Upgrade Guide › Upgrading Server and Endpoint Components › Upgrading from CA ControlMinder r8.0SP1

Upgrading from CA ControlMinder r8.0SP1

The purpose of this scenario is to describe the steps that you follow to upgrade from CA ControlMinder r8.0SP1. The upgrade process in the chapter assumes that you installed CA ControlMinder r8.0SP1 components on separate computers.

The information in this section is intended for system or CA ControlMinder administrators that are tasked with managing CA ControlMinder.

The following diagram illustrates the steps to complete to upgrade from CA ControlMinder r8.0SP1:

The following diagram illustrate the steps to complete to upgrade from CA Access Control r8.0SP1:

Important!

Back up all CA ControlMinder components before you start the upgrade process.
Customize the software package to specify the 'eTrustAccessControl' path. The r8 SP1 package had eTrust in the product name and was therefore installed into the eTrustAccessControl subdirectory. Newer versions install into the AccessControl subdirectory.

You upgrade your existing CA ControlMinder r8.0SP1 deployment by following these steps:

Prepare the Enterprise Management Server.
Before you install the Enterprise Management Server, prepare the computer by installing and configuring the prerequisites.
Install CA ControlMinder Enterprise Management.
Upgrade from Policy Model environment to an advanced policy management environment.
Upgrade the CA ControlMinder endpoins:
- Windows—Install using Product Explorer
- UNIX—Install Using install_base script
Note: The installation also upgrades the password PMD.
(Optional) Migrate (iRecorder product) to CA User Activity Reporting.

Note: You cannot upgrade the Policy Manager. Use CA ControlMinder Endpoint Management to manage policies on the endpoints.

Prepare the Central Database for Enterprise Management

CA ControlMinder Enterprise Management requires a relational database management system (RDBMS). You set it up before you install CA ControlMinder Enterprise Management.

You have two options for setting up your database to work with CA ControlMinder Enterprise Management:

Prepopulate the central database using the deployment scripts that CA ControlMinder provides.
Database preparation and CA ControlMinder Enterprise Management installation are separate. The database administrator can review and control the changes that CA ControlMinder makes to the database.
Let CA ControlMinder Enterprise Management prepare the central database during installation.
The CA ControlMinder Enterprise Management installation populates the database as part of the installation process.

Follow these steps:

If you do not already have one, install a supported RDBMS as the central database.
Note: For a list of supported RDBMS software, see the Release Notes.
Configure the RDBMS for CA ControlMinder Enterprise Management:
Verify that the database can be accessed locally and from a remote client.
- For Oracle, create a user for the central database.
  This user must have the following permissions and settings:
  - CONNECT (granting the following system privileges: ALTER SESSION, CREATE CLUSTER, CREATE DATABASE LINK, CREATE SEQUENCE, CREATE SESSION, CREATE SYNONYM, CREATE TABLE, CREATE VIEW)
  - RESOURCE (granting the following system privileges: CREATE CLUSTER, CREATE INDEXTYPE, CREATE OPERATOR, CREATE PROCEDURE, CREATE SEQUENCE, CREATE TABLE, CREATE TRIGGER, CREATE TYPE)
  - Unlimited quota on the tablespace that hosts the CA ControlMinder Enterprise Management Server.
- For SQL Server:
  - Create a new case-insensitive database.
    The database must have the sort order SQL_Latin1_General_CP1_CI_AS.
  - Create a user, make the new database the default database of the user, and assign the user to the following privileges: DBCREATOR, SYSADMIN
(Optional) Prepopulate the central database using the deployment scripts that CA ControlMinder provides.
1. Customize the deployment scripts before you deploy them.
  The deployment scripts define four default user accounts that CA ControlMinder Enterprise Management uses (superadmin, selfreguser, neteautoadmin, [default user]). You can change the names of these default accounts and their passwords.
  
