HPE Security ArcSight ESM Installation Guide Install 7.0

User Manual:

Open the PDF directly: View PDF PDF.
Page Count: 115 [warning: Documents this large are best viewed by clicking the View PDF Link!]

HPE SecurityArcSightESM
Software Version: 7.0
ESM Installation Guide
April 20, 2018
Legal Notices
Warranty
The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements
accompanying such products and services. Nothing herein should be construed as constituting an additional warranty.
Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein.
The information contained herein is subject to change without notice.
The network information used in the examples in this document (including IP addresses and hostnames) is for illustration
purposes only.
HPE Security ArcSight products are highly flexible and function as you configure them. The accessibility, integrity, and
confidentiality of your data is your responsibility. Implement a comprehensive security strategy and follow good security
practices.
This document is confidential.
Restricted Rights Legend
Confidential computer software. Valid license from Hewlett Packard Enterprise required for possession, use or copying.
Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical
Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.
Copyright Notice
© Copyright 2018 Hewlett Packard Enterprise Development, LP
Follow this link to see a complete statement of copyrights and acknowledgements:
https://community.softwaregrp.com/t5/Discussions/Third-Party-Copyright-Notices-and-License-Terms/td-p/1589228
Support
Phone A list of phone numbers is available on the Technical Support
Page:
https://softwaresupport.softwaregrp.com/support-contact-information
Support Web Site https://softwaresupport.softwaregrp.com/
ArcSight Product Documentation https://community.softwaregrp.com/t5/ArcSight-Product-Documentation/ct-
p/productdocs
Contact Information
ESM Installation Guide
HPE ESM 7.0 Page 2 of 115
Contents
Chapter 1: What Is ESM With CORR-Engine Storage? 8
ESM Basic Components 8
ESM Components and Distributed Correlation 9
ESM Communication Overview 10
Choosing between FIPS Mode or Default Mode 10
FIPS Encryption Cipher Suites 11
Using PKCS#11 11
Effect on Communication When Components Fail 12
Directory Structure for ESM Installation 12
References to ARCSIGHT_HOME 12
Chapter 2: Installing on an Appliance 14
Starting the Appliance for the First Time 14
Starting the Appliance for the First Time - IPv4 14
Starting the Appliance for the First Time - IPv6 15
IPv6 Static Networking Setup 15
IPv6 Auto Config Networking Setup 16
Starting the Appliance for the First Time - Dual Stack 17
Using the Configuration Wizard - Appliance 17
Keep These TCP Ports Open 21
Enable Peering 22
Running ESM on an Encrypted Appliance 22
Configuring the Appliance for Out-of-Band Remote Access 23
Chapter 3: Installing Software ESM 24
Securing Your ESM System 24
Protecting ArcSight Manager 24
Built-In Security 26
Physical Security for the Hardware 26
Operating System Security 26
General Guidelines and Policies about Security 27
Preparing to Install 28
System Requirements 28
HPE ESM 7.0 Page 3 of 115
Supported Platforms 29
Download the Installation Package 30
Prepare the System 31
Keep these TCP Ports Open 31
Install the Time Zone Package 32
Add RemoveIPC=no to /etc/systemd/logind.conf - RHELand CentOS 7.3 Only 33
Set Directory Sizes 33
Sizing Guidelines for CORR-Engine 34
Export Language UTF File 35
Distributed Correlation Cluster Planning 36
Hierarchical Implementations and Cluster Planning 36
Cluster Requirements 36
Recommended Cluster Configurations 37
Starting the Installer 41
Running the Installation File 41
Starting the Configuration Wizard In Console Mode 42
Using the Configuration Wizard - ESM in Compact Mode 42
Using the Configuration Wizard - ESM in Distributed Correlation Mode 46
Persistor Node Installation 47
Add Nodes to a Cluster - Further Node Installation 52
Post Cluster Creation Configuration 53
Setting Up Key-Based Passwordless SSH - Distributed Correlation Mode Only 53
Handling a Time Zone Update Error 54
Chapter 4: Post-Installation Considerations 55
Uninstalling ESM 55
Uninstalling ESM - Distributed Correlation Mode 56
Rerunning the Installer 57
Rerunning the ESM Configuration Wizard 57
Setting Up ESM Reports to Display in a Non-English Environment 58
Setting Up Reports On the Manager 58
Setting Up Reports On the Console 58
Improving the Performance of Your Server 59
Configure Your Browser for TLS Protocols 60
Setting Up SSL Client-Side Authentication Between Event Broker and ESM - Non-FIPS Mode 60
Configure Integration with ServiceNow® IT Service Management (ITSM) - Optional 62
Post-Installation Next Steps 63
ESM Installation Guide
HPE ESM 7.0 Page 4 of 115
Chapter 5: Installing ArcSight Console 64
Console Supported Platforms 64
Required Libraries for RHEL and CentOS (64 Bit) 64
Installing the Console 65
Configuring the ArcSight Console 66
Importing the Console’s Certificate into the Browser 70
Character Set Encoding 70
Starting the ArcSight Console 71
Logging into the Console 72
Reconnecting to the ArcSight Manager 73
Reconfiguring the ArcSight Console 73
Uninstalling the ArcSight Console 73
Appendix A: Troubleshooting 75
Location of Log Files for Components 75
If You Encounter an Unsuccessful Installation 77
Customizing the Manager 78
Fatal Error when Running the First Boot Wizard - Appliance Installation 78
Search Query Result Charts Do Not Display in Safari Browser 79
Hostname Shown as IPv6 Address in Dashboard 79
Internet Not Accessible From an IPv6 System 79
Appendix B: Default Settings For Components 80
General Settings 80
CORR-Engine Settings 80
Manager Settings 80
Appendix C: Using PKCS 82
PKCS#11 82
PKCS#11 Token Support in ESM 82
Setting Up to Use a PKCS#11 Provider 83
Install the PKCS#11 Provider’s Software 83
Map a User’s External ID to the Subject CN 83
Obtain the CAC/90Meter’s Issuers Certificate 85
Extract the Root CA Certificate From the CAC/90Meter Certificate 87
ESM Installation Guide
HPE ESM 7.0 Page 5 of 115
Import the CAC/90Meter Root CA Certificate into the ArcSight Manager 88
Import into the ArcSight Manager’s Truststore 88
Select Authentication Option in ArcSight Console Setup 89
Logging in to the ArcSight Console Using PKCS#11 Token 90
Logging in to an ESMWeb UI Using PKCS#11 Token 90
Appendix D: Installing ESM in FIPS Mode 92
What is FIPS? 92
What is Suite B? 92
Transport Layer Security (TLS) Configuration Concepts 93
TLS Support 93
Server Side Authentication 94
Client Side Authentication 95
Exporting the Manager’s Certificate to Clients 95
Using PKCS#11 Token With a FIPS Mode Setup 96
Installing ArcSight Console in FIPS Mode 96
Connecting a Default Mode ArcSight Console to a FIPS 140-2 ArcSight Manager 98
Connecting a FIPS ArcSight Console to FIPS Enabled ArcSight Managers 98
Installing SmartConnectors in FIPS Mode 98
Configure Event Broker Access - FIPS Mode (Server Authentication Only) (Optional) 99
Configure ServiceNo IT Service Management (ITSM) Access - FIPS Mode 101
Setting Up SSL Client-Side Authentication Between Event Broker and ESM - FIPS Mode 102
How Do I Know if My Installation is FIPS Enabled? 103
Appendix E: Event Broker Best Practices 104
Appendix F: Locales and Encodings 105
Locale and Encoding Terminology 105
Character Set 105
Code Point 105
Code Set 105
Encoding 105
Internationalization 105
Locale 106
Localization 106
ESM Installation Guide
HPE ESM 7.0 Page 6 of 115
Region Code 106
Unicode 106
UTF-8 106
Before You Install a Localized Version of ESM 106
ArcSight Console and Manager 107
ArcSight SmartConnectors 107
Setting the Encoding for Selected SmartConnectors 107
Localizing Date Formats 107
List of Possible Values 107
Key-Value Parsers for Localized Devices 113
Appendix G: Restore Appliance Factory Settings 114
Send Documentation Feedback 115
ESM Installation Guide
HPE ESM 7.0 Page 7 of 115
Chapter 1: What Is ESM With CORR-Engine
Storage?
ESM is a Security Information and Event Management (SIEM) solution that collects and analyzes
security data from different devices on your network and provides you a central, real-time view of the
security status of all devices of interest to you. ESM uses the Correlation Optimized Retention and
Retrieval Engine (CORR-Engine) storage, a proprietary framework that processes events, and performs
searches.
Terminology to Note:
ESMAppliance and ESM Express are different licensing models installed on an appliance.
Software ESM is ESM installed on your own hardware.
ESM Basic Components
The ESM system comprises the following components:
lESMManager -- The Manager is a server that receives event data from Connectors and correlates,
reports, and stores them in the database. The Manager and CORR-Engine are integrated
components and get installed on the same machine.
lCORR-Engine -- The CORR-Engine (Correlation Optimized Retention and Retrieval Engine) is a long-
term data storage and retrieval engine that enables the product to receive events at high rates.
lArcSight Console -- The ArcSight Console enables you to perform administrative tasks, such as
tuning the ESM content, creating rules, and managing users. The ArcSight Console is installed
separately on client machines.
lArcSight Command Center -- The ArcSight Command Center is a web-based user interface that
enables you to perform many of the functions found in the ArcSight Console. It provides
dashboards, a variety of search types, reports, case management, notifications, channels, and
administrative functions for managing content, storage, archives, search filters, saved searches,
search configuration, log retrieval and license information.
lSmartConnectors -- SmartConnectors are software components that forward security events from a
wide variety of devices and security event sources to ESM. SmartConnectors are not bundled with
ESM and are installed separately.
Below is a diagram of how these components can be deployed in a network:
HPE ESM 7.0 Page 8 of 115
ESM Components and Distributed Correlation
Distributed correlation allows you to use distributed resources as services to run on one or several
systems (nodes) in a software cluster that you install, configure, and manage. A distributed correlation
deployment includes the persistor, repository, correlators, aggregators, message bus data, message bus
control, and distributed cache. Ideally, the correlators and aggregators in the cluster will keep up with
event flow on your system. As needed, you can add more correlators and aggregators through
configuration, as described in "Configuring and Managing a Distributed Correlation", in the
ESM
Administrator's Guide.
