How to install IBM Security Governance and Intelligence IGI 5.2

How to install ISIG 5 Virtual Appliance

This is an example of how to install a 2-system demo IGI environment, using external SLES VMs for DB and LDAP.

Create the Data VM

  • Use NAT network 10.10.1.1/24
  • Data VM setup - enable shared folder (automount and permanent), put the user into the vboxsf group, enable bidirectional clipboard
  • Disable firewall - start yast, go to Firewall under Security Settings, stop it and disable it from autostart.

Configure SMTP server on SLES

Run yast, go to Mail, select "standard", make sure "accept remote SMTP" is checked and accept all other defaults.

Manual way:

sudo chkconfig postfix on
mv /etc/sysconfig/postfix /etc/sysconfig/postfix.old
sudo vi /etc/postfix/main.cf and set
inet_interfaces = all
sudo /etc/init.d/postfix restart

(inet_interfaces = all makes postfix listen on every interface, and the firewall is disabled above; keep mynetworks limited to the lab subnet so the default relay restrictions only relay for the lab.)

IGI 5.2 docs

DB2 install on the SLES server

Mount the shared folder:

sudo mount -t vboxsf Shared_Folder /mnt
sudo ./db2_install

Use the default folder /opt/ibm/db2/V10.5
Select SERVER
Answer no to pureScale

FP install

sudo ./installFixPack -b /opt/ibm/db2/V10.5
Check the DB2 version:
/usr/local/bin/db2ls

SDS 6.4 install on a SLES system (using the DB2 installed previously)

IGI docs - http://www-01.ibm.com/support/knowledgecenter/SSGHJR_5.2.0/com.ibm.igi.doc/installing/tsk/t_install_igiva_unix_ldap.html?lang=en
(SDS's own docs are here - http://www-01.ibm.com/support/knowledgecenter/SSVJJU_6.4.0/com.ibm.IBMDS.doc_6.4/t_po_SDS_custom_sysreq.html?lang=en)
You need a graphical environment as root; the easiest way to get it is:

ssh -X root@localhost
/media/DirectoryV6.4/launchpad.sh

Pick IBM Directory Server installation, then Install SDS.
Hit next, accept the license, accept the Installation Manager defaults, accept the default path (/opt/ibm/ldap/V6.4)
On the features page deselect DB2, reselect Server, hit next
The next page should find the DB2 server you installed before
Accept all defaults (ibm_jdk 6.0.16.2-ISS-JAVA-LinuxX64-FP0002.tar will be installed)

Note: You need a separate install of WAS 8.5.5 for the web admin tool to work

FP install

From the fixpack folder:
sudo ./idsinstall -u -f
Verify:
rpm -qa | grep idsldap

Configure DB2

Per http://www-01.ibm.com/support/knowledgecenter/SSGHJR_5.2.0/com.ibm.igi.doc/installing/tsk/t_db2_configuring_isig.html?lang=en
sudo to root:

useradd -g root igiinst
passwd igiinst (set the password to "ideas")
mkdir /home/igiinst
chown igiinst /home/igiinst
/opt/ibm/db2/V10.5/instance/db2icrt -u igiinst igiinst

Get the DB instance port: grep DB2_igiinst /etc/services

su - igiinst
. sqllib/db2profile 
db2 update dbm cfg using SVCENAME [port from the previous command - 60000]
db2set DB2COMM=tcpip
db2set -all DB2COMM
db2start
db2set DB2_COMPATIBILITY_VECTOR=ORA
db2set DB2_RESTRICT_DDF=TRUE
db2stop force
db2start
db2 create database IGI_DB
db2 connect to IGI_DB
db2 update db cfg using LOGFILSIZ 5000 LOGPRIMARY 50 LOGSECOND 50
db2 create bufferpool IDEAS_BP IMMEDIATE PAGESIZE 32K
db2 create system temporary tablespace IDEAS_SYS_TEMP pagesize 32k bufferpool IDEAS_BP
db2 create user temporary tablespace IDEAS_TEMP pagesize 32k bufferpool IDEAS_BP
db2stop force
db2start 

unzip SEC_IDNTY_GVN_INTL_xxx_V5.2_DT_IN_.zip
cd into that directory
Run chmod -R 777 * (this also makes the scripts world-writable; u+rwx is enough to run them as the owner)

cd __FOR_DBAs__
dos2unix unix_create_users.sh
sudo ./unix_create_users.sh

Edit DB_INSTALLATION/login.sql and set
DEFINE ISIG_DB = 10.10.1.50:60000/IGI_DB

Log off, and log in as the root user (the next steps use the X server, but ssh X forwarding does not work here - it gives some garbage on SLES)

. ~igiinst/sqllib/db2profile 
From IGI-db2scripts/DB_INSTALLATION run
clpplus igiinst/ideas@10.10.1.50:60000/IGI_DB @01-FULL-TBLS_USER_AND_OBJ-CREATION.sql

When prompted for the database path, enter /home/igiinst/igiinst/NODE0000/IGI_DB
When prompted for the size, enter (M)
Wait for the command to complete - the SQL> prompt should come back
The log is in the folder you were in - IGI_V5_2_0_Installation.log

Configuring LDAP

Done per the ISIM 7.0 manual LDAP configuration steps: https://www-01.ibm.com/support/knowledgecenter/SSRMWJ_7.0.0/com.ibm.isim.doc_7.0/installing/tsk/tsk_ic_ins_dir_itds_config_manual.htm
(note that another DB2 instance and database, IGIDB, will be created for the LDAP server, as opposed to IGI_DB, which is used for IGI data storage)

sudo to root
cd /opt/IBM/ldap/V6.4/sbin
Create a user and add it to the proper group
./idsadduser -n -u igildap -w Passw0rd -g idsldap -l /home/igildap
Create the LDAP instance with the same name as the user
./idsicrt -I igildap -e seedseedseed -l /home/igildap
Create the DB for the instance
./idscfgdb -I igildap -a igildap -w Passw0rd -t igidb -l /home/igildap
Set cn=root password
./idsdnpw -I igildap -u cn=root -p Passw0rd
Create the default suffix
./idscfgsuf -I igildap -s dc=com
vi /tmp/dccom.ldif with the following content (the domain object class requires the dc attribute, so it is included):

dn: dc=com
objectclass: domain
dc: com

Start the instance
./ibmslapd -I igildap -n -t &
Wait until it says 'server started', then import the file
../bin/idsldapadd -D cn=root -w Passw0rd -f /tmp/dccom.ldif

Configure the IGI VA

Go to http://10.10.1.20:9443 and log in as admin/admin

Host name 10.10.1.50
LDAP: Gnosis Corp, gnosis
DB name: IGI_DB
User password: ideas

Reboot and test by going to the VA admin console and checking that all the components are working,
and then log in to
https://vbox:9343/ideas
as admin/admin

After everything has been verified

Set DB2 to start on boot:
su - igiinst (not igildap - the DB2 instance for LDAP is started automatically by ibmslapd)

. sqllib/db2profile 
db2iauto -on igiinst

Check:
grep DB2AUTOSTART sqllib/profile.env
It should say 'YES'

Re-add the startup for the fault monitor.
To remove it from inittab, init.d and systemd (for RHEL):

grep db2fm /etc/inittab
fmc:2345:respawn:/opt/ibm/db2/V10.5/bin/db2fmcd #DB2 Fault Monitor Coordinator
sudo db2fmcu -d
grep db2fm /etc/inittab

To re-add it to inittab, init.d and systemd:

sudo db2fmcu -u -p /opt/ibm/db2/V10.5/bin/db2fmcd
grep db2fm /etc/inittab
fmc:2345:respawn:/opt/ibm/db2/V10.5/bin/db2fmcd #DB2 Fault Monitor Coordinator

Start the fault monitor daemon
db2fm -U
Start the fault monitor service
db2fm -u
Turn it on for this instance
db2fm -f on
Validate that it is configured
db2fm -s -S
It should show

Gcf module 'fault monitor' state is AVAILABLE
Gcf module '/opt/ibm/db2/V10.5/lib64/libdb2gcf.so' state is AVAILABLE

In case of error it shows:

Gcf module 'fault monitor' is NOT operable - means it is not configured
Gcf module '/opt/ibm/db2/V10.5/lib64/libdb2gcf.so' is INSTALLED PROPERLY but NOT ALIVE

Set LDAP to start on boot:
sudo vi /etc/inittab
add at the end
ids1:2345:once:/opt/IBM/ldap/V6.4/sbin/ibmslapd -I igildap > /dev/null 2>&1

Reboot
Check that the DB is started: su into the instance owner (igiinst in this setup)

su - db2admin
db2fm -s -S
db2 list active databases

Check LDAP - look for a listener on port 389
netstat -pant | grep 389
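The post-reboot checks above can be scripted. The following is an added example, not from the page or from IBM; it assumes the names used in this guide (instance igiinst, DB2 under /opt/ibm/db2/V10.5, LDAP instance igildap on 389, DB2 port 60000) and adds a port 25 check for the postfix setup from the SMTP section.

```shell
#!/bin/sh
# Post-reboot health check for the data VM built in this guide (added example,
# not from the page or from IBM). Assumed names: instance igiinst, DB2 under
# /opt/ibm/db2/V10.5, LDAP instance igildap on port 389, DB2 on port 60000.
# Each check parses text passed as $1, so it runs on captured output as well as live.

# 0 when 'db2fm -s -S' output reports both Gcf modules as AVAILABLE.
fm_ok() {
  printf '%s\n' "$1" | grep -q "Gcf module 'fault monitor' state is AVAILABLE" &&
  printf '%s\n' "$1" | grep -q "libdb2gcf.so' state is AVAILABLE"
}

# 0 when the instance's sqllib/profile.env text enables autostart.
autostart_ok() { printf '%s\n' "$1" | grep -q 'DB2AUTOSTART=YES'; }

# 0 when 'netstat -pant' text ($1) shows a LISTEN socket on port $2.
listening() { printf '%s\n' "$1" | grep -E ":$2[[:space:]]" | grep -q LISTEN; }

# 0 when /etc/inittab text carries both startup entries added in this guide.
inittab_ok() {
  printf '%s\n' "$1" | grep -q '^fmc:2345:respawn:.*db2fmcd' &&
  printf '%s\n' "$1" | grep -q '^ids1:2345:once:.*ibmslapd -I igildap'
}

# Constructed sample outputs (what a healthy box prints) for a dry run / test.
SAMPLE_FM="Gcf module 'fault monitor' state is AVAILABLE
Gcf module '/opt/ibm/db2/V10.5/lib64/libdb2gcf.so' state is AVAILABLE"
SAMPLE_NETSTAT="tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 2210/ibmslapd
tcp 0 0 10.10.1.50:60000 10.10.1.20:41218 ESTABLISHED 2501/db2sysc"

# Live run (as root): collect the real outputs and print OK/FAIL per check.
run_checks() {
  rc=0
  report() { label=$1; shift; if "$@"; then echo "OK   $label"; else echo "FAIL $label"; rc=1; fi; }
  report "DB2 fault monitor" fm_ok "$(su - igiinst -c '. sqllib/db2profile && db2fm -s -S' 2>/dev/null)"
  report "DB2AUTOSTART=YES" autostart_ok "$(cat /home/igiinst/sqllib/profile.env 2>/dev/null)"
  report "inittab entries" inittab_ok "$(cat /etc/inittab 2>/dev/null)"
  ns=$(netstat -pant 2>/dev/null)
  report "LDAP listening on 389" listening "$ns" 389
  report "DB2 listening on 60000" listening "$ns" 60000
  report "Postfix listening on 25" listening "$ns" 25
  return $rc
}

if [ "${1:-}" = "--live" ]; then run_checks; fi
```

Run it as root with --live after the reboot; without the flag it only defines the checks, so the functions can be sourced and pointed at saved output from another host.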

http://www-01.ibm.com/support/docview.wss?uid=swg21209001

idmdepot.com:Technical Notes:Inside a mesa virtual appliance
idmdepot.com:Troubleshooting:IGI Troubleshooting
Running ISIM or ISIG VA on VirtualBox