HP ArcSight ESM Customer Checklist v1.1_1
- Pavan Raja

- Apr 8, 2025
Summary:
The document titled "HP ArcSight ESM Customer Kit" serves as a comprehensive guide to assist customers in deploying HP's ArcSight Event Manager (ESM) system with Oracle databases. It provides detailed information on various aspects including disk layout, database instance setup, user accounts, SSL certificates for secure communication, email notifications, authentication methods, SmartConnectors, and network connectivity requirements.
### Key Points from the Document:
1. **Disk Layout**:
   - The HP ArcSight database requires multiple disk volumes (3-4) or LUNs to store its events database.
   - Disk size depends on factors like event rate, retention period, number of users, and assets.
   - Oracle’s S.A.M.E configuration or stripe and mirror setup is recommended for optimal performance.
   - RAID levels such as RAID 0+1 or RAID 10 are suggested based on fault tolerance requirements.
2. **Database Instance**:
   - The database should run in Archive Redo Log mode for warm backups.
   - Assign a name to the database instance, and configure Online and Redo volumes with RAID 0+1 or RAID 10.
3. **User Accounts**:
   - Use a non-administrative user account for managing HP ArcSight Manager installation.
   - This user should have a home directory with installation files easily accessible.
   - Obtain a valid license key from HP’s Software License Portal and install it securely.
4. **SSL Certificates**:
   - All communication between components like managers and connectors is encrypted using SSL technology.
   - The manager generates a key pair during setup, which is signed with a CA chosen by the user.
   - Choose CN (Common Name) as the name of the Manager; update hosts files if DNS resolution isn't available.
5. **Email Notifications**:
   - HP ArcSight systems can send warnings or both warnings and informational emails based on system health events.
   - Provide either notification or escalation email addresses depending on the event severity.
6. **Authentication Methods**:
   - Options include Active Directory, LDAP, and RADIUS.
   - Choose the correct type and obtain necessary configuration parameters before implementation.
7. **SmartConnectors**:
   - Ensure proper network connectivity between SmartConnectors and receiving devices based on their specific requirements.
   - If multiple SmartConnectors are planned for one server, add up the expected events from all Connectors in the Connector Appliance Hardware Specification table.
### Summary

The document provides a detailed setup guide for deploying HP ArcSight with Oracle databases, focusing on aspects such as disk layout, database configuration, user account management, secure communication, email notifications, authentication methods, and SmartConnectors. It also includes references to other relevant HP ArcSight documentation for further guidance.
Details:
The provided text outlines the structure and purpose of a comprehensive document titled "HP ArcSight ESM Customer Kit," which serves as an essential resource for customers deploying HP's enterprise security management solution, ArcSight Enterprise Security Manager (ESM). This kit is designed to aid in deployment planning discussions by facilitating the gathering of necessary information before the onsite consultation with a professional services consultant from HP.
The document begins with a "Welcome" section that sets the stage for its contents, explaining that it aims to gather essential information and identify tasks required prior to the consultant's arrival. It also emphasizes that this initial document is not exhaustive but serves as a foundational framework for the broader deployment planning process. The kit includes various sections such as support and download checklist, platform preparation, network preparation, database considerations, manager considerations, smart connector considerations, and an appendix with detailed HP ArcSight documentation.
Each section within the document provides specific guidance and checklists to help customers prepare for a successful implementation of ArcSight ESM, covering areas like general platform setup, database management, software licensing, SSL configurations, event retention policies, and more. This comprehensive approach ensures that all necessary elements are considered before the professional services team arrives on-site, thereby streamlining the deployment process and potentially reducing complexity or issues encountered during the implementation phase.
The document provides essential resources and instructions for planning the installation and administration of HP ArcSight, a software suite used for security information and event management. It includes several key components designed to assist users in understanding and implementing the product effectively:
1. **Documentation Structure**:
   - A planning worksheet formatted with entry-fields and pull-down menus is provided at the start, which guides users through tasks required before installation.
   - The document is organized with sections that cover various aspects of the HP ArcSight components including Connectors, Console, Database, Manager, and Web Server.
   - Each section in the Table of Contents is hyperlinked to its corresponding detailed explanation within the document.
2. **Usage Recommendations**:
   - For beginners or those unfamiliar with the product, it is recommended to read the entire document before starting the planning worksheet.
   - Experienced users can directly proceed to the planning worksheet.
3. **Documentation Submission**:
   - Users are advised to work with their HP Services point of contact to complete the planning worksheet.
   - Once completed, the worksheet should be returned to this contact for review and further action.
4. **Technical Specifications and Conventions**:
   - The term "HP ArcSight components" refers to all interconnected parts including Connectors, Console, Database, Manager, and Web Server.
   - System-related information such as file names or operating system modules are presented in Courier New font for clarity.
   - Italic text is used to emphasize important points within the text.
   - Specific notes indicate that certain sections of the document do not apply to Abbvie due to their specific software version (highlighted in blue).
This comprehensive approach ensures that users have a clear and structured guide to follow when setting up and planning for HP ArcSight, tailored to both new and experienced users.
This document outlines the setup and configuration process for HP ArcSight, including specific details about notifications, user authentication, smart storage configuration, software downloads, connectors, consoles, manager, web server, and Oracle database software if applicable. It emphasizes confirming access to specified web sites, downloading appropriate installer packages based on intended operating systems, and seeking assistance from the account manager for any difficulties encountered during setup or access issues.
This summary provides an overview of preparing platforms and networks for deploying the HP ArcSight product suite. It emphasizes the importance of ensuring compatibility with each component by referring to the 'Product and Platform Lifecycle' document. The preparation includes downloading and uploading software packages from the HP ArcSight software download site, followed by specific IP addressing considerations for network server components such as the Database server and Manager server. Additionally, it details communication protocols and port usage across various components like Web servers and databases. Finally, a sample network diagram is referenced to visually understand the integration of the entire suite.
The text outlines essential steps and considerations for installing HP ArcSight components within an existing network. It emphasizes meeting specific access requirements to ensure smooth communication between all components including the Manager, Database, and Web Server. Installation should follow a particular order due to component dependencies: first, install the HP ArcSight Database (including Oracle), then the HP ArcSight Manager, followed by HP ArcSight SmartConnectors and ArcSight Consoles (not necessarily in that order). The Web Server will be installed last.
The document also highlights database considerations such as storage requirements and event retention policies, which may need to be adjusted based on factors like the volume of incoming events, maximum event rates, and online data retention periods. It advises referring to detailed guidelines in the HP ArcSight Administrator’s Guide for Oracle deployments when planning the Database setup.
Lastly, the text provides a basic overview of how storage needs for the database are determined by the amount of received event data, expected peak rates, and desired retention periods. It includes a table that maps out storage requirements based on 1 TB capacity, suggesting feasible configurations depending on these factors.
The text discusses several aspects related to setting up an HP ArcSight system with specific configurations for disk volumes and user accounts, as well as considerations for software licensing and installation.
1. Disk Layout: The HP ArcSight database needs multiple disk volumes (3-4) or LUNs to store its events database, whose size depends on factors like event rate, retention period, number of users, and assets. It recommends using Oracle’s S.A.M.E or stripe and mirror configuration for optimal performance, with RAID levels such as RAID 0+1 or RAID 10 depending on fault tolerance requirements.
2. Database Instance: The database should run in Archive Redo Log mode to perform warm backups, and a name should be assigned to the database instance. RAID 0+1 or RAID 10 is recommended for Online and Redo volumes for better performance.
3. User Accounts: A non-administrative user account should manage the HP ArcSight Manager installation and run it securely. This user should have a home directory, with installation files easily accessible within this directory. Additionally, software licensing requires obtaining a valid license key from HP’s Software License Portal (http://www.hp.com/software/licensing), downloaded as a .zip file without extracting its contents.
The text discusses the configuration and usage of SSL certificates in HP ArcSight management tools. It explains that all communication between components like managers and connectors is encrypted using SSL technology. The manager generates a key pair during setup, which it then signs with a certificate authority (CA) chosen by the user, returning the CA's certificate in Base64 format for verification.
The article also details different types of SSL certificates available to the manager, each providing an equivalent level of data security regardless of their method of signing. It provides a table listing these options and their respective pros and cons, advising users to choose based on their environment. The CN (Common Name) in the certificate should be chosen as the name of the Manager; if DNS resolution isn't available, updates must be made to hosts files across all components like Connectors, Consoles, and Web Servers for access by that name.
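The hosts-file requirement above can be checked before the certificate is issued. The following is an added example, not taken from the HP ArcSight documentation: it parses each component's hosts file and reports whether the Manager's certificate CN maps to the Manager's address. The host name, addresses and component names are constructed sample values.

```python
import ipaddress

def parse_hosts(text):
    """Return {lowercased name: set of IP strings} from hosts-file text."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop comments
        fields = line.split()
        if len(fields) < 2:
            continue                            # blank or name-less line
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue                            # malformed address: skip line
        for name in fields[1:]:                 # canonical name plus aliases
            table.setdefault(name.lower(), set()).add(ip)
    return table

def check_manager_name(manager_cn, manager_ip, hosts_by_component):
    """Map each component to 'ok', 'missing' or 'mismatch' for the Manager CN."""
    want = str(ipaddress.ip_address(manager_ip))
    result = {}
    for component, text in hosts_by_component.items():
        ips = parse_hosts(text).get(manager_cn.lower())
        if not ips:
            result[component] = "missing"       # name would not resolve here
        elif ips == {want}:
            result[component] = "ok"
        else:
            result[component] = "mismatch"      # stale or conflicting entry
    return result

# Constructed sample data: names and addresses are hypothetical.
SAMPLE = {
    "connector": "127.0.0.1 localhost\n10.0.0.5  esm-mgr.example.com esm-mgr\n",
    "console":   "127.0.0.1 localhost\n# 10.0.0.5 esm-mgr.example.com\n",
    "webserver": "10.0.0.9 ESM-MGR.example.com  # stale entry\n",
}

if __name__ == "__main__":
    report = check_manager_name("esm-mgr.example.com", "10.0.0.5", SAMPLE)
    for component, status in report.items():
        print(f"{component}: {status}")
```

A component reported as `missing` or `mismatch` cannot reach the Manager by the name in its certificate, so SSL host name verification fails there until the entry is corrected.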
Lastly, the text touches upon email notifications capabilities within HP ArcSight systems, which can send warnings or both warnings and informational emails based on system health events. Users need to provide either notification or escalation email addresses, depending on the severity of the event being managed.
This document outlines the configuration details for using an ArcSight system to manage notifications and acknowledgments, along with considerations for authentication and SmartConnectors.
For notification management, the system can be set up to either limit outgoing notifications or also receive acknowledged responses. When configuring this setup, users must provide information about outbound email (including sender ID and SMTP server details) and, if applicable, inbound email (POP/IMAP servers for receiving acknowledgments). They should also include account details such as user IDs and passwords for IMAP or POP3 connections.
Authentication can be internal or external, with options including Active Directory, LDAP, and RADIUS. It is crucial to choose the correct type and obtain necessary configuration parameters before implementation, considering potential planning implications like change control and maintenance windows.
When dealing with SmartConnectors, complete a deployment questionnaire indicating whether they will be installed on the same machine as another Connector. If multiple SmartConnectors are planned for one server, add up the expected events from all Connectors in the 'Events Per Day (x Million)' column of the Connector Appliance Hardware Specification table.
Lastly, this document focuses on devices such as firewalls and IDSs whose logs will be received by HP ArcSight. Ensure proper network connectivity exists between all SmartConnectors and these devices based on their specific requirements.
This document outlines a setup for using an HP ArcSight connector with a specific default installation directory (C:\Program Files\ArcSightSmartConnectors-snort\) and provides references to various HP ArcSight documentation, including manuals like "HP ArcSight 101," "HP ArcSight Product Lifecycle," and "HP ArcSight SmartConnector User’s Guide." Additionally, it suggests that all relevant HP ArcSight documentation is available online for easy access.