You must balance system resources as you add these components (CPU and memory). You will want to
be somewhat generous in your cluster planning, and add more correlators and aggregators than you
think you need. Distributed correlation is most effective if configured over multiple physical systems to
ensure the fault tolerance benefit of the distributed correlation cluster deployment is fully realized. The
fault tolerance aspect of the distributed correlation cluster, as described in "Distributed Correlation
Concepts" in ESM 101.
Distributed correlation has components that are used in the context of cluster nodes:
lPersistor: Persists to disk the information that needs to be retained, retrieved, or shared. There is a
single persistor in the distributed correlation cluster. The persistor consists of multiple entities,
including the Manager, Logger, and the CORR-Engine database, among others. When you configure
a distributed correlation cluster, the persistor is on the first node you configure during installation.
lCorrelators: Each correlator in the cluster is a single process; there can be multiple correlators on
each node in the cluster.
lAggregators: Each aggregator in the cluster is a single process; there can be multiple aggregators on
each node in the cluster.
ESM Installation Guide
Chapter 1: What Is ESM With CORR-Engine Storage?
HPE ESM 7.0 Page 9 of 115
lMessage Bus Control and Message Bus Data:Handles the messaging among the cluster
components.
lRepository (Repo): Contains the state of each member of the cluster among all of the nodes.
lDistributed Cache: Manages the short-term storage of data needed for cluster operation.
Here is a conceptual view of the cluster services and their interactions with each other and ESM:
ESM Communication Overview
The ArcSight Console, Manager, and SmartConnectors communicate using HTTPS (HyperText
Transfer Protocol Secure). The HTTPS protocol provides for data encryption, data integrity
verification, and authentication for both server and client.
SSL works over TCP (Transport Control Protocol) connections. The default incoming TCP port on the
Manager is 8443.
The Manager never makes outgoing connections to the Console or SmartConnectors. The Manager
connects to the CORR-Engine through a loop-back interface using a propriety protocol.
Choosing between FIPS Mode or Default Mode
ESM supports the Federal Information Processing Standard (FIPS) 140-2 and Suite B. FIPS is a
standard published by the National Institute of Standards and Technology (NIST) and is used to
accredit cryptographic modules in software components. The US Federal government requires that all
IT products dealing with Sensitive, but Unclassified (SBU) information should meet FIPS140-2
standards.
Depending on your requirements, you can choose to install the ESM components in one of these
modes:
ESM Installation Guide
Chapter 1: What Is ESM With CORR-Engine Storage?
HPE ESM 7.0 Page 10 of 115
lDefault mode (standard cryptography)
lFIPS 140-2 mode
lFIPS with Suite B mode (128 bits or 192 bits)
FIPS Encryption Cipher Suites
A cipher suite is a set of authentication, encryption, and data integrity algorithms used for securely
exchanging data between an SSL server and a client. Depending on FIPS mode settings, some of the
following specific cipher suites are automatically enabled for ESM and its clients.
Note: SSL is not supported in any mode. TLS is supported for all modes. For TLS version support
see "TLS Support" on page93.
The following table outlines some of the basic differences between the three modes that ESM supports:
Mode Default Cipher Suites
Keystore/
Truststore
Default Mode lTLS_RSA_WITH_AES_128_CBC_SHA
lTLS_RSA_WITH_AES_128_GCM_SHA256
Keypair and Certificates stored in Keystore and
cacerts, and Truststore in JKS format
FIPS 140-2
Mode
lTLS_RSA_WITH_AES_128_CBC_SHA
lTLS_RSA_WITH_AES_128_GCM_SHA256
Keypair and Certificates stored in Keystore
FIPS with Suite
B Mode
lIn 192 bit mode, the following 192-bit cipher
suites are supported.
oTLS_ECDHE_ECDSA_WITH_AES_256_
CBC_SHA
oTLS_ECDHE_ECDSA_WITH_AES_256_
GCM_SHA384
lIn 128 bit mode, the following 128-bit cipher
suites are supported.
oTLS_ECDHE_ECDSA_WITH_AES_128_CBC_
SHA
oTLS_ECDHE_ECDSA_WITH_AES_128_
GCM_SHA256
Keypair and Certificates stored in Keystore
Using PKCS#11
ESM supports the use of a PKCS#11 token such as 90Meter or the Common Access Card (CAC) (which
is used for identity verification and access control) to log into the Console. PKCS#11 is Public-Key
Cryptography Standard (PKCS), published by RSA Laboratories which describes it as “a technology-
independent programming interface, called Cryptoki, for cryptographic devices such as smart cards and
PCMCIA cards.”
ESM Installation Guide
Chapter 1: What Is ESM With CORR-Engine Storage?
HPE ESM 7.0 Page 11 of 115
PKCS#11 authentication is not supported with Radius, LDAP, and Active Directory authentication
methods.
Effect on Communication When Components Fail
If any of the software components is unavailable, it can affect communication between other
components.
If the CORR-Engine is unavailable for any reason, the Manager stops accepting events and caches any
events that were not committed to the CORR-Engine. The SmartConnectors also start caching new
events they receive, so there is no event data loss. The Console is disconnected.
When the CORR-Engine is filled to capacity, as new events come in, the Manager starts deleting existing
events starting from the oldest event.
If the Manager is unavailable, the SmartConnectors start caching events to prevent event data loss. The
CORR-Engine is idle. The Console is disconnected.
If a SmartConnector fails, whether event data loss will occur or not depends on the SmartConnector
type. SmartConnectors that listen for events from devices such as the SNMP SmartConnectors will stop
accepting events. However, a SmartConnector that polls a device, such as the NT Collector
SmartConnector, may be able to collect events that were generated while the SmartConnector was
down, after the SmartConnector comes back up.
Directory Structure for ESM Installation
By default, ESM is installed in a directory tree under a single root directory. Other third-party software is
not necessarily installed under this directory, however. The path to this root directory is called
/opt/arcsight.
The directory structure below /opt/arcsight is also standardized across components and platforms.
The following table lists a few of the commonly used directories for the Manager.
Port Directory
ESM bin /opt/arcsight/manager/bin
Properties files /opt/arcsight/manager/config
Log files /opt/arcsight/var/logs
References to ARCSIGHT_HOME
<ARCSIGHT_HOME> in the paths represents:
ESM Installation Guide
Chapter 1: What Is ESM With CORR-Engine Storage?
HPE ESM 7.0 Page 12 of 115
l/opt/arcsight/manager for the ArcSight Manager
lWhatever path you specified when you installed the ArcSight Console
lWhatever path you specified when you installed an ArcSight SmartConnector.
ESM Installation Guide
Chapter 1: What Is ESM With CORR-Engine Storage?
HPE ESM 7.0 Page 13 of 115
Chapter 2: Installing on an Appliance
This section applies to users who have purchased ESM on an appliance. For instructions about how to
install ESM on your own hardware, go to "Installing Software ESM" on page24.
Read the Release Notes before you begin.
Note: The operating system image provided on a G9 appliance does not include X Window. Since
the X Window system is not present on ESM on an appliance, the installation and configuration of
ESM on an appliance is performed using the command line. No GUI wizard is available for
installation and configuration of ESM on an appliance.
There are no software preparations necessary on the appliance and no opportunity to make any
preparatory adjustments before the First Boot Wizard starts.
Starting the Appliance for the First Time
When you power on the appliance, the Operating System First Boot Wizard (FBW) starts automatically.
The FBW offers three choices of networking types:
lIPv4
lIPv6
lBoth IPv4 and IPv6 (dual stack)
Starting the Appliance for the First Time - IPv4
This is a command line interface. The FBW asks you to supply the following information, one entry at a
time (the FBW indicates which values are optional):
1. At appliance login, log in as user root, using the password arcsight.
2. Set a new password for user root.
3. Set a new password for user arcsight.
4. Set the appliance hostname.
5. Specify 1 for IPv4.
6. Specify the appliance IP address.
7. Specify the netmask.
8. Specify the default gateway.
9. Specify the primary DNS IPAddress.
ESM Installation Guide
Chapter 2: Installing on an Appliance
HPE ESM 7.0 Page 14 of 115
10. Specify the secondary DNSIP Address (optional).
11. Specify the DNSSearch Domains.
12. Specify the time zone. You can start to type and press Tab and the system will attempt to auto-fill
the time zone. For example you can type A, Tab and it fills in "America_". Press the Tab key twice for
a list of timezone entries that starts with "America_".
13. Enter the Date.
The date and time are optional. If you specify an NTP server, it overrides these date/time values. If
there is no NTPserver, these date/time values reset the appliance system clock and if you leave
them blank, the system clock determines the date time.
14. Enter the Time.
15. Specify the NTPservers. List one NTPserver per line. You can use IP addresses or host names.
Using an NTPserver is recommended.
When you are done, the FBW provides a list of what you have specified, for you to review. If you say No,
it starts over.
If you accept the specifications, type yand press Enter to end the installation session and automatically
start the Configuration Wizard.
License file: Once the IP address is defined you can log in to the appliance from the machine where you
downloaded the license file and copy it to the appliance. The Configuration Wizard segment, which is
next, asks you to specify the location of the license file on the appliance.
Starting the Appliance for the First Time - IPv6
For IPV6, you can specify Static or Auto Config Networking setups.
This is a command line interface. The FBW asks you to supply the following information, one entry at a
time (the FBW indicates which values are optional).
IPv6 Static Networking Setup
1. At appliance login, log in as user root, using the password arcsight.
2. Set a new password for user root.
3. Set a new password for user arcsight.
4. Set the appliance hostname.
5. Specify 2 for IPv6.
6. Specify 1 for a static IPv6 networking setup (in which you will provide the IP address).
7. Specify the appliance IP address.
8. Specify the default gateway.
9. Specify the primary DNS IPAddress.
ESM Installation Guide
Chapter 2: Installing on an Appliance
HPE ESM 7.0 Page 15 of 115
10. Specify the secondary DNSIP Address (optional).
11. Specify the DNSSearch Domains.
12. Specify the time zone. You can start to type and press Tab and the system will attempt to auto-fill
the time zone. For example you can type A, Tab and it fills in "America_". Press the Tab key twice for
a list of timezone entries that starts with "America_".
13. Enter the Date.
The date and time are optional. If you specify an NTP server, it overrides these date/time values. If
there is no NTPserver, these date/time values reset the appliance system clock and if you leave
them blank, the system clock determines the date time.
14. Enter the Time.
15. Specify the NTPservers. List one NTPserver per line. You can use IP addresses or host names.
Using an NTPserver is recommended.
