Implementation Guide › Installing and Customizing a UNIX Endpoint › Before You Begin › Installation Notes

Installation Notes

When installing CA Access Control (whether for the first time or as part of an upgrade), note the following:

• Read the Release Notes.

  This document contains information about supported platforms, known issues, considerations, and other important information you should read before installing CA Access Control.

• If your environment is set up with a PMDB hierarchy or you are setting such an environment, we recommend that you:
  • Install or upgrade the Deployment Map Server (DMS) computer first.

    This is only required if you are going to use advanced policy-based management, and ensures that the DMS registers each Policy Model node and its subscribers.

  • Install or upgrade each computer in your hierarchy bottom-up (subscribers first).

    Upgraded PMDBs having subscribers with an earlier version may result in erroneous commands being sent. This can happen as a result of new PMDBs containing classes and properties that do not exist in the earlier version PMDBs.

    Note: A PMDB hierarchy running on a single computer can be upgraded simultaneously.

  • Do not upgrade during PMDB or policy updates.
  • Back up subscriber and PMDB policies.

  Note: Earlier PMDB versions are permitted to have later versions of subscribers, but not vice versa. As commands in earlier versions are supported in later versions, earlier PMDBs can propagate to CA Access Control r12.0 subscribers.

• If you are upgrading from a pre-r12.0 version:
  • Programs that should be bypassed by STOP are now defined as database rules; SPECIALPGM records of a stop type.
  • Programs that should be bypassed by SURROGATE are now be defined as database rules; SPECIALPGM records of a surrogate type.

  Note: The upgrade process converts old definitions (kept in a file) to the new database rules. Add these new rules to any existing selang scripts.

• You can upgrade the existing seos.ini and pmd.ini files, or create new ones.

  Either way, the installation script saves a copy of the old seos.ini file as seos_ini.back and a copy of each pmd.ini file as pmd_ini.back (in its respective Policy Model directory).

• CA Access Control backs up the following existing files during an upgrade: serevu.cfg, audit.cfg, trcfilter.init, and sereport.cfg.

  If you want to keep the changes you made to these files, you need to use the backed up files.

• If you are upgrading an existing database, we recommend that you:
  • Back it up first.

    Use dbmgr -b to backup the database.

  • Ensure that there are no subscribers in sync mode.

    Use sepmd -L to verify subscriber's status.

• Unicenter security integration and migration is only available for AIX, HP-UX PA-RISC, Solaris SPARC, and Linux x86 platforms.
• Unicenter TNG and CA Access Control for UNIX

  If you have a version of Unicenter TNG installed earlier than Unicenter NSM 3.0, install the following Unicenter TNG fix to permit CA Access Control to get process information:

  • HP-UX users with Unicenter TNG 2.4, install fix QO01182.
  • Linux users with Unicenter TNG 2.4, install fix PTF LO91335.
  • Sun users with Unicenter TNG 2.4, install fix QO00890.

  Note: Users with AIX 5.x running Unicenter NSM 3.0 must contact the CA Technologies Unicenter support team for a compatibility patch. You must install this compatibility patch before installing CA Access Control on the host.

• If you want to install Unicenter related options (install_base options: -uni or -mfsd) on Linux s390, you must have korn shell (ksh) installed before you install CA Access Control.

  The setup script for CCI Standalone (CCISA) uses ksh which is not installed by default on Linux.

• To install CA Access Control 32-bit binaries on Linux x86 64-bit we recommend that you use the _LINUX_xxx.tar.Z or CAeAC-xxxx-y.y.iiii.i386.rpm installation packages. These installation packages install 32-bit CA Access Control binaries on Linux x86 64-bit systems. If you are upgrading, these packages maintain compatibility with the previous 32-bit CA Access Control installation. Before you install CA Access Control, you must make sure that the following operating system 32-bit libraries are installed:

  ld-linux.so.2, libICE.so.6, libSM.so.6, libX11.so.6, libXext.so.6, libXp.so.6, libXt.so.6, libc.so.6, libcrypt.so.1, libdl.so.2, libgcc_s.so.1, libm.so.6, libncurses.so.5, libnsl.so.1, libpam.so.0, libpthread.so.0, libresolv.so.2, libstdc++.so.5, libaudit.so.0 (RHEL5 and OEL 5 and up only).

