Important Update: Cohesity Products Documentation

All Cohesity product documentation are now managed via the Cohesity Docs Portal: https://docs.cohesity.com/HomePage/Content/home.htm. Some documentation available here may not reflect the latest information or may no longer be accessible.

Arctera Insight Information Governance Installation Guide

Last Published:
Product(s): Data Insight (7.2)
Platform: Windows
  1. Understanding the Arctera Insight Information Governance architecture
    1.  
      About Arctera Insight Information Governance
    2.  
      About the Management Server
    3. About the Collector worker node
      1.  
        About the Collector
      2.  
        About the Scanner
    4.  
      About the Indexer worker node
    5.  
      About the Classification worker node
    6.  
      About the Self-Service Portal node
    7.  
      About Communication Service
    8.  
      About the DataInsightWatchdog service
    9.  
      About the DataInsightWorkflow service
    10. About Arctera Insight Information Governance installation tiers
      1.  
        About three-tier installation
      2.  
        About two-tier installation
      3.  
        About single-tier installation
  2. Preinstallation
    1.  
      Pre-installation steps
    2.  
      Minimum system requirements
    3.  
      System requirements for classification components
  3. Installing Arctera Insight Information Governance
    1.  
      About installing Arctera Insight Information Governance
    2.  
      Federal Information Processing Standards (FIPS)
    3.  
      Performing a single-tier installation
    4.  
      Performing a two-tier installation
    5.  
      Performing a three-tier installation
    6.  
      Installing the Management Server
    7.  
      Installing the worker node
    8.  
      Installing the Classification Server
    9.  
      Installing the Self-Service Portal
    10.  
      Installing a Linux Classification Server or Collector worker node
    11.  
      Installing Arctera Insight Information Governance in Azure Cloud Environment
    12.  
      Installing Arctera Insight Information Governance in AWS Cloud Environment
  4. Upgrading Arctera Insight Information Governance
    1.  
      Upgrading Information Governance to 7.2
    2.  
      Upgrading the product data using the Upgrade Data Wizard
    3.  
      Names and locations of cache files
    4.  
      Upgrading the Information Governance web service for SharePoint
  5. Post-installation configuration
    1.  
      Post-installation configuration
    2.  
      Registering the worker node
    3. About post-installation security configuration for Management Server
      1.  
        About SSL client/server certificates
      2.  
        Enabling CA signed certificates for inter-node communication
      3.  
        Generating Management Console certificate
    4.  
      Configuring your corporate firewall
  6. Installing Windows File Server agent
    1.  
      About Windows File Server agent
    2.  
      Installing Windows File Server agent manually
    3.  
      Configuring the Windows File Server using ConfigureWindowsFileServer.exe
  7. Getting started with Information Governance
    1.  
      About the Information Governance Management Console
    2.  
      Logging in to the Information Governance Management Console
    3.  
      Logging out of the Information Governance Management Console
    4.  
      Displaying online help
  8. Uninstalling Arctera Insight Information Governance
    1.  
      Uninstalling Arctera Insight Information Governance
  9. Appendix A. Installing Information Governance using response files
    1.  
      About response files
    2.  
      Installing Information Governance using response files
    3.  
      Sample response files

Enabling CA signed certificates for inter-node communication

If you want to opt for CA signed certificates, perform the following steps on the Management Server

  1. Create a backup of <Data_Dir>\keys\commd.keystore.
  2. Create a backup of <Install_Dir>\jre\lib\security\cacerts.
  3. Import CA Issued Certifcate file (pfx) to the commd keystore. There are separate commands for FIPS and non FIPS mode. Execute either one command as per your FIPS configuration status.

    • For FIPS Mode, execute the following command: "C:\Program Files\DataInsight\jre\bin\keytool.exe" -importkeystore -srckeystore "<Location of .pfx file>" -destkeystore "C:\DataInsight\data\keys\commd_new.keystore" -srcalias <certificate Entry Name> -destalias tomcat -deststoretype bcfks -destkeypass changeit -provider com.safelogic.cryptocomply.jcajce.provider.CryptoComplyFipsProvider -providerpath "C:\Program Files\DataInsight\jre\lib\ext\ccj-3.0.1.jar"

    • For Non-FIPS Mode execute the following command: "C:\Program Files\DataInsight\jre\bin\keytool.exe" -importkeystore -srckeystore "<Location of .pfx file>" -destkeystore "C:\DataInsight\data\keys\commd_new.keystore" -srcalias <certificate Entry Name> -destalias tomcat -deststoretype jks -destkeypass changeit

  4. Create a copy of <Install_Dir>\jre\lib\security\cacerts and rename the copy as <Install_Dir>\jre\lib\security\cacerts_new.
  5. You need to delete the self-signed certificate from the cacerts keystore by executing a command. There are separate commands for FIPS and non FIPS mode. Execute either one command as per your FIPS configuration status.

