Implementing Central Management in an Existing Installation
Implement Central Management in an existing Guardium environment and migrate a CAS collector with active instances to be managed.
In an existing Guardium environment, refer to the procedure outlined to develop a plan for implementing central management. If you are converting an existing Guardium unit to a Central Manager, keep in mind that a Central Manager cannot monitor network traffic. For example, inspection engines cannot be defined on a Central Manager.
- Select a system shared secret to be used by the Central Manager and all managed units. For more information, see the system shared secret in System Configuration.
- Install the Central Manager unit or designate one of the existing systems as the Central Manager. In either case, use the store unit type command to set the manager attribute for the Central Manager.
- Any definitions from the stand-alone unit that you want to have available in the central management environment must be exported before the stand-alone unit is registered for management. Later, those definitions are imported on the Central Manager. BEFORE exporting or importing any definitions, follow the procedure that is outlined for each stand-alone unit that is to become a managed unit. Read through the introductory information under Export/Import Definitions.
- Decide which definitions from the stand-alone system you want to have available after the system becomes a managed unit. Ignore any components on the stand-alone system you do not want to have available.
- Compare the security roles and groups that are defined on the stand-alone unit with those defined on the Central Manager. Under central management, a single version of these definitions applies to all units. If a security role with the same name exists on both systems and it is used for different purposes, add a new role on the Central Manager and assign the new role to the appropriate definitions after they are imported.
- If the same group name exists on the stand-alone unit and the Central Manager but it has different members, create a new duplicate group on the stand-alone system, taking care to select a group name that does not exist on the Central Manager. In all of the definitions to be exported, change the old group name references to new group name references.
- Make a note of all security roles that are assigned to all definitions that are exported from the stand-alone system. When definitions are imported, they are imported WITHOUT roles, so you must add them manually.
- Check the application role permissions on each system. If any security roles assigned to an application on the stand-alone unit are missing from the Central Manager, add them to the Central Manager.
- Export all definitions from the stand-alone system that you want to have available after the system becomes a managed unit. (See Export/Import Definitions) Do not export users or security roles. If you are unsure about a definition, export it in a separate export operation so that you can decide in the future whether to import that definition to the Central Manager. After you register for central management, none of the old definitions from the stand-alone unit are available.
- On the stand-alone unit, create PDF versions of audit process results and store them in an appropriate location. Under central management, only the audit results produced under central management are available.
- On the stand-alone unit, instruct all users to remove all portlets that contain custom reports, and to not create any new reports until the conversion to central management is complete.
- On the Central Manager, manually add all users from the stand-alone unit.
- On the stand-alone unit, delete all user definitions except for the admin user (which cannot be deleted).
- Register the stand-alone unit for central management. See Registering Units for Central Management.
- On the Central Manager, import all definitions that are exported from the stand-alone system. Check to make sure that references to included items (receivers in alert notifications, for example) are correct. Reassign security roles, as necessary, to all imported definitions.
- Inform users of the managed unit that they must use the Report Builder application to regenerate the portlets for any custom reports they want to display in their layouts.
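The role and group comparison steps in the list above can be worked through as a pre-registration check. The following is an added example, not IBM or Guardium code: it assumes the two inventories were compiled by hand into the dictionary layout shown (not a Guardium export format), and the function name, the `_migrated` suffix and all sample values are hypothetical.

```python
def plan_migration(standalone, manager):
    """Compare two hand-compiled inventories before registering the unit.

    Inventory layout (an assumption, not a Guardium export format):
      groups: {name: set of members}, roles: {name: purpose text},
      app_roles: {application: set of role names}
    """
    cm_groups, cm_roles = manager["groups"], manager["roles"]
    taken = set(cm_groups) | set(standalone["groups"])
    group_renames = {}
    for name, members in sorted(standalone["groups"].items()):
        # Same name, different members: duplicate under a name unused on both.
        if name in cm_groups and cm_groups[name] != members:
            candidate, n = f"{name}_migrated", 2
            while candidate in taken:
                candidate, n = f"{name}_migrated{n}", n + 1
            taken.add(candidate)
            group_renames[name] = candidate
    # Same role name used for a different purpose: needs a new role on the CM.
    role_conflicts = sorted(
        r for r, purpose in standalone["roles"].items()
        if r in cm_roles and cm_roles[r] != purpose
    )
    # Roles assigned to applications on the unit but absent from the CM.
    used = set().union(*standalone["app_roles"].values())
    missing_roles = sorted(used - set(cm_roles))
    return {"group_renames": group_renames,
            "role_conflicts": role_conflicts,
            "missing_roles": missing_roles}


# Constructed sample inventories (not real Guardium data).
STANDALONE = {
    "groups": {"Sensitive Objects": {"CARDS", "PAYROLL"},
               "DBA Users": {"alice", "bob"}},
    "roles": {"dba": "database administrators", "audit": "internal audit team",
              "infosec": "security team"},
    "app_roles": {"Report Builder": {"dba", "audit"}, "Policy Builder": {"infosec"}},
}
MANAGER = {
    "groups": {"Sensitive Objects": {"CARDS"}, "DBA Users": {"alice", "bob"},
               "Sensitive Objects_migrated": {"LEGACY"}},
    "roles": {"dba": "database administrators", "audit": "external auditors"},
    "app_roles": {},
}

if __name__ == "__main__":
    for key, value in plan_migration(STANDALONE, MANAGER).items():
        print(f"{key}: {value}")
```

Each entry in `group_renames` is a duplicate group to create on the stand-alone system before export, `role_conflicts` lists roles that need a new role on the Central Manager, and `missing_roles` lists roles to add to the Central Manager.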
Migrating a stand-alone CAS collector to managed
Use the following steps when you migrate a CAS collector with active instances to managed.
- Export the CAS host definitions from the stand-alone collector.
- Manage the stand-alone collector.
- Restart the CAS host from the GUI of the now managed collector.
- Import the CAS host definition to the manager.
- Restart the CAS host from the GUI of the managed collector again.
After these steps are performed, the CAS collector has the same instances and monitors the same files that it did when it was stand-alone.
Note: The CAS data that was collected when it was stand-alone is deleted. There is no collected CAS data unless a file changes.