Veritas Data Insight Installation Guide

Last Published:
Product(s): Data Insight (6.1.5)
  1. Understanding the Veritas Data Insight architecture
    1.  
      About Veritas Data Insight
    2.  
      About the Management Server
    3. About the Collector worker node
      1.  
        About the Collector
      2.  
        About the Scanner
    4.  
      About the Indexer worker node
    5.  
      About the Classification Server
    6.  
      About the Self-Service Portal node
    7.  
      About Communication Service
    8.  
      About the DataInsightWatchdog service
    9.  
      About the DataInsightWorkflow service
    10. About Veritas Data Insight installation tiers
      1.  
        About three-tier installation
      2.  
        About two-tier installation
      3.  
        About single-tier installation
  2. Preinstallation
    1.  
      Preinstallation steps
    2.  
      Operating system requirements
    3. System requirements for Veritas Data Insight components
      1.  
        System requirements for classification components
    4.  
      Supported data sources and platforms
    5.  
      Supported browsers
    6.  
      List of ports
    7.  
      Web server version
  3. Installing Veritas Data Insight
    1.  
      About installing Veritas Data Insight
    2.  
      Performing a single-tier installation
    3.  
      Performing a two-tier installation
    4.  
      Performing a three-tier installation
    5.  
      Installing the Management Server
    6.  
      Installing the worker node
    7.  
      Installing the Classification Server
    8.  
      Installing the Self-Service Portal
    9.  
      Installing a Linux Indexer worker node
  4. Upgrading Veritas Data Insight
    1.  
      Upgrading Data Insight to 6.1.5
    2.  
      Upgrading the product data using the Upgrade Data Wizard
    3.  
      Names and locations of cache files
    4.  
      Upgrading the Data Insight web service for SharePoint
  5. Post-installation configuration
    1.  
      Post-installation configuration
    2.  
      Registering the worker node
    3. About post-installation security configuration for Management Server
      1.  
        About SSL client/server certificates
      2.  
        Generating Management Console certificate
    4.  
      Configuring your corporate firewall
  6. Installing Windows File Server agent
    1.  
      About Windows File Server agent
    2.  
      Installing Windows File Server agent manually
    3.  
      Configuring the Windows File Server using ConfigureWindowsFileServer.exe
  7. Getting started with Data Insight
    1.  
      About the Data Insight Management Console
    2.  
      Logging in to the Data Insight Management Console
    3.  
      Logging out of the Data Insight Management Console
    4.  
      Displaying online help
  8. Uninstalling Veritas Data Insight
    1.  
      Uninstalling Veritas Data Insight
  9. Appendix A. Installing Data Insight using response files
    1.  
      About response files
    2.  
      Installing Data Insight using response files
    3.  
      Sample response files

Generating Management Console certificate

The Management Server provides a web interface (administration console) for reporting and administration purposes. You access this interface with a web browser. The Management Server and browser communicate through an SSL connection.

To ensure confidentiality, all communication between the Management Server and the browser is encrypted using a symmetric key. To initiate a connection, the Management Server and browser negotiate the encryption algorithm (algorithm, key size, and encoding) and encryption key to use.

By default, connections between the Management Server and the browser use a single, self-signed certificate. The Management Server generates the certificate at install time and is unique to your deployment. The certificate is present on the Management Server node in a folder called keys under the data folder. The file is called webserver.keystore. While this certificate is secure, you get a warning message in the browser when accessing the web interface because it is a self-signed certificate. To avoid getting this warning, Veritas recommends that you generate a unique certificate for your organization's installation. This new certificate replaces the default certificate.

To generate a unique Management Console certificate

  1. Collect the following information to generate a certificate request:
    • Common name

      The fully qualified DNS name of the Management Server. This name must be the actual name of the server that is accessible by all the clients.

    • Organization name

      For example, Veritas, Inc.

    • Organizational unit (optional)

    • City

      For example, San Francisco

    • State

      For example, CA

    • Country

      For example, US

    • Expiration

      Expiration time in days (90)

  2. Use keytool.exe to create the self-signed certificate (keystore file), which you need to generate the Certificate Signing Request (CSR). keytool.exe is a utility for managing keys and certificates. These items are used in self-authentication or data integrity and authentication services, using digital signatures. Certificates also enable users to cache the public keys of their communicating peers.

    To create this file, go to the root directory of the Veritas Data Insight installation and perform the following steps in this order:

    • From a command window, go to the installdir\DataInsight\jre\bin directory, where installdir is the directory into which you installed the Management Server.

    • Run the following command with the information collected in 1:

      keytool -genkey -alias tomcat -keyalg RSA -validity 730 -keysize 1024
      -keypass changeit -keystore webserver.keystore -storepass changeit 
      -storetype JKS -dname cn=common_name,o=organization_name,
      ou=organization_unit,l=city,s=state,c=US
      

    The -storepass changeit command sets the password to changeit. Enter this password if you are prompted for a password after running the command. This command creates the self-signed certificate (webserver.keystore) in the <installdir>\jre\bin directory.

    Note:

    Veritas recommends that you set the password as changeit. If you want to use a different password, perform the additional steps mentioned in 11 before you start the DataInsightWeb service.

  3. Generate the certificate signing request (CSR) file. The CSR file is the request that you submit to the Signature Authority to obtain a signed certificate.

