Novell SENTINEL 6.1 Installation Guide

Novell®

www.novell.com

Installation Guide

novdocx (en) 7 January 2010

AUTHORIZED DOCUMENTATION

Sentinel

6.1 SP2

February 2010

TM

Sentinel 6.1 Installation Guide

Legal Notices

Novell, Inc., makes no representations or warranties with respect to the contents or use of this documentation, and
specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose.
Further, Novell, Inc., reserves the right to revise this publication and to make changes to its content, at any time,
without obligation to notify any person or entity of such revisions or changes.

Further, Novell, Inc., makes no representations or warranties with respect to any software, and specifically disclaims
any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc.,
reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to
notify any person or entity of such changes.

Any products or technical information provided under this Agreement may be subject to U.S. export controls and the
trade laws of other countries. You agree to comply with all export control regulations and to obtain any required
licenses or classification to export, re-export or import deliverables. You agree not to export or re-export to entities
on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export
laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses.
See the Novell International Trade Services Web page (http://www.novell.com/info/exports/) for more information
on exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export
approvals.

novdocx (en) 7 January 2010

Copyright © 1999-2010 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied,
stored on a retrieval system, or transmitted without the express written consent of the publisher.

Novell, Inc., has intellectual property rights relating to technology embodied in the product that is described in this
document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S.
patents listed on the Novell Legal Patents Web page (http://www.novell.com/company/legal/patents/) and one or
more additional patents or pending patent applications in the U.S. and in other countries.

Novell, Inc.
404 Wyman Street, Suite 500
Waltham, MA 02451
U.S.A.
www.novell.com

Online Documentation: To access the latest online documentation for this and other Novell products, see

the Novell Documentation Web page (http://www.novell.com/documentation).

Novell Trademarks

For Novell trademarks, see the Novell Trademark and Service Mark list (http://www.novell.com/company/legal/

trademarks/tmlist.html).

Third-Party Materials

All third-party trademarks are the property of their respective owners.

