Veritas Data Insight Installation Guide
Generating Management Console certificate
The Management Server provides a web interface (administration console) for reporting and administration purposes. You access this interface with a web browser. The Management Server and browser communicate through an SSL connection.
To ensure confidentiality, all communication between the Management Server and the browser is encrypted using a symmetric key. To initiate a connection, the Management Server and browser negotiate the encryption algorithm (algorithm, key size, and encoding) and encryption key to use.
By default, connections between the Management Server and the browser use a single, self-signed certificate. The Management Server generates the certificate at install time, and the certificate is unique to your deployment. It is stored on the Management Server node in a folder called keys under the data folder. The file is called webserver.keystore. While this certificate is secure, the browser displays a warning message when you access the web interface because the certificate is self-signed. To avoid this warning, Veritas recommends that you generate a unique certificate for your organization's installation. This new certificate replaces the default certificate.
To generate a unique Management Console certificate
1. Collect the following information to generate a certificate request:
   - Common name - The fully qualified DNS name of the Management Server. This name must be the actual name of the server that is accessible by all the clients.
   - Organization name - For example, Veritas, Inc.
   - Organizational unit (optional)
   - City - For example, San Francisco
   - State - For example, CA
   - Country - For example, US
   - Expiration - Expiration time in days (90)
2. Use keytool.exe to create the self-signed certificate (keystore file), which you need to generate the Certificate Signing Request (CSR). keytool.exe is a utility for managing keys and certificates. These items are used in self-authentication or data integrity and authentication services, using digital signatures. Certificates also enable users to cache the public keys of their communicating peers. To create this file, go to the root directory of the Veritas Data Insight installation and perform the following steps in this order:
   - From a command window, go to the installdir\DataInsight\jre\bin directory, where installdir is the directory into which you installed the Management Server.
   - Run the following command with the information collected in step 1:
     keytool -genkey -alias tomcat -keyalg RSA -validity 730 -keysize 1024 -keypass changeit -keystore webserver.keystore -storepass changeit -storetype JKS -dname "cn=common_name,o=organization_name,ou=organization_unit,l=city,s=state,c=US"
   The -storepass changeit option sets the password to changeit. Enter this password if you are prompted for a password after running the command. This command creates the self-signed certificate (webserver.keystore) in the <installdir>\jre\bin directory.
   Note: Veritas recommends that you set the password as changeit. If you want to use a different password, perform the additional steps mentioned in step 11 before you start the DataInsightWeb service.
3. Generate the certificate signing request (CSR) file. The CSR file is the request that you submit to the Signature Authority to obtain a signed certificate. From the <installdir>\jre\bin directory, run the following command:
   keytool -certreq -alias tomcat -keyalg RSA -keystore webserver.keystore -storetype JKS -storepass changeit -file "DataInsight.csr"
   If you are prompted for a password, press Enter. This command creates a file called DataInsight.csr. You submit this file to the Signature Authority.
4. To obtain a certificate, send the .CSR file to a Certified Signature Authority (your own or a third party, such as VeriSign). To obtain a signed certificate from your internal Signature Authority, contact your system administrator for instructions. For the VeriSign Signature Authority, perform one of the following actions:
   - Current customers - If you are a current VeriSign customer, go to the following page and buy an additional certificate: http://www.symantec.com/ssl-certificates/?themeid=verisign-ssl-certificates&inid=vrsn_ss_Index
     You need your Common Name, Order Number, or serial number to begin the transaction, as well as the CSR.
   - New customers - If you are not a current customer and want to purchase the signed certificate from VeriSign, go to the following page: http://www.VeriSign.com/products-services/security-services/ssl/buy-ssl-certificates/index.html
     To purchase the signed certificate, you need the following information, in addition to the CSR:
     - The length of time for the certificate (one year or two years).
     - The number of servers that host a single domain (up to five servers).
     - The server platform.
     - The organization, organizational unit, country, state, or locality (all spelled without abbreviations).
     - Payment information and a billing contact.
     - The common name. This name is the host name and domain name, such as www.company.com or company.com.
     - An email where VeriSign can reach you to validate the information.
     - Documentation to demonstrate that your organization is legitimate.
   To obtain signed certificates from other Signature Authorities, go to their web sites and follow the instructions to enroll and obtain a signed certificate. This process is similar to the VeriSign process. However, check with the organization to identify any additional environment information that may be needed for the certificate. The certified Signature Authority sends you the signed certificate (this process might take 3-5 days). Internal Signature Authorities must return the root certificate along with the signed certificate.
5. Place the signed certificate into the directory (<installdir>\jre\bin) with the webserver.keystore file. To email the certificate, paste it into a text document exactly as it appears on the screen. Include the top line and bottom line (-----Begin Certificate----- and -----End Certificate-----). Make sure that no extra lines, spaces, trailing carriage returns, or characters have been inadvertently added. Save this file in the same directory where the webserver.keystore file is located. If the signed certificate is provided as an attachment to an email, copy this file into the same directory where the webserver.keystore file is located.
6. Keep a copy of both the webserver.keystore file and the signed certificate file in a separate, secure location.
7. Confirm the signed certificate is correct. Open a command prompt and run the following command to view the certificate's fingerprint(s):
   keytool -printcert -file signed_certificate_filename
   The following is an example output:
   Owner: CN=ll, OU=ll, O=ll, L=ll, S=ll, C=ll
   Issuer: CN=ll, OU=ll, O=ll, L=ll, S=ll, C=ll
   Serial Number: 59092b34
   Valid from: Thu Sep 25 18:01:13 PDT 1997 until: Wed Dec 24 17:01:13 PST 1997
   Certificate Fingerprints:
   MD5: 11:81:AD:92:C8:E5:0E:A2:01:2E:D4:7A:D7:5F:07:6F
   SHA1: 20:B6:17:FA:EF:E5:55:8A:D0:71:1F:E8:D6:9D:C0:37 37:13:0E:5E:FE
8. Call or email the person who sent the certificate and compare the fingerprint(s) you see with the fingerprint(s) they sent you. If the fingerprint(s) are not exactly equivalent, the certificate may have been replaced in transit by an attacker's certificate. If you used an Internal Signing Authority, also view the fingerprint(s) of the root certificate using the same -printcert command:
   keytool -printcert -file name_of_root_certificate_provided_by_internal_signature_authority
   Compare the displayed fingerprint with the well-known fingerprint (obtained from a newspaper or the root CA's web page). Contact the certificate's issuer if you have questions. When you execute the command, the -importcert command prints out the certificate information and prompts you to verify it.
9. Return to the <installdir>\jre\bin directory and update the local webserver.keystore file with the signed certificate as follows:
   - Internal signature authority - Use the following command to update the webserver.keystore file with the root certificate:
     <installdir>\jre\bin\keytool.exe -importcert -file root_certificate_filename -keystore webserver.keystore -storepass changeit
     Use the following command to update the webserver.keystore file with the signed certificate:
     <installdir>\jre\bin\keytool -importcert -alias tomcat -keystore webserver.keystore -trustcacerts -file signed_certificate_filename
   - VeriSign or third-party signature authority - Use the following command to update the local webserver.keystore file with the signed certificate:
     <installdir>\jre\bin\keytool -importcert -alias tomcat -keystore webserver.keystore -trustcacerts -file signed_certificate_filename
10. Copy the updated webserver.keystore file into the $datadir\keys directory. By default, $datadir is located at C:\DataInsight\data. Note that this operation overwrites an existing file of the same name in that location. Rename the existing file if you want to keep it.
11. If you have used a password other than changeit in step 2, perform the following additional steps:
   - Log into the Management Server with Administrator privileges.
   - Open a command prompt window, and change to the bin directory in the installation folder for Data Insight. By default, the bin directory is located at C:\Program Files\DataInsight\bin.
   - Execute the following command:
     configcli.exe keystore_password webserver <new password>
12. Restart the Data Insight web service by performing the following steps in the specified order:
   - net stop DataInsightWeb
   - net start DataInsightWeb
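The checks described above for the saved certificate file (no stray characters around the BEGIN/END lines) and for comparing fingerprints with the sender can be scripted. The following Python code is an added example, not part of the Veritas guide or product: it rejects a file with stray text or more than one certificate block, then compares its fingerprint with the value received out of band. The function names and SAMPLE_DER (constructed placeholder bytes, not a real certificate) are assumptions; SHA-256 is the default, and passing "sha1" or "md5" selects the algorithms shown in the sample output above.

```python
import base64
import hashlib
import hmac
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n(.+?)\r?\n-----END CERTIFICATE-----", re.DOTALL)

# Constructed stand-in for a certificate's DER bytes (not a real certificate).
# A fingerprint is a hash of the DER encoding, so any bytes show the comparison.
SAMPLE_DER = bytes(range(256)) * 3

def to_pem(der):
    """Wrap DER bytes in PEM armor, as a CA would deliver them (sample builder)."""
    body = base64.encodebytes(der).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"

def load_single_cert(pem_text):
    """Return the DER bytes of the one certificate in pem_text, else ValueError."""
    blocks = PEM_BLOCK.findall(pem_text)
    if len(blocks) != 1:
        raise ValueError(f"expected one certificate block, found {len(blocks)}")
    # Anything left after removing the block must be whitespace only.
    if PEM_BLOCK.sub("", pem_text).strip():
        raise ValueError("stray text outside the BEGIN/END lines")
    try:
        return base64.b64decode("".join(blocks[0].split()), validate=True)
    except ValueError as exc:  # binascii.Error subclasses ValueError
        raise ValueError(f"corrupt base64 body: {exc}") from None

def fingerprint(der, algorithm="sha256"):
    """Colon-separated upper-case hex digest, the layout keytool -printcert uses."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def normalize(fp):
    """Strip colons/whitespace and upper-case a fingerprint typed or pasted by hand."""
    hex_only = re.sub(r"[\s:]", "", fp).upper()
    if not re.fullmatch(r"[0-9A-F]+", hex_only):
        raise ValueError("fingerprint contains non-hex characters")
    return hex_only

def fingerprints_match(pem_text, expected, algorithm="sha256"):
    """True only if the file's fingerprint equals the one received out of band."""
    actual = normalize(fingerprint(load_single_cert(pem_text), algorithm))
    return hmac.compare_digest(actual, normalize(expected))

if __name__ == "__main__":
    pem = to_pem(SAMPLE_DER)
    print(fingerprints_match(pem, fingerprint(SAMPLE_DER)))
```

A mismatch or a ValueError means the file should not be imported into webserver.keystore until the sender confirms the certificate again.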