    • For FIPS Mode, execute the following command: "C:\Program Files\DataInsight\jre\bin\keytool.exe" -delete -alias tomcatTrustedCA -storepass changeit -keystore "C:\Program Files\DataInsight\jre\lib\security\cacerts_new" -storetype bcfks -provider com.safelogic.cryptocomply.jcajce.provider.CryptoComplyFipsProvider -providerpath "C:\ProgramFiles\DataInsight\jre\lib\ext\ccj-3.0.1.jar"

    • For Non-FIPS Mode execute the following command: "C:\Program Files\DataInsight\jre\bin\keytool.exe" -delete -alias tomcatTrustedCA -storepass changeit -keystore "C:\Program Files\DataInsight\jre\lib\security\cacerts_new"

  6. If you already have root certificate (.CER) file provided by the certification authority, execute the command given in step 8.
  7. If you do not have root certificate, follow the steps given below to export Root Certificate using MMC and then execute the command given in step 8.

    • Press the Windows key+R in your system.

    • In the Run window, enter mmc.exe to open MMC.

    • Go to File > Add/Remove Snap-in.

    • In the Add or Remove Snap-ins window, select Certificates, and then click Add.

    • In the Certificates snap-in window, select Computer account, and then click Next.

    • In the Select Computer window, select Local computer, and then click Finish.

    • Click OK to save the snap-in settings.

    • In MMC, go to Console Root > Certificates (Local Computer) > Trusted Root Certification Authorities > Certificates.

    • Select a root certificate provided by your root certification authority.

    • Right-click the certificate, and then select All Tasks > Export from the drop-down.

    • In the Certificate Export Wizard, click Next.

    • In Export File Format, select Base-64 encoded X.509 (.CER), and then click Next.

    • In File to Export, browse to the location where you want to export the certificate and provide the name of the certificate file, and then click Next.

    • Click Finish.

    For more information, click the link below.https://learn.microsoft.com/en-us/windows-hardware/drivers/install/certificate-stores

  8. Import Root Certificate using Keytool utility into the cacerts keystore.

    • For FIPS Mode, execute the following command: <Install Directory>\jre\bin>keytool.exe -import -alias tomcat -file "<Location of root certificate (.CER) file>"-keystore "<Install Directory>\jre\lib\security\cacerts_new" -storetype BCFKS -provider com.safelogic.cryptocomply.jcajce.provider.CryptoComplyFipsProvider

    • For Non-FIPS Mode execute the following command: <Install Directory>\jre\bin\keytool.exe -import -alias tomcat -file "<Location of root certificate (.CER) file>" -keystore "<Install Directory>\jre\lib\security\cacerts_new" -storetype JKS

To automatically copy the updated commd.keystore and cacerts from the Management Server to all remote Information Governance Nodes, perform the following steps:

  1. On the Management Server, execute the Batch Script available at <Install_Dir>\bin\certificate_operations.bat
  2. Press 1, which is Copy CA-Signed Certificate to all secondary nodes.
  3. Wait for the utility to complete copying of the Keystores and return to the main screen.
  4. Check if there are any failures reported by the utility. If any, follow the instructions on the screen to resolve it.
  5. Exit the utility.
  6. Restart all Information Governance services on the Management Server using Services.msc.
  7. After 10 minutes, log in to Information Governance and navigate to Settings-> Inventory-> Servers.
  8. Check the Health column of all the remote nodes. If it is green and servers are online, the updated keystore files have been copied successful.
  9. If any of the remote nodes appears offline, restart the DataInsightComm service from services.msc on the remote node.

To manually copy the updated commd.keystore and cacerts from the Management Server to all remote Information Governance nodes, perform the following steps on the Management Server.

  1. Rename <Data_Dir>\data\keys\commd_new.keystore to commd.keystore.
  2. Rename <Install_Dir>\jre\lib\security\cacerts_new to cacerts.
  3. Copy <Data_Dir>\keys\commd.keystore from the Management Server and paste it to the same location on all remote servers.
  4. Copy <Install_Dir>\jre\lib\security\cacerts from the Management Server.

    • For Windows remote servers, paste it to <Install_Dir>\jre\lib\security\cacerts.