novdocx (en) 7 January 2010

novdocx (en) 7 January 2010

4 Sentinel 6.1 Installation Guide

Contents

Preface 9

1 Introduction 11

1.1 Sentinel Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

1.2 Sentinel User Interfaces. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

1.2.1 Sentinel Control Center . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

1.2.2 Sentinel Data Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

1.2.3 Sentinel Solution Designer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

1.2.4 Sentinel Collector Builder . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

1.3 Sentinel Server Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

1.3.1 Sentinel Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

1.3.2 Sentinel Communication Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

1.3.3 Sentinel Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

1.3.4 Sentinel Collector Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

1.3.5 Correlation Engine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

1.3.6 iTRAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

1.3.7 Crystal Reports Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

1.3.8 Sentinel Advisor and Exploit Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

1.4 Sentinel Plugins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

1.4.1 Collectors. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

1.4.2 Connectors and Integrators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

1.4.3 Correlation Rules and Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

1.4.4 Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

1.4.5 iTRAC Workflows. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

1.4.6 Solution Packs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

1.5 Language Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

novdocx (en) 7 January 2010

2 System Requirements 17

2.1 Supported Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

2.1.1 Patch Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

2.1.2 Database Supported Platforms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

2.1.3 Sentinel Component Supported Platforms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

2.1.4 Platform Support Exceptions and Cautions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

2.2 Hardware Recommendations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

2.2.1 Architecture Considerations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

2.2.2 Supported Hardware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

2.2.3 Proof of Concept Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

2.2.4 Production Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

2.2.5 High-Performance Production Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

2.2.6 Virtual Environments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

3 Installing Sentinel 6.1 SP2 27

3.1 Installer Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

3.2 Sentinel Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

3.2.1 Linux . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

3.2.2 Solaris . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

3.2.3 Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

3.2.4 High-Performance Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

Contents 5

3.3 Port Numbers Used for Sentinel 6.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

3.4 General Installation Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

3.4.1 Providing Power User Privileges to Domain Users . . . . . . . . . . . . . . . . . . . . . . . . . . 33

3.4.2 Sentinel Database Installation Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

3.4.3 Authentication Mode Settings on Microsoft SQL . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

3.4.4 Sentinel Server Installation Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

3.5 Database Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

3.5.1 Setting Kernel Values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

3.5.2 Creating Group and User Accounts for Oracle (Solaris Only) . . . . . . . . . . . . . . . . . . 39

3.5.3 Setting Environment Variables for Oracle (Solaris Only) . . . . . . . . . . . . . . . . . . . . . . 39

3.5.4 Installing Oracle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

3.6 Simple Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

3.7 Custom Installation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42

3.7.1 Starting the Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

3.7.2 Configuring the Database on Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

3.7.3 Configuring the Database on Linux or Solaris . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

3.7.4 Completing the Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51

3.7.5 Console Installation on Linux or Solaris. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52

3.8 Installing Sentinel as a Domain user . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54

3.9 Post-Installation Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54

3.9.1 Configuring the SMTP Integrator to Send Sentinel Notifications . . . . . . . . . . . . . . . . 55

3.9.2 Sentinel Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55

3.9.3 Collector Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56

3.9.4 Starting the Collector Manager Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56

3.9.5 Configuring the Light weight Collector Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56

3.9.6 Managing Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

3.9.7 Modifying Oracle dbstart and dbshut scripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

3.9.8 High-Performance Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60

3.10 LDAP Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62

3.10.1 Configuring the Sentinel 6.1 Server for LDAP Authentication . . . . . . . . . . . . . . . . . . 62

3.10.2 Configuring Multiple LDAP Servers for Failover . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66

3.10.3 Migrating LDAP User Accounts from Sentinel 6.1 SP1 Hotfix 2 to Sentinel 6.1 SP2 68

3.11 Updating the License Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69

3.11.1 Unix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69

3.11.2 Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69

novdocx (en) 7 January 2010

4 Testing the Installation 71

4.1 Testing the Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71

4.2 Clean Up from Testing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79

4.3 Getting Started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80

5 Adding Sentinel Components 81

5.1 Adding Sentinel Components to an Existing Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81

5.2 Installing Additional Load Balancing Nodes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81

5.2.1 Multiple DAS_Binary Processes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82

6 Communication Layer (iSCALE) 91

6.1 SSL Proxy and Direct Communication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92

6.1.1 Sentinel Control Center . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92

6.1.2 Collector Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93

6.2 Changing the Communication Encryption Key. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94

6.3 Increasing AES Key Strength. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95

6 Sentinel 6.1 Installation Guide

7 Crystal Reports for Windows 97

7.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97

7.2 System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98

7.3 Configuration Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98

7.4 Installation Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99

7.4.1 Installation Overview of Crystal Reports Server with SQL Server 2005 . . . . . . . . . 100

7.4.2 Installation Overview of Crystal Reports Server with Oracle . . . . . . . . . . . . . . . . . . 101

7.5 Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101

7.5.1 Installing Microsoft Internet Information Server (IIS) and ASP.NET . . . . . . . . . . . . 102

7.5.2 Installing Crystal Reports Server for Microsoft SQL Server 2005 with Windows

Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102

7.5.3 Installing Crystal Reports Server for Microsoft SQL Server 2005 with SQL

Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106

7.5.4 Installing Crystal Reports Server for Oracle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109

7.6 Downloading the Service Packs for Crystal Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112

7.7 Configuring Crystal Reports Server to Work with the Sentinel Control Center . . . . . . . . . . . 112

7.7.1 Configuring inetmgr . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112

7.7.2 Patching Crystal Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113

7.8 Publishing Crystal Report Templates. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115

7.8.1 Using the Solution Manager to Publish Report Templates . . . . . . . . . . . . . . . . . . . 116

7.8.2 Using the Crystal Publishing Wizard to Publish Report Templates . . . . . . . . . . . . . 116

7.8.3 Using the Central Management Console to Publish Report Templates. . . . . . . . . . 118

7.8.4 Setting a Named User Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119

7.8.5 Configuring Report Permissions and Testing Connectivity . . . . . . . . . . . . . . . . . . . 119

7.8.6 Disabling the Sentinel Top 10 Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120

7.8.7 Configuring the Sentinel Control Center to Integrate with Crystal Reports Server . 121

7.9 High-Performance Configurations for Crystal. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122

7.9.1 Increasing the Report Refresh Record Limit for Crystal Reports Server . . . . . . . . 122

7.9.2 Using the Aggregration Service for Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123

7.9.3 Report Development . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124

7.10 Using Crystal Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124

7.11 Uninstalling Crystal Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124

novdocx (en) 7 January 2010

8 Crystal Reports for Linux 125

8.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126

8.2 Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126

8.2.1 Pre-Install Crystal Reports Server

8.2.2 Installing Crystal Reports Server XIR2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129

8.2.3 Patching Crystal Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130

8.3 Downloading the Service Packs for Crystal Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131

8.4 Publishing Crystal Reports Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131

8.4.1 Publishing Report Templates using Solution Manager . . . . . . . . . . . . . . . . . . . . . . 132

8.4.2 Publishing Report Templates – Crystal Publishing Wizard . . . . . . . . . . . . . . . . . . . 133

8.4.3 Publishing Report Templates – Central Management Console . . . . . . . . . . . . . . . . 135

8.5 Using the Crystal XI R2 Web Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136

8.5.1 Testing connectivity to the Web Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136

8.5.2 Setting a “Named User” Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136

8.5.3 Configuring Reports Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137

8.6 Increasing Crystal Reports Server Report Refresh Record Limit . . . . . . . . . . . . . . . . . . . . . . 137

8.7 Configuring Sentinel Control Center to Integrate with Crystal Reports Server. . . . . . . . . . . . 138

8.8 Utilities and Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139

8.8.1 Starting MySQL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139

8.8.2 Starting Tomcat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139

8.8.3 Starting Crystal Reports Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139

TM

XI R2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127

Contents 7

8.8.4 Crystal Host Name Error . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139

8.8.5 Cannot Connect to CMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139

8.9 High-Performance Configurations for Crystal. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140

8.9.1 Reports Using Aggregation Service. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141

8.9.2 Report Development . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142

8.10 Using Crystal Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142

9 Uninstalling Sentinel 143

9.1 Uninstalling Sentinel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143

9.1.1 Uninstall for Solaris and Linux . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143

9.1.2 Uninstall for Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144

9.2 Post-Uninstall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144

9.2.1 Sentinel Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145

A Pre-installation Questionnaire 151

B Oracle Setup 153

B.1 Installing Oracle 11g . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153

B.1.1 Oracle 11g Installation on SLES 11 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153

B.1.2 Oracle 11g Installation on SLES 10 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155

B.1.3 Oracle 11g Installation on Red Hat Linux 4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156

B.1.4 Oracle 11g Installation on Solaris 10 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158

B.2 Upgrading the Database from Oracle 10g to Oracle 11g. . . . . . . . . . . . . . . . . . . . . . . . . . . . 160

B.3 Installing Oracle 10g . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161

B.3.1 Oracle 10g Installation on SLES 10 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161

B.3.2 Oracle 10g Installation on Red Hat Linux 4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162

B.3.3 Oracle 10g Installation on Solaris 10 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164

B.4 Manual Oracle Instance Creation (Optional) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164

novdocx (en) 7 January 2010

C Sentinel with Oracle Real Application Clusters 167

C.1 Configuring the Oracle RAC Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167

C.1.1 Creating the RAC Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167

C.1.2 Creating the Sentinel Tablespaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170

C.1.3 Creating the Sentinel Database User . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171

C.2 Installing the Sentinel Database. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171

C.3 Configuring the Connection Properties File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173

C.4 Configuring the Connection for Sentinel Data Manager. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174

C.4.1 Known Issue . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174

C.5 Configuring the Connection for Crystal Enterprise Server . . . . . . . . . . . . . . . . . . . . . . . . . . . 174

8 Sentinel 6.1 Installation Guide

Preface

SentinelTM is a security information and event management solution that receives information from
many sources throughout an enterprise, standardizes it, prioritizes it and presents it to you to make
threat, risk and policy related decisions.

This guide describes the installation procedures for Sentinel 6.1 SP2.

 Chapter 1, “Introduction,” on page 11

 Chapter 2, “System Requirements,” on page 17

 Chapter 3, “Installing Sentinel 6.1 SP2,” on page 27

 Chapter 4, “Testing the Installation,” on page 71

 Chapter 5, “Adding Sentinel Components,” on page 81

 Chapter 6, “Communication Layer (iSCALE),” on page 91

 Chapter 7, “Crystal Reports for Windows,” on page 97

 Chapter 8, “Crystal Reports for Linux,” on page 125

 Chapter 9, “Uninstalling Sentinel,” on page 143

novdocx (en) 7 January 2010

 Appendix A, “Pre-installation Questionnaire,” on page 151

 Appendix B, “Oracle Setup,” on page 153

 Appendix C, “Sentinel with Oracle Real Application Clusters,” on page 167

Audience

This documentation is intended for Information Security Professionals.

Feedback

We want to hear your comments and suggestions about this manual and the other documentation
included with this product. Please use the User Comments feature at the bottom of each page of the
online documentation and enter your comments there.

Additional Documentation

Sentinel Technical documentation is broken down into several different volumes. They are:

 Sentinel 6.1 Install Guide (http://www.novell.com/documentation/sentinel61/s61_install/data)

 Sentinel 6.1 User Guide (http://www.novell.com/documentation/sentinel61/s61_user/data)

 Sentinel 6.1 Reference Guide (http://www.novell.com/documentation/sentinel61/

s61_reference/data)

 Sentinel SDK (http://developer.novell.com/wiki/index.php?title=Develop_to_Sentinel)

This site gives you details about developing collectors (proprietary or JavaScript) and
JavaScript correlation actions.

