Upgrade Guide › Migrating PMDs to an Advanced Policy Management Environment › How the Migration Process Works › How CA ControlMinder Applies a Filter File to a Password PMD

How CA ControlMinder Applies a Filter File to a Password PMD

Advanced policy management does not support policies with password management commands. Use a password PMD to synchronize passwords between endpoints and to distribute password management rules. When you migrate a password PMD to the advanced policy management environment, you apply a filter file to the password PMD so that it only deploys password rules to its subscribers.

The following process explains how CA ControlMinder applies a filter file to a password PMD:

1. CA ControlMinder creates a text file named filter.flt and adds the following lines to it:

   #------------------------------------------------------------------------------
   # access  	env	class	objects	properties           	pass/nopass
   #------------------------------------------------------------------------------
     *      	*  	USER	*      	OLD_PASSWD;CLR_PASSWD	PASS
     *      	*  	*   	*      	*                    	NOPASS
   #------------------------------------------------------------------------------
   

2. CA ControlMinder saves filter.flt in the password PMD directory.
3. CA ControlMinder adds the full path of filter.flt to the "filter" configuration setting in the following location:
   • (UNIX) The [pmd] section of the pmd.ini file
   • (Windows) The following registry key:

     HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\AccessControl\Pmd\PMDB_Name
     

How to Migrate to Advanced Policy Management

Migrating to an advanced policy management environment lets you deploy and undeploy policies, and check the deployment and deviation status of policies.

Note: Advanced policy management does not support policies with password management commands. You must use a password PMD to synchronize passwords between endpoints and to distribute password management rules. You cannot migrate a password PMD to the advanced policy management environment.

Before you begin the migration process, verify that:

• All subscribers are available
• The subscribers have received all updates from the PMDB
• No subscribers are synchronized with the PMDB

Important! We strongly recommend that you back up the PMDB before you begin the migration process.

To migrate from a PMD environment to an advanced policy management environment, do the following:

1. Install the Enterprise Management server components.

   The advanced policy management environment is set up as part of the Enterprise Management installation process.

2. Upgrade the PMD host to CA ControlMinder r12.5 or later.
3. Migrate the endpoints.
4. Migrate the PMDB.

More information:

How the Migration Process Works

Migrate an Endpoint

Migrating the endpoints is the third step in the process to migrate from a PMD environment to an advanced policy management environment. In the preceding steps, you:

• Installed the Enterprise Management server components
• Upgraded the PMD host to CA ControlMinder r12.5 or later

In this step, you migrate the endpoints that subscribe to the migrated PMDB.

To migrate an endpoint

1. Upgrade the endpoint to CA ControlMinder r12.0 or later.
2. Run the following commands on the endpoint to configure advanced policy management client components:

   dmsmgr -config -endpoint
   dmsmgr -config -dh dh_name@host_name
   

   The endpoint is upgraded to the advanced policy management environment.

More information:

dmsmgr -config Function—Configure Advanced Policy Management

unsubs Command—Remove a Subscriber

Migrate a PMDB

We recommend that you understand the steps you must perform at each stage of the overall migration process before you migrate a PMDB. Migrating a PMDB is only one step in the process to migrate an enterprise deployment of CA ControlMinder to an advanced policy management environment.

Migrating a PMDB is the final step in the process to migrate from a PMD environment to an advanced policy management environment. In the preceding steps, you:

• Installed the Enterprise Management Server
• Upgraded the PMD host to CA ControlMinder r12.5 or later
• Migrated an endpoint (upgraded the endpoint to CA ControlMinder r12.0 or later and configured advanced policy management client components)

In this step, you use CA ControlMinder Enterprise Management to create a policy from the rules in the PMDB, create a host group for the migrated PMDB, and join the hosts that correspond to the PMDB subscribers to this host group. You can also choose to assign the new policy to the host group.

Important! Each time you click the Next button, CA ControlMinder Enterprise Management completes an action in the DMS or in the PMDB. It may be difficult to undo the result of these actions.

To migrate a PMDB

1. In CA ControlMinder Enterprise Management, click the Policy Management tab, click the Policy sub-tab, expand the Policy tree, and click PMDB Migrate.

   The PMDB Host Login page appears.

2. Type a user name and password that is authorized to access the PMDB and the name of the PMDB that you want to migrate, and click Log In.

   Format: PMDBname@host, for example, master_pmdb@example

   The PMDB Migrate Process page appears at the General task stage.

3. Complete the following fields, and click Next:

   Name

   Defines the name of the policy. The name must be unique on the DMS (enforced) and in your enterprise (not enforced but you will not be able to deploy a policy to a host if a policy of the same name already exists).

