Step 11 on page 34.

Figure 22. Client Communication Mode Configuration window




9. The Server Communication Configuration window is displayed. Enter theTivoli Security Compliance manager server host name and connection port forserver and client communications.

Select the check box if the client has a dynamic IP address, or if the IP addressor host name of the client changes frequently. Clear the check box if the clienthas a static IP address.


Figure 23. Server Communication Configuration window




10. For DHCP clients, the Client DHCP Configuration window is displayed. Youcan enter an optional DHCP client alias, or the system will use a default aliasof the client host name. Click Next to continue the installation.

Figure 24. Client DHCP Configuration window




Chapter 4. Installing the Tivoli Security Compliance Manageradministration utilities

This chapter provides instructions on how to install the Tivoli Security ComplianceManager administration utilities, which includes the administration console, theadministration command line interface, and the proxy relay collector.Administration and usage information for the proxy relay, including configuration,can be found in the IBM Tivoli Security Compliance Manager Administration Guide.

Before you begin

If you are reinstalling the administration utilities, first stop any administrationapplication you are using before you attempt to reinstall. See “Using theInstallShield MultiPlatform package to uninstall” on page 55 for more information.

For installations on UNIX-based or Linux platforms, set the umask to 022 for the

Tivoli Security Compliance Manager files to be installed with the correctpermissions for operations. If the umask is set to another value, the install willcomplete but the product will not run.

For more information on alternative installation methods, including silent andconsole mode installations, see Chapter 8, “Alternate installation methods,” onpage 65.

Additional administration utilities installation requirements are listed on theWelcome window of the installation program.

Using the InstallShield MultiPlatform Package to Install

Tivoli Security Compliance Manager uses the InstallShield MultiPlatform (ISMP)tool for installation on all supported administration console and administrationcommand line interface platforms. See Chapter 1, “Installation overview,” on page1 for a complete list of supported administration console and administrationcommand line interface platforms. The administration console is only supported onWindows platforms, and will not be installed on non-Windows platforms duringan administration utilities installation.

Through the use of ISMP, a Java-based installation tool, a common look and feelfor installation is provided regardless of your operating system. Configurationquestions are provided by the installation, and a simple configuration is performedduring installation to get you up and running quickly.

When you use ISMP to install the Tivoli Security Compliance Manageradministration utilities, you will follow these steps regardless of your operatingsystem:

1. Run the installation executable. The list of the platform specific installationexecutable are located in Chapter 1, “Installation overview,” on page 1. Astartup window for the Java Virtual Machine, JVM, is displayed while the JVMis loaded.














3. The installation Welcome window is displayed. This window lists all therequired information for each Tivoli Security Compliance Manager component;use the scroll bar to display the required information for the component youwill be installing. Click Next.







5. The Installation Directory Location window is displayed. The Tivoli SecurityCompliance Manager administration utilities code is installed in the/opt/IBM/SCM directory on UNIX-based platforms and the Linux platforms, andin the C:\Program Files\IBM\SCM directory on Windows. Enter a differentinstallation location in this window if you do not want to use the defaultdirectory. Click Next.

Note: If you have already installed another Tivoli Security ComplianceManager component, or are reinstalling the administration console or thecommand line interface, the Installation Directory Location window willnot be displayed. The installation program will automatically install theadministration console or administration command line interface to thesame location as the previously installed components.


Chapter 4. Installing the Tivoli Security Compliance Manager administration utilities 39



6. The System Component Selection window is displayed. After the systemcomponent selection window opens, you will be able to continue yourinstallation based on the system component you have selected. Select IBMTivoli Security Compliance Manager Administration Utilities and click Next.

Figure 30. System Component Selection window – Administration Utilities




7. For administration utilities installations on the HP-UX platform, the JavaRuntime Location window is displayed. Enter the directory that contains the1.3.1 JVM, and click Next.

Figure 31. HP-UX Java Runtime Location window




8. The Installation Summary window is displayed. This window displays theinstallation location, the system components to be installed, and the installationsize. Click Next to begin the installation process.

