Signiant Support

13.0 Manager Installation User's Guide



Architecture

The Signiant Manager automates, accelerates, manages, and securely controls the movement of high-value digital content within and between organizations and ecosystems. Engineered for large-scale data transfer requirements, the Manager is built on a core system architecture that consists of a collection of agents and a web interface platform for administering and managing system tasks.

The Manager performs all administration, control, and reporting as well as orchestrating the execution of jobs (e.g. file transfers and notifications). Administrative users interact with the Manager through a web-based platform for configuring the system, automating tasks, managing system activity, and reporting. The Manager is installed on a central system or systems and coordinates and logs the data transfer activities carried out by the distributed Signiant agents. The agents are installed on remote computer systems and are responsible for the actual transfer of data.

Transfer replication is supported with Signiant agents. This replication ensures that geographically distributed systems are up to date and in sync, regardless of location. All jobs are automatically replicated using push distribution between the source agent and the replicated target agents. Use the job view to see an up-to-date graph of the aggregate transfers to all replicating agents.


System Requirements

Before you install the Agent software, verify that the host machine meets all of the requirements described in this section. In addition, you should determine the agent configuration and installation options that are best for your data transfer system deployment. Depending on how your Manager is configured, you may need configuration information from your Signiant administrator before you can proceed with an agent installation. You must also first license the product for the number of agents you are allowed to install.

The following describes the system requirements for Signiant installation.

Signiant Manager and Media Exchange Web Server

Hardware

  • CPU: Xeon dual-core processor, 2 GHz or higher
  • Memory: 8 GB minimum, 16 GB recommended
  • Shared Memory Segment: On Linux, ensure the shared memory segment is set to a minimum of 1024 MB
  • Disk Space: 10 GB minimum (100 GB recommended). Additionally, 1 GB free for /tmp folder on UNIX/Linux, or for C: on Windows
  • Network Connection: 100 Mbps or faster

64-bit Operating Systems

  • CentOS 6.0+
  • Linux RedHat 6.0+
  • Windows 2008 R2 Server
  • Windows 2012 Server R2
  • Windows 2016 Server
  • Windows 10
  • CentOS 7.0+
  • Linux RedHat 7.0+

VMware Supported

  • All Manager operating systems.

Note: High availability is supported on a Linux RedHat cluster only.

Signiant Agent and Media Exchange Server

Hardware

  • CPU: Xeon dual-core processor, 2 GHz or higher
  • Memory: 4 GB minimum
  • Disk Space: 2 GB (preferably 4 GB)
  • Network Connection: 100 Mbps or faster

64-bit Operating Systems

  • Linux RedHat/CentOS 6.0+
  • Linux RedHat/CentOS 7.0+
  • Macintosh OS X 10.9, 10.10, 10.11
  • Solaris 10 x86
  • Windows Server 2008 R2
  • Windows 7, 8, 8.1, 10
  • Windows 2012 Server R2
  • Windows 2016 Server

VMware Supported

  • All Agent operating systems, except: Macintosh.

Additional Specifications

Cluster Set-up: You MUST set up and configure your clustered environment BEFORE installing the Signiant clustered Manager. Make sure your clustered environment is set up and working. A FULLY WORKING cluster is essential to having a reliable, working Signiant Manager. Details on how to set up a Linux cluster are available at http://www.redhat.com/cluster_suite.

Clustered Agents: Signiant software only provides support for active/passive style clusters (please consult the Knowledge Base at http://www.signiant.com/support/case-management---knowledge-base/ for more information).

Agent/Media Exchange Server: Agents/Media Exchange Servers have to contact the Authentication Web Server on TCP 443 in order to perform SOAP authentication.

Time Synchronization: Date and time must be accurately set. Utilization of an NTP Server is recommended.

 

Signiant Manager Port Requirements

  • User to Web Server: TCP 443
  • Manager to and between Agents: TCP / UDP 49221
  • Agent to and between Agent: TCP 49221 / UDP 49221-49321
  • Relay to and between Agent: TCP / UDP 49221
  • Manager to and between Media Exchange Web Server: TCP 49221, 49226-49233*
  • Manager to SMTP mail server: TCP 25
  • Manager to Active Directory/LDAP server: TCP 389 or 636
  • User to Manager: TCP 443 (80 is optional)

 

Signiant Media Exchange Port Requirements

  • User to Media Exchange Relay / Media Exchange Server: TCP 8080, 49221 / UDP 49221-49321
  • Media Exchange Relay / Media Exchange Server to User: UDP 49221-49321
  • Media Exchange Relay to Media Exchange Server: TCP / UDP 49221
  • Media Exchange Enabled Agent to Media Exchange Web Server: TCP 443
  • Content Point to and between Content Point: TCP 49221 / UDP 49221-49321
  • Agent to Manager: TCP 443, TCP / UDP 49221**
  • Manager / Media Exchange Web Server to Internet: TCP 443***
  • Media Exchange Relay to and from Media Exchange Enabled Agent / Media Exchange Server: UDP 49222-49321

 

Notes on Port Requirements for Signiant Media Exchange

  • *Manager to and between Media Exchange Web Server: TCP 443: required during installation
  • **Agent to Manager: TCP 443: required for certificate renewals for relay-only agents and during agent installation. When not configured, offline certificate signing is required
  • ***Manager / Media Exchange Web Server to Internet: TCP 443: required when the Media Exchange desktop client is used

 

Web Browser Support

Signiant Manager and Media Exchange

Windows 7, Windows 8, Windows 8.1, Windows 10

  • Internet Explorer 10, 11
  • Microsoft Edge (HTML 12, 13, 14)
  • Mozilla Firefox 30 - 50

Signiant App

  • Internet Explorer 11
  • Google Chrome (Latest version)
  • Microsoft Edge (Latest version)
  • Mozilla Firefox (Latest version)
  • Apple Safari 7, 8, 9.0.3, 9.1, 10, 10.0.1

Macintosh OS X 10.9, 10.10, 10.11

  • Apple Safari 8, 9.0.3, 9.1.3, 10, 10.0.1
  • Mozilla Firefox 30 - 50
  • Google Chrome 30 - 54

Media Exchange Desktop Client

  • Windows 7, 8, 8.1, 10
  • Macintosh OS X 10.10, 10.11

Clustered System

A clustered Manager environment is available ONLY on Linux. It is NOT available for a Windows Manager. Installing a Manager in a clustered environment is a relatively easy process, as you can specify that the host is a member of a cluster during the actual Manager installation. With a small amount of additional configuration, this allows you to create a secondary Manager for High Availability.

You must have a working cluster set up BEFORE installing the Signiant Manager. There are a number of cluster requirements, which are detailed in the Clustered Installation User's Guide.

Installation Checklists

Before installation, make sure your systems meet these hardware requirements and then record the required installation information in the "Required Manager Installation Information" table below.

Required Manager Installation Information

Record the following information for the Manager installation:
Note: All host names/domain names required for the installation should be fully-qualified and resolvable at the time of installation.

Each entry below gives the item and its description; record the value for each.

  • Organization Name: This is typically your company name.
  • Windows User ID: NT Authority\system will be used by default. Usually a Signiant-dedicated user account under which all data transfers are performed. If only local data is being accessed, you can use the default installation account of "NT Authority\System". Otherwise, it is recommended that you create a new account within your Active Directory (or domain) and test its ability to log on to the intended systems, i.e., copy/move data while logged on using this account. This user ID must exist on the agent; it is not created during the installation.
  • Windows Domain: The domain of the User ID, above.
  • Windows User ID Password: The password for the User ID, above.
  • Unix/Linux User ID: Usually a Signiant-dedicated user account under which all data transfers are performed. This user ID must exist on the agent; it is not created during the installation.
  • Mail Server: A resolvable name for the local mail server (i.e., one which will allow the Manager to relay mail).
  • "admin" Account Password: A password to access the Manager UI and perform administrative tasks.
  • Locality Information: City, state, etc. where the Manager is installed.
  • You may need to create the following passwords (Certificate Authority Pass Phrases, CA Admin. Pass Phrase): During the "standard" (non-custom) installation, users are prompted to specify a password for use with the Signiant software. The password specified will actually be used for three different areas of the Signiant software: Certificate Authority Admin Pass Phrase, Certificate Authority Pass Phrase and the Admin user password (used to log in to the Manager UI). Note that if you reset one of the passwords in the future, this will not reset all of the passwords. You must reset each password separately. For information on how to change these passwords, see Chapter 4 in the Manager User's Guide.

WARNING: Keep these passwords secure. Record them only if you can keep the passwords in a secure location. The entire security of the system depends on this information remaining secret. Do not lose or forget the passwords. They are not recoverable. If you lose/forget them, you will have to reinstall the Signiant software.

User Rights on Windows

In order to successfully install a Windows-based Manager, make sure that the secondary logon service is enabled and started. This is done through the Control Panel / Administrative Tools / Services. Also ensure that the user right "Logon as a service" exists under Control Panel / Administrative Tools / Local Security Policy / Local Policies / User Rights Assignment.

Installation Procedures

This section contains instructions for installing the Signiant software.

Prerequisites

Before installing the Manager, do the following:
  • Make sure that your system meets the system requirements.
  • Fill out the Installation Checklists.
  • On Linux, do the following:
    1. Disable IPv6 in /etc/hosts by commenting out the appropriate line. For example:

      # ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6

    2. In /etc/hosts, ensure the following line exists:

      127.0.0.1 localhost.localdomain localhost

If you are installing in a clustered environment, you must configure the Linux cluster before performing the Signiant installation. 
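
The two /etc/hosts steps above can be checked before launching the installer. The script below is an added example, not part of the Signiant installer; check_hosts_file is a hypothetical helper, and it assumes step 1 means "no active ::1 entry" and step 2 means "an active 127.0.0.1 entry naming localhost.localdomain, then localhost".

```shell
#!/bin/sh
# Added example: audit a hosts file against the two Linux prerequisite steps.
# check_hosts_file is a hypothetical helper name, not a Signiant tool.

# check_hosts_file FILE
#   Prints one line per problem found.
#   Returns 0 if FILE passes, 1 if a step is not satisfied, 2 if unreadable.
check_hosts_file() {
    [ -r "$1" ] || { echo "cannot read $1"; return 2; }
    awk '
        { sub(/#.*/, "") }      # strip comments; a commented-out entry becomes empty
        NF == 0 { next }        # nothing active on this line
        # Step 1 (assumed reading): no active entry for the IPv6 loopback.
        $1 == "::1" { v6 = v6 " " NR }
        # Step 2 (assumed reading): names appear in the order the guide shows.
        $1 == "127.0.0.1" && $2 == "localhost.localdomain" && $3 == "localhost" { v4 = 1 }
        END {
            if (v6 != "") { print "step 1: active ::1 entry on line(s)" v6; bad = 1 }
            if (!v4) { print "step 2: no 127.0.0.1 localhost.localdomain localhost entry"; bad = 1 }
            exit bad + 0
        }
    ' "$1"
}

# Demo on a constructed sample: a hosts file before the prerequisite edits.
demo_hosts_check() {
    demo_file=$(mktemp) || return 2
    cat > "$demo_file" <<'EOF'
127.0.0.1   localhost localhost.localdomain localhost4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
EOF
    demo_rc=0
    check_hosts_file "$demo_file" || demo_rc=$?
    rm -f "$demo_file"
    return "$demo_rc"
}

if demo_hosts_check; then
    echo "constructed sample: OK"
else
    echo "constructed sample: needs the edits from steps 1 and 2"
fi
```

On a real host, run `check_hosts_file /etc/hosts` after sourcing the function.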

Passwords

It is extremely important to make sure that you record certain passwords and keep them in a safe place to maintain security. It is not possible to recover the Certificate Authority Admin Pass Phrase or the CA Pass Phrase. If you lose either of these passwords, you will not be able to retrieve them, and the CA will be unable to issue certificates or generate certificate reports. You will have to reinstall the software to set new pass phrases.

Licensing, RBI & Keyless Installations

The installation prompts for a number of custom options including the following:
  • Agent installation keys
  • Rapid Basic Installation (RBI) mode

Signiant users have a license for the number of agents they are allowed to install. Installation keys are a mechanism that allows Signiant administrators to control the number of Agents a user can install. The Certificate Authority generates these keys, which are valid for a certain period of time.

As an enhanced security feature, keyless installation is no longer the default option. To install an agent in this mode, the administrator must generate and provide an Agent Certificate for the Agent. Please refer to the Trusts section in the Manager User's Guide for details on generating certificates.

Choosing keyless installation allows you to simplify agent installation by not requiring a user to enter an installation key to install an agent. Each agent install increments the "agent installed" counter on the Manager, regardless of whether a real key is used or not. The number of agents licensed in the license key has precedence. Once the count on the Manager reaches the maximum number of agent installations, further agent installations will not be allowed.

Rapid Basic Installation (RBI) automatically uses Signiant configuration options that make it easy to get started quickly, including using keyless agent installation. This mode of installation is appropriate in test environments or production environments where the advanced security functions of the Signiant software are not required.

User Accounts and the Manager - Linux Only

When using NIS for username/password management (i.e., no local user accounts), make sure the accounts are added on the NIS master before installation. The following Unix/Linux groups are required:
  • dtm
  • postgres
The following user accounts must also be members of the specified groups:
  1. User: postgres; Group: postgres 
  2. User: transmgr; Group: dtm
  3. User: transusr; Group: dtm

These user and group accounts are normally created by the Signiant Manager installer if local user & group creation is allowed on the system.
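
When accounts come from NIS, the group and membership requirements above can be verified from saved `getent` output before running the installer. This is an added example, not Signiant code; the function names are hypothetical, and it assumes a user counts as a group member through either the primary GID or the group's member list.

```shell
#!/bin/sh
# Added example: verify the groups and memberships listed in this section.
# Function names are hypothetical; they are not part of the Signiant installer.

# user_in_group USER GROUP PASSWD_FILE GROUP_FILE
#   Files use passwd(5)/group(5) layout, e.g. saved output of
#   `getent passwd` and `getent group`, which includes NIS-served entries.
#   Returns 0 member, 1 not a member, 2 group missing, 3 user missing.
user_in_group() {
    uig_group=$(awk -F: -v g="$2" '$1 == g { print $3 ":" $4; exit }' "$4")
    [ -n "$uig_group" ] || return 2
    uig_gid=${uig_group%%:*}
    uig_members=${uig_group#*:}
    uig_user_gid=$(awk -F: -v u="$1" '$1 == u { print $4; exit }' "$3")
    [ -n "$uig_user_gid" ] || return 3
    [ "$uig_user_gid" = "$uig_gid" ] && return 0   # primary group matches
    case ",$uig_members," in
        *",$1,"*) return 0 ;;                     # listed as a supplementary member
    esac
    return 1
}

# check_signiant_accounts PASSWD_FILE GROUP_FILE
#   Walks the user/group pairs from this guide, prints each problem and
#   returns the number of problems found (0 means ready).
check_signiant_accounts() {
    csa_problems=0
    for csa_pair in postgres:postgres transmgr:dtm transusr:dtm; do
        csa_user=${csa_pair%%:*}
        csa_grp=${csa_pair#*:}
        csa_rc=0
        user_in_group "$csa_user" "$csa_grp" "$1" "$2" || csa_rc=$?
        case $csa_rc in
            0) ;;
            1) echo "user $csa_user is not in group $csa_grp" ;;
            2) echo "group $csa_grp does not exist" ;;
            3) echo "user $csa_user does not exist" ;;
        esac
        [ "$csa_rc" -eq 0 ] || csa_problems=$((csa_problems + 1))
    done
    return "$csa_problems"
}

# Demo on constructed data: transmgr is in the wrong group, transusr is missing.
demo_accounts_check() {
    demo_dir=$(mktemp -d) || return 2
    cat > "$demo_dir/passwd" <<'EOF'
postgres:x:26:26:PostgreSQL:/var/lib/pgsql:/bin/bash
transmgr:x:1001:100:Transfer manager:/home/transmgr:/bin/bash
EOF
    cat > "$demo_dir/group" <<'EOF'
postgres:x:26:
users:x:100:
dtm:x:1500:someoneelse
EOF
    demo_rc=0
    check_signiant_accounts "$demo_dir/passwd" "$demo_dir/group" || demo_rc=$?
    rm -rf "$demo_dir"
    return "$demo_rc"
}

demo_accounts_check || echo "problems found in constructed sample: $?"
```

On a real host, save `getent passwd` and `getent group` to two files and pass them to `check_signiant_accounts`.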

Installing the Manager

The setup program presents a series of installation options and settings. You can leave most settings at the default value. Each screen contains instructions for selecting or editing options and navigating through the setup program. During the installation on Linux, to continue to the next screen, press TAB until the cursor is in the COMMAND section, and then type N for "Next". On Windows, tab between fields and click the "Next" button to continue to the next screen.

Installation Options

The installation prompts you to install one of the following:
  • Signiant Manager (installs the full Signiant Manager, including the Media Exchange Web Server and a Signiant Agent)
  • Signiant Media Exchange Web Server (installs the Media Exchange Web Server and a Signiant Agent).

The Signiant Media Exchange Web Server can be installed on any host on your network that meets the installation requirements, as long as you have a regular Signiant Manager installed somewhere on your network. The Signiant Media Exchange Web Server helps with geographic scalability, allowing you to have a central Manager and then one or many distributed Media Exchange web servers (each of which communicate back to the central Manager).

Launching the Installer

If you perform a standard install, you will not be required to enter the CA passphrase or the CA Admin passphrase. These passphrases will be set automatically to what the admin user password has been set to.

Linux

To launch the installer on Linux, follow these steps:

  1. Contact Signiant Customer Support to obtain the installer.
  2. Extract the tar.gz file contents.

    tar -zxvf <filename>

    For example:

    tar -zxvf DTM_LRH6_64_120.0.SIGNIANT.tar.gz 

  3. Go to the extracted directory and enter: install.sh
  4. Follow the instructions on each screen, and input the required information.

For a clustered environment, you must specify the following values during the installation:

  • Select "Custom" setup type.

  • The install directory must be on shared storage. (e.g., /shared/dds).
  • Select "Host is a Member of a Cluster".

Cluster members must have an IP address that can be resolved by a reverse DNS lookup to determine the hostname.

Windows

Before installing a Windows-based Manager, make sure that the secondary logon service is enabled and started. This is done through the Control Panel>Administrative Tools>Services. Also ensure that the user right "Logon as a service" exists under Control Panel>Administrative Tools>Local Security Policy>Local Policies>User Rights Assignment.

To launch the installer on Windows, follow these steps:
  1. Contact Signiant Customer Support to obtain the installer.
  2. Double-click on the downloaded .exe file. This will extract the contents into a temporary folder and will automatically launch the Signiant installer.
  3. Follow the instructions on each screen, and input the required information.

Installer Prompts

The following table describes the fields in the various installation screens in the approximate order in which they appear. Note that some screens may not appear, depending on the options you choose during the installation. The screen names appear in bold, fields on those screens are in regular (non-bold) text.

A note about passwords associated with the Certificate Authority. The CA Pass Phrase is used to unlock the private key of the CA. The CA Admin Pass Phrase is required to request the installation keys needed to activate Agent hosts AND TO PERFORM MANY CERTIFICATE-RELATED ADMINISTRATIVE TASKS. Be sure to record both passwords in a safe place. If you lose the information, it cannot be recovered and you will have to reinstall the Certificate Authority. Also make sure that these passwords are unique.

Screen: Installation Directory (Appears if you select Custom Setup)
  • Install Dir: Specify the installation directory for the Signiant Media Exchange Web Server. (If the directory does not exist it will be created.)

Screen: Organization Name
  • Organization Name: The name to identify the organization using the software. This is usually your company name.

Screen: Agent Installation Keys
  • Agent installations require installation keys: Choose this option to require users to specify installation keys when installing agents.
  • Agent Installations do not require installation keys: Installation keys are a mechanism that allows Signiant administrators to control the number of Agents a user can install. The Certificate Authority generates these keys, which are valid for a certain period of time. However, you may wish to simplify agent installation by not requiring an installation key to install an agent. Not requiring agent installation keys is the default value.

Screen: Rapid Basic Installation (RBI) Mode
  • Enable Rapid Basic Installation Mode: Rapid Basic Installation (RBI) automatically uses Signiant configuration options that make it easy to get started quickly with Signiant agents. It also includes keyless agent installation. This mode of installation is appropriate in production environments where the advanced security functions of the Signiant software are not required, as well as in test environments. RBI is enabled by default.
  • Disable Rapid Basic Installation Mode: Disable RBI if you want to specify your own configuration options for Signiant agents.

Screen: Default Users
  • Use "system" on Windows and "root" on UNIX/Linux: Use the specified values as the default user (the user which jobs run as on the Agents) on Windows and Linux.
  • Specify other values for the default users: Allows users to specify their own values for Windows and Linux default user and password, as well as for the Windows domain.

Screen: Default User IDs (Appears if you select "Specify other values for the default users")
  • Default Userid (UNIX/Linux): The user which jobs run as on Unix agents. This user ID must exist or be resolvable on the agent; it is not created during the installation.
  • Default Userid (Windows): The user which jobs run as on Windows agents. This user ID must exist or be resolvable on the agent; it is not created during the installation.
  • Windows Domain: This value is used to qualify user IDs and grants for Windows hosts.
  • Windows Userid Password: The password for the specified default user on Windows.
  • Verify Windows Userid Password: Confirm the password for the specified default user on Windows.

Screen: Default Directories (Appears with Custom installation)
  • UNIX/Linux: The default directory that Linux agents use to send or receive data when the directory is not explicitly specified in a workflow component.
  • Windows: The default directory that Windows agents use to send or receive data when the directory is not explicitly specified in a workflow component.

Screen: Signiant Administrators (Appears with Custom installation)
  • Administrator #: Specify up to five Signiant administrator userIDs. These users are able to perform administrative tasks on the local agent.

Screen: Manager Group Name (Appears with Custom installation)
  • Group Name: The group to be used for group privileges on the Manager host. The installation creates this group if it does not already exist.

Screen: Signiant Port Numbers
  • AgentPort, RulesServerPort, SchedulerPort: This port number is required to set up Signiant services on the Manager host. Enter the port number on which the specified service will be running. Note that Signiant requires that ports 80 and 443 be available for Manager/Agent communication. If another application on your system is using these ports, a warning appears, requesting you to release the port(s) and re-run the installer.

Screen: Cluster Configuration (Appears with Custom installation, only on UNIX/Linux)
  • Host is a member of a cluster: Indicates the host is a member of a cluster. (Required for clustered installation to create a High Availability environment with secondary Manager.) Note that cluster members must have an IP address that can be resolved by a reverse DNS lookup to determine the hostname.
  • Host is not a member of a cluster: Indicates the host is not a member of a cluster.
  • Cluster IP Address: The installer detects the IP address of the available cluster. Confirm that this is the host you want to use. If you select "No", the installation quits. If you select "Yes", the next screen lists the members of the cluster. If you have too many or too few nodes in your cluster (you must have two), or the cluster nodes are unresolvable, a screen indicating the error appears and the installation quits. Fix the problem with the cluster environment and restart the Signiant installation.

Screen: Signiant Certificate Authority Setup Parameters Screen
  • Organization Name: Name of your company (for example, Acme Inc.).
  • Locality (City): The city where your company is located.
  • State/Province: The state/province where your company is located.
  • Country Code: Note that the Country Code is in X.509 standard (for example US for United States, CA for Canada).
  • Organizational Unit: A division in your organization (for example, Acme Marketing).
  • CA Common Name: Common name for the Certificate Authority. Can be any combination of alphanumeric characters, symbols, and spaces (for example, Acme Company CA). If you plan to have Agents communicate with Agents in other organizations, this field must be unique across organizations. For this reason, the fully qualified domain name of the host is appended by default.

Screen: Signiant Administrative Password
  • Admin Password: This password is used to log into the Signiant Manager Web interface.
  • Verify Admin Password: Retype the password to confirm the entry.

Screen: Signiant Certificate Authority Pass Phrase (Custom install)
  • CA Pass Phrase: Used to unlock the private key of the Certificate Authority (CA). Must be at least seven characters. Since the CA password phrase protects the actual CA, it should be long and complex, since it seldom (probably never) changes. RECORD IT IN A SAFE PLACE. IF YOU LOSE THIS INFORMATION, YOU CANNOT RECOVER IT AND YOU WILL HAVE TO REINSTALL THE CERTIFICATE AUTHORITY.

    Note: If you perform a standard install, you will not be required to enter a CA passphrase. The passphrase is set automatically to what the admin user password is set to.

  • Verify CA Pass Phrase: Retype the password phrase to confirm the entry.
  • CA Admin Pass Phrase: Used to perform CA administrative functions (for example, requesting installation keys). Must be at least seven characters. This password phrase is used frequently in the Manager Web interface. RECORD IT IN A SAFE PLACE. IF YOU LOSE THIS INFORMATION, YOU CANNOT RECOVER IT, AND YOU WILL HAVE TO REINSTALL THE CERTIFICATE AUTHORITY.
  • Verify CA Admin Pass Phrase: Retype the admin password phrase to confirm the entry.

Post-Installation

This section contains instructions for post-installation tasks.

Logging in to the Manager Web Interface

To log in to the Manager UI, open a browser that supports 128-bit encryption, for example Microsoft Internet Explorer 11.0 or higher, Firefox 27 or higher, Chrome 32 or higher, or Safari 7 or higher. Your Signiant administrator provides you with the location of the Web server. The URL should be in the following format:

https://<Manager_address>/signiant

where: <Manager_address> is the fully qualified host name of the Manager.

You may need to configure the pop-up blocker in your browser to use certain parts of the Manager interface. For information on how to do this, refer to your browser’s help.

Verifying Server Services

Checking the process status allows users to see the state of each of the Manager components. The state is displayed as Running, Starting, Stopping, Stopped, Problem or Timing Out. To verify that the Manager services installed correctly, do the following:

  1. From the Manager, select Administration>Manager>Alarms>System Health.
  2. Click Run All Tests to display the current status of the Manager Components.

Performing System Setup Tasks

After verifying server services and logging in to the Signiant Manager, perform the tasks located on the "System Setup" widget on the dashboard. To perform system setup tasks, do the following:

  1. From the Manager, select Dashboard.
  2. Double-click on the icons in the System Setup widget to complete the following setup tasks:

Licensing

In order to use the Signiant software, and any additional features or applications you have purchased, you must license them. The license page displays a list of the features for which you have purchased a license, as well as the associated license key, its expiry date, the date it was added, its status (Active or Expired), and the licensed agent count for the feature.

To add a license key to the product, do the following:

  1. From the Manager, select Administration>Manager>Licenses.
  2. Click the Add action button.
  3. Type the license key(s) into the field.

    Separate multiple keys with a space or place each key on a separate line.

  4. Click OK.

Configuring E-Mail Notification

The default Manager configuration is to send email from transmgr@<manager_host_name>. In most cases, mail servers will have no problem accepting mail from this address. However, some email server configurations require a valid email address (one that actually exists in the domain) in order to deliver the mail. In such systems, failure to update the "Email Address of Sender" will result in no email notification delivery, and errors indicating that mail from the Signiant Manager server is being rejected will be recorded in the mail server event log/mail log.

The following section describes the procedure to configure and test email notification:

  1. From the Manager, select Administration>Manager>Email Notification.
  2. Email configuration is comprised of the following:

Edit

To specify email properties, do the following:

  1. In the Edit tab, specify the name or address of the network's mail server in the Mail Server field.
  2. In the Mail Server Port field specify the port you want to use. The default value is 25.
  3. In the Mail Server Connection Timeout (seconds) specify the timeout value in seconds for your mail server. This is a mandatory field with a minimum value of 10 seconds and a maximum value of 600 seconds.
  4. In the Email Address of Sender field, specify the email address that will appear in the "From" field of Signiant notification messages.
  5. In the Name of Sender field, specify the name of the sender to associate with the email address.
  6. Click OK to save and exit, or Apply to save and keep the dialog open.

Send a Test Email

To test the email notification feature, do the following:

  1. Select the Send a Test Email tab or select the Send a Test Email action from the action menu.
  2. In the To field, type an email address to send the test email.
  3. Place a check in the SMTP Logging checkbox to retrieve and display SMTP logging messages for this test email in the Mail Log panel. These messages are not saved to a log file.
  4. Click Test.
  5. Click OK to save and exit, or Apply to save and keep the dialog open.
  6. Log in to the account for the test email address to verify that the test email was received. If not, reconfigure your email notification options and re-test.

Updating Maintenance and Backup Jobs

On a fresh install, Signiant creates default log maintenance and Manager backup jobs, with a default schedule and preferences. You will want to modify these jobs to suit your own scheduling needs, particularly specifying a target agent to send the backup to (the default job specifies to backup to the agent on the Manager itself, which is not ideal for disastrous situations), and adding an e-mail address to both jobs for notification in the case of job failure.

In the case of the backup job, you must first install an agent to which you want to assign the backup before you can specify a different agent from the default (Manager agent).

It is important that you verify that these old jobs were properly migrated to the new ones and that you can delete the legacy ones. You can do so by selecting the Maintenance job group in the Jobs and Report>Job Groups menu, and comparing them to the migrated versions. Do not un-suspend them, or they will interfere with the new backup/maintenance jobs.

Additional Post-Installation Tasks

In addition to the system setup tasks described above, you may also want to complete the following additional tasks. Refer to the Manager User's Guide and the Signiant Manager online help for details on the following:

  • Creating a Copy of the Administrative User
  • Configuring Third Party Certificate Usage
  • Setting Certificate Alarms
  • Configuring common remote access privileges
  • Configuring common relays
  • Configuring tunnels
  • Configuring multiple Managers so that agents installed from one Manager trust other Managers
  • Scheduling a Maintenance job
  • Scheduling a Backup job
  • Using Health Check

Note that the configuration options listed are tasks you may want to complete before installing agents. The configuration tasks involve changing default options in the sigsetup.inf file. This file is downloaded for use in the agent installation process. Configuring this file before installing agents ensures that all of the agents have the same configuration, and means you do not have to manually configure this information on an agent-by-agent basis after agent installation.

Installation Files

It is recommended that you keep the original installation bundle - you will need this if you need to do a re-installation. Store the installation bundle in a secure location.

Creating a Copy of the Administrative User

There are several scenarios where having only one Signiant administrative account may cause problems (the account gets locked out, the password is forgotten, and so on). Signiant recommends that you have at least one other account with administrative access.

To create a second administrative account, do the following:

  1. From the Manager, select Administration>Users>List.
  2. In the user list, select "User, Admin" and click Copy.
  3. Fill in new information for the user and click OK.

Configuring Third Party Certificate Usage

Depending on the browser you are using, you may get a warning message every time you log in to the Signiant Manager or the Signiant Media Exchange Web Interface.

To avoid receiving this message, you can obtain a Comodo certificate for your JBoss server through Signiant. Contact Signiant customer support for details on obtaining a Comodo certificate.

Setting Certificate Alarms

The Signiant Manager Web server and each of the agents use a digital certificate. These certificates have a lifespan associated with them, and generally renew automatically. There may be circumstances where a certificate does not renew automatically, such as:

  • Web server certificate issued by third party (e.g., Comodo)
  • Agents unable to communicate with Manager for an extended period of time

To renew its certificate, the agent must be able to contact the Manager using port 443. Failure to renew the Web server's certificate before expiry results in agents being unable to renew their certificates. Agents without a valid certificate will no longer function.

Signiant recommends that you configure Certificate Alarms to receive e-mail alerts at user-specified times before certificates expire. The e-mail shows Web server and agent certificates that have not yet renewed within the user-configured threshold period, and directions on where to find information about renewing certificates.

The user will receive a daily notification until someone renews the agent certificate or, if the certificate is not renewed, for up to 5 days after the certificate expires.

To set up certificate expiry alerts, do the following:

  1. From the Manager, select Administration>Manager>Alarms>Certificates.
  2. Click Add.

    The certificate alarm configuration screen appears.

  3. Complete the information in the dialog.

Upgrading

Upgrading ensures you have the latest features and updates to the Signiant Manager and Agents software. Rather than performing a new installation, upgrading enables you to keep your configuration and receive the latest Signiant software release. This chapter details the steps and procedures you should follow to ensure a smooth and secure upgrade process.

A software upgrade stops all Signiant processes. During the upgrade, any jobs that you have scheduled will not run. Make sure that you perform your upgrade at a time that will ensure the least disruption to your system. For example, if you have a job that is scheduled to run infrequently (once a week, once a month, quarterly, yearly and so on), do not perform the upgrade on the date and time during which this particular job would run. The job will not run until its next scheduled time, which may be a week, month or year later.

During the upgrade, on Linux, to continue to the next screen, press TAB until the cursor is in the COMMAND section, and then type N for "Next". On Windows, tab between fields and click the "Next" button to continue to the next screen. Make sure you are not running System Health when performing an upgrade.

If you are upgrading the Manager, and are running any Media Exchange Web Servers, you must upgrade the Media Exchange Web Servers as well (they must be the same version number as the Manager). Customers who are running the Signiant Media Exchange application should clear their browser cache after a Manager upgrade.

Note: MANAGER UPGRADES CAN TAKE A VERY LONG TIME, SOMETIMES UP TO AN HOUR. THERE MAY BE LITTLE INDICATION OF PROGRESS, EVEN THOUGH THE UPGRADE IS PROCEEDING. UPGRADE TIME VARIES GREATLY DEPENDING ON THE SYSTEM BEING UPGRADED.

Upgrading in a Clustered Environment

For information on how to upgrade in a clustered environment, see the Clustered Installation User's Guide.

Upgrading the Manager on Linux

If you are currently running the Manager on a non-enterprise version of Linux and want to upgrade the OS before upgrading the Manager, see Upgrading a Linux Installation from non-Enterprise to Enterprise.

A Manager upgrade requires 400 MB of disk space. Before installing or upgrading on Linux, make sure the shared memory segment is set to a minimum of 256 MB.

During the installation on Linux, to continue to the next screen, press Tab until the cursor is in the COMMAND section, and then type N for "Next".

Note: MAKE SURE YOU ARE NOT RUNNING SYSTEM HEALTH WHEN PERFORMING AN UPGRADE. FOR INFORMATION ON THE PMU AND TO CHECK WHETHER OR NOT IT IS RUNNING, SEE MONITORING SYSTEM HEALTH IN CHAPTER 4 IN THE MANAGER USER'S GUIDE. BEFORE UPGRADING YOUR MANAGER, YOU SHOULD BACK IT UP USING THE SIGNIANT BACKUP JOB. IF YOU DO NOT BACKUP THE MANAGER AND AN UPGRADE FAILS, YOU WILL NOT BE ABLE TO ROLLBACK THE DATABASE. FOR INFORMATION ON HOW TO BACKUP AND RESTORE THE MANAGER, SEE CONFIGURING MANAGER BACKUP IN CHAPTER 4 IN THE MANAGER USER'S GUIDE.

To launch the installer on Linux, follow these steps:

  1. Download the compressed tar.gz file from the Signiant web site (www.signiant.com) to a temporary location on your Linux server.
  2. Extract the tar.gz file contents.

    tar -zxvf <filename>

    For example:

    tar -zxvf DTM_LRH6_64_12.0.100.SIGNIANT.tar.gz

  3. Go to the extracted directory and enter: install.sh.
  4. Follow the instructions on each screen, and input the required information.

    The installation process stops all Signiant processes while it upgrades the software. During the upgrade, any jobs that you have scheduled will not run. In the Signiant Administrative Password screen, the existing Manager Web interface admin password will be reset to what you enter.

  5. Verify that a backup job exists and still works.

    Signiant supports restoring from backups by the same version of the Manager. Ensuring that the backup job exists and works in your upgraded Manager makes restoring from a backup possible. (Refer to the Manager User's Guide for information on running the backup job).

Upgrading the Manager on Windows

A Manager upgrade requires 400 MB of disk space.

On Windows, tab between fields and click the "Next" button to continue to the next screen.

Note: MAKE SURE YOU ARE NOT RUNNING SYSTEM HEALTH WHEN PERFORMING AN UPGRADE. FOR INFORMATION ON THE PMU AND TO CHECK WHETHER OR NOT IT IS RUNNING, SEE MONITORING SYSTEM HEALTH IN CHAPTER 4 IN THE MANAGER USER'S GUIDE. BEFORE UPGRADING YOUR MANAGER, YOU SHOULD BACK IT UP USING THE SIGNIANT BACKUP JOB. IF YOU DO NOT BACKUP THE MANAGER AND AN UPGRADE FAILS, YOU WILL NOT BE ABLE TO ROLLBACK THE DATABASE. FOR INFORMATION ON HOW TO BACKUP AND RESTORE THE MANAGER, SEE CONFIGURING MANAGER BACKUP IN CHAPTER 4 IN THE MANAGER USER'S GUIDE.

To launch the installer on Windows, follow these steps:

  1. Contact Signiant Customer Support to obtain the installer.
  2. Double-click on the downloaded .exe file. This will extract the contents into a temporary folder and will automatically launch the Signiant installer.
  3. Follow the instructions on each screen, and input the required information.

    The installation process stops all Signiant processes while it upgrades the software. During the upgrade, any jobs that you have scheduled will not run. In the Signiant Administrative Password screen, the existing Manager Web interface admin password will be reset to what you enter.

  4. Verify that a backup job exists and still works.

    Signiant supports restoring from backups by the same version of the Manager. Ensuring that the backup job exists and works in your upgraded Manager makes restoring from a backup possible. (Refer to the Manager User's Guide for information on running the backup template).

Upgrading a Linux Installation from non-Enterprise to Enterprise

Note that Red Hat does not supply an upgrade utility for Enterprise - an upgrade is effectively a new installation. You must perform a fresh installation, which will erase all existing files and data.

If you are upgrading your O/S to Enterprise, then you will have to do the following:

  1. Back up your existing installation via the Backup template in the Manager Administration menu.
  2. Ensure that the Manager backup is stored offline.
  3. Use Red Hat CDs to install the operating system.
  4. After the Enterprise Linux installation is complete, use the original version of the Manager installer to re-install your original version of Signiant.
  5. Restore the Signiant backup created in step 1.
  6. Proceed to upgrade the Manager software.

What if the Upgrade Fails?

If the upgrade fails, you can roll back the database and retry the upgrade if you backed up the Manager before upgrading.

Upgrading the Agents

For information on upgrading the Agents, refer to the Agent Installation User's Guide. For information on remotely upgrading Agents using the Manager, see Chapter 3 in the Manager User's Guide.


Uninstalling

Use the following steps to remove the existing installation.

Note: You cannot undo the removal of the Signiant Manager components. If you are using clustering to run an active and standby Manager, you should uninstall the standby server first before uninstalling the active server.

Uninstalling on Linux

To uninstall the Manager, follow these steps:

  1. Type siguninstall.

    You must run this command from /<signiant_install_directory>/bin, or fully-qualify the command:

    /<signiant_install_directory>/bin/siguninstall

  2. Follow the on-screen prompts to remove the software. Eventually, you are prompted to remove the database.
  3. Choose Y to remove the database. If you choose N, you can remove the database manually at a later point.
  4. Choose Y to remove users and groups. If you choose N, you can remove the users and groups manually at a later point.

Uninstalling on Windows

To uninstall the Signiant Manager from Windows, follow these steps:

  1. Choose Control Panel>Add or Remove Programs.
  2. Locate the Signiant software and click Remove.

Manually Removing the Database

If you choose not to remove the database when uninstalling the Manager components on Linux, you can do so manually by following these steps:

  1. At the command prompt, type the following:

    rm -fR <install_directory>/db

    Where <install_directory> is the location where the software was installed.

Manually Removing Users and Groups

If you choose not to remove users and groups when uninstalling the Manager components on Linux, you can do so manually by following these steps:

  1. Type the following:

    userdel [-r] <userid>

    groupdel <groupid>

    The -r on userdel means that files in the user's home directory will be removed along with the home directory itself and the user's mail spool.

Note: The Linux Manager installation requires the following user accounts:

  • transmgr (used by the Supervisor and Scheduler components)

  • transusr (used by the Agent)
  • postgres (used by the Postgres database)

Miscellaneous

This section contains miscellaneous information about installation procedures.

Installation Argument Options

If you want to set up only the network or the date and time when installing, you can run the installation using just those argument options, as described below.

Setting up Only the Date and Time

To set up only the date and time information during an installation, follow these steps:
  • Log in as root.
  • Change to the directory containing the Manager installer and type install.sh -d
  • Follow the prompts to set up the date and time.

Manager User Accounts

The Linux Manager installation requires the following user accounts:

  • transmgr (used by the Supervisor and Scheduler components)

  • transusr (used by the Agent)
  • postgres (used by the Postgres database)

The following lists these users and the primary group to which they belong. Note that although these user IDs are created on the Manager, their passwords are set to "*" to disable direct login access to them. One can use them only by logging in as root and using the "su" operating system command to switch to the desired user.

  • transmgr (Primary Group: dtm)
  • transusr (Primary Group: dtm)
  • postgres (Primary Group: postgres)
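
To confirm that the three service accounts on a Manager host still match the description above (locked password, expected primary group), a check like the following can be used. It is an added example, not part of the Signiant guide or software; the function names and the sample files are constructed, and it assumes the password field is kept in a shadow-format file.

```shell
#!/bin/sh
# Added example (not Signiant code): audit the Manager service accounts.
# Account names and primary groups come from the guide; the file contents
# written by make_sample are constructed test data.

EXPECTED="transmgr:dtm transusr:dtm postgres:postgres"

# audit_accounts PASSWD SHADOW GROUP
# Prints "<account>: OK" or "<account>: FAIL <reason>" for each expected
# account and returns the number of failing accounts.
audit_accounts() {
    passwd_file=$1; shadow_file=$2; group_file=$3
    failures=0
    for pair in $EXPECTED; do
        user=${pair%%:*}
        want_group=${pair#*:}
        reason=""
        # passwd field 4 is the primary GID.
        gid=$(awk -F: -v u="$user" '$1 == u { print $4; exit }' "$passwd_file")
        if [ -z "$gid" ]; then
            reason="account missing"
        else
            # Map the GID to a group name (group field 3 is the GID).
            have_group=$(awk -F: -v g="$gid" '$3 == g { print $1; exit }' "$group_file")
            if [ "$have_group" != "$want_group" ]; then
                reason="primary group is '${have_group:-unknown}', expected '$want_group'"
            fi
            # shadow field 2 is the password hash; a value starting with
            # "*" or "!" can never match a password, so direct login is off.
            hash=$(awk -F: -v u="$user" '$1 == u { print $2; exit }' "$shadow_file")
            case $hash in
                '*'*|'!'*) ;;
                '') reason="${reason:+$reason; }password field empty or entry missing" ;;
                *)  reason="${reason:+$reason; }password login is enabled" ;;
            esac
        fi
        if [ -n "$reason" ]; then
            echo "$user: FAIL $reason"
            failures=$((failures + 1))
        else
            echo "$user: OK"
        fi
    done
    return "$failures"
}

# make_sample DIR: write constructed passwd/shadow/group files for the demo.
make_sample() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
transmgr:x:501:501::/home/transmgr:/bin/bash
transusr:x:502:100::/home/transusr:/bin/bash
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
EOF
    cat > "$1/group" <<'EOF'
root:x:0:
users:x:100:
dtm:x:501:
postgres:x:26:
EOF
    cat > "$1/shadow" <<'EOF'
root:$6$constructed$notarealhash:19000:0:99999:7:::
transmgr:*:19000:0:99999:7:::
transusr:*:19000:0:99999:7:::
postgres:$6$constructed$notarealhash:19000:0:99999:7:::
EOF
}

# Demo on the constructed sample: transusr has the wrong primary group and
# postgres has a usable password, so two accounts are reported.
demo_dir=$(mktemp -d)
make_sample "$demo_dir"
audit_accounts "$demo_dir/passwd" "$demo_dir/shadow" "$demo_dir/group" ||
    echo "$? account(s) need attention"
rm -rf "$demo_dir"
```

On a Manager host, run the function as root with /etc/passwd, /etc/shadow and /etc/group as its three arguments.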

Enabling and Disabling SSL V3

Note: to disable SSL V3, your Signiant Manager and Agents must be running version 11.4.

Use the sslEnableDisable.pl script to manage the enabling and disabling of SSL V3 communication. This script is located in <signiantHome>/bin.

The parameter options for sslEnableDisable.pl are: enableSSLv3 or disableSSLv3. For example:

sslEnableDisable.pl disableSSLv3

By default on new installations, SSL V3 communication is disabled. For any upgraded installations, the SSL V3 status is not impacted.

Note: TLS 1.0, 1.1, and 1.2 are always supported.

If SSL V3 is disabled on your Signiant Manager and you have written Perl scripts that use the Net::SSL Perl module for HTTPS communication, you must modify your Perl script to use the IO::Socket::SSL module.

If you have the following line in your Perl script: use Net::SSL, do the following:

  1. Remove use Net::SSL.
  2. Insert the following:
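    if (eval {require IO::Socket::SSL;1})
    {
         IO::Socket::SSL->import();

         # Certificate verification is turned off here. The constant is called
         # by its full name because IO::Socket::SSL is loaded at run time.
         IO::Socket::SSL::set_defaults(
                     SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE()
                     );
    }
    else
    {
         # IO::Socket::SSL is not installed: fall back to Net::SSL.
         require Net::SSL;
         Net::SSL->import();
    }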

If the SSL verify mode needs to verify the server certificate, insert the following:

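if (eval {require IO::Socket::SSL;1})
{
     IO::Socket::SSL->import();

     # Replace the placeholder with the PEM text of the CA certificate.
     my $caCertString = '<PEM encoded CA certificate string>';
     require IO::Socket::SSL::Utils;
     IO::Socket::SSL::Utils->import('PEM_string2cert');
     my $caCertHandle = PEM_string2cert($caCertString);

     # The constant is called by its full name with parentheses so that it is
     # resolved at run time, after the require above. A bare SSL_VERIFY_PEER
     # is compiled before the module is loaded and is not seen as the constant.
     IO::Socket::SSL::set_defaults(
                 SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_PEER(),
                 SSL_ca => [$caCertHandle]
                 );
}
else
{
     # IO::Socket::SSL is not installed: fall back to Net::SSL.
     require Net::SSL;
     Net::SSL->import();
}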

With these changes, your Perl script will work without any further modifications.
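
Before disabling SSL V3, the scripts that still need this change can be found with a triage pass like the one below, which also flags scripts that set SSL_VERIFY_NONE and therefore accept any server certificate. It is an added example, not Signiant code; the function names and sample scripts are constructed, and the comment stripping is a heuristic.

```shell
#!/bin/sh
# Added example (not Signiant code): triage Perl scripts for the Net::SSL to
# IO::Socket::SSL change described above.

# classify_perl_tls FILE
# Prints one word:
#   migrate      compile-time "use Net::SSL" is still present
#   no-verify    SSL_VERIFY_NONE is set (server certificate is not checked)
#   verify-peer  SSL_VERIFY_PEER is set
#   none         no matching TLS client code found
classify_perl_tls() {
    # Drop comments so a commented-out "use Net::SSL" is not counted.
    # Heuristic: this also cuts text after a "#" inside a string.
    code=$(sed 's/#.*$//' "$1")
    if printf '%s\n' "$code" |
        grep -Eq '^[[:space:]]*use[[:space:]]+Net::SSL([[:space:]]|;|$)'; then
        echo migrate
    elif printf '%s\n' "$code" | grep -q 'SSL_VERIFY_NONE'; then
        echo no-verify
    elif printf '%s\n' "$code" | grep -q 'SSL_VERIFY_PEER'; then
        echo verify-peer
    else
        echo none
    fi
}

# scan_perl_tls DIR
# Prints "status<TAB>path" for every *.pl file in DIR and returns the number
# of files classed as migrate or no-verify.
scan_perl_tls() {
    flagged=0
    for f in "$1"/*.pl; do
        [ -f "$f" ] || continue
        status=$(classify_perl_tls "$f")
        printf '%s\t%s\n' "$status" "$f"
        case $status in
            migrate|no-verify) flagged=$((flagged + 1)) ;;
        esac
    done
    return "$flagged"
}

# make_perl_samples DIR: write constructed sample scripts for the demo.
make_perl_samples() {
    cat > "$1/legacy.pl" <<'EOF'
use strict;
use Net::SSL;
EOF
    cat > "$1/insecure.pl" <<'EOF'
if (eval {require IO::Socket::SSL;1}) {
    IO::Socket::SSL->import();
    IO::Socket::SSL::set_defaults(SSL_verify_mode => SSL_VERIFY_NONE);
} else {
    require Net::SSL;
}
EOF
    cat > "$1/pinned.pl" <<'EOF'
IO::Socket::SSL::set_defaults(
    SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_PEER(),
    SSL_ca => [$caCertHandle]);
EOF
    cat > "$1/commented.pl" <<'EOF'
# use Net::SSL;   (disabled)
use Net::SSLeay;
print "no TLS client code here\n";
EOF
}

# Demo on the constructed samples: legacy.pl and insecure.pl are flagged.
demo_dir=$(mktemp -d)
make_perl_samples "$demo_dir"
scan_perl_tls "$demo_dir" || echo "$? script(s) need attention"
rm -rf "$demo_dir"
```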

Hardening Guide

This Signiant Manager and Agents Hardening Guide describes hardening steps for Signiant Manager and Agent installations. Each hardening step removes or limits functionality available in default Manager and Agent installations to eliminate potential attack vectors. The primary purpose of this guide is to educate customers on the functional consequences of each hardening step and the potential security exposures associated with not performing the hardening step.


System Protection Resources

Although it is not required to run the Agent, it is highly recommended that you protect or "harden" systems that perform data transfers with other companies or over unprotected networks. While system security configuration goes beyond the scope of this guide, the following resources available on the Internet may be useful for securing your systems against unwanted intrusions.

Disclaimer: Signiant makes no warranty as to the fitness or viability of any product mentioned here, nor does Signiant have any reseller relationship with the authors or vendors of these products. This information is provided for informational purposes only. The final decision to use or not to use these products is to be made by the host administrators.

Red Hat Linux

Bastille is a script used to harden Red Hat and Mandrake Linux distributions. You can find more information about Bastille at http://www.bastille-linux.org/.

Windows 2000

If your Windows hosts are running Internet Information Server (IIS), you may wish to use the IIS Lockdown Tool available from Microsoft. You can find more information about the tool at:

http://www.microsoft.com/technet/security/tools/locktool.asp

For information on general Microsoft Windows security, visit http://www.microsoft.com/security/.


Disaster Recovery

While cluster-based high availability is supported for Managers within a location, "global" or "geographic" high availability is not currently supported in the product. It is possible, however, to accomplish this using a combination of built-in utilities and manual procedures, as outlined in this appendix.

Disaster recovery for Managers can be implemented through the configuration of a ‘warm’ standby whereby the standby machine can assume the role of the active, but this does require some manual intervention. Specifically, a backup is taken of the active (master) server and transferred to a standby server. Should a recovery or failover be required, the backup is restored on the standby and the standby then assumes the role of active. Several configuration steps are required in order to set up and configure such an environment.

Note: This disaster recovery solution works only between "like" versioned Managers (i.e., 11.0 to 11.0). This disaster recovery solution will not work with differently versioned Managers such as between 10.2 and 10.4.

Prerequisites

Before configuring a disaster recovery implementation, make sure your network meets the following criteria:

  • Active and standby servers are configured with correct network parameters (hostname, IP address) and are network accessible

  • A working Manager is installed and configured on both the active and standby servers

Make sure you do NOT use the standby Manager as a general-purpose Agent. It should be a dedicated Disaster Recovery Manager.

Configuration

You must complete the following tasks to configure the active and standby servers to trust each other in order to transfer the backup file from the active to the standby:

Extract Certificates

On the active and the standby servers, follow these steps:

  1. Run the following command on each server: dds_cert extract.

    dds_cert is found in the bin subdirectory (i.e., /usr/signiant/dds/bin or c:\Program Files\Signiant\Mobilize\bin).

  2. Take the ddsCA_cert.pem file and copy it to the other server (i.e., copy the active one to the standby server and the standby to the active).

Import Certificates

On the active and the standby servers, follow these steps:

  1. Stop the agent process (on Linux, type /etc/init.d/siginit stop sigagent. On Windows, use the Services Control Panel to stop the Signiant Process Control Service).
  2. Type dds_cert addca <path_to_ddsCA_cert.pem>.
  3. Start the agent process (on Linux, type /etc/init.d/siginit start sigagent. On Windows, use the Services Control Panel to start the Signiant Process Control Service).

Add the Standby Server agent to the Active Server

To add the standby server agent to the list of agents the active server recognizes, follow these steps:

  1. Log in to the active server as "admin" or a user with admin rights.
  2. Choose Administration>Agents>List
  3. Click Add.
  4. Add an entry for the exact name of your standby server and click Save.

    Note: use the utility "dds_hostnm" on the standby server to see the exact hostname by which the Signiant software knows the machine.

Grant Access/Admin to Active Server

The active server needs rights in order to transfer the backup file to the standby server. For convenience, the active server should also have rights to administer the agent on the standby server.

To create the appropriate access/admin grants, do the following:

Standby Server:

  1. Log in to the standby server.
  2. Select Administration>Agents>List.
  3. In the right pane, select the standby host and click Edit.
  4. On the General Tab>Environment, take note of the default user.
  5. Click the Remote Access tab.

    If "Simple" is defined as the Remote Access selection then no further configuration is required. If "Advanced" is defined as the Remote Access selection, add the following Access Entity configuration (grant):

    • Click Add.
    • In the drop-down, select the hostname of the active server.

    • On the Access Rights/Job Environment tab, make sure the "Jobs Run As" user is the same as the default user noted in step 4 above.
    • On the Access Rights/Administration tab, check all boxes (except "Upgrade Software") and click "Apply/Ok"

Active Server:

  1. From Administration>Agents>List, select the entry for the standby server from the agent list and click Edit.

    If no errors occur and all agent properties are retrieved, the standby now trusts the active server.

Setup Backup Job

After completing the server configuration tasks, you need to set up a backup job on the active server to transfer its backup to the standby.

To set up a backup job on the active server, do the following:

  1. Log in to the active server.
  2. Select Administration>Manager>Backup.
  3. Click Add.

    If this is the first time you are scheduling a Backup job, the schedule screen appears automatically and you do not have to click Add a Job.

  4. Specify a schedule for the backup job, choosing the standby server as the target.

Recovery in a Remote Failure Scenario

In the case of failure of the Active Manager site, do the following:

  1. Shut down Manager processes on the remote/standby machine.
  2. Rename the remote/standby host so it has the exact hostname that the former active server has.
  3. Update the DNS record for the active Manager hostname so that its IP address points to the remote/standby server.

    The standby server MUST take the name of the former active server.

  4. Restore the latest Active Manager backup on the remote/standby server by following the directions in Restoring the Manager in Chapter 4 in the Manager User's Guide, but in addition, include the "-nonet" parameter in the restore_dtm command.

    The "-nonet" parameter prevents the standby from restoring the primary's network configuration.

  5. Restart all services on the remote/standby server.
  6. Once all services are up, the system should be functioning as the new active server.