When you are done, the FBW provides a list of what you have specified, for you to review. If you say No,
it starts over.
If you accept the specifications, type yand press Enter to end the installation session and automatically
start the Configuration Wizard.
IPv6 Auto Config Networking Setup
1. At appliance login, log in as user root, using the password arcsight.
2. Set a new password for user root.
3. Set a new password for user arcsight.
4. Set the appliance hostname.
5. Specify 2 for IPv6.
6. Specify 2 for an Auto Config IPv6 networking setup, which uses Stateless Address Auto
Configuration (SLAAC). Specify the primary DNS IP address and, optionally, the secondary DNS IP
address. The IP address and gateway address are automatically detected and assigned through the
DNS.
7. Specify the time zone. You can start to type and press Tab and the system will attempt to auto-fill
the time zone. For example you can type A, Tab and it fills in "America_". Press the Tab key twice for
a list of timezone entries that starts with "America_".
8. Enter the Date.
The date and time are optional. If you specify an NTP server, it overrides these date/time values. If
there is no NTPserver, these date/time values reset the appliance system clock and if you leave
them blank, the system clock determines the date time.
9. Enter the Time.
10. Specify the NTPservers. List one NTPserver per line. You can use IP addresses or host names.
Using an NTPserver is recommended.
ESM Installation Guide
Chapter 2: Installing on an Appliance
HPE ESM 7.0 Page 16 of 115
When you are done, the FBW provides a list of what you have specified, for you to review. If you say No,
it starts over.
If you accept the specifications, type yand press Enter to end the installation session and automatically
start the Configuration Wizard.
License file: Once the IP address is defined you can log in to the appliance from the machine where you
downloaded the license file and copy it to the appliance. The Configuration Wizard segment, which is
next, asks you to specify the location of the license file on the appliance.
Starting the Appliance for the First Time - Dual Stack
This is a command line interface. The FBW asks you to supply the following information, one entry at a
time (the FBW indicates which values are optional):
1. At appliance login, log in as user root, using the password arcsight.
2. Set a new password for user root.
3. Set a new password for user arcsight.
4. Set the appliance hostname.
5. Specify 3 for both IPv4 and IPv6.
6. Complete the choices for the IPv4 networking setup per the steps in "Starting the Appliance for the
First Time - IPv4" on page14.
7. Complete the choices for the IPv6 networking setup per the steps in "Starting the Appliance for the
First Time - IPv6" on page15.
When you are done, the FBW provides a list of what you have specified for both IPv4 and IPv6, for your
review. If you choose No, it starts over.
If you accept the specifications for both IPv4 and IPv6, type yand press Enter to end the installation
session and automatically start the Configuration Wizard.
License file: Once the IP address is defined you can log in to the appliance from the machine where you
downloaded the license file and copy it to the appliance. The Configuration Wizard segment, which is
next, asks you to specify the location of the license file on the appliance.
Using the Configuration Wizard - Appliance
When installing on an appliance, the configuration wizard starts automatically. (You do not need to
manually enter any command for that to happen.)
Note: Distributed correlation mode is not available on an appliance.
ESM Installation Guide
Chapter 2: Installing on an Appliance
HPE ESM 7.0 Page 17 of 115
Note: When you run the managersetup command on the appliance, you will receive these
messages: "Wizard could not connect to an X11 display. Please set the DISPLAY variable to start the
wizard in UI mode. Falling back to console mode." Ignore these messages.
1. Read the Welcome message. If the license file is accessible, type yes to continue.
2. Under Language Options, select the language for interface displays. Press Enter to continue.
3. Under Installation Mode, type 0to install ESM in Compact Mode. The other option, Distributed
Mode, is not available on an appliance.
4. Under CORR-Engine Password, press Enter to continue with obfuscated passwords or type no
and press Enter to allow them to show on screen.
5. Under CORR-Engine Password, set a password for the CORR-Engine and reenter it for the
Password confirmation. Press Enter. For information on password restrictions, see the
ESM
Administrator's Guide section “Managing Password Configuration” in the chapter Basic
Configuration.”
6. Under CORR-Engine Configuration, enter the CORR-Engine storage allocation information and
press Enter.
System Storage Size - the size of the storage space set aside to store resources
Event Storage Size - the size of the storage space set aside to store events
Online Event Archive Size - the maximum number of gigabytes of disk space for event archives.
This only applies to the online event archive.
Retention Period - the amount of time that you want to retain the events before they are purged
from the system
7. Under Notification Emails, specify the following email addresses:
Error Notification Recipient: Specify one email address for the email account to receive email
notifications if the Manager goes down or encounters some other problem. If you need to specify
more email addresses, the Manager Configuration Wizard allows that, as described in the "Running
the Manager Configuration Wizard" section of the ESM Administrator's Guide.
From email address: The email address used for the notifications sender.
If the values are correct, type yes and Enter to continue. Emails are sent when the system detects
the following occurrences:
lThe subsystem status is changed. The email shows the change and who did it.
lThe report has been successfully archived.
lThe account password has been reset.
lThe Archive report generation fails.
lThere is too many notifications received by a destination.
lThe event archive location has reached the cap space. It will ask you to free up some space by
moving the event archives to some other place.
ESM Installation Guide
Chapter 2: Installing on an Appliance
HPE ESM 7.0 Page 18 of 115
lThe user elects to email the ArcSight Console settings.
lThe user sends partition archival command.
lAn archive fails because there is not enough space.
lThe Connection to the database failed.
8. For the License File, enter the path and file name of the license file you downloaded and press
Enter.
9. Under Select the Product Mode, select whether you want to install in default mode or FIPS mode.
Press Enter to continue.
Caution:
lIf you choose to install the product in FIPS mode, be sure to install the Console in FIPS
mode too. Refer to "Installing ArcSight Console in FIPS Mode" on page96 for instructions
on installing the Console in FIPS mode.
lOnce you have configured the software in FIPS mode, you will not be able to convert it to
default mode without reinstalling it.
lConverting from default mode installation to FIPS-140-2 mode is supported. If you need to
do so at any time, refer to the Administrator’s Guide for instructions.
lBy default, ESM uses a self-signed certificate. If you would like to use a CA-signed
certificate, you will have to import the CA-signed certificate manually after the
configuration wizard completes successfully. Refer to the Administrator’s Guide for ESM for
details on using a CA-signed certificate.
10. If you selected FIPS mode, confirm your selection. if not, skip to the Manager Information step.
11. If you selected FIPS mode on the Select the Cipher Suite Options panel, select the cipher suite.
Suite B defines two security levels of 128 and 192 bits. The two security levels are based on the
Advanced Encryption Standard (AES) key size that is used instead of the overall security provided
by Suite B. At the 128-bit security level, the 128 bit AES key size is used. However, at the 192-bit
security level, a 256 bit AES key size is used. Although a larger key size means more security, it also
means computational cost in time and resource (CPU) consumption. In most scenarios, the 128-bit
key size is sufficient.
12. Under Manager Information, enter the Manager’s hostname, set the user ID and password for the
admin user, and press Enter.
Caution:
lThe Manager host name is the IP address (for IPv4 only), or fully-qualified domain name of
the machine where the Manager is installed. This name is what all clients (for example,
ArcSight Console) specify to connect to the Manager. Using a fully-qualified domain name
instead of an IP address is recommended for flexibility.
ESM Installation Guide
Chapter 2: Installing on an Appliance
HPE ESM 7.0 Page 19 of 115
lThe IP Version selection (IPv4 or IPv6) appears if you have a dual-stack machine, such as
an appliance. If you see this option, your selection has the following effects:
lIt controls what IP Address is used by third party software if a hostname is given. for
example, the e-mail server in Manager Setup.
lIt controls which IP Address is tried on the peering page if a hostname is specified.
lIt controls whether an IPv4 or IPv6 Address is chosen for the manager asset.
lThere might be more than one host name, and the default might not be the same as the one
returned by the hostname command. If you are using the High Availability Module, use the
Service hostname that is common to both servers (primary and secondary) as the Manager
IP, or hostname. Otherwise, pick one which you would expect to work, and would be
convenient for configuring connectors, consoles, and other clients. Note that it is always
best to use a fully qualified domain name.
lIf you do not want the hostname on your DNSserver, add a static host entry to the
/etc/hosts file to resolve the host name locally.
lThe Manager hostname is used to generate a self-signed certificate. The Common Name
(CN) in the certificate is the Manager host name that you specify in this screen.
lAlthough the Manager uses a self-signed certificate by default, you can switch to using a
CA-signed certificate if needed. You can do this after installation. Refer to the
ESM
Administrator’s Guide for instructions.
13. Select whether to set up connection to the Event Broker (if Event Broker is part of your
implementation of ESM). If you need to set up the Event Broker in FIPS mode, see "Configure
Event Broker Access - FIPS Mode (Server Authentication Only) (Optional)" on page99 .
If client authentication is enabled on the Event Broker, see either "Setting Up SSL Client-Side
Authentication Between Event Broker and ESM - Non-FIPS Mode" on page60 or "Setting Up SSL
Client-Side Authentication Between Event Broker and ESM - FIPS Mode" on page102.
Select Yes to set up the connection; select No to continue. If you select Yes, specify:
a. Host: Port(s): Enter the host and port information for the nodes in the Event Broker. Include
the host (hostname or IP address) and port information of all the nodes in a multiple node
environment not just the Master node. This is a comma-separated list, for example:
<host>:<port>,<host>:<port>. Note that Event Broker can only accept IPV4 connections from
ESM.
b. Topic to read from: Specify the topic in the Event Broker you want to read from. This will
determine the data source. See the chapter "Managing Event Broker Topics", in the Event
Broker Administrator's Guide.
c. Path to the Event Broker root cert: ESM communicates with the Event Broker through TLS.
To enable this, you must import the Event Broker's root certificate into ESM's client truststore.
Copy over the Event Broker root certificate from the Event Broker machine in this location:
/opt/arcsight/kubernetes/ssl/ca.crt to a local folder on the ESM machine. After you
ESM Installation Guide
Chapter 2: Installing on an Appliance
HPE ESM 7.0 Page 20 of 115
enter the path to the certificate, and click Next, the Event Broker's root certificate is imported
into ESM's client truststore and the connection to the Event Broker is validated. If there are any
issues, you will receive an error or warning message. If no message displays and you advance to
the next screen in the wizard, that indicates that the connection between the Event Broker and
ESM is successfully validated.