Figure 32. Installation Summary Window




Chapter 5. Using the Tivoli Security Compliance Managerdatabase utilities

This chapter describes how to use the Tivoli Security Compliance Managerdatabase utilities to configure the Tivoli Security Compliance Manager DB2database. The database utility is provided to configure DB2 databases that wereinstalled after the Tivoli Security Compliance Manager server was installed.

Before you begin

Before you use the database utilities:

v DB2 must be installed prior to installing Tivoli Security Compliance Manager.Consider making a separate file system for the DB2 database that is to be used

by the server. A separate file might be necessary if the server encounters DB2errors indicating that there is not enough space to store Tivoli SecurityCompliance Manager data. Creation of a separate file does not remove the

possibility of filling up a file system but it does reduce the impact to otherapplications that are using DB2 and using the file system that DB2 uses bydefault. If the file system has an error, it will be easier to isolate the problem toTivoli Security Compliance Manager.

v A DB2 8.1 database may either be on the server machine, or on a remotemachine. In order to use a DB2 8.1 database on a remote machine, you will needto place a copy of the db2java.zip and the db2jcc.jar files onto your IBM TivoliSecurity Compliance Manager server machine. These files must be located in thesame directory on the server, and you will need to provide the fully-qualifieddirectory path to the db2java.zip file during install.

v A DB2 7.2 database may either be on the server machine, or on a remotemachine. In order to use a DB2 7.2 database on a remote machine, you will need

to place a copy of the db2java.zip file onto your IBM Tivoli SecurityCompliance Manager server machine. You will need to provide thefully-qualified directory path to the db2java.zip file during install.

v You need to know the DB2 instance ID and password

v For UNIX-based and Linux systems, you must be logged on as the user ID root.


v For more information on alternative installation methods, including silent andconsole mode installations, see Chapter 8, “Alternate installation methods,” onpage 65.

Additional database utilities requirements are listed on the Welcome window ofthe installation program.




Using the InstallShield MultiPlatform package to run the database

utilities

Tivoli Security Compliance Manager uses the InstallShield MultiPlatform (ISMP)tool to run the database utilities. Through the use of ISMP, a Java-based installationtool, a common look and feel for installation is provided regardless of your

operating system. Configuration questions are provided by the installation, and asimple configuration is performed during installation to get you up and runningquickly.

When you use ISMP to run the Tivoli Security Compliance Manager databaseutilities, you will follow these steps regardless of your operating system:


JVM is loaded.









Chapter 5. Using the Tivoli Security Compliance Manager database utilities 47



5. The Installation Directory Location window is displayed. The Tivoli SecurityCompliance Manager server code is installed in the /opt/IBM/SCM directory onUNIX-based and Linux platforms, and in the C:\Program Files\IBM\SCMdirectory on Windows. Enter a different installation location in this window ifyou do not want to use the default directory. Click Next.


Manager component, the Installation Directory Location window willnot be displayed. The installation program will automatically install thedatabase configuration utilities to the same location as the previouslyinstalled components.





6. The System Component Selection window is displayed. After the systemcomponent selection window opens, you will be able to continue yourinstallation based on the system component you have selected. Select IBMTivoli Security Compliance Manager Database Configuration and click Next.

Figure 37. System Component Selection window – Database Configuration




7. The Database Configuration window is displayed. Enter the followinginformation:

v The DB2 user ID and password.

v The location of the .jar or .zip file that contains the DB2 JDBC driver.Click the Browse button to navigate to the location of the .jar or .zip file,or enter the location manually. The default location for this file is:

– Windows: C:\Program Files\IBM\SQLLIB\java\db2java.zip– UNIX–based platforms: /home/db2inst1/sqllib/java/db2java.zip

v The name of the DB2 JDBC driver. A default DB2 JDBC driver name isdisplayed.

v The URL to use for database connectivity. Leave the default for a localdatabase, and see your DB2 administrator for a remote database. See yourDB2 documentation for more information on how to configure JDBC forDB2.


