

How CA ControlMinder Applies a Filter File to a Password PMD

Advanced policy management does not support policies with password management commands. Use a password PMD to synchronize passwords between endpoints and to distribute password management rules. When you migrate a password PMD to the advanced policy management environment, you apply a filter file to the password PMD so that it only deploys password rules to its subscribers.

The following process explains how CA ControlMinder applies a filter file to a password PMD:

  1. CA ControlMinder creates a text file named filter.flt and adds the following lines to it:
    #------------------------------------------------------------------------------
    # access  	env	class	objects	properties           	pass/nopass
    #------------------------------------------------------------------------------
      *      	*  	USER	*      	OLD_PASSWD;CLR_PASSWD	PASS
      *      	*  	*   	*      	*                    	NOPASS
    #------------------------------------------------------------------------------
    
  2. CA ControlMinder saves filter.flt in the password PMD directory.
  3. CA ControlMinder adds the full path of filter.flt to the "filter" configuration setting in the following location:

How to Migrate to Advanced Policy Management

Migrating to an advanced policy management environment lets you deploy and undeploy policies, and check the deployment and deviation status of policies.

Note: Advanced policy management does not support policies with password management commands. You must use a password PMD to synchronize passwords between endpoints and to distribute password management rules. You cannot migrate a password PMD to the advanced policy management environment.

Before you begin the migration process, verify that:

Important! We strongly recommend that you back up the PMDB before you begin the migration process.

To migrate from a PMD environment to an advanced policy management environment, do the following:

  1. Install the Enterprise Management server components.

    The advanced policy management environment is set up as part of the Enterprise Management installation process.

  2. Upgrade the PMD host to CA ControlMinder r12.5 or later.
  3. Migrate the endpoints.
  4. Migrate the PMDB.

More information:

How the Migration Process Works

Migrate an Endpoint

Migrating the endpoints is the third step in the process to migrate from a PMD environment to an advanced policy management environment. In the preceding steps, you:

In this step, you migrate the endpoints that subscribe to the migrated PMDB.

To migrate an endpoint

  1. Upgrade the endpoint to CA ControlMinder r12.0 or later.
  2. Run the following commands on the endpoint to configure advanced policy management client components:
    dmsmgr -config -endpoint
    dmsmgr -config -dh dh_name@host_name
    

    The endpoint is upgraded to the advanced policy management environment.

More information:

dmsmgr -config Function—Configure Advanced Policy Management

unsubs Command—Remove a Subscriber

Migrate a PMDB

We recommend that you understand the steps you must perform at each stage of the overall migration process before you migrate a PMDB. Migrating a PMDB is only one step in the process to migrate an enterprise deployment of CA ControlMinder to an advanced policy management environment.

Migrating a PMDB is the final step in the process to migrate from a PMD environment to an advanced policy management environment. In the preceding steps, you:

In this step, you use CA ControlMinder Enterprise Management to create a policy from the rules in the PMDB, create a host group for the migrated PMDB, and join the hosts that correspond to the PMDB subscribers to this host group. You can also choose to assign the new policy to the host group.

Important! Each time you click the Next button, CA ControlMinder Enterprise Management completes an action in the DMS or in the PMDB. It may be difficult to undo the result of these actions.

To migrate a PMDB

  1. In CA ControlMinder Enterprise Management, click the Policy Management tab, click the Policy sub-tab, expand the Policy tree, and click PMDB Migrate.

    The PMDB Host Login page appears.

  2. Type the user name and password of a user who is authorized to access the PMDB, type the name of the PMDB that you want to migrate, and click Log In.

    Format: PMDBname@host, for example, master_pmdb@example

    The PMDB Migrate Process page appears at the General task stage.

  3. Complete the following fields, and click Next:
    Name

    Defines the name of the policy. The name must be unique on the DMS (enforced) and in your enterprise (not enforced, but you cannot deploy a policy to a host if a policy of the same name already exists).

    Description

    (Optional) Defines a business description (free text) of the policy. Use this field to record what this policy is for and any other information that helps you identify the policy.

    Policy Classes

    Specifies the classes whose rules you want to export for inclusion in the policy. If you do not specify any classes in the Selected List column, all classes are exported and included in the policy.

    Export dependent classes

    Specifies to export all the classes that are dependent on the classes that you specify in the Selected List column. If you do not select this option, CA ControlMinder exports only the classes that you specify in the Selected List column.

    The Policy Script task stage appears.

  4. Review the exported rules and modify them as necessary, and click Next.

    CA ControlMinder Enterprise Management creates a policy from the rules. The Host Group task stage appears.

  5. Complete the dialog and click Next, as follows:
    Host Group

    Specifies the name of the host group to add the hosts to. You can specify an existing host group or create a new host group.

    Note: When you add a host to an existing host group, CA ControlMinder automatically deploys to the host any policies that are assigned to the host group.

    Assign Policy

    (Optional) Specifies to assign the policy to the host group.

    Assigned Hosts

    Specifies the hosts to add to the host group.

    Note: By default, this table contains all subscribers of the migrated PMDB that you have authority to access. You can add and remove hosts from the Assigned Hosts list; however, you cannot add a host to the host group if you do not have authority to access the host.

    CA ControlMinder Enterprise Management adds the hosts to the host group and, if specified, assigns the policy to the host group. The PMD Options task stage appears.

  6. Select any of the following options that you want to apply to the migrated PMDB:
    Unsubscribe the hosts that you specified in step 3 (Host Group step)

    Specifies to unsubscribe the endpoints that you selected in the previous task stage from the migrated PMDB.

    Unsubscribe all of the PMDB subscribers

    Specifies to unsubscribe all subscribers from the migrated PMDB.

    Delete the PMD

    Specifies to delete the migrated PMDB.

    Important! Do not delete the PMDB if you use it to propagate user password commands.

    Add PMD filter file

    Specifies to add a filter file to the migrated PMDB so that the PMDB only propagates user password commands to its subscribers. If you select this option, the migrated PMDB becomes a password PMDB.

  7. Click Next.

    CA ControlMinder performs the actions that you specified. The Migration Actions Summary task stage appears and the migration process is complete.
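
The filter file listed at the top of this page, which the "Add PMD filter file" option applies, can be audited to confirm that a password PMDB passes only USER password properties. The following is an added example, not CA ControlMinder code: it assumes whitespace-separated columns, `*` wildcards, `;`-separated properties and first-match-wins evaluation, and its function names and sample updates are constructed for illustration.

```python
import fnmatch

# Rule lines of filter.flt as shown on this page (whitespace-separated columns).
FILTER_FLT = """\
# access  env  class  objects  properties             pass/nopass
  *       *    USER   *        OLD_PASSWD;CLR_PASSWD  PASS
  *       *    *      *        *                      NOPASS
"""

def parse_filter(text):
    """Parse filter lines into (access, env, class, objects, [props], action)."""
    rules = []
    for n, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue  # blank line or comment
        if len(fields) != 6 or fields[5] not in ("PASS", "NOPASS"):
            raise ValueError(f"line {n}: expected 6 columns ending in PASS or NOPASS")
        rules.append((*fields[:4], fields[4].split(";"), fields[5]))
    return rules

def decide(rules, access, env, cls, obj, prop):
    """Assumed semantics: the first rule whose columns all match decides.
    Returns "PASS", "NOPASS", or None when no rule matches."""
    for r_access, r_env, r_cls, r_obj, r_props, action in rules:
        pairs = ((access, r_access), (env, r_env), (cls, r_cls), (obj, r_obj))
        if all(fnmatch.fnmatchcase(v, pat) for v, pat in pairs) and any(
            fnmatch.fnmatchcase(prop, p) for p in r_props
        ):
            return action
    return None

def is_password_only(rules):
    """True if PASS rules cover only USER password properties and the
    final rule is the catch-all NOPASS from this page."""
    allowed = {"OLD_PASSWD", "CLR_PASSWD"}
    for _access, _env, cls, _obj, props, action in rules:
        if action == "PASS" and (cls != "USER" or not set(props) <= allowed):
            return False
    return bool(rules) and rules[-1] == ("*", "*", "*", "*", ["*"], "NOPASS")

if __name__ == "__main__":
    rules = parse_filter(FILTER_FLT)
    # Constructed sample updates; the access and env values are placeholders.
    print(decide(rules, "MODIFY", "AC", "USER", "alice", "CLR_PASSWD"))
    print(decide(rules, "MODIFY", "AC", "FILE", "/etc/hosts", "OWNER"))
    print("password-only:", is_password_only(rules))
```

A filter that adds any other PASS line, or that lacks the final catch-all NOPASS line, fails the `is_password_only` check.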

More information:

How Policies Are Created and Assigned

policydeploy -migrate Function—Migrate a PMD to Advanced Policy Management

Class Dependency

When you export the rules for specified classes from a PMDB, you can choose to also export the rules for dependent classes. If you specify that CA ControlMinder should export dependent classes, CA ControlMinder exports the following:

Duplicate HNODEs Appear In DMS

Symptom:

After I migrated a PMD to an advanced policy management environment, two HNODEs that represent the same endpoint are created in the DMS.

Solution:

The fully qualified host name of the endpoint is not the same on the DMS and on the endpoint. To fix this problem, delete one of the HNODE objects in the DMS.

Note: For more information about HNODE objects and the DMS, see the Enterprise Administration Guide.