Installing Control Compliance Suite

For test environment, you can install the CCS Manager and the CCS Application Server on a single computer. For a scale-out deployment, you can install the CCS Application Server on one computer and keep adding one more CCS Managers on other computers as per your sizing requirements. Installing more than one CCS Manager is conducive for load sharing and provides better scalability.
If you install the CCS Manager along with the CCS Application Server, using the CCS Suite installer, by default, that CCS Manager is registered in the System Topology in the CCS Console and all roles are assigned to that CCS Manager.
You can install a CCS Application Server and CCS Agent on a single computer, but you cannot install a CCS Manager and a CCS Agent on a single computer. Therefore, you cannot install a CCS Manager along with the CCS Application Server on a computer that contains a CCS Agent.
Control Compliance Suite makes available a set of predefined technical standards, frameworks, and regulations. The CCS Suite installer installs content for the following Technical Standards and Regulations by default. See the
CCS release notes
for more information.
You can install more content using the CCS Content installer. Installing CCS Content
See the following sections before installing the CCS Suite:
Installation of CCS components
CCS installs the following components:
  • CCS Application Server
  • CCS Manager
Do the following to install the CCS components:
The installer places a copy of the installation files in the media cache folder. On the Windows Server 2012 computers, the media cache is in the folder, C:\ProgramData\Symantec\CSM-RA\MediaCache. These files require approximately 1.2 GB disk space.
  1. To launch the Installation Wizard
    , download and open the CCS installation package
    Symantec_Control_Compliance_Suite_<VersionNumber>_Windows_EN.zip.
    .
  2. Extract the contents of the zip package.
  3. In the
    Installset
    folder, double-click
    Setup.exe
    .
  4. In the security warning dialog box, click
    Run
    .
  5. In the DemoShield, click
    CCS Suite
    .
  6. On the splash screen, click
    Install CCS Suite
    . The Setup file is located inside the CCS_Reporting folder of the product media.
    Setup prepares the CCS Suite installation wizard and prompts to install any prerequisites if required. During the prerequisite installation, if the computer prompts you to restart, restart the computer and launch the setup again.
  7. To install the CCS Suite
    , in the
    Welcome
    panel of the launched installation wizard, read and accept the license agreement, and then click
    Next
    .
    The Product Improvement Program is enabled by default. The Product Improvement Program does not collect any personally identifiable data and the participation is optional. If you do not want to share the data with Symantec, you must opt-out of the program. To opt-out of the product improvement program, clear the
    I agree to participate in the Product Improvement Program by sharing the installation and product usage information with Symantec
    box. To opt-out of the product improvement program later, on the CCS Console, hover over the Settings icon in the left navigation pane, click
    Application Settings
    , click
    Product Improvement Program
    and then clear the
    Share installation and product usage information with Symantec
    box. For more information about the product improvement program, Product Improvement Program
  8. In the
    Components
    panel, by default the CCS Manager is selected. You can install both CCS Application Server and CCS Manager, on a single computer. Uncheck
    CCS Manager
    if you do not want to install CCS Manager on this computer. To install a standalone CCS Manager for a scale-out deployment, Installing a standalone CCS Manager for a scale out deployment of CCS
  9. Click
    Next
    .
  10. In the
    Licensing
    panel, click
    Add Licenses
    to add licenses for the components that require mandatory licenses to install. You can add more licenses later using the CCS Console.The CCS Core license is required to install the CCS Application Server and the CCS Maintenance license is required to install the default CCS Content during the CCS installation.
  11. Click
    Next
    .
  12. In the
    Prerequisites
    panel, review the prerequisites that are required for the installation. Install any prerequisite application that is required to be installed. Click
    Check again
    to verify whether the installation is successful.
  13. Click
    Next
    .
  14. In the
    Installation Folder
    panel, review the installation path for product installation.
    Click browse (
    ...
    ) to specify a different installation path to install the product.
    You can change the default location of the Installation files cache folder where the setup files that are cached during installation. Click browse (
    ...
    ) to select a different location to store the setup files.
    Click
    Refresh disk space information
    to verify the available disk space on the computer.
