ArcSight Manager Installation
- Pavan Raja

- Apr 8, 2025
Summary:
### Startup and Initialization Process for ArcSight ESM Manager
The initialization process for ArcSight ESM Manager involves several critical steps aimed at setting up the system correctly after potential data loss or during initial setup. The following is a detailed summary of the key stages involved in this process:
#### 1. Starting the ArcSight ESM Manager
The first step is to start the ArcSight ESM Manager based on the database initialization function. This involves launching the software and preparing it for further configuration.
#### 2. Interacting with the Installation Wizard
You will be prompted to interact with an ArcSight Installation Wizard, which requires a session capable of supporting the wizard interface. During this phase, you need to follow the prompts provided by the installation wizard to configure the system settings.
#### 3. Completing Database Initialization
The main task involves continuing and completing the initialization process as directed by the wizard instructions. Ensure that all parameter information responses reflect the specific deployment details, which can be found in Section 2 of the "Installing ArcSight Manager" component documentation. If there are discrepancies between database file sizing and the recommendations from the installation wizard template, refer to the database installation documentation for accurate parameter values used in your system setup.
#### 4. Importing System Tables (Optional)
If a fully operational ESM setup with a viable database and Manager is available, you can import system tables using the manager setup script. This process helps revert the system to a previous state without needing reinstallation of connectors or other components. After importing system tables, complete the task and start the Manager again to resume operations.
#### 5. Connector Re-registration (Optional)
If system tables are imported, connector re-registration is unnecessary as the system has already been restored. This minimizes disruption and ensures a smooth recovery without the need for reinstallation of connectors or other components.
### Summary of Key Points
- **Startup**: The ArcSight ESM Manager starts based on database initialization functions.
- **Wizard Interaction**: Follow prompts to interact with the installation wizard for configuration.
- **Database Initialization**: Complete as directed by the wizard instructions, ensuring parameter information responses reflect specific deployment details.
- **System Tables Import (Optional)**: Import system tables using the manager setup script if available; this helps in reverting to a previous state without reinstallation.
- **Connector Re-registration (Optional)**: Not necessary after importing system tables, as connectors are automatically registered during the restoration process.
### Conclusion
The initialization process for ArcSight ESM Manager is crucial for setting up and managing the system effectively post-recovery or initial setup. Proper adherence to these steps ensures a smooth operation with minimal disruption, maintaining the integrity of the entire infrastructure management framework.
Details:
The document provides a comprehensive guide on how to install or recover the ArcSight ESM Manager, which is crucial for managing the software solution. It outlines five main sections including installing Oracle software, setting up the ArcSight Manager component, initializing the ArcSight Oracle instance, initializing the ArcSight Manager Setup, and importing ArcSight System Tables.
The document also specifies that it will not cover hardware restoration or operating system environment restoration, nor does it address incremental updates or changes post-installation. It focuses solely on the steps needed to establish an operational software installation of the ArcSight ESM Manager, with specific instructions for both a new installation and recovery from various failure scenarios such as database loss, complete database recovery, manager loss, and complete manager recovery.
**Summary of Sections 1 & 2:**
**Section 1 - Installing Oracle Software:**
TJX DBSG installed Oracle 10g 10.2.0 64-bit software via the ArcSight customer support portal download page.
Installation/recovery documentation for Oracle Database software should be referred to for specific instructions.
Assumptions are made that the installation is on an identically provisioned server, and adjustments might be needed if a different configuration is required during recovery.
Prior completion of the ArcSight Database recovery is necessary before proceeding with the documented actions.
**Section 2 - Installing ArcSight Manager Component:**
Describes a basic ArcSight ESM Manager installation on a Linux 64-bit system.
Installation involves setting up a graphical user interface for interaction, requiring enabling remote desktop display capabilities (e.g., using Putty and Xming or Hummingbird and Tectia).
This text describes the process of installing the ArcSight ESM (Enterprise Security Manager) Manager software on a specific mount point for component installations, named /tjx/arcsight_prod/esm/. The installation involves verifying correct information, setting up a manager host name and port, and identifying physical location details. It also notes that this setup is new and specifies the use of a self-signed certificate for security. Additionally, it mentions that the Java Heap Memory Size can be adjusted in configuration files if needed.
ArcSight ESM (Enterprise Security Manager) is a security information and event management solution that uses machine learning to identify threats. The document outlines various details about its configuration and usage:
1. **SSL Certificate**: The self-signed certificate properties have been identified, along with the SSL key store password which is managed by SOC Martin Walsh.
2. **Event Storage**: ArcSight ESM Manager uses Oracle for storing events. A related document titled "ArcSight Recovery Procedure Database" provides detailed information on installing and configuring the Oracle database for this purpose.
3. **Oracle Parameters**: The Oracle arcsight instance user's password is securely stored with SOC Martin Walsh, ensuring access control over sensitive data.
4. **User Administration**: TJX uses ArcSight ESM Manager for account administration through the Console Users Resource. The administrator account and its password are also managed by SOC Martin Walsh.
5. **Software Installation**: TJX has installed all necessary ArcSight ESM Manager foundation packages except for the specific package required for ArcSight Express.
6. **Notification Configuration**: The e-mail address computer_security_incident_response_team@tjx.com is used for notifications, where the From Address can be a descriptive placeholder rather than a valid email address. This setting can be adjusted in the server configuration file /tjx/arcsight_prod/esm/mgr/config/server.properties.
7. **Configuration Flexibility**: The error noted does not need to be resolved during installation; additional configuration can be done once coordination with relevant teams and users has taken place.
This document provides a comprehensive overview of the operational aspects and configurations of ArcSight ESM Manager within TJX, emphasizing security, configuration details, and administrative procedures.
The text outlines steps and considerations for setting up ArcSight ESM (Enterprise Security Manager) Manager on a system, particularly focusing on Unix (Linux) user account setup and configuration details. Key points include:
1. **Notification Acknowledgements**: It mentions that disabling notification acknowledgements is consistent with the previous selection of a "From Address" during email setup. The validity of this address depends on whether notifications are configured for acknowledgement.
2. **Web Server Configuration**: The ArcSight ESM Manager supports user access from both Console and Web resources. A fully qualified web server name should be established, noting that the port (8443) used by the web server must not conflict with the defined infrastructure port.
3. **Vulnerability Assessment**: It is recommended to use vulnerability assessment scanner technology like Rapid7 NeXpose for asset creation. This practice, as mentioned in the TJX case, aids in identifying and addressing potential security vulnerabilities in assets.
4. **Unix User Account**: A specific Unix (Linux) user account should be identified with the necessary rights to execute the /etc/init.d/arcsight_manager script. This account is crucial for managing and running the ArcSight ESM Manager service.
5. **Startup and Initialization**: The final stages of setup involve completing the installation process, establishing an Oracle instance (as part of normal initial setup), and referring to specific recovery procedures for the Oracle database as detailed in other documents.
This summary captures the essential components of setting up ArcSight ESM Manager, emphasizing practical considerations like user access, system security, and technical specifications that are integral to its deployment and operation.
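The web server port and init script points above lend themselves to a pre-flight check before the Manager is started. The following is an added example, not part of the original document or of ArcSight's own tooling: it uses the port (8443) and script path named above, while the `ss -ltn` sample and the second port number in the usage are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original document): pre-flight checks for the
# web server port and the init script named in the list above.

WEB_PORT=8443                               # from the page
INIT_SCRIPT=/etc/init.d/arcsight_manager    # from the page

# Constructed sample of `ss -ltn` output, so the example runs offline.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      50     [::]:8443          [::]:*'

# Succeeds when two configured ports are the same number (a conflict).
ports_conflict() {
    [ "$1" -eq "$2" ]
}

# Reads `ss -ltn` output on stdin; succeeds when a listener already holds $1.
port_listening() {
    awk -v p="$1" '$1 == "LISTEN" { n = split($4, a, ":"); if (a[n] == p) found = 1 }
                   END { exit !found }'
}

# Succeeds when the file is a regular file, executable by its owner, and not
# writable by group or other (init scripts are run as root at boot, so write
# access for anyone else is a privilege-escalation path).
init_script_perms_ok() {
    [ -n "$(find -H "$1" -prune -type f -perm -100 ! -perm -020 ! -perm -002 2>/dev/null)" ]
}

# Demonstration on the constructed data; on a real host, pipe `ss -ltn` instead.
if printf '%s\n' "$SAMPLE_SS" | port_listening "$WEB_PORT"; then
    echo "port $WEB_PORT already has a listener"
fi
if [ -e "$INIT_SCRIPT" ] && ! init_script_perms_ok "$INIT_SCRIPT"; then
    echo "$INIT_SCRIPT: check owner-execute and group/other write bits"
fi
```

Call `ports_conflict "$WEB_PORT" <infrastructure port>` with the port recorded for your deployment; the document does not state that value.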
When there's a risk of losing data in the ArcSight Database Server, you should follow the recovery steps from TJX DBSG Oracle software documentation. After successfully recovering the database server and Oracle operations, it's necessary to initialize the ArcSight database. Here’s how to do it:
1. Start the ArcSight ESM Manager based on the database initialization function.
2. You will interact with an ArcSight Installation Wizard, which requires a session capable of supporting the wizard. This involves setting up a session where you can follow the prompts provided by the installation wizard for configuration.
3. Continue to initiate and complete the ArcSight ESM Manager database initialization process as directed by the wizard instructions. Ensure that parameter information responses reflect the specific deployment details, which can be found in Section 2 of the "Installing ArcSight Manager" component documentation within the same document or from other related sections provided in the installation documentation for your TJX deployment.
4. If discrepancies are detected between database file sizing and the recommendations from the installation wizard template, you will encounter a message popup prompting you to refer to the database installation documentation for accurate parameter values used in the TJX deployment. This ensures that all settings align with the specific requirements of your system setup.
The ArcSight ESM (Enterprise Security Manager) Manager database initialization process is a crucial step in setting up the system after recovering from a database loss or initializing a new installation. This involves completing the setup actions outlined in section 3 and following through with the manager setup script, as detailed in this document.
The process starts by confirming that an appropriate system tables export is available for import; if not, the managersetup script will be used. The ArcSight ESM Manager requires completion of a database initialization before it can operate in a fully restored state. This involves scripting and initialization commands to set up the necessary components.
The manager setup script handles various tasks such as setting up databases, configuring users, and establishing connections with other systems like LDAP servers for authentication purposes. It's important that this process is followed correctly to ensure all aspects of the ArcSight ESM Manager are properly restored or configured.
The ArcSight ESM (Extended System Management) Manager is a software application used for managing and monitoring network infrastructure, applications, and services in real-time. It provides unified visibility into the entire IT environment, including security, operations, and business data sources across heterogeneous platforms and technologies.
The startup process of ArcSight ESM Manager includes several stages, with each stage requiring specific actions to be taken. In this particular scenario, the scripting for setting up the manager continues throughout multiple instances, emphasizing its importance in configuring and initializing the system.
During the setup phase, the application allows users to perform various configurations, including database initialization before proceeding with the main setup process. The ArcSight ESM Manager's startup can now be successfully performed after completing these stages, allowing it to function optimally.
Notably, this stage involves setting up connectors such as SmartConnectors (both appliance and software-based), Loggers, Web interfaces, etc. These components play a crucial role in registering with the new manager. Despite not needing reinstallation, each of these setup scripts must be executed for complete registration with the manager.
The section concludes by mentioning that ArcSight ESM Manager configuration back is an essential part of setting up and managing the system effectively. This implies that proper documentation and adherence to established procedures are crucial for maintaining a smooth operation of the entire infrastructure management framework.
The article discusses how UPS (unknown acronym for "ups know") uses system table exports as a recovery method to minimize investment loss in an Enterprise Security Management (ESM) deployment. A Manager system table export is essentially a database snapshot of the internal configuration, which can be imported back into the Manager to revert to a previous state.
For ArcSight ESM Manager, importing system tables requires a fully operational ESM setup with a viable database and Manager. Once the import process begins, it continues in stages: first, the ArcSight ESM Manager imports system tables; then, it completes the task; finally, the Manager can be started again to resume operations.
The article highlights that after completing this action, connector re-registration is unnecessary, as the system has already been restored. This entire process serves to ensure a smooth recovery and minimal disruption of business operations in case of any issues with the ESM deployment.