14. Select whether to set up ArcSight Investigate. Select Yes to enable the integration; select No to
continue. If you select Yes, specify the Search URL for the ArcSight Investigate deployment.
15. Select whether to integrate with the ServiceNo IT Service Management (ITSM) application.
Select Yes to enable the integration; select No to continue. If you select Yes, specify the
mandatory ServiceNow URL and the optional ServiceNow Proxy URL .
16. Under Packages Panel press Enter to continue. Otherwise, select the optional packages that you
are licensed to use. In addition to these optional packages, there are default standard content
packages that are installed automatically on the ArcSight Manager. These default packages
provide essential system health and status operations, and you can use them immediately to
monitor and protect your network.
For more information about packages, see the ArcSight Administration and ArcSight System
Standard Content Guide.
17. Under About to Configure ESM.
Caution: Once you type yes and press Enter, the product is installed as specified.
18. When the configuration says Configuration Completed Successfully, type yes and then Enter to
exit.
19. Log in as user root and run the following script to set up and start the required services:
/opt/arcsight/manager/bin/setup_services.sh
20. After you have completed the installation, check the location and size of your storage volumes and
make any necessary changes. You can do this in the ArcSight Command Center. Refer to the
ArcSight Command Center User's Guide, the "Administration" chapter under "Storage and Archive
section for details regarding your storage volumes.
You can rerun the wizard manually only if you exit it at any point before you reach the first
configuration screen called “About to Configure ESM v7.0”. See "Rerunning the ESM
Configuration Wizard" on page57 for details.
Keep These TCP Ports Open
On an appliance, these ports are already open.
Ports for external incoming connections:
8443/tcp
22/tcp (ssh)
ESM Installation Guide
Chapter 2: Installing on an Appliance
HPE ESM 7.0 Page 21 of 115
TCP ports used internally for inter-component communication:
1976, 28001, 2812, 3306, 5555, 6005, 6009, 7777, 7778, 7779, 7780, 8005, 8009, 8080, 8088, 8089,
8666, 8766, 8808, 8880, 8888, 8889, 9095, 9090, 9123, 9124, 9999,45450
Enable Peering
This topic is for appliance installation using an ESM license that includes peering.
By default appliances ship with port 9000 disabled. Peering requires this port. For peering to work on
an appliance, enable port 9000 using the following commands:
[root@rhel7 ~]# firewall-cmd --zone=public --add-port=9000/tcp --permanent
[root@rhel7 ~]# firewall-cmd --reload
Use this command to check that port 9000 is enabled:
[root@rhel7 ~]# iptables-save | grep 9000
You should get response similar to this:
-A IN_public_allow -p tcp -m tcp --dport 9000 -m conntrack --ctstate NEW -j
ACCEPT
Note that peering works between ESMManagers that use the same IP version. However, if an
ESMManager is on a dual-stack machine, refer to the ArcSight Command Center User's Guide for
details. See "Peers" in the section on "Administration Configuration."
Running ESM on an Encrypted Appliance
ESM can be run on encrypted hardware to help you to meet compliance regulations and privacy
challenges by securing your sensitive data at rest. This includes systems using the HighAvailability
Module; the HA functionality is exactly the same.
You can encrypt your G9 ESM Express appliance (such as B7600 or E7600) by using Secure
Encryption, available from the Server Management Software > Secure Encryption web page. For
instructions, refer to the Secure Encryption Installation and User Guide, available in PDFand CHM
formats through the Technical Support > Manuals link on that page.
G9 Appliances are encryption-capable. They come pre-installed with everything necessary for you to
encrypt them using Secure Encryption. You can encrypt your hardware before or after ESM is installed.
If HA is already installed, encrypt the secondary first, so you only have to failover once.
The length of time encryption takes depends on the amount of data on the server being encrypted. In
our testing, a Gen 9 appliance with 7.5 TBof stored data took about 72 hours to encrypt. You can
ESM Installation Guide
Chapter 2: Installing on an Appliance
HPE ESM 7.0 Page 22 of 115
continue using ESM while the encryption runs. You may notice some performance degradation after
encrypting your ESM appliance.
Caution:After encryption, you cannot restore your ESM to its previously unencrypted state.
Configuring the Appliance for Out-of-Band Remote
Access
Configure the appliance for out-of-band remote access so that Customer Support can access and
troubleshoot the appliance if it becomes unresponsive. All appliance models are equipped with the
Integrated Lights-Out (iLO) advanced remote management card. Visit
https://www.hpe.com/us/en/servers/integrated-lights-out-ilo.html for detailed information and
documentation.
ESM Installation Guide
Chapter 2: Installing on an Appliance
HPE ESM 7.0 Page 23 of 115
Chapter 3: Installing Software ESM
We recommend that you read the ESM Release Notes before you begin installing ESM.
If you are installing ESMExpress, which is on an appliance, go to "Installing on an Appliance" on page14.
If you are going to use the ESMHigh Availability Module with ESMand this is a new ESMinstallation,
install the HAModule first. Refer to the ESM
High Availability Module Guide for instructions. Note that
you must install ESM after HA has completed disk synchronization. Attempting to install ESM while HA
synchronization is in process can cause the ESM installation to fail.
ESM is sensitive to the operating system and version. To ensure proper operation, this installer only
allows installation on the specific operating systems and versions listed in the ArcSight ESM Support
Matrix, which is available for download on Protect 724.
Securing Your ESM System
Use the information in the following sections to protect your ArcSight components.
Protecting ArcSight Manager
Do not use demo SSL certificates in production. Make sure when switching that you remove the demo
CA from cacerts on all SmartConnectors and ArcSight Consoles.
Closely control access to files, using the principle of least privilege, which states that a user should be
given only those privileges that the user needs to complete his or her tasks. The following files are
particularly sensitive:
Note: <ARCSIGHT_HOME> is the root directory for a component. For example for the Manager
component, <ARCSIGHT_HOME> is: /opt/arcsight/manager.
l<ARCSIGHT_HOME>/config/jetty/keystore (to prevent the ArcSight Manager private key from
being stolen)
l<ARCSIGHT_HOME>/config/jetty/truststore (with SSL Client authentication only, to prevent
injection of new trusted CAs)
l<ARCSIGHT_HOME>/config/server.properties (has database passwords)
l<ARCSIGHT_HOME>/config/esm.properties (has cluster configuration properties and SSL
properties common to persistor, correlator, and aggregator services on the node) This properties file
is present on each node in a distributed correlation cluster.
l<ARCSIGHT_HOME>/config/jaas.config (with RADIUS or SecurID enabled only, has shared
HPE ESM 7.0 Page 24 of 115
node secret)
l<ARCSIGHT_HOME>/config/client.properties (with SSL Client authentication only, has
keystore passwords)
l<ARCSIGHT_HOME>/reports/sree.properties (to protect the report license)
l<ARCSIGHT_HOME>/reports/archive/* (to prevent archived reports from being stolen)
l<ARCSIGHT_HOME>/jre/lib/security/cacerts (to prevent injection of new trusted CAs)
l<ARCSIGHT_HOME>/lib/* (to prevent injection of malicious code)
l<ARCSIGHT_HOME>/rules/classes/* (to prevent code injection)
If you are installing ESM on your own hardware (as opposed to an appliance), use a host-based firewall.
On the ArcSight Manager, block everything except for the following ports. Make sure you restrict the
remote IP addresses that may connect to those that actually need to talk.
Port Flow Description
22/TCP Inbound SSH log in (Unix only)
53/UDP Inbound/Outbound DNS requests and responses
8443/TCP Inbound SmartConnectors and Consoles
25/TCP Outbound SMTP to mail server
110/TCP Outbound POP3 to mail server, if applicable
143/TCP Outbound IMAP to mail server, if applicable
1645/UDP Inbound/Outbound RADIUS, if applicable
1812/UDP Inbound/Outbound RADIUS, if applicable
389/TCP Outbound LDAP to LDAP server, if applicable
636/TCP Outbound LDAP over SSL to LDAP server, if applicable
Applies to IPv4 only:
As another layer of defense (or if no host-based firewall is available), you can restrict which connections
are accepted by the ArcSight Manager using the following properties in the server.properties file:
xmlrpc.accept.ips=
agents.accept.ips=
Each of these properties takes a list of IP addresses or subnet specifications, separated by commas or
spaces. Once specified, only connections originating from those addresses are accepted.
lThe xmlrpc.accept.ips property restricts access for ArcSight Consoles.
lThe agents.accept.ips property restricts access for SmartConnectors. For registration, the
SmartConnectors need to be in xmlrpc.accept.ips as well, so that they can be registered. (Being
"registered"does not mean you can then remove them.)
ESM Installation Guide
Chapter 3: Installing Software ESM
HPE ESM 7.0 Page 25 of 115
The format for specifying subnets is quite flexible, as shown in the following example:
xmlrpc.accept.ips=192.0.2.0 192.0.2.5
agents.accept.ips=10.*.*.*,192.0.0.0-192.0.255.255
Built-In Security
ESM user accounts have user types that control the functions which users can access in the ArcSight
Manager. The "Normal User" type has the most privileges. Where possible, use more restrictive types,
such as "Manager SmartConnector," "Management Tool," or "Archive Utility" for automated user
accounts. This is particularly important when user passwords must be stored in scripts for unattended
execution.
Apply the principle of least privilege when creating user accounts in ESM and when granting access to
resources or events. Users should not have more privileges than their tasks require.
By default, the minimum length for passwords is six characters and the maximum length is 20
characters. For information on password restrictions see the Administrator's Guide, chapter 2.
"Configuration," "Managing Password Configuration," "Password Character Sets."
Physical Security for the Hardware
In addition to establishing security policies for passwords, keystores, and other software facilities, it is
important to provide physical security for the hardware used by the ESM system. Physical hardware
includes computers running ArcSight Console, and SmartConnector software, as well as the network
which connects them.