Preface 9

Documentation Conventions

The following are the conventions used in this manual:

 Notes and Warnings

NOTE: Notes provide additional information that may be useful or for reference.

WARNING: Warnings provide additional information that helps you identify and stop performing

actions in the system that cause damage or loss of data.

 Commands appear in courier font. For example:

useradd –g dba –d /export/home/oracle –m –s /bin/csh oracle

 Go to Start > Program Files > Control Panel to perform this action: Multiple actions in a step.

 References

 For more information, see “Section Name” (if in the same Chapter).

 For more information, see “Chapter Name” (if in the same Guide).

novdocx (en) 7 January 2010

 For more information, see “Section Name” in “Chapter Name”, Name of the Guide (if in a

different Guide).

In Novell documentation, a greater-than symbol (>) is used to separate actions within a step and
items in a cross-reference path.

®

A trademark symbol (

, TM, etc.) denotes a Novell trademark. An asterisk (*) denotes a third-party

trademark.

When a single pathname can be written with a backslash for some platforms or a forward slash for
other platforms, the pathname is presented with a backslash. Users of platforms that require a
forward slash, such as Linux or UNIX, should use forward slashes as required by your software.

Contacting Novell

 Web Site: http://www.novell.com (http://www.novell.com)

 Novell Technical Support: http://support.novell.com/

phone.html?sourceidint=suplnav4_phonesup (http://support.novell.com/
phone.html?sourceidint=suplnav4_phonesup)

 Self Support: http://support.novell.com/

support_options.html?sourceidint=suplnav_supportprog (http://support.novell.com/
support_options.html?sourceidint=suplnav_supportprog)

 Patch Download Site: http://download.novell.com/index.jsp (http://download.novell.com/

index.jsp)

 24x7 support: http://www.novell.com/company/contact.html (http://www.novell.com/

company/contact.html)

 For Collectors/Connectors/Reports/Correlation/Hotfixes/TIDS: http://support.novell.com/

products/sentinel (http://support.novell.com/products/sentinel)

10 Sentinel 6.1 Installation Guide

1

Introduction

 Section 1.1, “Sentinel Overview,” on page 11

 Section 1.2, “Sentinel User Interfaces,” on page 12

 Section 1.3, “Sentinel Server Components,” on page 13

 Section 1.4, “Sentinel Plugins,” on page 15

 Section 1.5, “Language Support,” on page 16

The following sections will walk you through the product basics. The rest of the Sentinel User
Guide has more detailed architecture, operation and administrative procedures.

These sections assumes that you are familiar with Network Security, Database Administration,
Windows* and UNIX* operating systems.

1.1 Sentinel Overview

novdocx (en) 7 January 2010

1

SentinelTM is a security information and event management solution that receives information from
many sources throughout an enterprise, standardizes it, prioritizes it and presents it to you to make
threat, risk, and policy-related decisions.

Sentinel automates log collection, analysis, and reporting processes to ensure that IT controls are
effective supporting threat detection and audit requirements. Sentinel replaces these labor-intensive
manual processes with automated, continuous monitoring of security and compliance events and IT
controls.

Sentinel gathers and correlates security and non-security information from across an organization's
networked infrastructure, as well as third-party systems, devices, and applications. Sentinel presents
the collected data in a more sensible GUI, identifies security or compliance issues, and tracks
remediation activities, to streamline previously error-prone processes and build a more rigorous and
secure management program.

Automated incident response management enables you to document and formalize the process of
tracking, escalating, and responding to incidents and policy violations, and provides two-way
integration with trouble-ticketing systems. Sentinel enables you to react promptly and resolve
incidents efficiently.

Solution Packs are a simple way to distribute and import Sentinel correlation rules, dynamic lists,
maps, reports, and iTRAC workflows into controls. These controls may be designed to meet specific
regulatory requirements, such as the Payment Card Industry Data Security Standard, or they may be
related to a specific data source, such as user authentication events for an Oracle database.

With Sentinel, you get:

 Integrated, automated real-time security management and compliance monitoring across all

systems and networks

 A framework that enables business policies to drive IT policy and action

 Automatic documenting and reporting of security, systems, and access events across the

enterprise

Introduction

11

 Built-in incident management and remediation

 The ability to demonstrate and monitor compliance with internal policies and government

regulations such as Sarbanes-Oxley, HIPAA, GLBA, FISMA and others. The content required
to implement these controls is simply distributed and implemented using Solution Packs.

The following is a conceptual architecture of Sentinel, which illustrates the components involved in
performing security and compliance management.

Figure 1-1 Conceptual Architecture of Sentinel

novdocx (en) 7 January 2010

1.2 Sentinel User Interfaces

Sentinel includes several easy-to-use user interfaces:

 Sentinel Control Center

 Sentinel Data Manager

 Sentinel Solution Designer

 Sentinel Collector Builder

1.2.1 Sentinel Control Center

Sentinel Control Center provides an integrated security management dashboard that enables analysts
to quickly identify new trends or attacks, manipulate and interact with real-time graphical
information, and respond to incidents. Key features of Sentinel Control Center include:

 Active Views: Real-time analytics and visualization

 Incidents: Incident creation and management

 Correlation: Correlation rules definition and management

 iTRAC: Process management for documenting, enforcing, and tracking incident resolution

processes

12 Sentinel 6.1 Installation Guide

 Reporting: Historical reports and metrics

 Event Source Management: Collector deployment and monitoring

1.2.2 Sentinel Data Manager

Sentinel Data Manager (SDM) allows you to manage the Sentinel Database. You can perform the
following operations in the SDM:

 Monitor Database Space Utilization

 View and Manage Database Partitions

 Manage Database Archives

 Import Data into the Database

1.2.3 Sentinel Solution Designer

Sentinel Solution Designer is used to create and modify Solution Packs, which are packaged sets of
Sentinel content, such as reports, correlation rules, and workflows.

novdocx (en) 7 January 2010

1.2.4 Sentinel Collector Builder

Sentinel Collector Builder enables you to build Collectors in the Sentinel proprietary language to
process events. You can create and customize the templates so that the Collector can parse the data.

1.3 Sentinel Server Components

Sentinel is made up of several components:

 Data Access Service (DAS)

 Sentinel Communication Server

 Sentinel Database

 Sentinel Collector Manager

 Correlation Engine

 iTRAC

 Crystal Reports Server *

 Sentinel Advisor and Exploit Detection (optional)

1.3.1 Sentinel Server

The Data Access Service (DAS) is the primary component used to communicate with the Sentinel
database. DAS and other server components work together to store events received from the
Collector Managers in the database, filter data, process Active View displays, perform database
queries and process results, and manage administrative tasks such as user authentication and
authorization.

