The Symantec Control Compliance Suite 9.0 for Reporting and Analytic SP1 (Symantec_Control_Compliance_Suite_DC_9.0.1_Win.exe) Prerequisites

Article:TECH123159  |  Created: 2010-01-11  |  Updated: 2011-12-29  |  Article URL http://www.symantec.com/docs/TECH123159
Article Type
Technical Solution


Issue





 


Solution




Prerequisites for installing Control Compliance Suite 9.0.1

Before you install Control Compliance Suite 9.0.1, you must ensure that your
infrastructure meets the suitable requirements.

** Note: You must close all remote consoles before you upgrade to Control Compliance Suite 9.0.1 **

The prerequisites to install Control Compliance Suite 9.0.1 are as follows:
 

  • Before you install Control Compliance Suite 9.0.1, you must make a backup of

all the computers where the product databases and the components are installed.
 

  • Ensure that the same user who installed Control Compliance Suite9.0 or the user who is assigned the

CCS Administrator role, installs the Control Compliance Suite 9.0.1.
 

  • Ensure that you have installed Data Collection and Reporting and Analytics 9.0 components.
  • Ensure that no scheduled jobs are running to collect data from the RMS

infrastructure when upgrading the Data Collection components to 9.0.1.
 

  • Ensure that you install Control Compliance Suite 9.0.1 in the following order on the product components:
    • CCS Directory Support Service (DSS)
    • CCS Application Server
    • Data Processing Service
    • Web Portal
  • You must avoid parallel installation of Control Compliance Suite 9.0.1 on two

components such as DSS and Application Server.
 

  • To maintain the transaction logs, ensure that the hard disk space on the

reporting database computer is more than 100GB. The logs can increase in
size during the upgrade of the CCS Application Server component.
 

  • After installing Control Compliance Suite 9.0.1, we recommend that you run

the Scheduled Reporting Database Synchronization job before running any
other jobs.
 

  • We recommend that you run the utility, DBTuner

(Symantec.CSM.Reporting.DBTuner.exe) immediately after installing Control
Compliance Suite 9.0.1. This utility builds the required index on the
CSM_Reports database to improve the performance of the Reporting module.

System requirements

The following notes describe the system requirements for Control Compliance
Suite 9.0.1.

Required network privileges for the Control Compliance Suite infrastructure

The Control Compliance Suite must access your network during installation and
during normal operation. When you install the Control Compliance Suite
components, the account must have certain privileges. In addition, the accounts
that you supply for the Control Compliance Suite to use must have certain
privileges.

Table 2-1 lists the privileges that are required for the account that is used to install
the Control Compliance Suite components.

Table 2-2 Required Component Privileges




Component service accounts must be Local Administrator equivalent accounts
to access the digital certificates that are required for secure communications. In
addition, the service accounts must be Domain accounts to grant other Domain
accounts access to the Control Compliance Suite components.
You must also use the SetSpn tool to create Service Principal Names (SPN) for the
Directory Support Service and the Application Server service. Finally, you must
enable delegation for the account that is used by the Application Server.
For more information about Service Principal Names and delegation, see the
Symantec Control Compliance Suite Installation Guide.

____________________________________________________________________________________________

Note: You should set up the Microsoft SQL Agent Service as a local system account.
If you use a domain account, then the account must be assigned to the sysadmin
role for the Microsoft SQL Server. In addition, you must add the account to the
group SQLServer2005SQLAgentUserComputer_NameInstance_Name.

_____________________________________________________________________________________________

Control Compliance Suite infrastructure requirements

The Control Compliance Suite components have minimum requirements for
hardware and software. Symantec recommends that you do not install the Control
Compliance Suite on any computers that do not meet these requirements.
You must ensure that the computers that you use for your Control Compliance
Suite deployment meet the following minimum requirements:
 

  • Control Compliance Suite server requirements

See “Control Compliance Suite server requirements” on page 18.
 

  • Control Compliance Suite client requirements

See “Client requirements” on page 21.