Figure 38. Database Configuration window




8. A second Database Configuration window is displayed. Select the check boxto create the DB2 database.

This option allows you to customize your database configuration by notinstalling the database with the default configuration. The default databaseused by IBM Tivoli Security Compliance Manager is called JAC. The tabledefinitions are included in the file INSTDIR/sql/jac.sql. The commands tocreate the database and the local node alias, SCM, are included as comments inthe jac.sql file. You can either create the database JAC and the SCM local nodealias using DB2 commands prior to using jac.sql, or uncomment thestatements in jac.sql.

There are two other files in the INSTDIR/sql/ directory that are used duringdatabase configuration: groups_and_roles.sql and admin.sql. The filegroups_and_roles.sql contains the default administration group and roledefinitions. The file admin.sql contains the commands used to create theadministrator user ID.

The db2 –tvf <filename> command can be used to execute the commandscontained in the .sql files. When creating a custom database configuration,you should create the database tables using the jac.sql file before using theother two .sql files.

The IBM Tivoli Security Compliance Manager Server connects to the JACdatabase or the SCM alias using the configuration parameters specified duringinstallation. The database configuration options are included in theINSTDIR/server/server.ini file. The configuration options contained in theserver.ini file must be valid for any database customization.

Figure 39. Second Database Configuration window




9. The Administrator User ID Configuration window is displayed. Enter theTivoli Security Compliance Manager system administrator user ID andpassword, and click Next. The password must be at least six characters inlength.

Note: All administrator user IDs and passwords must contain only single-bytecharacters for the installation to complete successfully. Once the

installation is complete, you may use the Administration Console tochange the administrator user ID and password to contain double-bytecharacters.

Figure 40. Administrator User ID Configuration window




Chapter 6. Uninstalling Tivoli Security Compliance Manager

This chapter describes how to uninstall the system components of Tivoli SecurityCompliance Manager.

Before you begin

If you intend to uninstall your Tivoli Security Compliance Manager server andthen reinstall it and have your existing clients communicate without needing to bereinstalled, you must keep the keystore files currently being used for client-servercommunication. See the chapter on managing server keys and keystores in the IBMTivoli Security Compliance Manager Administration Guide for instructions on using theadministration console to create a backup copy of the server keys and keystores.

Using the InstallShield MultiPlatform package to uninstall

Tivoli Security Compliance Manager uses the InstallShield MultiPlatform (ISMP)tool for uninstallation on all system component supported platforms. SeeChapter 1, “Installation overview,” on page 1 for a complete list of systemcomponent supported platforms.

Through the use of ISMP, a Java-based installation tool, a common look and feelfor uninstallation is provided regardless of your operating system.

To uninstall any Tivoli Security Compliance Manager system component, use thefollowing steps:

1. Navigate to the uninstallation directory and run the uninstallation executable.The path to the platform specific uninstallation executables follows:

v UNIX-based platforms and Linux platforms: /opt/IBM/SCM/_uninst

v Windows platforms: C:\Program Files\IBM\SCM\_uninst

A startup window for the Java Virtual Machine, JVM, is displayed while the JVM is loaded.















3. The Uninstallation Welcome window is displayed. Click Next.

Figure 44. Uninstallation Welcome window




4. The Uninstallation Selection window is displayed. All installed Tivoli SecurityCompliance Manager system components are listed, and preselected, in thiswindow. Select the Tivoli Security Compliance Manager system components touninstall and click Next.


5. If you select to uninstall the server, the Confirm Keystore Deletion window isdisplayed.

If you intend to reinstall the server and have your existing clients communicatewithout needing to be reinstalled, you must keep the keystore files currently

being used for client-server communication. See the chapter on managingserver keys and keystores in the IBM Tivoli Security Compliance Manager Administration Guide for instructions on using the administration console tocreate a backup of the server keys and keystores.