TM

Introduction 13

1.3.2 Sentinel Communication Server

The iSCALETM Message Bus is capable of moving thousands of message packets in a second among
the components of Sentinel. This allows independent scaling of components and standards-based
integration with external applications.

1.3.3 Sentinel Database

The Sentinel product is built around a back-end database that stores security events and all of the
Sentinel metadata. The events are stored in normalized form, along with asset and vulnerability data,
identity information, incident and workflow status, and many other types of data.

1.3.4 Sentinel Collector Manager

Collector Manager manages data collection, monitors system status messages, and performs event
filtering as needed. Main functions of the Collector Manager include transforming events, adding
business relevance to events through taxonomy, performing global filtering on events, routing
events, and sending health messages to the Sentinel server.

novdocx (en) 7 January 2010

The Sentinel Collector Manager can connect directly to the message bus or it can use an SSL proxy.

1.3.5 Correlation Engine

Correlation adds intelligence to security event management by automating analysis of the incoming
event stream to find patterns of interest. Correlation allows you to define rules that identify critical
threats and complex attack patterns so that you can prioritize events and initiate effective incident
management and response.

1.3.6 iTRAC

Sentinel provides an iTRAC workflow management system to define and automate processes for
incident response. Incidents that are identified in Sentinel, either by a correlation rule or manually,
can be associated with an iTRAC workflow.

1.3.7 Crystal Reports Server

Comprehensive reporting services within the Sentinel Control Center are powered by Crystal
Reports Server by Business Objects*. Sentinel comes with predefined reports geared toward the
most common reporting requests by organizations monitoring their security and compliance
postures. Using the Crystal Reports Developer, new or customized reports can also be developed
against the Sentinel published report view schema.

1.3.8 Sentinel Advisor and Exploit Detection

Sentinel Advisor is an optional data subscription service that includes known attacks,
vulnerabilities, and remediation information. This data, combined with known vulnerabilities and
real-time intrusion detection or prevention information from your environment, provide proactive
exploit detection and the ability to immediately act when an attack takes place against a vulnerable
system.

14 Sentinel 6.1 Installation Guide

1.4 Sentinel Plugins

Sentinel supports a variety of plugins to expand and enhance system functionality. Some of these
plugins are installed automatically. Additional plugins (and updates) are available for download at

http://support.novell.com/products/sentinel/sentinel61.html (http://support.novell.com/products/
sentinel/sentinel61.html).

Some plugins, such as the Remedy* Integrator and the IBM* Mainframe Connector, require an
additional license for download.

1.4.1 Collectors

Sentinel collects data from source devices and delivers a richer event stream by injecting taxonomy,
exploit detection, and business relevance into the data stream before events are correlated and
analyzed and sent to the database. A richer event stream means that data is correlated with the
required business context to identify and remediate internal or external threats and policy violations.

Sentinel Collectors can parse data from the types of devices listed below:

novdocx (en) 7 January 2010

 Intrusion Detection Systems (host)

 Intrusion Detection Systems (network)

 Firewalls

 Operating Systems

 Policy Monitoring

 Authentication

 Routers and Switches

 VPNs

JavaScript Collectors can be written and run on Sentinel 6.0 SP1 and above using standard
JavaScript development tools and the Collector SDK. Proprietary Collectors can be built or
modified using Section 1.2.4, “Sentinel Collector Builder,” on page 13, a standalone application
included with the Sentinel system.

 Anti-Virus Detection Systems

 Web Servers

 Databases

 Mainframe

 Vulnerability Assessment Systems

 Directory Services

 Network Management Systems

 Proprietary Systems

1.4.2 Connectors and Integrators

Connectors provide connectivity from the Collector Manager to event sources using standard
protocols such as JDBC* and syslog. Events are passed from the Connector to the Collector for
parsing.

Integrators enable remediation actions on systems outside of Sentinel. For example, a correlation
action can use the SOAP Integrator to initiate a Novell Identity Manager workflow.

The optional Remedy AR Integrator provides the ability to create a Remedy ticket from Sentinel
events or incidents.

1.4.3 Correlation Rules and Actions

Correlation rules identify important patterns in the event stream. When a correlation rule triggers, it
initiates correlation actions, such as sending email notifications, initiating an iTRAC workflow, or
executing an action using an Integrator.

Introduction 15

1.4.4 Reports

Users can run a wide variety of dashboard and operational reports from the Sentinel Control Center
using Crystal Reports Server. In Sentinel 6.1 and later versions, reports are typically distributed via
Solution Packs.

1.4.5 iTRAC Workflows

iTRAC workflows provide consistent, repeatable processes for managing incidents. In Sentinel 6.1
and later versions, workflow templates are typically distributed via Solution Packs.

1.4.6 Solution Packs

Solution Packs are packaged sets of related Sentinel content, such as correlation rules, actions,
iTRAC worflows, and reports. Novell provides Solution Packs that focus on specific business needs,
such as the PCI-DSS Solution Pack, which addresses compliance with the Payment Card Industry
Data Security Standard. Novell also creates “collector packs,” which include content focused on a
specific event source, such as Windows Active Directory*.

novdocx (en) 7 January 2010

1.5 Language Support

Sentinel components are localized for the following languages:

 English

 Portuguese (Brazil)

 French

 Italian

 German

 Spanish

 Japanese

 Chinese (Traditional)

 Chinese (Simplified)

There are several exceptions:

 The Collector Builder interface and scripting are in English only, although it can run on the

non-English operating systems listed above.

 JavaScript Collectors can be modified to parse either ASCII or Unicode (double-byte) data, but

the Collectors posted on the Sentinel Content site are currently written for English data only.
Collectors written in the proprietary Collector language are only capable of processing ASCII
and extended ASCII data.

 Internal events (to audit Sentinel operations) are in English only.

16 Sentinel 6.1 Installation Guide

2

System Requirements

 Section 2.1, “Supported Software,” on page 17

 Section 2.2, “Hardware Recommendations,” on page 21

2.1 Supported Software

For best performance and reliability, Novell® recommends installing all SentinelTM components on
the approved software listed in this section. This software is quality assured and certified. For the
latest information on the minimum requirements, see the Sentinel Documentation site (http://

www.novell.com/documentation/sentinel61).

 Section 2.1.1, “Patch Levels,” on page 17

 Section 2.1.2, “Database Supported Platforms,” on page 18

 Section 2.1.3, “Sentinel Component Supported Platforms,” on page 19

 Section 2.1.4, “Platform Support Exceptions and Cautions,” on page 20

novdocx (en) 7 January 2010

2

2.1.1 Patch Levels

The following table lists the specific patch levels that were used to perform Sentinel testing. For
convenience in this document, these platforms are referred to by the short name in the left column.
In situations in which the bit length does not matter in this document, the bit length might be
truncated from the short name.