  Important! Customize the scripts only if you plan to use the embedded user store. If you use Active Directory, CA ControlMinder Enterprise Management does not store account information in the central database. For more information, refer to the Implementation Guide.
2. Deploy the deployment scripts.
3. Configure the database user that you use for CA ControlMinder Enterprise Management installation.
  - (For Oracle) Keep the CONNECT and RESOURCE roles for the user you created.
  - (For SQL Server) Create a user, select the database that you created earlier as default, map the user to the database, and set the following permissions: CONNECT.SELECT, INSERT, DELETE, UPDATE, EXECUTE.

Install CA ControlMinder Enterprise Management on Windows

Installing CA ControlMinder Enterprise Management installs all the Enterprise Management Server components. You prepare the Enterprise Management Server before you install CA ControlMinder Enterprise Management.

We recommend that you use the Prerequisite Kit installer to initiate the CA ControlMinder Enterprise Management installation. This installer installs the prerequisite third-party software and then starts the CA ControlMinder Enterprise Management installation.

Follow these steps:

Stop JBoss Application Server if it is running.
Stop CA ControlMinder services if you are installing CA ControlMinder Enterprise Management on a computer that already has CA ControlMinder installed.
Insert the CA ControlMinder Server Components DVD for Windows into your optical disc drive.
Expand the Components folder in the Product Explorer, select CA ControlMinder Enterprise Management, then click Install.
The InstallAnywhere installation program starts.
1. (Optional) Specify the full pathname of a custom FIPS key to use during installation.
2. Open a Command Prompt window and navigate to the CA ControlMinder Enterprise Management installation executable on the CA ControlMinder Server Components DVD for Windows. This file is located under:
```
\EnterpriseMgmt\Disk1\InstData\NoVM
```
3. Run the CA ControlMinder Enterprise Management install executable with the following argument:
```
-DFIPS_KEY=full_pathname_to_FIPS_key
```
  For example, to install with a custom FIPS key located at C:\tmp\FIPS.key:
```
E:\EnterpriseMgmt\Dis1\InstData\NoVM\install_EntM_r125.exe -DFIPS_KEY=C:\tmp\FIPSkey.dat
```
Important! If you install CA ControlMinder Enterprise Management for High Availability, specify the same FIPS key on the primary and secondary Enterprise Management Servers. Specify a custom FIPS key if you install CA ControlMinder Enterprise Management for High Availability with FIPS support.

The InstallAnywhere installation program starts.
Complete the wizard as required. The following installation inputs are not self-explanatory:
Java Development Kit (JDK)

Defines the location of an existing JDK.

Note: If you launch the CA ControlMinder Enterprise Management installation immediately after you use the CA ControlMinder Third Party Component DVDs to install the prerequisite software, this wizard page does not appear. The installation utility configures the installation settings on this page based on the values you provided in the prerequisite software installation process.

JBoss Application Server Information
Defines the JBoss instance that you want to install the application on.

To do this, define the:
- JBoss folder, which is the top directory where you have JBoss installed.
  For example, C:\jboss-4.2.3.GA on Windows or /opt/jboss-4.2.3.GA on Solaris.
- URL, which is the IP address or host name of the computer you are installing on.
- Port JBoss uses.
- Port JBoss uses for secure communications (HTTPS).
- Naming port number.
Communication Password

(Primary Enterprise Management Server Only) Defines the password used for CA ControlMinder Enterprise Management Server inter-component communication.

Note: CA ControlMinder Enterprise Management uses the communication password to manage the Message Queue keystore and administrator account, handle communication between CA ControlMinder Enterprise Management and the endpoints and manage the Java Connection Server.