Physical access to computers running ArcSight software must be restricted.
lUse the locking mechanisms provided by most rack-mount cases to prevent malicious/accidental
tampering with the machine
lUse locks on disk drive enclosures
lUse redundant power and uninterruptible power supplies (UPS)
lProtect the BIOS (x86 systems only) or firmware:
oDisable all CD-ROM drives for booting so that the system can only be booted from the hard disk
oDisable COM, parallel, and USB ports so that they cannot be used to extract data
oDisable power management
Operating System Security
lOn Linux, set up a boot loader password to prevent unauthorized people from booting into single
user mode (see the iLO or GRUB documentation for details).
lOn Linux, disable reboot by Ctrl-Alt-Del in /etc/inittab. Comment out the line that refers to
ESM Installation Guide
Chapter 3: Installing Software ESM
HPE ESM 7.0 Page 26 of 115
“ctrlaltdel.
lSet up a screen saver that prompts for a password with a moderately short delay (such as five
minutes).
lDisable power management in the OS.
lWhen installing the OS, select packages individually. Only install what you know will be needed. You
can always install missing packages as you encounter them.
lRun automated update tools to obtain all security fixes. Use up2date on Red Hat Linux (may
require Red Hat Network subscription).
lUninstall (or at least turn off) all services that you do not need. In particular: finger, r-services, telnet,
ftp, httpd, linuxconf (on Linux), Remote Administration Services and IIS Services on Windows.
lOn Unix machines, disallow remote root logins (for OpenSSH, this can be done using the
PermitRootLogin no directive in /etc/ssh/sshd_config). This will force remote users to log in
as a non-root user and su to root, thus requiring knowledge of two passwords to gain root access to
the system. Restrict access to su, using a “wheel group” pluggable authentication module (PAM) so
that only one non-root user on the machine can su to root. Make that user different from the
arcsight user. That way, even if the root password is known and an attacker gains access through
ESM in some way, they won't be able to log in as root.
lRename the Administrator/root account to make brute force attacks more difficult to perform.
General Guidelines and Policies about Security
Educate system users about “social engineering” tricks used to discover user account information. No
employee of HPE will ever request a user’s password. When HPE representatives are on site, the
administrator of the system will be asked to enter the password and, if needed, to temporarily change
the password for the HPE team to work effectively.
Educate users to use secure means of communication (such as SSL to upload or PGP for e-mail) when
transferring configuration information or log files to HPE.
Set up a login banner stating the legal policies for use of the system and the consequences of misuse.
(Instructions for creating a login banner vary by platform.) ArcSight Consoles can also display a custom
login banner. See the ESM Administrator's Guide or Contact Customer Support for more information.
Choose secure passwords. (No password used in two places, seemingly random character sequences,
eight characters or longer, containing numbers and special (non-letter) characters). For information on
password restrictions see the Administrator's Guide, chapter 2. "Configuration," "Managing Password
Configuration."
Passwords are used in the following places—if any one is breached, the system is compromised:
lAll database accounts (arcsight)
lThe “arcsight” user and root user on the system that runs the ArcSight Manager
lAll users created in ESM
ESM Installation Guide
Chapter 3: Installing Software ESM
HPE ESM 7.0 Page 27 of 115
lThe SSL keystores
lThe boot loader (Linux)
lThe BIOS (x86 systems only)
lThe RADIUS node secret
lThe LDAP password for ArcSight Manager (with basic authentication only), where applicable
lThe Active Directory domain user password for ArcSight Manager, where applicable
Consider purchasing and using a PKI solution to enable SSL client authentication on Consoles and
SmartConnectors.
Consider purchasing and using a two-factor authentication solution such as RSA SecurID.
Make sure that all the servers with which ESM interacts (DNS, Mail, RADIUS, etc.) are hardened
equivalently.
Use a firewall and intrusion detection systems to secure the network that the ArcSight Manager CORR_
Engine use.
Preparing to Install
Before you run the Software ESM installation file, you must prepare your system.
System Requirements
The hardware requirements for ESM 7.0 are as follows:
Minimum Mid-Range High Performance
Processors 8 cores (16 preferred) 32 cores 40 cores
Memory 48 GB RAM (64 preferred) 192 GB RAM 512 GB RAM
Hard Disk Six 600 GB disks (1.5 TB)
(RAID 10)
10,000 RPM
20 1 TB disks (10 TB)
(RAID 10)
15,000 RPM
12 TB
(RAID 10)
Solid state
Caution: The "Minimum" values apply to systems running base system content at low EPS (typical
in lab environments). It should not be used for systems running high number of customer-created
resources, or for systems that need to handle high event rates. Use the "Mid Range" or "High
Performance" specifications for production environments that handle a sizable EPS load with
additional content and user activity.
ESM Installation Guide
Chapter 3: Installing Software ESM
HPE ESM 7.0 Page 28 of 115
Using Pattern Discovery or large numbers of Assets and Actors puts additional load on the system
that can reduce the search and event processing performance. For further assistance in sizing your
ESM installation, contact your Sales or Field Representative.
If you anticipate that you will have large lists, ensure that your system meets the Mid-Range
requirements or better.
Manager Hostname Resolution
Before ESM installation, make sure that the host machine's hostname is resolvable, otherwise, Manager
setup will not complete successfully. Use ping to verify the hostname, and fix any issues to avoid errors
during Manager setup.
Mapping 127.0.0.1 to localhost
Make sure that the IP address 127.0.0.1 is resolved to localhost in the /etc/hosts file, otherwise,
the ESM installation will fail. This applies to IPv4 and IPv6 systems.
Monitor Requirement
For displaying the ArcSight Command Center, use a monitor that has a width of at least 1450 pixels.
This is the minimum width needed to display all of the top-menu items without cutting any of them off.
This minimum width also applies on a larger monitor when reducing the size of the browser window.
Supported Platforms
ESM 7.0 is supported on 64-bit Red Hat Enterprise Linux and CentOS. See the ArcSight ESM Support
Matrix for the supported version numbers. Install them using at least the "Web Server" option with
added "Compatibility Libraries" and "Development Tools" at the time of installation. ESM is sensitive to
the operating system and version.
Note:
lTo install the product in GUImode, install the X Windows system package. X Window is entirely
optional. If you use it, use xorg-x11-server-utils-7.5-13.el6.x86_64 or a later version
for RHEL or CentOS. If you do not use X Window, you can install ESMin console mode.
lThe XFS and EXT4 file system formats are supported during installation.
lESM configures itself to the file system upon which it is first installed; you therefore cannot
change the file system type after installation, even during an upgrade.
lWhen you install RHEL or CentOS, the installation offers you certain options. Be sure to choose
the Web Server,Compatibility Libraries, and the Development Tools options.
ESM Installation Guide
Chapter 3: Installing Software ESM
HPE ESM 7.0 Page 29 of 115
Download the Installation Package
The ESM7.0 installation package is available for download from at
https://softwaresupport.softwaregrp.com/. Download the ArcSightESMSuite-7.0.0.xxxx.0.tar
file and copy it on to the system where you will be installing ESM. The xxxx in the file name stands for
the build number.
HPE provides a digital public key to enable you to verify that the signed software you received is indeed
from HPE and has not been manipulated in any way by a third party.
Visit the following site for information and instructions:
https://h20392.www2.hpe.com/portal/swdepot/displayProductInfo.do?productNumber=HPLinuxCod
eSigning
After you download the .tar file from the software download site, initiate license procurement by
following the instructions in the Electronic Delivery Receipt you receive in an email after placing the
order.
ESM Installation Guide
Chapter 3: Installing Software ESM
HPE ESM 7.0 Page 30 of 115
Prepare the System
1. Verify that the zip and unzip packages are installed on the server. These packages are required in
order for the installation to function properly.
For RHEL and CentOS 6.9:
lunzip-6.0-5.el6.x86_64
lzip-3.0-1.el6_7.1.x86_64
For RHEL and CentOS 7.3:
lzip-3.0-11.el7.x86_64
lunzip-6.0-16.el7.x86_64
2. Log in as user root.
3.
Run the following command to untar the file:
tar xvf ArcSightESMSuite-7.0.0.xxxx.0.tar
When you untar the ArcSightESMSuite-7.0.0.xxxx.0.tar file, It places the prepare_
system.sh script in a sub-directory called Tools in the location where you untarred the file.
4. Run prepare_system.sh
5. Change ownership of all the files and folders that were extracted from the tar file to be owned by
user arcsight.
6. Reboot the system.
7. Verify that it ran correctly. Log in as user root and run:
ulimit -a
Check for the following two lines:
open files 65536
max user processes 10240
Keep these TCP Ports Open
For Software ESM, before installation, open the following ports on your system, if not already open,
and ensure that no other process is using them.
Ports for external incoming connections:
8443/tcp
9000/tcp
694/udp (for HA)
7789/tcp (for HA)
22/tcp (ssh)
TCP ports used internally for inter-component communication:
ESM Installation Guide
Chapter 3: Installing Software ESM
HPE ESM 7.0 Page 31 of 115
1976, 28001, 2812, 3306, 5555, 6005, 6009, 7777, 7778, 7779, 7780, 8005, 8009, 8080, 8088, 8089,
8666, 8766, 8808, 8880, 8888, 8889, 9000, 9095, 9090, 9123, 9124, 9999, 45450
Some ports are used in a distributed correlation environment. The ports 3179, 3180, and 3181 are used
by the information repository. Also, there are port ranges reserved for use by cluster services. Ports in
these reserved ranges must not be used by other processes. See "Dynamic Ports in the Distributed
Correlation Environment" in the ESM Administrator's Guide for details on these reserved port ranges.
Install the Time Zone Package
ESM uses the time zone update package in order to automatically handle changes in time zone or
changes between standard and daylight savings time. During installation, ESM checks to see if the
appropriate operating system time zone package is installed. If it is not, you have the option of exiting
the installer to install the latest operating system timezone update or continuing the ESM installation
and skipping the timezone update for ESM components. We recommend installing the time zone
update package.
For RHEL 7.3 and CentOS 7.3 use tzdata-2017c-1.el7.noarch.rpm, or a later version of the rpm
package.
On RHELor CentOS 7.3
To install it on RHELor CentOS 7.3, as user root use the command:
rpm -Uvh <package>
Check the time zone setting with this command:
timedatectl
If the time zone is not set or is not the desired time zone, specify another time zone by using:
timedatectl set-timezone <time_zone>
for example:
timedatectl set-timezone America/Los_Angeles
On RHEL or CentOS 6.9
To install it on RHELor CentOS 6.9, as user root use the command:
rpm -Uvh <package>
Check to make sure that the /etc/localtime link is pointing to a valid time zone by running the
following command:
ls -altrh /etc/localtime
You should get a response similar to this (below), where <ZONE> is your time zone such as
America/Los_Angeles.