In addition to these minimum requirements, each component has
recommendations to ensure the highest performance. Some recommendations
vary with the size of the deployment.

Control Compliance Suite server requirements

You must ensure that the computers that host the Control Compliance Suite
infrastructure components meet the minimum requirements. These requirements
are for a minimum system, and are sufficient only to run the components and
experiment with a limited test environment. Before you plan your Control
Compliance Suite deployment, review the component recommendations
individually.
For a minimum system in a lab setting, you can install all components on one or
two servers. If you do so, Control Compliance Suite performance diminishes. Any
production Control Compliance Suite deployment should plan for separate servers
for separate roles.
In addition to these minimum requirements, each component has
recommendations to ensure the highest performance. Some recommendations
vary with the size of the deployment. In particular, multiple SQL Servers are
normally used to host the databases.
These server requirements do not take into account the needs of the data collector
deployments that collect data from the network.

_________________________________________________________________________

Note: You must deploy the Control Compliance Suite Application Server and
Directory Server in a Windows Active Directory domain. You should deploy the
Data Processing Service in an Active Directory domain, although you can deploy
the service in a Windows workgroup when required.

__________________________________________________________________________

The domain where you install the Application Server and the Directory Server
must be a Windows Server 2003 or a Windows Server 2008 domain.
The functional level of the domain can be any of the following:
 

    • Windows Server 2008
    • Windows Server 2003
    • Windows 2000 native

The Control Compliance Suite has not been validated on Windows Server 2008 "Server Core only" installations.

Table 2-3 contains the minimum requirements for each component.

Table 2-3 Control Compliance Suite server requirements





If .NET is not installed, the Control Compliance Suite installer prompts you to
install it.

_______________________________________________________________________________

Note: The %temp% folder drive must have at least 700 MB free during the
installation of any Control Compliance Suite component. The installer deletes the
files that are created in the %temp% folder when the installation is complete.
The %temp% folder is normally on the C:\ drive. In addition, the installer places
a copy of the installation files in a media cache folder. On Windows Server 2003
computers, the media cache folder is C:\Documents and Settings\All
Users\Application Data\Symantec\Symantec Control Compliance Suite -
R and A\MediaCache.OnWindows Server 2008 computers, the media cache folder
is C:\ProgramData\Symantec\Symantec Control Compliance Suite - R and
A\MediaCache. These files require approximately 750 MB.

_________________________________________________________________________________

The computers that host the following components must be in the same LAN
segment:
 

    • Application Server
    • Directory Server
    • Data Processing Service Load Balancer
    • Data Processing Service Evaluator
    • Data Processing Service Reporter
    • Control Compliance Suite Production database
    • Control Compliance Suite Reporting database
    • Control Compliance Suite Evidence database
    • Control Compliance Suite Web Portal

Client requirements

Before you install the Control Compliance Suite clients, you must ensure that the
target computers meet the minimum requirements.
Table 2-4 contains the minimum requirements for the Control Compliance Suite
clients.



The Control Compliance Suite has not been validated on Windows Server 2008
"Server Core only" installations.
You must ensure that the connection between the Control Compliance Suite and
the Application Server has at least 256 kbps of bandwidth.

Microsoft Office and the Microsoft Office Primary Interop Assembly are required
to import Microsoft Word documents as policies. You can use Microsoft Office XP
or Microsoft Office 2003.
The Control Compliance Suite dashboards require the Adobe Flash Player.
You can download the Adobe Flash Player Installer from the Adobe Web site.
http://www.adobe.com/products/flashplayer/
To create user-defined reports, you must install Crystal Reports Developer 2008,
part of the third-party Crystal Reports 2008 product. Crystal Reports Developer
is required only on the Control Compliance Suite client that you use to create the
user-defined reports.

RMS data collector requirements

Before you install the RMS data collector components, you must ensure that the
computers that you select for the installation meet the minimum requirements.
If you install multiple components on the same computer, the requirements for
all of the installed components must be met.
When you plan the RMS deployment, assume one RMS Information Server for
every 2000 nodes that you want to monitor in the Control Compliance Suite.