Database Information
Defines the connection details to the RDBMS:
- Database Type—Specifies a supported RDBMS.
- Host Name—Defines the name of the host where you have the RDBMS installed.
- Port Number—Defines the port used by the RDBMS you specified. The installation program provides the default port for your RDBMS.
- Service Name—(Oracle) Defines the name that identifies your RDBMS on the system. For example, for Oracle Database 10g this is orcl by default.
- Database Name—(MS SQL) Defines the name of the database you created.
- Username—Defines the name of the user that you created when you prepared the database.
  Note: You granted this user the appropriate database permissions when you prepared the database.
- Password—Defines the RDBMS password of the user that you created when you prepared the database.
The installation program checks the connection to the database before it continues.
User Store Type
Defines the user store type CA ControlMinder Enterprise Management uses. Select one of the following:
- Embedded User Store—CA ControlMinder Enterprise Management stores user information in the RDBMS.
- Active Directory—you specify the connection information details in the next screen.
- Other User Store—you specify the user store configuration information after the CA ControlMinder Enterprise Management installation completes.
Note: To deploy login authorization policies to UNAB, you must select either Active Directory or Other User Store as the user store. If you select Active Directory or Other User Store as the user store, you cannot create or delete users and groups in CA ControlMinder Enterprise Management. For more information about UNAB and Active Directory restrictions, see the Enterprise Administration Guide.
Active Directory Settings
Defines the Active Directory user store settings:
- Host—Defines the Domain Controller host name of Active Directory.
- Port—Defines the port used by default for LDAP queries against Active Directory, for example, 389.
- Search Root—Defines the search root, for example, ou=DomainName, DC=com.
  Note: Set the Search Root at least one node higher in the directory tree than the Distinguished Names (DNs) for the users specified for User DN and System User. Otherwise, Enterprise Management might launch without displaying any tabs.
- User DN—Defines the Active Directory user account name that is used to manage CA ControlMinder Enterprise Management. For example: CN=Administrator, cn=Users, DC=DomainName, DC=Com.
  Note: This user issues LDAP queries against Active Directory. You can choose to define a user with read-only privileges for this parameter. However, if you define a user with read-only privileges, you cannot assign admin roles or privileged access roles to users in CA ControlMinder Enterprise Management. Instead, you modify the member policy for each role to point to an Active Directory group.
- Password—Defines the password of the Active Directory user account that is used to manage CA ControlMinder Enterprise Management.
The installation program checks the connection to Active Directory before continuing.

Note: You can use the DSQUERY directory querying utility to discover the user Distinguished Name (User DN). You must run this query on the Active Directory server. For example:
```
dsquery user -name administrator
"CN=Administrator,CN=Users,DC=lab.DC=demo"
```
System User

(Active Directory only) Defines the DN of the Active Directory user who is assigned the System Manager admin role in CA ControlMinder Enterprise Management.

Example: CN=SystemUser, ou=OrganizationalUnit, DC=DomainName, DC=Com

Note: By default, a user with the System Manager admin role can perform, create, and manage all tasks in CA ControlMinder Enterprise Management. For more information about the System Manager admin role, see the Enterprise Administration Guide.

Administrator Password

(Embedded user store only) Defines the password of superadmin, the CA ControlMinder Enterprise Management administrator. Make a note of the password so you can log in to CA ControlMinder Enterprise Management when the installation is complete.

Note: In this step you create the superadmin user in the embedded user store. The superadmin user is assigned the System Manager admin role in CA ControlMinder Enterprise Management. You log in as superadmin the first time you log in to CA ControlMinder Enterprise Management. For more information about the System Manager admin role, see the Enterprise Administration Guide.
CA ControlMinder Enterprise Management is installed after you complete the wizard. Reboot the computer to complete the CA ControlMinder Enterprise Management installation.
Select Yes, restart my system and click Done.
You can now configure CA ControlMinder Enterprise Management for your enterprise.

More information:

Active Directory Restrictions

Install Using Product Explorer

The CA ControlMinder Product Explorer lets you select between different architecture installations of CA ControlMinder and install the Runtime SDK. The Product Explorer uses a graphical interface to install CA Access Control and provides interactive feedback.

