Installing Control Compliance Suite
For test environment, you can install the CCS Manager and the CCS Application Server on a single computer. For a scale-out deployment, you can install the CCS Application Server on one computer and keep adding one more CCS Managers on other computers as per your sizing requirements. Installing more than one CCS Manager is conducive for load sharing and provides better scalability.
If you install the CCS Manager along with the CCS Application Server, using the CCS Suite installer, by default, that CCS Manager is registered in the System Topology in the CCS Console and all roles are assigned to that CCS Manager.
You can install a CCS Application Server and CCS Agent on a single computer, but you cannot install a CCS Manager and a CCS Agent on a single computer. Therefore, you cannot install a CCS Manager along with the CCS Application Server on a computer that contains a CCS Agent.
Control Compliance Suite makes available a set of predefined technical standards, frameworks, and regulations. The CCS Suite installer installs content for the following Technical Standards and Regulations by default. See the
CCS release notes
for more information.You can install more content using the CCS Content installer. Installing CCS Content
See the following sections before installing the CCS Suite:
Installation of CCS components
CCS installs the following components:
- CCS Application Server
- CCS Manager
Do the following to install the CCS components:
- Launch the Installation Wizard
- Install the CCS Suite
- Provide details to install components and databases
The installer places a copy of the installation files in the media cache folder. On the Windows Server 2012 computers, the media cache is in the folder, C:\ProgramData\Symantec\CSM-RA\MediaCache. These files require approximately 1.2 GB disk space.
- To launch the Installation Wizard, download and open the CCS installation packageSymantec_Control_Compliance_Suite_<VersionNumber>_Windows_EN.zip..
- Extract the contents of the zip package.
- In theInstallsetfolder, double-clickSetup.exe.
- In the security warning dialog box, clickRun.
- In the DemoShield, clickCCS Suite.
- On the splash screen, clickInstall CCS Suite. The Setup file is located inside the CCS_Reporting folder of the product media.Setup prepares the CCS Suite installation wizard and prompts to install any prerequisites if required. During the prerequisite installation, if the computer prompts you to restart, restart the computer and launch the setup again.
- To install the CCS Suite, in theWelcomepanel of the launched installation wizard, read and accept the license agreement, and then clickNext.The Product Improvement Program is enabled by default. The Product Improvement Program does not collect any personally identifiable data and the participation is optional. If you do not want to share the data with Symantec, you must opt-out of the program. To opt-out of the product improvement program, clear theI agree to participate in the Product Improvement Program by sharing the installation and product usage information with Symantecbox. To opt-out of the product improvement program later, on the CCS Console, hover over the Settings icon in the left navigation pane, clickApplication Settings, clickProduct Improvement Programand then clear theShare installation and product usage information with Symantecbox. For more information about the product improvement program, Product Improvement Program
- In theComponentspanel, by default the CCS Manager is selected. You can install both CCS Application Server and CCS Manager, on a single computer. UncheckCCS Managerif you do not want to install CCS Manager on this computer. To install a standalone CCS Manager for a scale-out deployment, Installing a standalone CCS Manager for a scale out deployment of CCS
- ClickNext.
- In theLicensingpanel, clickAdd Licensesto add licenses for the components that require mandatory licenses to install. You can add more licenses later using the CCS Console.The CCS Core license is required to install the CCS Application Server and the CCS Maintenance license is required to install the default CCS Content during the CCS installation.
- ClickNext.
- In thePrerequisitespanel, review the prerequisites that are required for the installation. Install any prerequisite application that is required to be installed. ClickCheck againto verify whether the installation is successful.
- ClickNext.
- In theInstallation Folderpanel, review the installation path for product installation.Click browse (...) to specify a different installation path to install the product.You can change the default location of the Installation files cache folder where the setup files that are cached during installation. Click browse (...) to select a different location to store the setup files.ClickRefresh disk space informationto verify the available disk space on the computer.
- ClickNext. If you have specified a different installation path, and the installer folder does not exist, the installer prompts you to create the installation folder.