ESM Installation Guide
Chapter 3: Installing Software ESM
HPE ESM 7.0 Page 32 of 115
lrwxrwxrwx. 1 root root 39 Nov 27 08:28 /etc/localtime ->
/usr/share/zoneinfo/<ZONE>
Note:If the /etc/localtime link is not pointing to a valid time zone, the ESMinstallation stops. In this
case, you must manually set the link to a valid timezone.
If you do not install at this time...
If you complete the ESM installation without installing the required tzdata rpm package, you can still set
up the time zone update after completing the ESM installation. Use the following procedure after
ensuring that you have downloaded and installed the correct tzdata package and the link
/etc/localtime is set correctly. (Remember, this is for after the ESM installation is complete.):
1. As user arcsight, shut down all arcsight services. (This is important.) Run
/etc/init.d/arcsight_services stop all
2. As user arcsight, run the following command (this is one line):
/opt/arcsight/manager/bin/arcsight tzupdater /opt/arcsight /opt/arcs
ight/manager/lib/jre-tools/tzupdater
3. Start all arcsight services using this command.
/etc/init.d/arcsight_services start all
Add RemoveIPC=no to /etc/systemd/logind.conf - RHELand
CentOS 7.3 Only
If the preflight check fails, add or edit the value of the property RemoveIPC=no in the file
/etc/systemd/logind.conf.
To add the value:
1. As user root, edit the file /etc/systemd/logind.conf.
2. Search for RemoveIPC, and ensure there is only one instance of this property.
3. Edit the property if it exists (or add the property if it does not exist) to have the value no:
RemoveIPC=no
4. Run:
systemctl restart systemd-logind.service
Set Directory Sizes
Make sure that the partition in which your /tmp directory resides has at least 6 GB of space.
Make sure that the partition in which your /opt/arcsight directory resides has at least 100 GB of
space.
ESM Installation Guide
Chapter 3: Installing Software ESM
HPE ESM 7.0 Page 33 of 115
Sizing Guidelines for CORR-Engine
When installing ESM 7.0, the default CORR-Engine storage sizes are automatically calculated based on
your hardware according to the default values in the table below. These are the recommended sizing
guidelines. You can change any of the default storage sizes in the “CORR-Engine Configuration” panel
of the wizard, but when doing so, be sure that you take the minimum and maximum values into
consideration when changing storage sizes.
Note: Any events that are brought from an offline archive into the online archive count as part of
the total 12 TB (or license determined) storage limit. You do not want the online archives that you
bring back online to encompass the entire storage limit. Use discretion when bringing offline
archives online, and be sure to make them offline again when you are done working with them.
System Storage - non-event storage, for example, resources, trends, and lists
Event Storage - storage for events
Event Archive Size - archive of online events
Recommended Minimum Maximum
System
Storage
Size
The default is about one sixth of Usable Space, from at least 3 GB up to a
maximum of 1,500 GB. During installation, it is recommended that you
accept the default.
3 GB 1,500 GB
Event
Storage
Size
Specify about two thirds of the Usable Space shown during installation. 10 GB 12 TB
Event
Archive
Size
You may specify the remaining space after the System and Event storage
have been allocated.
1 GB Limit is
predicated on
your file system
size.
The system reserves 10 percent of the /opt/arcsight partition for its own use.
During installation, the system will show the size of the /opt/arcsight partition as Available Space,
and the size of that partition less 10 percent reserved space designated as Usable Space. The maximum
event storage volume size is calculated by the system using this formula:
Maximum Event Storage = /opt/arcsight partition x 0.9 - system storage -
event archives.
After installation, the allocated event storage space consists of a default storage group and an internal
storage group whose size is initially set by the installer. These storage groups do not fill the maximum
size of the event storage volume. You may expand the size of these storage groups or add up to four of
your own storage groups until the allocated size of the event storage reaches the maximum size of the
event storage volume. Use the ArcSight Command Center user interface to add or change the size of
storage groups.
ESM Installation Guide
Chapter 3: Installing Software ESM
HPE ESM 7.0 Page 34 of 115
In the ArcSight Command Center, select Administration > Storage and Archive to see and change
the storage allocations. Refer to the ArcSight Command Center User's Guide for details.
The following diagrams clarify the various terms used in the configuration wizard and in the ArcSight
Command Center user interface:
Export Language UTF File
Run the following command:
export LC_ALL=[language].UTF-8
...where [language] is one of these:
en_US (English)
zh_CN (Simplified Chinese)
zh_TW (Traditional Chinese)
ja_JP (Japanese)
fr_FR (French)
ESM Installation Guide
Chapter 3: Installing Software ESM
HPE ESM 7.0 Page 35 of 115
ko_KR (Korean)
ru_RU (Russian)
For example: export LC_ALL=en_US.UTF-8
Distributed Correlation Cluster Planning
Plan your cluster before you begin the installation described in "Using the Configuration Wizard - ESM
in Distributed Correlation Mode" on page46. A distributed correlation deployment includes the
persistor, information repository, correlators, aggregators, message bus data, message bus control, and
distributed cache. Ideally, the correlators and aggregators in the cluster will keep up with event flow on
your system.
You must balance system resources as you add these components (CPU and memory). You will want to
be somewhat generous in your cluster planning, and add more correlators and aggregators than you
think you need. Distributed correlation is most effective if configured over multiple physical systems to
ensure the fault tolerance benefit of the distributed correlation cluster deployment is fully realized. The
fault tolerance aspect of the distributed correlation cluster, as described in "Distributed Correlation
Concepts" in ESM 101.
Note: In the context of a distributed correlation implementation, ESMis the entire cluster. The
individual cluster nodes are part of the fuller implementation, and do not function independently.
The systems that are the cluster nodes should be dedicated to use in the cluster only, and not used
to run other applications. Keep this in mind when you plan your cluster.
Hierarchical Implementations and Cluster Planning
If you have been using a hierarchical implementation of ESM in order to get higher performance, then
you might consider implementing a distributed correlation cluster to increase your EPS. You can convert
your upgraded system to a cluster implementation, repurposing the systems that were part of your
hierarchical implementation, and adding more as needed. If you use a hierarchical implementation of
ESM to gain benefits other than higher performance, such as combining feeds from various
geographical areas, then a cluster implementation is not the favored solution for your situation.
Cluster Requirements
All nodes in a distributed correlation cluster must:
lHave the same operating system version
lBe in the same time zone
lIf FIPS, be in the same FIPS mode
lUse the same IP protocol (IPv4 or IPv6). Dual stack machines are supported, but all ESM IP
addresses on all nodes of a cluster must be either IPv4 or IPv6.
ESM Installation Guide
Chapter 3: Installing Software ESM
HPE ESM 7.0 Page 36 of 115
Note: We recommend 32 GB as the minimum heap memory size for the manager service on the
persistor node in a cluster if you expect heavy use (>30,000 EPS, large numbers of rules and data
monitors, and large active lists and session lists).
Recommended Cluster Configurations
Depending on your system resources, you can set multiple nodes on multiple machines. Below are
recommended cluster configurations.
Note concerning adding correlators and aggregators to your cluster: The number of
correlators and aggregators you configure in your cluster will depend on the settings in your ESM
implementation. For example, if you have complex filters and rule conditions, you might need more
correlators. If you have a large number of data monitors or use complex join rules, you might need
more aggregators. Lags shown in the Cluster View dashboard in the ArcSight Command Center can
indicate that you need to add more correlators or aggregators, depending on the type of lag shown
in the dashboard.
Small Configuration (Good)
The small configuration consists of three nodes on three systems, distributed as listed below and with
the following recommended resources:
Hardware Requirements
The persistor node hardware:
lat least 128 GB RAM
lat least 8 TB disk
lat least 16 cores
lat least 1 Gbit network
Other nodes hardware:
lat least 128 GB RAM
lat least 2 TB disk
lat least 16 cores
lat least 1 Gbit network
Software Requirements
lNode 1:
opersistor with a built-in distributed cache
Note:Adding standalone distributed cache instances can reduce persistor memory usage. You
might need to add at least two additional (standalone) distributed cache instances when
ESM Installation Guide
Chapter 3: Installing Software ESM
HPE ESM 7.0 Page 37 of 115
persistor memory usage is excessive. This means adding at least two instances of distributed
cache in addition to the built-in distributed cached that is included during installation.
oone message bus control
oone information repository
lNode 2:
oone correlator
Note: Two correlators are recommended if the number of cores is 24 or greater, and the
network is 10 Gbit or greater.
oone aggregator
oone message bus control
oone message bus data
oone information repository
lNode 3:
oone correlator
Note: Two correlators are recommended if the number of cores is 24 or greater, and the
network is 10 Gbit or greater.
oone aggregator
oone message bus control
oone message bus data
oone information repository
Medium Configuration (Better)
The medium configuration consists of four nodes on four systems, distributed as listed below and with
the following recommended resources:
Hardware Requirements
The persistor node hardware:
lat least 192 GB RAM
lat least 8 TB disk
lat least 24 cores
lat least 10 Gbit network
Other nodes hardware:
ESM Installation Guide
Chapter 3: Installing Software ESM
HPE ESM 7.0 Page 38 of 115
lat least 128 GB RAM
lat least 6 TB disk
lat least 24 cores
lat least 10 Gbit network
Software Requirements
lNode 1:
opersistor with a built-in distributed cache
oone information repository
lNode 2:
oone correlator
Note: Two correlators are recommended if the number of cores is 32 or greater.
oone aggregator
oone distributed cache
oone message bus control
oone message bus data
lNode 3:
otwo correlators
Note: Three correlators are recommended if the number of cores is 32 or greater.
oone message bus control
oone message bus data
oone information repository
lNode 4:
otwo aggregators
Note: One correlator and two aggregators are recommended if the number of cores is 32 or
greater.
oone distributed cache
oone message bus control
oone message bus data
oone information repository
ESM Installation Guide
Chapter 3: Installing Software ESM
HPE ESM 7.0 Page 39 of 115
Large Configuration (Best)
The large configuration consists of five (or more) nodes on five (or more) systems, distributed as listed
below and with the following recommended resources:
Hardware Requirements
The persistor node hardware:
lat least 256 GB RAM
lat least 8 TB disk
lat least 32 cores
lat least 10 Gbit network
Other nodes hardware:
lat least 256 GB RAM
lat least 8 TB disk
lat least 32 cores
lat least 10 Gbit network
Software Requirements
lNode 1:
opersistor with a built-in distributed cache
oone information repository
lNode 2:
otwo correlators
otwo aggregators
oone distributed cache
oone message bus control
oone message bus data
lNode 3:
otwo correlators
oone aggregator
oone message bus control
oone message bus data
oone information repository
lNode 4:
otwo correlators
oone aggregator
ESM Installation Guide
Chapter 3: Installing Software ESM
HPE ESM 7.0 Page 40 of 115
oone distributed cache
oone message bus control
oone message bus data
oone information repository
lNode 5+:
oone distributed cache
oone message bus data
otwo correlators
o1 aggregator
Starting the Installer
Start the installation while logged in as user arcsight.