  15. Click
    Next
    . If you have specified a different installation path, and the installer folder does not exist, the installer prompts you to create the installation folder.
  16. To provide details for installing the components and databases
  17. In the launched installation wizard, perform steps 7 to 15.
  18. In the
    CCS Application Server - Root Certificate
    panel, enter the required values for the fields to create the root certificate and then click
    Next
    .
    The root certificate is required for secure communication between CCS Application Server and CCS Manager. The root certificate is created on the CCS Application Server and contains the details that are used to create certificates for the CCS Manager. You must generate certificates for all CCS Manager installations. The root certificate is created using the CCS Installation Wizard during the installation of the product.
    The certificates that are deployed on the CCS Managers are created using the
    Certificate Management Console
    . The
    Certificate Management Console
    is installed on the CCS Application Server computer.
    The fields for the
    CCS Application Server - Root Certificate
    panel and their description are as follows:
    Organization
    The name of your organization.
    Expiration term (years)
    The expiration time period of the root certificate.
    The expiration time period of the root certificate must be more than 10 years.
    Password (Min. 8 char.)
    The password to authenticate the certificate.
    Re-type password
    Re-enter the password that you have typed.
    Signature Algorithm
    The Secure Hash Algorithm (SHA) that is required to create the certificates that use the cryptographic hash functions.
    The following hash functions are used in CCS:
    • sha1RSA
    • sha256RSA
    • sha384RSA
    • sha512RSA
    On the Windows Server 2003 computers, the sha256RSA or higher encryption algorithm appears in the drop-down list only if the computer is configured with sha256RSA or higher encryption capability.
    Key Size
    The key that is associated with a signature algorithm. The key sizes are, 2048, 3072, and 4096.
    Make sure that computers having the CCS Application Server and CCS Managers support the Signature Algorithm and Key Size.
  19. In the
    CCS Application Server - Directory Service Configuration
    panel, enter the required values for the fields and then click
    Next
    .
    The fields for the
    CCS Application Server - Directory Service Configuration
    panel and their description are as follows:
    User name
    Enter the user name in whose context the Directory Service is run on the computer. The user must be a domain user.
    Or click browse (
    ...
    ) to select the user name.
    Password
    Enter the password that authenticates the specified user account.
    Use the same user account for Application Server
    Check this option if you want to reuse the same user account for configuring the CCS Application Server.
    Directory Service port
    Enter the port number of the computer that hosts the CCS Application Server on which the Directory Service runs.
    By default, the port in which the Directory Service runs is, 12467.
    Encryption Management Service port
    Enter the port number of the computer that hosts the CCS Application Server on which the Encryption Management Service runs.
    By default, the port in which the Encryption Management Service runs is, 12468.
    LDAP port
    Enter the LDAP port number of the computer that hosts the CCS Application Server.
    By default, the Directory Service uses the port 3890 to communicate with the CCS Application Server.
    SSL port
    Currently CCS does not support SSL-based communication.
    Data Files
    Click browse (
    ...
    ) to change the location where you want to store the data files, which contain the Directory information.
    When you install the CCS Application Server on a domain controller or on any other computer on which the Active Directory is installed, the default port numbers for LDAP is 3890 and for SSL is 6360.
  20. In the
    CCS Application Server - Encryption Management Service Pass Phrase
    panel, enter the pass phrase that is used to generate the symmetric keys and click
    Next
    .
    The Encryption Management Service uses the symmetric keys generated by the pass phrase to encrypt and decrypt configuration information, including passwords and connection details.
    The pass phrase must be minimum 8 characters long.
    You require this pass phrase later to change the service user account, and to make changes to the installation.
  21. In the
    Application Server - Service Configuration
    panel, enter the required values in the text boxes and click
    Next
    .
    The fields of the
    Application Server - Service Configuration
    panel and their descriptions are as follows:
    User name
    Enter the user name in whose context the Application Server Service is run on the computer. The user must be a domain user.
    Or click browse (
    ...
    ) to select the user name.
    You can reuse the Directory Service user account
    This field is available only if you uncheck
    Use the same user account for Application Server
    in the
    CCS Application Server - Directory Service Configuration
    panel.