_______________________________________________________________________

Note: The installer places a copy of the installation files in the media cache folder.
On Windows Server 2003 computers, the media cache is in C:\Documents and
Settings\All Users\Application Data\Symantec\ Symantec Control
Compliance Suite 8.50 - Data Collection\MediaCache. On Windows Server
2008 computers, the media cache is in C:\ProgramData\Symantec\Symantec
Control Compliance Suite - R and A\MediaCache. These files require
approximately 1.2 GB.

_______________________________________________________________________


RMS Console requirements

Your RMS data collector deployment requires at least one RMS Console and a
single RMS Information Server. If you install multiple RMS Consoles, then the
additional RMS Consoles can be installed on a computer without any other RMS
components. If you install a Console and Information Server on the same computer,
the computer must meet all of the listed system requirements.
Before you install theRMSConsole, make sure that your workstation environment
and network environment meet the following minimum requirements:

Hardware

Pentium II 450 MHz
256 MB RAM
1000 MB of free disk space
SVGAmonitor that supports 256 colors with the display set to 800x600
pixels or greater

Software

Microsoft Windows 2000 SP4 (server or workstation)
Windows XP Professional SP1
Windows Server 2003 or later
Microsoft Internet Explorer 5.5 SP2 or later
Microsoft Outlook 2000, Novell GroupWise 5.5, Lotus Notes 5.0, or
Lotus Domino (only required for emailing export files)
Microsoft Excel (required for Excel (using OLE) export files)
Client for Microsoft Networks

Information Server requirements

Your RMS deployment requires a single Information Server. The Information
Server must also have a copy of the RMS Console installed. Before you install the
Information Server, make sure that your computer and your network environment
meet the following minimum requirements:
Pentium III 800 MHz
512 MB RAM
1500 MB of free disk space
Hardware
Microsoft Windows 2000 SP4 (server or workstation), Windows XP
Professional SP1, or Windows Server 2003 or later
A Local installation of SQL Server 2005 Express SP2 or later, or
Microsoft SQL Server 2005 SP2 or later
Microsoft Internet Explorer 5.5 SP1 or later
Microsoft Outlook 2000, Novell GroupWise 5.5, Lotus Notes 5.0, or
Lotus Domino (only required for emailing export files)
Microsoft Excel (required for Excel (using OLE) export files)
Client for Microsoft Networks

Note: For enhanced security, performance, and to simplify installation, only a
local SQL Server is supported. The Control Compliance Suite 9.0.1 supports only
the default instance of the SQL Server. Named instances are not supported.


bv-Control for Windows requirements

TheRMSdata collector uses the bv-Control for Windows snap-in module to collect
data from Windows computers. When you use bv-Control for Windows, you must
install additional components to perform the actual data collection from your
network.
The individual components have the following requirements:

Enterprise Configuration Service;
Pentium III 600 MHz
128 MB RAM
300 MB of free disk space
Microsoft Windows 2000 SP3 (Server or
Professional), Microsoft Windows
XPProfessional, Microsoft Windows Server
2003, or later

Query Engines

Pentium III 600 MHz
256 MB RAM
500 MB of free disk space
Microsoft Windows 2000 SP3 (Server or
Professional), Microsoft Windows
XPProfessional, Microsoft Windows Server
2003, or later
Microsoft Internet Explorer 5.0 or later

Support Service
32 MB RAM
Microsoft Windows 2000 SP3 (Server or
Professional), Microsoft Windows
XPProfessional, Microsoft Windows Server
2003, or later

In large enterprises, the support service may require additional disk space for
last logon data storage.
These minimum hardware requirements are the minimum requirements for the
default installation configuration, and do not reflect the needs of real-world
environments. Actual processor speed and RAM requirements are a function of
the number of simultaneous users. Query engine processor speed and RAM
requirements are a function of the number of agents that the Slave Query Engine
employs.

bv-Control for UNIX requirements

The RMS data collector uses the bv-Control for UNIX snap-in module to collect
data from UNIX computers. The snap-in can operate in both agent-based and
agentless modes. The agentless mode uses software on the Information Server to
collect data from assets. The agent-based mode uses a software agent that you
install on each computer to collect data.
For additional information on using agent-based or agentless data collection in
bv-Control for UNIX, see the bv-Control for UNIX Help.
Make sure the operating systems on all UNIX computers have the latest patches
installed. Consult your UNIX vendor documentation for information on the latest
patches for your operating system.

