How to install Control Compliance Suite (CCS) Reporting & Analytics v.10

Article:TECH131944  |  Created: 2010-01-23  |  Updated: 2010-01-07  |  Article URL http://www.symantec.com/docs/TECH131944
Article Type
Technical Solution


Issue






Solution



The installation procedure for CCS v.10 is divided into several parts. Follow the steps below to install CCS Reporting & Analytics v.10.

PART 1: Obtain a copy of the CCS software and licenses
PART 2: Perform a prerequisite check
CCS requires that certain prerequisites are met before installation, including the following:
    1. General deployment considerations include:
      • Each CCS component must be installed in a Windows Active Directory Domain with a domain functional level of Windows Server 2008, Windows Server 2003, or Windows 2000 native mode.
      • CCS has not been certified for use on Windows Server 2008 Server Core Only installations.
      • All CCS components must be installed on the same LAN segment to minimize delays.
      • CCS should not be installed in single-setup mode, or with all components on the same server, unless it is for demonstration or testing purposes in a lab environment.
      • Windows Update or some other patch management method must be used to install the latest operating system patches on any server that will host a CCS component.
      • Each server component must meet minimum hardware requirements as outlined in the CCS Installation Guide.
    2. Install and configure an RMS or ESM Data Provider, or set up an ODBC 3rd-party Data Provider for CCS v.10.
    3. Install SQL Server on the computer that will host the CCS Databases. For more information, see "What versions of SQL Server are certified for use with Control Compliance Suite (CCS) v.10" at http://service1.symantec.com/support/intrusiondetectkb.nsf/docid/2010042308410353.
    4. During a distributed installation, the following are automatically installed by the CCS installation utilities:
      • Visual C++ 2005 and 2008 redistributable framework
      • Microsoft .NET 3.5 SP1 redistributable framework
      • Microsoft SQL Server 2008 management object collection
      • SSL connections from the SQL Servers that host the CCS databases must be installed prior to installing the Application Server
      • Internet Information Server (IIS), with Windows Authentication and Static Content enabled in Windows 2008
      • Crystal Reports 2008 SP1 only for the DPS instance acting in the reporting role
      • ADAM SP1 on the Directory Server
      • Symantec LiveUpdate Client
    5. Confirm that the installation account has the necessary privileges.
      • Directory Server
        • Local Administrator equivalent
        • Domain user account
        • Ability to grant Directory Server rights to other domain accounts
        • Automatically becomes a CCS Directory Server administrator
      • Application Server
        • Local Administrator equivalent
        • Domain user account (if SQL server uses Windows authentication)
        • Ability to grant other domain accounts rights to Directory Server
        • Must have the sysadmin role on SQL server
        • Needs the Directory Service installer credentials
        • NOTE: This account automatically becomes a Directory Server administrator
      • Data Processing Service (DPS)
        • Local Administrator equivalent
      • Web Console Server (installed on the same computer as the Application Server)
        • Requires IIS
        • Local Administrator equivalent
        • Log on as a service right and member of the IIS_WPG group if installing on Server 2003
        • Windows Authentication feature enabled if installing on Server 2008
        • NOTE: Symantec also recommends the use of SSL certificates for web sites.
    6. Confirm that the component service accounts have the necessary rights.
      • In general the component service accounts must be local administrator equivalent accounts to access the digital certificates that are required for secure communications.
      • The service accounts must also be domain accounts to grant other domain accounts access to the CCS components.
      • The account that is used to operate the Directory Server must be a local administrator equivalent and domain user account.
      • The account under which the Application Server runs must also be a local administrator equivalent account on the local host and a domain user account. In addition, the account must have the log on locally privilege on the DPS Reporter host computer, which enables the Application Server to impersonate the DPS Reporter Service Account.
      • The Application Service account is automatically added by the installer to the CCS Administrator role and SQL Server public role on the SQL Server.
      • Also, the accounts used to access the CCS Databases have the db_datareader role set to the CSM_DB production database on the SQL Server.
    7. Configure firewall ports to allow the various CCS components access to each other if necessary. WARNING: Be sure that the CCS Application Server and CCS Directory Server are not separated by a firewall. Refer to the following chart or consult the CCS v.10 Installation Guide for more information about port settings.
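
The account and connectivity requirements in steps 5 to 7 can be checked from a PowerShell prompt on the intended Application Server host before Setup.exe is run. The script below is an added example, not part of the original article or of Symantec's tooling; it assumes PowerShell 2.0 or later is available on the host, that the SQL Server uses Windows authentication, and that `SQLHOST01` is a placeholder for your SQL Server name.

```powershell
# Added example (not Symantec code): pre-install checks for the account that
# will run the CCS Application Server installer. Run it on that server while
# logged on as the installation account.
param(
    [string]$SqlServer = 'SQLHOST01',  # placeholder: host of the CCS databases
    [int]$SqlPort = 1433               # default SQL Server TCP port
)

Add-Type -AssemblyName System.Data
$results = @()

function New-Check($Name, $Pass, $Detail) {
    New-Object PSObject -Property @{ Check = $Name; Pass = $Pass; Detail = $Detail }
}

# Domain user account: a local account reports COMPUTERNAME\user instead.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$authority = $identity.Name.Split('\')[0]
$results += New-Check 'Domain user account' ($authority -ne $env:COMPUTERNAME) $identity.Name

# Local Administrator equivalent. With UAC (Server 2008) this is only true
# when the PowerShell session itself is elevated.
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
$isAdmin = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
$results += New-Check 'Local Administrator' $isAdmin 'current session token'

# TCP reachability of the SQL Server port (the firewall check from step 7).
$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($SqlServer, $SqlPort)
    $open = $tcp.Connected
    $why = 'connected'
}
catch {
    $open = $false
    $why = $_.Exception.Message
}
finally {
    $tcp.Close()
}
$results += New-Check "TCP ${SqlServer}:${SqlPort}" $open $why

# sysadmin role through Windows authentication, which the Application Server
# installation account must hold. IS_SRVROLEMEMBER returns 1 for members.
$connStr = "Server=$SqlServer,$SqlPort;Integrated Security=SSPI;Connect Timeout=5"
$conn = New-Object System.Data.SqlClient.SqlConnection $connStr
try {
    $conn.Open()
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = "SELECT IS_SRVROLEMEMBER('sysadmin')"
    $isSysadmin = ($cmd.ExecuteScalar() -eq 1)
    $why = 'queried as ' + $identity.Name
}
catch {
    $isSysadmin = $false
    $why = $_.Exception.Message
}
finally {
    $conn.Close()
}
$results += New-Check 'SQL sysadmin role' $isSysadmin $why

$results | Format-Table Check, Pass, Detail -AutoSize -Wrap

# A non-zero exit code lets a wrapper script stop before launching Setup.exe.
if ($results | Where-Object { -not $_.Pass }) { exit 1 }
```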

PART 3: Install or upgrade CCS Reporting & Analytics
The installation of CCS must follow a specific sequence and it is assumed that an RMS or ESM Data Provider is configured and fully operational before proceeding. Be sure to follow the prerequisite checklist in PART 2 before continuing with this part.

NOTE: Only CCS v.9.0.1 Reporting & Analytics can be upgraded to CCS v.10. If CCS v.9.0 Reporting & Analytics is installed, the CCS components must be upgraded to CCS v.9.0.1 and meet all minimum system requirements before performing the upgrade to CCS v.10.


Part 3 A: Install the CCS Directory Server
Install the CCS Directory Server and the Certificate Management Console. Part 3 A must be completed before installing any other CCS components.
    1. Copy the installation files from Part 1 to a temporary directory on the server that will host the CCS Directory Server.
    2. Browse to the installation files, then double click Setup.exe. If prompted, click Run to begin the installation.
    3. On the CCS v.10 splash screen, click Reporting & Analytics in the left column then click Reporting & Analytics in the middle of the resulting pane.
    4. If prompted, click Yes to install Windows Installer 4.5 and Visual C++. File extraction for the installation will begin after the required components are installed.
    5. Click "I accept the terms in the agreement" in the End-User License Agreement (EULA) dialog box, then click Next.
    6. Check the box CCS Directory Server in the Select Program Components dialog box, then click Next. Or, to review the prerequisite checklist, click the Details link, then click OK and Next.
    7. Click Next again then click the Add Licenses button in the Licensing dialog box. Browse to the location of the .SLF files provided by Symantec Sales in Part 1.
    8. Select the required SLF files for Reporting & Analytics, then click Open. Click Next. Expand the ADAM tree, then click the Install link. Click OK to begin the installation for ADAM.
    9. Click Next then click OK to create the target installation folder in the Install Product Components dialog box. Or, select an alternate destination directory for the installation, then click Next and OK.
    10. Enter the required information to generate the root certificate in the Certificate Information dialog box, then click Next.
    11. Enter the user account information for the CCS Directory Server in the User Account and Port Information dialog box, then click Next. Use the default ports, or consult the CCS Installation Guide for more information about service ports.
    12. Enter a pass phrase to generate a symmetric key in the Encryption Management Service Pass Phrase dialog box. Click Next.
    13. Click the Export Configuration Details link at the top right, then choose a directory to save the information. Close the dialog box.
    14. Click Install. The CCS installation utility automatically installs the following components:
      • Directory Support Service
      • ADAM SP1 (Server 2003 only - see note below.)
      • Encryption Management Service
      • Certificate Management Console
      • NOTE: If installing the Directory Server on a Windows 2008 computer, ADLDS must be manually installed.
    15. When the installation completes, click the Log Files link at the bottom right. Select all of the files in the ..\Symantec.CSM\Logs\Installs directory. Right click the selected files, then click Send To | Compressed (zipped) folder to compress the files. Save the resulting compressed file to the desktop. Close the Windows Explorer dialog box.
    16. In the Reporting & Analytics Installation Wizard dialog box, check Launch Certificate Management Console, then click Finish to complete the installation.


Part 3 B: Create CCS certificates
Create certificates for the other components including the Application Server and each of the DPSes to be installed.
    1. Before creating certificates, ensure that you have the necessary information.
    2. To launch the Certificate Management Console, click Start | Programs | Symantec Corporation | Symantec Control Compliance Suite | Certificate Management Console.
    3. Click the Create Certificates button at the top.
    4. Select Application Server in the Service Type picklist.
    5. Under Signature Algorithm, click the down arrow to examine the Signature Algorithm selections. Standard installations will use sha1RSA for the signature algorithm type.
    6. Under Key Size, select 2048 for standard installations, or choose a different key size of 3072 or 4096.
    7. Next to NetBIOS Name, click the Browse button. Type the server name that will host the CCS Application Server, then click Ok. If the server name is not resolved, click the Advanced | Find Now buttons to search for the name of the Application Server. Click Ok.
      NOTE: Be sure that the location points to "Entire Directory" when searching for the name of the Application Server.
    8. Beside the Destination Folder field, click Browse to specify a location for the Application Server certificate. The default location is X:\Program Files\Symantec\CCS\Reporting and Analytics\ManagementServices\DefaultCerts, where X:\ is the default installation directory for the Directory Server.
    9. Type a password for the Application Server certificate twice in the Password fields, then click Create Certificate.
    10. When prompted, click Yes to create another certificate.
    11. Select Application Server SSL in the Service Type picklist. All other fields should remain populated. Continue to use the same settings.
    12. Type a password for the Application Server SSL certificate twice in the Password fields, then click Create Certificate.
    13. When prompted, click Yes to create another certificate.
    14. Select DPS in the Service Type picklist. All other fields should remain populated.
    15. Next to NetBIOS Name, click the Browse button. Type the server name that will host the first CCS DPS instance, then click Ok. If the server name is not resolved, click the Advanced | Find Now buttons to search for the name of the Server hosting the DPS instance. Click Ok.
    16. Type a password for the DPS certificate twice in the Password fields, then click Create Certificate.
    17. Repeat the procedure for creating certificates for any additional DPS instances. Otherwise, click No to complete certificate creation.
    18. Examine the results, then close the Certificate Management Console.
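
Before the .p12 files are handed to the Application Server and DPS installers, their contents can be compared against the choices made in steps 5 and 6. The script below is an added example, not part of the original article or of the Certificate Management Console; it assumes PowerShell 2.0 or later on the Directory Server, and the `X:` in the default folder must be replaced with the actual installation drive.

```powershell
# Added example (not Symantec code): summarize each .p12 file created in
# Part 3 B and compare it with the settings chosen in the console.
param(
    # Default certificate folder from the article; replace X: with the real drive.
    [string]$CertFolder = 'X:\Program Files\Symantec\CCS\Reporting and Analytics\ManagementServices\DefaultCerts',
    [string]$ExpectedSigAlg = 'sha1RSA',           # value selected in step 5
    [int[]]$AllowedKeySizes = @(2048, 3072, 4096)  # values offered in step 6
)

function Get-P12Summary {
    param([string]$Path, [System.Security.SecureString]$Password)

    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet
    # Throws a CryptographicException if the password is wrong or the file is damaged.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
        -ArgumentList $Path, $Password, $flags
    try {
        $sigAlg  = $cert.SignatureAlgorithm.FriendlyName
        $keySize = $cert.PublicKey.Key.KeySize
        $asExpected = ($sigAlg -eq $ExpectedSigAlg) -and
                      ($AllowedKeySizes -contains $keySize) -and
                      $cert.HasPrivateKey -and
                      ($cert.NotAfter -gt (Get-Date))
        New-Object PSObject -Property @{
            File          = [System.IO.Path]::GetFileName($Path)
            Subject       = $cert.Subject
            SigAlg        = $sigAlg
            KeySize       = $keySize
            HasPrivateKey = $cert.HasPrivateKey
            NotAfter      = $cert.NotAfter
            AsExpected    = $asExpected
        }
    }
    finally {
        # Release the certificate and the temporary private key container.
        $cert.Reset()
    }
}

$report = foreach ($file in Get-ChildItem -Path $CertFolder -Filter *.p12) {
    # Each certificate was given its own password in the console, so prompt per file.
    $pw = Read-Host -AsSecureString -Prompt "Password for $($file.Name)"
    try {
        Get-P12Summary -Path $file.FullName -Password $pw
    }
    catch {
        Write-Warning "$($file.Name): $($_.Exception.Message)"
    }
}

$report | Format-Table File, Subject, SigAlg, KeySize, HasPrivateKey, NotAfter, AsExpected -AutoSize -Wrap
```

Pass `-ExpectedSigAlg` if a signature algorithm other than sha1RSA was selected in step 5.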

Part 3 C: Install the CCS Application Server & Web Console Server
Install the Application Server and Web Console Server on the Application Server host computer. Several other components are installed with the CCS Application Server, including Technical Standards Packs (TSPs), Regulations and Frameworks Pack, CCS Web Console, and the SymCert Utility. The SymCert Utility is installed with every CCS component to store and manage the certificates on the local computers.

NOTE: Be sure that the Directory Server has been installed before proceeding with installing the CCS Application Server & Web Console Server.
    1. Copy the installation files from Part 1 to a temporary directory on the server that will host the CCS Application Server.
    2. Browse to the installation files, then double click Setup.exe. If prompted, click Run to begin the installation.
    3. On the CCS v.10 splash screen, click Reporting & Analytics in the left column then click Reporting & Analytics in the middle of the resulting pane.
    4. After the installation files are extracted, click "I accept the terms in the agreement" in the End-User License Agreement (EULA) dialog box, then click Next.
    5. Check the box CCS Application Server in the Select Program Components dialog box, then click Next. Or, to review the prerequisite checklist, click the Details link, then click OK and Next.
    6. Review the components to install, then click Next. NOTE: Clear the checkbox for any unlicensed components that require licenses, otherwise the installation will not proceed.
    7. Click Next again then click the Add Licenses button in the Licensing dialog box. Browse to the location of the .SLF files provided by Symantec Sales in Part 1. Provide licenses to activate any missing product components, then click Next.
    8. Review the prerequisite check list. Install any missing prerequisite applications that require manual installation. Otherwise, click Next to continue the installation process.
    9. Click Next then click OK to create the target installation folder in the Install Product Components dialog box. Or, select an alternate destination directory for the installation, then click Next.
    10. Enter the account information for the CCS Directory Server. In the computer name field, type the name of the CCS Directory Server or click the ellipsis [ . . . ] on the right to browse for the CCS Directory Server. Enter the same user credentials used to install the CCS Directory Server, then click Next.
    11. Enter the SQL Server information for the Application Server database. Refer to Part 2 above if a SQL Server has not been set up to host the CCS Reporting & Analytics databases.
    12. Type the name of the SQL Server in the SQL Server name field, or click the ellipsis [ . . . ] on the right to browse for the SQL Server. The default instance will be used if the Instance name field is blank, and the default TCP port number 1433 is already populated. "Use Windows NT Integrated Security" and "Use the same configuration for Reporting Server database settings" are also already selected. Do not check the box Use existing empty database for a new installation. Click Next.
    13. Enter the required information for the Application Server security certificate. To the right of the Certificate location field, click the ellipsis [ . . . ] button. In the left column, double click My Network Places | Entire Network | Microsoft Windows Network | {Domain Name}. Double click the name of the Directory Computer, then open the directory containing the certificates created in Part 3 B. Double click the APPSERVER.p12 certificate, then type the password (decrypt key).
    NOTE: The default location for certificates is X:\Program Files\Symantec\CCS\Reporting and Analytics\ManagementServices\DefaultCerts, where X:\ is the default installation directory on the Directory Server.
    14. Enter the required information for the Application Server SSL security certificate. To the right of the Certificate location field, click the ellipsis [ . . . ] button. Then confirm that the certificate directory is selected in the Look In pick list at the top. Double click the SSL-APPSERVER.p12 certificate, then type the password (decrypt key). Click Next.
    15. Enter a pass phrase to generate a symmetric key, then click Next.
    16. Click the Export Configuration Details link at the top right, then choose a directory to save the information. Close the dialog box.
    17. Click Install. The CCS installation utility automatically installs the following components:
      • SymCert
      • Application Server
      • TSPs
      • Regulation and Framework Content Packs
      • CCS Web Console
    18. Click Finish to complete the installation.

Part 3 D: Install the DPS instance(s)
Install the DPS instance(s). Each DPS instance can act in any combination of the roles load balancer, data collector, evaluator, or reporter. Or, a single DPS instance can act in all of the roles simultaneously. NOTE: Each ESM Manager and each CCS RMS Information Server data provider installed in the enterprise must have a DPS data collector installed.
    1. Copy the installation files from Part 1 to a temporary directory on the server that will host the DPS instance.
    2. Browse to the installation files, then double click Setup.exe. If prompted, click Run to begin the installation.
    3. On the CCS v.10 splash screen, click Reporting & Analytics in the left column then click Reporting & Analytics in the middle of the resulting pane.
    4. Click "I accept the terms in the agreement" in the End-User License Agreement (EULA) dialog box, then click Next.
    5. Check the box CCS Data Processing Service in the Select Program Components dialog box, then click Next. Or, to review the prerequisite checklist, click the Details link, then click OK and Next.
    6. In the Prerequisites dialog box, expand the Microsoft Visual C++ tree, then click the Install link. Click OK to begin the installation for Visual C++. Repeat this step to install Crystal Reports 2008.
    NOTE: Crystal Reports 2008 must be installed on every DPS Reporter instance.
    7. Click Next then click OK to create the target installation folder in the Install Product Components dialog box. Or, select an alternate destination directory for the installation, then click Next and OK.
    8. Enter the required information for the DPS Server security certificate. To the right of the Certificate location field, click the ellipsis [ . . . ] button. In the left column, double click My Network Places | Entire Network | Microsoft Windows Network | {Domain Name}. Double click the name of the Directory Computer, then open the directory containing the certificates created in Part 3 B. Double click the DPS.p12 certificate, then type the password (decrypt key).
    NOTE: A unique certificate is required for each DPS instance. Review Part 3 B for help creating additional DPS certificates.
    9. Click Install. The CCS installation utility automatically installs the following components:
      • Symantec LiveUpdate Client
      • SymCert
      • Data Processing Service
      • Data Collectors
    10. Click Finish.

Part 3 E: Installing optional CCS components
CCS Connector
The CCS Connector is the mechanism through which you plug in external applications such as Symantec Data Loss Prevention (DLP) or third-party applications. Follow these steps to install the CCS Connector.
    1. Copy the installation files from Part 1 to a temporary directory on the server that will host the CCS Connector.
    2. Browse to the installation files, then double click Setup.exe. If prompted, click Run to begin the installation.
    3. On the CCS v.10 splash screen, click Reporting & Analytics in the left column then click Reporting & Analytics in the middle of the resulting pane.
    4. Click "I accept the terms in the agreement" in the End-User License Agreement (EULA) dialog box, then click Next.
    5. Check the box CCS Connector in the Select Program Components dialog box, then click Next. Or, to review the prerequisite checklist, click the Details link, then click OK and Next.
    6. The installation wizard guides you through the remainder of the installation process.

CCS Asset Export Task
The CCS Asset Export Task requires the latest versions of Symantec Installation Manager and Altiris Notification Server 7.
    1. To start the installation, log on to the Altiris Notification Server 7 host, then launch the Symantec Installation Manager.
    2. On the installed products pane, select the option to install new products, then select CCS Asset Export.
    3. Click Review Selected Products. Verify that the correct product was chosen, then click Next.
    4. Click "I accept the terms in the agreement" in the End-User License Agreement (EULA) dialog box, then click Next.
    5. Enter the contact information as required, then click Install. The installation wizard guides you through the remainder of the installation process.

Part 3 F: Configure the system for operation
Configure the system for operation. Register the installed DPS with the Application Server. Specify DPS roles and if appropriate data types to collect, then assign the DPS to the default site or create a new site. Create asset folders or asset reconciliation rules if applicable, then create an asset job to collect, evaluate, and report on assets. Finally, view a report based on the enterprise.

    Initial Tasks
    1. Launch the CCS Reporting & Analytics Console.
    2. Select Go | Settings | System Topology on the main menu across the top.
    3. Click the Default Site, then click Register DPS.
    4. Check the box next to the DPS to register, then click Next.
    5. Check the box next to the Default Site, then click Next. Or, select the user defined sites to assign the DPS to, then click Next.
    6. Select all of the available DPS Roles, then click Next. Or, to assign specific roles, select the corresponding roles, then click Next.
    7. Examine the default selections for reporting synchronization, then click Next. Do not make any changes if configuring a DPS Reporter instance.
    8. Select all the available Data Sources, then click Next.
    9. Review the settings for the new DPS instance, then click Finish.
    10. Click the Change advanced setting for new DPS link. Click Windows - Information Server. Enter the following information for the CCS RMS Information Server in the respective fields:
      • Machine name: Computer hosting the CCS RMS Information Server
      • Domain: Domain name where the CCS Service Account is located
      • User: CCS Service Account name
      • Password: CCS Service Account password
    11. Click Test Credentials, then click Save.

    Assets, Data Collection, and Evaluation Tasks
    An asset collection called RMS Assets is created in this example.
    1. Launch the CCS Reporting & Analytics Console.
    2. Select Go | Manage | Assets on the main menu across the top.
    3. Right click the Asset System folder on the right.
    4. Type the name RMS Assets in the dialog box that appears.
    5. Configure a Reconciliation Rule that will add RMS assets into the RMS Assets folder. Select Asset System | Reconciliation Rules on the Manage Assets menu. Enter the following information:
      • Rule name: Import RMS Assets
      • Rule type: Add Rule
      • Asset type: Windows Machine
    6. Click Next. Click the Add Condition button. Ensure that the "If an asset being imported does not exist in the asset system" condition type is selected, then click OK.
    7. Click the Add Action button. Ensure that the "Add an asset being imported to the specified folder" action type is selected. In the Folder field, browse to the RMS Assets folder, then click Ok. Click Ok again, then click Next.
    8. In the Rule Created Successfully dialog box, click Finish.
    9. Create an asset import job to import assets from the network. Click Assets on the Assets menu. Click Import Assets. In the Name field, type RMS Asset Import Job, then click Next.
    10. In the Create or Edit Asset Import Job dialog box, enter the following information:
      • Asset platform: Windows Platform
      • Asset type: Windows Machine
      • Data collector: Default
    11. Click Next, then click the ellipsis [ . . . ] button. Clear the Windows domain check box and check the Site check box. Click Ok.
    12. Click the Sites folder in the left column, then highlight the Default Site. Click Add. Click Ok.
    13. Click Next, then click Add Rules. Highlight Import RMS Assets. Click Add, then click Ok.
    14. Click Next twice. Check the Run Now box, then click Next.
    15. Review the summary information, then click Finish, then click OK to run the Asset Import Job.
    16. Monitor the status of the job to be sure it completes successfully. Click Monitor | Job on the button bar across the top. When the status completed appears, the Asset Import Job is finished.

    A Collection-Evaluation-Reporting job is created in this example.
    1. Click Manage | Asset System on the button bar across the top.
    2. Mark the assets on which to run the job. Check the boxes next to the assets in the middle column.
    3. On the console view menu across the top, click Global Tasks | Run Collection-Evaluation-Reporting.
    4. In the name field, type Collection-Evaluation-Reporting, then click Next.
    5. Select the standard against which to evaluate the assets. Expand Predefined | Windows. Highlight the standard in the column on the right, then click Add. Click Next.
    6. In the Select Report Templates dialog box, check the box Generate reports for this evaluation result.
    7. Expand Predefined, then highlight the report to run. Click the Define Scope and Add Template button.
    8. Enter the report name, then click Save. Click Next four times to run the job now.
    9. Examine the summary information, then click Finish. Click OK.
    10. Monitor the status of the job to be sure it completes successfully. Click Monitor | Job on the button bar across the top. When the status completed appears, the Collection-Evaluation-Reporting Import Job is finished.
    11. To view the report, click the Reporting button on the console view menu at the top. Right click the report, then click View on the menu.

    Dashboard & Reporting Tasks

    For more information about Entitlements, Reports, & Dashboard tasks or for Response Assessment Module (RAM) Policy Configuration tasks, refer to the Symantec Control Compliance Suite User or Installation Guides. Documentation for CCS is available online at http://www.symantec.com/business/support/all_products.jsp.





Legacy ID



2010042311115953