Select the check box to delete the client server communication keystore file ifyou have a back-up copy or you do not intend to reinstall the server. Deselectthe check box to leave the two files, server.jksand master.jks, in theINSTDIR/server/keystores directory and uninstall the server. Click Next tocontinue.

Figure 45. Uninstallation Selection window

Chapter 6. Uninstalling Tivoli Security Compliance Manager 57












6. The Uninstallation Summary window is displayed. This window displays thedirectory location that the system components will be uninstalled from and thesystem components to be uninstalled. Click Next to begin the uninstallationprocess.

Figure 46. Uninstallation Summary window




7. A progress indicator will be displayed in place of the summary window. Afterthe uninstallation has completed, a results window is displayed. Click Next.

Figure 47. Uninstallation Results window




8. The uninstall wizard might require you to restart your computer to completethe uninstallation process. Click Finish to exit the uninstallation program.

Note: The uninstallation process on HP-UX systems will display a Next optionon the final uninstallation panel instead of a Finish option. Selecting theNext option will complete the uninstall.

Console mode Uninstallation

In addition to running the launcher executable, there are other methods of startingthe uninstallation that also might be useful. This section describes the way to startthe uninstallation program using a Java command with the –console option.Command examples are shown as if you have first used a cd (change directory)command to change to the /opt/IBM/SCM/_uninst directory on UNIX–based andLinux platforms, or to the C:\Program Files\IBM\SCM\_uninst directory onWindows.

To bypass the launcher executable and run the uninstallation in the non-graphicalmode, run the Java command with the –console option. An example of the Javacommand using the –console option follows:

For UNIX–based and Linux platforms: uninstaller.bin -consoleFor Windows: uninstaller.exe -console

This example starts the uninstallation in the non-graphical mode. If you arerunning the uninstallation from a remote host, use the non-graphical mode. Theuninstallation program does not run correctly with some window managers whenrun remotely.

Figure 48. Uninstallation System Restart window




Note: The console mode uninstallation process on HP-UX systems will display aNext option on the final uninstallation panel instead of a Finish option.Selecting the Next option will complete the uninstall.




Chapter 7. After the installation has completed

After you have installed the server, the client, and the administration console orcommand line interface or both, be sure to install the Tivoli Security Compliance

Manager collectors and policies from the product CD into a directory that theserver can read and write to. See the IBM Tivoli Security Compliance Manager Administration Guide for more information about using the collectors.

After you have installed Tivoli Security Compliance Manager, it is important toreview log space in DB2 to determine if you have adequate space for TivoliSecurity Compliance Manager logging requirements. You must have administratorauthority for DB2 to issue the following commands, which will enable you toreview the logging requirements and make changes, if necessary.

The values in the following commands are the minimum size needed for areasonably loaded system. If you are using a more heavily loaded system, you

might need to increase the log file size and or the number of log files.1. To see the current DB2 settings, issue the command: db2 get db cfg for JAC

2. To set the log file to 1000 4K pages, issue the command: db2 update db configfor JAC using LOGFILSIZ 1000

3. To set DB2 to use 30 circular log files, issue the command: db2 update dbconfig for JAC using LOGPRIMARY 30

4. After you make these changes, stop and then restart the server.













Chapter 8. Alternate installation methods

The Tivoli Security Compliance Manager InstallShield package provides the abilityto perform a silent installation, or to install in console mode. The following

sections provide details on both of these installation methods.

You can install in silent mode using a response file to provide input.

Silent install

Note: Before you begin be aware that ISMP does not report any errors in silentmode. Therefore, if you type any of the options incorrectly, the installationwill silently fail or respond unexpectedly. For example, if you are installingin /syslocal/tools/SCM and you were to type the command incorrectly, thecomponent would still be installed and there would be no error message.

The InstallShield MultiPlatform tool provides the capability to create a template filethat contains all possible responses. The tool also provides a record option thatallows you to record the responses given when installing a particular system.Response files created using these techniques can be used to perform silentinstallations.

