How to set up the Service Provider for Symantec Security Information Manager (SSIM) 4.6/4.7

Article ID: 177420

Products

Security Information Manager

Issue/Introduction

You are trying to set up the Service Provider model for Symantec Security Information Manager 4.6/4.7.

 

Resolution

This configuration has some limitations: you can have only one Correlation appliance per SSIM domain sending incidents to the Service Provider, and the Service Provider cannot perform any SSIM function other than Service Provider.


Configure the Correlation appliance to send events to the Service Provider. In these steps it is referred to as the forwarding appliance.
 

  • Install SSIM 4.6 and apply MP1.
  • Log into the Client UI, click System Tile -> Appliance configuration, and expand the tree to the folder with the machine name.
  • Select Incident Forwarding Rules, click the plus sign and add a rule: enter the name of the rule and the IP address of the SPM, and check the Enabled box.
  • Turn off IP Blocking. Open an SSH session to this appliance and, using vi, edit the following section of /opt/Symantec/simserver/etc/event-service-startup.xml, changing the value from 60 to 0:

    <!--
        Number of seconds to block an IP address which has failed
        to authenticate.  Set ipBlocking to "0" to disable IP blocking.
    -->
    <property name="ipBlocking" value="60" />

  • Using vi, edit the /etc/hosts file and add the IP address and hostname of the SPM appliance.
  • Restart the appliance.
  • Log into the Client UI, select System Tile -> Administration, and create a user specifically for the SPM authentication. You can use the existing admin Role or create a role that has access to incident tickets, events, etc.


SSIM installation used as the Service Provider Master, referred to as the SPM
 

  • Install SSIM 4.6 and apply MP1.
  • Log into the Client UI, click System Tile -> Appliance configuration, and expand the tree to the folder with the machine name.
  • Select Event Storage Rules, check Service Provider Master and click Apply.
  • Turn off IP Blocking. Open an SSH session to this appliance and, using vi, edit the following section of /opt/Symantec/simserver/etc/event-service-startup.xml, changing the value from 60 to 0:

    <!--
        Number of seconds to block an IP address which has failed
        to authenticate.  Set ipBlocking to "0" to disable IP blocking.
    -->
    <property name="ipBlocking" value="60" />

  • Using vi, edit the /etc/hosts file and add the IP address and hostname of the forwarding appliance.
  • Restart the appliance.
  • Log into the Client UI of the SPM appliance
  • Go to System Tile -> Administration -> Client
    Right click select New
      Add client wizard
      Client name = whatever you want to call this client configuration
      Location = Location of the client - not location in SSIM
      Domain= SSIM Domain
      Hostname = hostname of Correlation appliance of the client
      IP address = IP address of the Correlation appliance


      Select Next

      Click on the Add button
      Enter the username of the user you created on the incident forwarding appliance
      Enter the password and select the Analyst account you wish to use. Click on Save


      Select Next

      Contact list


      Click on New and enter the name and phone number of someone to contact, plus any other information you want
      Click on Save and then Finish
  • Log into the Client UI and check the Incidents tile; you should see incidents from the forwarding appliance. If you do not, go back over the steps above and make sure the username and password in the Client configuration on the Service Provider match the user you created on the forwarding appliance.
    Note: If you get the error "Cannot connect to domain: <domain name>. . .", the password you entered for the user on the forwarding box is not correct. Edit the client configuration and enter the correct password, or copy and paste the password into the configuration to make sure it is correct.
  • The port used to forward incidents is 10012 (the incident is forwarded in the form of an event by the Event Service).
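
The ipBlocking and /etc/hosts edits that both appliances need can also be scripted instead of made by hand in vi. The following is an added example, not Symantec code; the function names, the 192.0.2.10 address and the spm01 hostname are assumptions, and the demo runs on constructed copies rather than the live files.

```shell
#!/usr/bin/env bash
# Added example, not vendor code. Functions take file paths so they can be
# tried on copies before touching the live files named in the steps above.

# Print the ipBlocking value from an event-service-startup.xml file.
get_ip_blocking() {
    sed -n 's/.*<property name="ipBlocking" value="\([0-9][0-9]*\)".*/\1/p' "$1" | head -n 1
}

# Set ipBlocking to $2 (0 disables blocking); the original is kept as FILE.bak.
set_ip_blocking() {
    local file=$1 value=$2
    case $value in
        ''|*[!0-9]*) echo "value must be a non-negative integer" >&2; return 2 ;;
    esac
    if [ -z "$(get_ip_blocking "$file")" ]; then
        echo "ipBlocking property not found in $file" >&2
        return 1
    fi
    cp -p "$file" "$file.bak" || return 1
    # Rewrite in place from the backup so ownership and mode are unchanged.
    sed 's/\(<property name="ipBlocking" value="\)[0-9][0-9]*"/\1'"$value"'"/' \
        "$file.bak" > "$file"
}

# Append "IP<TAB>NAME" to a hosts file unless NAME already maps to IP there.
add_hosts_entry() {
    local file=$1 ip=$2 name=$3
    if awk -v ip="$ip" -v n="$name" '
        $1 == ip { for (i = 2; i <= NF && $i !~ /^#/; i++) if ($i == n) found = 1 }
        END { exit !found }' "$file"; then
        return 0
    fi
    printf '%s\t%s\n' "$ip" "$name" >> "$file"
}

# Demo on constructed copies; 192.0.2.10 and spm01 are placeholder values.
demo_dir=$(mktemp -d)
printf '%s\n' '<!-- Set ipBlocking to "0" to disable IP blocking. -->' \
    '<property name="ipBlocking" value="60" />' > "$demo_dir/event-service-startup.xml"
printf '127.0.0.1\tlocalhost\n' > "$demo_dir/hosts"
set_ip_blocking "$demo_dir/event-service-startup.xml" 0
add_hosts_entry "$demo_dir/hosts" 192.0.2.10 spm01
echo "ipBlocking is now $(get_ip_blocking "$demo_dir/event-service-startup.xml")"
cat "$demo_dir/hosts"
rm -rf "$demo_dir"
```

With ipBlocking at 0 the Event Service no longer blocks addresses that fail authentication, so limiting port 10012 to the peer appliance's address at the network layer is a reasonable compensating control.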


    Because the Service Provider cannot be a collection or correlation appliance, the hardware specifications are a bit lower than those required for a fully functional SSIM appliance. Below are the hardware requirements for a SSIM Service Provider.
    Standard Intel based platforms with the following minimum characteristics
      
    Note: SSIM is supported on VMware or any other virtualization environment only from version 4.7.1 PR1 onward.




 

