Veritas Data Insight Installation Guide

Last Published:
Product(s): Data Insight (6.1.5)
  1. Understanding the Veritas Data Insight architecture
      About Veritas Data Insight
      About the Management Server
    3. About the Collector worker node
        About the Collector
        About the Scanner
      About the Indexer worker node
      About the Classification Server
      About the Self-Service Portal node
      About Communication Service
      About the DataInsightWatchdog service
      About the DataInsightWorkflow service
    10. About Veritas Data Insight installation tiers
        About three-tier installation
        About two-tier installation
        About single-tier installation
  2. Preinstallation
      Preinstallation steps
      Operating system requirements
    3. System requirements for Veritas Data Insight components
        System requirements for classification components
      Supported data sources and platforms
      Supported browsers
      List of ports
      Web server version
  3. Installing Veritas Data Insight
      About installing Veritas Data Insight
      Performing a single-tier installation
      Performing a two-tier installation
      Performing a three-tier installation
      Installing the Management Server
      Installing the worker node
      Installing the Classification Server
      Installing the Self-Service Portal
      Installing a Linux Indexer worker node
  4. Upgrading Veritas Data Insight
      Upgrading Data Insight to 6.1.5
      Upgrading the product data using the Upgrade Data Wizard
      Names and locations of cache files
      Upgrading the Data Insight web service for SharePoint
  5. Post-installation configuration
      Post-installation configuration
      Registering the worker node
    3. About post-installation security configuration for Management Server
        About SSL client/server certificates
        Generating Management Console certificate
      Configuring your corporate firewall
  6. Installing Windows File Server agent
      About Windows File Server agent
      Installing Windows File Server agent manually
      Configuring the Windows File Server using ConfigureWindowsFileServer.exe
  7. Getting started with Data Insight
      About the Data Insight Management Console
      Logging in to the Data Insight Management Console
      Logging out of the Data Insight Management Console
      Displaying online help
  8. Uninstalling Veritas Data Insight
      Uninstalling Veritas Data Insight
  9. Appendix A. Installing Data Insight using response files
      About response files
      Installing Data Insight using response files
      Sample response files

Generating Management Console certificate

The Management Server provides a web interface (administration console) for reporting and administration purposes. You access this interface with a web browser. The Management Server and browser communicate through an SSL connection.

To ensure confidentiality, all communication between the Management Server and the browser is encrypted using a symmetric key. To initiate a connection, the Management Server and browser negotiate the encryption algorithm (algorithm, key size, and encoding) and encryption key to use.

By default, connections between the Management Server and the browser use a single, self-signed certificate. The Management Server generates the certificate at install time and is unique to your deployment. The certificate is present on the Management Server node in a folder called keys under the data folder. The file is called webserver.keystore. While this certificate is secure, you get a warning message in the browser when accessing the web interface because it is a self-signed certificate. To avoid getting this warning, Veritas recommends that you generate a unique certificate for your organization's installation. This new certificate replaces the default certificate.

To generate a unique Management Console certificate

  1. Collect the following information to generate a certificate request:
    • Common name

      The fully qualified DNS name of the Management Server. This name must be the actual name of the server that is accessible by all the clients.

    • Organization name

      For example, Veritas, Inc.

    • Organizational unit (optional)

    • City

      For example, San Francisco

    • State

      For example, CA

    • Country

      For example, US

    • Expiration

      Expiration time in days (90)

  2. Use keytool.exe to create the self-signed certificate (keystore file), which you need to generate the Certificate Signing Request (CSR). keytool.exe is a utility for managing keys and certificates. These items are used in self-authentication or data integrity and authentication services, using digital signatures. Certificates also enable users to cache the public keys of their communicating peers.

    To create this file, go to the root directory of the Veritas Data Insight installation and perform the following steps in this order:

    • From a command window, go to the installdir\DataInsight\jre\bin directory, where installdir is the directory into which you installed the Management Server.

    • Run the following command with the information collected in 1:

      keytool -genkey -alias tomcat -keyalg RSA -validity 730 -keysize 1024
      -keypass changeit -keystore webserver.keystore -storepass changeit 
      -storetype JKS -dname cn=common_name,o=organization_name,

    The -storepass changeit command sets the password to changeit. Enter this password if you are prompted for a password after running the command. This command creates the self-signed certificate (webserver.keystore) in the <installdir>\jre\bin directory.


    Veritas recommends that you set the password as changeit. If you want to use a different password, perform the additional steps mentioned in 11 before you start the DataInsightWeb service.

  3. Generate the certificate signing request (CSR) file. The CSR file is the request that you submit to the Signature Authority to obtain a signed certificate.

    From the <installdir>\jre\bin directory and run the following command:

    keytool -certreq -alias tomcat -keyalg RSA -keystore webserver.keystore 
    -storetype JKS -storepass changeit -file "DataInsight.csr"

    If you are prompted for a password, press Enter. This command creates a file called DataInsight.csr. You submit this file to the Signature Authority.

