You are trying to setup the Service Provider model for Symantec Security Information Manager 4.6/4.7

 

There are some limitations to this configuration, you can only have one Correlation appliance per SSIM domain sending incidents to the Service Provider and the Service Provider cannot perform any other SSIM function but Service Provider.


Configure Correlation appliance to send event to the Service Provider, these steps it will be referred to as the forwarding appliance.
 

• Install SSIM 4.6 apply MP1
• Log into the Client UI and click on System Tile -> Appliance configuration, expand the tree to the folder with the machine name
• Select Incident Forwarding Rules and click on the plus sign and add a rule - enter the name of the rule , IP address of the SPM and check the enabled box.
• Turn off IP Blocking. Open an SSH session to this appliance and using vi edit this section for this file: /opt/Symantec/simserver/etc/event-service-startup.xml and change the value from 60 to 0
  

  <!--
                          Number of seconds to block an IP address which has failed
                          to authenticate.  Set ipBlocking to "0" to disable IP blocking.
                  -->
                  <property name="ipBlocking" value="60" />

• Using vi edit the /etc/hosts file and add the IP Address and hostname of the SPM appliance
• Restart the appliance
• Log into the Client UI and select the System Tile -> Administration and create a user specifically for the SPM authentication. You can use the existing admin Role or create a role that has access to incident tickets, events etc

SSIM installation used as the Service Provider Master referred to SPM
 

• Install SSIM 4.6 apply MP1
• Log into the Client UI and click on System Tile -> Appliance configuration, expand the tree to the folder with machine name.
• Select Event Storage Rules, check the Service provider Master and click apply.
• Turn off IP Blocking. Open an SSH session to this appliance and using vi edit this section for this file: /opt/Symantec/simserver/etc/event-service-startup.xml and change the value from 60 to 0
  

  <!--
                          Number of seconds to block an IP address which has failed
                          to authenticate.  Set ipBlocking to "0" to disable IP blocking.
                  -->
                  <property name="ipBlocking" value="60" />

• Using vi edit the /etc/hosts file and add the IP Address and hostname of the forwarding appliance.
• Restart appliance
• Log into the Client UI of the SPM appliance
• Go to System Tile -> Administration -> Client
  Right click select New
  Add client wizard
  Client name = what ever you want to call this client configuration
  Location = Location of the client - not location in SSIM
  Domain= SSIM Domain
  Hostname = hostname of Correlation appliance of the client
  IP address = IP address of the Correlation appliance
  
  
  Select Next
  
  Click on the Add button
  Enter username from the user you create on the incident forwarding appliance
  Enter the password and select the Analyst account you wish to use. Click on Save
  
  
  Select Next
  
  Contact list
  
  
  Click on new and enter the name and phone number of someone to contact and other information if you want
  Click on Save and then Finish
  
• Log into the Client UI and check the Incidents tile you should see incidents from the forwarding appliance. If you do not see incidents from the forwarding appliance, go back over the steps above and make sure the username and password in the Clients configuration on the Service Provide matches the user you created on the forwarding appliance.
  Note: If you get the error "Cannot connect to domain: <domain name>. . ." The password you entered for the user on the forwarding box is not correct, edit the client configuration and enter the correct password, or copy and paste the password into the configuration to make sure it is correct.
• The port used to forward incident is 10012 (the incident is forwarded in a form of an event by the Event Service)
  
  
  Because the Service Provider cannot be a collection or correlation appliance the hardware specifications are a bit lower than those required for a fully function SSIM appliance. Below is the hardware requirements for a SSIM Service Provider.
  Standard Intel based platforms with the following minimum characteristics
  Intel Core 2 Duo class processor or better
  4 GB of RAM (minimum)
  8 GB of RAM (recommended)
  50 GB of available Disk space
  Hardware must be certified to run RedHat Enterprise Linux 4.6
  The following list on RedHats Web site provides a catalog of hardware that is certified to run RHEL 4. Note that Symantec does not test or formally certify support for this hardware. The link is provided for reference only.
  https://hardware.redhat.com/list.cgi?product=Red%20Hat%20Hardware%20Certification&search_type=&component=Red%20Hat%20Enterprise%20Linux&version=4∫ernal_whiteboard=Server&rep_platform=i386&quicksearch=&showall=1

  
Note: SSIM is supported on VMWare or any other virtualization environments only from version 4.7.1 PR1 onward.