Note: When performing a silent install on a Windows system, the InstallShieldprogram does not wait for the installation to complete before displaying anactive command window. The install will still be in progress once the userprompt is displayed, so check to ensure that the installation is complete

before using the command window.

In the examples given in this section for the platform variables, substitute one ofthe following: scm_aix, scm_hp11, scm_linux, scm_linux390, scm_linuxppc,scm_solaris, scm_win32.exe

To record a response file during an installation, enter the following command:

scm_ platform -options-record filename

where filename is the path name of the file to which the recorded response datawill be written.

Note: Using the -options-record on the Solaris platform causes invalid errormessages to be displayed. The options file that is created on Solaris can beused for silent installation.

To generate a template file, enter the following command:

scm_ platform -options-template filename

where filename is the path name of the file that the template response data will bewritten.

When the template generation successfully completes, you will receive thefollowing message:

Options file filename was successfully created




The template file that is created must be edited using a text editor as follows:

v For options you want to set, remove the three comment characters (###) at thestart of the option line.

v Replace value with the appropriate value for each uncommented option.

When you first perform a silent installation, use the -options-record option to

generate a response file from an actual installation. This option allows you tofamiliarize yourself with the data variables that can be set and with the validresponses. After you are familiar with the data that must be provided in theresponse file, you might find the -options-template option, which provides atemplate file of all possible responses, to be useful.

After you have created a response file with the desired data input, you can usethat file in a subsequent silent installation. For example, to perform a silentinstallation enter the following command:

scm_ platform -silent -options filename

where filename is the path name of the file that contains the response data to beused.

Console mode installation

In addition to running the launcher executable, there are other methods of startingthe installation that also might be useful. This section describes the way to start theinstallation program using a Java command with the –console option. Commandexamples are shown as if you have first used a cd (change directory) command tochange to the directory where the Tivoli Security Compliance Manager CD ismounted.

To bypass the launcher executable and run the installation in the non-graphicalmode, run the Java command with the –console option. An example of the Javacommand using the –console option follows:

scm_ platform -console

where platform is the installation executable platform.

This example starts the installation in the non-graphical mode. If you are runningthe installation from a remote host, use the non-graphical mode. The installationprogram does not run correctly with some window managers when run remotely.




Chapter 9. Troubleshooting

This chapter describes problems that you might encounter as you install andconfigure Tivoli Security Compliance Manager and it provides some solutions to

these problems.

Installing with an alternate temporary directory

The installation process can require a significant amount of temporary free spacethat is used to unpack and contain the bundled Java runtime environment andother installation files. Specific space requirements are documented in Chapter 1,“Installation overview,” on page 1.

If the temporary directory on your system does not contain sufficient free space toperform the installation, you must change the directory that is used for temporaryspace to one that does contain sufficient space.

Note: Before you install Tivoli Security Compliance Manager, the temporarydirectory must already exist; otherwise, the option is ignored.

To install a system component using an alternate directory for temporaryinstallation space, use the command:

launcher_name -is:tempdir temp_dir

where launcher_name is the name of the installation executable and temp_dir is thename of the directory that will be used to store temporary files.

Files left in temporary directory

Occasionally, InstallShield files are left in the temporary directory. This problemcan occur if you use Ctrl+c to cancel out of an installation, or if the installationabnormally terminates. Canceling the installation can also result in errors beinglogged and files being left on the system. If you cancel an installation before itcompletes successfully, or an installation abnormally terminates, make sure toremove all files in the installation directory; the default installation location is the/opt/IBM/SCM directory on UNIX–based platforms and Linux platforms, and theC:\Program Files\IBM\SCM directory on Windows.

Logging during installation

If an error occurs during the installation, then an installation log is automaticallygenerated. The log file, log.txt, will be placed into the installation locationdirectory. To perform an installation with additional logging, enter the followingcommand:

scm_ platform -log !fileName @ALL

where scm_ platform is one of the platform launchers for Tivoli SecurityCompliance Manager: scm_aix, scm_hp11, scm_linux, scm_linux390,scm_linuxppc, scm_solaris, scm_win32.exe. The @ALL parameter will log allinstallation events.