Table 2-1 Patch Level Information

Short Name Full Name and Patch Level

SLES 11 (64-bit) SUSE® Linux Enterprise Server 11 (64-bit)

SLES 10 (32-bit) SUSE Linux Enterprise Server 10 SP2 (32-bit)

SLES 10 (64-bit) SUSE Linux Enterprise Server 10 SP2 (64-bit)

RHEL 4 (32-bit) Red Hat* Enterprise Linux 4 Nahant Update-4 (32-bit)

RHEL 4 (64-bit) Red Hat Enterprise Linux 4 Nahant Update-4 (64-bit)

Solaris* 10 (64-bit) Sun* Solaris 10 6/06 s10s_u2wos_09a (64-bit SPARC*)

Microsoft* Windows* 2003 (32-bit) Windows 2003 SP2, Standard or Enterprise Edition (32-bit)

Windows 2003 (64-bit) Windows 2003 SP1, Standard or Enterprise Edition (64-bit)

Windows 2008 (64-bit) Windows 2008 SP1, Standard Edition (64-bit)

SLED 10 (32-bit) SUSE Linux Enterprise Desktop 10 SP1 (32-bit)

Windows XP (32-bit) Windows XP SP2 (32-bit)

Windows Vista* (32-bit) Windows Vista SP1 (32-bit)

System Requirements

17

Short Name Full Name and Patch Level

Oracle* 10g (32-bit) Oracle 10g Enterprise Edition with partitioning (v 10.2.0.4)

Oracle 10g (64-bit) Oracle 10g Enterprise Edition with partitioning (v 10.2.0.4)

Oracle 11g (64-bit) Oracle 11g Enterprise Edition with partitioning

SQL Server* 2005 (32-bit) Microsoft SQL Server 2005 SP2, Standard or Enterprise Edition (32-

bit)

SQL Server 2005 (64-bit) Microsoft SQL Server 2005 SP2, Standard or Enterprise Edition (64-

bit)

SQL Server 2008 (64-bit) Microsoft SQL Server 2008 (Version 10.0.1300.13)

SLES 9 (32-bit) SUSE Linux Enterprise Server 9 SP2 (32-bit)

You should check with the vendors for security updates and patches. Hot fixes and security patches
typically have no impact on Sentinel operations and are therefore supported. Because major or
minor releases of a database or operating system typically involve more substantial changes, only
the versions mentioned in Table 2-1 on page 17 are supported for this release.

novdocx (en) 7 January 2010

2.1.2 Database Supported Platforms

The following database and operating system combinations are certified or supported. Certified
combinations have been tested with Novell Engineering’s full test suite. Supported combinations are
expected to be fully functional.

Table 2-2 Database Supported Platforms

Oracle 10g (32­bit)

SLES 11 (64) Not Supported Certified only

SLES 10 (32) Supported Not Supported Not Supported Not Supported Not Supported

SLES 10 (64) Not Supported Certified Not Supported Not Supported Not Supported

RHEL 4 (32) Supported Not Supported Not Supported Not Supported Not Supported

RHEL 4 (64) Not Supported Supported Not Supported Not Supported Not Supported

Solaris 10 (32) Supported Not Supported Not Supported Not Supported Not Supported

Solaris 10 (64) Not Supported Supported Not Supported Not Supported Not Supported

Oracle 10g and
Oracle 11g (64­bit)

on Oracle 11g

SQL Server 2005
(32)

Not Supported Not Supported Not Supported

SQL Server 2005
(64)

MS SQL 2008
(64)

Windows 2003
(32)

Windows 2003
(64)

Windows 2008
(64)

Not Supported Not Supported Supported Not Supported Not Supported

Not Supported Not Supported Not Supported Certified Not Supported

Not Supported Not Supported Not Supported Not Supported Supported

18 Sentinel 6.1 Installation Guide

Although 32-bit platforms are supported for the Sentinel database in development or proof-of­concept environments, Novell recommends 64-bit platforms for production databases in order to
obtain the best performance results.

NOTE: All databases should be installed on an operating system that is certified by the database
vendor and also by Novell for use with Sentinel components. Oracle must run on Linux* or Solaris
(not Windows). When you use the Oracle client to install or load seed data to the Sentinel database,
ensure that the Oracle client version is same or later than the Oracle server version.

2.1.3 Sentinel Component Supported Platforms

The Sentinel Server components include the Communication Server, Correlation Engine, Data
Access Service (DAS), and the Advisor data subscription service (which resides on the same
machine as DAS).

The Sentinel user applications that are mentioned in Table 2-3 on page 19 include the Sentinel
Control Center (SCC), Sentinel Data Manager (SDM), and Sentinel Solution Designer (SSD).

The Collector Manager, Collector Builder, and Crystal Reports* Server also have specific platform
requirements.

novdocx (en) 7 January 2010

The following software and operating system combinations are certified or supported. Certified
combinations have been tested with Novell Engineering’s full test suite. Supported combinations are
expected to be fully functional.

Table 2-3 Supported and Certified Components

Sentinel Server
Components

SLES 11 (64) Certified Certified Supported Not Supported Not Supported

SLES 10 (32) Supported Supported Certified Not Supported Not Supported

SLES 10 (64) Certified Supported Supported Not Supported Not Supported

RHEL 4 (32) Supported Supported Supported Not Supported Certified

RHEL 4 (64) Supported Supported Supported Not Supported Not Supported

Solaris 10 (32) Supported Supported Certified Not Supported Not Supported

Solaris 10 (64) Certified Supported Supported Not Supported Not Supported

Windows 2003
(32)

Windows 2003
(64)

Supported Supported Certified Supported Certified

Certified Supported Supported Supported Not Supported

Sentinel User
Applications

Collector
Manager

Collector
Builder

Crystal Reports
Server

Windows 2008
(64)

SLED 10 Not Supported Certified Not Supported Not Supported Not Supported

Windows XP Not Supported Certified Not Supported Supported Not Supported

Supported Supported Supported Supported Not Supported

System Requirements 19

novdocx (en) 7 January 2010

Sentinel Server
Components

Windows Vista Not Supported Supported Not Supported Supported Not Supported

SLES 9 (32) Not Supported Not Supported Not Supported Not Supported Certified

Sentinel User
Applications

Collector
Manager

Collector
Builder

Crystal Reports
Server

The supported reporting server is Crystal Reports Server XI R2 SP4, which is supported only on 32­bit hardware. The supported Crystal Reports service packs can be downloaded from the Novell

download Web site (http://download.novell.com/).

1 Go to the Novell download Web site (http://download.novell.com).

2 Select

3 Specify

SIEM/Sentinel

crystal

as the Keyword, then click search.

from the Product or Technology list.