   Description

   (Optional) Defines a business description (free text) of the policy. Use this field to record what this policy is for and any other information that helps you identify the policy.

   Policy Classes

   Specifies the classes whose rules you want to export for inclusion in the policy. If you do not specify any classes in the Selected List column, all classes are exported and included in the policy.

   Export dependent classes

   Specifies to export all the classes that are dependent on the classes that you specify in the Selected List column. If you do not select this option, CA ControlMinder exports only the classes that you specify in the Selected List column.

   The Policy Script task stage appears.

4. Review the exported rules and modify them as necessary, and click Next.

   CA ControlMinder Enterprise Management creates a policy from the rules. The Host Group task stage appears.

5. Complete the dialog and click Next, as follows:

   Host Group

   Specifies the name of the host group to add the hosts to. You can specify an existing host group or create a new host group.

   Note: When you add a host to an existing host group, CA ControlMinder automatically deploys to the host any policies that are assigned to the host group.

   Assign Policy

   (Optional) Specifies to assign the policy to the host group.

   Assigned Hosts

   Specifies the hosts to add to the host group.

   Note: By default, this table contains all subscribers of the migrated PMDB that you have authority to access. You can add and remove hosts from the Assigned Hosts list; however, you cannot add a host to the host group if you do not have authority to access the host.

   CA ControlMinder Enterprise Management adds the hosts to the hosts group and, if specified, assigns the policy to the host group. The PMD Options task stage appears.

6. Select any of the following options that you want to apply to the migrated PMDB:

   Unsubscribe the hosts that you specified in step 3 (Host Group step)

   Specifies to unsubscribe the endpoints that you selected in the previous task stage from the migrated PMDB.

   Unsubscribe all of the PMDB subscribers

   Specifies to unsubscribe all subscribers from the migrated PMDB.

   Delete the PMD

   Specifies to delete the migrated PMDB.

   Important! Do not delete the PMDB if you use it to propagate user password commands.

   Add PMD filter file

   Specifies to add a filter file to the migrated PMDB so that the PMDB only propagates user password commands to its subscribers. If you select this option, the migrated PMDB becomes a password PMDB.

7. Click Next.

   CA ControlMinder performs the actions that you specified. The Migration Actions Summary task stage appears and the migration process is complete.

More information:

How Policies Are Created and Assigned

policydeploy -migrate Function—Migrate a PMD to Advanced Policy Management

Class Dependency

When you export the rules for specified classes from a PMDB, you can choose to also export the rules for dependent classes. If you specify that CA ControlMinder should export dependent classes, CA ControlMinder exports the following:

• If you export rules that modify resources in a particular class, and the class has a corresponding resource group, CA ControlMinder also exports the rules that modify resources in that resource group.

  For example, if you specify to export FILE class rules, CA ControlMinder exports the rules that modify resources in the FILE and GFILE classes.

• If you export rules that modify resources in a particular resource group, CA ControlMinder also exports the rules that modify the member resource of the resource group.

  For example, if you specify to export GFILE class rules, CA ControlMinder exports the rules that modify resources in the GFILE and FILE classes.

• If you export rules that modify resources in a particular class and that class has a PACL The PACL property of a resource is an access control list. Each entry in the list specifies an accessor, the type of access to the resource that the accessor is allowed, and the name of the program that the accessor needs to use when accessing the resource. The program name can include wildcard characters. See also ACL, CALACL, NACL., CA ControlMinder also exports the rules that modify resources in the PROGRAM class.
• If you export rules that modify resources in a particular class and that class has a CALACL The CALACL property of a resource is an access control list that defines the accessors that are granted authorization to a resource, together with the type of access granted (for example, write) according to the accessors' status in the Unicenter TNG calendar. See also ACL, NACL, PACL., CA ControlMinder also exports the rules that modify resources in the CALENDAR class.
• If you export rules that modify resources in a particular class, and one of the resources in that class is a member of a CONTAINER resource group, CA ControlMinder exports the rules that modify resources in the CONTAINER class and the rules that modify the resources that are members of each CONTAINER resource group.

  For example, if you specify to export CONTAINER class rules, and the CONTAINER object holds FILE objects, CA ControlMinder exports the rules that modify resources in the CONTAINER and FILE classes.

Duplicate HNODEs Appear In DMS

Symptom:

After I migrated a PMD to an advanced policy management environment, two HNODEs that represent the same endpoint are created in the DMS.

Solution:

The fully qualified host name of the endpoint is not the same on the DMS and on the endpoint. To fix this problem, delete one of the HNODE objects in the DMS.

Note: For more information about HNODE objects and the DMS, see the Enterprise Administration Guide.