

How sepmdd Works

The CA ControlMinder agent, seagent, starts sepmdd; you do not need to run sepmdd explicitly. The sepmdd daemon runs under the logical user ID “_seagent” for CA ControlMinder, and with the user ID root in UNIX. You cannot designate another logical user under which sepmdd runs.

The PMDBs are stored in a common directory. You specify the name of the common directory with the _pmd_directory_ token in the [pmd] section of the seos.ini file, on the station where the Policy Models reside. Each Policy Model resides in a subdirectory of the common directory. The name of the Policy Model is the name of the subdirectory in which it resides.

When sepmdd starts, it checks whether any subscriber databases need updating, and updates them if necessary. After this startup process, sepmdd waits for user requests, which are sent by the Policy Model management program, sepmd, and by the selang utility, using seagent.

When sepmdd receives a request, it applies the request to the PMDB and sends the result back to the user. If the request should be propagated, sepmdd propagates the update to its subscriber databases.

The sepmdd daemon attempts to update a subscriber database for the period specified in the _QD_timeout_ token. If the maximum time elapses and the daemon does not succeed in updating a subscriber, it skips that particular subscriber and tries to update the remainder of the subscribers on its list. After it completes its first scan of the subscriber list, sepmdd then performs a second scan, in which it tries to update the subscribers that it did not succeed in updating during its first scan. During the second scan, it tries to update a subscriber until the connect system call times out (approximately 90 seconds).

Note: The _QD_timeout_ token may exist in both the seos.ini and pmd.ini files. If it does, sepmdd uses the value in the pmd.ini file.

If a subscriber is unavailable during the second scan, sepmdd attempts to send it updates every 30 minutes. To modify this interval, set the _retry_timeout_ token. Since the updates must be sent in the order in which they are received, sepmdd does not send subsequent updates to the subscriber database until it becomes available.
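
The two scans, the periodic retry, and the in-order queueing described above, modeled as an added Python example (this is not CA ControlMinder code). The class names, seconds as the time unit, logging on every failed attempt, and a periodic retry that waits for the connect timeout are assumptions of the model.

```python
from collections import deque

class Subscriber:
    """Constructed stand-in for a subscriber database (not a CA API)."""
    def __init__(self, name, up_at=0):
        self.name, self.up_at = name, up_at   # up_at: model time it becomes reachable
        self.pending = deque()                # updates queued in arrival order
        self.applied = []                     # updates delivered so far

class PropagationModel:
    def __init__(self, subs, qd_timeout, connect_timeout=90, retry_timeout=30 * 60):
        self.subs = {s.name: s for s in subs}
        self.qd_timeout, self.connect_timeout, self.retry_timeout = qd_timeout, connect_timeout, retry_timeout
        self.now = 0                          # model clock, seconds (assumed unit)
        self.unavailable = {}                 # name -> time of next retry
        self.warnings = []                    # stands in for the Policy Model error log

    def _try(self, sub, wait):
        """Spend up to `wait` seconds reaching `sub`; on success drain its queue in order."""
        if sub.up_at > self.now + wait:
            self.now += wait
            self.warnings.append((self.now, sub.name))   # assumption: each failure is logged
            return False
        self.now = max(self.now, sub.up_at)
        while sub.pending:
            sub.applied.append(sub.pending.popleft())
        return True

    def propagate(self, update):
        for sub in self.subs.values():
            sub.pending.append(update)        # held back while the subscriber is unavailable
        live = [s for s in self.subs.values() if s.name not in self.unavailable]
        skipped = [s for s in live if not self._try(s, self.qd_timeout)]   # first scan
        for sub in skipped:                                                # second scan
            if not self._try(sub, self.connect_timeout):
                self.unavailable[sub.name] = self.now + self.retry_timeout

    def advance(self, until):
        """Run the clock to `until`, retrying unavailable subscribers when due."""
        while self.unavailable and min(self.unavailable.values()) <= until:
            name = min(self.unavailable, key=self.unavailable.get)
            self.now = max(self.now, self.unavailable.pop(name))
            # Assumption: a periodic retry waits for the connect timeout, like the second scan.
            if not self._try(self.subs[name], self.connect_timeout):
                self.unavailable[name] = self.now + self.retry_timeout
        self.now = max(self.now, until)

if __name__ == "__main__":   # constructed scenario: C stays down for 5000 s
    m = PropagationModel([Subscriber("A"), Subscriber("B", 50), Subscriber("C", 5000)], qd_timeout=10)
    m.propagate("u1"); m.propagate("u2"); m.advance(6000); print(m.subs["C"].applied, m.warnings)
```

In the constructed scenario, subscriber C holds both updates in its queue and keeps running the older policy until a retry succeeds, at which point the updates are applied in the order they were received.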

If you set the pull_option token in the [pmd] section of the subscriber database's seos.ini file to yes, the subscriber database is updated as soon as possible. For every Policy Model on the machine, seagent informs the parent Policy Models that the host is up and that its subscriber PMDBs are up, and sepmdd sends the update immediately.

Whenever sepmdd fails to update a subscriber database, it writes a warning message in the Policy Model error log. For more information about the Policy Model error log, see the Endpoint Administration Guide for UNIX.

CA ControlMinder attempts to fully qualify subscribers as they are added or deleted from the Policy Model.

To remove a subscriber from the list of unavailable subscribers, enter the following command:

sepmd -r policyModel subscriber

If a subscriber database rejects an update, as can occur if the subscriber database differs from the PMDB, sepmdd writes an error message in the Policy Model error log and continues.

To view the error log, enter the following command on the host where the PMDB resides:

sepmd -e policyModel

You can have sepmdd automatically shut itself down after a period of inactivity. By default, however, sepmdd does not shut itself down. If you want sepmdd to shut itself down, set the _shutoff_time_ token to a value greater than 0. This value indicates the minutes of inactivity allowed before sepmdd shuts itself down. To shut sepmdd down manually, enter:

sepmd -k policyModel

Important! Do not use the UNIX command kill -9 to shut down sepmdd manually; this may destroy the PMDB.