ESM Administrator's Guide Admin 6.9.1
HP ArcSight ESM
Software Version: 6.9.1c
Administrator's Guide
January 26, 2016

Legal Notices

Warranty
The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein. The information contained herein is subject to change without notice.

The network information used in the examples in this document (including IP addresses and hostnames) is for illustration purposes only.

HP ArcSight products are highly flexible and function as you configure them. The accessibility, integrity, and confidentiality of your data is your responsibility. Implement a comprehensive security strategy and follow good security practices.

This document is confidential.

Restricted Rights Legend
Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.

Copyright Notice
© Copyright 2016 Hewlett-Packard Development Company, L.P.
Follow this link to see a complete statement of copyrights and acknowledgements: https://www.protect724.hpe.com/docs/DOC-13026

Support Contact Information

Phone: A list of phone numbers is available on the HP ArcSight Technical Support Page: https://softwaresupport.hp.com/documents/10180/14684/esp-supportcontact-list
Support Web Site: https://softwaresupport.hp.com
Protect 724 Community: https://www.protect724.hpe.com

HP ESM (6.9.1c) Page 2 of 186

Contents

Chapter 1: Basic Administration Tasks 9
  Starting Components 9
  Starting the ArcSight Manager 9
  Decoupled Process Execution 9
  Stop Services Before Rebooting the ESM Server 10
  Stopping the ArcSight Manager 10
  Starting the ArcSight Console 10
  Reconnecting ArcSight Console to the Manager 10
  Starting the ArcSight Command Center 11
  Starting ArcSight SmartConnectors 11
  Reducing Impact of Anti-Virus Scanning 11
  License Tracking and Auditing 12
  ArcSight System Tasks 12
  Setting up a Custom Login Banner 13

Chapter 2: Configuration 14
  Managing and Changing Properties File Settings 14
  Property File Format 14
  Defaults and User Properties 14
  Editing Properties Files 15
  Dynamic Properties 16
  Example 17
  Changing Manager Properties Dynamically 18
  Changing the Service Layer Container Port 19
  Securing the Manager Properties File 20
  Adjusting Console Memory 20
  Adjusting Pattern Discovery 20
  Improving Annotation Query Performance 21
  Installing New License Files Obtained from HP 21
  Configuring Manager Logging 22
  Sending Logs and Diagnostics to HPE Support 23
  Guidelines for Using the sendlogs Command 23
  Gathering Logs and Diagnostic Information 24
  Reconfiguring the ArcSight Console After Installation 27
  Reconfiguring ArcSight Manager 27
  Changing ArcSight Command Center Session Timeout 27
  Managing Password Configuration 27
  Enforcing Good Password Selection 28
  Password Length 28
  Restricting Passwords Containing User Name 28
  Password Character Sets 28
  Requiring Mix of Characters in Passwords 29
  Checking Passwords with Regular Expressions 29
  Password Uniqueness 30
  Setting Password Expiration 31
  Restricting the Number of Failed Log Ins 31
  Disabling Inactive User Accounts 32
  Re-Enabling User Accounts 32
  Advanced Configuration for Asset Auto-Creation 32
  Asset Auto-Creation from Scanners in Dynamic Zones 32
  Create Asset with Either IP Address or Host Name 33
  Preserve Previous Assets 34
  Changing the Default Naming Scheme 35
  Compression and Turbo Modes for SmartConnectors 36
  Compressing SmartConnector Events 36
  Reducing Event Fields with Turbo Modes 36
  Sending Events as SNMP Traps 37
  Configuration of the SNMP Trap Sender 38
  Asset Aging 39
  Excluding Assets from Aging 40
  Disabling Assets of a Certain Age 40
  Deleting an Asset 41
  Amortize Model Confidence with Scanned Asset Age 41
  Tuning for Supporting Large Actor Models 42
  About Exporting Actors 42
  Setting Up ESM for MSSP Environments 43

Chapter 3: SSL Authentication 44
  SSL Authentication Terminology 44
  How SSL Works 48
  Certificate Types 49
  SSL Certificate Tasks 50
  Export a Key Pair 51
  Exporting a Key Pair Using keytool 51
  Exporting a Key Pair Using keytoolgui 51
  Import a Key Pair 52
  Importing a Key Pair Using keytool 52
  Importing a Key Pair Using keytoolgui 52
  Export a Certificate 53
  Exporting a Certificate Using keytool 53
  Exporting a Certificate Using keytoolgui 53
  Import a Certificate 54
  Importing a Certificate Using keytool 54
  Importing a Certificate Using keytoolgui 54
  Creating a Keystore 55
  Creating a Keystore Using keytool 55
  Creating a Keystore Using keytoolgui 56
  Generating a Key Pair 57
  Generating a Key Pair Using keytool 57
  Generating a Key Pair Using keytoolgui 57
  View Certificate Details From the Store 57
  Viewing a Certificate's Details from the Store Using keytool 58
  Viewing a Certificate's Details from the Store Using keytoolgui 58
  Delete a Certificate 58
  Deleting a Certificate Using keytool 58
  Deleting a Certificate Using keytoolgui 59
  Using a Self-Signed Certificate 59
  When Clients Communicate With One Manager 59
  When Clients Communicate With Multiple Managers 60
  Using a CA-Signed SSL Certificate 62
  Create a Key Pair for a CA-Signed Certificate 62
  Send for the CA-Signed Certificate 63
  Sending a CA-Signed Certificate Using keytool 63
  Sending a CA-Signed Certificate Using keytoolgui 64
  Import the CA Root Certificate 64
  Import the CA-Signed Certificate 65
  Restart the Manager 68
  Accommodating Additional Components 68
  Removing a Demo Certificate 69
  Replacing an Expired Certificate 69
  Establishing SSL Client Authentication 69
  Setting up SSL Client-Side Authentication on ArcSight Console 70
  Setting Up Client-Side Authentication for ACC 74
  Setting up Client-side Authentication on SmartConnectors 75
  Migrating From One Certificate Type to Another 76
  Migrating from Demo to Self-Signed 76
  Migrating from Demo to CA-Signed 77
  Migrating from Self-Signed to CA-Signed 77
  Verifying SSL Certificate Use 77
  Sample Output for Verifying SSL Certificate Use 78
  Using Certificates to Authenticate Users to the Manager 78
  Using the Certificate Revocation List (CRL) 79

Chapter 4: Running the Manager Configuration Wizard 80
  Running the Wizard 80
  Authentication Details 82
  How External Authentication Works 83
  Guidelines for Setting Up External Authentication 83
  Password Based Authentication 83
  Built-In Authentication 83
  Setting up RADIUS Authentication 84
  Setting up Active Directory User Authentication 84
  Configuring AD SSL 85
  Setting up LDAP Authentication 85
  Configuring LDAP SSL 86
  Using a Custom Authentication Scheme 86
  Password Based and SSL Client Based Authentication 87
  Password Based or SSL Client Based Authentication 87
  SSL Client Only Authentication 87

Appendix A: Administrative Commands 88
  ArcSight_Services Command 88
  ArcSight Commands 89
  CORR-Engine ArcSight Commands 134

Appendix B: Troubleshooting 138
  General 138
  Pattern Discovery Performance 140
  Query and Trend Performance Tuning 141
  SmartConnectors 142
  ArcSight Console 143
  Case Data Fields Appear Blank 145
  Manager 145
  CORR Engine - Temporary Sort Space Exceeded 147
  SSL 148

Appendix C: The Logfu Command 150
  Running Logfu 150
  Example 152
  Troubleshooting 153
  Menu 154
  Typical Data Attributes 154
  Intervals 155

Appendix D: Creating Custom E-mails Using Velocity Templates 157
  Velocity Templates 157
  Notification Velocity Templates 157
  Commonly Used Elements in Email.vm and Informative.vm Files 158
  The #if statement 158
  Contents of Email.vm and Informative.vm 158
  Using Email.vm and Informative.vm Template Files 159
  Understanding the Customization Process 159
  Customizing the Template Files 160
  Sample Output 161

Appendix E: Configuration Changes Related to FIPS 163
  Tools Used to Configure Components in FIPS 163
  FIPS Encryption 164
  Types of Key Pairs Used in FIPS Mode 164
  Types of Certificates Used in FIPS Mode 165
  Using a Self-Signed Certificate 165
  Using a Certificate Authority (CA) Signed Certificate 165
  Steps Performed on the Manager 166
  Steps Performed on the ArcSight Console 167
  Some Often-Used SSL-Related Procedures 168
  Generating a Key Pair in a Component's NSS DB 168
  On the Manager 168
  On the Console 169
  Verifying Whether the Key Pair Has Been Successfully Created 170
  Viewing the Contents of the Manager Certificate 170
  Exporting Certificates 170
  Exporting a Certificate From the Manager 170
  Exporting a Certificate From the Console 171
  Importing a Certificate into the NSS DB 171
  On the Manager 171
  On a Client 172
  Importing an Existing Key Pair into the NSS DB 172
  Setting up Server-Side Authentication 173
  Setting up Client-Side Authentication 173
  Changing the Password for NSS DB 174
  Listing the Contents of the NSS DB 175
  Viewing the Contents of a Certificate 175
  Setting the Expiration Date of a Certificate 176
  Deleting a Certificate from NSS DB 176
  Replacing an Expired Certificate 176
  Using the Certificate Revocation List (CRL) 177
  Configuration Required to Support Suite B 178
  Generating a Key Pair on the Manager 178
  Exporting the Manager's Certificate to Clients 180
  Importing a Certificate into the Manager 180
  Changing a Default Mode Installation to FIPS 140-2 181
  Manager 181
  ArcSight Console 183
  Connectors 185
  Configure Your Browser for FIPS 185

Send Documentation Feedback 186

Chapter 1: Basic Administration Tasks

This chapter describes tasks you can perform to effectively manage the installation or to perform additional configuration and maintenance operations for ESM components.

Some administrator tasks necessary to manage ESM are performed in the Command Center or the ArcSight Console. The details for performing such tasks are documented in the ArcSight Command Center User's Guide or the ArcSight Console User's Guide. Helpful topics in the ArcSight Console Guide include:
- Managing Users and Permissions
- Modeling the Network
- Filtering Events
- Managing Resources
- Managing SmartConnectors
- Managing Partitions

Starting Components

Start the Manager from a command or console window, or set up the Manager as a daemon. The remainder of this section provides more information about command line options to start, shut down, configure, or reconfigure ESM components. It also describes how to set up the Manager as a daemon if you did not originally configure the Manager that way.

Starting the ArcSight Manager

If the Manager is not configured to run either as a daemon or a service, start it by running the following command as user arcsight:

/etc/init.d/arcsight_services start manager

When you start the Manager as a service, monitor whether it has loaded successfully with this command:

cd ARCSIGHT_HOME; tail -f logs/default/server.std.log

Decoupled Process Execution

On UNIX-based systems, the Manager uses decoupled process execution to perform specific tasks, for example, to run a very large report.
Decoupled process execution uses a stand-alone process executor (instead of "in process" or "direct process" execution) and sends the commands to be executed via the file system. The process executor uses the /tmp directory, so restrict system-level access to this directory.

The process executor is used by default on all Unix platforms. The Manager scripts ensure that the process executor runs as a daemon before the Manager is started. This has some implications for troubleshooting Manager startup and runtime problems: a Manager configured to use the process executor does not start unless it detects a running process executor. The process executor runs within its own watchdog, like the Manager, so if the process stops for any reason it restarts automatically. The process executor is transparent to users with regard to how the Manager is started or stopped.

The stdout and stderr of the executed process are written to the following two files:
/tmp/[commandfile-name].stdout
/tmp/[commandfile-name].stderr

Stop Services Before Rebooting the ESM Server

Before performing a reboot, run the following command as the user arcsight:

/etc/init.d/arcsight_services stop all

Performing a clean shutdown of services in this way ensures the integrity of your ESM databases.

Stopping the ArcSight Manager

Stop the Manager service by running the following command as user arcsight:

/etc/init.d/arcsight_services stop manager

Starting the ArcSight Console

To start the ArcSight Console:
1. Open a command window in the /bin directory.
2. Type the following line and press Enter:
./arcsight console (on Linux)
arcsight console (on Windows)

Reconnecting ArcSight Console to the Manager

If the ArcSight Console loses its connection to the Manager (because the Manager was restarted, for example), a dialog box appears in the ArcSight Console stating that your connection to the Manager has been lost. Wait for the Manager to finish restarting, if applicable. Click Retry to re-establish a connection to the Manager, or click Relogin.

Note: The connection to the Manager cannot be re-established while the Manager is restarting. In some cases, a connection cannot be established without resetting one or both machines. Clicking Retry may display connection exceptions while the Manager is restarting, or as the connection is re-established.

Starting the ArcSight Command Center

To start the Command Center from a supported browser, enter the following URL:

https://<Manager host>:8443/

where <Manager host> is the host name or IP address of the Manager that you specified when you first configured ESM.

Starting ArcSight SmartConnectors

This procedure is only for SmartConnectors that are not running as a service.

Before you start ArcSight SmartConnectors, make sure the Manager is running. It is also a good idea to have the ArcSight Console running, so that you can see the status of the configured SmartConnectors and view messages as they appear on the Console.

To start an ArcSight SmartConnector:
1. Open a command window and navigate to the connector's /current/bin directory.
2. Type the following line and press Enter:
./arcsight agents (on Linux)
arcsight agents (on Windows)

The connector in that folder starts.

Reducing Impact of Anti-Virus Scanning

Files in certain directories are updated frequently; for example, the log directory.
When an anti-virus application monitors these directories, it can impact the system in these ways:
- It can place a large and constant load on the CPU of the machine.
- It can slow the system down, because frequent scanning can impede writes to disk.

Therefore, we recommend that you exclude the following directories (and any subdirectories under them) in the ArcSight installation directory from the virus scan list:
- caches/server
- logs
- system
- tmp
- user, but include the user/agent/lib directory in the scan
- archive

You may include any directories in the installation directory that contain your own files.

License Tracking and Auditing

The system automatically maintains a license audit history that allows you to see how many licenses are in use. When users log into the Console they receive a warning notifying them if they have exceeded their current license. ESM creates an internal audit event for each licensable component to help users track which areas have been exceeded.

There are licensing reports on individual features. These reports are located in /All Reports/ArcSight Administration/ESM/Licensing/. The reports provide a summary of the number of Actors, Assets, Users, Devices, and EPS identified over the last week.

ArcSight System Tasks

These system tasks are scheduled to run automatically one or more times per day, depending on the task. You can control some of these schedules indirectly, for example by changing the retention period.

AUP Updater: This task runs in the Manager and pushes to connectors any updated AUP packages it might have.
Dependent Resource Validator: This task runs validations on resources in the system and disables the ones that have problems.
PurgeStaleMarkSimilarConfigs: This task does maintenance work on the 'mark similar' annotation criteria, removing the ones that are stale.
Resource Search Index Updater: This task updates the resource search index.
Sortable Fields Updater: This task keeps sortable event fields synchronized, based on the current indexes in the database.
Table Stats Updater: This task updates statistics on the non-partitioned schema tables, which include the resource tables.

Setting up a Custom Login Banner

You can configure the Manager to return a custom login message that is displayed to users logging in to the ArcSight Console. Set the following property in server.properties:

auth.login.banner=config/loginbanner.txt

This property configures the Manager to send the text from the file /config/loginbanner.txt whenever a user runs the ArcSight Console. Changes to the properties file take effect the next time the Manager is started.

Create a text file named loginbanner.txt in the /config directory. This feature is often used to display a legal disclaimer message. Users must close the message window before they can log in.

Chapter 2: Configuration

This chapter describes the various tasks that you can perform to manage the component configuration.

Managing and Changing Properties File Settings

Various components use properties files for configuration. Many sections of this documentation require you to change properties in those files. Some of the properties files are also modified when you use one of the configuration wizards.

Property File Format

Properties files are text files containing pairs of keys and values. The keys specify the setting to configure. For example, the following property configures the port on which the Manager listens:

servletcontainer.jetty311.encrypted.port=8443

Blank lines and lines that start with a pound sign (#) are ignored. Use the pound sign for comments.

Defaults and User Properties

Most properties files come in pairs. The first is the defaults properties file, such as server.defaults.properties. It contains the default settings.
Do not modify these files; use them as a reference. They are overwritten upon upgrade.

The second file is the user properties file, such as server.properties. It can contain any properties from the defaults properties file, but the property values in this file override those in the defaults file. Thus, it contains settings that are specific to a particular installation. Typically, the user properties file for a component is created and modified automatically when you configure the component using its configuration wizard.

Because the user properties file contains settings you specify to suit your environment, it is never replaced by an upgrade. If an upgrade, such as a service pack or a version update, changes any properties, it does so in the defaults file.

The following table lists the most important properties files.

Default Properties                   User Properties            Purpose
config/server.defaults.properties    config/server.properties   Manager Configuration
config/console.defaults.properties   config/console.properties  ArcSight Console Configuration
config/client.defaults.properties    config/client.properties   ArcSight Common Client Configuration
config/logger.defaults.properties    config/logger.properties   Features exposed on the ACC

Editing Properties Files

When you edit a properties file, copy the property to edit from the *.defaults.properties file to *.properties and change the setting to your new value in *.properties. When you install an upgrade and the *.defaults.properties file is updated, the properties you customized in *.properties remain unchanged.

You can edit the properties using any text editor. Make sure you use one that does not add any characters such as formatting codes.

If you configured the Console and SmartConnectors using default settings in the configuration wizard, a user properties file is not created automatically for that component.
If you need to override a setting on such a component, use a text editor to create this file in the directory specified in the above table.

When you edit a property on a component, you must restart the component for the new values to take effect, except for the dynamic Manager properties listed in the next section.

If you change a communication port, be sure to change both sides of the connection. For example, if you configure a Manager to listen on a port other than 8443, be sure to configure all the Manager's clients (Consoles, SmartConnectors, and so on) to use the new port as well.

Protocol   Port          Configuration
ICMP       none          ArcSight Console to Target communication (ping tool)
UDP        1645 or 1812  Manager to RADIUS server (if enabled)
           9090          ESM Service Layer Container Port
           9000          Used by the Manager for peering
TCP        8443          SmartConnectors, ArcSight Command Center, and ArcSight Console to Manager communication
TCP        636           Manager to LDAP server (with SSL, if enabled)
TCP        389           Manager to LDAP server (without SSL, if enabled)
TCP        143           Manager to IMAP server (for Notifications)
TCP        110           Manager to POP3 server (for Notifications)
UDP/TCP    53            ArcSight Console to DNS Server communication (nslookup tool)
UDP/TCP    43            ArcSight Console to Whois Server communication (whois tool)
TCP        25            Manager to SMTP server (for Notifications)

Dynamic Properties

When you change the following properties in the server.properties file on the Manager, you do not need to restart the Manager for the changes to take effect:
- auth.auto.reenable.time
- auth.enforce.single.sessions.console
- auth.enforce.single.sessions.web
- auth.failed.max
- auth.password.age
- auth.password.age.exclude
- auth.password.different.min
- auth.password.length.max
- auth.password.length.min
- auth.password.letters.max
- auth.password.letters.min
- auth.password.maxconsecutive
- auth.password.maxoldsubstring
- auth.password.numbers.max
- auth.password.numbers.min
- auth.password.others.max
- auth.password.others.min
- auth.password.regex.match
- auth.password.regex.reject
- auth.password.unique
- auth.password.userid.allowed
- auth.password.whitespace.max
- auth.password.whitespace.min
- external.export.interval
- process.execute.direct
- servletcontainer.jetty311.log
- servletcontainer.jetty311.socket.https.expirationwarn.days
- ssl.debug
- whine.notify.emails
- xmlrpc.accept.ips

After you make the change, use the manager-reload-config command to load those changes into the Manager. Every time the manager-reload-config command succeeds, a copy of the server.properties file it loaded is placed in /config/history for backup purposes. The server.properties file in /config/history is suffixed with a timestamp and does not overwrite the existing versions, as described in the following example.

Example

Manager M1 starts successfully for the first time on September 26, 2013, at 2:45 p.m. A backup copy of its server.properties file is written to /config/history with this timestamp:

server.properties.2013_09_26_14_45_27_718

On September 27, 2013, the M1 administrator adds the following property to the server.properties file:

notification.aggregation.max_notifications=150

When the administrator runs the manager-reload-config command at 1:05 p.m. the same day, it runs successfully because this property can be loaded dynamically. As soon as the updated server.properties file is loaded into M1's memory, a backup copy of the updated server.properties file is written to /config/history with the appropriate timestamp.
Now, /config/history contains these two backup files:

server.properties.2014_09_26_14_45_27_718
server.properties.2014_09_27_01_05_40_615

On September 28, 2014, the M1 administrator adds this property to the server.properties file:

notification.aggregation.time_window=2d

As this property can also be loaded dynamically, similar to the previous change, after the updated server.properties is loaded into M1's memory a backup copy of the server.properties file is written to /config/history with the appropriate timestamp. Now, /config/history contains these three backup files:

server.properties.2014_09_26_14_45_27_718
server.properties.2014_09_27_01_05_40_615
server.properties.2014_09_28_03_25_45_312

On September 30, 2014, the M1 administrator updates the whine.notify.emails property in the server.properties file. When the administrator runs the manager-reload-config command, the command fails because this property cannot be loaded dynamically. As a result, these things happen:
- The updated server.properties file is not loaded into M1's memory; however, the changes made to it are not reverted.
- M1 continues to use the properties that were loaded on September 29th.
- No backup copy is made. The /config/history directory continues to contain the same three backup files:

server.properties.2014_09_26_14_45_27_718
server.properties.2014_09_27_01_05_40_615
server.properties.2014_09_28_03_25_45_312

The changes made on September 30th are not effective until M1 is restarted.

Changing Manager Properties Dynamically

To change any of the properties listed previously, do these steps:
1. Change the property in the server.properties file and save the file.
2. (Optional) Use the -diff option of the manager-reload-config command to view the difference between the server properties the Manager is currently using and the properties that would be loaded after you run this command:

arcsight manager-reload-config -diff

Note: The -diff option compares all server properties (default and user properties). For all options available with the manager-reload-config command, see "Administrative Commands" on page 88.

3. Run this command in /bin to load the new property values:

arcsight manager-reload-config

If this command fails with a warning, it means you are changing properties that require a Manager restart. In that case, none of the property changes are applied, including the ones that do not require a restart. You can:
- Revert the changes to properties that require restarting the Manager and rerun the manager-reload-config command.
- Force an update of all properties using the -as option, as follows:

arcsight manager-reload-config -as

When you use the -as option, the properties that can be changed without restarting the Manager take effect immediately. The properties that require a Manager restart are updated in server.properties but are not effective until the Manager is restarted.

For example, if you change auth.password.length.min to 7 and search.enabled to false, you get the above warning because only auth.password.length.min can be updated without restarting the Manager. If you force an update of the server.properties file, auth.password.length.min is set to 7, but search.enabled continues to be set to true until the Manager is restarted.

Note: Be careful when using the -as option to force a reload of properties. If an invalid static change is made, it may prevent the Manager from starting up after it reboots.

Changing the Service Layer Container Port

By default the service layer container port is 9090. To change this port:
1. Modify the following files located in the Manager's installation directory:
   - /arcsight-dm com.arcsight.dm.plugins.tomcatServer_7.0.21/conf/server.xml
   - /config/proxy.rule.xml
   - /config/rewriteProxy.rule.xml
   Make sure to replace the references to port 9090 with an unused port number.
2. Restart the Manager.

Securing the Manager Properties File

The Manager's server.properties file contains sensitive information such as database passwords, keystore passwords, and so on. Someone with access to the information in this file can do a number of things, such as tampering with the database and acting as a Manager. Protect the server.properties file so that only the user account under which the Manager is running is able to read it. For example, on Unix you can use the chmod command:

chmod 600 server.properties

This operation is performed during the Manager installation. As a result, only the owner of the file, which must be the user that runs the Manager, may read or write the file. For all other users, access to the file is denied.

Note: You can also protect the server.properties file on Windows systems with an NTFS file system using Microsoft Windows Access Control Lists (ACLs).

Adjusting Console Memory

Because the ArcSight Console can open up to ten independent event-viewing channels, out-of-memory errors may occur. If such errors occur, or if you simply anticipate using numerous channels for operations or analysis, make the following change to each affected Console installation. In the bin/scripts directory, in the Windows console configuration file or in console.sh, edit the memory usage range for the Java Virtual Machine.

Adjusting Pattern Discovery

Note: Pattern Discovery is not supported on ESM on an appliance.

By default, Pattern Discovery limits its memory usage to about 4 GB of memory. However, if the search for patterns involves too many transactions and events, the task can run out of memory and abort.
To control the memory limit indirectly, change the maximum number of transactions and events the Pattern Discovery task can hold in memory. The settings for these values are in the server.defaults.properties file in the config folder. Place the changed versions in the server.properties file to supersede the defaults.
- patterns.transactionbase.max: The maximum number of transactions allowed in memory. If you exceed this, the transactions are stored in a page file. The default is 10000.
- patterns.maxSupporterCost: The maximum number of supporters allowed in memory. If you exceed this number, the Pattern Discovery task aborts. The default is 80000.
- patterns.maxUniqueEvents: The maximum number of unique events allowed in memory. If you exceed this number, the Pattern Discovery task aborts. The default is 20000.
- patterns.timeSpreadCalculation: Set to false to avoid calculating timespread statistics, which can take a lot of resources.

If you experience performance issues while "Extracting Pattern for Snapshot," try scheduling Pattern Discovery for off-peak times. If you run Pattern Discovery against millions of matched events, try reducing the time frame by half to see how long it takes to complete. Use that information to plan when to run it. You can also make the filter condition more granular so there are fewer matches.

If the Pattern Discovery task aborts, a message to that effect appears in the Console. Run the Pattern Discovery task again after increasing the Pattern Discovery memory usage limits. To increase the memory usage limit, increase the three values proportionally. For example, to add 25 percent more memory capacity, you would change the values to:
- patterns.transactionbase.max=12500
- patterns.maxSupporterCost=100000
- patterns.maxUniqueEvents=25000

After changing these values, restart the Manager for them to take effect.
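The properties-file layering (defaults file overridden by the user file, comments and blank lines ignored) and the all-or-nothing behaviour of manager-reload-config, with its -diff check, -as forced update and timestamped config/history backup, can be modelled in a few functions. The following is an added illustration, not ArcSight's own code: the dynamic-key set is a constructed subset of the list in "Dynamic Properties", the file excerpts are constructed, and the real command's parsing and backup logic are assumed to behave as the text above describes.

```python
from datetime import datetime

# Constructed subset of the keys the "Dynamic Properties" section lists;
# any other key is treated as static (needs a Manager restart).
DYNAMIC_PROPERTIES = frozenset({
    "auth.auto.reenable.time",
    "auth.failed.max",
    "auth.password.age",
    "auth.password.length.max",
    "auth.password.length.min",
    "auth.password.unique",
    "external.export.interval",
    "xmlrpc.accept.ips",
})


def parse_properties(text):
    """Parse key=value lines; blank lines and lines starting with '#' are
    ignored, as the Property File Format section states. Java's ':' separator
    and escape sequences are not handled; '=' is all these files use."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep or not key.strip():
            continue  # not a key=value line; skip it
        props[key.strip()] = value.strip()
    return props


def effective_properties(defaults_text, user_text):
    """server.properties values override server.defaults.properties;
    keys absent from the user file keep their default value."""
    merged = parse_properties(defaults_text)
    merged.update(parse_properties(user_text))
    return merged


def diff_properties(loaded, candidate):
    """What 'manager-reload-config -diff' shows: every key whose effective
    value differs between the running Manager and the edited files."""
    keys = set(loaded) | set(candidate)
    return {k: (loaded.get(k), candidate.get(k))
            for k in sorted(keys) if loaded.get(k) != candidate.get(k)}


def reload_config(loaded, candidate, force=False):
    """Model of 'manager-reload-config' (force=False) and of its '-as' option
    (force=True). Returns (properties now in effect, status, keys pending restart).
    A plain reload is all-or-nothing: one static change and nothing is applied.
    A forced reload applies the dynamic changes; static ones wait for a restart."""
    changed = diff_properties(loaded, candidate)
    static = sorted(k for k in changed if k not in DYNAMIC_PROPERTIES)
    if static and not force:
        return dict(loaded), "failed", static
    in_effect = dict(loaded)
    for key in changed:
        if key in DYNAMIC_PROPERTIES:
            if key in candidate:
                in_effect[key] = candidate[key]
            else:
                in_effect.pop(key, None)  # key removed from the user file
    return in_effect, "ok", static


def history_filename(when):
    """Backup name written to config/history after a successful reload,
    e.g. server.properties.2014_09_27_01_05_40_615 (millisecond suffix)."""
    return ("server.properties." + when.strftime("%Y_%m_%d_%H_%M_%S_")
            + f"{when.microsecond // 1000:03d}")


# Constructed excerpts; real files hold far more keys.
DEFAULTS = """# server.defaults.properties (constructed excerpt; never edited directly)
servletcontainer.jetty311.encrypted.port=8443
auth.password.length.min=6
auth.failed.max=3
search.enabled=true
"""
USER_LOADED = """# server.properties as it was when the Manager last loaded it
auth.failed.max=5
"""
USER_EDITED = """# server.properties after the edits from the page's own example
auth.failed.max=5
auth.password.length.min=7
search.enabled=false
"""


def demo():
    """Run the page's scenario: one dynamic and one static change together."""
    loaded = effective_properties(DEFAULTS, USER_LOADED)
    candidate = effective_properties(DEFAULTS, USER_EDITED)
    return (diff_properties(loaded, candidate),
            reload_config(loaded, candidate),
            reload_config(loaded, candidate, force=True),
            history_filename(datetime(2014, 9, 27, 1, 5, 40, 615000)))


if __name__ == "__main__":
    diff, plain, forced, backup = demo()
    print("diff:", diff)
    print("plain reload:", plain[1], "pending restart:", plain[2])
    print("forced reload:", forced[1], "in effect:", forced[0], "pending:", forced[2])
    print("backup written as:", backup)
```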
Improving Annotation Query Performance

If you have annotation queries, you can improve their performance by adding the following property to the Manager’s server.properties file:

event.annotation.optimization.enabled=true

You can edit the properties file with a regular text editor. After adding this property, restart the Manager for it to take effect.

Installing New License Files Obtained from HP

You receive new license files packaged as .zip files and sent via e-mail from HPE. To deploy a new license file you obtained from HPE:

1. Go to the ArcSight Command Center’s Administration tab and find the License Information section, under Configuration Management.
2. In the License File field, specify or browse to the .lic or .zip file containing the license you want to upload and click Upload.
3. After uploading, the ArcSight Command Center asks whether you want to Restart, which restarts certain ArcSight server processes. You can choose to restart later. If so, when you are ready, select Server Management in the accordion panel under Configuration Management and click Restart at the bottom. You will have to log in again.

If your license has expired and you cannot access a user interface, use the managersetup command, as documented in "managersetup" on page 114.

Configuring Manager Logging

The Manager writes logging information to log files, which by default are located in:

/logs/default/

Various Manager utilities write logging information to different sets of log files, each of which can consist of multiple files. The number and size of log files are configurable; a typical setting is 10 files of 10 megabytes each. When a log file reaches its maximum size, it is rolled over to a numbered backup file. Depending on your system load, you may have to change the default settings. To change the logging configuration, change the log channel parameters.
The default log channel is called file. For the main Manager log file, called server.log, the following server.properties settings are used:

# Maximum size of a log file.
log.channel.file.property.maxsize=10MB
# Maximum number of roll over files.
log.channel.file.property.maxbackupindex=10

The first setting affects the size of each individual log file; the second affects the number of log files kept. The log file currently in use is always the one with no number appended to the name. The log file with the largest number is the oldest. All log files are written to the /logs/default directory. The Manager and its related tools write the following log files:

Log File             Description
server.log*          The main Manager log.
server.status.log*   System status information, such as memory usage.
server.channel.log*  Active Channel logs.
server.std.log*      All output that the Manager prints on the console (if run in command line mode).
server.pulse.log*    The Manager writes a line to this set of logs every ten seconds. Used to detect service interruptions.
server.sql.log*      If database tracing is enabled, the SQL statements are written to this set of log files.
execproc.log*        Log information about externally executed processes (only on some platforms).
serverwizard.log*    Logging information from the managersetup command.

Sending Logs and Diagnostics to HPE Support

Customer Support may request log files and other diagnostic information to troubleshoot problems. You can use the Log Retrieval feature in ArcSight Command Center; check the online help for that feature for more information. In the ArcSight Console, the sendlogs command automatically locates the log files and compresses them. You can send the compressed files to Customer Support. For details on the sendlogs command, see "Administrative Commands" on page 88.
- You can run this command as a wizard directly from the Console interface (GUI) in addition to the command-line interface of each component.
- Optionally, gather diagnostic information such as session wait times, thread dumps, and database alert logs about your ESM system, which helps HP Customer Support analyze performance issues on your ESM components.
  Note: You can also use the arcdt command to run specific diagnostic utilities from the Manager command line. For more information, see "Administrative Commands" on page 88.
- When you run this command from the Console or Manager, you can gather logs and diagnostic information for all components of the system.

Guidelines for Using the sendlogs Command

When using the sendlogs command:

- You can be connected as any valid user on an ESM component to collect its local logs; however, you must have administrator access to collect logs from other components. For example, if you are connected as user ‘joe’ to the Console, you can collect its logs. But if you need to collect logs for the Manager and the database, you must connect to the Console as the administrator.
- SmartConnectors must be running version 4037 or later to remotely (using a Console or the Manager) collect logs from them.
- You can only collect local logs on SmartConnectors or the CORR-Engine. The Send Logs utility only collects logs for the component on which you run it. In order to collect the CORR-Engine logs, the Manager needs to be running.
- All log files for a component are gathered and compressed. That is, you cannot select a subset of log files that the utility should process.
- The sendlogs command generates a compressed file on your local system that you can send to Customer Support by e-mail, if they request it.
- You can review the compressed file to ensure that only a desired and appropriate amount of information is sent to support.
- You can remove or sanitize information such as IP addresses, host names, and e-mail addresses from the log files before compressing them. Only those three kinds of data are removed; other identifying information, such as user names in audit events, stays in the logs, so review the archive before sending it. The options are:
  - Send log as generated: This option, the default, does not remove any information from the log files.
  - Only remove IP address: This option removes IP addresses, but not host names or e-mail addresses, from the log files.
  - Remove IP address, host names, e-mail addresses: This option removes all IP addresses and enables you to specify a list of host-name suffixes for which all host names and e-mail addresses are removed from the logs. For example, if you specify ‘company.com’ as a host-name suffix to remove, the Send Logs utility removes all references to domains such as ‘www.company.com’ and e-mail addresses such as ‘john@company.com’ from the logs.

Gathering Logs and Diagnostic Information

When you run the sendlogs command on SmartConnectors, it gathers logs and diagnostic information (if applicable) for only those components. However, when you run this utility on the ArcSight Console or Manager, you can gather logs and diagnostic information for all or a selected set of ESM components.

To run this command on SmartConnectors, enter this in /bin:

./arcsight agent sendlogs

To gather logs and diagnostic information for all or a selected set of components, do one of the following:

- On the ArcSight Console, click Tools > SendLogs.
- Enter this command in /bin on the Console or Manager machine:
  ./arcsight sendlogs

Either action starts the Send Logs wizard. In the wizard screens, perform these steps:

Note: The Send Logs wizard remembers most of the choices you make when you run it for the first time. Therefore, for subsequent runs, if you choose to use the previous settings, you do not need to re-enter them.

1. Decide whether you want the wizard to gather logs only from the component on which you are running it or from all components.
Choose either Use current settings to gather logs or Change/Review settings before gathering logs.

If you select Use current settings to gather logs, logs for all components are gathered as follows: if this is the first time sendlogs is run after installation, all the logs are gathered; if it is not the first time, the wizard uses the same settings as the previous run.

a. Enter the Manager’s login information.
b. Go to the step "Sanitize logs" below.

If you select Change/Review settings before gathering logs, you get the option to select the components for which you want logs gathered. Choose either Local Logs Only or Logs from other components (Requires Manager credentials). These choices let you select whether you want only the local logs (from the component where you ran the sendlogs command) or logs from other components as well.

Local logs only: If you select Local logs only, you can choose either Include all time ranges or Choose a specific time range. If you select Include all time ranges, go to the step "Sanitize logs" below. If you select Choose a specific time range, you are prompted to enter a Start Time and End Time, the time range for which the wizard gathers the logs. Then go to the step "Sanitize logs" below.

Logs from other components (Requires Manager credentials): If you select this option, you are prompted to choose the components.

a. Select the components (for example, Manager or Connectors) and the time range for which you want to gather logs. In addition, select whether you want to run the diagnostic utilities to gather additional information for those components. If you choose to specify the diagnostic utilities to run, you are prompted to select the utilities from a list in a later screen.
   The diagnostic utilities you can select are described in "arcdt" on page 92.
b. If you chose to gather logs from the SmartConnectors, select those SmartConnectors in the next screen.
   Note: At a minimum, the SmartConnectors should be running version 4037 or later.
c. If you chose earlier in this wizard to select the diagnostic utilities you want to run, select them in the next screen.

2. Sanitize logs
Select whether you want to sanitize the logs before collecting them. For more information about the sanitizing options, see "Guidelines for Using the sendlogs Command" on page 23.
If you choose Do not sanitize logs (fastest), go to the step "Incident Number" below.
If you choose Change/Review Logs sanitization settings, you are prompted to select what you want to sanitize. If you chose one of the first two options, go to the step "Incident Number" below. If you selected Remove IP addresses, host names, and e-mail addresses (Slowest), you are prompted to enter what you want removed. Click Add to add a suffix to remove. Highlight an entry and click Remove to remove it from the list.

3. Incident Number
Enter the Customer Support incident number. The sendlogs command uses this number to name the compressed file it creates. Use the incident number that Customer Support gave you when you reported the issue for which you are sending the logs; doing so helps Customer Support relate the compressed file to your incident. If you do not have an incident number at this time, you can continue by entering a meaningful name for the compressed file. After you obtain the incident number from Customer Support, you can rename the file with that number.

4. Click Next to start the compression.
Note: Most of the values you entered during the first run of the Send Logs wizard are retained. The next time you run this wizard, you need to enter only a few settings.

5. Click Done on the final screen.
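As an added example (not the Send Logs utility's own code), here is a small sanitizer that reproduces the three options described under "Guidelines for Using the sendlogs Command" on constructed log lines, which is useful when you want to see what a suffix list such as 'company.com' would and would not strip before running the wizard. The regular expressions, the placeholder tokens [ip], [host] and [email], and the sample lines are mine; only IPv4 literals are treated as IP addresses, host names are matched as dotted names, and an e-mail address is removed only when its domain falls under a configured suffix, which is my reading of the option text.

```python
"""Log sanitization in the spirit of the three sendlogs options (added
example; my regexes, not the Send Logs utility's). User names and other
identifiers that are not IPs, host names or e-mail addresses are left alone,
so the output still needs a review before it is sent anywhere."""
import re

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EMAIL = re.compile(r"[\w.+-]+@[\w.-]+")
# Two or more DNS labels; the suffix check below decides whether it is in scope.
HOSTNAME = re.compile(
    r"\b[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+\b", re.I)

# Constructed sample lines, not real Manager output.
SAMPLE_LOG = (
    "2016-01-26 10:15:02 INFO  Connector www.company.com (10.1.2.3) registered\n"
    "2016-01-26 10:15:03 WARN  notify john@company.com and ops@partner.example failed\n"
    "2016-01-26 10:15:04 INFO  peer manager esm02.lab.company.com:8443 reachable via 192.168.7.9\n"
)


def sanitize(text, mode="none", suffixes=()):
    """mode 'none': send as generated; 'ip': only remove IP addresses;
    'full': remove IP addresses plus host names and e-mail addresses whose
    domain is, or ends with, one of `suffixes` (e.g. 'company.com')."""
    if mode == "none":
        return text
    if mode not in ("ip", "full"):
        raise ValueError("unknown mode %r" % mode)
    text = IPV4.sub("[ip]", text)
    if mode == "ip":
        return text
    wanted = tuple(s.lower().lstrip(".") for s in suffixes)

    def in_scope(name):
        name = name.lower()
        return any(name == s or name.endswith("." + s) for s in wanted)

    # E-mail addresses first, so the domain part is judged as a whole and the
    # host-name pass does not leave half an address behind.
    text = EMAIL.sub(
        lambda m: "[email]" if in_scope(m.group(0).rsplit("@", 1)[1]) else m.group(0), text)
    return HOSTNAME.sub(lambda m: "[host]" if in_scope(m.group(0)) else m.group(0), text)
```

With suffixes=["company.com"] the first sample line becomes "Connector [host] ([ip]) registered", the partner address on the second line survives because its domain is outside the suffix list, and the port on the third line is kept while the host in front of it is removed.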
Reconfiguring the ArcSight Console After Installation

You can reconfigure the ArcSight Console at any time by running arcsight consolesetup in a command window. Run the ArcSight Console Configuration Wizard by entering the following command in the /bin directory:

./arcsight consolesetup

To run the ArcSight Console Setup program without the graphical user interface, type:

./arcsight consolesetup -i console

The ArcSight Console Configuration Wizard launches.

Reconfiguring ArcSight Manager

To reconfigure Manager settings made during installation, run the Manager Configuration Wizard. The Manager Configuration Wizard is covered in "Running the Manager Configuration Wizard" on page 80.

To change advanced configuration settings (port numbers, database settings, log location, and so on) after the initial installation, change the server.properties file. ArcSight’s default settings are listed in the server.defaults.properties file. You can override these defaults by adding the applicable lines from server.defaults.properties to the server.properties file. If a property exists in both files, the value in server.properties is used. These files are located in /config.

Changing ArcSight Command Center Session Timeout

ArcSight Command Center automatically logs out a session that has been inactive for a certain amount of time. This duration is defined by the configurable service.session.timeout property. If the session duration is too short, increase the value of service.session.timeout in the /config/server.properties file. Keep in mind that a longer timeout also lengthens the time an unattended browser session remains usable by someone else.

Managing Password Configuration

The Manager supports a rich set of functionality for managing user passwords. This section describes the various password configuration options.
Generally, all the settings are made by editing the server.properties file. See "Managing and Changing Properties File Settings" on page 14. Some of these settings control character restrictions in passwords.

Enforcing Good Password Selection

The Manager performs a number of checks when a user picks a new password in order to enforce good password selection practices.

Password Length

The simplest check is a minimum and, optionally, a maximum length for the password. The following keys in server.properties affect this:

auth.password.length.min=6
auth.password.length.max=20

By default, the minimum length for passwords is six characters and the maximum length is 20 characters; passwords can contain numbers and/or letters. Setting a property to -1 removes that limit (no minimum or no maximum, respectively). A low maximum works against long passphrases, so consider raising auth.password.length.max or setting it to -1.

Restricting Passwords Containing User Name

Another mechanism that enforces good password practices is controlled through the following server.properties key:

auth.password.userid.allowed=false

When this key is set to false (the default), a user cannot include their user name as part of the password.

Password Character Sets

For appliance users, the Manager comes installed using the UTF-8 character set. If you install the Manager yourself, the installer lets you set the character set encoding that the Manager uses. When you install the ArcSight Console, the operating system on that machine controls the character set the Console uses. Be sure the operating system uses the same character set as the Manager if:

- a user password contains "non-English" characters (in the upper range of the character set: values above 127), and
- that user wants to log in with that ArcSight Console.

This is not an issue if you log in from the web-based ArcSight Command Center. For passwords that are in the ASCII range (values up to 127), the character set for the ArcSight Console does not matter.
Requiring Mix of Characters in Passwords

Strong passwords consist not only of letters, but contain numbers and special characters as well. This makes them more difficult to guess and can help defeat dictionary attacks. The following properties control the distribution of characters allowed in new passwords:

auth.password.letters.min=-1
auth.password.letters.max=-1
auth.password.numbers.min=-1
auth.password.numbers.max=-1
auth.password.whitespace.min=0
auth.password.whitespace.max=0
auth.password.others.min=-1
auth.password.others.max=-1

The *.min settings enforce that each new password contains at least the given number of characters of the specified type. The *.max settings limit the number of characters of the given type that new passwords can contain; -1 means no limit, so the default whitespace.max=0 disallows whitespace altogether. Letters are all letters A-Z, upper and lower case; numbers are 0-9; "whitespace" includes spaces and similar characters; "others" are all other characters, including special characters such as #$%@!.

Additionally, the following server.properties key restricts the number of consecutive identical characters allowed:

auth.password.maxconsecutive=3

For example, the default setting of 3 allows "adam999", but not "adam9999", as a password.

Furthermore, the following server.properties key lets you specify the longest substring of the old password that may appear in the new password:

auth.password.maxoldsubstring=-1

For example, if the value is set to 3 and the old password is "secret", neither "secretive" nor "cretin" is allowed as a new password.

Checking Passwords with Regular Expressions

To accommodate more complex password format requirements, the Manager can also be set up to check all new passwords against a regular expression.
The following server.properties keys can be used for this purpose:

auth.password.regex.match=
auth.password.regex.reject=

The auth.password.regex.match property describes a regular expression that all passwords have to match. If a new password does not match this expression, the Manager rejects it. The auth.password.regex.reject property describes a regular expression that no password may match. If a new password matches this regular expression, it is rejected.

Note: Backslash ( \ ) characters in regular expressions must be duplicated (escaped): instead of specifying \, type \\. For more information on creating an expression for this property, see http://www.regularexpressions.info/.

The following are a few examples of regular expressions and a description of what they mean. Each value must be on a single line in the properties file.

auth.password.regex.match= /^\\D.*\\D$/

- Only passwords that do not start or end with a digit are accepted.

auth.password.regex.match= ^(?=.*[A-Z].*[A-Z])(?=.*[a-z].*[a-z])(?=.*[0-9].*[0-9])(?=.*[^a-zA-Z0-9].*[^a-zA-Z0-9]).{10,}$

- Only passwords that contain at least 10 characters with the following breakdown are accepted:
  - At least two upper case letters
  - At least two lower case letters
  - At least two digits
  - At least two special characters (no digits or letters)

auth.password.regex.reject= ^(?=.*[A-Z].*[A-Z])(?=.*[a-z].*[a-z])(?=.*[0-9].*[0-9])(?=.*[^a-zA-Z0-9].*[^a-zA-Z0-9]).{12,}$

- Passwords that contain at least 12 characters with the following breakdown are rejected:
  - At least two upper case letters
  - At least two lower case letters
  - At least two digits
  - At least two special characters (no digits or letters)

Password Uniqueness

In some environments, it is also desirable that no two users use the same password.
To enable a check that ensures this, the following server.properties key can be used:

auth.password.unique=false

If set to true, the Manager checks all other passwords to make sure nobody is already using the same password.

Note: This feature may not be appropriate for some environments, as it lets valid users of the system guess other users’ passwords: a password rejected as "already in use" confirms that some other account uses it.

Setting Password Expiration

The Manager can be set up to expire passwords after a certain number of days, forcing users to choose new passwords regularly. This option is controlled by the following key in server.properties:

auth.password.age=60

By default, a password expires 60 days from the day it is set. When this setting is used, however, problems arise for user accounts that are used for automated log in, such as the user accounts used for Manager Forwarding Connectors. These user accounts can be excluded from password expiration using the following key in server.properties:

auth.password.age.exclude=username1,username2

This value is a comma-separated list of user names. The passwords of these users never expire, so give these accounts only the permissions the automated task needs.

The Manager can also keep a history of a user’s passwords to make sure that passwords are not reused. The number of previous passwords to keep is specified using the following key in server.properties:

auth.password.different.min=1

By default, this key is set to check only the last password (value = 1). You can change this key to keep up to the last 20 passwords.

Restricting the Number of Failed Log Ins

The Manager tracks the number of failed log in attempts to prevent brute force password guessing attacks. By default, a user's account is disabled after three failed log in attempts. This feature is controlled through the following key in server.properties:

auth.failed.max=3

Change this to the desired number, or to -1 if you do not wish user accounts to be disabled, regardless of the number of failed log in attempts.
After a user account has been disabled, the Manager can be configured to automatically re-enable it after a certain period of time. This reduces administrative overhead while still throttling brute force attacks: an attacker gets at most auth.failed.max guesses per re-enable period. It also limits how long an attacker who knows a user name can lock that user out by deliberately failing log ins. This mechanism is controlled by the following key in server.properties:

auth.auto.reenable.time=10

This value specifies the time, in minutes, after which user accounts are automatically re-enabled after they were disabled due to an excessive number of incorrect log ins. Set the property to -1 to specify that user accounts can only be re-enabled manually.

Disabling Inactive User Accounts

By default, if a user does not log in for 90 days, the account is automatically disabled. To change the number of days of inactivity before the account is disabled, add the following property to the server.properties file:

auth.user.account.age=

Set the value to the number of days of inactivity allowed before the account is disabled.

Re-Enabling User Accounts

Under normal circumstances, user accounts that have been disabled, for example as a result of too many consecutive failed log ins, can be re-enabled by any user with sufficient permission: check the Login Enabled check box for the user in the User Inspect/Editor panel in the ArcSight Console.

If the only remaining administrator user account is disabled, a command line tool can be run on the system where the Manager is installed to re-enable user accounts. First, ensure that the Manager is running. Then, from the command line, run the following commands:

cd /opt/arcsight/manager/bin
./arcsight reenableuser username

where username is the name of the user you want to re-enable. After this procedure, the user can log in again, using the unchanged password.
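To try a password policy before changing server.properties, the following added example (my reimplementation, not Manager code) evaluates a candidate password against the auth.password.* keys described in the preceding subsections, starting from the defaults quoted there and taking overrides as a dict in the same key=value form. Assumptions: letters and numbers are the ASCII classes the guide lists; the user-name test is case-insensitive and the other checks are case-sensitive; regular expressions are applied with a search (both examples above are anchored, so this makes no difference for them); and -1 disables a limit. Regex values are written here in their plain form, and write_regex_value() produces the doubled-backslash form the Note above requires. STRONG_REGEX is the second example from the page.

```python
"""Password checks mirroring the auth.password.* keys (added example; my
reimplementation for testing a policy offline, not the Manager's code)."""
import re

# Defaults as listed in the guide; -1 means the limit is not enforced.
DEFAULTS = {
    "auth.password.length.min": "6", "auth.password.length.max": "20",
    "auth.password.userid.allowed": "false",
    "auth.password.letters.min": "-1", "auth.password.letters.max": "-1",
    "auth.password.numbers.min": "-1", "auth.password.numbers.max": "-1",
    "auth.password.whitespace.min": "0", "auth.password.whitespace.max": "0",
    "auth.password.others.min": "-1", "auth.password.others.max": "-1",
    "auth.password.maxconsecutive": "3", "auth.password.maxoldsubstring": "-1",
    "auth.password.regex.match": "", "auth.password.regex.reject": "",
}

# Second example from the guide: 10+ chars, two each of upper, lower, digit, special.
STRONG_REGEX = (r"^(?=.*[A-Z].*[A-Z])(?=.*[a-z].*[a-z])(?=.*[0-9].*[0-9])"
                r"(?=.*[^a-zA-Z0-9].*[^a-zA-Z0-9]).{10,}$")


def write_regex_value(regex):
    """server.properties needs every backslash doubled (one becomes two)."""
    return regex.replace("\\", "\\\\")


def _classify(password):
    """Count characters by the four classes the guide defines (ASCII letters/digits)."""
    counts = {"letters": 0, "numbers": 0, "whitespace": 0, "others": 0}
    for ch in password:
        if "A" <= ch <= "Z" or "a" <= ch <= "z":
            counts["letters"] += 1
        elif "0" <= ch <= "9":
            counts["numbers"] += 1
        elif ch.isspace():
            counts["whitespace"] += 1
        else:
            counts["others"] += 1
    return counts


def _longest_run(password):
    """Length of the longest run of one repeated character."""
    best = run = 0
    prev = None
    for ch in password:
        run = run + 1 if ch == prev else 1
        best = max(best, run)
        prev = ch
    return best


def _shares_substring(old, new, max_len):
    """True if any (max_len + 1)-character slice of the old password is in the new one."""
    n = max_len + 1
    return any(old[i:i + n] in new for i in range(len(old) - n + 1))


def check_password(password, username, props=None, old_password=None):
    """Return the list of rules the candidate violates; an empty list means accepted."""
    p = dict(DEFAULTS)
    p.update(props or {})

    def limit(key):
        return int(p[key])

    problems = []
    lo, hi = limit("auth.password.length.min"), limit("auth.password.length.max")
    if lo >= 0 and len(password) < lo:
        problems.append("shorter than auth.password.length.min=%d" % lo)
    if hi >= 0 and len(password) > hi:
        problems.append("longer than auth.password.length.max=%d" % hi)
    if p["auth.password.userid.allowed"].strip().lower() != "true" and username \
            and username.lower() in password.lower():
        problems.append("contains the user name (auth.password.userid.allowed=false)")
    for cls, count in _classify(password).items():
        mn, mx = limit("auth.password.%s.min" % cls), limit("auth.password.%s.max" % cls)
        if mn >= 0 and count < mn:
            problems.append("fewer than %d %s" % (mn, cls))
        if mx >= 0 and count > mx:
            problems.append("more than %d %s" % (mx, cls))
    mc = limit("auth.password.maxconsecutive")
    if mc >= 0 and _longest_run(password) > mc:
        problems.append("more than %d consecutive identical characters" % mc)
    mo = limit("auth.password.maxoldsubstring")
    if mo >= 0 and old_password and _shares_substring(old_password, password, mo):
        problems.append("reuses more than %d consecutive characters of the old password" % mo)
    if p["auth.password.regex.match"] and not re.search(p["auth.password.regex.match"], password):
        problems.append("does not match auth.password.regex.match")
    if p["auth.password.regex.reject"] and re.search(p["auth.password.regex.reject"], password):
        problems.append("matches auth.password.regex.reject")
    return problems
```

With the defaults, check_password("adam999", "bob") is accepted and "adam9999" is rejected for the run of four 9s; with auth.password.maxoldsubstring set to 3 and old password "secret", both "secretive" and "cretin" are rejected, matching the examples above. Passing {"auth.password.regex.match": STRONG_REGEX} accepts "Ab1!Cd2@xy" and rejects "Ab1!cd2@xy", which has only one upper-case letter.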
Advanced Configuration for Asset Auto-Creation

Assets are automatically created for all components and, if applicable, for assets arriving from scan reports sent by vulnerability scanners via scanner SmartConnectors. This is done by the asset auto-creation feature. If the profile of events in your network causes the asset auto-creation feature to create assets in your network model inefficiently, you can modify the asset auto-creation default settings in the user configuration file, server.properties. The server.properties file is located at $ARCSIGHT_HOME/config/server.properties.

Asset Auto-Creation from Scanners in Dynamic Zones

The following properties relate to how assets are created from a vulnerability scan report for dynamic zones.

Create Asset with Either IP Address or Host Name

By default, an asset is not created in a dynamic zone if there is no host name present. The property set by default is:

scanner-event.dynamiczone.asset.nonidentifiable.create=false

You can configure ESM to create the asset as long as it has either an IP address or a host name. In server.properties, change scanner-event.dynamiczone.asset.nonidentifiable.create from false to true. ESM discards conflicts between an IP address and host name (similar IP address, but different host name and/or MAC address).

Caution: Creating an asset if no host name is present can result in an inaccurate asset model. Setting scanner-event.dynamiczone.asset.nonidentifiable.create to true means that assets are created if the asset has either an IP address or a host name. This could lead to disabled assets or duplicated assets being created. Change this configuration only if you are using a dynamic zone to host ostensibly static assets, such as long-lived DHCP addresses.
When this property is set to true, the following takes place:

Example                                          Action taken if no conflicts                                      Action taken if a previous asset with similar information exists
ip=1.1.1.1, hostname=myhost, mac=0123456789AB    Asset created                                                     Asset created, previous asset is deleted.
ip=1.1.1.1, hostname=myhost, mac=null            Asset created                                                     Asset created, previous asset is deleted.
ip=1.1.1.1, hostname=null, mac=0123456789AB      Asset created                                                     Asset created, previous asset is deleted.
ip=1.1.1.1, hostname=null, mac=null              Asset created                                                     Asset created, previous asset is deleted.
ip=null, hostname=myhost, mac=null               Asset created                                                     Asset created, previous asset is deleted.
ip=null, hostname=null, mac=0123456789AB         Asset not created. Either host name or IP address is required.    Asset not created. Either host name or IP address is required.
ip=null, hostname=myhost, mac=0123456789AB       Asset not created. Either host name or IP address is required.    Asset not created. Either host name or IP address is required.

Preserve Previous Assets

This setting applies when ESM creates assets from a vulnerability scan report for dynamic zones. By default, if a previous asset with similar information already exists in the asset model, ESM creates a new asset and deletes the old one. To preserve the previous asset rather than delete it when a scan finds a new asset with similar information, you can configure ESM to rename the previous asset. In server.properties, change scanner-event.dynamiczone.asset.ipconflict.preserve from false to true.

Caution: Preserving previous assets results in a larger asset model. Setting scanner-event.dynamiczone.asset.ipconflict.preserve to true means that assets are continually added to the asset model and not removed. Use this option only if you know you must preserve all assets added to the asset model.
When the system is configured with scanner-event.dynamiczone.asset.nonidentifiable.create=false and scanner-event.dynamiczone.asset.ipconflict.preserve=true, it takes the following actions:

Example                                          Action taken if a previous asset with similar information exists and preserve=true
ip=1.1.1.1, hostname=myhost, mac=0123456789AB    Asset created, previous asset is renamed.
ip=1.1.1.1, hostname=myhost, mac=null            Asset created, previous asset is renamed.
ip=1.1.1.1, hostname=null, mac=0123456789AB      Asset created, previous asset is renamed.
ip=1.1.1.1, hostname=null, mac=null              No action taken. Either host name or MAC address is required.
ip=null, hostname=myhost, mac=null               Asset created, previous asset is renamed.
ip=null, hostname=null, mac=0123456789AB         Asset created, previous asset is renamed.
ip=null, hostname=myhost, mac=0123456789AB       Asset created, previous asset is renamed.

Changing the Default Naming Scheme

By default, the system names assets that come from scanners using the naming scheme outlined in the topic "Asset Names" in the ArcSight Console User’s Guide.

Zone           Property                                                    Value                                         Example
Static Zone    scanner-event.autocreate.asset.name.template                $destinationAddress - $!destinationHostName   1.1.1.1 - myhost
Dynamic Zone   scanner-event.autocreate.dynamiczone.asset.name.template    $destinationHostName                          myhost

You can reconfigure this naming scheme. For example, if you want the asset name for an asset in a static zone to appear this way in the ArcSight Console:

myhost_1.1.1.1

change the default

$destinationAddress - $!destinationHostName

to

$!destinationHostName_$destinationAddress

Compression and Turbo Modes for SmartConnectors

These sections discuss compression techniques and turbo modes for SmartConnectors.
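The two decision tables and the naming templates in the asset auto-creation sections above are compact enough to encode, which makes it easy to predict what a given combination of scanner-event.dynamiczone.asset.nonidentifiable.create and scanner-event.dynamiczone.asset.ipconflict.preserve will do to a scan result before changing the live asset model. The following is an added example, my reading of those sections rather than ESM code. asset_action() follows the stated rules: with nonidentifiable.create=true an asset needs a host name or an IP address, with the default (false) it needs a host name or a MAC address, and a conflicting previous asset is deleted unless ipconflict.preserve=true, in which case it is renamed. The last row of the first table (ip=null, hostname=myhost, MAC set) lists "not created", which contradicts the stated rule; the code follows the rule, and the combination create=true with preserve=true is not tabled above, so its "renamed" result is my generalization. render_asset_name() treats $name and $!name as Velocity-style references, with $!name rendering as empty when the field is missing, an assumption based on the "myhost_1.1.1.1" example; identifiers are taken to consist of letters and digits so that the underscore in that example is literal.

```python
"""Asset auto-creation decisions for dynamic zones and asset name templates
(added example; my reading of the tables and naming scheme, not ESM code)."""
import re

# Defaults quoted from the naming-scheme table.
STATIC_ZONE_TEMPLATE = "$destinationAddress - $!destinationHostName"
DYNAMIC_ZONE_TEMPLATE = "$destinationHostName"

# $name or $!name, optionally braced; identifiers are letters and digits only
# (assumption, so "$!destinationHostName_" stops before the underscore).
_REF = re.compile(r"\$(!?)\{?([A-Za-z][A-Za-z0-9]*)\}?")

# The seven example rows used by both tables (constructed from the page).
EXAMPLE_ROWS = [
    ("1.1.1.1", "myhost", "0123456789AB"),
    ("1.1.1.1", "myhost", None),
    ("1.1.1.1", None, "0123456789AB"),
    ("1.1.1.1", None, None),
    (None, "myhost", None),
    (None, None, "0123456789AB"),
    (None, "myhost", "0123456789AB"),
]


def asset_action(ip, hostname, mac, conflict, nonidentifiable_create=False, preserve=False):
    """Describe what ESM does with one scanner result for a dynamic zone.
    `conflict` is True when a previous asset with similar information exists."""
    if nonidentifiable_create:
        identifiable, need = bool(ip or hostname), "host name or IP address"
    else:
        identifiable, need = bool(hostname or mac), "host name or MAC address"
    if not identifiable:
        return "not created: either %s is required" % need
    if not conflict:
        return "created"
    return "created, previous asset renamed" if preserve else "created, previous asset deleted"


def decision_table(nonidentifiable_create, preserve, conflict=True):
    """Regenerate a table like the ones above for the seven example rows."""
    return [(row, asset_action(*row, conflict=conflict,
                               nonidentifiable_create=nonidentifiable_create,
                               preserve=preserve)) for row in EXAMPLE_ROWS]


def render_asset_name(template, fields):
    """Expand $field / $!field references in a scanner-event.autocreate template.
    A missing field renders as empty for $!field and is left verbatim for $field."""
    def expand(m):
        quiet, name = m.group(1) == "!", m.group(2)
        value = fields.get(name)
        if value in (None, ""):
            return "" if quiet else m.group(0)
        return str(value)
    return _REF.sub(expand, template)
```

decision_table(True, False) reproduces the first table except for its last row, and decision_table(False, True) reproduces the second table, including the "no action" row for an IP-only result. render_asset_name() with the static-zone default and no host name yields "1.1.1.1 - " (trailing space and all), which is worth knowing before adopting a custom template.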
Compressing SmartConnector Events

ArcSight SmartConnectors can send event information to the Manager in a compressed format using HTTP compression. The compression technique used is standard GZip, providing a compression ratio of 1:10 or higher, depending on the input data (in this case, the events the ArcSight SmartConnector is sending). Using compression lowers the overall network bandwidth used by ArcSight SmartConnectors dramatically, without impacting their overall performance.

By default, all ArcSight SmartConnectors have compression enabled. To turn it off, add the following line to the /user/agent/agent.properties file:

compression.enabled = false

ArcSight SmartConnectors determine whether the Manager they are sending events to supports compression.

Reducing Event Fields with Turbo Modes

If your configuration, reporting, and analytic usage permits, you can accelerate the transfer of sensor information through SmartConnectors by choosing one of the "turbo" modes, which send fewer event fields from the connector. The default transfer mode is called Complete, which passes all the data arriving from the device, including any additional data (custom or vendor-specific).

ArcSight SmartConnectors can be configured to send more or less event data on a per-SmartConnector basis, and the Manager can be set to read and maintain more or less event data, independent of the SmartConnector setting. Some events require more data than others. For example, operating system syslogs often capture a considerable amount of environmental data that may or may not be relevant to a particular security event. Firewalls, on the other hand, typically report only basic information.
ESM defines the following Turbo Modes:

Turbo Mode   Name       Notes
1            Fastest    Recommended for firewalls
2            Faster     Manager default
3            Complete   All event data, including additional data (SmartConnector default)

When Turbo Mode is not specified (mode 3, Complete), all event data arriving at the SmartConnector, including additional data, is maintained. Turbo Mode 2, Faster, eliminates the additional custom or vendor-specific data, which is not required in many situations. Turbo Mode 1, Fastest, eliminates all but a core set of event attributes in order to achieve the best throughput. Because the event data is smaller, it requires less storage space and provides the best performance. It is ideal for simpler devices such as firewalls. Fields a connector drops in a turbo mode are never sent, so they cannot be recovered later for an investigation; choose the mode with that in mind.

The Manager processes event data using its own Turbo Mode setting. If SmartConnectors report more event data than the Manager needs, the Manager ignores the extra fields. On the other hand, if the Manager is set to a higher Turbo Mode than a SmartConnector, the Manager maintains fields that are not filled by event data. Both situations are normal in real-world scenarios, because the Manager configuration reflects the requirements of a diverse set of SmartConnectors.
Event data transfer modes are numbered (1 for Fastest, 2 for Faster, 3 for Complete), and the possible Manager-SmartConnector configurations are therefore:

Manager-SmartConnector   Meaning
1-1                      Manager and SmartConnector in Fastest mode
1-2                      SmartConnector sending more sensor data than Manager needs
1-3                      SmartConnector sending more sensor data than Manager needs
2-1                      SmartConnector not sending all data that Manager is storing*
2-2                      Manager and SmartConnector in Faster mode
2-3                      Default: Manager does not process additional data sent by SmartConnector
3-1                      Manager maintains Complete data, SmartConnector sends minimum*
3-2                      Manager maintains additional data, but SmartConnector does not send it
3-3                      Manager and SmartConnector in Complete mode

*When the SmartConnector sends minimal data (Turbo Mode 1), the Manager can infer some additional data, creating a 2-1.5 or a 3-1.5 situation.

Sending Events as SNMP Traps

ESM can send a sub-stream of all incoming events (including rule-generated events) via SNMP to a specified target. A filter is used to configure which events are sent. ESM’s correlation capabilities can be used to synthesize network management events that can then be routed to your enterprise network management console.

Configuration of the SNMP Trap Sender

The SNMP trap sender is configured using the Manager configuration file. The /config/server.defaults.properties file includes a template for the required configuration values. Copy those lines into your /config/server.properties file and make the changes there. After making changes to this file, you need to restart the Manager.

Caution: Setting the Manager to send SNMP v3 traps is not FIPS compliant, because SNMP v3 uses the MD5 algorithm. SNMPv1 and v2 are FIPS compliant. Note, however, that SNMP v1 and v2c provide no authentication or encryption of their own: the community string and the event fields in every trap cross the network in clear text, so send traps only over a network path you trust.

The following describes the specific SNMP configuration properties:

snmp.trapsender.enabled=true

Set this property to true to enable the SNMP trap sender.
snmp.trapsender.uri=/All Filters/Arcsight System/SNMP Forwarding/SNMP Trap Sender

The system uses the filter specified by the URI (it should all be on one line) to decide whether or not an event is forwarded. There is no need to change the URI to another filter. These contents are locked and are overwritten when the contents are upgraded to the next version. By default, the "SNMP Trap Sender" filter logic is Matches Filter (/All Filters/ArcSight System/Event Types/ArcSight Correlation Events), that is, only rule-generated events are forwarded.

snmp.destination.host=
snmp.destination.port=162

The host name and the port of the SNMP listener that is to receive the traps.

snmp.read.community=public
snmp.write.community=public

The SNMP community strings needed for the traps to make it through to the receiver. The read community is reserved for future use; however, the write community must match the community of the receiving host. This depends on your deployment environment and your receiving device. Consult your receiving device's documentation to find out which community string to use.

snmp.version=1

snmp.fields=\
event.eventId,\
event.name,\
event.eventCategory,\
event.eventType,\
event.baseEventCount,\
event.arcsightCategory,\
event.arcsightSeverity,\
event.protocol,\
event.sourceAddress,\
event.targetAddress

These event attributes are included in the trap. The syntax follows the SmartConnector SDK as described in the FlexConnector Developer’s Guide. All the ArcSight fields can be sent. The identifiers are case sensitive, contain no spaces, and are written in lower camel case, that is, capitalized except for the first character.
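The following is an added example (not ArcSight code) that reads the SNMP trap sender properties described above the way the Manager layers them, with server.properties overriding server.defaults.properties, honours the backslash line continuation used by snmp.fields, and applies the checks this section states: the sender must be enabled, a destination host must be set, SNMP v3 is not FIPS compliant, and field identifiers are dotted lower-camel-case names without spaces. Both property files are constructed samples embedded inline.

```python
"""Validate ESM SNMP trap sender properties (added example, not ArcSight code)."""
import re

# Constructed sample of the template lines in server.defaults.properties.
DEFAULTS = """\
# SNMP trap sender defaults (constructed sample)
snmp.trapsender.enabled=false
snmp.trapsender.uri=/All Filters/ArcSight System/SNMP Forwarding/SNMP Trap Sender
snmp.destination.host=
snmp.destination.port=162
snmp.read.community=public
snmp.write.community=public
snmp.version=1
snmp.fields=\\
event.eventId,\\
event.name,\\
event.arcsightSeverity,\\
event.sourceAddress,\\
event.targetAddress
"""

# Constructed sample of an administrator's overrides in server.properties.
# The last field deliberately breaks the identifier rule (space, capital).
USER = """\
snmp.trapsender.enabled=true
snmp.destination.host=nms.example.com
snmp.version=3
snmp.fields=event.eventName,additionaldata.myvalue,event.Bad Name
"""


def parse_properties(text):
    """Parse Java-style properties: '#' comments, key=value, and a trailing
    backslash that joins the next physical line (as snmp.fields uses)."""
    props = {}
    logical = ""
    for raw in text.splitlines():
        line = raw.strip()
        if logical == "" and (not line or line.startswith("#")):
            continue
        if line.endswith("\\"):
            logical += line[:-1]
            continue
        logical += line
        key, sep, value = logical.partition("=")
        if sep:
            props[key.strip()] = value.strip()
        logical = ""
    return props


def effective_config(defaults_text, user_text):
    """server.properties overrides server.defaults.properties key by key."""
    cfg = parse_properties(defaults_text)
    cfg.update(parse_properties(user_text))
    return cfg


# Identifier rule from the text: a prefix (event or additionaldata), a dot,
# then a case-sensitive name with no spaces whose first character is lower case.
FIELD_RE = re.compile(r"^(event|additionaldata)\.[a-z][A-Za-z0-9]*$")


def check_snmp_config(cfg, fips_mode=False):
    """Return a list of problems; an empty list means the config is usable."""
    problems = []
    if cfg.get("snmp.trapsender.enabled", "false").lower() != "true":
        problems.append("snmp.trapsender.enabled is not true")
    if not cfg.get("snmp.destination.host"):
        problems.append("snmp.destination.host is empty")
    port = cfg.get("snmp.destination.port", "162")
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        problems.append("snmp.destination.port %r is not a valid port" % port)
    version = cfg.get("snmp.version", "1")
    if version not in ("1", "2", "3"):
        problems.append("snmp.version %r is not 1, 2 or 3" % version)
    elif version == "3" and fips_mode:
        problems.append("snmp.version=3 is not FIPS compliant (SNMP v3 uses MD5)")
    for field in cfg.get("snmp.fields", "").split(","):
        if not FIELD_RE.match(field):
            problems.append("bad field identifier %r" % field)
    return problems


if __name__ == "__main__":
    cfg = effective_config(DEFAULTS, USER)
    for problem in check_snmp_config(cfg, fips_mode=True):
        print("problem:", problem)
```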
For example:

ArcSight Field    SDK/SNMP trap sender identifier
Event Name        eventName
Device Severity   deviceSeverity
Service           service

The SNMP field types are converted as follows:

ArcSight   SNMP
STRING     OCTET STRING
INTEGER    INTEGER32
Address    IP ADDRESS
LONG       OCTET STRING
BYTE       INTEGER

Additional data values are accessible by name, for example:

snmp.fields=event.eventName,additionaldata.myvalue

This sends the Event Name field and the value of myvalue in the additional data list part of the SNMP trap. Only the String data type is supported for additional data; therefore all additional data values are sent as OCTET STRING.

Asset Aging

The age of an asset is defined as the number of whole days since it was last scanned or modified. For example, if an asset was last modified 29 hours ago, the age of the asset is taken as 1 day and the remaining time (5 hours, in this example) is ignored in the calculation of the asset’s age. You can use asset aging to reduce the asset confidence level as the time since the last scan increases.

Note: Only the assets belonging to the following categories are considered for aging:
- /Site Asset Categories/Scanned/Open Ports
- /Site Asset Categories/Scanned Vulnerabilities

Excluding Assets from Aging

To exclude certain assets from aging, add those assets to a group and then set the property asset.aging.excluded.groups.uris in the server.properties file to the URI(s) of those groups. For example, to exclude the groups MyAssets and DontTouchThis (both under All Assets), add the following to the server.properties file:

#Exclude MyAssets and DontTouchThis from aging
asset.aging.excluded.groups.uris=/All Assets/MyAssets,/All Assets/DontTouchThis

Note: When setting the asset.aging.excluded.groups.uris property, keep in mind that the assets in these groups are not disabled, deleted or amortized.

Disabling Assets of a Certain Age

By default, asset aging is disabled.
There is a scheduled task that disables any scanned asset that has reached the specified age. By default, after the asset aging feature is turned on, this task runs every day half an hour after midnight (00:30:00). Add the following in the server.properties file to enable asset aging:

#----------------------------
# Asset aging
#----------------------------
# Defines how many days can pass before a scanned asset is defined as old;
# after this time the asset will be disabled
# Default value: disabled
asset.aging.daysbeforedisable = -1

Note that the default value -1 means that asset aging is turned off, not that assets will be disabled. The value is expressed in days and defines how long an asset is allowed to age before it is disabled:

asset.aging.daysbeforedisable = <number of days>

So, this setting:

asset.aging.daysbeforedisable = 4

means that after 4 days, assets are considered old and are disabled. Set this property to a reasonable value that makes sense for your assets.

Deleting an Asset

To delete the asset instead of disabling it, set the property asset.aging.task.operation to delete in the server.properties file:

# Delete assets when they age
asset.aging.task.operation = delete

Verify that this property is set to delete for deletion of aging assets to occur.

Amortize Model Confidence with Scanned Asset Age

The IsScannedForOpenPorts and IsScannedForVulnerabilities sub-elements in the ModelConfidence element are factored by the age of an asset. They are extended to include an optional attribute, AmortizeScan. If AmortizeScan is not defined (or is defined with the value -1), the assets are not amortized. A "new" asset gets the full value while an "old" asset gets no points.
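The following is an added example (not ArcSight code) that applies the asset aging rules from this section: age is the whole number of days since the last scan or modification (29 hours counts as 1 day), asset.aging.daysbeforedisable=-1 turns aging off, only the two scanned categories age, groups in asset.aging.excluded.groups.uris are skipped, the task disables or (with asset.aging.task.operation=delete) deletes an old asset, and AmortizeScan scales the IsScannedFor* points linearly from the full value at age 0 to zero at AmortizeScan days. Two assumptions are made: "reached the specified age" is read as age >= daysbeforedisable, and the Asset Age / AmortizeScan table in this section corresponds to a full value of 4 points with AmortizeScan=120; the settings and assets are constructed samples.

```python
"""Asset aging and amortized scan confidence (added example, not ArcSight code)."""
from datetime import datetime, timedelta

# The only asset categories considered for aging (from the note in this section).
SCANNED_CATEGORIES = (
    "/Site Asset Categories/Scanned/Open Ports",
    "/Site Asset Categories/Scanned Vulnerabilities",
)


def asset_age_days(last_modified, now):
    """Whole days since the last scan/modification; leftover hours are ignored."""
    return max(0, (now - last_modified).days)


def amortized_points(full_value, age_days, amortize_scan=-1):
    """Points an IsScannedFor* element contributes for an asset of this age.
    AmortizeScan undefined or -1 means no amortization: always the full value.
    Linear decay is an assumption that matches the table in this section."""
    if amortize_scan is None or amortize_scan < 0:
        return full_value
    if age_days >= amortize_scan:
        return 0
    return full_value * (amortize_scan - age_days) / amortize_scan


def excluded_group_uris(settings):
    """Parse asset.aging.excluded.groups.uris (comma-separated group URIs)."""
    raw = settings.get("asset.aging.excluded.groups.uris", "")
    return {uri.strip() for uri in raw.split(",") if uri.strip()}


def aging_action(asset, now, settings):
    """Return 'keep', 'disable' or 'delete' for one asset.

    asset: dict with 'group', 'category' and 'last_modified' (a datetime).
    settings: dict of asset.aging.* property name -> string value, as they
    would appear in server.properties.
    """
    days_before_disable = int(settings.get("asset.aging.daysbeforedisable", "-1"))
    if days_before_disable < 0:
        return "keep"          # -1 (the default): asset aging is turned off
    if asset["category"] not in SCANNED_CATEGORIES:
        return "keep"          # only scanned assets are considered for aging
    if asset["group"] in excluded_group_uris(settings):
        return "keep"          # excluded groups are never disabled or deleted
    if asset_age_days(asset["last_modified"], now) < days_before_disable:
        return "keep"          # not old yet (assumption: old means age >= limit)
    if settings.get("asset.aging.task.operation", "").strip() == "delete":
        return "delete"
    return "disable"


def run_aging_task(assets, now, settings):
    """What the 00:30 scheduled task would do to each asset, keyed by name."""
    return {a["name"]: aging_action(a, now, settings) for a in assets}


# Constructed sample settings (as they would appear in server.properties).
SETTINGS = {
    "asset.aging.daysbeforedisable": "4",
    "asset.aging.excluded.groups.uris": "/All Assets/MyAssets,/All Assets/DontTouchThis",
}
NOW = datetime(2016, 1, 26, 0, 30)   # constructed run time of the task
# Constructed sample assets.
ASSETS = [
    {"name": "fw1", "group": "/All Assets", "category": SCANNED_CATEGORIES[0],
     "last_modified": NOW - timedelta(hours=29)},    # age counts as 1 day
    {"name": "db1", "group": "/All Assets", "category": SCANNED_CATEGORIES[1],
     "last_modified": NOW - timedelta(days=10)},     # 10 days old
    {"name": "vip", "group": "/All Assets/DontTouchThis", "category": SCANNED_CATEGORIES[1],
     "last_modified": NOW - timedelta(days=365)},    # old, but group is excluded
]


def demo_actions(settings=None):
    """Run the task over the sample assets with SETTINGS or an override."""
    return run_aging_task(ASSETS, NOW, SETTINGS if settings is None else settings)


if __name__ == "__main__":
    for name, action in demo_actions().items():
        print(name, action)
    for age in (0, 60, 120, 240):
        print("age", age, "days ->", amortized_points(4, age, 120))
```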
You can edit the AmortizeScan value (number of days) in the Manager’s /config/server/ThreatLevelFormula.xml file. For this example, the value is modified as follows:

Asset Age (in days)   AmortizeScan Value
0                     4
60                    2
120                   0
240                   0

Tuning for Supporting Large Actor Models

If your actor model contains tens of thousands of members, follow the guidelines in this section to allow adequate processing capacity for best results.

1. Shut down the Manager.

   Note: In-memory capacity changes made to arc_session_list must match sessionlist.max_capacity in server.properties. If you update the in-memory capacity for the arc_session_list table to a number other than the default 500,000, the value you enter must match the value set for sessionlist.max_capacity in server.properties.

2. Adjust the Java heap memory size using the Manager Configuration Wizard. Supporting 50,000 actors requires an additional 2 GB of Java heap memory in the Manager. An additional 300 MB is needed for each category model you construct that uses 50,000 actors. This additional memory is not in use all the time, but is needed for certain operations. The Manager Configuration Wizard is covered in "Running the Manager Configuration Wizard" on page 80.

3. Restart the Manager.

4. Proceed with importing the actor model.

For details about starting and stopping the Manager, see "Starting Components" on page 9.

About Exporting Actors

If you need to export your entire actor model to image another Manager, you can do it using the export_system_tables command with the -s parameter, which specifies the export of session list data. The -s parameter also captures the special session list infrastructure that is part of the Actor Resource Framework, in addition to the actor resources themselves.
Setting Up ESM for MSSP Environments

To set up ESM in a managed security service provider (MSSP) environment, do the following:

- Disable the search auto-complete feature. To do this, in the logger.properties file change the value of auto-complete.fulltext.enabled to false.

Chapter 3: SSL Authentication

This chapter describes the Secure Socket Layer (SSL) technology used for communication between the Manager and its clients: ArcSight Console and SmartConnectors. It is not used between the Manager and the database.

SSL enables the Manager to authenticate to its clients and communicate information over an encrypted channel, thus providing the following benefits:

- Authentication: Ensuring that clients send information to an authentic server and not to a machine pretending to be that server.
- Encryption: Encrypting information sent between the clients and the server to prevent intentional or accidental modification.

By default, clients submit a valid user name and password to authenticate with the server; however, these clients can be configured to use SSL client authentication.

SSL Authentication Terminology

Terms that are used in describing and configuring SSL:

- Certificate: A certificate is an entry in the keystore file that contains the public key and identifying information about the machine, such as the machine name and the authority that signs the certificate. SSL certificates are defined in the ISO X.509 standard.
- Key pair: A key pair is a combination of a private key and the public key that encrypts and decrypts information. A machine shares only its public key with other machines; the private key is never shared. The public and private keys are used to set up an SSL session. For details, see "How SSL Works" on page 48.
- SSL server-SSL client: An SSL session is set up between two machines, a server and a client.
In client-side SSL authentication, the server and its clients authenticate each other before communicating. The Manager is an SSL server, while SmartConnectors, Console, and browsers are SSL clients.

- Keystore: A keystore file is an encrypted repository on the SSL server that holds the SSL certificate and the server’s private key. The following table lists the ESM component, the name of the keystore on that component, and its location.

Component                                 Keystore File Name   Location of keystore
Manager                                   keystore             /config/jetty
Clients[1] (client-side authentication)   keystore.client      /config

[1] In client-side authentication, a keystore exists on both the server and the client.

Make sure you do not change the keystore file name.

- Truststore: A truststore is an encrypted repository on SSL clients that contains a list of certificates from the issuers that a client trusts. Use either the keytool or the keytoolgui command to view a truststore. See "View Certificate Details From the Store" on page 57 for details on viewing a truststore. A certificate is signed by the issuer with its private key. When the server presents this certificate to the client, the client uses the issuer’s public key from the certificate in its truststore to verify the signature. If the signature matches, the client accepts the certificate. For more details, see how the SSL handshake occurs in "How SSL Works" on page 48. The following table lists the ESM component, the name of the truststore on that component, and its location.

Component   Truststore File Name   Location of truststore
Clients     cacerts                /jre/lib/security
Manager     cacerts[1]             /jre/lib/security
Manager     truststore[2]          /config/jetty

[1] There are utilities on the Manager machine that are clients of the Manager.
The cacerts file on the Manager is used for authenticating the Manager to these clients.
[2] When client-side authentication is used.

- Alias: Certificates and key pairs in a keystore or a truststore are identified by an alias.

- Truststore password: The *.defaults.properties file contains the default truststore password for each ESM component (by default this password is changeit). Use a truststore password to encrypt a truststore file. Without this password, you cannot open the truststore file. The password is in clear text. To change or obfuscate it, use the changepassword command, as described in "Administrative Commands" on page 88. The following table lists the property name where the obfuscated truststore passwords are stored.

Truststore   Property File         Property Name
Client       client.properties**   ssl.truststore.password.encrypted
Manager*     server.properties     servletcontainer.jetty311.truststore.password.encrypted
Connector    agent.properties**    ssl.truststore.password

*For client-side authentication
**If config/client.properties or user/agent/agent.properties does not exist, create it using an editor of your choice.

Whenever you change a password for the truststore, you must make the same change in the password entry in the corresponding properties file.

- Keystore password: Use a keystore password to encrypt the keystore file. Without this password, you cannot open the keystore file. The default is password for the Manager and changeit for the ArcSight Console’s client keystore. The default password for the key pair for any component is the same as for the component’s keystore. You specify a keystore password when creating a key pair, which is discussed in later sections of this chapter. The password is obfuscated and stored in the ESM component’s *.properties file. The following table lists the property name where the obfuscated keystore passwords are stored.
Keystore    Property File         Property Name
Client*     client.properties**   ssl.keystore.password
Manager     server.properties     server.privatekey.password.encrypted
Connector   agent.properties**    ssl.keystore.password.encrypted

*For client-side authentication
**If config/client.properties or user/agent/agent.properties does not exist, create it using an editor of your choice.

Whenever you change a password for the keystore, you must make the same change in the password entry in the corresponding properties file.

- NSS database password: The default passwords for the Manager’s nssdb and the Console’s nssdb.client are both changeit. To change it, see "Changing the Password for NSS DB" on page 174.

- cacerts: This is the name of the truststore file used for client authentication certificates. There should be a folder with this name on each client machine. There is also one on the Manager machine because there are certain Manager utilities on that machine that communicate with the Manager as clients. The default password for cacerts is changeit.

- Cipher suite: A set of authentication, encryption, and data integrity algorithms used for securely exchanging data between an SSL server and a client. Depending on FIPS mode settings, some of the following cipher suites are automatically enabled for ESM and its clients:
  - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
  - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
  - TLS_RSA_WITH_3DES_EDE_CBC_SHA
  - TLS_RSA_WITH_AES_128_CBC_SHA

The cipher suites that are enabled are configured by ArcSight Wizards in property files. Although in most cases you do not need to change the cipher suites, you can configure them in the corresponding properties file for an ArcSight component:

Component    Property File                 Property
Manager      config/server.properties      servletcontainer.jetty311.socket.https.ciphersuites
Clients      config/client.properties      ssl.cipher.suites
Connectors   user/agent/agent.properties   ssl.cipher.suites

Cipher suites are set as a comma-delimited list. During the SSL handshake, the endpoints provide these lists as the cipher suites that they can accept, in descending order of preference. One of the cipher suites is chosen by the SSL negotiation process, and that cipher suite is used for the entire communication session between these two components. This means that in order to limit cipher suites, it is sufficient to restrict the list of enabled cipher suites on one side only, for example, on the Manager side.

How SSL Works

When a client initiates communication with the SSL server, the server sends its certificate to authenticate itself to the client. The client validates the certificate by verifying:

- The hostname is identical to the one with which the client initiated communication.
- The certificate issuer is in the list of trusted certificate authorities in the client’s truststore (/jre/lib/security/cacerts) and the client is able to verify the signature on the certificate by using the CA’s public key from the certificate in its truststore.
- The current time on the client machine is within the validity range specified in the certificate, to ensure that the certificate is valid.

If the certificate is validated, the client generates a random session key, encrypts it using the server’s public key, and sends it to the server. The server decrypts the session key using its private key. This session key is used to encrypt and decrypt data exchanged between the server and the client from this point forward.

The following figure illustrates the handshake that occurs between the client and Manager.
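The following is an added example (not ArcSight code) of the cipher suite negotiation described in the Cipher suite entry above: it takes the comma-delimited lists from the Manager's servletcontainer.jetty311.socket.https.ciphersuites property and a client's ssl.cipher.suites property, picks the first suite in the Manager's preference order that the client also accepts, and shows that removing a suite on the Manager side alone keeps it out of every session. The property values are constructed, and "Manager preference order wins" is an assumption, since the text does not say whose order the negotiation follows.

```python
"""Cipher suite negotiation from ESM property lists (added example, not ArcSight code)."""

MANAGER_KEY = "servletcontainer.jetty311.socket.https.ciphersuites"
CLIENT_KEY = "ssl.cipher.suites"

# Constructed property values; the property names are the ones in the table above.
MANAGER_PROPS = {
    MANAGER_KEY: "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,"
                 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,"
                 "TLS_RSA_WITH_AES_128_CBC_SHA",
}
# The client lists 3DES first; it is never used because the Manager omits it.
CLIENT_PROPS = {
    CLIENT_KEY: "TLS_RSA_WITH_3DES_EDE_CBC_SHA,"
                "TLS_RSA_WITH_AES_128_CBC_SHA,"
                "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
}


class HandshakeFailure(Exception):
    """Raised when the two endpoints share no cipher suite."""


def suite_list(value):
    """Split a comma-delimited cipher suite property, preserving preference order."""
    return [s.strip() for s in value.split(",") if s.strip()]


def negotiate(server_suites, client_suites):
    """Return the suite used for the whole session: the first suite in the
    server's preference order that the client also accepts (assumption)."""
    accepted = set(client_suites)
    for suite in server_suites:
        if suite in accepted:
            return suite
    raise HandshakeFailure("no cipher suite in common")


def negotiate_from_properties(manager_props, client_props):
    """Negotiate straight from the two components' property files."""
    return negotiate(suite_list(manager_props[MANAGER_KEY]),
                     suite_list(client_props[CLIENT_KEY]))


def restrict_manager(manager_props, disallowed):
    """Remove suites on the Manager side only, the one-sided restriction
    the text describes; returns a new property dict."""
    kept = [s for s in suite_list(manager_props[MANAGER_KEY]) if s not in disallowed]
    return {MANAGER_KEY: ",".join(kept)}


if __name__ == "__main__":
    print("negotiated:", negotiate_from_properties(MANAGER_PROPS, CLIENT_PROPS))
    only_rsa = restrict_manager(MANAGER_PROPS, {"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
                                                "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA"})
    print("after restricting the Manager:", negotiate_from_properties(only_rsa, CLIENT_PROPS))
```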
With client-side authentication, the server requests the client’s certificate when it sends its certificate to the client. The client sends its certificate along with the encrypted session key.

Certificate Types

There are three types of SSL certificates:

- CA-signed
- Self-signed (applicable to default mode only)
- Demo (applicable to default mode only)

CA-signed certificates are issued by a third party you trust. The third party may be a commercial Certificate Authority (CA) such as VeriSign or Thawte, or you might have designated your own CA. Because you trust this third party, your clients' truststores might already be configured to accept its certificate. Therefore, you may not have to do any configuration on the client side. See "Using a CA-Signed SSL Certificate" on page 62.

You can create your own self-signed certificates. A self-signed certificate is signed using the private key from the certificate itself. Each server is an issuer. Configure clients to trust each self-signed certificate you create. Self-signed certificates are as secure as CA-signed; however, CA-signed certificates scale better, as illustrated in this example: If you have three SSL servers that use self-signed certificates, you configure your clients to accept certificates from all of them (the three servers are three unique issuers). If you add a new server, you configure all the clients, again, to accept the additional certificate. However, if these servers use a CA-signed certificate, all servers use copies of the same one. You only configure the clients once to accept that certificate. If the number of Managers grows in the future, you do not need to do any additional configuration on the clients.

Demo certificates are useful in isolated test environments. Using one in a production environment is not recommended.
SSL Certificate Tasks

The keytool (runs from the command line in a terminal window) and keytoolgui (provides a graphical user interface) commands enable you to perform SSL configuration tasks. The preferred tool is keytool, which does not require the X Window system. Using the keytoolgui interface requires that the X Window system be installed on your system. Note that using the X Window system is not preferred on the Manager machine, but if you have it installed and want to use it, you can use keytoolgui. The X Window system is not present on an appliance. Using keytoolgui on Console machines is fine, but be aware that keytoolgui does not work on the Mac, so for managing the keystore and certificates on a Mac, use keytool.

HP's keytool simplifies use of the JRE keytool by pre-populating several command line arguments of the JRE keytool command based on the component’s configured values. These command line arguments include -keystore, -storepass, and -storetype (with exceptions that are discussed in later sections in the context of certain commands). The following sections present keytool command lines that are formed exactly to perform the task mentioned in the section. Use only those options to perform the documented tasks. Note that if you use keytool -h to view Help, you will see options that are not covered in this documentation. The keytool examples presented in this guide do not display all possible keytool options.

For details on keytool in general, see the online vendor documentation. Various vendors have their own version of keytool. One reference is http://docs.oracle.com/javase/7/docs/technotes/tools/windows/keytool.html.

Export a Key Pair

You can use keytool to export a key pair. Use of keytool (which runs from the command line in a terminal window) is preferred. Using the keytoolgui interface requires that the X Window system be installed on your system.
Note that using the X Window system is not preferred, but if you have it installed and want to use it, you can use keytoolgui. The X Window system is not present on ESM on an appliance.

Exporting a Key Pair Using keytool

An example of a keytool command line is provided. Use this example as a basis to form the command line you need. Note that this command does not use the HP keytool wrapper and requires more options to be specified than some other keytool commands. To export the key pair with the alias testkey into a file named config/jetty/keystore.p12 from the keystore config/jetty/keystore:

/jre/bin/keytool -importkeystore -srckeystore config/jetty/keystore -srcstoretype JKS -destkeystore config/jetty/keystore.p12 -deststoretype PKCS12 -srcalias testkey

Exporting a Key Pair Using keytoolgui

To use keytoolgui:

1. Start keytoolgui by running the following from the Manager’s bin directory:
   ./arcsight keytoolgui
2. Click File->Open keystore and navigate to the component’s keystore.
3. Enter the password for the keystore when prompted. For the default password see "Keystore password" on page 46.
4. Right-click the key pair and select Export.
5. Select the Private Key and Certificates radio button and click OK.
6. Enter the password for the key pair when prompted. For the default password see "Keystore password" on page 46.
7. Enter a new password for the exported key pair file, then confirm it and click OK.
8. Navigate to the location on your machine to which you want to export the key pair.
9. Enter a name for the key pair with a .pfx extension in the Filename text box and click Export. You get an Export Successful message.
10. Click OK.

Import a Key Pair

You can use keytool to import a key pair. Use of keytool (which runs from the command line in a terminal window) is preferred. Using the keytoolgui interface requires that the X Window system be installed on your system.
Note that using the X Window system is not preferred, but if you have it installed and want to use it, you can use keytoolgui. The X Window system is not present on ESM on an appliance.

Importing a Key Pair Using keytool

An example of a keytool command line is provided. Use this example as a basis to form the command line you need. Note that this command does not use the HP keytool wrapper and requires more options to be specified than some other keytool commands. To import the key pair with the alias testkey from a file named config/jetty/keystore.p12 into the file config/jetty/keystore.new:

/jre/bin/keytool -importkeystore -srckeystore config/jetty/keystore.p12 -srcstoretype PKCS12 -destkeystore config/jetty/keystore.new -deststoretype jks -srcalias testkey

Importing a Key Pair Using keytoolgui

1. Start the keytoolgui from the component into which you want to import the key pair. To do so, run the following command from the component’s /bin directory.
   ./arcsight keytoolgui
2. Select File->Open keystore and navigate to your component’s keystore.
3. Enter the keystore password when prompted. For the default password see "Keystore password" on page 46.
4. Select Tools->Import Key Pair and navigate to the location of the key pair file, select it and click Choose.
5. Enter the password for the key pair file when prompted and click OK. For the default password see "Keystore password" on page 46.
6. Select the key pair and click Import.
7. Enter an alias for the key pair and click OK.
8. Enter a new password for the key pair file to be imported, confirm it, and click OK. You see a message saying Key Pair Import Successful.
9. Click OK.
10. Select File->Save keystore to save the changes to the keystore and exit the keytoolgui.

Export a Certificate

You can use keytool to export a certificate. Use of keytool (which runs from the command line in a terminal window) is preferred.
Using the keytoolgui interface requires that the X Window system be installed on your system. Note that using the X Window system is not preferred, but if you have it installed and want to use it, you can use keytoolgui. The X Window system is not present on ESM on an appliance.

Exporting a Certificate Using keytool

An example of a keytool command line is provided. Use this example as a basis to form the command line you need. Note that if the alias points to a trusted certificate, the output is that certificate. Also, if the alias points to a key entry, the output is the first certificate from the key's certificate chain. For example:

/bin/arcsight keytool -exportcert -store managerkeys -alias testkey -file /tmp/testkey.cer

Exporting a Certificate Using keytoolgui

1. Start the keytoolgui from the component from which you want to export the certificate. To do so, run the following command from the component’s /bin directory.
   ./arcsight keytoolgui
2. Select File->Open keystore and navigate to your component’s truststore.
3. Enter the truststore password when prompted. For the default password see "Truststore password" on page 45.
4. Right-click the certificate and select Export.
   a. Select Head Certificate as the Export Type and DER Encoded as the Export Format and click OK.
   b. Navigate to the location where you want to export the certificate, enter a name for the certificate with a .cer extension, and click Export.
   c. You see the Export Successful message.
5. If the component into which you want to import this certificate resides on a different machine than the machine from which you exported the certificate (the current machine), copy this certificate to the other machine.

Import a Certificate

You can use keytool to import a certificate. Use of keytool (which runs from the command line in a terminal window) is preferred.
Using the keytoolgui interface requires that the X Window system be installed on your system. Note that using the X Window system is not preferred, but if you have it installed and want to use it, you can use keytoolgui. The X Window system is not present on ESM on an appliance.

Importing a Certificate Using keytool

An example of a keytool command line is provided. Use this example as a basis to form the command line you need. In this example, the command imports a certificate from the specified file into the Manager keystore and sets the alias for that certificate. Specify passwords for your keystore when needed. Note that if the keystore contains a key with the specified alias, then keytool assumes that you are importing a certificate reply from a CA. If there is no key with such an alias in the keystore, then keytool imports a trusted certificate under that alias. For example:

/bin/arcsight keytool -importcert -store managerkeys -alias testkey -file /tmp/tms_root.cer

Importing a Certificate Using keytoolgui

1. Start the keytoolgui from the component into which you want to import the certificate. To do so, run the following command from the component’s /bin directory.
   ./arcsight keytoolgui
2. Click File->Open keystore and navigate to the truststore (/jre/lib/security) of the component.
3. Select the store named cacerts and click Open.
4. Enter the password for the truststore when prompted. For the default password see "Truststore password" on page 45.
5. Click Tools->Import Trusted Certificate and navigate to the location of the certificate that you want to import.
6. Click Import.
7. You see the message Could not establish a trust path for the certificate. The certificate information will now be displayed after which you may confirm whether or not you trust the certificate. Click OK.
8. The certificate details are displayed. Click OK.
9. You see the message Do you want to accept the certificate as trusted?. Click Yes.
10. Enter an alias for the Trusted Certificate you just imported and click OK. Typically, the alias name is the same as the fully qualified host name (for example devgroup.topco.com).
11. You see the message Trusted Certificate Import Successful. Click OK.
12. Save the truststore file.

Creating a Keystore

You can use keytool or keytoolgui to create a keystore. Use of keytool (which runs from the command line in a terminal window) is preferred. Using the keytoolgui interface requires that the X Window system be installed on your system. Note that using the X Window system is not preferred, but if you have it installed and want to use it, you can use keytoolgui. The X Window system is not present on ESM on an appliance.

Creating a Keystore Using keytool

An example of a keytool command line is provided below. Use this example as a basis to form the command line you need. Note that this command does not use the HP keytool wrapper and requires more options to be specified than some other keytool commands. The abbreviations in the command below denote the following fields: cn = Common Name, ou = Organizational Unit, o = Organization, and c = Country. The command generates a new self-signed certificate with ALIAS_NAME in the specified keystore PATH_TO_KEYSTORE. Example for a new keystore:

/jre/bin/keytool -genkeypair -keystore config\keystore.client -storetype JKS -storepass password -dname "cn=John Smith, ou=ArcSight, o=HP, c=US" -alias testKey -validity 365

Specify all the options in the above example using the appropriate values for your installation. As a separate operation, either before or after you run the genkeypair command, you have to set the values for the keystore location, keystore type, and password in the client.properties file. This file is in /config (for example, C:\arcsight\Console\current\config).
The Console uses this file to access the keystore during authentication. The client.properties file works as an override for the client.defaults.properties file. (You do not edit the default properties file because it is overwritten at upgrade time.) Set these properties in client.properties, as follows:

- ssl.keystore.path= Set this value if it differs from the default in client.defaults.properties. It must be the same as the path specified in the -keystore option in the command example above.
- ssl.keystore.type= Set this value if it differs from the default in client.defaults.properties. It must be the same as the type specified in the -storetype option in the command example above.
- ssl.keystore.password= Set this value if it differs from the default in client.defaults.properties. It must be the same as the password specified in the -storepass option in the command example above. The default is blank (no password), but having a password is recommended. However, if you plan to encrypt the password (also recommended), there is no need to set it manually in this file. You specify it and encrypt it using the changepassword command, next.

To set an encrypted password, run the following command:

arcsight changepassword -f config\client.properties -p ssl.keystore.password

This command prompts you for the actual password, adds it to the client.properties file, and encrypts it. It must be the same as the password specified in the -storepass option in the command example above.

Creating a Keystore Using keytoolgui

1. Start the keytoolgui from the component for which you want to create the keystore. To do so, run the following command from the component’s /bin directory.
   ./arcsight keytoolgui
2. Click File->New keystore.
3. Select JKS and click OK.
4. Click File->Save keystore.

Generating a Key Pair

You can use keytool to generate a key pair.
Use of keytool (which runs from the command line in a terminal window) is preferred. Using the keytoolgui interface requires that the X Window system be installed on your system. Using the X Window system is not preferred, but if you have it installed and want to use it, you can use keytoolgui. The X Window system is not present on ESM on an appliance.

Generating a Key Pair Using keytool

The abbreviations in the -dname value denote the following fields: cn = Common Name, ou = Organizational Unit, o = Organization, and c = Country. For example:

/bin/arcsight keytool -genkeypair -store managerkeys -dname "cn=John Smith, ou=ArcSight, o=HP, c=US" -alias testKey -validity 365

When prompted, provide a key password for the new entry, or press Enter to use the same password as the keystore.

Generating a Key Pair Using keytoolgui

1. Start the keytoolgui from the component whose keystore will hold the key pair. To do so, run the following command from the component's /bin directory:
   ./arcsight keytoolgui
2. Click File->Open keystore and navigate to your keystore.
3. Click Tools->Generate Key Pair, fill in the fields in the Generate Certificate dialog, and click OK.
4. Enter an alias for the newly created key pair and click OK.
5. Save the keystore by clicking File->Save keystore.

View Certificate Details From the Store

You can use keytool to view certificate details from the keystore (list the entries in a keystore). Use of keytool (which runs from the command line in a terminal window) is preferred. Using the keytoolgui interface requires that the X Window system be installed on your system. Using the X Window system is not preferred, but if you have it installed and want to use it, you can use keytoolgui. The X Window system is not present on ESM on an appliance.

Viewing Certificate Details from the Store Using keytool

An example of a keytool command line is provided.
Use this example as a basis to form the command line you need. These commands use the HP keytool wrapper: the -store option selects the keystore or truststore, so the location and type options that the JRE's keytool requires are not needed.

To list all existing entries:

/bin/arcsight keytool -store managerkeys -list

To print details for the entry with the specified alias:

/bin/arcsight keytool -store managerkeys -list -alias mykey -v

Viewing Certificate Details from the Store Using keytoolgui

For certificates in the keystore, truststore, or cacerts, use the keytoolgui command to see certificate information.

1. Start keytoolgui from the component whose store you want to inspect. To do so, run the following command from the component's /bin directory:
   ./arcsight keytoolgui
2. Select File->Open keystore and navigate to your component's truststore.
3. Enter the truststore password when prompted. For the default password see "Truststore password" on page 45.
4. Double-click the certificate whose details you want to view. Details include the valid date range and other information about the certificate.

For the nssdb or nssdb.client, use the runcertutil command to view certificate information. See "runcertutil" on page 123 for more information. For the Manager certificate you can also use the tempca -i command.

Delete a Certificate

You can use keytool to delete a certificate from the keystore. Use of keytool (which runs from the command line in a terminal window) is preferred. Using the keytoolgui interface requires that the X Window system be installed on your system. Using the X Window system is not preferred, but if you have it installed and want to use it, you can use keytoolgui. The X Window system is not present on ESM on an appliance.

Deleting a Certificate Using keytool

An example of a keytool command line is provided. Use this example as a basis to form the command line you need.
These commands use the HP keytool wrapper; the -store option selects the store to edit. To remove the ESM certificate with alias mykey from the Manager keystore:

/bin/arcsight keytool -store managerkeys -delete -alias mykey

To remove a third-party trusted certificate with alias rootCA from the Manager truststore:

/bin/arcsight keytool -store managercerts -delete -alias rootCA

Deleting a Certificate Using keytoolgui

To delete a certificate from the truststore, start keytoolgui, navigate to the certificate, right-click it, and select Delete.

Using a Self-Signed Certificate

The procedure you follow depends on the number of Managers with which your clients communicate: each Manager has its own self-signed certificate, and any client that communicates with several Managers must be configured to trust all of their certificates.

When Clients Communicate With One Manager

To use a self-signed certificate for deployments in which clients communicate with only one Manager, perform these steps:

1. On the Manager, create a self-signed key pair:
   Note: Steps to create a self-signed key pair may differ for a new Manager installation, because the Configuration Wizard is launched automatically during the installation process.
   a. In /bin, run this command:
      ./arcsight managersetup
   b. In the Manager Configuration Wizard, select Replace with new Self-Signed key pair and click Next.
   c. Enter information about the SSL certificate and click Next.
   d. Enter the SSL keystore password for the certificate and click Next. Remember this password; you will use it to open the keystore.
   e. Continue through the Configuration Wizard.
   The Configuration Wizard does these three SSL-related things:
   o It replaces the Manager's keystore, /config/jetty/keystore, with the one created by this procedure.
   o It generates the selfsigned.cer certificate file in the /config/jetty directory.
   o It overwrites the existing Manager truststore file, /jre/lib/security/cacerts, with one that also contains the new self-signed certificate as a trusted entry. Because the certificate is self-signed, that entry is its own issuer, so the Manager trusts the certificate it now presents.
   The self-signed certificate does not take effect until the Manager and clients are restarted later in this procedure.
2. Export the Manager's certificate from /jre/lib/security/cacerts.
3. Copy the Manager's certificate to each machine from which clients connect to the Manager.
4. On those clients, import the Manager's certificate into the cacerts truststore in the /jre/lib/security directory. See "Import a Certificate" on page 54.
   Note: Make sure you have imported the Manager's certificate into all existing clients before proceeding. Otherwise, after you perform the next steps, only clients that trust the new Manager certificate can connect to the Manager.
5. Restart the Manager process so that the Manager starts using the self-signed certificate. Run the following command to do so:
   /etc/init.d/arcsight_services restart manager
6. Restart all clients.
7. When installing a new client, repeat Steps 2-4 of this procedure.
8. Optionally, if SSL client-side authentication is needed, on the ArcSight Console perform the steps listed in "Setting up SSL Client-Side Authentication on ArcSight Console" on page 70.

When Clients Communicate With Multiple Managers

This procedure is for using self-signed certificates where clients communicate with more than one Manager. You get the self-signed certificate file from each Manager, copy the files to one client, import them all into that client's truststore, and then copy that client's cacerts file to all your other clients.

1. Follow Step 1 of the procedure "When Clients Communicate With One Manager" on page 59 on all Managers. In each case it generates a certificate file called selfsigned.cer.
2. Copy the selfsigned.cer file from each Manager to the /jre/lib/security directory on one of your clients. The certificate files all have the same name, so rename each one so that it does not overwrite another on the client. For example, rename the certificate file from ManagerA to SelfSigned_MgrA.cer.
3. On that client, use the keytool or keytoolgui command to import the certificates into the truststore (cacerts). The keytool command is preferred. Using the keytoolgui interface requires that the X Window system be installed on your system. Using the X Window system is not preferred, but if you have it installed and want to use it, you can use keytoolgui. The X Window system is not present on ESM on an appliance. See "Import a Certificate" on page 54 for details on using keytool. To use the keytoolgui command:
   a. In /bin, run this command:
      ./arcsight keytoolgui
   b. Click File->Open keystore.
   c. In /jre/lib/security, select the store named cacerts. For the default password see "cacerts" on page 47.
   d. Click Tools->Import Trusted Certificate:
      i. Select the self-signed certificate for a Manager and click Import.
      ii. You see the message: "Could not establish a trust path for the certificate. The certificate information will now be displayed after which you may confirm whether or not you trust the certificate." Click OK. The certificate details are displayed. Click OK.
      iii. When asked if you want to accept the certificate as trusted, click OK.
      iv. Enter an alias for the Trusted Certificate you just imported and click OK. Typically, the alias is the same as the fully qualified host name.
      v. You see the message "Trusted Certificate Import Successful". Click OK.
      vi. Save the truststore file (cacerts).
      vii. Repeat Steps i through vi for all self-signed certificates you copied.
   e. On the client, enter this command in /bin to stop the client from using the Demo certificate:
      ./arcsight tempca -rc
      For SmartConnectors, run:
      ./arcsight agent tempca -rc
4. Restart each Manager so that it starts using its self-signed certificate.
5. Restart the client.
6. Copy the cacerts file to all your other clients and restart them. If you install a new client, copy the cacerts file to it as well.

Using a CA-Signed SSL Certificate

Using a certificate signed by a Certificate Authority means replacing your demo or self-signed certificate. Follow the procedures described in this section to obtain the certificate and import it into the Manager. Obtaining and deploying a CA-signed certificate involves these steps:

1. "Create a Key Pair for a CA-Signed Certificate" below.
2. "Send for the CA-Signed Certificate" on the next page.
3. "Import the CA Root Certificate" on page 64.
4. "Import the CA-Signed Certificate" on page 65.
5. "Restart the Manager" on page 68.
6. "Accommodating Additional Components" on page 68.
7. Optionally, if SSL client-side authentication is needed, on the ArcSight Console perform the steps listed in "Setting up SSL Client-Side Authentication on ArcSight Console" on page 70.

Create a Key Pair for a CA-Signed Certificate

To create a key pair, the keytool command is preferred. Using the keytoolgui interface requires that the X Window system be installed on your system. Using the X Window system is not preferred, but if you have it installed and want to use it, you can use keytoolgui. The X Window system is not present on ESM on an appliance. See "Generating a Key Pair" on page 57 for details on using keytool. To use the keytoolgui command:

1. On the Manager machine, run this command in /bin to launch keytoolgui:
   ./arcsight keytoolgui
2. Click File->New keystore to create a new keystore.
3. Select JKS (Java KeyStore) as the keystore type and click OK.
4. Click Tools->Generate Key Pair to create the key pair. This can take some time.
5. Enter the key pair information, such as the length of time for its validity (in days), and click OK.
   For Common Name (CN), enter the fully qualified domain name of the Manager. Ensure that the DNS servers used by the clients connecting to this host can resolve this host name.
   For Email (E), provide a valid e-mail address, because CAs typically send renewal notices to this address.
   When you click OK, you are asked for a new password. Use the password of your existing keystore to save this one. The Manager may fail to start if the password of the key pair does not match the keystore password encrypted in server.properties. If you do not remember the password, run the Manager setup wizard and change the password of your existing keystore before you proceed. You reuse this file after receiving the reply from the CA.
6. Specify an alias name of mykey for referring to the new key pair.
7. Click File->Save as and save the keystore with a name such as keystore.request.

Send for the CA-Signed Certificate

To send for the CA-signed certificate, first create a certificate signing request (CSR). You can use keytool to create the request. Use of keytool (which runs from the command line in a terminal window) is preferred. Using the keytoolgui interface requires that the X Window system be installed on your system. Using the X Window system is not preferred, but if you have it installed and want to use it, you can use keytoolgui. The X Window system is not present on ESM on an appliance.

Sending a CA-Signed Certificate Using keytool

An example of a keytool command line is provided. Use this example as a basis to form the command line you need.
For example:

/bin/arcsight keytool -certreq -store managerkeys -alias testkey -file config/testkey.csr

The command creates a PKCS#10 certificate signing request for the key pair stored under the given alias in the selected store. keytool prompts for the keystore password and, if it is different, for the key password of that alias; passwords that are empty need not be entered. The command writes the request to the -file path; send that file to your certificate authority (CA). After verifying the information you sent, the CA signs the certificate with its private key and replies with a certification response containing the signed certificate (a .cer file).

Sending a CA-Signed Certificate Using keytoolgui

1. In keytoolgui, right-click the mykey alias and select Generate CSR to create a Certificate Signing Request.
2. Choose a path and file name, and click Generate. After you enter a file name, the CSR file is generated in the current working directory.
3. Send the CSR to the selected Certificate Authority (CA). After verifying the information you sent, the CA signs the certificate with its private key and replies with a certification response containing the signed certificate.

Import the CA Root Certificate

When you get the response from the certificate authority, it should include instructions for getting the root CA certificate. You can skip this step if you are renewing a CA-signed certificate issued by the same root certificate authority. You import the CA root certificate into the truststore file. To import the certificate, the keytool command is preferred. Using the keytoolgui interface requires that the X Window system be installed on your system. Using the X Window system is not preferred, but if you have it installed and want to use it, you can use keytoolgui. The X Window system is not present on ESM on an appliance. See "Import a Certificate" on page 54 for details on using keytool.

1. Save the Root CA certificate as a file named rootca.cer.
2. Repeat the following procedure on all the machines where the Manager is installed:
   a. Launch keytoolgui on the Manager machine.
   b. Click File > Open keystore.
   c. Select the truststore file located at /jre/lib/security/cacerts. Use the default password to open cacerts. For the default password see "cacerts" on page 47.
   d. Click Tools > Import Trusted Certificate, and pick the rootca.cer file.
   e. You see the following warning message: "Could not establish a trust path for the certificate. The certificate information will now be displayed after which you may confirm whether or not you trust the certificate."
   f. Click OK to finish.

Note: Hints on importing the CA root certificate:
o If the CA root certificate has a chain, follow the same procedure to import all intermediate CA certificates into the truststore.
o Update the CA root certificate on other ESM components as well:
  - Repeat step 2 of the procedure on one of the Consoles.
  - Copy the updated cacerts to any Logger, and to other machines with Consoles or Connectors.
o Restart all services after the new cacerts is copied.

Import the CA-Signed Certificate

When the CA has processed your request, it sends you a file with the signed certificate. You import this certificate into the Manager's keystore. The certificate you receive from the Certificate Authority must be an X.509 version 3 certificate, the same type used for common web servers. The signed certificate must be returned by the CA in base64 (PEM) encoded format.
It looks similar to this:

-----BEGIN CERTIFICATE-----
MIICjTCCAfagAwIBAgIDWnWvMA0GCSqGSIb3DQEBBAUAMIGHMQswCQYDVQQGEwJaQTEiMCAGA1UECBMZRk9
SIFRFU1RJTkcgUFVSUE9TRVMgT05MWTEdMBsGA1UEChMUVGhhd3RlIENlcnRpZmljYXRpb24xFzAVBgNVBA
sTDlRFU1QgVEVTVCBURVNUMRwwGgYDVQQDExNUaGF3dGUgVGVzdCBDQSBSb290MB4XDTAyMDkyNzIzMzI0M
VoXDTAyMTAxODIZMzI0MVowaDELMAkGA1UEBhMCrVMxDTALBgNVBAgTBGJsYWgxDTALBgNVBAcTBGJsYWgx
DTALBgNVBAoTBGJsYWgxDTALBgNVBAsTBGJsYWgxHTAbBgNVBAMTFHppZXIuc3YuYXJjc2lnaHQuY29tMIG
fMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCZRGnVfQwG1b+BgABd/p8UhsaNov5AjaagAoBmouJCwgW2vw
N4JViCCSBkDpiqVF7K11Sx4ZVSXX4+VQ6k4gT5G0kDNvQeN05wWkzEMygMB+ZBnYqPA/XtWRZtjxvH
MoqS+JEqHruiMLITC6q0reUB/txby6+S9zNo/fUG1pkIcQIDAQABoyUwIzATBgNVHSUEDDAKBggrBgEFBQc
DATAMBgNVHRMBAg8EAjAAMA0GCSqGSIb3DQEBBAUAA4GBAFY37E60+P4b3zTLnaG7EVM57GtkED6PwCIilB
6ixjvNL4MNGRubPa8kyaZp5fEDoNUPQVQxnpABjzTalRfYgjNFJ6ltI6ZKjBO5kim9UBeCnKiNNzhIyDyFw
bHXOPB/JaLIV+jGugYNS7hf/ay0BXKlfueO07EgjhhB/mQFs2JB
-----END CERTIFICATE-----

Before proceeding, make sure the issuer that signed your certificate exists as a trusted CA in cacerts. (Use keytoolgui, or the keytool -list command shown earlier, to check your cacerts.)

Follow these steps to import the signed certificate:

1. If the returned file has the .CER or .CRT file extension, save it to the /config/jetty directory and skip to Step 4.
2. If it has a different extension, use a text editor to copy and paste the text string to a file. Include the lines "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----", and make sure there are no extra spaces before or after the string.
3. Save it to a file named ca_reply.txt on the Manager in the /config/jetty directory.
4. On the Manager machine, run this command in /bin:
   ./arcsight keytoolgui
5. Click File->Open keystore and select the keystore (keystore.request) you saved in Step 7 of "Create a Key Pair for a CA-Signed Certificate" on page 62.
   Provide the password you used to save the keystore in that step.
6. Right-click the key pair you created at the beginning of the process and named mykey in Step 6 of "Create a Key Pair for a CA-Signed Certificate" on page 62.
7. Select Import CA Reply from the menu.
8. Select the CA reply certificate file you saved in /config/jetty and click Import. If the CA reply file contains a chain of certificates, keytoolgui tries to match the reply's root CA to an existing Trusted Certificate in your cacerts truststore. If this operation fails, the Certificate Details dialog appears for manual verification. Acknowledge the certificate by clicking OK and answering Yes to the subsequent challenge; answer No if the certificate is not trustworthy for some reason. After the key pair you generated has been updated with the content of the CA reply, the keystore named keystore.request contains both the private key and the signed certificate (under the alias mykey).
9. Select File > Save. The keystore is now ready for use by the Manager.
10. Make a backup of the existing keystore by renaming it: rename /config/jetty/keystore to /config/jetty/keystore.old. If, for any reason, the new keystore does not work properly, you can revert to the keystore you saved as keystore.old.
11. Copy /config/jetty/keystore.request to /config/jetty/keystore.
12. For successful reconfiguration and Manager startup, enter the keystore password into the appropriate properties file. Enter the password into the server.properties file for the Manager using the following command (all on one line):
    arcsight changepassword -f /config/server.properties -p server.privatekey.password
    After you enter this command, the system displays the previous password as asterisks and asks you to enter and then confirm your new password. The command stores the password in the properties file in encrypted form.
13. If your Manager clients trust the CA that signed your server certificate, go to "Restart the Manager" on the next page. Otherwise, perform these steps to update each client's cacerts (truststore):
    Note: Also perform these steps on the Manager to update the Manager's own cacerts, so that Manager-side clients such as the archive command can connect.
    a. Obtain a root certificate from the CA that signed your server certificate and copy it to your client machine. (You got this in "Import the CA Root Certificate" on page 64.)
    b. For one client, use keytoolgui to import the certificate into the truststore (cacerts):
       i. In /bin, run this command:
          ./arcsight keytoolgui
       ii. Click File->Open keystore.
       iii. Select the store named cacerts. Use the default password to open cacerts. For the default password see "cacerts" on page 47.
       iv. Click Tools->Import Trusted Certificate and select the certificate you copied earlier in this procedure.
       v. You see the message: "Could not establish a trust path for the certificate. The certificate information will now be displayed after which you may confirm whether or not you trust the certificate." Click OK.
       vi. Enter an alias for the Trusted Certificate you just imported and click OK.
       vii. Right-click the alias ca in the truststore and choose Delete from the menu.
       viii. Save the keystore.
    c. Copy the /jre/lib/security/cacerts file from the client in the previous step to all other clients.

Restart the Manager

When you restart the Manager, clients cannot communicate with it until their truststores contain the new certificate (or the CA that issued it).

1. Restart the Manager. The Manager may fail to start if the password of the key pair does not match the keystore password, which is encrypted in server.properties. If you do not remember the keystore password, run the Manager setup wizard and change the password of your existing keystore.
2. Restart all clients.
3. To verify that the new certificate is in use:
   a. From the command line, navigate to the /bin directory and enter the command:
      arcsight tempca -i
      The output shows which CA issuer signed the certificate, the certificate type, the result of validating the certificate, and so on.
   b. Point a web browser to https://<Manager host name>:8443 to test it.

Accommodating Additional Components

Perform these extra steps to use CA-signed certificates with additional ESM components such as the ArcSight Console or SmartConnectors.

• Adding additional Managers: You do not need to add the CA root certificate to the truststore (cacerts) again. Just copy the cacerts file from the existing Manager to the new Manager.
• Other ArcSight components (Console and SmartConnectors): When installing a new Console, copy the cacerts file from an existing Console to the new Console.

Removing a Demo Certificate

You can remove the demo certificate by using the tempca script located in /bin. Issue the following command on all Manager and Console installations:

arcsight tempca -rc

For SmartConnectors, run the tempca script using the following command:

arcsight agent tempca -rc

Replacing an Expired Certificate

When a certificate in your truststore (cacerts) expires, replace it with a new one as follows. To delete an expired certificate, the keytool command is preferred. Using the keytoolgui interface requires that the X Window system be installed on your system. Using the X Window system is not preferred, but if you have it installed and want to use it, you can use keytoolgui. The X Window system is not present on ESM on an appliance. To replace an expired certificate, you must delete the current certificate and import a new one. See "Delete a Certificate" on page 58 and "Import a Certificate" on page 54 for details on using keytool.

1. Delete the expired certificate from the truststore (cacerts).
   To delete a certificate from the truststore (cacerts) with keytoolgui, start keytoolgui, navigate to the certificate, right-click it, and select Delete.
2. Replace the certificate by importing the new certificate into the truststore (cacerts), using keytool or keytoolgui. See "Using a Self-Signed Certificate" on page 59 or "Using a CA-Signed SSL Certificate" on page 62 (depending on the type of certificate you are importing) for steps on how to import the certificate. Since the common name (CN) of the new certificate is the same as that of the old certificate, you cannot have both of them in the truststore (cacerts).

Establishing SSL Client Authentication

This section describes the steps required to enable client authentication for the ArcSight Console. All communication between ESM and the Console is performed over SSL connections. Which protocol version and cipher suite to use is decided at the very beginning, during the initial SSL handshake. The SSL handshake always validates that the server can be trusted by reviewing and challenging its certificate. Optionally, the SSL handshake can also validate the client's certificate to ensure that the connection was requested by a legitimate client. For that purpose the client presents an SSL certificate, and the handshake verifies that the client owns the corresponding private key.

Depending on the selected authentication mode, the configuration steps described below may affect overall user authentication. These are the implications of the various modes:

1. Password Based Authentication: No impact.
2. Password Based and SSL Client Based Authentication: In this mode, the client sends both the SSL certificate and the password-based credentials. Both must identify exactly the same user.
3. Password Based or SSL Client Based Authentication: In this mode, the result depends on your choice.
   For this authentication mode, the Console's login dialog provides two buttons, "Login" and "SSL Client Login", to send either the username and password or the SSL certificate.
4. SSL Client Only Authentication: In this mode, authentication is performed based on the SSL certificate only.

In modes 2 and 4, unless PKCS#11 login is used, SSL login with client-side authentication configured is always performed as the same user, because the login dialog always uses the same client certificate from the Console's keystore. For PKCS#11 logins the authentication process uses the certificates from the PKCS#11 token, so the result depends on the token provided. Regardless of PKCS#11 mode, SSL login authentication is performed on the server side in two steps: first the SSL certificate is validated, then the ArcSight user whose external ID matches the CN (Common Name) of the presented certificate is looked up.

Note: Client-side authentication is useful when you want a client to always connect to ESM under the same user account, which eliminates the need to provide a username and password. If that is what you need, follow the instructions below; once the client certificate is created, select the "SSL Client Only Authentication" mode for that client and create an ArcSight user (in ESM) whose externalID matches the CN of the client certificate. Do not forget to secure access to this certificate: if the keystore holding the certificate and its private key is stolen, it can be used to access ESM from other clients as that user.

Setting up SSL Client-Side Authentication on ArcSight Console

You can use keytool to import a certificate. Use of keytool (which runs from the command line in a terminal window) is preferred. Using the keytoolgui interface requires that the X Window system be installed on your system. Using the X Window system is not preferred, but if you have it installed and want to use it, you can use keytoolgui. The X Window system is not present on ESM on an appliance.
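The server-side decision described above (certificate validated, CN looked up as an ArcSight user's externalID, then the selected mode applied) is modelled in the following added Python example. It is an illustration written for this guide, not ArcSight code: the user directory, the login names and the certificate subjects are constructed, certificate validation is assumed to have been done by the TLS layer, and the "both credentials must identify exactly the same user" rule for mode 2 is the edge case it exercises.

```python
"""Client-certificate login decision, modelled on the server-side steps the
guide describes: validate the certificate (assumed done by the TLS layer
here), take the CN from its subject, find the ArcSight user whose externalID
equals that CN, then apply the selected authentication mode.  This is an
added illustration, not ArcSight code; the user directory and DNs below are
constructed for the example."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional


class AuthMode(Enum):
    PASSWORD = "Password Based Authentication"
    PASSWORD_AND_CERT = "Password Based and SSL Client Based Authentication"
    PASSWORD_OR_CERT = "Password Based or SSL Client Based Authentication"
    CERT_ONLY = "SSL Client Only Authentication"


@dataclass(frozen=True)
class User:
    login: str
    external_id: str   # must equal the client certificate's CN for SSL login
    password: str      # plaintext only because this directory is a constructed stand-in


# Constructed stand-in for the ESM user directory, keyed by login name.
USERS: Dict[str, User] = {
    "jsmith": User("jsmith", "John Smith", "s3cret"),
    "soc-console": User("soc-console", "soc-console.example.com", "unused"),
}


def parse_dn(dn: str) -> Dict[str, str]:
    """Split an RFC 2253-style DN ('CN=John Smith, OU=ArcSight, O=HP, C=US')
    into {TYPE: value}.  A backslash escapes the next character, so
    'CN=Smith\\, John' yields the single CN 'Smith, John'.  Attribute types
    are upper-cased; multi-valued RDNs ('+') are not handled."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    attrs: Dict[str, str] = {}
    for part in parts:
        if "=" in part:
            key, value = part.split("=", 1)
            attrs.setdefault(key.strip().upper(), value.strip())
    return attrs


def user_for_certificate(subject_dn: str) -> Optional[User]:
    """Second server-side step: map the certificate CN to a user's externalID.
    The first step, validating the certificate against the Manager's
    truststore, is assumed to have succeeded before this is called."""
    cn = parse_dn(subject_dn).get("CN")
    if not cn:
        return None
    return next((u for u in USERS.values() if u.external_id == cn), None)


def user_for_password(login: Optional[str], password: Optional[str]) -> Optional[User]:
    user = USERS.get(login or "")
    return user if user and user.password == password else None


def ssl_login(mode: AuthMode, cert_subject: Optional[str] = None,
              login: Optional[str] = None, password: Optional[str] = None) -> Optional[str]:
    """Return the login name of the authenticated user, or None if refused."""
    by_cert = user_for_certificate(cert_subject) if cert_subject else None
    by_pw = user_for_password(login, password)
    if mode is AuthMode.PASSWORD:          # a presented certificate is ignored
        return by_pw.login if by_pw else None
    if mode is AuthMode.CERT_ONLY:         # username/password are ignored
        return by_cert.login if by_cert else None
    if mode is AuthMode.PASSWORD_AND_CERT:
        # Both credentials must be valid and identify exactly the same user.
        return by_cert.login if by_cert and by_cert == by_pw else None
    # PASSWORD_OR_CERT: the Console sends one credential, chosen with the
    # "Login" / "SSL Client Login" button; a presented certificate decides.
    if cert_subject:
        return by_cert.login if by_cert else None
    return by_pw.login if by_pw else None
```

The mode 2 branch is the one to watch when enabling client-side authentication: a valid certificate for one user combined with a valid password for another is refused, which is what the text means by "both of them should identify exactly the same user".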
To enable client-side authentication for an ArcSight Console running in default mode, perform these steps in addition to the ones you perform for setting up server authentication:

1. On each Console, generate a key pair. To do so with keytoolgui:
   a. From the Console's /bin directory, start keytoolgui by running the following command:
      ./arcsight keytoolgui
   b. Click File->New keystore. This opens the New keystore Type dialog.
   c. Select JKS and click OK.
   d. Click Tools->Generate Key Pair and fill in the fields in the Generate Certificate dialog.
   e. Enter an alias for the key pair and click OK.
      Caution: If you plan to install the Console and Manager on the same machine, make sure that this alias is unique. Also, do not use the machine name or IP address for the alias.
   f. Enter a password for the keystore, confirm it, and click OK.
2. Save the keystore in the Console's /config directory by clicking File > Save keystore.
   a. Enter a password for the keystore and confirm it.
   b. Enter keystore.client as the file name in the File Name text box and click Save.
   Example keytool command line (this is the JRE's keytool, so the store path, type and password are given explicitly):
   jre/bin/keytool -genkeypair -keystore config/keystore.client -storetype JKS -storepass password -dname "cn=John Smith, ou=ArcSight, o=HP, c=US" -alias testKey -validity 365
3. Change the following properties in the Console's /config/client.properties file and save the file:
   ssl.keystore.password=<the keystore password>
   ssl.keystore.path=config/keystore.client
   Note: HP recommends encrypting the password in the properties file to protect it.
   If you do, you do not need to enter the ssl.keystore.password property as described above; instead, run the changepassword tool to set an encrypted keystore password in client.properties:
   arcsight changepassword -f config/client.properties -p ssl.keystore.password
   You are asked to enter the value of the specified unencrypted property, and the command adds the new property ssl.keystore.password.encrypted for you. During that call the unencrypted property is removed.
4. If you are using a self-signed certificate, skip to Step 7. Otherwise, create a signing request by following the steps in "Send for the CA-Signed Certificate" on page 63, send it to the certificate authority, and import the signed certificate into the Console's keystore as described in "Import the CA-Signed Certificate" on page 65. Example keytool command line for the request:
   bin/arcsight keytool -certreq -store clientkeys -alias testkey -file config/testkey.csr
5. After receiving the response, follow the steps in "Import the CA Root Certificate" on page 64 to import the CA root certificate into the Console's truststore. Then import the CA reply into the Console's keystore under the alias of the key pair you generated. Example keytool command line for importing the CA reply into the keystore:
   bin/arcsight keytool -importcert -store clientkeys -alias testkey -file /tmp/signed-cert.cer
6. Export the client's certificate into a .cer file:
   a. In keytoolgui, right-click the key pair you just generated and select Export.
   b. Make sure to select Head Certificate as the Export Type and DER Encoded as the Export Format, and click OK.
   c. Enter a name for the certificate with a .cer extension and click Export.
   d. You see the Export Successful message.
   e. If your Console is on a different machine than the Manager, copy this certificate to the Manager's machine.
   Example keytool command line:
   bin/arcsight keytool -exportcert -store clientkeys -alias testkey -file /tmp/console-certificate.cer
7. Import the Console's certificate into the Manager's truststore. If your Manager trusts the CA that signed your Console's certificate, go to the next step. Otherwise, perform these steps to update the Manager's truststore:
   a. Start keytoolgui by entering the arcsight keytoolgui command from the Manager's bin directory.
   b. Click File->Open keystore and navigate to the Manager's /config/jetty/truststore.
   c. Enter changeit when prompted for the truststore password and click OK.
   d. Click Tools->Import Trusted Certificate.
   e. Navigate to the Console's certificate that you exported earlier and click Import.
   f. You see the message: "Could not establish a trust path for the certificate. The certificate information will now be displayed after which you may confirm whether or not you trust the certificate." Click OK.
   g. Review the certificate details and click OK.
   h. In response to "Do you want to accept the certificate as trusted?", click Yes.
   i. Enter an alias for the certificate.
   j. Click OK and save the changes to the ESM truststore.
   ESM reads its truststore during startup, so you need to restart ESM to enable newly imported certificates. Example keytool command line:
   bin/arcsight keytool -importcert -store managercerts -alias testkey -file /tmp/console-certificate.cer
8. Stop the Manager as user arcsight by running:
   /etc/init.d/arcsight_services stop manager
9. From the /opt/arcsight/manager/bin directory, run:
   ./arcsight managersetup
10. Change the SSL selection to the appropriate setting. You can leave all the other values as they were and finish the configuration wizard.
11. Restart the Manager service.

Setting Up Client-Side Authentication for ACC

You can use keytool to import a certificate.
Use of keytool (which runs from the command line in a terminal window) is preferred. Using the keytoolgui interface requires that the X Window system be installed on your system. Using the X Window system is not preferred, but if you have it installed and want to use it, you can use keytoolgui. The X Window system is not present on ESM on an appliance.

To set up client-side authentication for ACC, you must export the Console's private key into a .p12 file, and then import that file into the browser's internal truststore.

1. Export the Console's private key:
   a. From the Console's /bin directory, start keytoolgui by running the following command:
      ./arcsight keytoolgui
   b. Click File > Open keystore and navigate to the Console keystore you created.
   c. Right-click the Console's key pair and select Export.
   d. Select Private Key and Certificates as the Export Type and PKCS#12 as the Export Format (if not already selected). Click OK.
   e. When prompted, enter the password that you set for the Console's keystore and click OK.
   f. Enter a new password for the keystore and confirm the password. Click OK.
   g. Enter a name for the Console's private key with a .pfx extension and click Export.
   h. You receive a message saying Export Successful. Click OK and exit keytoolgui.
   Example keytool command line:
   keytool -importkeystore -srckeystore config/keystore.client -srcstoretype jks -srcstorepass password -destkeystore config/consolekey.p12 -deststoretype PKCS12 -srcalias testconsolekey
   The above command creates a new file config/consolekey.p12 with a keystore of type PKCS12 and stores in it the private key for alias testconsolekey from the client's keystore file config/keystore.client.
2. Use the keystore config/consolekey.p12 that contains the Console's private key to import the certificate into the browser's internal keystore:
   - On Firefox: Select Tools > Options > Advanced > View Certificates > Your Certificates > Import. Then specify the file, submit, and restart the browser.
   - On Internet Explorer and Chrome: Select Control Panel > Internet Options > Content > Certificates > Personal > Import. Then specify the file, submit, and restart the browser.

Setting up Client-side Authentication on SmartConnectors

To enable client-side authentication on clients (SmartConnectors) running in default mode, perform these steps:

1. Create a new client keystore in the SmartConnector's /config directory.
   a. Start keytoolgui from the client's bin directory by running the following on the SmartConnector:
      ./arcsight agent keytoolgui
   b. Go to File->New keystore.
   c. Select JKS for the type of keystore and click OK.
   d. Save the keystore by clicking File->Save keystore As, navigate to the config directory, enter keystore.client in the File Name box, and click Save.
   e. Set a password for the keystore and click OK.
2. Create a new key pair in the config/keystore.client of the SmartConnector. (If you already have a key pair that you would like to use, you can import the existing key pair into the client's config/keystore.client. See "Import a Key Pair" on page 52 for details.)
   a. In keytoolgui, click Tools->Generate Key Pair.
      Note: The Common Name field should be the external ID of the user logging in to the Manager that this console connects to.
   b. In the Generate Certificate dialog, enter the details requested and click OK.
   c. Enter an alias for the key pair and click OK.
   d. Set a password for the key pair and click OK.
   e. At the successful generation dialog, click OK. You should now see a key pair with the alias you set for it in the keystore.
   Example keytool command line:
   jre/bin/keytool -genkeypair -keystore config/keystore.client -storetype JKS -storepass password -dname "cn=John Smith, ou=ArcSight, o=HP, c=US" -alias testKey -validity 365
3. Create a client SSL configuration text file in the user/agent directory and name it agent.properties for a connector. The contents of this file (whether client or agent) should be as follows:
   auth.null=true
   ssl.client.auth=true
   cac.login.on=false
   ssl.keystore.path=config/keystore.client
   ssl.keystore.password=
   Note: Make sure that this password is identical to the password that you set for /config/keystore.client when creating it.
4. Export the client's (Connector) certificate using keytoolgui. See "Export a Certificate" on page 53 for details.
   Example keytool command line:
   bin/arcsight keytool -exportcert -store clientkeys -alias testkey -file /tmp/agent-certificate.cer
5. Import the CA's certificate of the client's certificate (if you are using a CA-signed certificate) or the client's certificate itself (if you are using a self-signed certificate) into the Manager's truststore, /config/jetty/truststore.
   Example keytool command line:
   bin/arcsight keytool -importcert -store managercerts -alias testkey -file /tmp/agent-certificate.cer
6. Restart the Manager.
7. Restart the client (Connector).

Migrating From One Certificate Type to Another

When you migrate from one certificate type to another on the Manager, update all Consoles and SmartConnectors.

Migrating from Demo to Self-Signed

To migrate from a demo to a self-signed certificate:
1. Follow the steps described in "Using a Self-Signed Certificate" on page 59.
2. Follow the instructions in "Verifying SSL Certificate Use" below to ensure that a self-signed certificate is in use.

Migrating from Demo to CA-Signed

To migrate from a demo to a CA-signed certificate:
1. Follow the steps described in "Using a CA-Signed SSL Certificate" on page 62.
2. Follow the instructions in "Verifying SSL Certificate Use" below to ensure that a CA-signed certificate is in use.
Migrating from Self-Signed to CA-Signed

To migrate from a self-signed to a CA-signed certificate:
1. Follow the steps described in "Using a CA-Signed SSL Certificate" on page 62.
2. Follow the instructions in "Verifying SSL Certificate Use" below to ensure that a CA-signed certificate is in use.

Verifying SSL Certificate Use

After the migration, run this command in /bin on the client to ensure that the certificate type you intended is in use:
./arcsight tempca -i
In the resulting output, a sample of which is shown below, do the following:
1. Review the value of the line Demo CA trusted. The value should be "no". If the value is "yes", the demo certificate is still in use. Follow these steps to stop using the demo certificate:
   a. In /bin, enter the following command to make the client stop using the demo certificate currently in use:
      ./arcsight tempca -rc
      For SmartConnectors, run:
      ./arcsight agent tempca -rc
   b. Restart the client.
2. Verify that the Certificate Authority that signed your certificate is listed in the output. For a self-signed certificate, the Trusted CA is the name of the machine on which you created the certificate.

Sample Output for Verifying SSL Certificate Use

This is sample output of the arcsight tempca -i command run from a Console's bin directory:
ArcSight TempCA starting...
SSL Client truststore C:\arcsight\Console\current\jre\lib\security\cacerts
Type JKS
Demo CA trusted no
Trusted CA DigiCert Assured ID Root CA [digicertassuredidrootca]
Trusted CA TC TrustCenter Class 2 CA II [trustcenterclass2caii]
. . .
Demo CA keystore C:\arcsight\Console\current\config\keystore.tempca
Exiting...

Using Certificates to Authenticate Users to the Manager

Instead of using a user name and password to authenticate a user to the Manager, you can configure these systems to use a digitally-signed user certificate. This section tells you how to do that.
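The two review steps above, as an added Python example that is not part of the guide: it parses the output of arcsight tempca -i (the guide's sample is embedded, plus a constructed output for a client still on the demo CA) and reports whether the demo CA is still trusted and whether the expected signing CA is listed. The output format assumed is exactly the sample shown above.

```python
"""Parse and check 'arcsight tempca -i' output (added example, not from the guide).
It encodes the two checks the guide describes: 'Demo CA trusted' must be 'no',
and the CA that signed the client's certificate (or, for a self-signed
certificate, the machine name) must appear as a Trusted CA."""
import re
from typing import List, NamedTuple, Optional, Tuple


class TempcaReport(NamedTuple):
    truststore: Optional[str]           # path after "SSL Client truststore"
    store_type: Optional[str]           # e.g. "JKS"
    demo_ca_trusted: Optional[bool]     # None if the line is missing
    trusted_cas: List[Tuple[str, str]]  # (CA display name, keystore alias)
    demo_ca_keystore: Optional[str]     # path after "Demo CA keystore"


# Lines look like: Trusted CA <display name> [<alias>]
_TRUSTED_CA = re.compile(r"^Trusted CA\s+(?P<name>.+?)\s*\[(?P<alias>[^\]]+)\]$")


def parse_tempca_output(text: str) -> TempcaReport:
    """Extract the fields the guide tells you to review from the tool's output."""
    truststore = store_type = demo_keystore = None
    demo_trusted: Optional[bool] = None
    cas: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("SSL Client truststore"):
            truststore = line[len("SSL Client truststore"):].strip()
        elif line.startswith("Type "):
            store_type = line[len("Type "):].strip()
        elif line.startswith("Demo CA trusted"):
            demo_trusted = line[len("Demo CA trusted"):].strip().lower() == "yes"
        elif line.startswith("Demo CA keystore"):
            demo_keystore = line[len("Demo CA keystore"):].strip()
        else:
            m = _TRUSTED_CA.match(line)
            if m:
                cas.append((m.group("name"), m.group("alias")))
    return TempcaReport(truststore, store_type, demo_trusted, cas, demo_keystore)


def check_certificate_use(text: str, expected_ca: str) -> List[str]:
    """Return the problems found; an empty list means the migration looks complete.
    expected_ca is the signing CA's display name or alias, or the machine name
    for a self-signed certificate."""
    report = parse_tempca_output(text)
    problems: List[str] = []
    if report.demo_ca_trusted is None:
        problems.append("no 'Demo CA trusted' line found; is this tempca -i output?")
    elif report.demo_ca_trusted:
        problems.append("demo certificate still trusted: run './arcsight tempca -rc' "
                        "(or './arcsight agent tempca -rc' on a SmartConnector) "
                        "and restart the client")
    wanted = expected_ca.strip().lower()
    if not any(wanted in (name.lower(), alias.lower())
               for name, alias in report.trusted_cas):
        problems.append("signing CA %r is not listed in client truststore %s"
                        % (expected_ca, report.truststore))
    return problems


# The guide's sample output (Console on Windows), embedded for offline use.
SAMPLE_OUTPUT = r"""ArcSight TempCA starting...
SSL Client truststore C:\arcsight\Console\current\jre\lib\security\cacerts
Type JKS
Demo CA trusted no
Trusted CA DigiCert Assured ID Root CA [digicertassuredidrootca]
Trusted CA TC TrustCenter Class 2 CA II [trustcenterclass2caii]
. . .
Demo CA keystore C:\arcsight\Console\current\config\keystore.tempca
Exiting...
"""

# Constructed output for a connector that was never migrated off the demo CA;
# the host name esm-manager01 is a placeholder.
DEMO_STILL_TRUSTED = """ArcSight TempCA starting...
SSL Client truststore /opt/arcsight/connector/current/jre/lib/security/cacerts
Type JKS
Demo CA trusted yes
Trusted CA esm-manager01 [esm-manager01]
Exiting...
"""

if __name__ == "__main__":
    for label, text, ca in (("console", SAMPLE_OUTPUT, "DigiCert Assured ID Root CA"),
                            ("connector", DEMO_STILL_TRUSTED, "Example Corp Issuing CA")):
        problems = check_certificate_use(text, ca)
        print(label, "OK" if not problems else "; ".join(problems))
```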
This capability is useful in environments that make use of Public Key Infrastructure (PKI) for user authentication. The Manager accepts login calls with empty passwords and uses the Subject CN (Common Name) from the user's certificate to identify the user.

Note: Before you enable client-side authentication, make sure that you log in to the Console and create a new user or modify an existing user such that the user's external_id is set to the one specified in the certificate created on the Console. The external ID should be set to the user name given as the CN (Common Name) when creating the certificate.

You must enable SSL client authentication as described in the previous section to use digitally-signed user certificates for user authentication.

To configure the Manager to use user certificates, do the following:
1. On the Console, make sure that the External ID field in the User Editor for every user is set to a value that matches the CN in their user certificate.
2. Restart the system you are configuring.
3. Restart the Consoles.

When you start the Console, the user name and password fields are grayed out. Simply select the Manager to which you want to connect and click OK to log in.

Using the Certificate Revocation List (CRL)

ESM supports the use of a CRL to revoke a CA-signed certificate that has been invalidated. The CA that issued the certificates also issues a CRL file containing a signed list of certificates that it had previously issued and that it now considers invalid. The Manager checks client certificates against the certificates listed in the CRL and denies access to clients whose certificates appear in the CRL.

Before you use the CRL feature, verify that:
- Your certificates are issued/signed by a valid Certificate Authority or an authority with the ability to revoke certificates.
- The CA's root certificate is present in the Manager's /config/jetty/truststore directory. The Manager validates the authenticity of the client certificate using the root certificate of the signing CA.
- You have a current CRL file provided by your CA. The CA updates the CRL file periodically as additional certificates get invalidated.

To use the CRL feature:
1. Log out of the Console.
2. Copy the CA-provided CRL file into your Manager's /config/jetty/crls directory. After adding the CRL file, it takes approximately a minute for the Manager to get updated.

Chapter 4: Running the Manager Configuration Wizard

After you have installed and configured your system, you can change some configuration parameters by running the managersetup -i console command in a terminal window to launch the Manager Configuration Wizard. Running the command in console mode is the preferred way of launching the wizard. Using the X Window system to run the wizard in graphical user interface mode is not preferred, but if you have the X Window system installed and want to use it, you can run the managersetup command without options to launch the wizard. The X Window system is not present on an appliance.

If issues occur while running the Manager Configuration Wizard, this command logs troubleshooting information in a log file: /opt/arcsight/manager/logs/default/serverwizard.log.

Running the Wizard

Run the wizard as user arcsight.
Before you run the Manager Configuration Wizard, stop your Manager by running the following command:
/etc/init.d/arcsight_services stop manager
Verify that the Manager has stopped by running the following command (as user arcsight):
/etc/init.d/arcsight_services status all
To start the wizard, run the following from the /opt/arcsight/manager/bin directory:
./arcsight managersetup -i console

Note: If you want to install X Window to use the GUI mode, you can get the following error if X Window is not set up correctly: Could not initialize class sun.awt.X11GraphicsEnvironment. To fix it, ensure that your X Window system is set up properly and try again.

The Manager Configuration Wizard establishes parameters required for the Manager to start up when you reboot.

1. Select either Run manager in default mode or Run manager in FIPS mode. For information on FIPS, see "Configuration Changes Related to FIPS" on page 163.
2. You can enter Manager Host Name, Manager Port, and Physical Location. To change the hostname or IP address for your Manager host, enter the new one. The Manager host name that you enter appears on the Manager certificate. If you change the host name, be sure to regenerate the Manager's certificate by selecting Replace with the new Self-Signed key pair in the screen that allows you to select key pair options (make a note of this if you change your host name). We recommend that you do not change the Manager Port number.
3. If you would like to replace your license file with a new one, select Replace current license file. Otherwise, accept the default option of Keep the current license file. If you selected Replace the current license file, you are prompted for the new one.
4. Select the Java Heap memory size. The Java Heap memory size is the amount of memory that ESM allocates for its heap. (Besides the heap memory, the Manager also uses some additional system memory.)
5. Select a key pair option. The Manager controls the SSL certificate type for communications with the Console, so the wizard prompts you to select the type of SSL certificate that the Manager is using. If you changed the Manager host name in the first or second step above, select Replace with new Self-Signed key pair; otherwise select Do not change anything. If you selected Replace with new Self-Signed key pair, you are prompted to enter the password for the SSL key store and then details about the new SSL certificate to be issued.
6. Accept the Logger JDBC URL and Database Password defaults.
7. Select the desired authentication method (password based or SSL client only).
8. Select the method for authenticating the users. See "Authentication Details" on the next page for more details on each of these options.
9. Accept the default (Internal SMTP server) or configure a different email server for notification.
   Caution: You must set up notification and specify notification recipients in order to receive system warnings. The importance of this step is sometimes overlooked, leading to preventable system failures.
   If you choose External SMTP Server, additional options are requested, to which the following steps apply:
   a. Enter the name of the outbound SMTP Server to use for notifications.
   b. Enter the From Address that the Manager is to place in the From field of outgoing emails.
   c. Enter the Error Notification Recipients as a comma-separated list of email addresses to which the Manager should send error notifications. Emails are sent when the system detects the following occurrences:
      - The subsystem status is changed. The email shows the change and who did it.
      - The report has been successfully archived.
      - The account password has been reset.
      - The Archive report generation fails.
      - There are too many notifications received by a destination.
      - The event archive location has reached the cap space. It asks you to free up some space by moving the event archives to some other place.
      - The user elects to email the ArcSight Console settings.
      - The user sends a partition archival command.
      - An archive fails because there is not enough space.
      - The connection to the database failed.
   d. Select Use my server for notification acknowledgements.
   e. Enter the SMTP server and account information. This includes the incoming email server and the server protocol, and the username and password for the email account to be used.
10. The Manager can automatically create an asset when it receives an event with new sensor or device information. The default, Enable Sensor Asset Creation, ensures that assets are automatically created. If you want to disable this feature, select Disable Sensor Asset Creation.

You have completed the Manager setup program. You can now start the Manager by running the following as user arcsight:
/etc/init.d/arcsight_services start manager

Authentication Details

The authentication options enable you to select the type of authentication to use when logging into the Manager.

Caution: In order to use PKCS#11 authentication, you must select one of the SSL based authentication methods:
- If you plan to use a PKCS#11 token with ArcSight Web, make sure to select Password Based or SSL Client Based Authentication.
- PKCS#11 authentication is not supported with RADIUS, LDAP and Active Directory authentication methods.

By default, the system uses its own, built-in authentication, but you can specify third party, external authentication mechanisms, such as RADIUS Authentication, Microsoft Active Directory, LDAP, or a custom JAAS plug-in configuration.
How External Authentication Works

The Manager uses the external authentication mechanism for authentication only, and not for authorization or access control. That is, the external authenticator only validates the information that users enter when they connect to the Manager by doing these checks:
- The password entered for a user name is valid.
- If groups are applicable to the mechanism in use, the user name is present in the groups that are allowed to access ArcSight Manager.

Users who pass these checks are authenticated. After you select an external authentication mechanism, all user accounts, including the admin account, are authenticated through it.

Guidelines for Setting Up External Authentication

Follow these guidelines when setting up an external authentication mechanism:
- Users connecting to the Manager must exist on the Manager.
- User accounts, including admin, must map to accounts on the external authenticator. If the accounts do not map literally, you must configure internal to external ID mappings in the Manager.
- Users do not need to be configured in groups on the Manager even if they are configured in groups on the external authenticator.
- If user groups are configured on the Manager, they do not need to map to the group structure configured on the external authenticator.
- Information entered to set up external authentication is not case sensitive.
- To restrict the information users can access, set up Access Control Lists (ACLs) on the Manager.

Password Based Authentication

Password-based authentication requires users to enter their User ID and Password when logging in. You can select the built-in authentication or external authentication.

Built-In Authentication

This is the default authentication when you do not specify a third party external authentication method. If you selected this option, you are done.
Setting up RADIUS Authentication

To configure ArcSight Manager for RADIUS Authentication, choose RADIUS Authentication and supply the following parameter values:

Parameter: Description
Authentication Protocol: Which authentication protocol is configured on your RADIUS server: PAP, CHAP, MSCHAP, or MSCHAP2.
RADIUS Server Host: Host name of the RADIUS server. To specify multiple RADIUS servers for failover, enter comma-separated names of those servers in this field. For example, server1, server2, server3. If server1 is unavailable, server2 is contacted, and if server2 is also unavailable, server3 is contacted.
RADIUS Server Type: Type of RADIUS server: RSA Authentication Manager, Generic RADIUS Server, or Safeword PremierAccess.
RADIUS Server Port: Specify the port on which the RADIUS server is running. The default is 1812.
RADIUS Shared Secret: Specify the RADIUS shared secret string used to verify the authenticity and integrity of the messages exchanged between the Manager and the RADIUS server.

Setting up Active Directory User Authentication

To authenticate users using a Microsoft Active Directory authentication server, choose Microsoft Active Directory. Communication with the Active Directory server uses LDAP and optionally SSL. The next panel prompts you for this information.

Parameter: Description
Active Directory Server: Host name of the Active Directory Server.
Enable SSL: Whether the Active Directory Server is using SSL. The default is True (SSL enabled on the AD server). No further SSL configuration is required for the AD server. Whether you selected SSL earlier for communications with the Console is irrelevant. Certificate type is set on the AD server side, not the manager.
Active Directory Port: Specify the port to use for the Active Directory Server. If the AD server is using SSL (Enable SSL=true), use port 636. If SSL is not enabled on the AD server, use port 389.
Search Base: Search base of the Active Directory domain; for example, DC=company, DC=com.
User DN: Distinguished Name (DN) of an existing, valid user with read access to the Active Directory. For example, CN=John Doe, CN=Users, DC=company, DC=com. The CN of the user is the "Full Name," not the user name.
Password: Domain password of the user specified earlier.
Allowed User Groups: Comma-separated list of Active Directory group names. Only users belonging to the groups listed here will be allowed to log in. You can enter group names with spaces.

Specify any user who exists in AD to test the server connection. Specify the user name used to log in to the Manager and the External ID name to which it is mapped on the AD server.

Configuring AD SSL

If you are using SSL between the Manager and your authentication server, you must ensure that the server's certificate is trusted in the Manager's trust store /jre/lib/security/cacerts, whether the authentication server is using self-signed or CA certificates. For CA certificates, if the Certificate Authority (CA) that signed your server's certificate is already listed in cacerts, you do not need to do anything. Otherwise, obtain a root certificate from the CA and import it into your Manager's cacerts using the keytoolgui command.

Setting up LDAP Authentication

The ArcSight Manager binds with an LDAP server using a simple bind. To authenticate users using an LDAP authentication server, choose Simple LDAP Bind and click Next. The next panel prompts you for this information.

Parameter: Description
LDAP Server Host: Specify the host name of the LDAP Server.
Enable SSL: Whether the LDAP Server is using SSL. The default is True (SSL enabled on the LDAP server). No further SSL configuration is required for the LDAP server. Whether you selected SSL earlier for communications with the Console is irrelevant. Certificate type is set on the LDAP server side, not the manager.
LDAP Server Port: Specify the port to use for the LDAP Server. If the LDAP server is using SSL (Enable SSL=true), use port 636. If SSL is not enabled on the LDAP server, use port 389.

Specify any user who exists in LDAP to test the server connection. Enter a valid Distinguished Name (DN) of a user (and that user's password) that exists on the LDAP server; for example, CN=John Doe, OU= Engineering, O=YourCompany. This information is used to establish a connection to the LDAP server to test the validity of the information you entered in the previous panel.

Note: LDAP groups are not supported. Therefore, you cannot allow or restrict logging into the Manager based on LDAP groups.

If you configure your Manager to use LDAP authentication, ensure that you create users on the Manager with their Distinguished Name (DN) information in the external ID field. For example, CN=John Doe, OU= Engineering, O=YourCompany.

Specify the user name used to log in to the Manager and the External ID name to which it is mapped on the LDAP server.

Configuring LDAP SSL

If you are using SSL between the Manager and your authentication server, you must ensure that the server's certificate is trusted in the Manager's trust store /jre/lib/security/cacerts, whether the authentication server is using self-signed or CA certificates. For CA certificates, if the Certificate Authority (CA) that signed your server's certificate is already listed in cacerts, you do not need to do anything. Otherwise, obtain a root certificate from the CA and import it into your Manager's cacerts using the keytoolgui command.
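The External ID mapping rules from the user-certificate section (External ID equals the certificate's Subject CN) and from the LDAP section above (External ID is the user's full DN), as an added Python example that is not part of the guide. The user table is constructed, and the whitespace trimming and case-insensitive comparison are assumptions of this example, not documented ESM matching rules.

```python
"""External ID mapping check (added example, not from the ArcSight guide).
parse_dn() splits an LDAP/X.500 DN, subject_cn() picks the CN a certificate
login would be identified by, and find_user() looks up the Manager user whose
External ID matches what a login presents."""
from typing import List, Optional, Tuple

RDN = Tuple[str, str]


def parse_dn(dn: str) -> List[RDN]:
    """Split 'CN=John Doe, OU= Engineering, O=YourCompany' into [(type, value), ...].
    Backslash escapes and double-quoted values are honoured; attribute types are
    upper-cased and whitespace around types and values is dropped."""
    rdns: List[RDN] = []
    attr: Optional[str] = None
    buf: List[str] = []
    quoted = False
    i = 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):  # escaped character, e.g. "Doe\, John"
            buf.append(dn[i + 1])
            i += 2
            continue
        if c == '"':
            quoted = not quoted
        elif c == "=" and attr is None and not quoted:
            attr = "".join(buf).strip().upper()
            buf = []
        elif c in ",;" and not quoted:
            if attr is None:
                raise ValueError("not a DN: %r" % dn)
            rdns.append((attr, "".join(buf).strip()))
            attr, buf = None, []
        else:
            buf.append(c)
        i += 1
    if attr is None or quoted:
        raise ValueError("not a DN: %r" % dn)
    rdns.append((attr, "".join(buf).strip()))
    return rdns


def subject_cn(dn: str) -> str:
    """The first CN in the DN: the value the Manager identifies a certificate user by."""
    for attr, value in parse_dn(dn):
        if attr == "CN":
            return value
    raise ValueError("DN has no CN: %r" % dn)


def normalize_dn(dn: str) -> str:
    """Canonical spelling so 'OU= Engineering' and 'ou=Engineering' compare equal."""
    return ",".join("%s=%s" % (a, v) for a, v in parse_dn(dn))


def external_ids_match(stored: str, presented: str) -> bool:
    """Compare a stored External ID with the value a login presents: as DNs when
    both parse as DNs, otherwise as plain names (assumption: case-insensitive)."""
    try:
        return normalize_dn(stored).casefold() == normalize_dn(presented).casefold()
    except ValueError:
        return stored.strip().casefold() == presented.strip().casefold()


def find_user(users, presented: str) -> Optional[str]:
    """Return the Manager user name whose External ID matches, or None."""
    for user in users:
        if external_ids_match(user["external_id"], presented):
            return user["name"]
    return None


# Constructed user table as an administrator would set it up in the User Editor:
# a certificate user keyed by CN and an LDAP user keyed by full DN.
USERS = [
    {"name": "jsmith", "external_id": "John Smith"},
    {"name": "jdoe", "external_id": "CN=John Doe,OU=Engineering,O=YourCompany"},
]

if __name__ == "__main__":
    cert_dn = "cn=John Smith, ou=ArcSight, o=HP, c=US"  # the guide's keytool -dname
    print("certificate login ->", find_user(USERS, subject_cn(cert_dn)))
    print("LDAP login ->", find_user(USERS, "CN=John Doe, OU= Engineering, O=YourCompany"))
```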
Using a Custom Authentication Scheme

From the Manager Setup Wizard, you can choose the Custom JAAS Plug-in Configuration option if you want to use an authentication scheme that you have built. (Custom Authentication is not supported from the ArcSight Command Center.) You must specify the authentication configuration in a jaas.config file stored in the ArcSight Manager config directory.

Password Based and SSL Client Based Authentication

Your authentication is based both upon the username and password combination and upon the authentication of the client certificate by the Manager.

Note: Using a PKCS#11 provider as your SSL Client Based authentication method within this option is not currently supported.

Password Based or SSL Client Based Authentication

If you select this option, you can use either the username/password combination or the authentication of the client certificate by the Manager (for example, a PKCS#11 token) to log in. For more detail on SSL authentication for browser logins, see "Login in with SSL Authentication" in the chapter "Starting the Command Center" in the ArcSight Command Center Guide.

SSL Client Only Authentication

You must manually set up the authentication of the client certificate by the Manager. You can use either a PKCS#11 token or a client keystore to authenticate.

Appendix A: Administrative Commands

This appendix provides information about assorted administrative commands.

ArcSight_Services Command

The arcsight_services command syntax and options are described below.

Note: Do not start or stop services that are listed in the category Background Component Services. They are listed for information only.

Description: This command manages component services.
Applies to: All components
Syntax: /etc/init.d/arcsight_services

Service Actions:
start: Start the specified component, and any components it depends on.
stop: Stop the specified component and any components that depend on it.
restart: Complete a controlled stop and restart of the specified component service and any component it depends on. Do not use stop, then start, to restart a service.
status: Provides the component version and build numbers followed by whether each service is available.
help: Provides command usage (no component).
version: Print the complete version numbers of all components.

Component Services:
all: This is the default if no component is specified.
logger_httpd: Logger Apache httpd service
logger_servers: Logger service
logger_web: Logger Web service
manager: ESM Manager
mysqld: MySQL database

Background Component Services (for information only):
aps: ArcSight Platform Services; functions in the background to perform configuration tasks; you can start this service, but do not stop it unless you are stopping all services
postgresql: Open source database, which functions in the background; you can start this service, but do not stop it unless you are stopping all services
execprocsvc: Helper service for the Manager; actions not supported on this service

Examples:
/etc/init.d/arcsight_services start
/etc/init.d/arcsight_services stop manager
/etc/init.d/arcsight_services status all
/etc/init.d/arcsight_services stop

ArcSight Commands

To run an ArcSight command script on a component, open a command window and switch to the directory. The arcsight commands run using the file (on Windows) or arcsight.sh in \bin. The general syntax is as follows:
bin\arcsight [parameters]
In general, commands that accept a path accept either a path that is absolute or relative to . Running the command from and prefixing it with bin\ enables you to use the shell's capabilities in looking for relative paths. Not all parameters are required.
For example, username and password may be a parameter for certain commands, such as the Manager and Package commands, but the username and password are only required if the command is being run from a host that does not also host the Manager. ACLReportGen Description This command generates a report on ACLs either at the group level or at the user level. By default, the generated report is placed in the /opt/arcsight/manager/ACLReports directory. Applies to Manager Syntax ACLReportGen [parameters] Parameters Optional: HP ESM (6.9.1c) Page 89 of 186 Administrator's Guide Appendix A: Administrative Commands ACLReportGen, continued Example -config The primary configuration file (config/server.defaults.properties). -locale The locale under which to run the command. -mode Mode in which this tool is run to generate the ACLs report. Supported modes are grouplevel and userlevel. The default value is grouplevel. -pc The name of the override configuration file (config/server.properties). -h Help arcsight ACLReportGen agent logfu Description This command runs a graphical SmartConnector log file analyzer. Applies to SmartConnectors Syntax agent logfu -a [parameters] Parameters -a Example arcsight agent logfu -a SmartConnector log, which is required. For other parameters, see the description of the logfu command for the Manager. agent tempca Description This command allows you to Inspect and manage temporary certificates for a SmartConnector host machine Applies to SmartConnectors Syntax agent tempca Parameters Example For parameters, see the description of the tempca command for the Manager. 
  arcsight agent tempca

agentcommand

Description
  This command allows you to send a command to SmartConnectors.

Applies to
  SmartConnectors

Syntax
  agentcommand -c (restart | status | terminate)

Parameters
  -c   Valid parameters are restart, status, or terminate.

Examples
  To retrieve status properties from the SmartConnector:
    arcsight agentcommand -c status
  To terminate the SmartConnector process:
    arcsight agentcommand -c terminate
  To restart the SmartConnector process:
    arcsight agentcommand -c restart

agents

Description
  This command runs all installed ArcSight SmartConnectors on the host as a standalone application.

Applies to
  SmartConnectors

Syntax
  agents

Parameters
  None

Example
  arcsight agents

agentsvc

Description
  This command installs an ArcSight SmartConnector as a service.

Applies to
  SmartConnectors

Syntax
  agentsvc -i -u

Parameters
  -i   Install the service.
  -u   Run the service as the specified user.

Example
  arcsight agentsvc

agentup

Description
  This command allows you to verify the current state of a SmartConnector. It returns 0 if the SmartConnector is running and accessible, and 1 if it is not.

Applies to
  SmartConnectors

Syntax
  agentup

Parameters
  None

Example
  arcsight agentup

arcdt

Description
  This command allows you to run diagnostic utilities, such as session wait times and thread dumps, about your system, which can help Customer Support analyze performance issues on your components.

Applies to
  Manager

Syntax
  arcdt diagnostic_utility utility_Parameters

Parameters
  diagnostic_utility   Utilities you can run are:

  runsql   Run SQL commands contained in a file that is specified as a parameter of this command.
    Required Parameter:
      -f      The file containing the SQL statements to be executed.
    Optional Parameters:
      -fmt    The format in which the output should be displayed (where relevant); choices are html or text.
      -o      File name to save output to. ()
      -rc     The number of rows to be shown as a result of a select. (10000)
      -se     If type is EndTime or mrt, the value has the form yyyy-MM-dd-HH-mm-ss-SSS-zzz; if type is EventId, the value is a positive integer indicating the ending eventId. (2011-06-30-01-00-00-000-GMT)
      -sr     The row number from which you want data to be shown. (0)
      -ss     If type is StartTime or mrt, the value has the form yyyy-MM-dd-HH-mm-ss-SSS-zzz; if type is EventId, the value is a positive integer indicating the starting eventId. (2011-06-30-00-00-00-000-GMT)
      -t      The character that separates SQL statements in the input file. (;)
      -type   Session type for the SQL query: EndTime, mrt, or EventId. (EndTime)
      -cmt    Flag indicating whether all inserts and updates should be committed before exiting.
      -sp     Flag specifying whether output should be saved to disk or not.

    Required Parameter:
      -sp     Flag specifying whether output should be saved to disk or not.
    Optional Parameters:
      -c      The number of times to query the various session tables. (5)
      -f      The time interval (in seconds) between queries to the session tables. (20)
      -fmt    The format in which the output should be displayed (where relevant); choices are html or text. (text)
      -o      File name to save output to. ()

  thread-dumps   Obtain thread dumps from the Manager.
    Optional Parameters:
      -c      The number of thread dumps to request. (3)
      -f      The interval in seconds between each thread dump request. (10)
      -od     The output directory into which the requested thread dumps are placed. ()

  help
  help commands   Use these help parameters (no dash) to see the parameters, a list of commands, or help for a specific command.
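The -ss and -se values for runsql must be written in the yyyy-MM-dd-HH-mm-ss-SSS-zzz form listed above, and the statement file must use the -t separator. The following Python helper is an added example, not part of the ArcSight guide or of the arcdt tool: it formats a query window from datetime values, writes the statement file that -f points at, and assembles the complete arcsight arcdt runsql argument list so the window is never hand-typed. The function names, the /tmp path and the sample query are constructed for the example.

```python
"""Build an `arcsight arcdt runsql` invocation for a time-bounded query.

Added example, not part of the ArcSight guide or of arcdt itself. It formats
the -ss/-se window in arcdt's documented yyyy-MM-dd-HH-mm-ss-SSS-zzz form and
assembles the argument list, so the query window is never hand-typed.
"""
from __future__ import annotations

import shlex
from datetime import datetime, timezone
from pathlib import Path


def parse_utc(iso: str) -> datetime:
    """Parse an ISO-8601 timestamp; a value without an offset is taken as UTC."""
    ts = datetime.fromisoformat(iso)
    return ts if ts.tzinfo is not None else ts.replace(tzinfo=timezone.utc)


def arcdt_timestamp(ts: datetime) -> str:
    """Render a timezone-aware datetime as yyyy-MM-dd-HH-mm-ss-SSS-zzz.

    The value is converted to UTC first, so the zone suffix is always GMT,
    matching the defaults the guide shows (e.g. 2011-06-30-01-00-00-000-GMT).
    """
    if ts.tzinfo is None:
        raise ValueError("timestamp must be timezone-aware")
    utc = ts.astimezone(timezone.utc)
    return utc.strftime("%Y-%m-%d-%H-%M-%S") + f"-{utc.microsecond // 1000:03d}-GMT"


def sql_text(statements: list[str], separator: str = ";") -> str:
    """Join statements with the separator arcdt expects (-t, default ';')."""
    return "".join(s.strip() + separator + "\n" for s in statements)


def write_sql_file(path: str, statements: list[str], separator: str = ";") -> str:
    """Write the statement file that -f points at and return its path."""
    Path(path).write_text(sql_text(statements, separator), encoding="utf-8")
    return path


def runsql_command(sql_file: str, start: datetime, end: datetime,
                   session_type: str = "EndTime", fmt: str = "text",
                   output: str | None = None) -> list[str]:
    """Return the argv for `arcsight arcdt runsql` restricted to [start, end].

    session_type is EndTime or mrt (the time-based -type values); EventId
    sessions take integer event ids for -ss/-se and are not handled here.
    """
    if session_type not in ("EndTime", "mrt"):
        raise ValueError("EventId sessions take event ids, not timestamps")
    if end <= start:
        raise ValueError("end of window must be later than start")
    if fmt not in ("html", "text"):
        raise ValueError("-fmt must be html or text")
    argv = ["arcsight", "arcdt", "runsql", "-f", sql_file,
            "-type", session_type,
            "-ss", arcdt_timestamp(start),
            "-se", arcdt_timestamp(end),
            "-fmt", fmt]
    if output:
        argv += ["-o", output]
    return argv


if __name__ == "__main__":
    # Constructed sample: the guide's host-name query over one hour on 2011-06-30.
    sql = write_sql_file("/tmp/1.sql", [
        "select * from arcsight.events where arc_deviceHostName = 'host_name' limit 2"])
    cmd = runsql_command(sql, parse_utc("2011-06-30T00:00:00"),
                         parse_utc("2011-06-30T01:00:00"))
    print(shlex.join(cmd))  # paste this into a shell in the Manager's bin directory
```

Because arcdt returns an empty result rather than an error when the window contains no events, printing the assembled command before running it makes a mistyped window visible in the -ss/-se values instead of showing up as a silent empty result.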
  help

Examples
  To find out the number of cases in your database:
  1. Create a file called sample.txt in /temp on the Manager with this SQL command:
       select count(*) from arc_resource where resource_type=7;
  2. Run this command in /bin:
       arcsight arcdt runsql -f temp/sample.txt

  If not done correctly, you might get no result when querying the arcsight.events table from arcdt. For example, to run SQL that queries events for a specific time period, follow these steps:
  1. Create a file such as 1.sql in /tmp/ containing this SQL:
       select * from arcsight.events where arc_deviceHostName = 'host_name' limit 2;
  2. Run arcdt, pass the SQL file as the -f parameter, and specify the time period to examine:
       ./arcsight arcdt runsql -f /tmp/1.sql -type EndTime -ss -se
  The result is empty if there are no events in the specified time period.

archive

Description
  This command imports or exports resources (users, rules, and so on) to or from one or more XML files. Generally, there is no need to use this command. The Packages feature in the ArcSight Console is more robust and easier to use for managing resources.

Applies to
  Manager, Console

Syntax
  archive -f [Parameters]

Required Parameter
  -f   The input (import) or output (export) file specification. File name paths can be absolute or relative. Relative paths are relative to , not the current directory.

Optional Parameters
  -action       Possible actions include: diff, export, i18nsync, import, list, merge, sort, and upgrade. Default: export.
  -all          Export all resources in the system (not including events).
  -autorepair   Check ARL for expressions that operate directly on resource URIs.
  -base         The base file when creating a migration archive. The new archive file is specified with -source (the result file is specified with -f).
  -config       Configuration file to use.
                Default: config/server.defaults.properties
  -conflict     The policy to use for conflict resolution. Possible policies are:
                  default: Prompts the user to resolve import conflicts.
                  force: Conflicts are resolved by the new overwriting the old.
                  overwrite: Merges resources, but does not perform any union of relationships.
                  preferpackage: If there is a conflict, prefers the information in the incoming package over what is already there.
                  skip: Do not import resources with conflicts.
  -exportaction The action to assign to each exported resource object. Export actions are:
                  insert: Insert the new resource if it doesn't exist (this is the default).
                  update: Update a resource if it exists.
                  remove: Remove a resource if it exists.
  -format       Specifies the format of the archive. If you specify nothing, the default is default.
                  default: Prompts the user to resolve import conflicts.
                  preferarchive: If there is a conflict, prefers the incoming information over what is there.
                  install: Use this for the first time.
                  update: Merges the archive with the existing content.
                  overwrite: Overwrites any existing content.
  -h            Get help for this command.
  -i            Synonym for -action import.
  -m            The Manager to communicate with.
  -o            Overwrite any existing files.
  -p            Password with which to log in to the Manager.
  -param        The source file for parameters used for archiving. Any parameters in the named file can be overridden by command line values.
  -pc           Private configuration file to override -config. Default: config/server.properties
  -pkcs11       Use this option when authenticating with a PKCS#11 provider. For example:
                  arcsight archive -m -pkcs11 -f
  -port         The port to use for Manager communication. Default: 8443
  -q            Quiet: do not output progress information while archiving.
  -source       The source file.
                This is used for all commands that use -f to specify an output file and use a separate file as the input.
  -standalone   Operate directly on the database, not the Manager. Warning: Do not run archive in -standalone mode when the Manager is running; database corruption could result.
  -u            The user name with which to log in to the Manager.
  -uri          The URIs to export. No effect during import. All dependent resources are exported as well, for example, all children of a group. Separate multiple URIs (such as "/All Filters/Geographic/West Coast") with a space, or repeat the -uri switch.
  -urichildren  The URIs to export (no effect during import). All child resources of the specified resources are exported. A parent of a specified resource is only exported if the specified resource is dependent on it.
  -xrefids      Exclude reference IDs. This option determines whether to include reference IDs during export. It is intended only to keep changes to a minimum between exports. Do not use this option without a complete understanding of its implications.
  -xtype        The types to exclude during export. No effect during import. Exclude types must be valid type names, such as Group, Asset, or ActiveChannel.
  -xtyperef     The types to exclude during export (no effect during import). This is the same as -xtype, except that it also excludes all references of the given type. These must include only valid type names such as Group, Asset, and ActiveChannel.
  -xuri         The URIs to exclude during export. No effect during import. Resources for which all possible URIs are explicitly excluded are not exported. Resources that can still be reached by a URI that is not excluded are still exported.
  -xurichildren The URIs to exclude during export (no effect during import).
                These exclusions are such that all URIs for the child objects must be included in the set before the object is excluded. In other words, children can still be exported if they can be reached through any path that is not excluded.

Examples
  To import resources from an XML file (on a Unix host):
    arcsight archive -action import -f /user/subdir/resfile.xml
  To export certain resources (the program displays the available resources):
    arcsight archive -f resfile.xml -u admin -m mgrName -p pwd
  To export all resources to an XML file in quiet, batch mode:
    arcsight archive -all -q -f resfile.xml -u admin -m mgrName -p password
  To export a specific resource:
    arcsight archive -uri "/All Filters/Geographic/West Coast" -f resfile.xml
  Manual import (the program prompts for a password):
    arcsight archive -i -format preferarchive -f resfile.xml -u admin -m mgrName
  Scheduled or batch importing:
    arcsight archive -i -q -format preferarchive -f resfile.xml -u admin -m mgrName -p password
  Scheduled or batch exporting:
    arcsight archive -f resfile.xml -u admin -m mgrName -p password -uri "/All Filters/Geographic/East Coast" -uri "/All Filters/Geographic/South"

  Make sure that the archive tool client can trust the Manager's SSL certificate. See "SSL Authentication" on page 44 for information on managing certificates. From the /bin directory, you can enter the command arcsight archive -h to get help.

Archive Command Details

Note: Ordinarily, you should use the packages feature to archive and import resources. For more information about packages and how to use them, see the "Managing Packages" topic in ArcSight Console Online Help. Also, see the packages command.

You can use the archive command line tool to import and export resources. It is useful for managing configuration information, for example, importing asset information collected from throughout your enterprise.
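The -uri and -xuri descriptions in the parameter list above state that a resource is left out of an export only when every URI by which it can be reached is excluded, and that repeating -uri selects several subtrees. The following Python model is an added example, not the archive tool's own code: it applies those documented rules to a constructed set of resources (SAMPLE_RESOURCES, with made-up names and URIs, some reachable under two paths) so the effect of partial exclusions can be checked before a real export, and it builds the corresponding arcsight archive argument list with one -uri per subtree.

```python
"""Model of the archive command's -uri / -xuri selection rules (added example).

This is not the archive tool's code; it reproduces the exclusion rule the
guide documents for -xuri: a resource is dropped from an export only when
every URI by which it can be reached is excluded. A resource still reachable
through a non-excluded URI is exported. All names and URIs below are
constructed sample data, not a real ESM export.
"""
from __future__ import annotations

# A resource may be reachable under several URIs (for example a filter that is
# also linked into a second group). Constructed sample data.
SAMPLE_RESOURCES: dict[str, list[str]] = {
    "West Coast filter": ["/All Filters/Geographic/West Coast"],
    "East Coast filter": ["/All Filters/Geographic/East Coast",
                          "/All Filters/Shared/East Coast"],
    "South filter":      ["/All Filters/Geographic/South"],
    "Admin channel":     ["/All Active Channels/ArcSight Administration/Logins"],
}


def _under(uri: str, prefix: str) -> bool:
    """True if uri equals prefix or lies beneath it in the resource tree."""
    return uri == prefix or uri.startswith(prefix.rstrip("/") + "/")


def select_for_export(resources: dict[str, list[str]],
                      include_uris: list[str],
                      exclude_uris: list[str] | tuple = ()) -> list[str]:
    """Return the names of resources the documented rules would export.

    include_uris mirrors repeated -uri switches: a resource is a candidate when
    any of its URIs is at or below an included URI (children are exported too).
    exclude_uris mirrors -xuri: a candidate is removed only when all of its
    URIs fall under an excluded URI.
    """
    selected = []
    for name, uris in resources.items():
        candidate = any(_under(u, inc) for u in uris for inc in include_uris)
        if not candidate:
            continue
        fully_excluded = all(any(_under(u, ex) for ex in exclude_uris) for u in uris)
        if fully_excluded:
            continue
        selected.append(name)
    return selected


def export_argv(archive_file: str, uris: list[str], user: str, manager: str,
                exclude_uris: list[str] | tuple = ()) -> list[str]:
    """Build the `arcsight archive` export command, repeating -uri and -xuri.

    No -p is added, so the tool prompts for the password instead of exposing
    it on the command line (the guide's manual-export form).
    """
    argv = ["arcsight", "archive", "-f", archive_file, "-u", user, "-m", manager]
    for u in uris:
        argv += ["-uri", u]
    for x in exclude_uris:
        argv += ["-xuri", x]
    return argv


if __name__ == "__main__":
    include = ["/All Filters/Geographic"]
    exclude = ["/All Filters/Geographic/East Coast"]
    # East Coast filter stays in: its second URI under /All Filters/Shared is not excluded.
    print(select_for_export(SAMPLE_RESOURCES, include, exclude))
    print(" ".join(export_argv("resfile.xml", include, "admin", "mgrName", exclude)))
```

The second run in the model (excluding both "/All Filters/Geographic/East Coast" and "/All Filters/Shared") is the case to check before relying on -xuri: only then is the doubly linked filter actually left out of the archive.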
You can also use this tool to archive resources so you can restore them after installing new versions of this system. The archive command automatically creates the archive files you specify, saving resource objects in XML format. This documentation does not provide details on the structure of archive files or the XML schema used to store resource objects for re-import into the system. Generally it is easier to use packages.

This command displays a resource in the archive menu list of resources only if the user running the utility has top-level access to the resource. Access is different for each mode.

Remote Mode

In remote mode, you can import or export from either a Manager or ArcSight Console installation and can perform archive operations while the Manager is running.

  arcsight archive -u Username -m Manager [-p Password] -f Filename [-i | -sort] [-q] ...

Caution: The cacerts file on the Manager host must trust the Manager's certificate. If you are using demo certificates, you may have to update cacerts by running:

  arcsight tempca -ac

You do not need to run the above command if you run the archive command from the Console.

When you run the archive utility in remote mode, it runs as the user specified on the command line. However, even users with the highest privilege level (administrator) do not have top-level access to, for example, the user resource (All Users). Thus, the User resource does not show up in the list of resources. You can export users with the -uri option, but if you want to use the -u option, use Standalone mode. To export user resources, you can use the -uri option and specify a user resource to which you have direct access.
For example:

  arcsight archive -u -m -format exportuser -f exportusers.xml -uri "/All Users/Administrators/John"

Standalone Mode

In standalone mode, from the computer where the Manager is installed, you can connect directly to the database to import or export resource information; however, the Manager must be shut down before you perform archive operations.

Caution: Do not run the archive tool in standalone mode against a database currently in use by a Manager, as it is possible to corrupt the database.

The basic syntax for the archive command in standalone mode is the following:

  arcsight archive -standalone -f Filename [-i | -sort] [-q] ...

Note: Both remote and standalone archive commands support the same optional arguments. Note that standalone mode only works from the archive command found in the Manager installation, and does not work remotely.

For example:

  arcsight archive -standalone -format exportuser -f exportusers.xml

Exporting Resources to an Archive

1. Make sure the archive tool client can trust the Manager's SSL certificate. Refer to "SSL Authentication" on page 44 for information on managing certificates. From the /bin directory, you can enter the command arcsight archive -h to get help.
2. From the /bin directory, enter the arcsight archive command along with any parameters you want to specify. This command logs in to the Manager, then displays a list of resources available for archiving.
   Note: If the Manager is running, you must specify archive commands in remote mode, entering your user name, password, and Manager name to connect to the Manager. To run the archive command in standalone mode, accessing resources directly from the ArcSight Database, enter -standalone rather than -u -p -m .
3. Enter the number of the resource type to archive.
   The archive command displays a list of options that let you choose which resource or group within the resource type you want to archive.
4. Choose the resource or group to archive. After making your selection, you are prompted whether you want to add more resources to the archive.
5. You can continue adding resources to the archive list. When you have finished, answer no to the prompt:
     Would you like to add more values to the archive? (Y/N)
   After it finishes writing the archive file, you are returned to the command prompt.

Importing Resources from an Archive

1. Make sure the archive tool client can trust the Manager's SSL certificate. Refer to "SSL Authentication" on page 44 for information on managing certificates.
2. From the /bin directory, type arcsight archive with its parameters and attach -i for import.
   Note: If the Manager is running, you must specify archive commands in remote mode, entering your user name, password, and Manager name to connect to the Manager. To run the archive command in standalone mode, accessing resources directly from the database, enter -standalone rather than -u -p -m .
3. Select one of the listed options if there is a conflict. Importing is complete when the screen displays Import Complete.

Syntax for Performing Common Archive Tasks

For manual importing, run this command in /bin:

  arcsight archive -i -format preferarchive -f -u -m

Before performing the import operation, you are prompted for a password to log in to the Manager.

For exporting:

  arcsight archive -f -u -m

Before performing the export operation, you are prompted for a password to log in to the Manager, and you then use a series of text menus to pick which resources are archived.
For scheduled/batch importing:

  arcsight archive -i -q -format preferarchive -f -u -p -m

For scheduled/batch exporting:

  arcsight archive -u admin -p password -m arcsightserver -f somefile.xml -uri "/All Filters/Geographic Zones/West Coast" -uri "/All Filters/Geographic Zones/East Coast"

Note: You can specify multiple URI resources with the -uri parameter by separating each resource with a space character, or you can repeat the -uri keyword with each resource entry.

archivefilter

Description
  This command changes the contents of an archive. The archivefilter command takes a source archive XML file as input, applies the specified filter, and writes the output to the target file.

Applies to
  Manager

Syntax
  archivefilter -source -f [Parameters]

Parameters
  -a           Action to perform; can be insert or remove. If you specify nothing, no action is performed.
  -e           Elements to process (Default: '*', which denotes all elements)
  -extid       Regular expression representing all of the external IDs to include. This is the external ID of the archived object. (Default: none)
  -f           Target file (required). If a file with an identical name already exists in the location where you want to create your target file, the existing file is overwritten. If you would like to receive a prompt before this file gets overwritten, use the -o option.
  -o           Overwrite the existing target file without prompting (Default: false)
  -relateduri  Regular expression to get all of the URIs found in references to include. This checks all attribute lists that have references, and if any of them have a URI that matches any of the expressions, that object is included.
  -source      Source file (required)
  -uri         Regular expression representing all of the URIs to include.
               This is the URI of the archived object.
  -xe          Elements to exclude
  -xextid      Regular expression representing all of the external IDs to exclude
  -xgroup      The group types to exclude.
  -xuri        Regular expression representing all of the URIs to exclude
  -h           Help

Examples
  To include any resources, for example all Active Channels, whose attributes contain the URI specified by the -relateduri option:
    arcsight archivefilter -source allchannels.xml -f t0.xml -relateduri "/All Active Channels/ArcSight Administration/"
  To include any resources whose parent URI matches the URI specified by the -uri option:
    arcsight archivefilter -source allchannels.xml -f t0.xml -uri "/All Active Channels/ArcSight Administration/.*"
  To exclude resources whose parent URI matches the URI specified by the -xuri option:
    arcsight archivefilter -source allchannels.xml -f t0.xml -xuri "/All Active Channels/.*"
  To include all the resources that contain either of the URIs specified by the two -relateduri parameters:
    arcsight archivefilter -source allchannelsFilter.xml -f t0.xml -relateduri "/All Active Channels/ArcSight Administration/" -relateduri .*Monitor.*

bleep

Description
  This command is an unsupported stress test that supplies a Manager with security events from replay files (see replayfilegen). Replay files containing more than 30,000 events require a lot of memory on the bleep host. Do not run bleep on the Manager host. Install the Manager on the bleep host and cancel the configuration wizard when it asks for the Manager's host name. Run arcsight tempca -ac on the bleep host if the Manager under test is using a demo certificate. Create the file config/bleep.properties using the descriptions in bleep.defaults.properties.
Applies to
  Manager

Syntax
  bleep [-c ] [-D = [ = …]]

Parameters
  -c file   Alternate configuration file (default: config/bleep.properties)
  -D =      Override definition of configuration properties
  -m        Maximum number of events to send. (Default: -1)
  -n        Manager host name
  -p        Manager password
  -t        Manager port (Default: 8443)
  -u        Manager user name
  -h        Help

Examples
  To run:
    arcsight bleep

bleepsetup

Description
  This command runs a wizard to create the bleep.properties file.

Applies to
  Manager

Syntax
  bleepsetup

Parameters
  -f   Properties file (silent mode)
  -i   Mode: {swing, console, recorderui, silent}. Default: swing
  -g   Generate a sample properties file

Examples
  To run:
    arcsight bleepsetup

changepassword

Description
  This command changes obfuscated passwords in properties files. The utility prompts for the new password at the command line.

Applies to
  Manager

Syntax
  changepassword -f -p

Parameters
  -f   Properties file, such as config/server.properties
  -p   Password property to change, such as server.privatekey.password

Examples
  To run:
    arcsight changepassword

checklist

Description
  This command is the ArcSight Environment Check. It is used internally by the installer to check whether you have the correct JRE and a supported operating system. This can run from the Manager.

console

Description
  This command runs the ArcSight Console.

Applies to
  Console

Syntax
  console [-i] [parameters]

Parameters
  -ast
  -debug
  -i
  -imageeditor
  -laf