The download page displays the required service packs for Crystal Reports and also includes
the instructions for installing the service packs.

For more information on installing and configuring Crystal Reports, see Chapter 7, “Crystal Reports

for Windows,” on page 97 and Chapter 8, “Crystal Reports for Linux,” on page 125.

Crystal requires a Web server and a Central Management Server (CMS) database for operation, in
addition to the Sentinel database. The Crystal Reports Server can run on the following platforms in
the Sentinel environment:

 Red Hat Enterprise Linux 4 (32-bit)

 Crystal CMS database on MySQL*

 Web server on Apache Tomcat*

 Sentinel database on Oracle recommended; other configurations untested

 SUSE Linux Enterprise Server 9 SP2 (32-bit)

 Crystal CMS database on MySQL

 Web server on Apache Tomcat

 Sentinel database on Oracle recommended; other configurations untested

 Windows 2003 SP1 Server, Standard or Enterprise Edition (32-bit)

 Crystal CMS database on Microsoft SQL Server 2005

 Web server on Microsoft IIS with .NET

 Sentinel database on SQL Server recommended; other configurations untested

See the vendor documentation for additional details about system requirements, supported version
numbers, and known issues for these platforms.

2.1.4 Platform Support Exceptions and Cautions

The following platforms are not supported by their respective vendors and therefore are not
supported by Novell:

 The vendor for Crystal Reports Server XI R2 does not currently support Crystal on Solaris or

SUSE Linux Enterprise Server 10.

 Oracle does not currently support Oracle 10 (32-bit) on 32-bit Solaris 10.

20 Sentinel 6.1 Installation Guide

Although the following platform configurations might be supported by their respective vendors,
Novell does not recommend these configurations in a Sentinel environment:

 Sentinel on SUSE Linux Enterprise Server 10 running with the ReiserFS file system

 Oracle database on Microsoft Windows

 Crystal Reports Server on Microsoft Windows 2000

 Crystal Reports Server with MSDE as the database

Novell recommends running the Sentinel database and reporting engine on platforms that have been
fully quality assured by Novell. However, both the Oracle database and Crystal Reports Server are
supported by their respective vendors on additional platforms that are not fully quality assured by
Novell. If a customer wants to use one of these additional platforms, Novell support for these
platforms includes the following conditions.

 Because the Sentinel database installation and configuration are platform specific, only Novell

Consulting or a qualified partner should be engaged to perform the initial Sentinel installation
and setup.

 The standard installer might not work as expected on an untested platform.

novdocx (en) 7 January 2010

 When the Sentinel system is functional, any database or reporting issue that cannot be

duplicated on Novell in-house supported platforms must be addressed by the appropriate
vendor.

Finally, for full functionality, Novell recommends that the database and DAS be installed with the
same operating system (although not necessarily on the same machine). For example, Windows
Authentication cannot be used if DAS is installed in a mixed environment where DAS is on
Windows and the database is Oracle or where DAS is on UNIX* or Linux and the database is SQL
Server.

Collector Builder runs only on the Windows platform.

2.2 Hardware Recommendations

Sentinel has a highly scalable architecture, and if high event rates are expected, components can be
distributed across several machines to achieve the best performance for the system. As you plan
your system, make sure you take into account the following considerations:

 Section 2.2.1, “Architecture Considerations,” on page 21

 Section 2.2.2, “Supported Hardware,” on page 23

 Section 2.2.3, “Proof of Concept Configuration,” on page 23

 Section 2.2.4, “Production Configuration,” on page 24

 Section 2.2.5, “High-Performance Production Configuration,” on page 25

 Section 2.2.6, “Virtual Environments,” on page 26

2.2.1 Architecture Considerations

There are many factors that should be considered when designing a Sentinel system.:

 Event rate (events per second, or EPS)

 Geographic/network location of event sources, and bandwidth between networks

System Requirements 21

 Available hardware

 Preferred operating systems

 Plans for future scalability

 Amount of event filtering expected

 Local data retention policies

 Desired number and complexity of correlation rules

 Expected number of incidents per day

 Expected number of workflows to be managed per day

 Number of users logging in to the system

 Vulnerability and asset infrastructure

The most significant factor in the Sentinel system design is the event rate; almost every component
of the Sentinel architecture is affected by increasing event rates. In a high-event-rate environment,
the greatest demand is placed on the database, which is I/O-dependent and might be simultaneously
handling inserts of hundreds or thousands of events per second, object creation by multiple users,
workflow process updates, simple historical queries from the Sentinel Control Center, and long-term
reports from the Crystal Reports Server. Therefore, Novell makes the following recommendations:

novdocx (en) 7 January 2010

 The database should be installed without any other Sentinel components.

 The database server should be dedicated to Sentinel operations. Additional applications or

Extract Transform Load (ETL) processes might impact database performance.

 The database server should have a high-speed storage array that meets the I/O requirements

based on the event insertion rates.

 A dedicated database administrator should regularly evaluate and maintain the following

aspects of the database:

 Size

 I/O operations

 Disk space

 Memory

 Indexing

 Transaction logs

In low-event-rate environments (for example, EPS < 25), these recommendations can be relaxed,
because the database and other components use fewer resources.

This section includes some general hardware recommendations as guidance for Sentinel system
design. In general, design recommendations are based on event rate ranges. However, these
recommendations are based on the following assumptions:

 The event rate is at the high end of the EPS range.

 The average event size is 600 bytes.

 All events are stored in the database (that is, there are no filters to drop events).

 Thirty days worth of data is stored online in the database.

 Storage space for Advisor data is not included in the specifications mentioned in the tables later

in this section.

22 Sentinel 6.1 Installation Guide

 The Sentinel Server has a default 5 GB of disk space for temporarily caching event data that

fails to insert into the database.

 The Sentinel Server also has a default 5 GB of disk space for events that fail to be written to

aggregation event files.

 The optional Advisor subscription requires an additional 50 GB of disk space on the database

server.

The hardware recommendations for a Sentinel implementation can vary based on the individual
implementation, so you should consult Novell Consulting Services prior to finalizing the Sentinel
architecture. The recommendations in this section can be used as guidelines.

NOTE: The Sentinel Server machine with Data Access Server (DAS) must have a local or shared
striped disk array (RAID) with a minimum of four disk spindles because of high event loads and
local caching.

The distributed hosts must be connected to the other Sentinel Server hosts through a single high­speed switch (GigE) in order to prevent network traffic bottlenecks.

Novell recommends that the Crystal Reports Server be installed on its own dedicated machine,
particularly if the database is large or reporting usage is heavy. Crystal can be installed on the same
machine as the database if the database is small, the reporting usage is light, and the database is
installed on either Windows or Linux and not Solaris.

novdocx (en) 7 January 2010

2.2.2 Supported Hardware

When you install Sentinel on Linux or Windows, the Sentinel server and database components can
run on x86 (32-bit) or x86-64 (64-bit) hardware, with some exceptions based on the operating
system, as described in Section 2.2.1, “Architecture Considerations,” on page 21. Sentinel is
certified on AMD* Opteron* and Intel* Xeon* hardware. Itanium* servers are not supported.