- To provide details for installing the components and databases
- In theCCS Application Server - Root Certificatepanel, enter the required values for the fields to create the root certificate and then clickNext.The root certificate is required for secure communication between CCS Application Server and CCS Manager. The root certificate is created on the CCS Application Server and contains the details that are used to create certificates for the CCS Manager. You must generate certificates for all CCS Manager installations. The root certificate is created using the CCS Installation Wizard during the installation of the product.The certificates that are deployed on the CCS Managers are created using theCertificate Management Console. TheCertificate Management Consoleis installed on the CCS Application Server computer.The fields for theCCS Application Server - Root Certificatepanel and their description are as follows:OrganizationThe name of your organization.Expiration term (years)The expiration time period of the root certificate.The expiration time period of the root certificate must be more than 10 years.Password (Min. 8 char.)The password to authenticate the certificate.Re-type passwordRe-enter the password that you have typed.Signature AlgorithmThe Secure Hash Algorithm (SHA) that is required to create the certificates that use the cryptographic hash functions.The following hash functions are used in CCS:
- sha1RSA
- sha256RSA
- sha384RSA
- sha512RSA
On the Windows Server 2003 computers, the sha256RSA or higher encryption algorithm appears in the drop-down list only if the computer is configured with sha256RSA or higher encryption capability.Key SizeThe key that is associated with a signature algorithm. The key sizes are, 2048, 3072, and 4096.Make sure that computers having the CCS Application Server and CCS Managers support the Signature Algorithm and Key Size. - In theCCS Application Server - Directory Service Configurationpanel, enter the required values for the fields and then clickNext.The fields for theCCS Application Server - Directory Service Configurationpanel and their description are as follows:User nameEnter the user name in whose context the Directory Service is run on the computer. The user must be a domain user.Or click browse (...) to select the user name.PasswordEnter the password that authenticates the specified user account.Use the same user account for Application ServerCheck this option if you want to reuse the same user account for configuring the CCS Application Server.Directory Service portEnter the port number of the computer that hosts the CCS Application Server on which the Directory Service runs.By default, the port in which the Directory Service runs is, 12467.Encryption Management Service portEnter the port number of the computer that hosts the CCS Application Server on which the Encryption Management Service runs.By default, the port in which the Encryption Management Service runs is, 12468.LDAP portEnter the LDAP port number of the computer that hosts the CCS Application Server.By default, the Directory Service uses the port 3890 to communicate with the CCS Application Server.SSL portCurrently CCS does not support SSL-based communication.Data FilesClick browse (...) to change the location where you want to store the data files, which contain the Directory information.When you install the CCS Application Server on a domain controller or on any other computer on which the Active Directory is installed, the default port numbers for LDAP is 3890 and for SSL is 6360.
- In theCCS Application Server - Encryption Management Service Pass Phrasepanel, enter the pass phrase that is used to generate the symmetric keys and clickNext.The Encryption Management Service uses the symmetric keys generated by the pass phrase to encrypt and decrypt configuration information, including passwords and connection details.The pass phrase must be minimum 8 characters long.You require this pass phrase later to change the service user account, and to make changes to the installation.
- In theApplication Server - Service Configurationpanel, enter the required values in the text boxes and clickNext.The fields of theApplication Server - Service Configurationpanel and their descriptions are as follows:User nameEnter the user name in whose context the Application Server Service is run on the computer. The user must be a domain user.Or click browse (...) to select the user name.You can reuse the Directory Service user accountThis field is available only if you uncheckUse the same user account for Application Serverin theCCS Application Server - Directory Service Configurationpanel.PasswordEnter the password that authenticates the specified user account.Application server portEnter the port number of the computer on which the Application Server Service runs.The Application Server Service runs on the computer on which the Application Server is installed. By default, the port number is, 1431.Application server integration service portEnter the port number of the computer on which the Application Server Integration Services run.The Application Server Integration Services is required for the Integration Services APIs and runs on the Application Server computer. By default, the service runs in the HTTPS port, whose number is, 12431.You can also configure the Integration Services to run in the TCP port or the HTTP port. The default HTTP port is 80 and the default TCP port is 1431.IIS site for Web ConsoleSelect the IIS site that launches the CCS Web Console.The IIS site is required because the Application Server and the Web Console are installed on the same computer.By default, you can use the Default website, which is configured for the IIS Manager that is installed on the Application Server computer. Alternatively, you can specify a custom website to launch the CCS Web Console.Symantec recommends to use an IIS site that accepts only HTTPS connections.If you use SSL connections, you must configure them before you install CCS.For information about configuring SSL connections, see the Microsoft SQL Server documentation at the following location:IIS site for Symantec HelpSelect the IIS site that launches the Symantec Help.The IIS site is required because the Application Server and the Symantec Help are installed on the same computer. The IIS site is also used to launch the Symantec Help on the remote computer.By default, you can use the Default website, which is configured for the IIS Manager that is installed on the Application Server computer. Alternatively, you can specify a custom website to launch the Symantec Help.Target path for Symantec HelpSpecify the location for the Symantec Help installation. You can accept the default location, or type a path, or click browse (...) to select a new location.You require minimum 30 MB disk space for Symantec Help installation.ClickYesin the SSL recommendation dialog box to proceed with the installation.To know the special characters that are supported to create the user account for CCS.
