Dell Data Protection Configuration Guide



2014 Dell Inc. Registered trademarks and trademarks used in the DDP|E, DDP|ST, and DDP|CE suite of documents: Dell and the Dell logo, Dell Precision, OptiPlex, ControlVault, Latitude, XPS, and KACE are trademarks of Dell Inc. Intel, Pentium, Intel Core Inside Duo, Itanium, and Xeon are registered trademarks of Intel Corporation in the U.S. and other countries. Adobe, Acrobat, and Flash are registered trademarks of Adobe Systems Incorporated. AuthenTec and Eikon are registered trademarks of AuthenTec. AMD is a registered trademark of Advanced Micro Devices, Inc. Microsoft, Windows, Windows Server, Internet Explorer, MS-DOS, Windows Vista, MSN, ActiveX, Active Directory, Access, ActiveSync, BitLocker, BitLocker To Go, Excel, Hyper-V, Silverlight, Outlook, PowerPoint, Skydrive, SQL Server, and Visual C++ are either trademarks or registered trademarks of Microsoft Corporation in the United States and/or other countries. VMware is a registered trademark or trademark of VMware, Inc. in the United States or other countries. Box is a registered trademark of Box. Dropbox SM is a service mark of Dropbox, Inc. Google, Android, Google Chrome, Gmail, YouTube, and Google Play are either trademarks or registered trademarks of Google Inc. in the United States and other countries. Apple, Aperture, App Store SM, Apple Remote Desktop, Apple TV, Boot Camp, FileVault, iCloud SM, iPad, iPhone, iPhoto, iTunes Music Store, Macintosh, Safari, and Siri are either service marks, trademarks, or registered trademarks of Apple, Inc. in the United States and/or other countries. GO ID, RSA, and SecurID are registered trademarks of EMC Corporation. EnCase and Guidance Software are either trademarks or registered trademarks of Guidance Software. Entrust is a registered trademark of Entrust, Inc. in the United States and other countries.
InstallShield is a registered trademark of Flexera Software in the United States, China, European Community, Hong Kong, Japan, Taiwan, and United Kingdom. Micron and RealSSD are registered trademarks of Micron Technology, Inc. in the United States and other countries. Mozilla Firefox is a registered trademark of Mozilla Foundation in the United States and/or other countries. iOS is a trademark or registered trademark of Cisco Systems, Inc. in the United States and certain other countries and is used under license. Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners. SAMSUNG is a trademark of SAMSUNG in the United States or other countries. Seagate is a registered trademark of Seagate Technology LLC in the United States and/or other countries. Travelstar is a registered trademark of HGST, Inc. in the United States and other countries. UNIX is a registered trademark of The Open Group. VALIDITY is a trademark of Validity Sensors, Inc. in the United States and other countries. VeriSign and other related marks are the trademarks or registered trademarks of VeriSign, Inc. or its affiliates or subsidiaries in the U.S. and other countries and licensed to Symantec Corporation. KVM on IP is a registered trademark of Video Products. Yahoo! is a registered trademark of Yahoo! Inc. This product uses parts of the 7-Zip program. The source code can be found at www.7-zip.org. Licensing is under the GNU LGPL license + unRAR restrictions (www.7-zip.org/license.txt). 2014-02. Protected by one or more U.S. Patents, including: Number 7665125; Number 7437752; and Number 7665118. Information in this document is subject to change without notice.

Contents

1 Configure the Compatibility Server
    server_config.xml
    gkresource.xml
        Enable Domain\Username Format
    run-service.conf
2 Configure the Core Server
    Change the Policy Arbitration from Most Secure to Least Secure
        PolicyService.config
    Disable Web Services
    Enable SMTP Server for License Email Notifications
        NotificationObjects.config
        Notification.config
    Add Compatibility Server's Folder Location to Core Server Config File
    Allow Core Server to Iterate Through Authentication Methods
3 Configure the Device Server
    eserver.properties
    context.properties
    run-service.conf
4 Configure the Security Server
5 Configure Encryption Features
    Prevent Temporary File Deletion
    Hide Overlay Icons
    Hide System Tray Icon
    Slotted Activation
    Forced Poll
    Inventory Options
    Non-Domain Activations
6 Configure Components for Kerberos Authentication/Authorization
    Windows Service Instructions
    Remote Management Console Instructions
7 Key Server Config File Instructions
    Sample Configuration File
    Windows Service Instructions
    Remote Management Console Instructions
8 Assign Forensic Administrator Role
    Disable Forensic Authorization
9 Cron Expressions
    Introduction to Cron Expressions
    Cron Expression Formats
    Special Characters
    Examples
10 Create a Self-Signed Certificate Using Keytool and Generate a Certificate Signing Request
    Generate a New Key Pair and a Self-Signed Certificate
    Request a Signed Certificate from a Certificate Authority
    Import a Root Certificate
    Example Method to Request a Certificate

1 Configure the Compatibility Server

This chapter details the parameters that may be changed to tune the Compatibility Server to your environment. Always back up configuration files before editing.

Only change documented parameters in these files. Changing other data in these files, including tags, can cause system corruption and failure. Dell cannot guarantee that problems resulting from unauthorized changes to these files can be solved without re-installing the Compatibility Server.

server_config.xml

You may change some of the following parameters in <Compatibility Server install dir>\conf\server_config.xml. Parameters that should not be changed are noted as such. If the Compatibility Server is running, you must stop the Compatibility Server Service, edit the server_config.xml file, then restart the Compatibility Server Service in order for changes to this file to take effect.

Parameter / Default / Description

(parameter name truncated in source)
    Default: <dell.home>/conf/secretKeyStore
    Default location of the secretkeystore. If you move this file from the default location, update this parameter. The secretkeystore holds the database encryption key (see "Add Compatibility Server's Folder Location to Core Server Config File"), so restrict access to the new location to the service account and administrators, and include it in your backups.

archive.location
    Default: <dell.home>/conf/archive
    Default location of the archive. If you move this file from the default location, update this parameter.

(parameter name truncated in source)
    Indicates whether a fully qualified user login name is required for all requests to the Server. If this value is changed, the Device Server must be restarted before the new value takes effect.

directory.max.search.size
    Default: 1000
    Limit on a directory find, after which an exception is raised.

(parameter name truncated in source)
    Server timeout in seconds for …

(parameter name truncated in source)
    Client timeout in seconds for LDAP searches.

(parameter name truncated in source)
    To use Multi-Server EMS Recovery, uncomment the following block and change the host names to your fully qualified domain names to chain recovery:

    <!-- uncomment and change host names to your fully qualified domain names to chain recovery
    <property name="rmi.recovery.host"><value>rmi://foo.fabrikam.com:1099</value></property>
    <property name="rmi.recovery.host"><value>rmi://foo.fabrikam2.com:1099</value></property>
    -->

default.gatekeeper.group.remote
    Default: CMGREMOTE
    The default name of the Group that all Policy Proxies belong to by default. You can change this name here or in the Device Server context.properties. If you change the group name here, you also need to change it in the Device Server if you plan to:
    - Shield Windows devices
    - Use CREDActivate
    We recommend that all your Policy Proxies belong to a single group.

rsa.securid.enabled
    Default: false
    If you are using RSA SecurID for Microsoft Windows version 6 as your GINA replacement, set this parameter to true, and then stop and restart the Compatibility Server Service. When Shield users activate in an RSA GINA replacement environment, RSA authentication replaces LDAP authentication.

(parameter name truncated in source)
    Number of threads processing the …

(parameter name truncated in source)
    Number of seconds before timeout occurs.

(parameter name truncated in source)
    Default: 3
    Number of times the Server tries to process the inventory before it is …

…max (parameter name truncated in source)
    Default: 120
    Maximum number of retry attempts.

report.retry.wait.millis
    Default: 250
    Number of milliseconds to wait before retries.

(parameter name truncated in source)
    Default: 0 0 0/6 * * ?
    Triage is the process of reconciling the users and groups that the Server already knows about. The default setting is 0 0 0/6 * * ?, a Quartz-style cron expression (see the Cron Expressions chapter), which means triage runs every 6 hours starting at midnight (midnight, 6 AM, noon, 6 PM).

(parameter name truncated in source)
    Maximum number of Policy Proxy …

(parameter name truncated in source)
    Timeout for maximum number of Policy Proxy …

The security.authorization.method.* parameters are the Server's authorization map: each names a service method and lists, comma-separated, the administrator roles permitted to call it. A role not listed for a method cannot call it.

security.authorization.method.IAdministrativeService.updateAdminRoles
    Default: AcctAdmin
    Role required to update a group or user administrative role.

(parameter name truncated in source)
    Role required to update a group or user administrative …

(parameter name truncated in source)
    Roles required to retrieve log …

security.authorization.method.IAdministrativeService.getLogs
    Default: SystemAdmin,LogAdmin
    Roles required to retrieve logs.

…Service.getLogColumnList (prefix truncated in source)
    Default: SystemAdmin,LogAdmin
    Roles required to retrieve the log column list.

(parameter name truncated in source)
    Roles required to retrieve the log category list.

(parameter name truncated in source)
    Roles required to retrieve the log priority list.

security.authorization.method.IAdministrat… (parameter name truncated in source)
    Default: AcctAdmin,SecAdmin,HelpDeskAdmin,Sys… (truncated in source)
    Roles required to retrieve Unique ID …

…nistrators (parameter name truncated in source)
    Default: AcctAdmin
    Role required to retrieve the list of administrators in the …

security.authorization.method.IAdministrativeService.setSuperAdminPassword
    Default: SuperAdmin
    Role required to set the superadmin password.

…Service.addDomain (prefix truncated in source)
    Default: SystemAdmin,SecAdmin
    Roles required to add domains.

security.authorization.method.IAdministrativeService.removeDomain
    Default: SystemAdmin,SecAdmin
    Roles required to remove domains.

…IAdministrativeService.updateDomain (prefix truncated in source)
    Default: SystemAdmin,SecAdmin
    Roles required to update domains.

…IAdministrativeService.addGroups (prefix truncated in source)
    Default: SystemAdmin,SecAdmin
    Roles required to add groups.

…IAdministrativeService.removeGroup (prefix truncated in source)
    Default: SystemAdmin,SecAdmin
    Roles required to remove groups.

(parameter name truncated in source)
    Role required to reset the superadmin password.

…findLdap… (parameter name truncated in source)
    Default: …dmin,SecAdmin (first role truncated in source)
    Roles required to find LDAP …

…IAdministrativeService.findLdapUsers (prefix truncated in source)
    Default: SystemAdmin,SecAdmin
    Roles required to find LDAP users.

…Service.addUsers (prefix truncated in source)
    Default: SystemAdmin,SecAdmin
    Roles required to add users.

…Service.addLicense (prefix truncated in source)
    Default: SystemAdmin
    Role required to add an enterprise license.

…IAdministrativeService.getLicense (prefix truncated in source)
    Default: SystemAdmin
    Role required to view the enterprise license.

…er.recoverDevice (prefix truncated in source)
    Default: HelpDeskAdmin,SecAdmin
    Roles required to recover a device.

…r.isUserSuspended (prefix truncated in source)
    Default: HelpDeskAdmin,SecAdmin
    Roles required to suspend …

…Service.proxyActivate (prefix truncated in source)
    Default: SecAdmin
    Roles required to activate devices by …

(parameter name truncated in source)
    Default: …Admin (truncated in source)
    Roles required to manually recover a device by …

…getGatekeeperResource (prefix truncated in source)
    Default: SystemAdmin
    Role required to retrieve the Gatekeeper resource …

…approveGatekeeperResource (prefix truncated in source)
    Default: SystemAdmin
    Role required to approve the Gatekeeper resource …

…approveGatekeeperConfig (prefix truncated in source)
    Default: SystemAdmin
    Roles required to approve …

(parameter name truncated in source)
    Default: most-restrictive
    This property controls how the policy mapping algorithm works for policy elements that have a security bias when the policy has multiple parent nodes. Values:
    - least-restrictive: the least restrictive element value from the parents is used
    - most-restrictive: the most restrictive element value from all parents is used
    Leave the default unless you have reviewed which inherited values would change; least-restrictive settles every conflict in favour of the weaker value.

(parameter name truncated in source)
    This flag indicates that the next external synchronization should add or remap all policy elements without setting the modified flag to true. The flag is toggled to false after every synchronization, so it must be reset if the security admin wants to add without modifications. This is an advanced option.

db.schema.version.major
    Major version of the database schema.

db.schema.version.minor
    Minor version of the database schema.

(parameter name truncated in source)
    Patch version of the database schema.

dao.db.driver.dir
    Default: <dell.home>/lib/mssql-microsoft
    Default location of the database driver. If you move this file from the default location, update this parameter.

dao.db.host
    Your database server hostname. This parameter is changed in the Configuration Tool.

dao.db.name
    The name of your database. This parameter is changed in the Configuration Tool.

dao.db.user
    The username with full permissions to your database. This parameter is changed in the Configuration Tool. Use a dedicated SQL login that owns only this database rather than a server-wide administrative account.

dao.db.password
    The password for the username with full permissions to your database. This parameter is changed in the Configuration Tool.

dao.db.max.retry.count
    Default: 10
    The maximum number of times the Compatibility Server attempts to reconnect to the SQL Server when a specified socket error occurs.

dao.db.connection.retry.wait.seconds
    Default: 5
    The first reconnect attempt is immediate. The second happens the specified number of seconds later, the third double the specified number of seconds later, the fourth triple, and so on.

(parameter name truncated in source)
    Default: 10000
    Allows connections to be retired; 0 means do not retire.

(parameter name truncated in source)
    Default: 900
    Used to determine when a connection has not been used and can be closed.

dao.db.driver.socket.errors
    Default: 0
    The Compatibility Server attempts to reconnect to the SQL Server when errors corresponding to the codes in this comma-separated list occur. 0 is the error code for socket errors for Microsoft SQL. You may also add 17142 for server paused errors and 6002 for server shutting down errors.

dao.db.mssql.compatability.level
    Default: 90
    Value for SQL 2005 or higher.

(parameter name truncated in source)
    Default: com.credant.guardian.server.vfs.AuthFileHandler
    Authorization file handler.

(parameter name truncated in source)
    Default: com.credant.guardian.server.vfs.InventoryFileHandler
    Inventory file handler.

(parameter name truncated in source)
    Default: com.credant.guardian.server.vfs.EventFileHandler
    Event file handler.

(parameter name truncated in source)
    Default: <dell.home>/conf/gkresource.xml
    If you move the Gatekeeper resource file from the default location, update this parameter.

(parameter name truncated in source)
    Default: <dell.home>/conf/gkconfig.xml
    If you move the Gatekeeper configuration file from the default location, update this parameter.

rmi.server.registry.host
    Default: localhost
    The host property is only for the benefit of client programs to determine where the registry is. It is not used during creation of the RMI registry and remote objects, which are created on localhost.

rmi.server.registry.port
    Default: 1099
    The RMI registry port is configurable during installation. You can also change the port after installation using this parameter. If you change this value, you also need to configure the Gatekeeper Web …

…r (parameter name truncated in source)
    Default: AcctAdmin,HelpDeskAdmin,SystemAdmin
    Roles required to set Server …

…removeEntity (prefix truncated in source)
    Default: SystemAdmin
    Role required to remove Server …

…Service.setEntityVisibility (prefix truncated in source)
    Default: SystemAdmin
    Role required to set the visibility of …

security.authorization.method.IReportingService.<method> (individual method names truncated in source)
    Default: AcctAdmin,HelpDeskAdmin,SystemAdmin
    Roles required for the reporting methods: view the device …; open a Server …; view the paged …; view the device …; view the operating …; view the device …; view the policy …; view the … detail report; view the encryption … report; view the … summary report.

security.authorization.method.IReportingService.<method> (continued; method names truncated in source)
    Default: AcctAdmin,HelpDeskAdmin,SystemAdmin
    Roles required to view the user detail …; view the group …; view the list of ….

(parameter name truncated in source)
    Default: ForensicAdmin
    This setting is used with a forensic integration plug-in. Contact Dell Support if forensic tool integration is needed.

…Type.nonActiveDirectory.enabled (prefix truncated in source)
    Default: false
    Enabling non-domain activations is an advanced configuration with wide-ranging consequences. BEFORE enabling this configuration, contact Customer Support to discuss your specific environmental needs. Restart the Compatibility Server Service after changing this value. In addition to this setting, create or modify the following registry value on the Windows computer: under the key …ersion\Winlogon\CMGShield (full key path truncated in source), AllowNonDomainActivations, REG_DWORD, value 1.

gkresource.xml

You may change the parameters in <Compatibility Server install dir>\conf\gkresource.xml. We recommend that you track your changes in comments at the beginning of the file. This will allow you to easily transfer your changes to the new file when you upgrade.

NOTE: The gkresource.xml file must be a well-formed XML file. Dell recommends that if you are not familiar with XML, you not attempt to edit this file. Be sure to use entity references where appropriate (&amp;, &lt;, &gt;, &quot;) rather than raw (unescaped) special characters. A System Administrator must approve changes to the Gatekeeper resource file before they take effect.

Enable Domain\Username Format

Add the following string to enable (or disable) the domain\username format. The format is disabled if the string does not exist in the file. It can also be disabled by setting the value to 0.

1 Go to <Compatibility Server install dir>\conf.
2 Open gkresource.xml with an XML editor.
3 Add the string: <string name="EnableGKProbeMultiDomainSupport">1</string>
4 Save and close the file.
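The security.authorization.method.* rows in server_config.xml above are the Server's authorization matrix: each entry names a service method and the comma-separated administrator roles allowed to call it. Before widening any of them (for example, giving HelpDeskAdmin a Gatekeeper approval method), it is worth extracting the whole map and checking what each role can reach. The following Python script is an added example, not code from this guide or from Dell. It assumes the properties are written as <property name="…"><value>…</value></property>, the layout used by the rmi.recovery.host example above, and works on constructed sample entries; the IRecoveryService and IGatekeeperService interface names are assumptions, since the guide truncates them.

```python
"""Audit the security.authorization.method.* role map in server_config.xml."""
import xml.etree.ElementTree as ET
from collections import defaultdict

PREFIX = "security.authorization.method."

# Constructed sample, not a real server_config.xml. The IRecoveryService and
# IGatekeeperService interface names are assumptions (the guide truncates them).
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<server>
  <property name="rmi.server.registry.port"><value>1099</value></property>
  <property name="security.authorization.method.IAdministrativeService.setSuperAdminPassword">
    <value>SuperAdmin</value>
  </property>
  <property name="security.authorization.method.IAdministrativeService.addDomain">
    <value>SystemAdmin,SecAdmin</value>
  </property>
  <property name="security.authorization.method.IAdministrativeService.addLicense">
    <value>SystemAdmin</value>
  </property>
  <property name="security.authorization.method.IRecoveryService.recoverDevice">
    <value>HelpDeskAdmin,SecAdmin</value>
  </property>
  <property name="security.authorization.method.IGatekeeperService.approveGatekeeperConfig">
    <value>SystemAdmin, HelpDeskAdmin</value>
  </property>
</server>
"""


def load_method_roles(xml_text):
    """Return {"Interface.method": {roles}} for every authorization property."""
    root = ET.fromstring(xml_text)
    mapping = {}
    for prop in root.iter("property"):
        name = prop.get("name", "")
        if not name.startswith(PREFIX):
            continue
        value = prop.findtext("value") or ""
        # Roles are comma-separated; tolerate stray whitespace around each one.
        roles = {r.strip() for r in value.split(",") if r.strip()}
        mapping[name[len(PREFIX):]] = roles
    return mapping


def is_authorized(mapping, method, role):
    """Fail closed: a method with no role entry is callable by nobody."""
    return role in mapping.get(method, set())


def roles_to_methods(mapping):
    """Invert the map: which methods can each role call?"""
    inverted = defaultdict(list)
    for method, roles in mapping.items():
        for role in roles:
            inverted[role].append(method)
    return {role: sorted(methods) for role, methods in inverted.items()}


def find_overprivileged(mapping, role, sensitive_markers):
    """Methods the role may call whose name contains any sensitive marker."""
    return sorted(
        method for method in roles_to_methods(mapping).get(role, [])
        if any(marker in method for marker in sensitive_markers)
    )


if __name__ == "__main__":
    table = load_method_roles(SAMPLE_CONFIG)
    for role, methods in sorted(roles_to_methods(table).items()):
        print(role, "->", ", ".join(methods))
    print("HelpDeskAdmin sensitive methods:",
          find_overprivileged(table, "HelpDeskAdmin", ("Gatekeeper", "License", "SuperAdmin")))
```

Run it against a copy of your real server_config.xml by replacing SAMPLE_CONFIG with the file contents; the inverted view is the one to review after any change to these properties, and the fail-closed check in is_authorized is the behaviour you want from any tooling that mirrors this map.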
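The triage schedule in server_config.xml above is a Quartz-style six-field cron expression (seconds, minutes, hours, day-of-month, month, day-of-week, with an optional seventh year field). To confirm what an expression will actually fire before you put it in the file, the Python below, an added example that is not from this guide or from Dell, evaluates the subset of the syntax used here: *, ?, comma lists, a-b ranges and a/b steps. It does not implement Quartz's L, W, # or name tokens, ignores the year field, and is not the Quartz scheduler itself.

```python
"""Evaluate a subset of Quartz cron syntax, e.g. the triage default "0 0 0/6 * * ?"."""
from datetime import datetime, timedelta


def _expand(field, lo, hi):
    """Expand one cron field into the set of integers it matches within [lo, hi]."""
    if field in ("*", "?"):
        return set(range(lo, hi + 1))
    values = set()
    for part in field.split(","):
        if "/" in part:
            base, step_text = part.split("/", 1)
            step = int(step_text)
        else:
            base, step = part, None
        if base == "*":
            start, end = lo, hi
        elif "-" in base:
            a, b = base.split("-", 1)
            start, end = int(a), int(b)
        else:
            start = int(base)
            end = hi if step else start      # "0/6" means 0, 6, 12, ... up to hi
        if start < lo or end > hi or start > end or (step is not None and step < 1):
            raise ValueError("field %r out of range %d-%d" % (field, lo, hi))
        values.update(range(start, end + 1, step or 1))
    return values


def parse_quartz(expr):
    """Return the matched values for each of the six Quartz fields."""
    fields = expr.split()
    if len(fields) not in (6, 7):
        raise ValueError("expected 6 or 7 fields, got %d" % len(fields))
    sec, minute, hour, dom, mon, dow = fields[:6]   # optional year field ignored
    return {
        "sec": _expand(sec, 0, 59),
        "min": _expand(minute, 0, 59),
        "hour": _expand(hour, 0, 23),
        "dom": _expand(dom, 1, 31),
        "mon": _expand(mon, 1, 12),
        "dow": _expand(dow, 1, 7),       # Quartz numbering: 1 = Sunday ... 7 = Saturday
    }


def next_fire_times(expr, after, count):
    """The first `count` fire times strictly after `after`, scanning up to four years."""
    spec = parse_quartz(expr)
    out = []
    day = after.replace(hour=0, minute=0, second=0, microsecond=0)
    limit = day + timedelta(days=366 * 4)
    while day < limit and len(out) < count:
        quartz_dow = (day.weekday() + 1) % 7 + 1   # Python Monday=0 -> Quartz Monday=2
        if day.month in spec["mon"] and day.day in spec["dom"] and quartz_dow in spec["dow"]:
            for h in sorted(spec["hour"]):
                for m in sorted(spec["min"]):
                    for s in sorted(spec["sec"]):
                        t = day.replace(hour=h, minute=m, second=s)
                        if t > after:
                            out.append(t)
                            if len(out) == count:
                                return out
        day += timedelta(days=1)
    return out


if __name__ == "__main__":
    for t in next_fire_times("0 0 0/6 * * ?", datetime(2014, 2, 1, 5, 30), 5):
        print(t.isoformat())
```

For the default triage expression the output is 06:00, 12:00 and 18:00 on the start day, then 00:00 and 06:00 the next day, which matches the "midnight, 6 AM, noon, 6 PM" description above.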

run-service.conf

You may change some of the following parameters in <Compatibility Server install dir>\conf\run-service.conf. These parameters are automatically set at installation. To customize or make configuration changes to any Service:

1 Stop the Service.
2 Remove the Service.
3 Edit and save the run-service.conf file. We recommend that you track your changes in comments at the beginning of the file.
4 Re-install the Service.
5 Start the Service.

Parameter / Default / Description

JAVA_HOME
    Default: …\Dell\Java … (truncated in source)
    Location of the Java installation directory.

(parameter name truncated in source)
    The MAC address in this line is the MAC address of the local Ethernet adapter. If a server has multiple NICs, or you want to bind to an adapter other than the primary adapter, enter the physical MAC address of the NIC here, without …

(parameter name truncated in source)
    Name of the Service.

wrapper.ntservice.displayname
    Default: Dell Compatibility Server
    Display name of the Service.

wrapper.ntservice.description
    Default: Enterprise Compatibility … (truncated in source)
    Description of the Service.

(parameter name truncated in source)
    Service dependencies. Add dependencies as needed, starting from 1.

(parameter name truncated in source)
    Default: AUTO_START
    Mode in which the Service is installed: AUTO_START or DEMAND_START.

(parameter name truncated in source)
    Default: false
    A setting of true allows the Service to interact with the desktop. Leave this false: an interactive service shares its window station with logged-on users, which exposes the service to input from any interactive session.

2 Configure the Core Server

This chapter details the parameters that may be changed to tune the Core Server to your environment.

Only change documented parameters in these files. Changing other data in these files, including tags, can cause system corruption and failure. Dell cannot guarantee that problems resulting from unauthorized changes to these files can be solved without re-installing the Core Server.

Change the Policy Arbitration from Most Secure to Least Secure

PolicyService.config

Modify this setting to change the policy arbitration from most secure to least secure. Change the setting in <Core Server install dir>\PolicyService.config. If the Core Server is running, you must stop the Service, edit the PolicyService.config file, then restart the Service in order for changes to this file to take effect.

We recommend that you track your changes in comments at the beginning of the file. This will allow you to easily transfer your changes to the new PolicyServiceConfig.xml file when you upgrade.

Modify the following section:

<!-- Web Service Targets -->
<object id="PolicyService" singleton="false" type="…cy.ServiceImplementation">
  <property name="TemplateDataAccess" ref="TemplateDataAccess"/>
  <property name="PolicyDataAccess" ref="PolicyDataAccess"/>
  <property name="SupportDataAccess" ref="SupportDataAccess"/>
  <property name="AuditLog" ref="ServiceAuditLog"/>
  <property name="GlobalArbitrationBias" value="1"/>   [change this value from "0" to "1" to set the value to least secure]
</object>

With the default of "0", a policy element that has a security bias and inherits conflicting values from several parent nodes resolves to the most restrictive of those values; with "1" it resolves to the least restrictive, so every such conflict is settled in favour of the weaker setting. Treat this as a deliberate weakening of the policy model and review the effective policies of affected users and devices after changing it.

Disable Web Services

NOTE: This is an advanced setting that should only be changed under the guidance of Customer Support.

To disable web services on the Core Server (for example, if there is a second Core Server installation that only does inventory processing), change the settings in <Core Server install dir>\Credant.Server2.WindowsService.exe.Config and <Core Server install dir>\Spring.config. If the Core Server is running, you must stop the Service, edit the settings in these two files, then restart the Service in order for the changes to take effect.
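The arbitration rule described above (and the matching most-restrictive/least-restrictive property in the Compatibility Server's server_config.xml) is easy to state but worth seeing on concrete values, because flipping GlobalArbitrationBias changes every multi-parent conflict at once. The Python below is an added example, not code from this guide or from Dell: it models a security-biased element as a ranking of its allowed values, arbitrates a list of inherited parent values under either bias, reads the bias out of a PolicyService.config fragment, and reports which elements would weaken if the bias were flipped. The element names, value orderings and parent values are constructed for illustration and are not Dell's policy catalogue.

```python
"""Policy arbitration for security-biased elements that inherit from several parents."""
import xml.etree.ElementTree as ET

MOST_RESTRICTIVE = 0    # GlobalArbitrationBias default ("0")
LEAST_RESTRICTIVE = 1   # GlobalArbitrationBias "1"


def ordered(least_to_most_secure):
    """Key function for enumerated values: position in the secure ordering."""
    order = list(least_to_most_secure)
    return lambda value: order.index(value)   # ValueError for a value outside the catalogue


def lower_is_stricter(value):
    """Key function for numeric limits where a smaller number is more secure."""
    return -value


def arbitrate(parent_values, bias, restrictiveness):
    """Pick the effective value from the values inherited from each parent node."""
    if not parent_values:
        raise ValueError("an element must inherit from at least one parent")
    if bias not in (MOST_RESTRICTIVE, LEAST_RESTRICTIVE):
        raise ValueError("GlobalArbitrationBias must be 0 or 1")
    choose = max if bias == MOST_RESTRICTIVE else min
    return choose(parent_values, key=restrictiveness)


def bias_from_policy_service_config(xml_text):
    """Read GlobalArbitrationBias from a PolicyService.config fragment; absent means 0."""
    root = ET.fromstring(xml_text)
    for prop in root.iter("property"):
        if prop.get("name") == "GlobalArbitrationBias":
            return int(prop.get("value"))
    return MOST_RESTRICTIVE


def weakened_by_least_secure(elements, inherited):
    """Elements whose effective value differs between bias 0 and bias 1, as {name: (strict, loose)}."""
    changed = {}
    for name, key in elements.items():
        strict = arbitrate(inherited[name], MOST_RESTRICTIVE, key)
        loose = arbitrate(inherited[name], LEAST_RESTRICTIVE, key)
        if strict != loose:
            changed[name] = (strict, loose)
    return changed


# Constructed element definitions and inherited values (enterprise, domain, group parents).
REMOVABLE_MEDIA = ordered(["Allow Unencrypted", "Encrypt", "Block"])
ELEMENTS = {"RemovableMedia": REMOVABLE_MEDIA, "MaxLogonAttempts": lower_is_stricter}
INHERITED = {
    "RemovableMedia": ["Encrypt", "Block", "Allow Unencrypted"],
    "MaxLogonAttempts": [5, 10, 3],
}

# Constructed PolicyService.config fragment with the bias already flipped to least secure.
SAMPLE_POLICY_SERVICE_CONFIG = """<objects>
  <object id="PolicyService" singleton="false">
    <property name="AuditLog" ref="ServiceAuditLog"/>
    <property name="GlobalArbitrationBias" value="1"/>
  </object>
</objects>"""


if __name__ == "__main__":
    bias = bias_from_policy_service_config(SAMPLE_POLICY_SERVICE_CONFIG)
    for name, key in ELEMENTS.items():
        print(name, "->", arbitrate(INHERITED[name], bias, key))
    print("would weaken:", weakened_by_least_secure(ELEMENTS, INHERITED))
```

Running weakened_by_least_secure over your real element catalogue and inheritance tree before changing the bias gives you the list of effective values that will change, which is the review the change needs.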

Credant.Server2.WindowsService.exe.Config

Remove the following section:

<!-- Web Services Configuration -->
<system.serviceModel>
  <services configSource="Services.config"/>
  <behaviors configSource="Behaviors.config"/>
  <bindings configSource="Bindings.config"/>
</system.serviceModel>

Spring.config

Remove all the <object> … </object> definitions under the AOP Advice, Web Service Target Definition, and Web Service Host Definition headings.

Enable SMTP Server for License Email Notifications

If using Dell Data Protection Cloud Edition, these settings are automated by using the Server Configuration Tool. Use this procedure if you need to enable the SMTP Server for license email notifications for purposes outside of Dell Data Protection Cloud Edition.

NotificationObjects.config

To configure your SMTP server for license email notifications, modify the NotificationObjects.config file located at <Core Server install dir>.

Modify the following:

<object name="EmailNotification" singleton="false" type="…Notification">   [Do not change this value]
  <property name="NotificationDataFactory" ref="NotificationDataFactory"/>   [Do not change this value]
  <property name="Host" value="test.dell.com"/>
  <property name="Port" value="25"/>
  <property name="Username" value="username"/>
  <property name="Password" value="${SmtpPassword}"/>   [Do not change this value]
  <property name="Logger" ref="NotificationLogger"/>   [Do not change this value]
</object>

Notification.config

If your email server requires authentication, modify the Notification.config file located at <Core Server install dir>.

Modify the following:

<notification>
  <add key="SmtpPassword" value="your email server password"/>
</notification>

The password is stored in clear text in Notification.config, so restrict NTFS permissions on that file to the Core Server service account and administrators, and use a mailbox account that has no rights beyond sending these notifications.

Add Compatibility Server's Folder Location to Core Server Config File

The Core Server, being a .NET application, can sometimes be blocked from accessing registry information due to permissions. To read the secretkeystore (the database encryption key), the Core Server needs to read the Compatibility Server's registry configuration for the location of the secretkeystore. If registry permissions block this access, the Core Server fails to authenticate Console users. This setting adds the Compatibility Server's folder location to the Core Server's config file in case of registry access issues.

1 Navigate to <Core Server install dir>\EntityDataAccessObjects.config.
2 Change the following bold item:

<object id="DomainDataAccess" singleton="f