The ISMP installation program also stores information about the ISMP installedcomponents in a vital product data file called vpd.properties. This file is found invarious directories depending on the operating system, such as:

v Windows: %SystemRoot%\vpd.properties

v AIX: /usr/lib/objrepos/vpd.properties

v Linux: /root/vpd.properties

v HP-UX: /vpd.propertiesv Solaris: /vpd.properties

Frequently asked questions

The following section contains frequently asked installation troubleshootingquestions.

Invalid DB2 user ID and password given during installProblem: I entered an invalid DB2 user ID and password during install.

Solution: You can rerun the installation program by selecting the database

configuration option; this will recreate your database and tables. You will also haveto edit the INSTDIR/server/server.ini file to set the following values:

db.userid=<correct_userid_value>db.password=<correct_password_value>

where <correct_userid_value> is the valid DB2 user ID and<correct_password_value> is the valid DB2 password. You may enter the passwordas plain text, and it will be encrypted in the file for you.

Entered wrong DB2 password during server startProblem:I entered the wrong password for the DB2 user ID, and my server willnot start.

Solution: Edit the INSTDIR/server/server.ini file to correct the db.passwordvalue. You may enter the password as plain text, and when you start the server itwill be encrypted in the file for you.

Deselected create database now box by mistakeProblem: I deselected the check box to create the database as part of the serverinstallation, but I did not mean to.

Solution: Rerun the installation and select the database configuration option.Alternatively, you can edit the INSTALLDIR/sql/jac.sql file to uncomment the linesneeded to create the database and alias. See 8 on page 51 in the database

configuration chapter for more information.

Forgot Tivoli Security Compliance Manager administratorpassword

Problem: I forgot the password I entered for the Tivoli Security ComplianceManager administrator.

Solution: Contact IBM Tivoli Support for assistance.




Forgot Tivoli Security Compliance Manager administrator IDProblem: I forgot the user ID I entered for the Tivoli Security Compliance Manageradministrator.

Solution: Look in the file INSTDIR/sql/admin.sql.

Forgot to reset UMASK before installation on UNIX-based orLinux platformsProblem:I forgot to reset the UMASK parameter on my UNIX-based or Linuxmachine before beginning installation, and my commands will not run or arehaving problems executing wbindmsg.

Solution: Log in as the root user and use the chmod to change the command filepermissions and the INSTDIR/bin/wbindmsg file permissions. You may also need touse chmod on the /var/ibm/tivoli/common/HCV directory and its subdirectories.

Used double-byte characters for my administrator user IDand/or password

Problem:I entered an administrator ID and/or password that contains double-bytecharacters, and I can not log into my administration console.

Solution:Rerun the installation and select the database configuration option. Enteronly single-byte characters for the administrator ID and password.

Note: If you deselected the check box to create the database now, you can updateonly the affected tables as follows:

1. Use the db2 connect command to connect to the JAC database.

2. Use the db2 select userid command to select the administrator user IDfrom the jac_sys.users file.

3.

Use the db2 delete command to delete the administrator user ID fromthe jac_sys.users file where userid=<wrong_value>.

4. Use the db2 delete command to delete the administrator user IDpassword from the jac_sys.use_passwords file whereuserid=<wrong_value>.

5. Enter the following command:

db2 –tvf INSTDIR/sql/admin.sql

Forgot to select stash password during install and server willnot start

Problem: I deselected the stash password check box on the Server SecurityConfiguration window during installation, and my server fails to start when thesystem is rebooted.

Solution:Deselecting the stash password check box removes theserver.keystore.password value from the INSTDIR/server/server.ini file, butdoes not change the system entries to automatically start the server.

v To solve this problem on AIX systems, enter the following command:

rmitab ibmscmsrv

v To solve this problem on other UNIX-based systems, enter the followingcommands:

Chapter 9. Troubleshooting 69



cd /etcfind . | grep IBMSCMserver | xargs rm –f

v To solve this problem on a Windows system, enter the following command toremove the server as a Windows service:

scmserver –remove

Selected stash password during install and server will notstartProblem:I selected the stash password check box on the Server SecurityConfiguration window during installation, but my server does not automaticallystart when the system is rebooted.

