CA Total Defense Deploy Guide


CA DLP Deployment Guide r12.0

This documentation and any related computer software help programs (hereinafter referred to as the Documentation) is for the end user's informational purposes only and is subject to change or withdrawal by CA at any time.

    This Documentation may not be copied, transferred, reproduced, disclosed, modified or duplicated, in whole or in part, without the prior written consent of CA. This Documentation is confidential and proprietary information of CA and protected by the copyright laws of the United States and international treaties.

    Notwithstanding the foregoing, licensed users may print a reasonable number of copies of the Documentation for their own internal use, and may make one copy of the related software as reasonably required for back-up and disaster recovery purposes, provided that all CA copyright notices and legends are affixed to each reproduced copy. Only authorized employees, consultants, or agents of the user who are bound by the provisions of the license for the product are permitted to have access to such copies.

The right to print copies of the Documentation and to make a copy of the related software is limited to the period during which the applicable license for the product remains in full force and effect. Should the license terminate for any reason, it shall be the user's responsibility to certify in writing to CA that all copies and partial copies of the Documentation have been returned to CA or destroyed.

    EXCEPT AS OTHERWISE STATED IN THE APPLICABLE LICENSE AGREEMENT, TO THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS DOCUMENTATION AS IS WITHOUT WARRANTY OF ANY KIND, INCLUDING WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NONINFRINGEMENT. IN NO EVENT WILL CA BE LIABLE TO THE END USER OR ANY THIRD PARTY FOR ANY LOSS OR DAMAGE, DIRECT OR INDIRECT, FROM THE USE OF THIS DOCUMENTATION, INCLUDING WITHOUT LIMITATION, LOST PROFITS, BUSINESS INTERRUPTION, GOODWILL, OR LOST DATA, EVEN IF CA IS EXPRESSLY ADVISED OF SUCH LOSS OR DAMAGE.

The use of any product referenced in the Documentation is governed by the end user's applicable license agreement.

    The manufacturer of this Documentation is CA.

    Provided with Restricted Rights. Use, duplication or disclosure by the United States Government is subject to the restrictions set forth in FAR Sections 12.212, 52.227-14, and 52.227-19(c)(1) - (2) and DFARS Section 252.227-7014(b)(3), as applicable, or their successors.

    All trademarks, trade names, service marks, and logos referenced herein belong to their respective companies.

    Copyright 2009 CA. All rights reserved.

Contents

Chapter 1 Introduction
    Contact Technical Support ... 23
    Deploying CA DLP ... 23
    Database tasks ... 23
    Hardware and software requirements ... 24
        CMS, gateway servers and utility machines ... 24
        Client machines ... 25
        Event Import and Import Policy machines ... 26
        E-mail server agent and policy engine hub ... 26
        Policy engine host machines ... 26
        iConsole machines ... 27
        External Agent machines ... 27
        Archive integration host machines ... 27
    Architecture ... 28
    Upgrading CA DLP ... 28
        Post-upgrade tasks ... 28
        Version compatibility ... 28

Chapter 2 CA DLP servers
    Server types ... 29
        CMS (Central Management Server) ... 29
        Gateway servers ... 30
        Utility machines ... 30
    Before installing ... 30
        Server name resolution ... 30
        Database configuration ... 30
        Disable 8.3 file names ... 30
        Gateways ... 30
        Utility machines ... 30
    Server installation features ... 31
        CA DLP Server ... 31
        Enterprise Server ... 31
        Management Console ... 32
        Documentation ... 32
    Installing a CMS, gateway or utility machine ... 33
        Assign the Log on as a service privilege ... 37
        User accounts created automatically on the CMS ... 38
        Installations using Terminal Services ... 39
        Unattended installations ... 40
    Uninstalling a CMS, gateway or utility machine ... 41
        Manually uninstalling a server ... 41
    Installing an Administration console ... 42
        Is the Administration console already installed? ... 42
        Console-only installations ... 42

Chapter 3 Before you start using CA DLP
    1 Choose an appropriate account to configure CA DLP ... 43
    2 Install your license file ... 43
    3 Configure your CMS machine policy to handle new accounts ... 44
    4 Configure event purging ... 45
    5 Configure the management of free disk space on servers ... 46
    6 Configure the common client and gateway policies ... 47
    7 Synchronize the clocks on your CA DLP machines ... 47
    8 Configure the policy for the default user group ... 48
    9 Create and organize a hierarchy of user groups ... 49
    10 Create your administrators and managers ... 49
    11 Set up support for Unicode characters ... 50
    12 Install iConsole searches ... 51
    13 Integrate with third party object storage solutions ... 51
    14 Configure event auditing labels ... 51
    15 Set up policy engines ... 51

Chapter 4 Client machines
    Client installation features ... 53
        CA DLP ... 54
        Management Console ... 54
        Client Integration ... 54
    Before installing ... 55
    Manual installations (setup.exe) ... 55
    Uninstalling client machines ... 56
        Using Add/Remove Programs ... 56
        Manually uninstalling ... 56
    Command line operations ... 57
        Installing with msiexec.exe ... 57
        Installing with setup.exe ... 58
        Uninstalling ... 58
    Group Policy operations ... 59
        Before installing ... 59
        GPO installation ... 60
        Group Policy uninstallation ... 61
    SMS operations ... 62
        Before installing ... 62
        SMS installation ... 63
        SMS uninstallation ... 65
    Snapshot operations ... 66
        Snapshot installation ... 66
        Follow-up installations ... 68
        Snapshot considerations ... 69
    Integration with centralized applications ... 70
        Lotus Notes integration ... 70

Chapter 5 iConsole
    Software components ... 71
    iConsole architecture ... 72
    iConsole registry values ... 73
    Deployment procedure ... 74
    Pre-deployment tasks ... 74
        Requirements: servers ... 74
        Requirements: browser host machine ... 78
        Version check utility: Wgncheck.exe ... 78
        Set up SMTP e-mail ... 79
    Deploy the iConsole ... 81
        Before installing ... 81
        Install the iConsole ... 81
    Post-deployment tasks ... 82
    Install iConsole searches and reports ... 83
        Install default searches and reports ... 83
        Set up the Review Queue ... 83
    Set up iConsole connectivity ... 84
        Rename IIS virtual directory for front-end Web server ... 84
        Connect iConsoles to multiple CMSs ... 84
        Enable pre-authentication ... 85
        Enable anonymous access ... 86
        Specify disallowed characters in logon passwords ... 86
        Specify a non-default TCP port ... 87
        Hide user logon credentials in the iConsole ... 88
    Set up iConsole timeouts ... 90
        Modify the session timeout ... 90
        Modify the event timeout ... 91
        Modify the Web Service timeout ... 92
        Modify the results conversion timeout ... 92
    Set up search results handling ... 93
        Specify the default format for downloaded search results ... 93
        Specify the format for downloaded e-mails ... 94
        Creating an additional download button on the toolbar ... 94
        Setting the default format for displaying search results ... 95
        Configure how many participants are displayed ... 96
        Configure the search results cache ... 97
    Set up event auditing ... 99
        Set up the auditing feature ... 99
        Enable time recording for reviewed events ... 99
        Configure audit e-mails ... 100
        Specify an address mask for audit e-mails ... 102
        Specify the LDAP attribute used to populate To, Cc and Bcc lists ... 103
    General setup tasks ... 104
        Modify the iConsole log file registry values ... 104
        Set up iConsole servers for Network Load Balancing ... 105
        Set global preferences ... 107
    Start the iConsole ... 107
    Defining new iConsole event searches ... 108
    Back up search files ... 109
    About single sign-on ... 109

Chapter 6 Install iConsole searches and reports
    Available searches and reports ... 111
        Compliance reports ... 112
        Dashboard ... 112
        Incident reports ... 112
        Issue reports ... 113
        Review Queue ... 113
        Standard Searches ... 114
        Additional notes ... 114
    Requirements ... 115
        CA DLP requirements ... 115
        Supported databases ... 115
        Oracle user privilege ... 115
        iConsole dashboards ... 115
    Database configuration ... 116
        Primary user requirements for iConsole dashboard ... 116
        SQL Server CMSs: SQLAgentUserRole role ... 116
    Installing searches and reports ... 118
        CMS ... 118
        iConsole application servers ... 118
        iConsole front-end Web servers ... 118
    Setting up dashboard data aggregation ... 119
        Configurable aggregation parameters ... 119
        Configure the aggregation ... 120
        Aggregation parameters ... 121
        AF1, AF2 and AF3 aggregation parameters ... 124
        Change the aggregation frequency ... 124
        Manually schedule aggregation jobs for SQL Server Express ... 125
        Event totals can appear incorrect when drilling into snapshot data ... 126
    Report customizations ... 127
        Incident Rate By Policy Report ... 127

Chapter 7 Quarantine Manager
    Quarantine Manager architecture ... 130
    Pre-deployment considerations ... 131
        If using e-mail client agents and the Exchange server agent ... 131
        Multiple Quarantine Managers ... 131
        If using a Milter MTA agent, some e-mails may not be quarantined ... 131
    Deploy the Quarantine Manager ... 132
        Specify a QM domain user ... 132
        Allow access to the designated mailbox ... 134
        Install the Quarantine Manager ... 135
        Configure the Quarantine Manager ... 135
        Mark e-mails for Quarantine ... 135
        Log files ... 135
    Quarantine Manager registry values ... 136
    E-mail release procedure ... 140
        Automatic release of timed-out e-mails ... 140
        Failure to forward released e-mails ... 140
        Encrypted e-mails ... 140

Chapter 8 Secure private tunnel
    Configure the secure private tunnel ... 142
        Certificate management ... 142
        Generating authentication certificates ... 142
        Configuring the secure private tunnel ... 145

Chapter 9 Account Import
    Synchronizing users ... 147
    Synchronizing e-mail addresses ... 147
    Import methods and sources ... 148
        Import methods ... 148
        Import sources ... 148
    Account Import log files ... 149
    Account Import privileges ... 149
    Account Import wizard ... 150
    Command line import operations ... 158
        Set up Secure Sockets Layer (SSL) ... 159
    Parameter files ... 160
        Parameter rules ... 161
        Operation parameters ... 161
        Data source parameters ... 161
        LDAP logon parameters ... 162
        Source container and target group parameters ... 162
        Error handling parameter ... 164
        LDAP filter attributes ... 165
        Source and target file parameters ... 165
        Comment markers ... 165
        User mapping and identification parameters ... 165
        Example parameter file ... 167
    Multiple attribute values ... 168
        Importing a single LDAP attribute with multiple values ... 168
        Combining multiple LDAP attributes in single CA DLP attributes ... 168
    Command files to import users ... 169
        Command file format ... 169
        Format notes ... 172
        Group and user name requirements ... 173
        Example group path ... 173
        Example Command file 1: new users and groups ... 174
        Example Command file 2: user properties ... 175
    Command files to import machines ... 176
        Import from a command file ... 176
        Command file format ... 176
        Example Command file ... 177
    Modify LDAP values with conversion expressions ... 178
        Conversion expression syntax ... 178
        Section syntax ... 179
        Conversion expression variables ... 179

Chapter 10 Object storage
    Overview ... 183
        Concurrent use of multiple object stores ... 183
    Integrating with EMC Centera ... 184
        About Centera integration ... 185
        Set up Centera integration ... 187
        Configure Centera integration ... 187
    Integrating with IBM DB2 Content Manager ... 189
        About IBM Content Manager integration ... 190
        Set up IBM DB2 Content Manager integration ... 191
        Configure Content Manager integration ... 192
    Integrating with NetApp SnapLock ... 194
        Set up SnapLock integration ... 194
    Temporary object store ... 195
        How are CA DLP events stored? ... 195
        Configure the temporary object store ... 195
        Managing the temporary object store ... 196
        Optional data location structure ... 197

Chapter 11 Policy engines
    Overview ... 199
        Policy engine architecture ... 200
    Deploy policy engines ... 201
        Active and standby policy engines ... 201
        E-mail address mapping ... 201
        Policy engine requirements ... 202
    Specify user accounts ... 203
        Specify a PE domain user ... 203
        Create a corresponding CA DLP user ... 203
    Install policy engines ... 204
    Configure policy engines ... 205
        Configure the local machine policy ... 205
        Configure the policy engine registry values ... 208
    Monitor policy engines ... 210
        Performance counters ... 210
        Log files ... 210
    Uninstall policy engines ... 210
    Policy engine maintenance ... 210

Chapter 12 Policy engine hubs
    Policy engine hub architecture ... 212
        Hub event queues ... 213
        Registry flow chart: e-mail processing on the hub ... 214
    Deploy the policy engine hub ... 215
        Host machine requirements ... 215
        Install the hub ... 216
        Automatic installation with server agents ... 216
    Configure the hub ... 217
        Modify the hub registry values ... 217
        Assign security privilege to the PE domain user ... 217
    Policy engine hub registry values ... 218
        Policy Engine Hub key ... 219
        Policy Engines subkey ... 222
        DefaultSettings subkey ... 222
        subkey ... 222
        Queues key ... 222
        subkey ... 223
        Security key ... 223
    Hub maintenance ... 224
        Stop the policy engine hub ... 224
    Monitor policy engine hub activity ... 225
        Performance counters ... 225
        Log files ... 226
    Uninstall policy engine hubs ... 226

Chapter 13 Import policy
    Direct mode and hub mode ... 227
    Which imported e-mails are converted into events? ... 227
    Import policy versus server agents ... 228
    Architecture diagrams ... 229
    Direct mode ... 230
        Install Import Policy in direct mode ... 230
        Configure the Event Import job ... 230
    Hub mode ... 231
        Specify user accounts ... 232
        Install a remote policy engine ... 232
        Install Import Policy in hub mode ... 233
        Configure the Remote PE Connector ... 233
        Configure the Event Import job ... 234
    Event Import parameters ... 234

Chapter 14 E-mail server agents
    E-mail server integration ... 236
        E-mail integration: server-side versus client-side ... 236
        Exchange 2007 server agent ... 236
    Deploy the Exchange or Domino server agent ... 237
        Host machine requirements ... 237
        Deploy policy engines ... 237
    Install an Exchange or Domino server agent ... 238
    Configure the hub ... 238
    Configure the Exchange or Domino agent ... 238
        MIME configuration for Domino servers ... 239
    E-mail server agent registry values ... 241
        Automatic registry values ... 242
        Manually created registry values ... 247
    Turn on Exchange or Domino integration ... 250
    Set up server-side interactive warning messages ... 251
        Warnings and follow-up messages ... 251
        Deployment procedure ... 253
    Monitor the Exchange and Domino server agents ... 255
        Log files ... 255
        Diagnostic files for Exchange server agent ... 255
    Uninstall Exchange or Domino server agents ... 256
    IIS SMTP integration ... 257
        Host machine requirements ... 257
        Install the IIS SMTP agent ... 257
        Configure the IIS SMTP agent ... 257
        Turn on IIS SMTP integration ... 257
        Hosting a CA DLP service for use by other organizations ... 258
    Sendmail and Postfix integration ... 260
        Applying policy triggers to Sendmail and Postfix e-mails ... 260
        Deployment process ... 260
        Deployment architecture ... 261
        Host machine requirements ... 262
        Deploy policy engines ... 262
        Deploy the Socket API and a remote PE connector ... 262
        Create user for Milter MTA agent ... 262
        Configure Postfix ... 262
        Configure Sendmail integration ... 263
    Install the Milter MTA agent ... 264
    Configure the Milter MTA agent ... 266
        Wgnmilter.conf parameters ... 266
    Turn on Sendmail and Postfix integration ... 270
        Stop or start the Milter MTA agent ... 270
        Disable or enable integration ... 270
        Uninstall the Milter MTA agent ... 270
    E-mail integration issues ... 271
        Prevent users receiving multiple notifications from single e-mail ... 271
        Prevent repeat processing by server agents in multiple domains ... 271
        Using e-mail client agents and e-mail server agents together ... 272
        Do not release dead messages in Domino Administrator ... 272
        Integration with an Exchange Server cluster ... 273
        Configure all Exchange server agents ... 273

    Chapter 15 File Scanning Agent (FSA)About the FSA ................................................................. 276

    Scanning jobs ............................................................. 276Applying policy to scanned items...................................... 276File system scans......................................................... 276SharePoint scans ........................................................ 277Exchange Public Folders scans ......................................... 278Database scans .......................................................... 278

    FSA terminology ............................................................... 279Scanned file database ................................................... 279NIST database............................................................. 279File hashes ................................................................ 279DoD deletion ............................................................. 279DSN ......................................................................... 279

    FSA architecture ............................................................. 280

    Deploy the FSA ............................................................... 281FSA requirements ........................................................ 281

    Deploy a NIST database ..................................................... 283

    Install database client tools................................................. 283

    Specify FSA user accounts .................................................. 284FSA job setup user ...................................................... 284FSA service user ......................................................... 284

    FSA Run As user .......................................................... 285

    CA DLP Deployment guide

    Install the FSA ..... 286
        Configure the hub ..... 287
        Securely store logon credentials for database scans ..... 287

    Deploy FSA Remote Connectors ..... 288
        Why deploy an FSA Remote Connector? ..... 288
        Install the FSA Remote Connector ..... 288

    Configure the FSA ..... 289

    Set up CA DLP policy triggers ..... 292
        Data At Rest triggers ..... 292
        Data At Rest control actions ..... 292
        Which user policy gets applied? ..... 293
        Apply smart tags to scanned items ..... 293

    Scanning jobs ..... 294
        Scanning job log files ..... 294
        Add a scanning job ..... 294
        Run a scanning job ..... 295
        Schedule a scanning job ..... 296
        Stop and restart a scanning job ..... 297
        Purge the scanned file database ..... 297

    Scanning job FAQs ..... 298
        How are scanned items associated with CA DLP users? ..... 298
        How do I delete a scanned file database? ..... 298
        Do I use multiple scanning jobs or multiple FSAs? ..... 298
        Can jobs overlap? ..... 298
        What happens if no event participant is specified? ..... 299

    Uninstall the FSA ..... 299

    Chapter 16 Client Agents: File and Print

    About the Client File System Agent ..... 302
        What filters does the CFSA use? ..... 302
        CFSA flow chart: Removable devices, CD drives, network folders ..... 303
        CFSA flow chart: scanned files on local hard disk ..... 304
        How does the CFSA apply policy to protect files? ..... 304
        Terminology ..... 305

    Deploy the CFSA ..... 306
        Which policies are applied? ..... 306
        Configure the local machine policy ..... 307
        Configure the user policy ..... 311

    About the Client Print System Agent ..... 314
        What filters does the CPSA use? ..... 314
        Which user policy is applied? ..... 314
        CPSA flow chart ..... 315

    Deploy the CPSA ..... 316
        CPSA user policy changes ..... 316
        CPSA optional registry changes ..... 318

    Chapter 17 Third party integration

    Integration components ..... 319

    Supported archive versions ..... 320

    Integration models ..... 321
        Model 1: Push from archive ..... 321
        Model 2: Push to archive (direct) ..... 322
        Model 3: Push to archive (via mailbox) ..... 323
        Comparison of ingestion methods into CA DLP ..... 324

    CA Message Manager integration ..... 325
        Set up CA Message Manager integration ..... 326

    ZANTAZ EAS integration ..... 327
        Set up EAS integration ..... 328
        Configure EAS integration ..... 328
        Retrieve archived events with RDM ..... 328

    Symantec Enterprise Vault integration ..... 329
        About Smart Tagging ..... 330
        Deployment procedure ..... 331
        Set up Enterprise Vault integration ..... 331
        Register the EV archive agent ..... 332
        Configure Enterprise Vault integration ..... 333
        Install and configure RDM ..... 338
        Turn on Enterprise Vault integration ..... 338

    IBM DB2 CommonStore for Exchange ..... 339
        Deployment procedure ..... 340
        Install CommonStore for Exchange ..... 340
        Configure integration with CommonStore for Exchange ..... 342

    IBM DB2 CommonStore for Lotus Domino ..... 348
        Deployment procedure ..... 349
        Install CommonStore for Domino ..... 349
        Configure integration with CommonStore for Domino ..... 351


    ZANTAZ Digital Safe integration ..... 357
        About the Digital Safe Adapter ..... 358
        Secure communication based on SSL authentication ..... 358
        Deployment procedure ..... 359
        Set up Digital Safe integration ..... 359
        Configure Digital Safe integration ..... 361

    EMC EmailXtender integration ..... 364
        Set up EmailXtender integration ..... 365
        Configure EmailXtender integration ..... 365
        Retrieve archived events with RDM ..... 365

    EMC SourceOne for Exchange integration ..... 366
        Deployment procedure ..... 367
        Set up SourceOne integration ..... 367
        Configure SourceOne business components ..... 368
        Retrieve archived events with the RDM ..... 368

    External Agent API ..... 369
        Output destinations ..... 369
        Integrating programmatically with the External Agent API ..... 369
        Requirements ..... 369
        Installing the External Agent API ..... 370
        EVF file cache guidelines ..... 372
        Configuring the External Agent API ..... 372

    Socket API ..... 374
        Installation methods ..... 374
        Requirements ..... 374
        Configure the Socket API ..... 374
        Socket API throttling ..... 381
        Monitoring the Socket API ..... 381

    ICAP Agent ..... 382
        Deployment procedure ..... 383
        Configuring the proxy server and ICAP client ..... 383
        Install the ICAP agent and PE hub ..... 384
        Import DN details to CA DLP user address lists ..... 384
        Configuring the ICAP agent ..... 385

    Remote Data Manager ..... 388
        RDM requirements ..... 388
        Install the RDM ..... 388
        Post-installation tasks ..... 390
        Do not rename archive servers ..... 391
        Support for multiple RDM servers ..... 391

    Chapter 18 Event Import

    Software components ..... 394

    Importing from e-mail archives ..... 395
        Identifying the owners of imported e-mail events ..... 396
        Synchronize e-mail accounts and CA DLP users ..... 396
        E-mails ignored by Event Import ..... 396
        Events abandoned by Event Import ..... 396
        Filtering e-mail import operations ..... 397
        Support for Exchange envelope journaling ..... 397
        Single import operations only from each Exchange mailbox ..... 398
        E-mails sent from Outlook 2003 in Cached Exchange mode ..... 398

    Event Import operations ..... 399
        Event Import requirements ..... 399
        Logon requirements for the CMS ..... 400
        Logon requirements for Event Import ..... 400
        Installing Event Import ..... 401
        Running an Event Import operation ..... 401
        Individual import operations ..... 401
        Continuous import operations ..... 402
        Scheduling remote CMS import jobs ..... 403
        Multiple import operations ..... 404

    Event Import types ..... 405

    Import failures ..... 406
        Batch jobs importing from files ..... 406
        Continuous jobs importing from PST or MSG files ..... 406
        Imported events cached if replication fails ..... 406
        Exchange mailbox import jobs ..... 406
        Remote CMS import failures ..... 407

    Event Import log files ..... 407

    Template configuration files ..... 408
        Import template files ..... 408

    Bloomberg message attachments ..... 408

    Example import configuration file ..... 409

    Event Import parameters ..... 410
        Import type parameter ..... 413
        Engine parameters ..... 414
        E-mail general parameters ..... 419
        File handling parameters ..... 423


        Exchange Server import parameters ..... 426
        NSF file parameters ..... 430
        PST file parameters ..... 434
        EML file parameters ..... 435
        Bloomberg e-mail parameters ..... 436
        File import parameters ..... 437
        Remote CMS Import parameters ..... 441

    Chapter 19 IM Import

    About IM Import ..... 450
        Supported IM formats ..... 450
        Mapping IM conversations to users ..... 451
        How is the IM network assigned? ..... 451
        Embedding IM conversations in e-mails ..... 451

    Deploy IM Import ..... 452
        Software requirements ..... 452
        Installing IM Import ..... 452
        Parameter requirements ..... 452

    IM Import parameters (IMFrontEnd.exe) ..... 453

    Configure IMlogic dump files ..... 460

    Chapter 20 EML utilities: Cnv2email and BB2email

    EML utilities: deployment architecture ..... 462

    Cnv2email.exe utility ..... 463
        Converting IM conversations to EML e-mails ..... 463
        IM conversion process ..... 463
        Install Cnv2email.exe ..... 464
        Run a CNV conversion job ..... 464

    BB2email.exe utility ..... 465
        Converting Bloomberg e-mails to EML e-mails ..... 465
        Bloomberg e-mail conversion process ..... 465
        Install BB2email.exe ..... 465
        Ingesting attachments ..... 466
        Run a Bloomberg e-mail conversion job ..... 466

    Embedded content details saved in EML x-headers ..... 467
        Custom x-headers in EML e-mails contain event details ..... 467
        Configure policy engines to detect embedded content e-mails ..... 467

    Conversion parameters ..... 469

    Chapter 21 Universal Extractor

    UE requirements ..... 477

    Run an extraction job ..... 477

    XML schema for UE job definitions ..... 478
        Example job definition ..... 480

    XML metadata extractor ..... 481
        Which events are extracted? ..... 481
        How is event metadata selected for extraction? ..... 481
        Format for XML output files ..... 482
        Archive acknowledgements ..... 482
        Monitor metadata extraction jobs ..... 482
        Extraction job parameters ..... 482

    Chapter 22 Mapping e-mail addresses to users

    Address mapping procedure ..... 488

    Which features use e-mail address mapping? ..... 489

    Synchronizing e-mail account addresses ..... 490

    E-mail address FAQs ..... 490

    Chapter 23 Backing up and restoring the CMS

    Database backup tasks ..... 491

    General backup tasks ..... 491
        Back up the Data folder ..... 491
        Back up the master encryption key ..... 492

    Restoring the CMS ..... 493
        Restoring a CMS ..... 493

    Chapter 24 Log files

    About log files ..... 495
        Log file names ..... 496
        Log file types ..... 496
        About policy incident logs ..... 498


    Viewing log files ..... 499
        Where are log files saved? ..... 499
        View log files in the Administration console ..... 499

    Configure log files ..... 500
        Configuration for non-infrastructure logs ..... 500
        General log configuration in machine policy ..... 500
        Policy configuration for specific log types ..... 500

    Write to the Windows event log ..... 502
        Machine policy configuration ..... 502
        Registry configuration ..... 502

    Write to Syslog servers ..... 503
        Machine policy configuration ..... 503

    Chapter 25 Technical information

    Performing an administrative installation ..... 505

    Installation transforms ..... 506
        Identify the CMS: SetParentName.mst ..... 506
        Prevent automatic start-up: DisableAutostart.mst ..... 506
        Prevent consoles being installed: HideConsole.mst ..... 507
        Prevent unauthorized uninstallations of CA DLP: ClientLockDown.mst ..... 507
        Configure Outlook client agent: EmailClientOptions.mst ..... 507
        Install application integration: EnableAppmon.mst ..... 508
        Silent uninstallations for SMS: SMSQuietUninstall.mst ..... 508

    Stopping and restarting the infrastructure ..... 508

    Command line parameters for Msiexec.exe ..... 509
        Operations ..... 509
        General variables ..... 510
        Database variables ..... 512

    Standalone installations ..... 516
        Installing a full-featured standalone ..... 516
        Installing a standalone to demonstrate client agents ..... 517
        Prevent standalone installations ..... 517

    Set account credentials with wgncred.exe ..... 518
        Supported components ..... 518
        Account credentials operations ..... 519

    Manually uninstalling CA DLP ..... 520

    Importing and exporting CMS profiles ..... 522
        Export a CMS profile ..... 522
        Import a CMS profile ..... 522
        Retain existing properties ..... 523
        Reset CMS profile default properties ..... 523

    Allocating UDP and TCP ports ..... 524
        Example communication sequence ..... 524
        Controlling port allocation ..... 524
        Reallocating default port numbers ..... 525
        Configuration changes to support an Internet firewall or router ..... 526

    Export, import and copy policies ..... 527
        Wgnpol.exe command line syntax ..... 527
        Wgnpol.exe examples ..... 531

    Replication holding cache ..... 534
        Cache configuration ..... 534
        Managing the cache ..... 534
        Reset the holding cache ..... 535

    CA DLP installations on 64-bit machines ..... 536
        Exchange 2007 server agent and policy engine hub ..... 536

    Chapter 26 Known issues

    General deployment ..... 539
        Stopping or starting the infrastructure without rebooting ..... 539
        Do not install to encrypted folders ..... 540
        Laptop users and dial-up connections ..... 540

    Policy engines ..... 540
        Policy engine upgrades from version 3.0 ..... 540

    Far Eastern characters ..... 541
        Do not use Far Eastern characters in installation paths ..... 541
        Computer names with Far Eastern characters ..... 541
        Displaying Far Eastern characters ..... 541

    E-mail server agents ..... 542
        Failure to generate e-mail events ..... 542
        Unable to expand distribution lists with hidden membership ..... 542
        Multiple notifications in response to a single e-mail ..... 543


    Event Import ..... 544
        Importing from Exchange requires MAPI and CDO 1.2.1 ..... 544
        Cannot access an Exchange mailbox ..... 544
        Imported e-mail timestamps are truncated ..... 545
        NSF import and End MIME to CD Conversion messages ..... 545
        Cannot import unparented e-mails from a Notes database ..... 545

    IM Import ..... 546
        Bloomberg IM dump files are in US ASCII format ..... 546
        Identifying conversation participants ..... 546
        Timestamps in IB Unified dump files are in EST ..... 546
        Format requirement for imported attachments ..... 546
        Increase size of .CNV cache to improve import performance ..... 546
        More recipients entries are ignored ..... 547
        Anomalous Join and Leave chat room actions ..... 547
        Mismatch between participants information ..... 547

    Quarantine Manager ..... 547
        Encrypted e-mails decrypted when released from quarantine ..... 547
        Do not quarantine encrypted e-mails captured by server agents ..... 547

    Windows XP and 2003 ..... 548
        RDM, EAS and Windows 2003 ..... 548
        Firewall configuration on Windows XP SP2 and 2003 SP1 ..... 548

    iConsole ..... 549
        HTTP 404 error when browsing to the iConsole URL ..... 549
        Unable to download or forward original .msg file ..... 549
        Unable to send audit e-mails ..... 549
        Problem with multiple iConsoles on the same client machine ..... 550
        Display problems due to IE Enhanced Security Configuration ..... 550

    Index ..... 551

    Chapter 1 Introduction

    This chapter outlines the recommended methods for installing and deploying CA DLP. It also presents the hardware and software requirements for the Central Management Server (CMS), gateways and client machines.

    Deploying CA DLP

    After installing CA DLP on your CMS, some further configuration is needed before continuing with the deployment. When this is complete, you can install CA DLP on as many gateways and client machines as your license agreement permits.

    Database tasks

    Before installing the CMS or a gateway, your chosen database engine must already be installed and correctly configured on the target server. CA DLP currently supports Oracle and SQL Server database engines. For configuration guidelines, plus details about purging and backing up your database, please refer to the Database guide.

    We also recommend that you make a full backup of your CMS at least once per week, and incremental backups on a daily basis.

    All of these tasks are described in the following chapters. Known deployment issues are also covered in chapter 25, Technical information.

    Contact Technical Support

    To contact Technical Support, go to: http://ca.com/support

    If you do contact Technical Support, they may ask you to supply the following log files:

    - The infrastructure log file, wgninfra.out.
    - Any relevant system log files. These take the format: stderr_200201200945.log.

    These are all located in CA's \data\log subfolder of the Windows All Users profile; see page 499.


    Hardware and software requirements

    CMS, gateway servers and utility machines

    Operating System: Microsoft Windows Server 2003 or 2008

    Database: CA DLP servers need sufficient memory and processing power to run your chosen database application. See your database documentation for details. The supported databases are:
    - Oracle 10g
    - Microsoft SQL Server 2005 (recommended: SQL Server 2005 SP2)
    - Microsoft SQL Server 2005 Express Edition (not recommended for CMSs)
    - Microsoft SQL Server 2008
    SQL Server is supported on Windows servers only. Also, for SQL Server 2005, ensure that the SQL Server Browser service has started. See the Database guide; search the index for SQL Server 2005.

    Windows Installer: Windows Installer 2.0, 3.0, 3.1 or 4.0

    Disk space: 20Gb Ultra ATA or SCSI. This storage estimate covers the CA DLP infrastructure, consoles and captured data (based on typical usage rates). Note:
    - The CMS needs sufficient free disk space to store data captured on all client machines.
    - A gateway server needs enough free disk space to store data captured on the client machines that it serves. (Note that you can purge this captured data as soon as it has been replicated to the CMS.)
    See also the Calculate disk space values section on page 46.

    Browser integration: Microsoft Internet Explorer 6, 7 or 8. If using Internet Explorer 8, be aware that because CA DLP is an IE extension, it will be disabled if InPrivate Browsing is enabled (this is an IE safety feature) on the CA DLP host machine.

    Console: To run the Administration console or Data Management console, you require Microsoft Internet Explorer 6 or 7.


    Client machines

    Operating System: Microsoft Windows Vista or XP. On XP machines, the Client File System Agent (CFSA) requires SP2 or later. For details about CA DLP and the Windows XP SP2 firewalls, see Known Issues on page 548.

    Memory: 128MB

    Disk space: You must allow approximately 45MB for the CA DLP infrastructure plus an Administration console. You also need sufficient free disk space to store captured data in a local database. (Note that you can purge this captured data as soon as it has been replicated to the parent server.) See also Architecture on page 28.

    Windows Installer: Windows Installer 2.0, 3.0, 3.1 or 4.0

    E-mail integration:
    - Microsoft Outlook 2003 or 2007
    - Lotus Notes Release 6, 6.5, 7, or 8

    Browser integration:
    - Microsoft Internet Explorer 6, 7 or 8
    - Integration with the Microsoft Outlook browser requires Microsoft Internet Explorer 6, 7 or 8
    If using Internet Explorer 8, be aware that because CA DLP is an IE extension, it will be disabled if InPrivate Browsing is enabled (this is an IE safety feature) on the CA DLP host machine.

    File system integration: The CFSA requires Windows XP SP2 or later.

    Print integration: Before installing the CPSA, close down any applications that are running. For details, see page 55.

    Console: To run the Administration console or Data Management console, you require:
    - Microsoft Windows 2003, XP, or Vista
    - Microsoft Internet Explorer 6, 7 or 8


    Event Import and Import Policy machines

    Host server: You must install Event Import and Import Policy on a gateway server; see page 24 for their requirements.

    E-mail:
    - Exchange import: Host machines must be running an Exchange-compatible e-mail application such as Outlook 2003 or 2007. This must be the default e-mail application on the host machine. For .PST import operations, note also the Outlook requirement on page 405.
    - Notes import: Host machines must be running Lotus Notes 6, 6.5, 7, or 8.

    E-mail server:
    - Exchange server: 2003 or 2007
    - Lotus Domino server: 6.0.4, 6.5, 7.0.2, or 8

    E-mail server agent and policy engine hub

    Operating system: Microsoft Windows 2003

    Exchange server agent: Microsoft Exchange Server 2003 or 2007

    Domino server agent: Lotus Domino 6.0.4, 6.5, 7.0.2, or 8. Integration has been tested using the Domino versions listed above. It may work with other versions, but these have not been tested.

    Policy engine host machines

    Operating System: Windows 2003

    Disk space: The host machine needs sufficient memory to cache all effective user policies. See page 202.

    CA DLP server: The host machine must be the CMS or (recommended) a gateway.


    iConsole machines

    These requirements apply to the iConsole front-end Web server and application server host machines. The Dashboard requirement applies to browser host machines.

    Operating System: Microsoft Windows Server 2003 or 2008

    Web service: The host server requires:
    - Microsoft Internet Information Services (IIS) version 5 or 6
    - .Net Framework 2.0

    Browser: Microsoft Internet Explorer 6, 7 or 8

    Dashboard: Browser host machines must be running Adobe Flash Player 9 or later (minimum version 9.0.124.0).

    For full iConsole requirements, see page 74.

    External Agent machines

    Operating System: Microsoft Windows Server 2003, 2008, Windows XP or Vista

    E-mail: Host machines must be running a Microsoft Exchange-compatible e-mail application (such as Outlook 2002, 2003, or 2007) or Lotus Notes 6, 6.5, 7, or 8.

    For full External Agent requirements, see page 369.

    Archive integration host machines

    ZANTAZ EAS: You need to install the External Agent API on the EAS server; see the External Agent machines table above.

    Enterprise Vault: Can only process e-mails extracted from Microsoft Exchange Server 2003; see page 331.

    ZANTAZ Digital Safe: The host server requires:
    - .Net Framework 2.0
    - Web Services Enhancements (WSE) SP3
    - Outlook 2003
    For details, see page 359.

    For version details of all supported archive integrations, see page 320.

CA DLP Deployment guide (page 28)

Architecture

CA DLP machines are organized into hierarchical branches, with the central management server (CMS) as the top level server. The CMS acts as a central repository for all policy details and captured data. Below the CMS, each branch of the hierarchy is optionally managed by a gateway, and each gateway can serve multiple client machines.

Database changes on the CMS are copied automatically via gateway servers to local databases on client machines. These changes can include policy updates and modifications to user and machine accounts. Similarly, at intervals defined in the machine policy, captured data and local policy changes are copied automatically up to the CMS, again via gateway servers.

You manage CA DLP using a console. You can deploy consoles on any machine in your CA DLP installation. You can also have console-only installations, that is, you can install the console without installing any CA DLP server software or client integration features; see page 42.

Upgrading CA DLP

For details about upgrading CMSs, gateway servers, and client machines to the latest version of CA DLP, please see the Upgrade guide. This guide highlights the essential issues you need to be aware of when rolling out an upgrade across your organization and describes the necessary post-upgrade tasks.

Post-upgrade tasks: The database schema was substantially revised in CA DLP 4.0 to optimize performance in many key areas and to support emerging customer requirements. Because of this, two post-upgrade tasks are also required when upgrading to version 4.0; these tasks are described in the Upgrade guide.

Version compatibility: Ideally, rather than upgrading CA DLP machines one at a time, you upgrade all your CA DLP servers (gateways, Event Import machines, policy engines, and so on) at the same time as the CMS. Do this during a period of minimal user activity, beginning with the CMS and then working down the machine hierarchy to each server in turn. When this is complete, we also recommend that you upgrade your client machines as soon as possible, to reduce the amount of event data that needs to be upgraded later.

In practice, this is often not possible and an upgrade rollout can easily take several weeks. Likewise, unforeseen complications may force you to upgrade some child machines before their parent server has been upgraded. For these reasons, you will inevitably have machines running different versions operating alongside each other during the upgrade rollout. Before starting the rollout, you need to understand how CA DLP handles data transfers (policy changes and captured data) between machines running different versions of the product. Full details about version compatibility are provided in the Upgrade guide.

Figure: Example machine hierarchy. CA DLP machines are organized in a virtual hierarchy; this need not correspond to your actual network topology. 1 CMS. 2 Gateway servers. 3 Client machines. 4 Consoles on CA DLP machines. 5 Console-only machine.

Chapter 2

CA DLP servers

This chapter describes how to install and uninstall CA DLP servers, that is, CMSs, gateways and utility machines. In particular, it provides instructions for running the CA DLP server installation wizard (on Windows computers). This chapter also highlights the various server requirements that you must address before installation.

You manage CA DLP servers in the Administration console. Instructions for a console installation are given on page 42.

Server types

This section summarizes the key characteristics of CMSs, gateways and utility machines.

CMS (Central Management Server)

The CMS holds the central database for your CA DLP installation. This database contains the policies for all your machines and users, plus all the captured data (Web pages, e-mails, transactions, and application events) associated with these users.

You must install the CMS before deploying CA DLP to client machines. You must also install an Administration console: you will use the console to perform various configuration tasks before you roll out CA DLP across your organization.

Note the following:

- Standalone CMS installations are described in chapter 4, Client machines.
- CMS backup and restore operations are described in chapter 23, Backing up and restoring the CMS.
- CMS upgrades are described in the Upgrade guide. See also page 28.

Figure: Administration console: CA DLP servers. 1 Machine Administration branch. 2 CMS. 3 Gateway. 4 Client machines. 5 Active utility machine. 6 Disconnected utility machine.

Gateway servers

Gateways are optional data-routing servers, operating between the CMS and client machines. Each gateway can serve multiple client machines and is connected to a single parent server. The parent is either the CMS or another gateway; see the architecture diagram on page 28. The Event Import utility is also hosted on a gateway. This type of hierarchical, distributed deployment provides resilience and network load balancing.

Note: Gateways are optional. You can connect any client machine directly to the CMS if preferred. Gateway upgrades are discussed in the Upgrade guide; see also page 28. The Event Import utility is described in chapter 18, Event Import.

Utility machines

These act as Content Proxy servers or iConsole application servers. Utility machines enable you to run these components without overloading your existing CA DLP servers.

A utility machine is created automatically when you install a Content Proxy server (see page 462), but you must install a utility machine separately before installing an iConsole application server (page 81).

Before installing

Before installing a CA DLP server, you need to configure your database and ensure that computer name resolution is operating correctly on your network.

Server name resolution: When you deploy CA DLP to client machines, you will need to identify each client's parent server (the CMS or gateway) by name or IP address. If you specify the CMS or gateway by its name, you must ensure that the client machines can resolve this name; if they cannot, they will be unable to locate their parent server. Choose a method of computer name resolution that suits the needs of your organization, for example DNS or a WINS server.

Database configuration: Before installing a CMS or gateway server, your chosen database engine must already be installed and correctly configured on the target computer. For Oracle and SQL Server configuration guidelines, please refer to the Database guide.

Disable 8.3 file names: For NTFS file systems, we recommend that you disable creation of 8.3 file names on the machine hosting the CA DLP data folder (see step 6 on page 33). If 8.3 file creation remains enabled, performance may be adversely affected. To disable 8.3 file creation, set the NtfsDisable8dot3NameCreation registry value to 1 (one) and reboot; for further details, search for this registry value on www.support.microsoft.com.
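The name-resolution and 8.3 checks above can be scripted on each host before the wizard runs. The following PowerShell is an added example and not CA DLP's own tooling: the parent server name and the address it should resolve to are placeholders, and the registry value is the NtfsDisable8dot3NameCreation setting named above.

```powershell
# Added example (not CA DLP code): pre-installation checks for a CA DLP host.
# Assumptions: $ParentServer and $ExpectedIp are placeholders for your CMS or
# gateway; the registry value is the NtfsDisable8dot3NameCreation setting the
# guide refers to (0 = 8.3 names enabled, 1 = disabled on all volumes; Windows
# Server 2008 R2 and later also allow 2 = per-volume, which this script treats
# as "not globally disabled").
param(
    [string]$ParentServer = 'cms.example.local',   # hypothetical parent server name
    [string]$ExpectedIp   = '10.0.0.10',           # hypothetical address it should resolve to
    [switch]$Fix                                   # apply the 8.3 change instead of only reporting
)

# 1. Name resolution. [System.Net.Dns] uses the host's configured resolver
#    (DNS, WINS, hosts file), i.e. the same path the CA DLP client will take.
try {
    $addrs = [System.Net.Dns]::GetHostAddresses($ParentServer) | ForEach-Object { $_.ToString() }
    if ($addrs -contains $ExpectedIp) {
        Write-Host "OK: $ParentServer resolves to $ExpectedIp"
    } else {
        Write-Warning "$ParentServer resolves to [$($addrs -join ', ')], not $ExpectedIp. Fix DNS/WINS before installing."
    }
} catch {
    Write-Warning "FAIL: cannot resolve $ParentServer; clients would be unable to locate their parent server. ($($_.Exception.Message))"
}

# 2. 8.3 short-name creation on the machine hosting the data folder.
$fsKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem'
$current = (Get-ItemProperty -Path $fsKey -Name NtfsDisable8dot3NameCreation -ErrorAction SilentlyContinue).NtfsDisable8dot3NameCreation
if ($current -eq 1) {
    Write-Host 'OK: 8.3 name creation is disabled.'
} elseif ($Fix) {
    # Takes effect after a reboot; files that already have short names keep them.
    Set-ItemProperty -Path $fsKey -Name NtfsDisable8dot3NameCreation -Value 1 -Type DWord
    Write-Host 'Set NtfsDisable8dot3NameCreation=1. Reboot before installing.'
} else {
    Write-Warning "8.3 name creation is not disabled (current value: $current). Re-run with -Fix, then reboot."
}
```

Run it from an elevated PowerShell on the prospective CMS, gateway or client; the registry write needs local administrator rights, and the name check is most useful when run from a client machine rather than from the server whose name is being resolved.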

Gateways: To simplify mass deployments, you can bulk create new gateway accounts and pre-assign gateways to parent servers in advance of the CA DLP rollout. This enables you to deploy multiple gateways using a single source image (which identifies a single parent server) whilst ensuring that each gateway automatically connects to its 'correct' parent server immediately after installation. To bulk create new accounts, you use the Account Import feature; see page 169.

Event Import and Import Policy requirements: If you install Event Import or Import Policy on a gateway, the target server must meet the e-mail archive integration requirements; see page 26.

Utility machines: Utility machines inherit the common client machine policy. For Content Proxy servers and iConsole application servers, the Communications Encryption policy setting (in the Security folder) and settings in the Logging folder are relevant.


Server installation features

When you install a CA DLP server, the following features are available:

CA DLP Server: This installs the CA DLP infrastructure, enabling the various components to run and communicate.

- Enterprise Server: This enables the local computer to function as a CA DLP server. Exclude this feature if you want a console-only installation; see page 42.

- Policy Engine: Policy engines permit CA DLP to integrate with Microsoft Exchange and other external e-mail sources. Policy engines are normally installed on a gateway server. For details, see page 204.
  - Socket API: Enables you to call a policy engine from a remote location (via the External Agent API), including from a non-Windows system. For example, the CA DLP Network Boundary Agent uses the Socket API to analyze traffic leaving or entering the corporate network from the internet. For details, please contact Technical Support; see page 23.

- Event Import: The Event Import utility can import e-mails and IM conversations from external sources such as Microsoft Exchange mailboxes. See page 401.
  - Remote Policy Engine Connector: This installs a modified policy engine hub that enables Event Import to connect to policy engines. It is part of the Import Policy feature; see page 227.
  - Templates: This installs predefined import configuration files. These can be customized as required; see page 408.

- Content Services: This installs the content proxy server and content indexer components that interact with the CA DLP infrastructure; see page 472.
  - Content Indexer Console: The console lets you specify which events to index.
  - Content Indexer Server: This installs the indexing service to index events into a Content database.
  - Content Proxy Server: This installs the service that the CMS uses to connect to a content database.

- Remote Data Manager: This enables the Data Management console to retrieve and display events archived in third party remote storage locations. This feature is normally installed on a utility machine. For details, see page 388.

- Quarantine Manager: This component ensures that e-mails released from quarantine are sent on to their original recipients. For details, see page 129.

Figure: Custom Setup screen: Available server features. The feature tree shows CA DLP Server (Enterprise Server, Event Import, Remote Data Manager, Policy Engine, Policy Engine Connector, Quarantine Manager, Content Services, Content Indexer Console, Content Indexer Server, Content Proxy Server, Templates, CMS Storage Connectors, EMC Centera Connector, IBM Content Manager, Socket API), Management Console (Data Management Console, Administration Console) and Documentation.


- CMS Storage Connectors: This installs the connectors needed to implement third party object storage integration. For details, see page 183.
  - EMC Centera Connector: This enables EMC Corporation's Centera content addressed storage (CAS) solution to integrate with CA DLP. For details, see page 184.
  - IBM Content Manager: This enables IBM DB2 Content Manager to integrate with CA DLP. This feature allows storage management, archiving and retrieval of large volumes of captured data. For details, see page 189.

Management Console: This enables the host machine to run these consoles:

- Administration Console: This enables administrators to manage users, machines and policies, view log files, train content agents, and so on.
- Data Management Console: This allows reviewers to search for, view and update the audit status for captured and imported events.

Note: By default, only the Administration console is installed with the Management Console.

Documentation: This installs the following CA DLP manuals in PDF format to guide you through the various aspects of the CA DLP enterprise:

- Database guide: This guide is for DBAs. It contains guidelines for setting up Oracle or SQL Server database engines. Separate chapters provide general indexing advice; instructions for setting up database purges; and information on database partitioning and backing up Oracle and SQL databases.

- Deployment guide: This guide is for administrators. It describes how to install, configure and back up CA DLP. Separate chapters describe: installation methods for the CMS, gateways, client machines and the iConsole; Account Import; secure private tunnels; Event Import; policy engines and hubs; Exchange and Domino integration; Import Policy; content services; integration with third party storage and archive solutions; and the Quarantine Manager.

- Deployment Overview: CA DLP deployments can be very complex and vary from one organization to the next. This manual provides an overview of the overall process and summarizes the key deployment tasks. It is aimed at system administrators. The first chapter summarizes the product architecture. The second chapter maps a route through the overall deployment process, plotting each major task, then breaking each task down into a series of installation or configuration steps.

- iConsole search definition guide: This guide is for administrators and DBAs, auditors, reviewers and compliance officers. It provides guidelines for creating and modifying event searches in the iConsole. It also includes reference information for stored procedures and XML search definition files.

- Upgrade guide: This guide is for administrators. It contains instructions for upgrading CMSs, gateway servers, and client machines to the latest version of CA DLP. It also highlights the essential issues you need to be aware of when rolling out an upgrade across your organization.


Installing a CMS, gateway or utility machine

Note: To install a CMS, gateway or utility machine, you need local administrator rights on the target server.

This section describes how to install a CA DLP server using the Windows server installation wizard.

1 To launch the server installation wizard, run setup.exe. Find this in the \Server folder on your CA DLP distribution media.

2 In the Customer Information screen, enter your user name and organization. This information is required for licensing purposes.

3 In the Custom Setup screen, choose the features that you want to install. These are described on page 31.

3.1 Installation folders: To install these components to a non-default location, click the Change button.

Warning: If you install to a non-default location, the target path must not include folders whose names contain Far Eastern characters. The CA DLP infrastructure cannot handle these paths.

3.2 Free disk space: To check whether the target volumes have sufficient free disk space for the selected features, click the Disk Space button.

3.3 Other features: For details about installing Event Import, policy engines, or the RDM, please see:

- Event Import: page 401
- Policy engines: page 204
- Remote Data Manager: page 388

4 In the Server Type screen, choose to install one of the following:

- Central Management Server: If you install a CMS, note that three user accounts are created automatically; see page 38.
- Gateway: You typically use a gateway to host Event Import or a policy engine.
- Utility Machine: For guidance on when to choose a utility machine, see page 30.

5 For gateways and utility machines only. In the Connectivity screen, enter the name or IP address of the parent server. This may be the CMS or a gateway server.

6 In the Data Location screen, specify the name and network location of the data folder. This contains all the configuration data and captured data associated with the current server. You can either accept the default location or click Change to specify a different location. If you:

- Accept the default location, go to step 7.
- Specify a different location, note the warning below. Remote locations and NAS devices are also described below.

Note: See the recommendation to disable 8.3 file names on page 30.

Warning: Do not install the data folder to an encrypted folder or file system. Also, do not compress the data folder if you are using SQL Server.

Specifying a remote data folder: If you want to specify a remote location, you can specify a network file share, using the universal naming convention (UNC) or a mapped network drive. For example:

    \\MyMachine\share_name\target_folder

or

    \\NAS_device\share_name\target_folder

Sharing and Security settings for the remote folder must allow Full Control for both the user running the installation wizard and the machine running the CA DLP Enterprise Server software.

Note: For SQL Server users, you cannot specify a network file share. This is a known issue. See the Database guide; search the index for Data folder: remote, and SQL Server.
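One way to verify the remote data folder permissions and attributes before running the wizard, as an added PowerShell example (not CA DLP's own tooling): the UNC path and account names are placeholders, and it assumes the Enterprise Server service runs as LocalSystem, so that it reaches the remote share as the server's computer account (DOMAIN\HOSTNAME$). If the service runs under a domain user, check that account instead. The script also flags the encrypted and compressed folder attributes that the warning above rules out.

```powershell
# Added example (not CA DLP code): check that a remote data folder grants Full
# Control to the two principals the guide requires. Assumptions: the UNC path
# and account names are placeholders; the Enterprise Server service runs as
# LocalSystem, so it reaches the share as the server's computer account
# (DOMAIN\HOSTNAME$). If it runs under a domain user, pass that user instead.
param(
    [string]$DataFolder    = '\\NAS_device\share_name\target_folder',   # hypothetical UNC path
    [string]$InstallUser   = 'CORP\dlpadmin',                           # hypothetical: account running the wizard
    [string]$ServerAccount = 'CORP\CMS-HARDY$'                          # hypothetical: computer account of the CA DLP server
)

$full = [System.Security.AccessControl.FileSystemRights]::FullControl
$acl  = Get-Acl -Path $DataFolder      # NTFS ACL of the target folder, read over the UNC path
$ok   = $true

foreach ($principal in @($InstallUser, $ServerAccount)) {
    # An Allow entry (explicit or inherited) whose rights include every bit of FullControl.
    $match = $acl.Access | Where-Object {
        ($_.IdentityReference.Value -ieq $principal) -and
        ($_.AccessControlType -eq 'Allow') -and
        (($_.FileSystemRights -band $full) -eq $full)
    }
    if ($match) {
        Write-Host "OK: $principal has Full Control on $DataFolder"
    } else {
        Write-Warning "MISSING: $principal does not have Full Control on $DataFolder"
        $ok = $false
    }
}

# The effective permission is the more restrictive of the share ACL and the NTFS
# ACL, so also confirm Full Control in the share's own permissions on the file server.

# The guide rules out an encrypted data folder, and a compressed one with SQL Server.
$attrs = [int](Get-Item -Path $DataFolder).Attributes
if ($attrs -band [int][System.IO.FileAttributes]::Encrypted) {
    Write-Warning "$DataFolder is EFS-encrypted: not supported for the data folder"
    $ok = $false
}
if ($attrs -band [int][System.IO.FileAttributes]::Compressed) {
    Write-Warning "$DataFolder is compressed: not supported if you use SQL Server"
}

if (-not $ok) { exit 1 }
```

Run it as the account that will run the wizard, so that the Get-Acl call itself exercises that account's read access to the share. Granting Full Control to the computer account (rather than to Everyone or Authenticated Users) keeps the captured data readable only by the server that owns it.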


7 The next step depends on whether you are reusing an existing CA DLP database:

- If this is a wholly new installation, and the installation wizard does not detect any existing CA DLP database, go to step 9.
- If an existing CA DLP database is detected, the installation wizard displays details about the database here, in the Data Location screen. If you do not want to re-use this database, or you do want to re-use the database but in step 6 you specified a new Data folder, go to step 9.

8 If an existing CA DLP database is detected and you want to re-use both this database and the original Data folder, no further configuration is required; simply click Next. Go directly to step 19.

9 In the Database Type screen, select the database engine that you will use on the current server. Choose Oracle or Microsoft SQL Server.

10 In the Database Identification screen, enter details about your chosen database.

10.1 You can select a local or remote database. In either case, you must specify the host server (enter localhost to specify a database on the local machine) and the TCP/IP port number used by the host server.

Note: Regardless of the type of database engine, if the installation wizard is unable to validate the host server, for example because it is not switched on, the wizard adds a Bypass Database Validation check box to the screen. You can select this check box to skip the validation, but you must ensure you have correctly spelt the server name, otherwise the installation will fail.

10.2 Depending on your chosen database engine, you need to supply further details. For:

- Oracle, go to step 11.
- SQL Server, go to step 12.

11 Oracle database: You must provide an appropriate service identifier (SID) to identify the correct database. The SID corresponds to the SID_NAME value in the listener.ora file on the Oracle host server. The installation wizard attempts to validate this SID if you chose the current machine as the host server.

Now go to step 13.

Figure: Installation wizard: Database Identification screen for Oracle. 1 Server hosting the database. 2 Port number used by the host server. 3 Database SID.


12 SQL Server database: Typically, all you need to do is select the host server; the IP port and database name are then set automatically, though both can be changed.

12.1 Click the Server button to select the host server in the Database Server dialog. This dialog lists any servers found to be hosting SQL Server. In the case of multiple SQL Server instances running concurrently on the same computer, the dialog identifies each instance as:

    <server>\<instance>

    For example, MyDBServer\Instance_1

Where <server> is the name of the server on which SQL Server is running, and <instance> is the name of the SQL Server instance.

12.2 The IP port is set automatically when you choose the host server. You do not normally need to change this. But if necessary, click the Port button to manually set the port number.

12.3 Enter the database name. This defaults to:

    WGN_<server>

    For example, WGN_CMS-HARDY

Where <server> is the name of the server on which you are installing the CMS (CMS-HARDY in the example above). If you have already created a database for CA DLP, change the default name to the name used in SQL Server.

Note: For SQL Server 2005 databases, you must ensure that the SQL Server Browser service has started. For details, see the Database guide; search the index for SQL Server 2005.

Figure: Installation wizard: Database Identification screen for SQL Server. 1 Database host server. 2 Server button. 3 Port number used by the host server. 4 Port button. 5 Database name.

13 In the Database Accounts screen, you must specify the database accounts used by CA DLP to access the CMS database:

- Primary User: This is the main CA DLP database login. For SQL Server databases, the primary user owns the schema.

- Search User: The CA DLP consoles use this account when running event searches. This is a secure account that is subject to row level security when searching the database for events. This ensures that reviewers cannot see events associated with users outside of their management groups.

- Schema Owner: Only available for Oracle CMSs. This optional account owns the database schema. Some organizations choose to have separate accounts for the primary user and the database owner. This is typically for security reasons, for example, to ensure that employees cannot connect to the CMS database as the primary user and delete sensitive data or drop the underlying database objects.

In all cases, you can specify existing database accounts or instruct the wizard to create new ones. If you specify existing accounts, you must ensure that they have appropriate roles and privileges. The requirements for your Oracle users or SQL Server logins are provided in the Database guide.


To specify the database user credentials:

13.1 For the Primary User account, click the button. In the resulting User Credentials dialog, specify the username and password for the database account (but see the following warning). If this is a new account, select the Create User check box.

Warning: All SQL Server accounts (for the Primary User, Search User, and even the database administrator in step 14) must use SQL Server Authentication. You specify the authentication method in the Login Properties dialog in SQL Server Enterprise Manager.

13.2 Repeat the above steps for the Search User account (but see the SQL Server warning above) and, optionally for Oracle CMSs, for the Schema Owner.

Note: The installation wizard does not try to validate these account details. You must ensure that you have entered them correctly, otherwise the installation will fail.

13.3 If any of the specified database user accounts are new, you must specify an existing database account (the Database Administrator user) that the installation wizard can use to log in to SQL Server or Oracle to create the new accounts; go to step 14.

If all the specified accounts are existing database user accounts, go directly to step 17.

14 Still in the Database Accounts screen, go to the Database Administrator User field and click the button. In the resulting User Credentials dialog, specify the username and password for the database administrator account (but see the SQL Server warning in step 13.1).

- For Oracle CMSs, you now need to define a tablespace for each new user; go to step 15.
- For SQL Server CMSs, go directly to step 17.
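Because the wizard does not validate the account details and fails late if they are wrong, a practitioner will want to confirm the SQL Server side of steps 13 and 14 beforehand. The following PowerShell is an added example and not part of the CA DLP installer: the instance name, login names and password prompt are placeholders, and it assumes SQL Server 2005 or later (for the sys.sql_logins view) and that the DBA credential is itself a SQL Server login, as the warning in step 13.1 requires.

```powershell
# Added example (not part of the CA DLP installer): pre-checks for the SQL Server
# side of the Database Accounts screen. Assumptions: $Instance, the login names
# and the DBA login are placeholders; SQL Server 2005 or later (sys.sql_logins);
# and the DBA credential is itself a SQL Server login, as the wizard requires.
param(
    [string]$Instance      = 'MyDBServer\Instance_1',          # hypothetical host\instance
    [string[]]$CadlpLogins = @('wgn_primary', 'wgn_search'),   # hypothetical Primary User / Search User names
    [string]$DbaLogin      = 'sa'
)

# SQL Server Browser must be running for a named instance to be located by name.
if ($Instance -match '\\') {
    $browser = Get-Service -Name SQLBrowser -ErrorAction SilentlyContinue
    if (-not $browser -or $browser.Status -ne 'Running') {
        Write-Warning 'SQL Server Browser is not running: the wizard will not find the named instance.'
    }
}

# Prompt without echo, then unwrap the password only for the connection string.
$secure = Read-Host -AsSecureString "Password for $DbaLogin"
$bstr   = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try     { $plain = [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

# Connect with SQL Server Authentication (User ID/Password). A "Login failed" here
# usually means the DBA account is a Windows login, which the wizard cannot use.
$conn = New-Object System.Data.SqlClient.SqlConnection
$conn.ConnectionString = "Server=$Instance;Database=master;User ID=$DbaLogin;Password=$plain;"
$conn.Open()
try {
    $cmd = $conn.CreateCommand()

    # 1 = Windows Authentication only. CA DLP's SQL logins need Mixed Mode (0).
    $cmd.CommandText = "SELECT CAST(SERVERPROPERTY('IsIntegratedSecurityOnly') AS int)"
    if ([int]$cmd.ExecuteScalar() -ne 0) {
        Write-Warning 'Instance allows Windows Authentication only. Enable Mixed Mode and restart SQL Server.'
    } else {
        Write-Host 'OK: Mixed Mode authentication is enabled.'
    }

    # sys.sql_logins lists SQL-authenticated logins only, so a Windows login of the
    # same name is not counted: exactly the distinction the wizard's warning is about.
    foreach ($login in $CadlpLogins) {
        $cmd.CommandText = 'SELECT COUNT(*) FROM sys.sql_logins WHERE name = @name'
        $cmd.Parameters.Clear()
        [void]$cmd.Parameters.AddWithValue('@name', $login)
        if ([int]$cmd.ExecuteScalar() -eq 1) {
            Write-Host "OK: $login is an existing SQL Server login; leave 'Create User' unticked for it."
        } else {
            Write-Host "$login not found: tick 'Create User' in the wizard so the DBA login above creates it."
        }
    }
} finally {
    $conn.Close()
}
```

Run it on the machine where you will run the wizard, so the connection also proves that the instance and port are reachable from there (the same path the wizard's validation takes). If a login exists but turns out to be a Windows login, recreate it as a SQL Server login before installing; the roles and privileges each login then needs are listed in the Database guide.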

    15 For Oracle CMSs only. In the Database Tablespace Names screen, you must define the tablespace names for each new account.

    By default, Oracle creates all new databases in the Users tablespace, but we strongly recommend that you create separate tablespa