    Password
    Enter the password that authenticates the specified user account.
    Application server port
    Enter the port number of the computer on which the Application Server Service runs.
    The Application Server Service runs on the computer on which the Application Server is installed. By default, the port number is, 1431.
    Application server integration service port
    Enter the port number of the computer on which the Application Server Integration Services run.
    The Application Server Integration Services is required for the Integration Services APIs and runs on the Application Server computer. By default, the service runs in the HTTPS port, whose number is, 12431.
    You can also configure the Integration Services to run in the TCP port or the HTTP port. The default HTTP port is 80 and the default TCP port is 1431.
    IIS site for Web Console
    Select the IIS site that launches the CCS Web Console.
    The IIS site is required because the Application Server and the Web Console are installed on the same computer.
    By default, you can use the Default website, which is configured for the IIS Manager that is installed on the Application Server computer. Alternatively, you can specify a custom website to launch the CCS Web Console.
    Symantec recommends to use an IIS site that accepts only HTTPS connections.
    If you use SSL connections, you must configure them before you install CCS.
    For information about configuring SSL connections, see the Microsoft SQL Server documentation at the following location:
    IIS site for Symantec Help
    Select the IIS site that launches the Symantec Help.
    The IIS site is required because the Application Server and the Symantec Help are installed on the same computer. The IIS site is also used to launch the Symantec Help on the remote computer.
    By default, you can use the Default website, which is configured for the IIS Manager that is installed on the Application Server computer. Alternatively, you can specify a custom website to launch the Symantec Help.
    Target path for Symantec Help
    Specify the location for the Symantec Help installation. You can accept the default location, or type a path, or click browse (
    ...
    ) to select a new location.
    You require minimum 30 MB disk space for Symantec Help installation.
    Click
    Yes
    in the SSL recommendation dialog box to proceed with the installation.
    To know the special characters that are supported to create the user account for CCS.
  22. In the
    Application Server - Production Database
    panel, enter the required values in the text boxes and click
    Next
    .
    The SQL server is used to create the production database on the Application Server computer that stores data, which is queried by the data collectors. The production database must be configured to use the Windows authentication.
    By default, the setup creates a production database, CSM_DB on the computer. If the user account that you specify to log in to the SQL Server, does not have the required privileges to create the database, the setup will not create the database. In this case, you must create the CSM_DB database, and then run the CCS Suite installer.
    The fields of the
    Application Server - Production Database
    panel and their descriptions are as follows:
    SQL Server
    Enter the computer name that hosts the SQL server.
    SQL\Instancename,port
    For example,
    CCSSQL\Instance1
    .
    Or click browse (
    ...
    ) to locate the SQL Server.
    Computer names must not use any characters that are invalid for a DNS name.
    The list of characters that are not allowed is available at the following location:
    Use SSL
    By default, this option is checked.
    You must have the required SSL certificate for establishing secured communication.
    If you use SSL connections, you must configure them before you install CCS.
    Refer to the Microsoft SQL Server documentation, http://support.microsoft.com/kb/316898 for information about configuring SSL connections.
    Use Windows NT Integrated Security
    Select this option if you have the SQL server installed in the Windows NT Authentication user context.
    Use a SQL user name and password
    Select this option if you have the SQL server installed in the SQL Authentication user context.
    You must specify the authentication details of the user in the respective text boxes.
    Use the same configuration for the reporting database
    Check this option if you want to replicate the same configuration for the Reporting Server.
    By default, this option is checked, which does not invoke the panel, Application Server - Reporting Database on clicking Next. You can uncheck this option to invoke the panel in step 22.
    If you check this option, the setup creates a reporting database, CSM_Reports on the computer. If the user account that you specify to log in to the SQL Server, does not have the required privileges to create the database, the setup will not create the database. In this case, you must create the CSM_Reports database, and then run the CCS Suite installer.
  23. The
    Application Server - Reporting Database
    panel is available only if you have unchecked
    Use the same configuration for the reporting database
    in step 21
    In the
    Application Server - Reporting Database
    panel, enter the requisite values in the text boxes and click
    Next
    .