Solution: Use the following steps to add the server to your system’s start upprocess:

Note: Make sure to replace the INSTDIR directory below with the directory whereyou installed Tivoli Security Compliance Manager.

v For AIX systems, enter the following command:

mkitab ibmscmsrv:2:once:INSTDIR/server/scmserver start 2>/dev/nullv For Solaris systems, make the following symbolic links:

ln –s INSTDIR/server/scmserver /etc/init.d/IBMSCMserverln –s INSTDIR/server/scmserver /etc/rc0.d/K10IBMSCMserverln –s INSTDIR/server/scmserver /etc/rc1.d/K10IBMSCMserverln –s INSTDIR/server/scmserver /etc/rc2.d/S99IBMSCMserverln –s INSTDIR/server/scmserver /etc/rcS.d/K10IBMSCMserver

v For Windows systems, enter the following command:

scmserver –install

v For Linux systems, make the following symbolic links:

ln –fs INSTDIR/server/scmserver /etc/init.d/IBMSCMserverln –fs ../IBMSCMserver /etc/init.d/rc0.d/K10IBMSCMserverln –fs ../IBMSCMserver /etc/init.d/rc1.d/K10IBMSCMserver

ln –fs ../IBMSCMserver /etc/init.d/rc2.d/S99IBMSCMserverln –fs ../IBMSCMserver /etc/init.d/rc3.d/S99IBMSCMserverln –fs ../IBMSCMserver /etc/init.d/rc4.d/S99IBMSCMserverln –fs ../IBMSCMserver /etc/init.d/rc5.d/S99IBMSCMserverln –fs ../IBMSCMserver /etc/init.d/rc6.d/K10IBMSCMserver




Appendix. Notices

This information was developed for products and services offered in the U.S.A.IBM may not offer the products, services, or features discussed in this document in

other countries. Consult your local IBM representative for information on theproducts and services currently available in your area. Any reference to an IBMproduct, program, or service is not intended to state or imply that only that IBMproduct, program, or service may be used. Any functionally equivalent product,program, or service that does not infringe any IBM intellectual property right may

be used instead. However, it is the user’s responsibility to evaluate and verify theoperation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matterdescribed in this document. The furnishing of this document does not give youany license to these patents. You can send license inquiries, in writing, to:

IBM Director of LicensingIBM Corporation500 Columbus AvenueThornwood, NY 10594U.S.A

For license inquiries regarding double-byte (DBCS) information, contact the IBMIntellectual Property Department in your country or send inquiries, in writing, to:

IBM World Trade Asia CorporationLicensing2-31 Roppongi 3-chome, Minato-kuTokyo 106, Japan

The following paragraph does not apply to the United Kingdom or any othercountry where such provisions are inconsistent with local law:INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THISPUBLICATION “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHEREXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIEDWARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESSFOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express orimplied warranties in certain transactions, therefore, this statement may not applyto you.

This information could include technical inaccuracies or typographical errors.Changes are periodically made to the information herein; these changes will be

incorporated in new editions of the publication. IBM may make improvementsand/or changes in the product(s) and/or the program(s) described in thispublication at any time without notice.

Any references in this information to non-IBM Web sites are provided forconvenience only and do not in any manner serve as an endorsement of those Websites. The materials at those Web sites are not part of the materials for this IBMproduct and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.




Licensees of this program who wish to have information about it for the purposeof enabling: (i) the exchange of information between independently createdprograms and other programs (including this one) and (ii) the mutual use of theinformation which has been exchanged, should contact:

IBM Corporation2Z4A/101

11400 Burnet RoadAustin, TX 78758USA

Such information may be available, subject to appropriate terms and conditions,including in some cases, payment of a fee.