If not already granted, give the ArcSightESMSuite.bin file the execute permission. To do so, enter:
chmod +x ArcSightESMSuite.bin
Run the installation file as follows:
./ArcSightESMSuite.bin -i console
(or ./ArcSightESMSuite.bin, for GUI mode, if you are using X Window.)
The installation begins.
Note:
lTo run in GUImode, X Window must be running. If it is not, the installer automatically runs in
Console mode. GUImode is entirely optional.
lTo run in Console mode, make sure X Windows is not running. GUI mode requests the same
information as console mode and is not documented separately.
lThe log files for this installation appear in the /home/arcsight directory.
The next topic picks up after the installer has started.
Running the Installation File
The following steps describe the ESMinstaller.
1. Read the Introduction message and press Enter.
2. On the License Agreement panel, press Enter to page through the agreement. In GUImode, the “I
accept the terms of the License Agreement” check box is disabled until you scroll to the bottom of
ESM Installation Guide
Chapter 3: Installing Software ESM
HPE ESM 7.0 Page 41 of 115
the agreement text. If you accept the License Agreement, type yand press Enter.
3. Read the Special Notice and press Enter.
4. Under Choose Link Folder, enter the number for the location where you would like the installer to
place the links for this installation and press Enter.
5. Review the Pre-Installation Summary. Press Enter to continue.
Under Installing a progress bar appears.
The Suite Installer installs each component.
lIn Console mode, after the components are installed it says Installation Complete. Press Enter to
exit the installer. Go to the next topic, "Starting the Configuration Wizard In Console Mode" below.
lIn GUImode, after the components are installed, the Configuration Wizard GUI opens automatically.
Go to "Using the Configuration Wizard - ESM in Compact Mode" below or "Using the Configuration
Wizard - ESM in Distributed Correlation Mode" on page46 for details on configuring ESM.
Note: In GUImode, if you get a dialog box reporting an error or problem and the action button
says Quit, use the Quit button. If you use the Xin the upper right corner of the dialog, the
process does not quit, but cannot complete successfully with the reported error.
Starting the Configuration Wizard In Console Mode
If you are installing software ESM in GUI mode or installing ESMExpress, the configuration wizard
starts automatically and you can skip this step during initial installation.
When installing software ESM in console mode (from the command line), the installation stops at this
point when the Suite Installer is done, but it does not automatically continue with the configuration
wizard. You start the configuration wizard manually by issuing the following command:
/opt/arcsight/manager/bin/arcsight firstbootsetup -boxster -soft -i console
Using the Configuration Wizard - ESM in Compact Mode
This section contains instructions to install ESM in compact mode. To install ESM in distributed
correlation mode (using a cluster implementation) see "Using the Configuration Wizard - ESM in
Distributed Correlation Mode" on page46.
For Software ESM in console mode, you start the configuration wizard manually using the following
command:
/opt/arcsight/manager/bin/arcsight firstbootsetup -boxster -soft -i console
1. Read the Welcome message. If the license file is accessible, type yes to continue.
2. Under Language Options, select the language for interface displays. Press Enter to continue.
3. Under Installation Mode, type 0to install ESMin Compact mode.
ESM Installation Guide
Chapter 3: Installing Software ESM
HPE ESM 7.0 Page 42 of 115
4. Under CORR-Engine Password, press Enter to continue with obfuscated passwords or type no
and Enter to allow them to show on screen.
5. Under CORR-Engine Password, set a password for the CORR-Engine and reenter it for the
Password confirmation. Press Enter. For information on password restrictions, see the
ESMAdministrator's Guide section “Managing Password Configuration” in the chapter
“Configuration.
6. Under CORR-Engine Configuration, enter the CORR-Engine storage allocation information and
press Enter.
System Storage Size - the size of the storage space set aside to store resources
Event Storage Size - the size of the storage space set aside to store events
Online Event Archive Size - the maximum number of gigabytes of disk space for event archives.
This only applies to the online event archive.
Retention Period - the amount of time that you want to retain the events before they are purged
from the system
7. Under Notification Emails, specify the following email addresses:
Error Notification Recipient: Specify one email address for the email account to receive email
notifications if the Manager goes down or encounters some other problem. If you need to specify
more email addresses, the Manager Configuration Wizard allows that, as described in the "Running
the Manager Configuration Wizard" section of the ESM Administrator's Guide.
From email address: The email address used for the notifications sender.
If the values are correct, type yes and Enter to continue. Emails are sent when the system detects
the following occurrences:
lThe subsystem status is changed. The email shows the change and who did it.
lThe report has been successfully archived.
lThe account password has been reset.
lThe Archive report generation fails.
lThere is too many notifications received by a destination.
lThe event archive location has reached the cap space. It will ask you to free up some space by
moving the event archives to some other place.
lThe user elects to email the ArcSight Console settings.
lThe user sends partition archival command.
lAn archive fails because there is not enough space.
lThe Connection to the database failed.
8. For the License File, enter the path and file name of the license file you downloaded and press
Enter.
ESM Installation Guide
Chapter 3: Installing Software ESM
HPE ESM 7.0 Page 43 of 115
9. Under Select the Product Mode, select whether you want to install in default mode or FIPS mode.
Press Enter to continue.
Caution:
lIf you choose to install the product in FIPS mode, be sure to install the Console in FIPS
mode too. Refer to "Installing ArcSight Console in FIPS Mode" on page96 for instructions
on installing the Console in FIPS mode.
lOnce you have configured the software in FIPS mode, you will not be able to convert it to
default mode without reinstalling it.
lConverting from default mode installation to FIPS-140-2 mode is supported. If you need to
do so at any time, refer to the Administrator’s Guide for instructions.
lBy default, ESM uses a self-signed certificate. If you would like to use a CA-signed
certificate, you will have to import the CA-signed certificate manually after the
configuration wizard completes successfully. Refer to the Administrator’s Guide for ESM for
details on using a CA-signed certificate.
10. If you selected FIPS mode, confirm your selection. if not, skip to the Manager Information step.
11. If you selected FIPS mode on the Select the Cipher Suite Options panel. select the cipher suite.
Suite B defines two security levels of 128 and 192 bits. The two security levels are based on the
Advanced Encryption Standard (AES) key size that is used instead of the overall security provided
by Suite B. At the 128-bit security level, the 128 bit AES key size is used. However, at the 192-bit
security level, a 256 bit AES key size is used. Although a larger key size means more security, it also
means computational cost in time and resource (CPU) consumption. In most scenarios, the 128-bit
key size is sufficient.
12. Under Manager Information, enter the Manager’s hostname, set the user ID and password for the
admin user, and press Enter.
Caution:
lThe Manager host name is the IP address (for IPv4 only), or fully-qualified domain name of
the machine where the Manager is installed. This name is what all clients (for example,
ArcSight Console) specify to connect to the Manager. Using a fully-qualified domain name
instead of an IP address is recommended for flexibility.
lThe IP Version selection (IPv4 or IPv6) appears if you have a dual-stack machine, such as
an appliance. If you see this option, your selection has the following effects:
lIt controls what IP Address is used by third party software if a hostname is given. for
example, the e-mail server in Manager Setup.
lIt controls which IP Address is tried on the peering page if a hostname is specified.
lIt controls whether an IPv4 or IPv6 Address is chosen for the manager asset.
ESM Installation Guide
Chapter 3: Installing Software ESM
HPE ESM 7.0 Page 44 of 115
lThere might be more than one host name, and the default might not be the same as the one
returned by the hostname command. If you are using the High Availability Module, use the
Service hostname that is common to both servers (primary and secondary) as the Manager
IP, or hostname. Otherwise, pick one which you would expect to work, and would be
convenient for configuring connectors, consoles, and other clients. Note that it is always
best to use a fully qualified domain name.
lIf you do not want the hostname on your DNSserver, add a static host entry to the
/etc/hosts file to resolve the host name locally.
lThe Manager hostname is used to generate a self-signed certificate. The Common Name
(CN) in the certificate is the Manager host name that you specify in this screen.
lAlthough the Manager uses a self-signed certificate by default, you can switch to using a
CA-signed certificate if needed. You can do this after installation. Refer to the
ESM
Administrator’s Guide for instructions.
13. Select whether to set up connection to the Event Broker (if Event Broker is part of your
implementation of ESM). If you need to set up the Event Broker in FIPS mode, see "Configure
Event Broker Access - FIPS Mode (Server Authentication Only) (Optional)" on page99 .
If client authentication is enabled on the Event Broker, see either "Setting Up SSL Client-Side
Authentication Between Event Broker and ESM - Non-FIPS Mode" on page60 or "Setting Up SSL
Client-Side Authentication Between Event Broker and ESM - FIPS Mode" on page102.
Select Yes to set up the connection; select No to continue. If you select Yes, specify:
a. Host: Port(s): Enter the host and port information for the nodes in the Event Broker. Include
the host (hostname or IP address) and port information of all the nodes in a multiple node
environment not just the Master node. This is a comma-separated list, for example:
<host>:<port>,<host>:<port>. Note that Event Broker can only accept IPV4 connections from
ESM.
b. Topic to read from: Specify the topic in the Event Broker you want to read from. This will
determine the data source. See the chapter "Managing Event Broker Topics", in the Event
Broker Administrator's Guide.
c. Path to the Event Broker root cert: ESM communicates with the Event Broker through TLS.
To enable this, you must import the Event Broker's root certificate into ESM's client truststore.
Copy over the Event Broker root certificate from the Event Broker machine in this location:
/opt/arcsight/kubernetes/ssl/ca.crt to a local folder on the ESM machine. After you
enter the path to the certificate, and click Next, the Event Broker's root certificate is imported
into ESM's client truststore and the connection to the Event Broker is validated. If there are any
issues, you will receive an error or warning message. If no message displays and you advance to
the next screen in the wizard, that indicates that the connection between the Event Broker and
ESM is successfully validated.
14. Select whether to set up ArcSight Investigate. Select Yes to enable the integration; select No to
continue. If you select Yes, specify the Search URL for the ArcSight Investigate deployment.