  The following is a list of relevant RPM packages that are required:

  • SLES 10: compat-libstdc++, glibc-32bit, libgcc, ncurses-32bit, pam-32bit, xorg-x11-libs-32bit
  • SLES 9: glibc-32bit, libgcc, libstdc++, ncurses-32bit, pam-32bit, XFree86-libs-32bit
  • RHEL 5 and OEL 5: audit-libs, compat-libstdc++, glibc, libgcc, libICE, libSM, libXext, libXp, libXt, ncurses, pam
  • RHEL 4 and OEL 4: compat-libstdc++, glibc, libgcc, ncurses, pam, xorg-x11-deprecated-libs, xorg-x11-libs
  • RHEL 3: glibc, libgcc, libstdc++, ncurses, pam, XFree86-libs
• To install CA Access Control 64-bit binaries on Linux x86 64-bit, use the _LINUX_X64_xxx.tar.Z or CAeAC-xxxx-y.y.iiii.x86_64.rpm installation packages. If you use these installation packages, you do not have to install any additional RPM packages.

  Note the following before installing or upgrading CA Access Control 64-bit binaries on Linux x86 64-bit:

  • The 64-bit installation package does not support CA Access Control GUI utilities, such as selock and selogo.
  • If the install_base script can access both the 32-bit and 64-bit tar files, then by default the install_base script uses the 32-bit tar file. To override this behavior, specify the desired tar file when you run the install_base command. If you install the 64-bit RPM package you install only 64-bit binaries and libraries. For example:

    ./install_base_LINUX_X64_125.tar.Z
    

  • Any applications that are built and linked to the API must be rebuilt for the 64-bit installation. Use the LINUX64 target to build 64-bit API samples. This target uses D64BIT and -D64BITALL (-m32 removed). You need -m elf_x86_64 to build libraries.
  • If you use the install_base script to upgrade to a 64-bit CA Access Control installation from a 32-bit installation, you must set the -force_install flag prior to installation. The installation will fail if you do not set this flag.
  • To fully uninstall cawin after uninstalling CA Access Control, use rpm -e --allmatches to ensure that the uninstall process removes both 32-bit and 64-bit versions of cawin.
• To install CA Access Control on Linux s390x 64-bit, you must make sure that the following operating system 32-bit libraries are installed:

  ld.so.1, libcrypt.so.1, libc.so.6, libdl.so.2, libICE.so.6, liblaus.so.1 (SLES 8, RHEL 3), libaudit.so.0 (RHEL 4, RHEL 5), libm.so.6, libnsl.so.1, libpam.so.0, libresolv.so.2, libSM.so.6, libX11.so.6, libXext.so.6, libXp.so.6, libXt.so.6

  The following is a list of relevant RPM packages that are required:

  • SLES 10: glibc-32bit, pam-32bit, xorg-x11-libs-32bit
  • SLES 9: XFree86-libs-32bit, glibc-32bit, pam-32bit
  • RHEL 5: audit-libs, libXp, glibc, libICE, libSM, libX11, libXext, libXt, pam
  • RHEL 4: audit-libs, glibc, pam, xorg-x11-deprecated-libs, xorg-x11-libs
  • RHEL 3: glibc, laus-libs, pam
• If you install CA Access Control on Linux and Linux-IA64 platforms using the -all option, mfsd is not installed.
• If you install CA Access Control on Solaris, install the SUNWlibc (Sun Workshop Compilers Bundled libC) package.
• Before you install CA Access Control 32-bit binaries on a 32-bit or 64-bit Linux computer, you must make sure that the libstdc++.so.5 32-bit library is installed. If you do not install this library, the ReportAgent daemon will not start after you install CA Access Control.
• Before you install CA Access Control on Linux, specify the home directory in the environment.