Note: You must have administrative rights for each computer where you install
the agent.

The bv-Control for UNIX agent installation has the following hardware
requirements:
 

  • Sun SPARCstation 1 or UltraSPARC for Solaris
  • HP 9000 UNIX servers, or HP Visualize UNIX workstations (classes B, C, and J)
  • IBM RS/6000 UNIX workstations and servers
  • Intel or equivalent for Red Hat and SUSE Linux
  • 20 MB disk space
  • TCP/IP network


The bv-Control for UNIX agent installation on the target computer has the
following software requirements:
 

  • Sun Solaris operating environment versions 5.8, 5.9, and 5.10 of both SPARC

   and x86 architecture

  • Red Hat Linux versions 8.0 and 9.0
  • Red Hat Enterprise Linux AS/ES version 3.0, 4.0 and Red Hat Enterprise Linux

   5.0, and 5.0 of Intel Itanium architecture
 

  • Hewlett-Packard HP-UX versions 11.00, 11.11(11iv1), 11.23(11iv2), 11.23

(11iv2) of Intel Itanium architecture, and 11.31 (of both PA-RISC and Itanium
architecture)

  • IBM AIX versions 5.1, 5.2, 5.3, and 6.1
  • SUSE Linux versions 8.2, 9.0, and 9.1
  • SUSE Linux Enterprise Server (ES) versions 9.0, 9.2, 9.3, 10.0, and 10.0 of Intel

Itanium architecture

  • openSSH installed on each UNIX target computer

Because bv-Control for UNIX packages the x86 32-bit package for RHEL and SLES
Itanium platforms, the IA32 emulation layer is required to run the agent.
The following packages must be present on the RHEL Itanium target computers
and SLES Itanium target computers along with their respective dependencies:
 

  • bash-x86
  • coreutils-x86
  • cracklib-x86
  • db-x86
  • glibc-x86
  • Ia32el
  • libgcc-x86
  • libxcrypt-x86
  • ncurses-x86
  • pam-modules-x86
  • pam-x86
  • readline-x86
  • libstdc++-x86


The Ia32el service that is required for query execution must be running on the
target computers before installation of the UNIX agent.
The command to run the service is as follows:
[root@rhel5ita rpm]#
service ia32el status
Intel IA-32 Execution Layer in use
[root@rhel5ita rpm]#

The operating systems that are supported by the target computers in the agentless
registration mode only are as follows:

VMware ESX
The supported versions for the VMware ESX operating system are
as follows:
 

  • Version 3.0
  • Version 3.5


Linux

The supported versions for Linux are as follows:

  • Linux is supported on zSeries of IBM computers
  • Red Hat Linux Advanced Server (AS) 2.1
  • SUSE Linux 8.0 and 8.1
  • SUSE Linux Enterprise Server (ES) 8.1


The architecture that is supported by the operating systems, when configured in
both the agent-based and agentless registration modes is as follows:

AMD Opteron

The operating systems are as follows:

  • Red Hat Enterprise Linux 5.0
  • SUSE Linux Enterprise Server 10.0
  • Sun OS 5.10


bv-Control for Oracle requirements


The RMS data collector uses the bv-Control for Oracle snap-in module to collect
data from Oracle databases. Before you deploy bv-Control for Oracle, you must
evaluate your environment to ensure that your workstations meet the minimum
system requirements for running the product.
To successfully validate credentials in bv-Control for Oracle, you must have the
appropriate permissions on the Information Server, the databases, and the
operating systems.