For Solaris, the SPARC architecture is supported.

2.2.3 Proof of Concept Configuration

The proof of concept configuration supports up to 1350 events per second (EPS). This configuration
is suitable for demonstrations or limited proofs of concept and can be installed by using the Simple
option in the Sentinel installer. This configuration is not recommended for use in a production
system and has been tested only with the configuration described below.

Table 2-4 Hardware for Proof of Concept

Function RAM Model

Sentinel Server + Database (Oracle) 5 GB, Software RAID 5

with 5 SATA hard drives

SLES 10 SP1, two 64-bit dual core
processors (tested with two Intel
Xeon 5160s, 3.00 GHz)

Collector Manager, Correlation Engine,
and Sentinel Control Center

4 GB RAM Windows 2003 SP2, two 32-bit

single-core processors (tested with
Intel Xeon, 2.4 GHz)

System Requirements 23

Function RAM Model

novdocx (en) 7 January 2010

Crystal Reports Server 4 GB RAM

40 GB disk space

Table 2-5 System Setup for Proof of Concept

Attribute Rating Comments

Collectors deployed per Collector
Manager

Rules deployed per correlation
engine

Active Views running 10

Number of simultaneous users 3

Number of maps deployed 5 The largest map is 40 KB with over

3

10

One 32-bit dual core processor
(tested with Intel Xeon 5150, 2.66
GHz)

800 rows.

2.2.4 Production Configuration

This production configuration supports up to 3200 EPS. The Sentinel components are distributed to
enable a higher event rate than the proof of concept configuration.

 To achieve optimal performance, the Oracle database uses a StorCase disk array (16 disks) to

store data files, and a separate local SATA drive to hold the Oracle Redo log.

 To achieve optimal performance on the Sentinel server, the file directory that holds DAS

aggregation data and

Table 2-6 Hardware for Production Configuration

Function RAM Model

Sentinel Server and
Correlation Engine

Database (Oracle) 4 GB RAM

Collector Manager 1 4 GB RAM

insertErrorBuffer

4 GB RAM

90 GB disk
space

3 TB+ disk
space

20 GB disk
space

was pointed to a separate local SATA hard drive.

SLES 10 SP1, two 64-bit dual core processors (tested with
two Intel Xeon 5160s, 3.00 GHz)

SLES 10 SP1, two 64-bit dual core processors (tested with
two Opteron 275s, 2.2 GHz), StorCase disk array, and
software RAID 5

SLES 10 SP1, two 64-bit dual core processors (tested with
two Opteron 275s, 2.2 GHz)

24 Sentinel 6.1 Installation Guide

Function RAM Model

novdocx (en) 7 January 2010

Collector Manager 2 4 GB RAM

20 GB disk
space

Crystal Reports Server 4 GB RAM

40 GB disk
space

Table 2-7 System Setup for Production Configuration

Attribute Rating Comments

Collectors deployed per Collector
Manager

Rules deployed per Correlation
Engine

10 The Collector Manager 1 configuration handles up

20

Windows 2003, one dual core processor (tested with dual
core Intel Xeon, 2.50 GHz)

One 32-bit dual core processor (tested with Intel Xeon
5150, 2.66 GHz)

to 1750 EPS; the Collector Manager 2
configuration handles up to 850 EPS. A typical
collector running alone can output up to 600 EPS,
but adding more collectors to a Collector Manager
or using collectors with more complex parsing will
reduce the per-collector output.

Active Views running 20

Number of simultaneous users 5

Number of maps deployed 5 The largest map is 40 KB with over 800 rows.

2.2.5 High-Performance Production Configuration

The high-performance production configuration supports up to 5000 EPS.

 To achieve optimal performance, the Oracle database uses a StorCase disk array (16 disks) to

store data files and a separate local SATA drive to hold the Oracle Redo log.

 A secondary DAS_Binary process (which is responsible for event inserts into the database) is

installed on a dedicated machine to reduce the CPU utilization on the primary server.

 To achieve optimal performance on both DAS machines, the file directory that holds DAS

aggregation data and

Table 2-8 Hardware for High-Performance Production Configuration

Function Sizing Model

Sentinel Server (including primary
DAS_Binary process) and Correlation
Engine

insertErrorBuffer

4 GB RAM

90 GB disk space

was pointed to a separate local SATA hard drive.

SLES 10 SP1, two 64-bit dual core
processors (tested with two Intel Xeon
5160s, 3.00 GHz)

System Requirements 25

Function Sizing Model

novdocx (en) 7 January 2010

Database (Oracle) 4 GB RAM

4 TB+ disk space

Collector Manager 1 and secondary
DAS_Binary process

Collector Manager 2 4 GB RAM

Crystal Reports Server 4 GB RAM

Table 2-9 System Setup for High-Performance Production Configuration

Attribute Rating Comments

Collectors deployed per Collector
Manager

4 GB RAM

40 GB disk space

20 GB disk space

40 GB disk space

10 The Collector Manager 1 configuration

SLES 10 SP1, two 64-bit dual core
processors (tested with two Opteron
275s, 2.2 GHz), StorCase disk array,
and software RAID 5

SLES 10 SP1, two 64-bit dual core
processors (tested with two Opteron
275s, 2,2 GHz)

Windows 2003, one dual core processor
(tested with dual core Intel Xeon, 2.50
GHz)

One 32-bit dual core processor (tested
with Intel Xeon 5150, 2.66 GHz)

handles up to 1750 EPS; the Collector
Manager 2 configuration handles up to
850 EPS. A typical collector running
alone can output up to 600 EPS, but
adding more collectors to a Collector
Manager or using collectors with more
complex parsing will reduce the per­collector output.

Rules deployed per correlation Engine 20

Active Views running 20

Number of simultaneous users 4

Number of maps deployed 5 The largest map is 40 KB with over 800

rows.

2.2.6 Virtual Environments

Sentinel 6.1 has been tested extensively on VMware* ESX Server, and Novell fully supports
Sentinel running in this environment. Performance results in a virtual environment can be
comparable to the results achieved in tests on a physical machine, the virtual environment should
provide the same memory, CPU, disk space, and I/O as the physical machine recommendations.