ESM Installation Guide
Chapter 3: Installing Software ESM
HPE ESM 7.0 Page 45 of 115
15. Select whether to integrate with ServiceNo IT Service Management (ITSM) application. Select
Yes to enable the integration; select No to continue. If you select Yes, specify the ServiceNow
URL and the optional ServiceNow Proxy URL.
16. Under Packages Panel press Enter to continue. Otherwise, select the optional packages that you
are licensed to use. In addition to these optional packages, there are default standard content
packages that are installed automatically on the ArcSight Manager. These default packages
provide essential system health and status operations, and you can use them immediately to
monitor and protect your network.
For more information about packages, see the ArcSight Administration and ArcSight System
Standard Content Guide.
17. Under About to Configure ESM.
Caution: Once you type yes and press Enter, the product is installed as specified.
18. When the configuration says Configuration Completed Successfully, type yes and then Enter to
exit.
19. Log in as user root and run the following script to set up and start the required services:
/opt/arcsight/manager/bin/setup_services.sh
20. After you have completed the installation, check the location and size of your storage volumes and
make any necessary changes. You can do this in the ArcSight Command Center. Refer to the
ArcSight Command Center User's Guide, the "Administration" chapter under "Storage and Archive
section for details regarding your storage volumes.
You can rerun the wizard manually only if you exit it at any point before you reach the first
configuration screen called “About to Configure ESM v7.0”. See "Rerunning the ESM
Configuration Wizard" on page57 for details.
Using the Configuration Wizard - ESM in Distributed
Correlation Mode
This section contains instructions to install ESM in distributed correlation mode. To install ESM in
compact mode see "Using the Configuration Wizard - ESM in Compact Mode" on page42.
Distributed correlation allows you to use distributed resources as services to run on several systems
(nodes) in a software cluster that you install, configure, and manage. You must plan the cluster before
you begin installation in distributed correlation mode. See "Distributed Correlation Cluster Planning" on
page36 for details. This is an important task and you want to get as much of it right the first time as you
can. For details on cluster configuration and management post-installation, see "Configuring and
Managing a Distributed Correlation", in the ESM
Administrator's Guide.
When you install ESM in distributed correlation mode, you must first install the persistor node (which is
by default the first node installed); see "Persistor Node Installation" on the next page. After that, you
ESM Installation Guide
Chapter 3: Installing Software ESM
HPE ESM 7.0 Page 46 of 115
install the other cluster nodes as needed (see "Add Nodes to a Cluster - Further Node Installation" on
page52), and then perform post-cluster creation configuration tasks (see "Post Cluster Creation
Configuration " on page53).
Do not attempt simultaneous installations of cluster nodes. You must complete the installation of the
persistor node and then add each additional node separately, one at a time.
Note: Distributed correlation mode is not available on an appliance.
Persistor Node Installation
Note: If you have a High Availability (HA) implementation, note that HA is supported only on the
persistor node in the distributed correlation cluster. HA is not supported on any non-persistor node
in a distributed correlation cluster.
For Software ESM in console mode, you start the configuration wizard manually using the following
command:
/opt/arcsight/manager/bin/arcsight firstbootsetup -boxster -soft -i console
1. Read the Welcome message. If the license file is accessible, type yes to continue.
2. Under Language Options, select the language for interface displays. Press Enter to continue.
3. Under Installation Mode, type 1to install ESM in Distributed mode.
4. Under Cluster Setup:Are you starting a new cluster or adding to an existing one, type 0to
start a new cluster. Starting a new cluster creates the first node in a cluster. This node is the
persistor node and contains a built-in distributed cache and the information repository.
5. Under ESM server ports:Enter low and high values of ESM server ports, the default values
are:
lLowest ESM server port: 10000
lHighest ESM server port:10100
You must specify a range of available ports for your cluster. This range of ports is made available
for dynamic assignment to services (aggregator and correlator, message bus data and message bus
control, and distributed cache) as they are added to a cluster. The lowest value can be 1024 and the
highest value 32767. The difference between the lowest value and the highest value specified must
be at least 100.
6. Under Certificate Administrator Master Password, press Enter to continue with obfuscated
passwords or type no and Enter to allow them to show on screen.
7. Under Certificate Administrator Master Password, set a password for the certificate
administration and reenter it for the Password confirmation. Press Enter. For information on
password restrictions, see the ESM
Administrator's Guide section “Managing Password
Configuration”. Be sure to save this password in a safe place outside of ESM.
ESM Installation Guide
Chapter 3: Installing Software ESM
HPE ESM 7.0 Page 47 of 115
8. Under CORR-Engine Password, press Enter to continue with obfuscated passwords or type no
and Enter to allow them to show on screen.
9. Under CORR-Engine Password, set a password for the CORR-Engine and reenter it for the
Password confirmation. Press Enter. For information on password restrictions, see the
ESMAdministrator's Guide section “Managing Password Configuration” in the chapter
“Configuration.
10. Under CORR-Engine Configuration, enter the CORR-Engine storage allocation information and
press Enter.
System Storage Size - the size of the storage space set aside to store resources
Event Storage Size - the size of the storage space set aside to store events
Online Event Archive Size - the maximum number of gigabytes of disk space for event archives.
This only applies to the online event archive.
Retention Period - the amount of time that you want to retain the events before they are purged
from the system
11. Under Notification Emails, specify the following email addresses:
Error Notification Recipient: Specify one email address for the email account to receive email
notifications if the Manager goes down or encounters some other problem. If you need to specify
more email addresses, the Manager Configuration Wizard allows that, as described in the "Running
the Manager Configuration Wizard" section of the ESM Administrator's Guide.
From email address: The email address used for the notifications sender.
If the values are correct, type yes and Enter to continue. Emails are sent when the system detects
the following occurrences:
lThe subsystem status is changed. The email shows the change and who did it.
lThe report has been successfully archived.
lThe account password has been reset.
lThe Archive report generation fails.
lThere is too many notifications received by a destination.
lThe event archive location has reached the cap space. It will ask you to free up some space by
moving the event archives to some other place.
lThe user elects to email the ArcSight Console settings.
lThe user sends partition archival command.
lAn archive fails because there is not enough space.
lThe Connection to the database failed.
12. For the License File, enter the path and file name of the license file you downloaded and press
Enter.
ESM Installation Guide
Chapter 3: Installing Software ESM
HPE ESM 7.0 Page 48 of 115
13. Under Select the Product Mode, select whether you want to install in default mode or FIPS mode.
Press Enter to continue.
Caution:
lIf you choose to install the product in FIPS mode, be sure to install the Console in FIPS
mode too. Refer to "Installing ArcSight Console in FIPS Mode" on page96 for instructions
on installing the Console in FIPS mode.
lOnce you have configured the software in FIPS mode, you will not be able to convert it to
default mode without reinstalling it.
lConverting from default mode installation to FIPS-140-2 mode is supported. If you need to
do so at any time, refer to the Administrator’s Guide for instructions.
lBy default, ESM uses a self-signed certificate. If you would like to use a CA-signed
certificate, you will have to import the CA-signed certificate manually after the
configuration wizard completes successfully. Refer to the Administrator’s Guide for ESM for
details on using a CA-signed certificate.
14. If you selected FIPS mode, confirm your selection. if not, skip to the Manager Information step.
15. If you selected FIPS mode on the Select the Cipher Suite Options panel. select the cipher suite.
Suite B defines two security levels of 128 and 192 bits. The two security levels are based on the
Advanced Encryption Standard (AES) key size that is used instead of the overall security provided
by Suite B. At the 128-bit security level, the 128 bit AES key size is used. However, at the 192-bit
security level, a 256 bit AES key size is used. Although a larger key size means more security, it also
means computational cost in time and resource (CPU) consumption. In most scenarios, the 128-bit
key size is sufficient.
16. Under Manager Information, enter the Manager’s hostname, set the user ID and password for the
admin user, and press Enter.
Caution:
lThe Manager host name is the IP address (for IPv4 only), or fully-qualified domain name of
the machine where the Manager is installed. This name is what all clients (for example,
ArcSight Console) specify to connect to the Manager. Using a fully-qualified domain name
instead of an IP address is recommended for flexibility.
lThe IP Version selection (IPv4 or IPv6) appears if you have a dual-stack machine, such as
an appliance. If you see this option, your selection has the following effects:
lIt controls what IP Address is used by third party software if a hostname is given. for
example, the e-mail server in Manager Setup.
lIt controls which IP Address is tried on the peering page if a hostname is specified.
lIt controls whether an IPv4 or IPv6 Address is chosen for the manager asset.
ESM Installation Guide
Chapter 3: Installing Software ESM
HPE ESM 7.0 Page 49 of 115
lThere might be more than one host name, and the default might not be the same as the one
returned by the hostname command. If you are using the High Availability Module, use the
Service hostname that is common to both servers (primary and secondary) as the Manager
IP, or hostname. Otherwise, pick one which you would expect to work, and would be
convenient for configuring connectors, consoles, and other clients. Note that it is always
best to use a fully qualified domain name.
lIf you do not want the hostname on your DNSserver, add a static host entry to the
/etc/hosts file to resolve the host name locally.
lThe Manager hostname is used to generate a self-signed certificate. The Common Name
(CN) in the certificate is the Manager host name that you specify in this screen.
lAlthough the Manager uses a self-signed certificate by default, you can switch to using a
CA-signed certificate if needed. You can do this after installation. Refer to the
ESM
Administrator’s Guide for instructions.
17. Select whether to set up connection to the Event Broker (if Event Broker is part of your
implementation of ESM). If you need to set up the Event Broker in FIPS mode, see "Configure
Event Broker Access - FIPS Mode (Server Authentication Only) (Optional)" on page99 .
If client authentication is enabled on the Event Broker, see either "Setting Up SSL Client-Side
Authentication Between Event Broker and ESM - Non-FIPS Mode" on page60 or "Setting Up SSL
Client-Side Authentication Between Event Broker and ESM - FIPS Mode" on page102.
Select Yes to set up the connection; select No to continue. If you select Yes, specify:
a. Host: Port(s): Enter the host and port information for the nodes in the Event Broker. Include
the host (hostname or IP address) and port information of all the nodes in a multiple node
environment not just the Master node. This is a comma-separated list, for example:
<host>:<port>,<host>:<port>. Note that Event Broker can only accept IPV4 connections from
ESM.
b. Topic to read from: Specify the topic in the Event Broker you want to read from. This will