The bv-Control for Oracle installation has the following system requirements:
 

  • Windows XP Professional SP2 or later or Windows Server 2003 SP2 or later
  • Microsoft Internet Explorer 5.5 SP2 or later
  • 500 MB disk space
  • TCP/IP network


On UNIX hosts, some information that bv-Control for Oracle requires is based on
the underlying UNIX operating system. The bv-Control for UNIX snap-in can collect
the data if the bv-Control for UNIX snap-in is installed. If you do not use
bv-Control for UNIX, you must install the bv-Control for Oracle UNIX agent.

Note: Make sure that the operating systems on all UNIX computers have the latest
patches installed. Consult your UNIX vendor documentation for information on
the latest patches for your operating system.

The UNIX agent for bv-Control for Oracle (UNIX agent) can be installed only on
the computers that meet certain requirements. You must ensure that your
workstation is compliant with the system requirements before you install and
execute the UNIX agents.

Note: You must have administrative rights on the computer where you install the
UNIX agent for bv-Control for Oracle

The UNIX agent for bv-Control for Oracle installation on the target computer has
the following hardware requirements:
 

  • Sun SPARCstation1 or UltraSPARC for Solaris, or x86 Solaris
  • HP9000 UNIX servers, HP Visualize UNIX workstations (classes B, C, and J)
  • IBM RS/6000 UNIX workstations and servers
  • Intel or equivalent for Red Hat and SUSE Linux
  • 20 MB disk space
  • TCP/IP network


The UNIX agent installation on the target computer has the following software
requirements:
 

  • Sun Solaris Operating Environment 5.8, 5.9, and 10
  • Red Hat Linux 8.0 and 9.0
  • Red Hat Linux Advanced Server (AS) 2.1, and Red Hat Enterprise Linux AS/ES

version 3.0, and 4.0

  • Hewlett-Packard HP-UX 11.00, 11.11(11iv1), and 11.23(11iv2)
  • IBM AIX 5.1, 5.2, and 5.3
  • SUSE Linux 8.0, 8.1, 8.2, 9.0, and 9.1
  • SUSE Linux Enterprise Server (ES) 8.1, 9.0, 9.2, and 9.3
  • openSSH installed on each UNIX target computer
  • xterm terminal on each UNIX target computer


You must address some additional requirements to install the UNIX agents for
bv-Control for Oracle.

The additional requirements are as follows:
 

  • All UNIX target computers with open SSH installed
  • All UNIX target computers with xterm terminal


The domain of the Windows credentials that are supplied for connecting with the
Oracle server must have a one-way trust with the Information Server domain.
Otherwise, the server is displayed as Unknown during the product configuration.
The credential user needs certain privileges to run queries on database-related
data sources.
For information on specific SELECT privileges to query database-related data
sources, see the bv-Control for Oracle Getting Started Guide.
For Oracle Database Version 9i and later, you can provide the following privileges:

SELECT ANY DICTIONARY

    Allows access to the required data dictionary
    objects.


SELECT ON SYSTEM.PRODUCT_USER_PROFILE

    Allows access to the
    SYSTEM.PRODUCT_USER_PROFILE synonym,
    which is used for reporting in the SQL*Plus
    Security data source.


For Oracle Database Version 8i, you can provide the following privileges:

SELECT_CATALOG_ROLE
 

    Allows access to the required DBA_ views and the
    V$ dynamic performance views

SELECT ON SYSTEM.PRODUCT_USER_PROFILE
 

    Allows access to the
    SYSTEM.PRODUCT_USER_PROFILE synonym,
    which is used for reporting in the SQL*Plus
    Security data source.

Note: Oracle 8i does not have SELECTANYDICTIONARY privilege, and the SELECT
ANY TABLE PRIVILEGE is not useful if O7_DICTIONARY_ACCESSIBILITY is set
to false.

