

sepmdadm Utility—Create PMDB Definitions

Valid on UNIX

The sepmdadm utility creates the definitions needed to run a PMDB. The sepmdadm utility is a script consisting of the CA ControlMinder and UNIX commands required to define a PMDB, to define the relationship of the PMDB to PMDBs above and below it, and to define its subscriber stations. By default, the user root is defined as the administrator and auditor of the PMDB. You must run the sepmdadm utility locally, although you can also run it through a remote shell. When you use sepmdadm to create a new PMDB, you probably want to follow up by pointing subscribers to the PMDB and by synchronizing the UIDs and GIDs.

You can run this utility in interactive or non‑interactive modes:

When creating a new PMDB with sepmdadm, you identify the stations that are the subscribers of the Policy Model. However, you must also update the parent_pmd token in each subscriber's seos.ini file with the name of the PMDB to which you have subscribed the station. If you do not do this, the subscribers do not accept updates from the PMDB.

By subscribing several stations to the same PMDB, and by subscribing one PMDB station to another, you can create a hierarchy of PMDBs.

This command has the following format:

sepmdadm options

--admin name

Defines the CA ControlMinder administrator of the PMDB.

--auditor name

Defines the CA ControlMinder auditor of the PMDB.

-c | --clean pmdbName

Removes the specified Policy Model. This option shuts down the Policy Model daemon, removes the file protections from the database, and deletes the Policy Model directory with all its contents.

You cannot use this option with the --noconfirm option.

--desktop hostname

Specifies a station from which the administrators can administer PMDBs located on the local host. If you do not specify any stations, the administrators can only administer the PMDBs from the local host.

--group_fname fileName

Defines the location of the groups file under NIS.

-h | --help

Displays the help screen.

-i | --interactive

Runs sepmdadm in interactive mode.

-l

Specifies to run sepmdadm in local mode, meaning that you can create a PMDB when CA ControlMinder is not running.

Note: Unless you specify this option you must have CA ControlMinder running to use sepmdadm.

--nis | --NIS

Performs NIS setup on the Policy Model. You must use this option if the PMDB is installed on a NIS server.

--noconfirm

Specifies that the user is not asked to confirm answers. This option is useful when invoking sepmdadm from within a shell script in non‑interactive mode.

--parentpmd pmdbName

Specifies the name of the parent PMDB to which this PMDB is subscribed. If you use this parameter with the --subsconfig parameter, sepmdadm updates the parent_pmd token in the seos.ini file. If you use this parameter without the --subsconfig parameter, sepmdadm updates the parent_pmd token in the pmd.ini file.

Note: If you want to define multiple parent Policy Models, you must use quotation marks. For example, to create a Policy Model and define its parent, use the following command:

sepmdadm --pmdname subs2 --admin abc123 --admin root --auditors abc123 --desktop pcp36949 \
--parentpmd "aa@pcp36949,bb@pcp36949"

--passwd_fname fileName

Defines the location of the passwd file under NIS.

--passwdpmd pmdbName

Specifies the PMDB to which sepass sends password updates. This option updates the passwd_pmd token in the [seos] section of the seos.ini file.

Note: You can use this parameter only when you also use the --subsconfig switch.

When creating a multi‑level Policy Model, set this parameter to the PMDB at the top of the pyramid, so that password changes can be propagated to all levels in the PMDB system.

--pmdname pmdbName

Specifies the name of the PMDB to be created.

--pwmanager name

Specifies the CA ControlMinder password manager of the PMDB.

--seosdir directory

Specifies the directory in which CA ControlMinder is installed. Use this option only if CA ControlMinder is not installed in the default directory.

--subsconfig

Specifies that the local station is a subscriber. When using this parameter, you must specify the parameters --parentpmd pmdbName and --passwdpmd pmdbName to update the relevant tokens in the seos.ini file.

Note: The parameters should follow the --subsconfig option when configuring a subscriber.

--subscriber name

Specifies subscribers of this PMDB. They can be PMDBs or stations.

--xadmin name

Defines the enterprise user administrator of the PMDB.

--xauditor name

Defines the enterprise user auditor of the PMDB.

--xpwmanager name

Specifies the enterprise user password manager of the PMDB.

Example: Create a PMDB using the command line

Suppose you have a station called bigcentral, where you want to maintain a PMDB for other stations to subscribe to. To create the PMDB at bigcentral, run sepmdadm there. This utility is located in the directory ACInstallDir/bin.

To create a PMDB on bigcentral named pmdb1 with workstat1 and workstat2 as subscribers and enterprise users adm1 and adm2 as administrators, run the following command from bigcentral:

sepmdadm --pmdname pmdb1 --subscriber workstat1 --subscriber workstat2 \
--xadmin adm1 --xadmin adm2

Example: Pointing subscriber stations to the PMDB

To establish a station as a subscriber to a PMDB, it is not sufficient to specify the subscriber's name at the PMDB's station; you must also perform a procedure at the subscriber station.

To subscribe the local station to a PMDB using the command line, you must use the parameters --parentpmd and --passwdpmd, in addition to the parameter --subsconfig.

For example, to subscribe the local station to the PMDB called pmdb2 located on HOST2 and to the password PMDB called master1 located on HOST1, enter the following command:

sepmdadm --subsconfig --parentpmd pmdb2@HOST2 --passwdpmd master1@HOST1
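
The following check is an added example, not part of the original documentation or the product: it reads a subscriber's seos.ini after sepmdadm --subsconfig and confirms that parent_pmd and passwd_pmd point at the intended PMDBs, because a subscriber whose parent_pmd is not set does not accept updates. It assumes a "[section]" / "token = value" file layout and that both tokens are in the [seos] section (the page states this only for passwd_pmd); the function names are hypothetical and the sample file is constructed.

```shell
#!/bin/sh
# Added example (not product code): audit a subscriber's seos.ini.
# Assumptions: "[section]" headers, "token = value" lines, ";" or "#" comments,
# and both tokens in the [seos] section.

# ini_token FILE SECTION TOKEN -> prints the token's value (empty if unset)
ini_token() {
    awk -v want="[$2]" -v tok="$3" '
        /^[ \t]*[;#]/ { next }                        # comment line
        /^[ \t]*\[/   { gsub(/[ \t\r]/, ""); sec = $0; next }
        sec == want {
            eq = index($0, "="); if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t\r]+$/, "", k)
            gsub(/^[ \t]+|[ \t\r]+$/, "", v)
            if (k == tok) { print v; exit }
        }' "$1"
}

# in_list VALUE LIST -> true if VALUE is one entry of the comma-separated LIST
# (parent_pmd may name several parents, e.g. "aa@host,bb@host")
in_list() {
    case ",$(printf '%s' "$2" | tr -d ' ')," in
        *",$1,"*) return 0 ;;
    esac
    return 1
}

# check_subscriber FILE PARENT PASSWD_PMD -> 0 only if both tokens match
check_subscriber() {
    parent=$(ini_token "$1" seos parent_pmd)
    passwd=$(ini_token "$1" seos passwd_pmd)
    rc=0
    if ! in_list "$2" "$parent"; then
        echo "FAIL: parent_pmd='$parent' does not include $2" >&2; rc=1
    fi
    if [ "$passwd" != "$3" ]; then
        echo "FAIL: passwd_pmd='$passwd', expected $3" >&2; rc=1
    fi
    return $rc
}

# Constructed sample standing in for a subscriber's seos.ini
sample=$(mktemp)
printf '%s\n' '; constructed sample' '[seos]' \
    'parent_pmd = pmdb2@HOST2' 'passwd_pmd = master1@HOST1' > "$sample"
check_subscriber "$sample" pmdb2@HOST2 master1@HOST1 && echo "subscriber tokens OK"
```

Point check_subscriber at the real seos.ini on each subscriber station; a non-zero exit identifies a station that was named with --subscriber on the PMDB host but was never configured locally.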