  4. To generate a certificate you send the .CSR file to a Certified Signature Authority (your own or a third party, such as VeriSign).

    To obtain a signed certificate from your internal Signature Authority, contact your system administrator for instructions.

    For the VeriSign Signature Authority, perform one of the following actions:

    • Current Customers

      If you are a current VeriSign customer, go to the following page and buy an additional certificate:

      You need your Common Name, Order Number, or serial number to begin the transaction, as well as the CSR.

    • New customers

      If you are not a current customer and want to purchase the signed certificate from VeriSign, go to the following page:

      To purchase the signed certificate, you need the following information, in addition to the CSR:

      • The length of time for the certificate (one year or two years).

      • The number of servers that host a single domain (up to five servers).

      • The server platform.

      • The organization, organizational unit, country, state, or locality (all spelled without abbreviations).

      • Payment information and a billing contact.

      • The common name. This name is the host name and domain name, such as or

      • An email where VeriSign can reach you to validate the information.

      • Documentation to demonstrate that your organization is legitimate.

    To obtain signed certificates from other Signature Authorities, go to their web sites and follow the instructions to enroll and obtain a signed certificate. This process is similar to the VeriSign process. However, check with the organization to identify any additional environment information that may be needed for the certificate.

    The certified Signature Authority sends you the signed certificate (this process might take 3-5 days). Internal Signature Authorities must return the root certificate along with the signed certificate.

  5. Place the signed certificate into the directory (<installdir>\jre\bin) with the webserver.keystore file. To email the certificate, paste it into a text document exactly as it appears on the screen. Include the top line and bottom line (-----Begin Certificate----- and -----End Certificate-----). Make sure that no extra lines, spaces, trailing carriage returns, or characters have been inadvertently added. Save this file in the same directory where the webserver.keystore file is located. If the signed certificate is provided as an attachment to an email, copy this file into the same directory where the webserver.keystore file is located.
  6. Keep a copy of both the webserver.keystore file and the signed certificate file in a separate, secure location.
  7. Confirm the signed certificate is correct. Open a command prompt and run the following command to view the certificate's fingerprint(s)

    keytool -printcert -file signed_certificate_filename

    The following is an example output:

    Owner: CN=ll, OU=ll, O=ll, L=ll, S=ll, C=ll
    Issuer: CN=ll, OU=ll, O=ll, L=ll, S=ll, C=ll
    Serial Number: 59092b34
    Valid from: Thu Sep 25 18:01:13 PDT 1997 until: Wed Dec 24 17:01:13
    PST 1997
    Certificate Fingerprints:
    MD5: 11:81:AD:92:C8:E5:0E:A2:01:2E:D4:7A:D7:5F:07:6F SHA1: 
    20:B6:17:FA:EF:E5:55:8A:D0:71:1F:E8:D6:9D:C0:37 37:13:0E:5E:FE
  8. Call or email the person who sent the certificate and compare the fingerprint(s) you see with the fingerprint(s) they sent you. If the fingerprint(s) are not exactly equivalent, the certificate may have been replaced in transit by an attacker's certificate.

    If you used an Internal Signing Authority, also view the fingerprint(s) of the root certificate using the same -printcert command.

    keytool -printcert -file


    Compare the displayed fingerprint with the well-known fingerprint (obtained from a newspaper or the root CA's web page). Contact the certificate's issuer if you have questions.

    When you execute the command, the -importcert command prints out the certificate information and prompts you to verify it.

  9. Return to the <installdir>jre\bin directory and update the local webserver.keystore file with the signed certificate as follows:
    • Internal signature authority

      Use the following command to update the webserver.keystore file with the root certificate:

      <installdir>\jre\bin\keytool.exe -importcert -file 
      root_certificate_filename -keystore webserver.keystore 
      -storepass changeit

      Use the following command to update the webserver.keystore file with the signed certificate:

      -importcert -alias tomcat -keystore webserver.keystore -trustcacerts 
      -file signed_certificate_filename
    • VeriSign or third-party signature authority

      Use the following command to update the local webserver .keystore file with the signed certificate:

      -importcert -alias tomcat -keystore webserver.keystore -trustcacerts
      -file signed_certificate_filename
  10. Copy the updated webserver.keystore file into the $datadir\keys directory. By default, $datadir is located at C:\DataInsight\data. Note that this operation overwrites an existing file of the same name in that location. Rename the existing file if you want to keep it.
  11. If you have used a password other than changeit in 2, perform the following additional steps:
    • Log into the Management Server with Administrator privileges.

    • Open a command prompt window, and change to the bin directory in the installation folder for Data Insight. By default, the bin directory is located at C:\Program Files\DataInsight\bin.

    • Execute the following command:

      configcli.exe keystore_password webserver <new password>

  12. Restart the Data Insight web service by performing the following steps in the specified order:
    • net stop DataInsightWeb

    • net start DataInsightWeb