    From the <installdir>\jre\bin directory and run the following command:

    keytool -certreq -alias tomcat -keyalg RSA -keystore webserver.keystore 
    -storetype JKS -storepass changeit -file "DataInsight.csr"

    If you are prompted for a password, press Enter. This command creates a file called DataInsight.csr. You submit this file to the Signature Authority.

  4. To generate a certificate you send the .CSR file to a Certified Signature Authority (your own or a third party, such as VeriSign).

    To obtain a signed certificate from your internal Signature Authority, contact your system administrator for instructions.

    For the VeriSign Signature Authority, perform one of the following actions:

    • Current Customers

      If you are a current VeriSign customer, go to the following page and buy an additional certificate: http://www.symantec.com/ssl-certificates/?themeid=verisign-ssl-certificates&inid=vrsn_ss_Index

      You need your Common Name, Order Number, or serial number to begin the transaction, as well as the CSR.

    • New customers

      If you are not a current customer and want to purchase the signed certificate from VeriSign, go to the following page: http://www.VeriSign.com/products-services/security-services/ssl/buy-ssl-certificates/index.html.

      To purchase the signed certificate, you need the following information, in addition to the CSR:

      • The length of time for the certificate (one year or two years).

      • The number of servers that host a single domain (up to five servers).

      • The server platform.

      • The organization, organizational unit, country, state, or locality (all spelled without abbreviations).

      • Payment information and a billing contact.

      • The common name. This name is the host name and domain name, such as www.company.com or company.com.

      • An email where VeriSign can reach you to validate the information.

      • Documentation to demonstrate that your organization is legitimate.

    To obtain signed certificates from other Signature Authorities, go to their web sites and follow the instructions to enroll and obtain a signed certificate. This process is similar to the VeriSign process. However, check with the organization to identify any additional environment information that may be needed for the certificate.

    The certified Signature Authority sends you the signed certificate (this process might take 3-5 days). Internal Signature Authorities must return the root certificate along with the signed certificate.

  5. Place the signed certificate into the directory (<installdir>\jre\bin) with the webserver.keystore file. To email the certificate, paste it into a text document exactly as it appears on the screen. Include the top line and bottom line (-----Begin Certificate----- and -----End Certificate-----). Make sure that no extra lines, spaces, trailing carriage returns, or characters have been inadvertently added. Save this file in the same directory where the webserver.keystore file is located. If the signed certificate is provided as an attachment to an email, copy this file into the same directory where the webserver.keystore file is located.
  6. Keep a copy of both the webserver.keystore file and the signed certificate file in a separate, secure location.
  7. Confirm the signed certificate is correct. Open a command prompt and run the following command to view the certificate's fingerprint(s)

    keytool -printcert -file signed_certificate_filename

    The following is an example output:

    Owner: CN=ll, OU=ll, O=ll, L=ll, S=ll, C=ll
    Issuer: CN=ll, OU=ll, O=ll, L=ll, S=ll, C=ll
    Serial Number: 59092b34
    Valid from: Thu Sep 25 18:01:13 PDT 1997 until: Wed Dec 24 17:01:13
    PST 1997
    Certificate Fingerprints:
    MD5: 11:81:AD:92:C8:E5:0E:A2:01:2E:D4:7A:D7:5F:07:6F SHA1: 
    20:B6:17:FA:EF:E5:55:8A:D0:71:1F:E8:D6:9D:C0:37 37:13:0E:5E:FE
  8. Call or email the person who sent the certificate and compare the fingerprint(s) you see with the fingerprint(s) they sent you. If the fingerprint(s) are not exactly equivalent, the certificate may have been replaced in transit by an attacker's certificate.

    If you used an Internal Signing Authority, also view the fingerprint(s) of the root certificate using the same -printcert command.

    keytool -printcert -file

    name_of_root_certificate_provided_by_internal_signature_authority

    Compare the displayed fingerprint with the well-known fingerprint (obtained from a newspaper or the root CA's web page). Contact the certificate's issuer if you have questions.

    When you execute the command, the -importcert command prints out the certificate information and prompts you to verify it.

  9. Return to the <installdir>jre\bin directory and update the local webserver.keystore file with the signed certificate as follows:
    • Internal signature authority

      Use the following command to update the webserver.keystore file with the root certificate:

      <installdir>\jre\bin\keytool.exe -importcert -file 
      root_certificate_filename -keystore webserver.keystore 
      -storepass changeit
       
      

      Use the following command to update the webserver.keystore file with the signed certificate:

      <installdir>\jre\bin\keytool 
      -importcert -alias tomcat -keystore webserver.keystore -trustcacerts 
      -file signed_certificate_filename
    • VeriSign or third-party signature authority

      Use the following command to update the local webserver .keystore file with the signed certificate:

      <installdir>\jre\bin\keytool 
      -importcert -alias tomcat -keystore webserver.keystore -trustcacerts
      -file signed_certificate_filename
  10. Copy the updated webserver.keystore file into the $datadir\keys directory. By default, $datadir is located at C:\DataInsight\data. Note that this operation overwrites an existing file of the same name in that location. Rename the existing file if you want to keep it.
  11. If you have used a password other than changeit in 2, perform the following additional steps:
    • Log into the Management Server with Administrator privileges.

    • Open a command prompt window, and change to the bin directory in the installation folder for Data Insight. By default, the bin directory is located at C:\Program Files\DataInsight\bin.

    • Execute the following command:

      configcli.exe keystore_password webserver <new password>

  12. Restart the Data Insight web service by performing the following steps in the specified order:
    • net stop DataInsightWeb

    • net start DataInsightWeb