
Symantec™ Enterprise Security Manager IBM DB2 Modules Installation Guide for Windows and UNIX

Version 4.2


Symantec™ Enterprise Security Manager IBM DB2 Modules Installation Guide

The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.

Documentation version: 4.2

Legal Notice

Copyright © 2012 Symantec Corporation. All rights reserved.

Symantec and the Symantec Logo, ActiveAdmin, BindView, BV-Control, and LiveUpdate are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

This Symantec product may contain third party software for which Symantec is required to provide attribution to the third party (“Third Party Programs”). Some of the Third Party Programs are available under open source or free software licenses. The License Agreement accompanying the Software does not alter any rights or obligations you may have under those open source or free software licenses. Please see the Third Party Legal Notice Appendix to this Documentation or TPIP ReadMe File accompanying this Symantec product for more information on the Third Party Programs.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, "Rights in Commercial Computer Software or Commercial Computer Software Documentation", as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.


Symantec Corporation
350 Ellis Street
Mountain View, CA 94043

http://www.symantec.com


Technical Support

Symantec Technical Support maintains support centers globally. Technical Support’s primary role is to respond to specific queries about product features and functionality. The Technical Support group also creates content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates.

Symantec’s support offerings include the following:

■ A range of support options that give you the flexibility to select the right amount of service for any size organization

■ Telephone and/or Web-based support that provides rapid response and up-to-the-minute information

■ Upgrade assurance that delivers software upgrades

■ Global support purchased on a regional business hours or 24 hours a day, 7 days a week basis

■ Premium service offerings that include Account Management Services

For information about Symantec’s support offerings, you can visit our website at the following URL:

www.symantec.com/business/support/

All support services will be delivered in accordance with your support agreement and the then-current enterprise technical support policy.

Contacting Technical Support

Customers with a current support agreement may access Technical Support information at the following URL:

www.symantec.com/business/support/

Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to replicate the problem.

When you contact Technical Support, please have the following information available:

■ Product release level


■ Hardware information

■ Available memory, disk space, and NIC information

■ Operating system

■ Version and patch level

■ Network topology

■ Router, gateway, and IP address information

■ Problem description:

■ Error messages and log files

■ Troubleshooting that was performed before contacting Symantec

■ Recent software configuration changes and network changes

Licensing and registration

If your Symantec product requires registration or a license key, access our technical support Web page at the following URL:

www.symantec.com/business/support/

Customer service

Customer service information is available at the following URL:

www.symantec.com/business/support/

Customer Service is available to assist with non-technical questions, such as the following types of issues:

■ Questions regarding product licensing or serialization

■ Product registration updates, such as address or name changes

■ General product information (features, language availability, local dealers)

■ Latest information about product updates and upgrades

■ Information about upgrade assurance and support contracts

■ Information about the Symantec Buying Programs

■ Advice about Symantec's technical support options

■ Nontechnical presales questions

■ Issues that are related to CD-ROMs, DVDs, or manuals


Support agreement resources

If you want to contact Symantec regarding an existing support agreement, please contact the support agreement administration team for your region as follows:

[email protected] and Japan

[email protected], Middle-East, and Africa

[email protected] America and Latin America

Contents

Technical Support

Chapter 1 Installing ESM DB2 Modules on Windows
    Before you install
    Minimum account privileges
    System requirements
    Installing ESM DB2 module for IBM DB2 database
    About Content Separation
        About the content package folder structure
        Installing the security content on the ESM managers
        Modifying the importcontent.conf file
        About the importcontent utility
        Using the importcontent utility
        Examples of using the importcontent utility
    Silent installation of ESM DB2 module

Chapter 2 Configuring ESM DB2 Modules on Windows
    Configure ESM DB2 module
        Edit the configuration records
    Silent configuration of ESM DB2 module
    Configure IBM DB2 Database by using ESM DB2 Discovery module
    Configuring a new IBM DB2 database
    Configuring IBM DB2 database with generic credentials
    Reusing generic credentials of an IBM DB2 database
    Removing deleted databases

Chapter 3 Installing ESM DB2 Modules on UNIX
    Before you install
    Minimum account privileges
    System requirements
    Installing ESM DB2 module for IBM DB2 database
    About Content Separation
        About the content package folder structure
        Installing the security content on the ESM managers
        Modifying the importcontent.conf file
    Silent installation of ESM DB2 module

Chapter 4 Configuring ESM DB2 Modules on UNIX
    Silent configuration of ESM DB2 Audit Configuration and the ESM DB2 Fix Packs modules
    Edit configuration records of ESM DB2 Audit Configuration and Fix packs modules
    Silent configuration of ESM DB2 module
    Edit configuration records of ESM DB2 module
    Configure IBM DB2 database and instance by using ESM DB2 Discovery module
        Configuring a new IBM DB2 database
        Removing deleted databases
        Configuring a new IBM DB2 instance
        Removing deleted instances

Chapter 5 Uninstalling the ESM DB2 Application module
    Uninstall ESM DB2 Application module
        Running the uninstallation program
        Uninstallation logs
    Silent uninstallation of ESM DB2 module

Chapter 6 Logging DB2 Modules on Windows
    Log functionality on ESM DB2 modules
        Log levels of the messages
        Creating the log level configuration file
        Parameters of the log level configuration file
        Log file
        Format of the log file
        Backup of logs

Chapter 7 Logging DB2 modules on UNIX
    Log functionality on ESM DB2 modules
        Log levels of the messages
        Creating the log configuration file
        Parameters of the configuration file
        Log file
        Format of the log file
        Backup of logs


Chapter 1 Installing ESM DB2 Modules on Windows

This chapter includes the following topics:

■ Before you install

■ Minimum account privileges

■ System requirements

■ Installing ESM DB2 module for IBM DB2 database

■ About Content Separation

■ Silent installation of ESM DB2 module

Before you install

To install the ESM DB2 module, you need the following:

■ Product disc access: At least one computer on your network must have a CD-ROM drive.

■ Account privileges: On each computer where you want to install the ESM DB2 modules, you must use an account that has super user privileges.

■ Connection to the manager: You must verify that the Symantec ESM Enterprise Console can connect to the Symantec ESM manager.

■ Agent and manager: You must ensure that the Symantec ESM agent is running and is registered to at least one Symantec ESM manager.

■ IBM DB2 client: In order to use the DB2 module, the IBM DB2 client and the Symantec ESM DB2 application module should be installed on the agent computer.

■ IBM DB2 client and server: In order to use the host-based DB2 module checks, the IBM DB2 client and the Symantec ESM DB2 application module must be installed on the computer where the DB2 server is located.

Minimum account privileges

In order to use the ESM DB2 Remote module to perform the ESM security checks on IBM DB2 server, the login accounts require the minimum privileges to execute the following commands:

■ Select syscat.dbauth

■ Get database manager configuration

■ Get database configuration for <db>

Note: No specific account privileges are required for the ESM DB2 Audit Configuration and the ESM DB2 Fix Packs modules to work on Windows.

Warning: If you use less than the required privileges for the accounts that the ESM DB2 Application module uses for reporting, then a few checks may not function correctly. As a result the module may not report on a few conditions that you want to be reported on.
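
A pre-flight check for the three commands listed above, as an added example that is not part of the Symantec guide: it runs each command through the DB2 command line processor under the login the module will use and reports any that the account cannot execute. It assumes PowerShell was started from a DB2 command window; the script name, `SAMPLE`, and `esmaudit` are placeholders.

```powershell
# Added example (not Symantec code). Checks that a DB2 login can run the three
# commands the ESM DB2 Remote module needs, using the DB2 command line processor.
# Assumption: PowerShell was started from a DB2 command window (db2cmd), so every
# db2 call below shares one CLP session and the connection persists between calls.
# Example call (placeholder names):
#   .\Test-EsmDb2Login.ps1 -Database SAMPLE -User esmaudit
param(
    [Parameter(Mandatory)] [string] $Database,  # DB2 alias of the database to be checked
    [Parameter(Mandatory)] [string] $User,      # DB2 login the module will be configured with
    [string] $Node                              # optional: node name of a remote instance
)

# CLP return codes: 0 success, 1 no rows returned, 2 warning,
# 4 DB2 or SQL error, 8 CLP system error. Treat 4 and above as failure.

# No USING clause: the CLP prompts for the password, keeping it off the command line.
db2 connect to $Database user $User
if ($LASTEXITCODE -ge 4) { Write-Error "Cannot connect to $Database as $User."; exit 1 }

# Without an attachment, GET DATABASE MANAGER CONFIGURATION reads the local
# (client) instance; attach first to read the remote server's settings.
if ($Node) {
    db2 attach to $Node user $User
    if ($LASTEXITCODE -ge 4) { Write-Error "Cannot attach to $Node as $User."; exit 1 }
}

# One CLP statement per command named in the guide.
$checks = [ordered]@{
    'Select syscat.dbauth'                = 'select grantee from syscat.dbauth fetch first 1 rows only'
    'Get database manager configuration'  = 'get database manager configuration'
    'Get database configuration for <db>' = "get database configuration for $Database"
}

$failures = 0
foreach ($name in $checks.Keys) {
    $statement = $checks[$name]
    $output = db2 $statement 2>&1          # capture output so only the verdict is shown
    if ($LASTEXITCODE -ge 4) {
        $failures++
        Write-Host "FAIL  $name"
        Write-Host ($output | Out-String).Trim()   # DB2 message explaining the failure
    } else {
        Write-Host "OK    $name"
    }
}

if ($Node) { db2 detach | Out-Null }
db2 terminate | Out-Null                   # closes the connection and ends the CLP back end
if ($failures -gt 0) { exit 1 }
```

A `FAIL` line identifies which of the three privileges the account is missing, which is the condition the warning above describes.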

System requirements

Table 1-1 lists the supported IBM DB2 versions and operating systems that the Symantec ESM DB2 application module for Windows can be installed on.

Table 1-1 Supported DB2 versions and operating systems

Supported operating systems  Architecture  Supported OS versions  Supported IBM DB2 versions
---------------------------  ------------  ---------------------  --------------------------
Windows (32-bit)             x86           Windows Server 2008    9.1, 9.5, 9.7, and 10.1
Windows (32-bit)             x86           Windows Server 2003    9.1, 9.5, 9.7, and 10.1
Windows (64-bit)             x64           Windows Server 2008    9.1, 9.5, 9.7, and 10.1
Windows (64-bit)             x64           Windows Server 2003    9.1, 9.5, 9.7, and 10.1

Note: The Symantec ESM Application modules for DB2 are supported only when running checks against the Enterprise Server Edition for the IBM DB2 databases.

Table 1-2 lists the supported IBM DB2 versions and operating systems on which the ESM DB2 module can report remotely.

Table 1-2 Supported DB2 versions and operating systems

Supported operating systems             Architecture           Supported OS versions  Supported IBM DB2 versions
--------------------------------------  ---------------------  ---------------------  --------------------------
Red Hat Enterprise Linux ES (32-bit)    x86                    4                      9.1, 9.5, and 9.7
Red Hat Enterprise Linux ES (32-bit)    x86                    5 and 6                9.1, 9.5, 9.7, and 10.1
Red Hat Enterprise Linux ES (64-bit)    x64                    5 and 6                9.1, 9.5, 9.7, and 10.1
Red Hat Enterprise Linux ES (64-bit)    x64                    4                      9.1 and 9.5
Red Hat Enterprise Linux AS (32-bit)    x86                    4                      9.1 and 9.5
AIX (32-bit)                            RS6K                   5.2                    9.1
AIX (64-bit)                            PPC64                  5.3 and 6.1            9.1, 9.5, 9.7, and 10.1
Sun Solaris                             SPARC                  9 and 10               9.1, 9.5, 9.7, and 10.1
Windows (32-bit, 64-bit, and IA64-bit)  x86, Itanium, and x64  Windows Server 2003    9.1, 9.5, 9.7, and 10.1
Windows (32-bit, 64-bit, and IA64-bit)  x86, Itanium, and x64  Windows Server 2008    9.1, 9.5, 9.7, and 10.1

To install the Symantec ESM Application module for IBM DB2 Databases, you must have the following free disk space:

Table 1-3 Disk space requirements

Agent operating system  Disk space
----------------------  ----------
Windows 2008 (x86)      15 MB
Windows 2008 (x64)      30 MB
Windows 2003 (x86)      15 MB
Windows 2003 (x64)      30 MB

Installing ESM DB2 module for IBM DB2 database

You can install the ESM DB2 module on the ESM agent computer by using the esmdb2tpi.exe.

The installation program does the following:

■ Extracts and installs the module executables.

■ Registers the module binaries to the ESM manager.

Note: You can skip this step if you have already registered the package forother agents that are installed on the same platform.


Running the installation program and registering the files

1 From the product disc, run \\Content_Update\App_Modules\DB2\<module version>\Modules\<architecture>\esmdb2tpi.exe.

2 Choose one of the following options:

Option 1: To display the contents of the package.

Option 2: To install the module.

3 The Do you wish to register the agent to the manager? message appears. Do one of the following:

■ Type a Y, if the files are not registered with the manager.

■ Type an N if the files have already been registered, and skip to Enabling security checking for your IBM DB2 database.

Note: You must register the template and the .m files once for the agents that use the same manager on the same operating system.

4 Enter the host name or IP address of the ESM manager that the agent isregistered to.

5 Enter the ESM login ID to connect to the ESM manager.

6 Enter the password that is used to log on to the ESM manager.

7 Enter the network protocol that is used to contact the ESM manager.

8 Enter the port that is used to contact the ESM Manager. The default port is 5600.

9 Enter the name of the agent that is currently registered with the ESM manager.

Usually, it is the name of the computer that the agent is installed on.

10 The Is this information correct? message appears. Do one of the following:

■ Type a Y, the agent continues with the registration to the ESM manager.

■ Type an N, the setup prompts to re-enter the details of the new manager.

When the extraction is complete, you are prompted to add configuration records to enable the ESM security checking for your IBM DB2 databases.

11 The Do you want to continue and add the configuration records to enable ESM security checking for your DB2 database? [yes] message appears. Do one of the following:

■ Type a Y, to configure the ESM DB2 modules on the agent computer. The installation program reads the existing configuration records and displays them.

■ Type an N, the program installation continues without configuration.

When the extraction is complete, you are prompted to add configuration records to enable ESM security checking for your IBM DB2 instances.

Enabling security checking for your IBM DB2 database

1 The installation displays a list of auto-detected DB2 databases. Choose one of the following:

Option 1: To manually create a new configuration record for an undetected database.

Option 2: To modify or remove an existing configuration record.

Option 3: To exit the configuration.

2 To add a configuration record for the database, do the following:

■ Enter a DB2 Alias\Database name, or press Enter if you are satisfied with the detected alias.

■ Enter the DB2 Node\Instance name.

■ Enter the DB2 database login.

■ Enter the password that is used to log on to the DB2 database.

■ Re-enter the password.

The ESM DB2 module searches for the installation path. If the module is unable to find the installation path, the module reports a Setup is unable to find the Installation Path. Please enter DB2 Installation path. message. Re-enter the correct Installation path.

3 The Is this information correct? message appears. Do one of the following:

■ Type a Y to continue to add a configuration record for this database and enable ESM security check.

■ Type an N to re-enter the connection information.

4 The Do you want to validate the connection with the database? message appears. Do one of the following:

■ Type a Y to connect to a database and validate the connection.

■ Type an N to add the configuration records directly in the configuration file without validating the connection.

5 If the validation fails, the Do you want to add this record to the configuration file message appears. Do one of the following:

■ Type Y to add the record in the configuration file without validating the configuration records.

■ Type N, the program lists all the existing configuration records specified in the DB2module.dat file and prompts you to choose one of the options.

6 After you have created configuration records for each database, the program lists all of the configuration records. Choose one of the following options:

Option 1: To manually create a new configuration record for an undetected database.

Option 2: To modify or remove an existing configuration record.

Option 3: To exit the configuration.

Note: The database connection credentials are stored using the 256-bit AES encryption algorithm.

About Content Separation

Until now, the content that was included in an Application module was first installed on the agents and later through the registration process it was pushed from the ESM agents to the ESM manager.

From this release onwards, two separate content packages are included. The package that contains the module binaries is to be installed on the ESM agent and the other package that contains the security content such as configuration (.m) files, word files, template files, properties files, and report content files (RDL) is to be installed on the ESM managers. A new folder named Content is created on the ESM manager that contains platform-specific data, which the importcontent utility imports.

Note: You are required to run the esmdb2contenttpi.exe installer on the new manager. For the consecutive releases, perform a LiveUpdate to get the latest security content.

About the content package folder structure

The content package folder on the ESM manager contains content files of the Applications modules.

Table 1-4 shows the file types and folder paths of the Application modules.

Table 1-4 File types and folder paths

Content              File type                                Folder path
-------------------  ---------------------------------------  -------------------------------------------------
Application modules  .properties files                        #esm/content/<AppModuleName>/<platform>/config/
Application modules  Security module (.m) files               #esm/content/<AppModuleName>/<platform>/register/
Application modules  Template files                           #esm/content/<AppModuleName>/<platform>/template/
Common               Word files                               #esm/content/words/
Common               Report content file (UpdatePackage.rdl)  #esm/content/ble/<SU_version>/<language>/

Installing the security content on the ESM managers

You can install the security content package on the ESM manager by using the esmdb2contenttpi.exe installer, which is applicable for Windows.

The installation program extracts and installs configuration (.m) files, template files, word files, .properties files, and report content files (RDL).

To install the security content on the ESM managers

1 Download and copy the esmdb2contenttpi.exe installer from the Security Response Web site to the desired location.

2 Choose one of the following options:

Option 1: To display the contents of the package.

Option 2: To install the module.

Note: Before importing the content data for the Application modules, you must ensure that content data for a Security Update (SU) is present on the manager database. Certain features of the Application modules may not function correctly if the Security Update (SU) content data is not already imported to the manager database.

3 The Do you want to import the templates or the .m files? [no] message appears. Do one of the following:

■ Type a Y, if you want to import the templates or the .m files.

Note: Only an ESM administrator or any ESM user who has the permissions to create policies, create templates, and perform remote installation or upgrade can install the content on the ESM manager. The ESM superuser can also install content on the ESM manager as this user has all the permissions. However, Register only users cannot perform this task as they do not have the specified permissions.

The program displays a message to include or exclude the platforms that you want to import. See “Modifying the importcontent.conf file” on page 18.

■ Type an N, if you do not want to import the templates or the .m files. You can skip this step if you want to import the content later. You can import the content by running the importcontent utility.

4 Enter the ESM manager that the agent is registered to.

Usually, it is the name or the IP of the computer that the manager is installed on.

5 Enter the ESM access name (logon name) for the manager.

6 Enter the ESM password that is used to log on to the ESM manager.

7 Enter the port that is used to contact the ESM Manager. The default port is 5600.

8 The Is this information correct? message appears. Do one of the following:

■ Type a Y, the program continues with the installation.

■ Type an N, the setup prompts to re-enter the details of the new manager.

9 The Do you want to import the report content file <UpdatePackage.rdl>? [yes] message appears. Do the following:

■ Type a Y, if you want to import the report content file.

■ Type an N, if you do not want to import the report content file.

When the installation completes, you are prompted to exit.

Modifying the importcontent.conf file

The platforms that you specify in the importcontent.conf file are the platforms that are available to the ESM manager when using the importcontent utility. The importcontent utility only imports the platforms on the ESM manager that are not prefixed with a hash (#).

To modify the importcontent.conf file

1 Go to C:\Program Files\Symantec\Enterprise Security Manager\ESM\config\importcontent.conf.

2 Remove # before the platform that you want to include.

3 Save the file.

4 Go back to esmdb2contenttpi.exe installer and press <return> to continuewith the installation process.

About the importcontent utilityImportcontent utility is a command line utility, used to import the ESM content- IBMDB2 Applicationmodules information to the specifiedmanager. The utilitydisplays the content version on the GUI or on the CLI. The utility is located in thebin folder of the installation directory, along with other ESM Manager binariesin platform-specific folders.

For example,

C:\Program Files\Symantec\Enterprise Security Manager\ESM\bin\w3s-ix86\importcontent.exe

Note: If the importcontent.exe is not found on the manager, then Content TPI package deploys the importcontent.exe in the bin folder.

Using the importcontent utility

You can use the importcontent utility on Windows and Solaris platforms. The utility provides the option of importing security module (.m) files, property (.properties) files, template files, word (.wrd) files, and report content (UpdatePackage.rdl) files for ESM IBM DB2 Application modules. You can use the -f option to force import content related information at a later stage.

Pre-requisites for using the importcontent utility:

■ You must be in the role of ESM administrator.

■ You must have ESM manager installed on the computer on which you are running the importcontent utility.

To use the importcontent utility

1 Install the ESM Manager and Agent using the ESM Suite Installer.

2 At the Windows command prompt, navigate to the platform-specific bin folder, where the importcontent utility is located.

3 Type the following command:

importcontent [-RLrnvfW] [-m manager] [-U user] [-P password] [-p port] [-L app_module_name1, app_module_name2,...] [-a | module_config_file1 [module_config_file2... ]]

The switch options that can be used with the importcontent utility are listed below.

Option  Description
-m      Manager name - the local manager name is used by default.
-U      User name - the ESM user name is used by default.
-P      Password - the ESM user account password.
-p      TCP port number - the port number is 5600 by default.
-a      Import and register all security module (.m) files with the manager.
-R      Import property files (.properties)
-T      Import all templates
-r      Import report content file (UpdatePackage.rdl)
-W      Import word files
-n      Synchronize policies
-f      Force the import of security module information
-h      Write C include file for security module compilation. Note: -h, and -M options can be used only with the -a option.
-M      Write VMS macro file for security module compilation. Note: -h, and -M options can be used only with the -a option.
-v      Set verbose mode, log each action as it is performed.
-F      Log the program finish.

Examples of using the importcontent utility

The following examples are provided for using the importcontent utility:

■ To access the help menu for the importcontent utility, type the following command:
importcontent

■ To import DB2 Application modules, type the following command:
importcontent -L DB2 -U <user1> -P <pwd123> -m <managerXYZ>

Note: The utility requires the application module names to be similar to the folder names created in the <install dir>\content directory.

■ To import templates for DB2, type the following command:
importcontent -T -L DB2 -U <user1> -P <pwd123> -m <managerXYZ>

■ To synchronize policies, type the following command:
importcontent -nv -U <user1> -P <pwd123> -m <managerXYZ> -U <user1> -P <pwd123>

■ To register specific .m files with the manager, type the following command:
importcontent -U <user1> -P <pwd123> -m <managerXYZ> C:\Symantec\ESM\account.m D:\ESM\acctinfo.m E:\abc.m xyz.m

Silent installation of ESM DB2 module

You can use the esmdb2tpi.exe to install the ESM DB2 module silently.

esmdb2tpi.exe -it -m <Manager Name> -U <Username> -p <5600> -P <password> -g <Agent Name> -e

Table 1-5 lists the command-line options for installing the ESM DB2 module silently.

Table 1-5 Options to install the ESM DB2 module silently

Option  Description
-i      Install this tune-up/third-party package.
-d      Display the description and contents of this tune-up/third-party package.
-U      Specify the ESM manager login ID.
-e      Don't launch the module configuration after installation.
-P      Specify the ESM manager password.
-p      Specify the TCP port to connect to the ESM manager.
-m      Specify the ESM manager name.
-t      Connect to the ESM manager by using TCP.
-x      Connect to the ESM manager by using IPX.
-g      Specify the ESM agent name to use for registration.
-K      Do not prompt for re-registration.
-n      No return is required to exit the tune-up package.
-N      Do not update the report content file on the manager.
-Y      Update the report content file on the manager.
-gif    Specify the filename that will contain the encrypted generic credential record
-gof    Specify the filename that should be created with the encrypted generic credentials record.

Chapter 2: Configuring ESM DB2 Modules on Windows

This chapter includes the following topics:

■ Configure ESM DB2 module

■ Silent configuration of ESM DB2 module

■ Configure IBM DB2 Database by using ESM DB2 Discovery module

■ Configuring a new IBM DB2 database

■ Configuring IBM DB2 database with generic credentials

■ Reusing generic credentials of an IBM DB2 database

■ Removing deleted databases

Configure ESM DB2 module

After installing the ESM DB2 module, you can edit the configuration records using the DB2Setup.exe. A configuration record is created for each database alias when you enable security checking during installation.

Note: On Windows, you do not have to configure the ESM DB2 module for the ESM DB2 Audit Configuration and Fix Pack modules to work with the local DB2 database.

Edit the configuration records

You can add, modify, or remove the configuration records for the IBM DB2 databases by using the DB2Setup.exe program. By default, DB2Setup.exe is located in the \\<InstallDir>\ESM\bin\<platform>\ directory.

You can run the DB2Setup.exe with the following options:

Table 2-1 lists the options for configuring the ESM DB2 modules.

Table 2-1 Options for configuring the ESM DB2 modules

Command                                   Task
DB2Setup -h                               Display Help
DB2Setup -c                               Create configuration records for detected IBM DB2 databases.
DB2Setup -a                               Add new configuration records for undetected IBM DB2 databases.
DB2Setup -m                               Modify or remove existing IBM DB2 database configuration records.
DB2Setup -l                               List existing DB2 database configuration records.
DB2Setup -if <file name> -of <file name>  Setup reads from the input file other than default file \\InstallDirectory\esm\config\DB2Module.dat. This option works in collaboration with -of option.
DB2Setup -of <file name>                  Specify a new output file for the IBM DB2 database configuration records. The default file is \\InstallDirectory\esm\config\DB2Module.dat.

Silent configuration of ESM DB2 module

Once the application module is installed, you can use the DB2Setup.exe to add configuration records to the ESM DB2 module silently.

DB2Setup.exe -q -D <Database/Alias name> -I <Instance/Node name> -U <username> -P <password> -X "<InstallPath>" [-V]

Use the following options to configure the ESM DB2 module silently:

Table 2-2 lists the options for configuring the ESM DB2 module silently.

Table 2-2 Options to configure the ESM DB2 module silently

Options  Description
-q       Silently configure the DB2 module.
-D       Specify the database name.
-I       Specify the instance name.
-U       Specify the username.
-P       Specify the password.
-X       Specify the installation path.
-V       Specify to validate the connection to the DB2 database with the given instance name, user name, and password.

Configure IBM DB2 Database by using ESM DB2 Discovery module

The ESM DB2 Discovery module includes four checks that let you automate the detection and configuration of new databases that are not yet configured on the local ESM agent computers. Moreover, the checks also detect the deleted databases and let you remove the deleted databases from the \\Program Files\Symantec\ESM\config\DB2Module.dat configuration file.

Configuring a new IBM DB2 database

To report on the IBM DB2 database you must first configure the IBM DB2 database on an ESM agent computer.

Configuring a new IBM DB2 database manually

1 Run the ESM DB2 Discovery module on the ESM agent computers that have IBM DB2 installed.

The module lists all the new databases that were not previously configured.

2 Select multiple databases and do one of the following:

■ Right-click and select Correction option.
The Correction option configures the databases with custom credentials.

■ Right-click and select Snapshot Update option.
The Snapshot Update option configures the database with generic credentials. Before you select the Snapshot Update option, you should first configure the generic credentials.
See “Configuring IBM DB2 database with generic credentials” on page 26.

Configuring a new IBM DB2 database automatically

1 Enable the check Automatically add new database.

The check uses the generic credentials to configure the newly discovered database entry in the \\Program Files\Symantec\ESM\config\DB2Module.dat configuration file automatically.

If the connection attempt fails then the module returns a correctable message.

2 To use the Correctable option, do the following:

■ Right-click on the message

■ Choose Correction option

■ Enter custom credentials
The DB2 Discovery module uses these credentials and attempts to connect and adds the configuration record in the configuration file after each successful connection.

Configuring IBM DB2 database with generic credentials

You can configure a new IBM DB2 database on an ESM agent computer by using a generic credential. The generic credential option helps you to configure a common credential for all the IBM DB2 databases on an ESM agent computer.

Specifying generic credentials

1 On the Command Prompt, type DB2SETUP.exe -G.

2 Enter the Generic Login ID: User name.

3 Enter a password for the generic login. Reconfirm the password.

4 Press Enter.

The generic credentials are configured in the \\Program Files\Symantec\ESM\config\DB2Module.dat.

Reusing generic credentials of an IBM DB2 database

If you want to specify a common generic credential on multiple IBM DB2 servers it is not necessary to use DB2SETUP.exe -G option on every IBM DB2 server. Instead, you can use -gif and -gof options to specify a generic credential. The specified generic credential is then stored in an encrypted format in a file that can be reused on every IBM DB2 server. You should first specify the generic credentials and then reuse the generic credentials.

Specifying generic credentials

1 On the Command Prompt, type DB2SETUP.exe -gof <filepath>

For example: DB2Setup.exe -gof C:\pass.dat.

2 Enter the Generic Login ID: User name

3 Enter a password for the generic login. Reconfirm the password.

4 Press Enter.

The pass.dat file is created with the encrypted generic credentials that are specified in Step 1.

Reusing generic credentials

1 Copy the pass.dat file to each IBM DB2 ESM agent computer where you want to import the generic credentials.

2 On the Command Prompt, type DB2SETUP -gif <filepath>

For example: DB2Setup.exe -gif C:\pass.dat.

The generic credentials are imported into the \\Program Files\Symantec\ESM\config\DB2Module.dat file.

Removing deleted databases

Although you may have deleted an IBM DB2 database, the configuration information still exists in the ESM module. As a result, the module when executed reports the deleted IBM DB2 databases as deleted databases.

Removing deleted databases manually

1 Run the Discovery module on the target ESM agent computers. The modulelists all the deleted databases that were configured earlier.

2 Select multiple databases, if appropriate, right-click and select Snapshot Update option.

The Snapshot Update option deletes the configuration information of such databases.

Removing deleted databases automatically

◆ Enable the check Automatically remove deleted databases.

The module automatically deletes the corresponding database records from the \\Program Files\Symantec\ESM\config\DB2Module.dat configuration file.

Chapter 3: Installing ESM DB2 Modules on UNIX

This chapter includes the following topics:

■ Before you install

■ Minimum account privileges

■ System requirements

■ Installing ESM DB2 module for IBM DB2 database

■ About Content Separation

■ Silent installation of ESM DB2 module

Before you install

To install the ESM DB2 module, you need the following:

Product disc access        At least one computer must have a CD-ROM drive on your network.
Account privileges         On each computer, you must have super user privileges of an account where you want to install the ESM DB2 modules.
Connection to the manager  You must verify that the Symantec ESM Enterprise Console can connect to the Symantec ESM manager.
Agent and manager          You must ensure that the Symantec ESM agent must run and must be registered to at least one Symantec ESM manager.
IBM DB2 client and server  You must ensure that Symantec ESM DB2 module is installed for DB2 Host-based modules, client, and server.

Note: The Symantec ESM Modules for IBM DB2 Databases supports 9.1, 9.5, and 9.7 database versions.

Minimum account privileges

For the ESM DB2 Remote module to perform the ESM security checks on IBM DB2 server, the login accounts require the minimum privileges to execute the following commands:

■ Select syscat.dbauth

■ Get database manager configuration

■ Get database configuration for <db>

For the ESM DB2 Audit Configuration module, the login account that you specifyduring configuration must have the following authority:

■ sysadm

Warning: If you use less than the required privileges for the accounts that the ESM DB2 Application module uses for reporting, then a few checks may not function correctly. As a result the module may not report on a few conditions that you want to be reported on.

System requirements

Table 3-1 lists the IBM versions and the operating systems that support the ESM Application modules for DB2.

Table 3-1 Supported DB2 versions and operating systems

Supported operating system            Architecture  Supported OS versions  Supported IBM DB2 versions
Red Hat Enterprise Linux ES (32-bit)  x86           4                      9.1, 9.5, and 9.7
Red Hat Enterprise Linux ES (32-bit)  x86           5 and 6                9.1, 9.5, 9.7, and 10.1
Red Hat Enterprise Linux ES (64-bit)  x64           5 and 6                9.1, 9.5, 9.7, and 10.1
Red Hat Enterprise Linux AS (32-bit)  x86           4                      9.1, and 9.5
AIX (32-bit)                          RS6K          5.2                    9.1
AIX (64-bit)                          PPC64         5.3 and 6.1            9.1, 9.5, 9.7, and 10.1
Sun Solaris                           SPARC         9 and 10               9.1, 9.5, 9.7, and 10.1

Note: The Symantec ESM Application modules for DB2 are supported only on the Enterprise Server Edition for the IBM DB2 databases.

Table 3-2 lists the disk space requirements for Symantec ESM DB2 modules for IBM DB2 databases.

Table 3-2 Disk space requirements

Agent operating system  Disk space
Sun Solaris SPARC       30 MB
RHEL (x86)              30 MB
AIX (RS6K)              35 MB
AIX (PPC64)             65 MB

Installing ESM DB2 module for IBM DB2 database

You can install the ESM DB2 module on the ESM agent computer by using the esmdb2.tpi.

The installation program does the following:


■ Extracts and installs the module executables.

■ Registers the module binaries to the ESM manager.

Note: You can skip this step if you have already registered the package for other agents that are installed on the same platform.

To run the installation program and register the files

1 From the product disc, run /DATABASES/DB2/Modules/<architecture>/esmdb2.tpi

2 Choose one of the following options:

Option 1  To display the contents of the package.
Option 2  To install the module.

3 The Do you wish to register the agent to the manager? message appears. Do one of the following:

■ Type a Y, if the files are not registered with the manager.

■ Type an N, if the files have already been registered, and skip to “To enable security checking for your IBM DB2 databases and instances”.

Note: You must register the template and the .m files once for the agentsthat use the same manager on the same operating system.

4 Enter the ESM manager that the agent is registered to.

Usually, it is the name of the computer that the manager is installed on.

5 The message Would you like to validate the existence of instance? [yes] appears.

■ Type a Y, to validate the existence of an instance.

■ Type an N, to proceed without validating the existence of an instance.

6 Enter the ESM access name (logon name) for the manager.

7 Enter the ESM password that is used to log on to the ESM manager.

8 Enter the network port that is used to contact the ESM Manager.

The default port is 5600.

9 Enter the name of the agent that is currently registered to the ESM manager.

Usually, it is the name of the computer that the agent is installed on.

10 The Is this information correct? message appears. Do one of the following:

■ Type a Y; the agent continues with the registration to the ESM manager.

■ Type an N; the setup prompts you to re-enter the details of the new manager.

When the extraction is complete, you are prompted to add configuration records to enable the ESM security checking for your IBM database.

11 The Do you want to continue and add configuration records to enable ESM security checking for your DB2 database? [yes] message appears. Do one of the following:

■ Type a Y, to configure the ESM DB2 modules on the agent computer.

■ The installation program reads the existing configuration records and displays them.

■ Type an N; the program installation continues without configuration.

When the extraction is complete, you are prompted to add configuration records to enable ESM security checking for your IBM DB2 instances.

To enable security checking for your IBM DB2 databases and instances

1 The installation displays a list of auto-detected DB2 databases. Choose one of the following:

Option 1  To manually create a new configuration record for an undetected database.
Option 2  To modify or remove an existing configuration record.
Option 3  To exit the configuration.

2 To add a configuration record for the database, do the following:

■ Enter the DB2 Alias\Database name. Press Enter if you are satisfied with the detected alias.

■ Enter the Node name that is remotely configured.

■ Enter the DB2 database login.

3 The Is this information correct? message appears. Do one of the following:

■ Type a Y to continue to add this configuration record and to add any more.

■ Type an N to re-enter the connection information.

4 The Do you want to validate the connection with the database? message appears. Do one of the following:

■ Type a Y to validate the connection to the newly configured database.

■ Type an N; the program lists all the existing configuration records and you are prompted to add more if required.

5 If the validation fails, the Do you want to add this record to the configuration file message appears. Do one of the following:

■ Type a Y to add the record in the configuration file without validating the configuration records.

■ Type an N; the program lists all the configuration records and prompts you to choose one of the options.

6 After you have created configuration records for each database, the program lists all of the configuration records. Choose one of the following options:

Option 1  To manually create a new configuration record for an undetected database.
Option 2  To modify or remove an existing configuration record.
Option 3  To exit the configuration.

Configuring ESM DB2 module

1 You are prompted to configure the ESM DB2 module. Type a Y, if you want to continue with the configuration of the ESM DB2 module.

Note: Create a configuration record for only the DB2 instances that you want to perform checks against.

2 Do one of the following:

■ Enter the IBM DB2 database alias.

■ Enter the IBM DB2 instance name.

■ Enter the User ID to log on to the IBM DB2 database.

Note: The ESM module is enhanced to configure the DB2 database without the password. Now the module prompts for the database name, the instance name, and the user name.

3 The Is this information correct? message appears. Do one of the following:

■ Type a Y to save the configuration record and continue with the next database.

■ Type an N to begin again with the same instance.

Note: The user name is encrypted when it is displayed for your approval.

4 Repeat the first three steps to configure another database.

After you have created a DB2 module configuration record for your chosen databases, the program lists all of the configuration records. Choose one of the following options:

Option 1  To create a new configuration record database.
Option 2  To modify or remove an existing configuration record.
Option 3  To finish the installation and exit the program.

Note: The encryption that is used to store the credentials is the 256-bit AES encryption algorithm.

Configuring ESM DB2 Audit Configuration and ESM DB2 Fix Packs modules

1 You are prompted to configure the ESM DB2 Audit Configuration and theESM DB2 Fix Packs module. Do one of the following:

■ Type a Y to continue the ESM DB2 Audit Configuration and ESM DB2 Fix Packs modules configuration.

■ Type an N to end the installation without configuration.

2 Do the following:

■ Enter the IBM DB2 instance name.

■ Enter the user with SYSADM authority.

3 The Is this information correct? message appears. Do one of the following:

■ Type a Y to save the configuration record and continue with the next instance.

■ Type an N to begin again with the same instance.

4 Repeat the first three steps for each IBM DB2 instance.

5 After you have created configuration records for each instance, the program lists all of the configuration records. Choose one of the following options:

Option 1  To create a new configuration record for an instance.
Option 2  To modify or remove an existing configuration record.
Option 3  To finish the installation and exit the program.

About Content Separation

Until now, the content that was included in an Application module was first installed on the agents and later through the registration process it was pushed from the ESM agents to the ESM manager.

From this release onwards, two separate content packages are included. The package that contains the module binaries is to be installed on the ESM agent and the other package that contains the security content such as configuration (.m) files, word files, template files, properties files, and report content files (RDL) is to be installed on the ESM managers. A new folder named Content is created on the ESM manager that contains platform-specific data, which the importcontent utility imports.

Note: You are required to run the esmdb2content.tpi installer on the new manager. For the consecutive releases, perform a LiveUpdate to get the latest security content.

About the content package folder structure

The content package folder on the ESM manager contains content files of the Applications modules.

Table 3-3 shows the file types and folder paths of the Application modules.

Table 3-3 File types and folder paths

Content              File type                                 Folder path
Application modules  .properties files                         #esm/content/<AppModuleName>/<platform>/config/
                     Security module (.m) files                #esm/content/<AppModuleName>/<platform>/register/
                     Template files                            #esm/content/<AppModuleName>/<platform>/template/
Common               Word files                                #esm/content/words/
Common               Report content file (UpdatePackage.rdl)   #esm/content/ble/<SU_version>/<language>/

Installing the security content on the ESM managers

You can install the security content package on the ESM manager by using the esmdb2content.tpi installer, which is applicable for UNIX.

The installation program extracts and installs configuration (.m) files, template files, word files, .properties files, and report content files (RDL).

To install the security content on the ESM managers

1 Download and copy the esmdb2content.tpi installer from the Security Response Web site to the desired location.

2 Choose one of the following options:

Option 1  To display the contents of the package.
Option 2  To install the module.

Note: Before importing the content data for the Application modules, you must ensure that content data for a Security Update (SU) is present on the manager database. Certain features of the Application modules may not function correctly if the Security Update (SU) content data is not already imported to the manager database.

3 The Do you want to import the templates or the .m files? [no] message appears. Do one of the following:

■ Type a Y, if you want to import the templates or the .m files.

Note:

Only an ESM administrator or an ESM user who has the permissions to create policies, create templates, and perform remote installation or upgrade can install the content on the ESM manager. The ESM superuser can also install content on the ESM manager because this user has all the permissions. However, Register only users cannot perform this task because they do not have the specified permissions.

The program displays a message to include or exclude the platforms that you want to import. See “Modifying the importcontent.conf file” on page 38.

■ Type an N, if you do not want to import the templates or the .m files. You can skip this step if you want to import the content later. You can import the content by running the importcontent utility.

4 Enter the ESM manager that the agent is registered to.

Usually, it is the name or the IP of the computer that the manager is installed on.

5 Enter the ESM access name (logon name) for the manager.

6 Enter the ESM password that is used to log on to the ESM manager.

7 Enter the port that is used to contact the ESM Manager. The default port is 5600.

8 The Is this information correct? message appears. Do one of the following:

■ Type a Y; the program continues with the installation.

■ Type an N; the setup prompts you to re-enter the details of the new manager.

9 The Do you want to import the report content file <UpdatePackage.rdl>? [yes] message appears. Do the following:

■ Type a Y, if you want to import the report content file.

■ Type an N, if you do not want to import the report content file.

When the installation completes, you are prompted to exit.

Modifying the importcontent.conf fileThe platforms that you specify in the importcontent.conf file are the platformsthat are available to the ESM manager when using the importcontent utility. Theimportcontent utility only imports the platforms on the ESM manager that arenot prefixed with a hash (#).

Installing ESM DB2 Modules on UNIXAbout Content Separation

38

Page 39: Symantec Enterprise Security Manager IBM DB2 Modules ...€¦ · Symantec™ Enterprise Security Manager IBM DB2 Modules Installation Guide for Windows and UNIX Version 4.2

To modify the importcontent.conf file

1 Go to C:\Program Files\Symantec\Enterprise SecurityManager\ESM\config\importcontent.conf.

2 Remove # before the platform that you want to include.

Note: As, the UNIX folder contains common content for all UNIX subplatforms, a semi-colon (;) separates these sub-platforms from UNIX. Forexample: lnx-x86;unix.

3 Save the file.

4 Go back to esmdb2contenttpi.exe installer and press <return> to continue with the installation process.

Silent installation of ESM DB2 module

You can use the esmdb2.tpi to install the ESM DB2 module silently.

esmdb2.tpi -it -m <Manager Name> -U <Username> -p <5600> -P <password> -g <Agent Name> -e

Table 3-4 lists the command-line options for installing the ESM DB2 module silently.

Table 3-4 Options to install the ESM DB2 module silently

Option   Task
-i       Install this tune-up/third-party package.
-d       Display the description and contents of this tune-up/third-party package.
-U       Specify the ESM manager login name.
-e       Do not execute the before and after executables (installation without configuration).
-p       Specify the TCP port to use.
-P       Specify the ESM manager password.
-m       Specify the ESM manager name.
-t       Connect to the ESM manager by using TCP.
-g       Specify the ESM agent name for registration.
-K       Do not prompt for and do the re-registration of the agents.
-Y       Update the report content file on the manager.


Configuring ESM DB2 Modules on UNIX

This chapter includes the following topics:

■ Silent configuration of ESM DB2 Audit Configuration and the ESM DB2 Fix Packs modules

■ Edit configuration records of ESM DB2 Audit Configuration and Fix packs modules

■ Silent configuration of ESM DB2 module

■ Edit configuration records of ESM DB2 module

■ Configure IBM DB2 database and instance by using ESM DB2 Discovery module

Silent configuration of ESM DB2 Audit Configuration and the ESM DB2 Fix Packs modules

You can use the db2setup utility to configure the ESM DB2 Audit Configuration and the ESM DB2 Fix Packs modules silently.

Use the following option to configure the ESM DB2 module silently for the DB2 Audit Configuration and Fix Packs modules:

Table 4-1 lists the options for configuring the ESM DB2 module for the Audit Configuration and the Fix Packs modules silently.

Table 4-1 Options to configure the ESM DB2 module for Audit Configuration and Fix Packs modules silently

Option   Task
-q -H    Silently configure the DB2 Audit Configuration module and the DB2 Fix Packs modules.
-N       Specify the host instance name.
-A       Specify the user that has SYSADM authority.
-V       Specify to validate the connection to the DB2 database with the given instance name and user name.

For example,

db2setup -q -H -N <instance name> -A <username> -V

Edit configuration records of ESM DB2 Audit Configuration and Fix packs modules

After installing the ESM DB2 Audit Configuration and Fix packs modules you can add, modify, or remove the configuration records for the IBM DB2 database instances by using the db2setup utility program. A configuration record is created for each IBM DB2 instance in the DB2ModulePath.dat file when you enable security checking during installation. By default, db2setup utility is located in the /<InstallDir>/ESM/bin/<platform>/ directory.

Table 4-2 lists the editing options to configure records for the ESM DB2 Audit Configuration and the ESM DB2 Fix Packs modules.

Table 4-2 Edit configuration records for the ESM DB2 Audit Configuration and the ESM DB2 Fix Packs modules

Command          Task
DB2Setup -H -c   Add a new configuration record for DB2 database. Warning: This option deletes the existing configuration records.
DB2Setup -H -a   Add a new configuration record for DB2 database.
DB2Setup -H -m   Modify the existing DB2 instance configuration records.
DB2Setup -H -l   List the existing DB2 instance configuration records.


Silent configuration of ESM DB2 module

You can use the db2setup utility to configure the ESM DB2 module silently.

Use the following option to configure the ESM DB2 module silently:

Table 4-3 lists the options for configuring the ESM DB2 module silently.

Table 4-3 Options to configure the ESM DB2 module silently

Option   Task
-q       Silently configure the DB2 module.
-D       Specify the database name.
-I       Specify the instance name.
-U       Specify the username.
-V       Specify to validate the connection to the DB2 database with the given instance name and user name.

Note: The ESM module is enhanced to configure the DB2 database without a password. The module no longer requires the -P option.

db2setup -q -D <Database name> -I <Instance name> -U <User name>

Edit configuration records of ESM DB2 module

After installing the ESM DB2 module you can add, modify, or remove the configuration records for the IBM DB2 database instances by using the db2setup utility program. A configuration record is created for each database in the DB2module.dat file when you enable security checking during installation.

By default, db2setup utility is located in the /<InstallDir>/ESM/bin/<platform>/ directory.

Run db2setup utility on the ESM DB2 module with the following options:

Table 4-4 lists the options for editing configuration records.

Table 4-4 Edit configuration records for the ESM DB2 module

Command       Task
DB2Setup -h   Display Help
DB2Setup -c   Create configuration records for the detected IBM DB2 databases.
DB2Setup -a   Add new configuration records for the undetected IBM DB2 databases.
DB2Setup -m   Modify or remove existing IBM DB2 database configuration records.
DB2Setup -l   List the existing IBM DB2 database configuration records.

Note: The ESM module is enhanced to configure the DB2 database without a password. Now the module prompts for the database name, the instance name, and the user name.

Configure IBM DB2 database and instance by using ESM DB2 Discovery module

The ESM DB2 Discovery module includes eight checks that let you automate the detection and configuration of new databases and instances that are not yet configured on the local ESM agent computers. The checks also detect the deleted databases and instances and let you remove the deleted databases and instances from the configuration file.

The following checks in the ESM DB2 Discovery module update the DB2Module.dat file that the ESM DB2 modules use:

■ Detect New Database

■ Detect Deleted Database

■ Automatically Add New Database

■ Automatically Remove Deleted Database

See “Configuring a new IBM DB2 database” on page 45.

The following checks in the ESM DB2 Discovery module update the DB2ModulePath.dat file that the ESM DB2 Audit Configuration and ESM Fix Packs modules use:

■ Detect New Instance

■ Detect Deleted Instance

■ Automatically Add New Instance

■ Automatically Remove Deleted Instance


See “Configuring a new IBM DB2 instance” on page 46.

For more information on the checks in the ESM DB2 Discovery module, see the Symantec™ Enterprise Security Manager IBM DB2 Modules User Guide.

Configuring a new IBM DB2 database

To report on a new IBM DB2 database you should first create a configuration record for the IBM DB2 database on an ESM agent computer that already has the DB2 application module installed.

To configure a new IBM DB2 database manually

1 Run the Discovery module on the ESM agent computers that have IBM DB2 installed.

The module lists all the new databases that were not previously configured.

2 Select the databases, right-click, and then select Correction option.

The Correction option configures the databases with the user name.

To configure a new IBM DB2 database automatically

1 Enable the check Automatically add new database.

The check uses the user name that is specified in the User Name text box to configure the newly discovered database entry in the configuration file /esm/config/DB2Module.dat.

If the connection attempt fails then the module returns a correctable message.

2 To use the Correctable option, do the following:

■ Right-click on the message

■ Choose correction option

■ Enter the user name

The ESM DB2 Discovery module uses the user name and attempts to connect to the database. After each successful connection, the ESM DB2 Discovery module adds a configuration record in the configuration file.

Removing deleted databases

Although you may have deleted an IBM DB2 database, the configuration information still exists in the ESM DB2 configuration file /esm/config/DB2Module.dat. As a result, the module, when executed, reports the deleted IBM DB2 databases as deleted databases.


To remove deleted databases manually

1 Run the Discovery module on the target ESM agent computers. The modulelists all the deleted databases that were configured earlier.

2 Select the databases, right-click and select Snapshot Update option.

The Snapshot Update option deletes the configuration information of such databases.

To remove the deleted databases automatically

◆ Enable the check Automatically remove deleted databases.

The module automatically deletes the corresponding database records from the configuration file /esm/config/DB2Module.dat.

Configuring a new IBM DB2 instance

To report on the IBM DB2 instance you should first configure the IBM DB2 instance on an ESM agent computer.

To configure a new IBM DB2 instance manually

1 Run the Discovery module on the ESM agent computers that have IBM DB2 installed.

2 The module lists all the new instances that were not previously configured.

3 Select the instances, right-click, and select Correction option.

The Correction option configures the instances with the user name.

To configure a new IBM DB2 instance automatically

1 Enable the check Automatically add new instance.

The check uses the user name that is specified in the User Name text box to automatically configure the newly discovered instance entry in the configuration file /esm/config/DB2ModulePath.dat.

If ESM DB2 discovery module fails to add the configuration record then the module returns a correctable message.

2 To use the Correctable option, do the following:

■ Right-click on the message

■ Choose Correction option

■ Enter the user name

The DB2 Discovery module uses the user name and attempts to connect and adds the configuration record in the configuration file after each successful connection.


Removing deleted instances

Although you may have deleted an IBM DB2 instance, the configuration information still exists in the ESM DB2 configuration file. As a result, the module, when executed, reports the deleted IBM DB2 instances as deleted instances.

To remove deleted instances manually

1 Run the Discovery module on the target ESM agent computers. The module lists all the deleted instances that were configured earlier.

2 Select the instances, right-click and select Snapshot Update option.

The Snapshot Update option deletes the configuration information of such instances.

To remove the deleted instances automatically

◆ Enable the check Automatically remove deleted instances.

The module automatically deletes the corresponding instance records from the configuration file /esm/config/DB2ModulePath.dat.


Uninstalling the ESM DB2 Application module

This chapter includes the following topics:

■ Uninstall ESM DB2 Application module

■ Silent uninstallation of ESM DB2 module

Uninstall ESM DB2 Application module

You can uninstall all the components of the ESM DB2 Application module that are installed on the ESM agent computer and unregister the module from the manager. You can uninstall the ESM DB2 Application module using the uninstaller program.

The DB2uninstall executable uninstalls the following components:

■ Application executables

■ Configuration files

■ Environment configuration files

■ Configuration file with server records

■ Snapshot files (Windows)

■ DB2 Application module version file

■ Registry entry of DB2 Application module (Windows)

■ Application-specific log file

■ Manifest entries of the DB2 Application module

■ ESM DB2 Application module entry in the agentapp.dat file


Running the uninstallation program

You can uninstall the DB2 Application modules on the ESM agent computer by using the DB2uninstall executable.

To uninstall the DB2 Application module

1 On Windows, at the command prompt, type cd <path> to open the directory that corresponds to vendor\bin\operating system\DB2uninstall.exe.

On UNIX, at the command prompt, type cd <path> to open the directory that corresponds to vendor/bin/operating system/DB2uninstall.

The program first checks for the version of the installed register binary. The register binary that is required to uninstall the ESM DB2 Application Module must be of version 10.0.285.10011 or later on Windows and 10.0.285.10003 or later on UNIX. If the program does not find the required version, it reports an error and aborts the uninstallation process.

2 The This will uninstall the application module permanently. Do you want to continue? [yes] message appears. Do one of the following:

■ Type a Y, if you want to continue with the uninstallation.

■ Type an N, if you want to exit.

3 The Do you want to register the agent to the manager after uninstallation?[yes] message appears. Do one of the following:

■ Type a Y, if you want to register the agent to the manager.

The program informs the manager about the uninstallation of the DB2 Application module from the agent computer that is registered to it.

■ Type an N, if you do not want to register the agent to the manager.

4 Enter the ESM manager that the agent is registered to.

Usually, it is the name of the computer that the manager is installed on.

5 Enter the name of the agent as it is currently registered to the ESM manager.

Usually, it is the name of the computer that the agent is installed on.

6 Enter the ESM access name (logon name) for the manager.

7 Enter the ESM password that is used to log on to the ESM manager.

8 Re-enter the password.

9 Enter the port that is used to contact the ESM Manager.

The default port is 5600.

10 The Is this information correct? message appears. Do one of the following:


■ Type a Y, the agent continues with the registration to the ESM manager.

■ Type an N, the setup prompts to re-enter the details of the new manager.

Note: The uninstaller program validates the manager name with the manager name that is present in the manager.dat file. If the manager name does not match, the program reports a message, Specified manager is not found in manager.dat file. Skipping re-registration for <manager name>.

11 The Would you like to add registration information of another manager? [no] message appears. Do one of the following:

■ Type a Y, the agent continues with the registration of another manager.

■ Type an N, the agent is successfully registered to the manager.

Note: If the uninstallation fails, then ESM rolls back the uninstallation action and brings back the agent to its original state.

Uninstallation logs

The uninstaller creates a log file for you to know about the changes that the uninstaller program performed. The log file, ESM_DB2_Uninstall.log is stored in the system folder. The specified folder is located at C:\Program Files\Symantec\Enterprise Security Manager\ESM\system\<Host_Name> on Windows and <esm_install_dir>/ESM/system/<Host_Name> on UNIX. The uninstaller program automatically creates the log file and captures the uninstallation events and errors in it.

Silent uninstallation of ESM DB2 module

You can use the DB2uninstall.exe to uninstall the ESM DB2 module silently, by using the following command:

db2uninstall -S -m <manager> -N <agent> [-p <port>] [-mfile <mgrfile>] -U <user> -P <password>

or

db2uninstall -S -F <mgrfile>

or

db2uninstall -S

Table 5-1 lists the command-line options for uninstalling the ESM DB2 module silently.

Table 5-1 Options to uninstall the ESM DB2 module silently

Option   Description
-F       Enters the interactive mode and invokes the uninstall operation.
-mfile   Enters the interactive mode and creates a data file with details of the ESM manager and user credentials.
-S       Invokes the uninstallation in a silent mode. Note: If -S is specified without any other option then the re-registration is not performed. The uninstall program enters the interactive mode and invokes the uninstall operation.
-m       Specify the ESM manager name.
-N       Specify the agent name as registered with the ESM manager.
-p       Specify the TCP port to connect to the ESM manager.
-U       Specify the ESM manager login ID.
-P       Specify the ESM manager password.


Logging DB2 Modules on Windows

This chapter includes the following topics:

■ Log functionality on ESM DB2 modules

Log functionality on ESM DB2 modules

The logging feature in the ESM DB2 modules enables specific modules to log information such as errors and exceptions generated at runtime. This feature is enabled for the Audit configuration, Fix pack, Remote, System, Configuration, Privileges, and Discovery modules. Detailed logging is also enabled for the DB2Setup.exe that is used for DB2 configuration.

Log levels of the messages

The log level specifies the type and criticality of a message. You can manually create a configuration file named esmlog.conf and specify the log level messages that you want to be logged.

ESM checks the log level that you set in the configuration file and stores only thequalifying messages in the log file.

See “Creating the log level configuration file” on page 55.

You can specify the following log levels:

ESMNOLOG: Disable logging for the module. If ESMNOLOG is specified in the log level configuration file, even critical failure messages are not logged.

ESMCRITICALFAILURES: All critical failures are logged.

Note: ESMCRITICALFAILURE|ESMERROR|ESMEXCEPTION is the default log level and you need not explicitly specify it in the configuration file.

ESMERRORS: All errors are logged. The following are some examples of the errors:

■ Template file not found

■ Configuration file not found

ESMEXCEPTIONS: All exceptions are logged.

ESMWARNINGS: All warnings are logged.

ESMINFORMATION: All information messages are logged. The information that is gathered during a policy run is also logged at this level.

Note: When you enable the ESMINFORMATION level, the performance of the module may be affected since all the information messages are logged.

ESMTRACE: All debug information is logged.

ESMPERFMANCETIMING: All time-consuming operations are logged.

ESMAUDIT: All audit information is logged. This level covers the data modification operations such as Correction and Update.

ESMMAXIMUM: Includes all log levels except ESMNOLOG.

Specify the log level in the LogLevel parameter of the configuration file. For example, to log the messages for the discovery module that are related to critical failures, specify the log level as follows:

[db2discovery_LogLevel] = ESMCRITICALFAILURES

You can also specify multiple log levels by separating them with a pipe (|) character as follows:

[db2discovery_LogLevel] = ESMCRITICALFAILURES|ESMPERFMANCETIMING

You can use log levels for specific operations as follows:

For regular policy runs: ESMCRITICALFAILURES and ESMERRORS

To generate detailed logs for policy failure: ESMCRITICALFAILURES, ESMERRORS, ESMTRACE, and ESMINFORMATION

Creating the log level configuration file

To manually change the log level for a module or modules, create a configuration file named esmlog.conf in the <esm_install_dir>\config folder and specify the values that ESM uses to store the logs of a module.

Creating the configuration file

1 Change to the <esm_install_dir>\config folder.

2 Create a new text file and specify the parameters and their values.

3 Save the text file as esmlog.conf.

See Table 6-1 on page 55.

The following is an example of the entries in the configuration file:

[MaxFileSize] = 1024

[NoOfBackupFile] = 20

[LogFileDirectory] = <esm_install_dir>\system\agentname\logs

[db2discovery_LogLevel] = ESMINFORMATION|ESMTRACE

[db2discovery_LogLevel] = ESMMAXIMUM

Note: A default log level configuration file is not installed with the ESM DB2modules. You must manually create the file and specify the parameters in it.

Note: If the esmlog.conf file already exists, you can append the DB2 module loglevel information to the existing file.

Parameters of the log level configuration file

Table 6-1 lists the parameters that you need to specify in the configuration file.

Table 6-1 Configuration file parameters

Parameter name: [MaxFileSize]
Description: Specify the maximum file size for the log file in MB
Range of values: 1 MB to 1024 MB (1 GB)
Default value: 1 MB

Parameter name: [NoOfBackupFile]
Description: Specify the number of backup files of logs that can be stored per module. For example, if the value of NOOFBACKUPFILE is 3, then ESM stores a maximum of 3 backup files for the module.
Range of values: 0 to 20
Default value: 1

Parameter name: [LogFileDirectory]
Description: Specify the absolute path to store the log file and backup log files.
Range of values: N/A
Default value: The %systemroot%\temp directory is used on the Windows operating systems.

Parameter name: [<module>_LogLevel]
Description: Specify the log level along with the short name of the module.

Following are the short names for DB2 modules:

■ db2module for DB2 Remote module

■ db2auditconfig for DB2 Audit and Configuration module

■ db2discovery for DB2 Discovery module

■ db2system for DB2 system module

■ db2privileges for DB2 Privileges module

■ db2patch for DB2 Fix Pack module

■ db2config for DB2 Configuration module

For example, to log all error messages for the ESM DB2 Discovery module, specify the following:

[db2discovery_LogLevel]=ESMERRORS

Range of values: N/A
Default value: ESMCRITICALFAILURE|ESMERROR|ESMEXCEPTION

If the esmlog.conf file is not present then no log file is written.


Log file

The ESM application now stores the log file of the modules in the directory that the user specifies. If the directory that the user specifies does not exist, then the module first creates the directory and then stores the log files in it.

The log file has the following format:

<module_name>.log

The <module_name> is the short name of the module. For example, the log file of the ESM DB2 Discovery module is named db2discovery.log. The backup file name for ESM DB2 Discovery module is named db2discovery.log_1.bak and so on.

Note: During the process of logging, ESM locks the log file to store the logging information. If the log file is open at that time, the information to be written to the logs may be lost.

Format of the log file

A log file contains the following fields:

Serial Number: Serial number of the log file entry. The serial number is displayed in hexadecimal format. The serial number is reset in the next policy run on the module.

Thread ID: Thread identifier of the process that generated the message

Source File Name: Name of the source file that caused the message to be generated

Line Number: Line number in the source file from where the message was generated

Date: Date on which the log was created

Time: Time at which the log was created

Message: The actual message that was generated along with the log level of that message.

Backup of logs

When the log file reaches a specified size limit, ESM backs up the log file. This size limit is configurable and you can specify it in the MaxFileSize parameter of the configuration file.

If the log file reaches the MaxFileSize value, ESM creates a backup of the log file depending on the NoOfBackupFile value that is specified in the configuration file. For example, if the NoOfBackupFile value is 0, ESM overwrites the existing log file, if any, for the module.


Logging DB2 modules on UNIX

This chapter includes the following topics:

■ Log functionality on ESM DB2 modules

Log functionality on ESM DB2 modules

The logging feature in the ESM DB2 modules enables the ESM to log the information, such as errors and exceptions that a module generates at the runtime. This feature is enabled for the Audit configuration, Fix pack, Remote, System, Configuration, Privileges, and Discovery modules. Detailed logging is also enabled for the DB2Setup.exe that is used for DB2 configuration.

Log levels of the messages

The log level specifies the type and criticality of a message. You can manually create a configuration file and specify the log level messages that you want to be logged.

ESM checks the log level that you set in the configuration file and stores only thequalifying messages in the log file.

See “Creating the log configuration file” on page 63.

You can specify the following log levels:

ESMNOLOG: Disable logging for the module

ESMCRITICALFAILURES: All critical failures are logged. ESM always logs all critical failures irrespective of the log level that you specify in the configuration file. However, if ESMNOLOG is specified in the configuration file, ESM does not log the critical failures. ESMCRITICALFAILURE|ESMERROR|ESMEXCEPTION is the default log level and you need not explicitly specify it in the configuration file.

ESMERRORS: All errors are logged. The following are some examples of the errors:

■ Template file not found

■ Configuration file not found

ESMEXCEPTIONS: All exceptions are logged.

ESMWARNINGS: All warnings are logged.

ESMINFORMATION: All information messages are logged. The information that is gathered during a policy run is also logged at this level.

Note: When you enable the ESMINFORMATION level, the performance of the module may be affected because all the information messages get logged.

ESMTRACE: All debug information is logged.

ESMPERFMANCETIMING: All time-consuming operations are logged.

ESMAUDIT: All audit information is logged. This level covers the data modification operations such as Correction and Update.

ESMMAXIMUM: Includes all log levels except ESMNOLOG.

You specify the log level in the LogLevel parameter of the configuration file. For example, to log the messages that are related to critical failures for the DB2 Discovery module, specify the log level as follows:

[db2discovery_LogLevel] = ESMCRITICALFAILURES

You can also specify multiple log levels by separating them with a pipe (|) character as follows:

[db2discovery_LogLevel] = ESMCRITICALFAILURES|ESMPERFMANCETIMING

You can use log levels for specific operations as follows:

For regular policy runs: ESMCRITICALFAILURES and ESMERRORS

To generate detailed logs for policy failure: ESMCRITICALFAILURES, ESMERRORS, ESMTRACE, and ESMINFORMATION

Creating the log configuration file

You can create a configuration file named esmlog.conf in the <esm_install_dir>/config folder and specify the values that ESM uses to store the logs of a module.

To create the configuration file

1 Change to the <esm_install_dir>/config folder.

2 Create a new text file and specify the parameters and their values.

3 Save the text file as esmlog.conf.

See “Parameters of the configuration file” on page 63.

The following is an example of the entries in the configuration file:

[MaxFileSize] = 1024

[NoOfBackupFile] = 20

[LogFileDirectory] = <esm_install_dir>/system/agentname/logs

[db2discovery_LogLevel] = ESMINFORMATION|ESMTRACE

[db2discovery_LogLevel] = ESMMAXIMUM

Note: No default configuration file is shipped with the ESM DB2 modules. You need to manually create the file and specify the parameters in it. To specify a different module to log messages for, substitute the binary name of the module for db2discovery in the specified example.

Parameters of the configuration file

Table 7-1 lists the parameters that you need to specify in the configuration file.


Table 7-1 Configuration file parameters

[MaxFileSize]
Description: Specify the maximum file size for the log file in MB.
Range of values: 1 MB to 1024 MB (1 GB)
Default value: 1 MB

[NoOfBackupFile]
Description: Specify the number of backup files of the logs that can be stored per module. For example, if the value of NOOFBACKUPFILE is 3, then ESM stores a maximum of 3 backup files for the module.
Range of values: 0 to 20
Default value: 1

[LogFileDirectory]
Description: Specify the absolute path to store the log file and backup log files.
Range of values: N/A
Default value: The directory /esm/system/<hostname>/tmp/

[<module>_LogLevel]
Description: Specify the log level along with the short name of the module. For example, to log all error messages for the ESM DB2 Discovery module, specify the following: [db2discovery_LogLevel]=ESMERRORS
Range of values: N/A
Default value: ESMCRITICALFAILURE|ESMERROR|ESMEXCEPTION

If the configuration file esmlog.conf is not present, then the logging functionality appears to be disabled and no logs are generated.
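A hand-written esmlog.conf is easy to get wrong, so the following added example (not part of the Symantec guide or product) checks a file's entries against the ranges in Table 7-1 and the level names in the log level list. It assumes a UNIX agent, one `[Name] = value` entry per line, and that only the level names spelled as in that list are valid; the function name and the sample host path are hypothetical.

```python
import re

# Level names as spelled in this guide's log level list (assumed to be the valid set).
LEVELS = {"ESMNOLOG", "ESMCRITICALFAILURES", "ESMERRORS", "ESMEXCEPTIONS",
          "ESMWARNINGS", "ESMINFORMATION", "ESMTRACE", "ESMPERFMANCETIMING",
          "ESMAUDIT", "ESMMAXIMUM"}
ENTRY = re.compile(r"^\[(?P<key>[^\]]+)\]\s*=\s*(?P<value>.*)$")

def check_esmlog_conf(text):
    """Return a list of findings for the text of an esmlog.conf file."""
    findings, seen = [], {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = ENTRY.match(line)
        if not m:  # the guide documents no other line syntax
            findings.append(f"line {lineno}: not a '[Name] = value' entry")
            continue
        key, value = m["key"], m["value"].strip()
        if key in seen:  # the guide does not say which duplicate takes effect
            findings.append(f"line {lineno}: [{key}] already set on line {seen[key]}")
        seen[key] = lineno
        if key == "MaxFileSize":
            if not value.isdecimal() or not 1 <= int(value) <= 1024:
                findings.append(f"line {lineno}: MaxFileSize must be 1 to 1024 (MB)")
        elif key == "NoOfBackupFile":
            if not value.isdecimal() or not 0 <= int(value) <= 20:
                findings.append(f"line {lineno}: NoOfBackupFile must be 0 to 20")
        elif key == "LogFileDirectory":
            if not value.startswith("/"):
                findings.append(f"line {lineno}: LogFileDirectory must be an absolute path")
        elif key.endswith("_LogLevel"):
            for bad in [v.strip() for v in value.split("|") if v.strip() not in LEVELS]:
                findings.append(f"line {lineno}: log level '{bad}' is not in the guide's level list")
        else:
            findings.append(f"line {lineno}: unknown parameter [{key}]")
    return findings

# Constructed sample: the guide's example entries with an out-of-range file size.
SAMPLE = """[MaxFileSize] = 2048
[NoOfBackupFile] = 20
[LogFileDirectory] = /esm/system/agent01/logs
[db2discovery_LogLevel] = ESMINFORMATION|ESMTRACE
[db2discovery_LogLevel] = ESMMAXIMUM
"""

if __name__ == "__main__":
    print("\n".join(check_esmlog_conf(SAMPLE)) or "no findings")
```

On the sample, the check reports the out-of-range MaxFileSize and the second db2discovery_LogLevel entry, which repeats a key that the guide's own example also sets twice.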

Log file

The ESM application now stores the log file of the modules in the directory that the user specifies in the esmlog.conf file. If the directory that the user specifies does not exist, then the module first creates the directory and then stores the log files in it.


The log file has the following format:

<module_name>.log

The <module_name> is the short name of the module. For example, the log file of the ESM DB2 Discovery module is named db2discovery.log. The backup file for the ESM DB2 Discovery module is named db2discovery.log_1.bak, and so on.

Note: During the process of logging, ESM locks the log file to store the logging information. If the log file is open at that time, the information about the logs may be lost.

Format of the log file

A log file contains the following fields:

Serial Number: Serial number of the log file entry. The serial number is displayed in hexadecimal format. The serial number is reset in the next policy run on the module.

Thread ID: Thread identifier of the process that generated the message.

Source File Name: Name of the source file that generates the message.

Line Number: Line number in the source file from where the message generates.

Date: Date on which the log was created.

Time: Time at which the log was created.

Message: The actual message that was generated along with the log level of that message.

Backup of logs

When the log file reaches a specified size limit, ESM backs up the log file. This size limit is configurable and you can specify it in the MaxFileSize parameter of the configuration file.

If the log file reaches the MaxFileSize value, ESM creates a backup of the log file depending on the NoOfBackupFile value that is specified in the configuration file.


For example, if the NoOfBackupFile value is 0, ESM overwrites the existing log file, if any, for the module.