- In theApplication Server - Production Databasepanel, enter the required values in the text boxes and clickNext.The SQL server is used to create the production database on the Application Server computer that stores data, which is queried by the data collectors. The production database must be configured to use the Windows authentication.By default, the setup creates a production database, CSM_DB on the computer. If the user account that you specify to log in to the SQL Server, does not have the required privileges to create the database, the setup will not create the database. In this case, you must create the CSM_DB database, and then run the CCS Suite installer.The fields of theApplication Server - Production Databasepanel and their descriptions are as follows:SQL ServerEnter the computer name that hosts the SQL server.SQL\Instancename,portFor example,CCSSQL\Instance1.Or click browse (...) to locate the SQL Server.Computer names must not use any characters that are invalid for a DNS name.The list of characters that are not allowed is available at the following location:Use SSLBy default, this option is checked.You must have the required SSL certificate for establishing secured communication.If you use SSL connections, you must configure them before you install CCS.Refer to the Microsoft SQL Server documentation, http://support.microsoft.com/kb/316898 for information about configuring SSL connections.Use Windows NT Integrated SecuritySelect this option if you have the SQL server installed in the Windows NT Authentication user context.Use a SQL user name and passwordSelect this option if you have the SQL server installed in the SQL Authentication user context.You must specify the authentication details of the user in the respective text boxes.Use the same configuration for the reporting databaseCheck this option if you want to replicate the same configuration for the Reporting Server.By default, this option is checked, which does not invoke the panel, Application Server - Reporting Database on clicking Next. You can uncheck this option to invoke the panel in step 22.If you check this option, the setup creates a reporting database, CSM_Reports on the computer. If the user account that you specify to log in to the SQL Server, does not have the required privileges to create the database, the setup will not create the database. In this case, you must create the CSM_Reports database, and then run the CCS Suite installer.
- TheApplication Server - Reporting Databasepanel is available only if you have uncheckedUse the same configuration for the reporting databasein step 21In theApplication Server - Reporting Databasepanel, enter the requisite values in the text boxes and clickNext.The SQL server information is used to create the reporting database for the Reporting Server. The reporting database is used to store the reports that are generated for the evaluated data. You can choose either Windows or SQL authentication modes to connect to the SQL server.By default, the setup creates a reporting database, CSM_Reports on the computer. If the user account that you specify to log in to the SQL Server, does not have the required privileges to create the database, the setup will not create the database. In this case, you must create the CSM_Reports database, and then run the CCS Suite installer.The fields of theApplication Server - Reporting Databasepanel and their descriptions are as follows:SQL ServerEnter the computer name that hosts the SQL server.SQL\Instancename,portFor example,CCSSQL\Instance1.Or click browse (...) to locate the SQL Server.Computer names must not use any characters that are invalid for a DNS name.The list of characters that are not allowed is available at the following location:Use SSLBy default, this option is checked.You must have the required SSL certificate for establishing secured communication.If you use SSL connections, you must configure them before you install CCS.Refer to the Microsoft SQL Server documentation, http://support.microsoft.com/kb/316898 for information about configuring SSL connections.Use Windows NT Integrated SecuritySelect this option if you have the SQL server installed in the Windows NT Authentication user context.Use a SQL user name and passwordSelect this option if you have the SQL server installed in the SQL Authentication user context.You must specify the authentication details of the user in the respective text boxes.
- In theCCS Application Server - Pass Phrasepanel, enter the pass phrase that is used to generate the symmetric keys and then clickNext.The Application Server Service uses the symmetric keys generated by the pass phrase to encrypt and decrypt configuration information, including passwords and connection details.The pass phrase must be minimum 8 characters long.You require this pass phrase later to change the service user account, and to make changes to the installation.
- TheCCS Manager - Service Configurationpanel is available on if you are installing the CCS Application Server and CCS Manager on a single computer and you have checkedCCS Managerin theComponentspanel.In theCCS Manager - Service Configurationpanel, enter a port for the CCS Manager and then clickNext.CCS components use this port to communicate with the CCS Manager. The default port is 5600.
- In theSummarypanel, review the installation details and clickInstall.You can click the link,Export Summaryto export the configuration details of all the components that are installed on the computer. The details appear in a browser, after you specify the location to export the summary.
- TheInstallpanel indicates the progress of the component installation. After the installation finishes, theResultpanel appears.If the installation is completed with warnings, aWarningpanel displays warning messages or aResultpanel displays critical errors, perform the remediation steps displayed in theDetailwindow to complete the installation.You can click the link,Log Filesto view the CCS installation log files. The log files are in .csv format. You can use the Log Viewer in the <Install_Directory>\Application Server to view the log files. The LogViewer helps you to easily identify warnings and errors using the color codes. Warnings are highlighted in yellow color and errors are highlighted in red color.
- In theResultpanel, review the installation result and then clickNext.You can click the link,Log Filesto view the CCS installation log files. The log files are in .csv format. You can use the LogViewer in the <Install_Directory>\Application Server to view the log files. The LogViewer helps you to easily identify warnings and errors using the color codes. Warnings are highlighted in yellow color and errors are highlighted in red color.
- TheNext Stepspanel displays the additional steps that you must perform to complete the CCS deployment. Perform the next steps and then clickFinish.You can click the link,Save the next stepsto save the next steps for future reference. The details appear in a browser, after you specify the location to save the next steps.You can check options to launch the CCS console or view the release notes.You can click the link,Log Filesto view the CCS installation log files. The log files are in .csv format. You can use the LogViewer in the <Install_Directory>\Application Server to view the log files. The LogViewer helps you to easily identify warnings and errors using the color codes. Warnings are highlighted in yellow color and errors are highlighted in red color.