Advanced policy management does not support policies with password management commands. Use a password PMD to synchronize passwords between endpoints and to distribute password management rules. When you migrate a password PMD to the advanced policy management environment, you apply a filter file to the password PMD so that it only deploys password rules to its subscribers.
The following process explains how CA ControlMinder applies a filter file to a password PMD:
#------------------------------------------------------------------------------
# access env class objects properties pass/nopass
#------------------------------------------------------------------------------
* * USER * OLD_PASSWD;CLR_PASSWD PASS
* * * * * NOPASS
#------------------------------------------------------------------------------
HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\AccessControl\Pmd\PMDB_Name
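A filter file in this six-column format can be checked before it is relied on to keep a password PMD from propagating anything other than password rules. The following is an added example, not CA code; the function names are hypothetical, and it assumes filter lines are evaluated top-down with the first matching line deciding.

```python
# Added example: lint a password-PMD filter file. Field order follows the
# header comment on the page: access env class objects properties pass/nopass.
# Assumption: lines are evaluated top-down and the first matching line decides.

PASSWORD_PROPS = {"OLD_PASSWD", "CLR_PASSWD"}  # properties named in the page's filter

# The filter shown on the page, embedded so the example runs offline.
PAGE_FILTER = """\
#------------------------------------------------------------------------------
# access env class objects properties pass/nopass
#------------------------------------------------------------------------------
* * USER * OLD_PASSWD;CLR_PASSWD PASS
* * * * * NOPASS
#------------------------------------------------------------------------------
"""

def parse_filter(text):
    """Return (line_no, fields) for every rule line; raise on malformed lines."""
    rules = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 6 or fields[5] not in ("PASS", "NOPASS"):
            raise ValueError(f"line {n}: expected 6 fields ending in PASS/NOPASS")
        rules.append((n, fields))
    return rules

def lint_password_filter(text):
    """Return findings; an empty list means only password rules can pass."""
    findings = []
    rules = parse_filter(text)
    deny_all_at = None
    for n, (access, env, cls, objs, props, action) in rules:
        if action == "NOPASS":
            if [access, env, cls, objs, props] == ["*"] * 5 and deny_all_at is None:
                deny_all_at = n
            continue
        if deny_all_at is not None:
            findings.append(f"line {n}: PASS rule after catch-all NOPASS never applies")
        if cls != "USER":
            findings.append(f"line {n}: PASS rule for class {cls}, not USER")
        extra = set(props.split(";")) - PASSWORD_PROPS
        if extra:
            findings.append(f"line {n}: passes non-password properties {sorted(extra)}")
    if deny_all_at is None:
        findings.append("no catch-all '* * * * * NOPASS' line")
    return findings
```

Calling `lint_password_filter(PAGE_FILTER)` returns an empty list for the filter shown above; a PASS line for any class other than USER, or a missing catch-all NOPASS line, is reported as a finding.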
Migrating to an advanced policy management environment lets you deploy and undeploy policies, and check the deployment and deviation status of policies.
Note: Advanced policy management does not support policies with password management commands. You must use a password PMD to synchronize passwords between endpoints and to distribute password management rules. You cannot migrate a password PMD to the advanced policy management environment.
Before you begin the migration process, verify that:
Important! We strongly recommend that you back up the PMDB before you begin the migration process.
To migrate from a PMD environment to an advanced policy management environment, do the following:
The advanced policy management environment is set up as part of the Enterprise Management installation process.
Migrating the endpoints is the third step in the process to migrate from a PMD environment to an advanced policy management environment. In the preceding steps, you:
In this step, you migrate the endpoints that subscribe to the migrated PMDB.
To migrate an endpoint
dmsmgr -config -endpoint
dmsmgr -config -dh dh_name@host_name
The endpoint is upgraded to the advanced policy management environment.
We recommend that you understand the steps you must perform at each stage of the overall migration process before you migrate a PMDB. Migrating a PMDB is only one step in the process to migrate an enterprise deployment of CA ControlMinder to an advanced policy management environment.
Migrating a PMDB is the final step in the process to migrate from a PMD environment to an advanced policy management environment. In the preceding steps, you:
In this step, you use CA ControlMinder Enterprise Management to create a policy from the rules in the PMDB, create a host group for the migrated PMDB, and join the hosts that correspond to the PMDB subscribers to this host group. You can also choose to assign the new policy to the host group.
Important! Each time you click the Next button, CA ControlMinder Enterprise Management completes an action in the DMS or in the PMDB. It may be difficult to undo the result of these actions.
To migrate a PMDB
The PMDB Host Login page appears.
Format: PMDBname@host, for example, master_pmdb@example
The PMDB Migrate Process page appears at the General task stage.
Defines the name of the policy. The name must be unique on the DMS (enforced) and in your enterprise (not enforced, but you cannot deploy a policy to a host if a policy of the same name already exists).
(Optional) Defines a business description (free text) of the policy. Use this field to record what this policy is for and any other information that helps you identify the policy.
Specifies the classes whose rules you want to export for inclusion in the policy. If you do not specify any classes in the Selected List column, all classes are exported and included in the policy.
Specifies to export all the classes that are dependent on the classes that you specify in the Selected List column. If you do not select this option, CA ControlMinder exports only the classes that you specify in the Selected List column.
The Policy Script task stage appears.
CA ControlMinder Enterprise Management creates a policy from the rules. The Host Group task stage appears.
Specifies the name of the host group to add the hosts to. You can specify an existing host group or create a new host group.
Note: When you add a host to an existing host group, CA ControlMinder automatically deploys to the host any policies that are assigned to the host group.
(Optional) Specifies to assign the policy to the host group.
Specifies the hosts to add to the host group.
Note: By default, this table contains all subscribers of the migrated PMDB that you have authority to access. You can add and remove hosts from the Assigned Hosts list; however, you cannot add a host to the host group if you do not have authority to access the host.
CA ControlMinder Enterprise Management adds the hosts to the host group and, if specified, assigns the policy to the host group. The PMD Options task stage appears.
Specifies to unsubscribe the endpoints that you selected in the previous task stage from the migrated PMDB.
Specifies to unsubscribe all subscribers from the migrated PMDB.
Specifies to delete the migrated PMDB.
Important! Do not delete the PMDB if you use it to propagate user password commands.
Specifies to add a filter file to the migrated PMDB so that the PMDB only propagates user password commands to its subscribers. If you select this option, the migrated PMDB becomes a password PMDB.
CA ControlMinder performs the actions that you specified. The Migration Actions Summary task stage appears and the migration process is complete.
When you export the rules for specified classes from a PMDB, you can choose to also export the rules for dependent classes. If you specify that CA ControlMinder should export dependent classes, CA ControlMinder exports the following:
For example, if you specify to export FILE class rules, CA ControlMinder exports the rules that modify resources in the FILE and GFILE classes.
For example, if you specify to export GFILE class rules, CA ControlMinder exports the rules that modify resources in the GFILE and FILE classes.
For example, if you specify to export CONTAINER class rules, and the CONTAINER object holds FILE objects, CA ControlMinder exports the rules that modify resources in the CONTAINER and FILE classes.
Symptom:
After I migrated a PMD to an advanced policy management environment, two HNODEs that represent the same endpoint are created in the DMS.
Solution:
The fully qualified host name of the endpoint is not the same on the DMS and on the endpoint. To fix this problem, delete one of the HNODE objects in the DMS.
Note: For more information about HNODE objects and the DMS, see the Enterprise Administration Guide.
Copyright © 2013 CA Technologies.
All rights reserved.