The licensed program described in this information and all licensed materialavailable for it are provided by IBM under terms of the IBM Customer Agreement,IBM International Program License Agreement, or any equivalent agreement

between us.

Any performance data contained herein was determined in a controlledenvironment. Therefore, the results obtained in other operating environments mayvary significantly. Some measurements may have been made on development-levelsystems and there is no guarantee that these measurements will be the same ongenerally available systems. Furthermore, some measurement may have beenestimated through extrapolation. Actual results may vary. Users of this documentshould verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers ofthose products, their published announcements or other publicly available sources.IBM has not tested those products and cannot confirm the accuracy ofperformance, compatibility or any other claims related to non-IBM products.Questions on the capabilities of non-IBM products should be addressed to the

suppliers of those products.

All statements regarding IBM’s future direction or intent are subject to change orwithdrawal without notice, and represent goals and objectives only.

This information contains examples of data and reports used in daily businessoperations. To illustrate them as completely as possible, the examples include thenames of individuals, companies, brands, and products. All of these names arefictitious and any similarity to the names and addresses used by an actual businessenterprise is entirely coincidental.

If you are viewing this information softcopy, the photographs and colorillustrations may not appear.

Trademarks

The following terms are trademarks or registered trademarks of InternationalBusiness Machines Corporation in the United States, other countries, or both:

AIXDB2IBM




IBM logoTivoliTivoli logo

Microsoft, Windows, Windows NT, and the Windows logo are trademarks ofMicrosoft Corporation in the United States, other countries, or both.

Java and all Java-based trademarks and logos are trademarks or registeredtrademarks of Sun Microsystems, Inc. in the United States and other countries.

UNIX is a registered trademark of The Open Group in the United States and othercountries.

Other company, product, and service names may be trademarks or service marksof others.

Appendix. Notices 73



Glossary

collector. A software module that runs on a clientsystem and gathers data. This data is subsequently sent

to a server.

compliance query. An SQL query that extracts specificdata from the server database and returns a list ofclients that are in violation of specific securityrequirements.

delta table. A database table used for saving changeddata from subsequent runs of a collector.

disinherit. To remove actions from a role that wereoriginally copied from a template.

inherit. To copy actions to a role from a template.

policy. A set of one or more compliance queries usedto demonstrate the level of adherence to specificsecurity requirements.

policy bundle. A file containing the informationassociated with a policy, such as the compliancequeries, the collectors, and the associated schedules. Apolicy bundle permits the policy to be saved andsubsequently applied to other servers.

proxy relay. A special pull client that acts as a relay between the server and one or more clients. A proxyrelay is used to reach a limited number of clients thatare located behind a firewall, or that are in an

IP-address range that is not directly addressable by theserver.

pull client. A client that permits communication withthe server to be initiated by only the server.

push client. A client that permits communication withthe server to be initiated by either the client or theserver.

snapshot. The result of running all of the compliancequeries in a policy against a set of clients. A snapshotshows the number of violations and indicates whatclients are not adhering to the security requirements being tested by the compliance queries.




Index

Aaccessibility vii

administration utilities installation 37after installation 63alternate temporary installation directory 67

CCD layout 6client installation 25configuration

database 45console mode installation 66console mode uninstallation 60

Ddatabaseconfiguration 45

database utilities 45

Iinstallation

after completion 63console mode 66silent 65troubleshooting 67using an alternate temporary directory 67

installation prerequisites 1installing

administration utilities 37client 25server 7

InstallShield MultiPlatform uninstallation 55

Pproduct removal 55

Rreinstalling

administration utilities 37client 25

server 7related publications virunning database utilities 46

Sserver installation 7silent install

administration utilities 65client 65server 65

silent installation 65software prerequisites 1

Ttroubleshooting installation 67

Uuninstall

console mode 60InstallShield MutliPlatform 55

uninstalling 55




Printed in USA

GC32-1592-00

scm51 install

Documents