The following privileges grant access to the dictionary objects that are required
for reporting on the Database Audit Trail data source:

  • SELECT ON SYS.OBJAUTH$
  • SELECT ON SYS.OBJ$
  • SELECT ON SYS.USER$
  • SELECT ON SYS.COL$
  • SELECT ON SYS.TABLE_PRIVILEGE_MAP


For Oracle 8i, you must grant the SELECT privileges on individual data dictionary
objects because Oracle 8i does not support the SELECTANYDICTIONARY privilege.
Also, the SELECT ANY TABLE privilege does not allow access to data dictionary
objects when the O7_DICTIONARY_ACCESSIBILITY parameter is set to FALSE.
bv-Control for Oracle normally does not require the Oracle Client to be installed
on the Information Server. The Oracle client must be installed with Oracle
Advanced Security that is enabled only in the case that network data encryption
is required.
For more information on configuring Network Data Encryption, see the bv-Control
for Oracle Help.

bv-Control for Microsoft SQL Server requirements
The RMS data collector uses the bv-Control for Microsoft SQL Server snap-in
module to collect data from Microsoft SQL Server databases. Before you install
bv-Control for Microsoft SQL Server, ensure that your workstation and SQL Server
environment meet the minimum requirements to run the product.
In addition to the general system requirements for the Information Server, your
Information Server should have a minimum of 1 GB RAM.
bv-Control for Microsoft SQL Server can query and report on various versions of
the Microsoft SQL Server.
The bv-Control for Microsoft SQL Server snap-in supports the following Microsoft
SQL Server platforms:
¡ Microsoft SQL Server Desktop Edition 1.0 and 2000
¡ Microsoft SQL Server Standard Edition 7.0, 2000, and 2005
¡ Microsoft SQL Server Personal Edition 2000
¡ Microsoft SQL Server Enterprise Edition 7.0, 2000, and 2005
¡ Microsoft SQL Server Developer Edition 2000 and 2005
¡ Microsoft SQL Server Workgroup Edition 2005
¡ Microsoft SQL Server Express Edition 2005 (the auditing feature is not
supported)

Note: To query against Microsoft SQL Server 2005, you must install the SQL
Distributed Management Object component, SQLDMO.dll, on the Information
Server. You can install the component either separately or from the
CCS_DataCollection\Redist folder on the product disc.


Certain minimum rights are required for querying against the data sources. You
specify the credentials that meet these minimum rights in the Credentials
Database.
The following minimum user rights are required to query the SQL Server:
¡ The user credentials for Windows or SQL Server that are supplied for
connecting to the SQL Server must be a user for the SQL Server. Otherwise,
the credential verification in bv-Control for Microsoft SQL Server fails.
¡ User credentials for Windows or SQL Server that are supplied for connecting
to the SQL Server must have read rights on the master database. This master
database must belong to the SQL Server that is queried. Otherwise, the
credential verification in bv-Control for Microsoft SQL Server fails.
¡ For a query on a particular database on the SQL Server, the read rights are
required on that database.
The product supports queries for the target SQL Servers in an untrusted domain.
You should use SSL to encrypt application traffic between the Information Server
and the target SQL Server. The bv-Control for Microsoft SQL Server functionality
does not require SSL communication to be enabled. The product works seamlessly
with the encrypted or non-encrypted protocols to communicate with the SQL
Server. The communications preferences are set in the SQL Server client
configuration. You should also ensure that your SQL Server is patched
appropriately and regularly for any vulnerabilities that are related to the open
SQL port.
When you use SQL audits, you may configure bv-Control for SQL Server to collect
only the required information. SQL audits can generate large data sets. The large
data sets can have an impact on the disk space requirement or the network
bandwidth requirements. In addition, the amount of data might degrade SQL
Server performance

ESM data collector requirements
Before you install the ESM data collector components, you must ensure that the
computers that you select for the installation meet the minimum requirements.




 



Legacy ID



2010021111373253


Article URL http://www.symantec.com/docs/TECH123159


Terms of use for this information are found in Legal Notices