    The SQL server information is used to create the reporting database for the Reporting Server. The reporting database is used to store the reports that are generated for the evaluated data. You can choose either Windows or SQL authentication modes to connect to the SQL server.
    By default, the setup creates a reporting database, CSM_Reports on the computer. If the user account that you specify to log in to the SQL Server, does not have the required privileges to create the database, the setup will not create the database. In this case, you must create the CSM_Reports database, and then run the CCS Suite installer.
    The fields of the
    Application Server - Reporting Database
    panel and their descriptions are as follows:
    SQL Server
    Enter the computer name that hosts the SQL server.
    SQL\Instancename,port
    For example,
    CCSSQL\Instance1
    .
    Or click browse (
    ...
    ) to locate the SQL Server.
    Computer names must not use any characters that are invalid for a DNS name.
    The list of characters that are not allowed is available at the following location:
    Use SSL
    By default, this option is checked.
    You must have the required SSL certificate for establishing secured communication.
    If you use SSL connections, you must configure them before you install CCS.
    Refer to the Microsoft SQL Server documentation, http://support.microsoft.com/kb/316898 for information about configuring SSL connections.
    Use Windows NT Integrated Security
    Select this option if you have the SQL server installed in the Windows NT Authentication user context.
    Use a SQL user name and password
    Select this option if you have the SQL server installed in the SQL Authentication user context.
    You must specify the authentication details of the user in the respective text boxes.
  24. In the
    CCS Application Server - Pass Phrase
    panel, enter the pass phrase that is used to generate the symmetric keys and then click
    Next
    .
    The Application Server Service uses the symmetric keys generated by the pass phrase to encrypt and decrypt configuration information, including passwords and connection details.
    The pass phrase must be minimum 8 characters long.
    You require this pass phrase later to change the service user account, and to make changes to the installation.
  25. The
    CCS Manager - Service Configuration
    panel is available on if you are installing the CCS Application Server and CCS Manager on a single computer and you have checked
    CCS Manager
    in the
    Components
    panel.
    In the
    CCS Manager - Service Configuration
    panel, enter a port for the CCS Manager and then click
    Next
    .
    CCS components use this port to communicate with the CCS Manager. The default port is 5600.
  26. In the
    Summary
    panel, review the installation details and click
    Install
    .
    You can click the link,
    Export Summary
    to export the configuration details of all the components that are installed on the computer. The details appear in a browser, after you specify the location to export the summary.
  27. The
    Install
    panel indicates the progress of the component installation. After the installation finishes, the
    Result
    panel appears.
    If the installation is completed with warnings, a
    Warning
    panel displays warning messages or a
    Result
    panel displays critical errors, perform the remediation steps displayed in the
    Detail
    window to complete the installation.
    You can click the link,
    Log Files
    to view the CCS installation log files. The log files are in .csv format. You can use the Log Viewer in the <Install_Directory>\Application Server to view the log files. The LogViewer helps you to easily identify warnings and errors using the color codes. Warnings are highlighted in yellow color and errors are highlighted in red color.
  28. In the
    Result
    panel, review the installation result and then click
    Next
    .
    You can click the link,
    Log Files
    to view the CCS installation log files. The log files are in .csv format. You can use the LogViewer in the <Install_Directory>\Application Server to view the log files. The LogViewer helps you to easily identify warnings and errors using the color codes. Warnings are highlighted in yellow color and errors are highlighted in red color.
  29. The
    Next Steps
    panel displays the additional steps that you must perform to complete the CCS deployment. Perform the next steps and then click
    Finish
    .
    You can click the link,
    Save the next steps
    to save the next steps for future reference. The details appear in a browser, after you specify the location to save the next steps.
    You can check options to launch the CCS console or view the release notes.
    You can click the link,
    Log Files
    to view the CCS installation log files. The log files are in .csv format. You can use the LogViewer in the <Install_Directory>\Application Server to view the log files. The LogViewer helps you to easily identify warnings and errors using the color codes. Warnings are highlighted in yellow color and errors are highlighted in red color.