26 Sentinel 6.1 Installation Guide

3

Installing Sentinel 6.1 SP2

 Section 3.1, “Installer Overview,” on page 27

 Section 3.2, “Sentinel Configurations,” on page 28

 Section 3.3, “Port Numbers Used for Sentinel 6.1,” on page 31

 Section 3.4, “General Installation Prerequisites,” on page 31

 Section 3.5, “Database Installation,” on page 37

 Section 3.6, “Simple Installation,” on page 40

 Section 3.7, “Custom Installation,” on page 42

 Section 3.8, “Installing Sentinel as a Domain user,” on page 54

 Section 3.9, “Post-Installation Configuration,” on page 54

 Section 3.10, “LDAP Authentication,” on page 62

 Section 3.11, “Updating the License Key,” on page 69

novdocx (en) 7 January 2010

3

3.1 Installer Overview

This section helps you install the major components of the SentinelTM system. The Sentinel installer
offers the option of a Simple installation or Custom installation. The Simple installation installs all
components on one machine and is intended for demonstration or training systems. This is not
intended for production use as many minimal default settings are used for a Simple installation. The
Custom installation can be used to install one or more Sentinel components at a time and can be used
for distributed production installations.

In addition to the Sentinel components, there are several other applications that can be part of the
Sentinel system:

 Database: The database stores the events, correlated events, and configuration information.

The database must be installed according to the best practices recommended by Oracle and
Microsoft for database installation, directory structure, and so on.

 Crystal Reports Server: Crystal (and its associated Web Server and database) is used to

generate reports from the Novell
installer for Crystal components. For more information about installing Crystal, see Chapter 7,

“Crystal Reports for Windows,” on page 97 and Chapter 8, “Crystal Reports for Linux,” on
page 125.

 Crystal Reports Developer: This application is used to create and modify reports.

 Advisor: Advisor provides real-time intelligence about attacks and vulnerabilities, including

real-time exploit detection to determine which threats are taking place against vulnerable
systems. For more information about Advisor, see “Advisor Usage and Maintenance” in the

Sentinel 6.1 User Guide.

®

report library or custom-designed reports, and has a separate

 Sentinel Link Solution: Sentinel Link is a mechanism that provides the ability to

hierarchically link multiple Sentinel systems, including Novell Sentinel Log Manager, Novell
Sentinel, and Novell Sentinel Rapid Deployment. You can hierarchically link two or more

Installing Sentinel 6.1 SP2

27

Sentinel systems to forward filtered events from one Sentinel system to another for further
evaluation. For more information on Sentinel Link Solution, see “Sentinel Link Solution” in
the Sentinel 6.1 User Guide.

NOTE: Remedy Service Desk integration was previously available as an installer option. With the
Sentinel 6.1 release, Remedy integration is available separately as an Integrator plug-in and is no
longer included in the Sentinel installer. With the proper license, the Remedy Integrator and
associated Action can be downloaded at the Novell Content Web site (http://support.novell.com/

products/sentinel/sentinel61.html).

3.2 Sentinel Configurations

The following are some typical configurations for Sentinel.

 Section 3.2.1, “Linux,” on page 28

 Section 3.2.2, “Solaris,” on page 29

 Section 3.2.3, “Windows,” on page 29

 Section 3.2.4, “High-Performance Configuration,” on page 29

novdocx (en) 7 January 2010

3.2.1 Linux

Figure 3-1 Sentinel Configuration on Linux

28 Sentinel 6.1 Installation Guide

3.2.2 Solaris

Figure 3-2 Sentinel Configuration on Solaris

novdocx (en) 7 January 2010

3.2.3 Windows

Figure 3-3 Sentinel Configuration on Windows

3.2.4 High-Performance Configuration

The 64-bit JVM*can allocate much more RAM to Sentinel processes than the 32-bit JVM. The
highest Xmx value that can be used by a 32-bit JVM is 1200m, but it is virtually unlimited in a 64­bit JVM. Therefore, a 64-bit JVM is useful if processing requires a lot of RAM and it is available on

Installing Sentinel 6.1 SP2 29

the machine. However, performance testing shows that the 64-bit JVM requires nearly double the
RAM to perform the same tasks as compared to the 32-bit JVM. So using the 64-bit JVM for a
process that does not require this additional RAM wastes memory resources. For example, if a
process was allocated 1200m with a 32-bit JVM, there is no benefit to running that process on a 64­bit JVM unless more than double the amount of RAM is allocated to it. In this example, the amount
must be more than 2400m.

There are several processes that can benefit from having an additional RAM at their disposal
(beyond the 1200m limit of a 32-bit JVM). For example, DAS_RT can hold more Active Views. A
Collector Manager can support more Collectors and Connectors. The Correlation Engine can
support more rules. DAS_Query, DAS_Binary, and DAS_Aggregation can also take advantage of
additional RAM. However, a few processes such as DAS_iTRAC, DAS_Proxy, and Sonic are not
likely to make use of memory beyond the 1200m that is supplied with a 32-bit JVM.

To move all the processes on a machine to use the 64-bit JVM:

1 Stop the Sentinel services. Select Start > Control Panel > Administrative Tools > Services,

right-click Sentinel, then select Stop.

novdocx (en) 7 January 2010

2 Back up the

3 Modify the

 Windows: Set

 Linux: Set

ESEC_HOME/config/configuration.xml

ESEC_JAVA_HOME

ESEC_JAVA_HOME

ESEC_JAVA_HOME

path environment variable to point to 64-bit JVM.

to

%ESEC_HOME%\jre64\bin

to

$ESEC_HOME/jre64/bin

file.

4 Reload the environment variables.

 Windows: Replace

%ESEC_HOME%\lib\x86

with

%ESEC_HOME%\lib\x86_64

in the path

variable.

 Linux: Log out and log in to Sentinel.

5 Open the

6 Modify the

ESEC_HOME/config/configuration.xml

-Xmx<#>m

setting of every process entry in the

file in a text editor.

configuration.xml

file for which

you want to allocate additional memory.

Start by doubling the value that was already there for every process. This is necessary because
of the overhead of the 64-bit JVM as described earlier. Then, for processes that you want to
have additional RAM, modify their values again and choose an even higher number.

7 Save the

configuration.xml

file and open the file in a Web browser to validate the XML

syntax.

8 Start the Sentinel services. Select Start > Control Panel > Administrative Tools > Services,

right-click Sentinel, then select Start.

To move individual processes on a machine to use the 64-bit JVM:

NOTE: On Windows, only the Correlation Engine and Collector Manager can be moved
individually to 64-bit JVM. This limitation exists because other processes use the dynamic link
libraries (DLLs) found in the PATH environment variable, and there is only one PATH environment
variable for both 32-bit and 64-bit processes. Only one type of DLL (32-bit or 64-bit) can appear
first in the PATH. On UNIX, any process can be moved individually to 64-bit.

1 Stop the Sentinel services. Select Start > Control Panel > Administrative Tools > Services,

right-click Sentinel, then select Stop.

2 Back up the

30 Sentinel 6.1 Installation Guide

ESEC_HOME/config/configuration.xml

file.