    • For Linux remote servers, paste it to <Install_Dir>\jre\jre\lib\security\cacerts

  5. Restart all Information Governance services on the Management Server and all remote Information Governance nodes using services.msc.
  6. After 10 minutes, log in to Information Governance and navigate to Settings-> Inventory-> Servers.
  7. Check the Health column of all the remote nodes. If it is green and servers are online, the updated keystore files have been copied successful.
  8. If any of the remote nodes appears offline, restart the DataInsightComm service from services.msc on the remote node.

To apply the CA provided certificate to secure web portal communications, perform the following steps on the Management Server:

Caution:

For signed certificate in .p7b format, See Generating Management Console certificate. and follow the steps given.

  1. Rename C:\DataInsight\data\keys\webserver.keystore to webserver-org.keystore.
  2. Import CA Issued Certifcate file (pfx) to the webserver.keystore.
  3. There are separate commands for FIPS and non FIPS mode. Execute either one command as per your FIPS configuration status.

    • For FIPS Mode, execute the following command: "C:\Program Files\DataInsight\jre\bin\keytool.exe" -importkeystore -srckeystore "<Location of .pfx file>" -destkeystore "C:\DataInsight\data\keys\webserver.keystore" -srcalias <certificate Entry Name> -destalias tomcat -deststoretype bcfks -destkeypass changeit -provider com.safelogic.cryptocomply.jcajce.provider.CryptoComplyFipsProvider -providerpath "C:\Program Files\DataInsight\jre\lib\ext\ccj-3.0.1.jar"

    • For Non-FIPS Mode, execute the following command: "C:\Program Files\DataInsight\jre\bin\keytool.exe" -importkeystore -srckeystore "<Location of .pfx file>" -destkeystore C:\DataInsight\data\keys\webserver.keystore -srcalias <certificate Entry Name> -destalias tomcat -deststoretype jks -destkeypass changeit

  4. Restart the DataInsightWebService on the Management Server.

To apply the CA provided certificate to secure Self Service portal communications, perform the following steps on the Server designated as the Self Service Portal

  1. Rename C:\DataInsight\data\keys\portal.keystore to portal-org.keystore.
  2. Import CA Issued Certifcate file (pfx) to the webserver portal. There are separate commands for FIPS and non FIPS mode. Execute either one command as per your FIPS configuration status.

    • For FIPS Mode, execute the following command "C:\Program Files\DataInsight\jre\bin\keytool.exe" -importkeystore -srckeystore "<Location of .pfx file>" -destkeystore "C:\DataInsight\data\keys\portal.keystore" -srcalias <certificate Entry Name> -destalias tomcat -deststoretype bcfks -destkeypass changeit -provider com.safelogic.cryptocomply.jcajce.provider.CryptoComplyFipsProvider -providerpath "C:\Program Files\DataInsight\jre\lib\ext\ccj-3.0.1.jar"

    • For Non-FIPS Mode execute the following command "C:\Program Files\DataInsight\jre\bin\keytool.exe" -importkeystore -srckeystore "<Location of .pfx file>" -destkeystore C:\DataInsight\data\keys\portal.keystore -srcalias <certificate Entry Name> -destalias tomcat -deststoretype jks -destkeypass changeit

  3. Restart the DataInsightPortalService on the Server designated as the Self Service Portal.

To set custom password for cacerts in Information Governance, perform the following steps on the Management Server:

  1. Open command prompt in <Install_Dir>/bin
  2. Enter the following command: configcli.exe truststore_password truststore <new password>.

    Note:

    changeit is the default password of cacerts. If you have changed it, provide the changed password.

    • For FIPS Mode, execute the following command keytool -storepasswd -storepass changeit -keystore "C:\Program Files\DataInsight\jre\lib\security\cacerts" -storetype BCFKS -providerclass com.safelogic.cryptocomply.jcajce.provider.CryptoComplyFipsProvider --noprompt -providerpath "C:\Program Files\DataInsight\vic\vic-service\ccj-3.0.2.1.jar"

    • For Non-FIPS Mode execute the following command keytool -storepasswd -storepass changeit -keystore "C:\Program Files\DataInsight\jre\lib\security\cacerts"

  3. Wait for replicating the new configuration on all nodes.
  4. Stop all the services on the Management Server.
  5. Replace the updated truststore (cacerts) file saved at C:\Program Files\DataInsight\jre\lib\security\cacerts on all the nodes.
  6. Restart all the services.

If you are registering a new node, provide the cacerts available on the Management Server on the register window and provide a new custom password.