Follow these steps:

Log into the Windows system as a user with Windows administrative privileges (that is, as the Windows administrator or a member of the Windows Administrators group).
Close any applications that are running on your Windows system.
Insert the CA ControlMinder Endpoint Components for Windows DVD into your optical disc drive.
If you have autorun enabled, the Product Explorer automatically appears. Otherwise, navigate to the optical disc drive directory and double-click the PRODUCTEXPLORERX86.EXE file.
From the Product Explorer main menu, expand the Components folder, select CA ControlMinder for Windows (my_architecture), then click Install.
You need to select the installation option that matches the architecture of the computer you are installing on (32-bit, 64-bit x64, or 64-bit Itanium).

The Choose Setup Language window appears.
Select the language you want to install CA ControlMinder with and click OK.
The CA ControlMinder installation program starts loading and, after a short while, the Introduction screen appears.

Note: If the installation program detects an existing installation of CA ControlMinder, you are prompted to select whether you want to upgrade CA ControlMinder.
Follow the instructions on the installation screens.
During the installation, the installation program prompts you to supply information. For the information that you need when installing CA ControlMinder, refer to the installation worksheets.

The installation program installs CA ControlMinder. When the installation is complete, you are given the choice of restarting Windows now or later.
Select Yes, I want to restart my computer now, and then click OK.
After your system reboots, you can check that CA ControlMinder was installed properly.

Note: If you choose to restart your computer later, an additional warning cautions you that the installation is not complete until your computer is rebooted. Some CA ControlMinder functionality, such as logon interception, does not work until after you restart your computer.

Install Using install_base Script

You can install CA ControlMinder on any supported OS using the install_base script. This is an interactive script but you can also run it silently.

Note: Before you run the install_base script, make sure you decide which functionality you want to install and review the install_base command so you know how to initiate the installation of this functionality. You may also want to learn first how the install_base script works.

Follow these steps:

If you already have CA ControlMinder installed and it is running, shut it down by logging in as an administrator and entering the following commands:
```
ACInstallDir/bin/secons ‑sk
ACInstallDir/bin/SEOS_load -u
```
Log in as root.
To install CA ControlMinder, you need to have root permissions.
Mount the optical disc drive with the CA ControlMinder Endpoint Components for UNIX DVD.
Important! If you are installing on HP from an optical disk drive, you need to ensure the proper reading of file names from the DVD. To prevent the file names from being forced into a shortened and all‑uppercase format, enter the pfs_mountd & and the pfsd & commands and make sure that the following four daemons are invoked: pfs_mountd, pfsd.rpc, pfs_mountd.rpc, and pfsd. For more information, see the man pages of the particular pfs* daemons and commands.
Read the license agreement.
To run the install_base script you need to accept the End User License Agreement. After you have read the license agreement, you can continue the installation by entering the command found at the end of that file. To get the license file name and location, run install_base -h.
Run the install_base script.
The install_base script starts and, based on your choices, prompts you for the appropriate installation questions.

Note: The installation script finds the appropriate compressed tar file, so typing the name the tar file for your platform is optional.

Now the CA ControlMinder installation is complete; however, it is not yet running.

Example: Upgrade to CA ControlMinder r12.6SP1 for UNIX Using Silent Install

This example shows you how to upgrade an existing CA ControlMinder r8.0SP1 endpoint to CA ControlMinder r12.6SP1 for UNIX. In this example, you install CA ControlMinder using the parameters file that enables you to install new features on the endpoint.

Review the install_base script command.
You use the install_base script to install CA ControlMinder r12.6SP1 in silent mode. For more information, refer to the Implementation Guide.
Extract the parameters file from the tar compressed file from the CA ControlMinder Endpoint Components for UNIX media. The file is located in the following directory:
```
\Unix\Access-Control\
```
Install CA ControlMinder using the install_base script.
Use the -autocfg command and specify to use the parameters file you customized.

CA ControlMinder r12.6SP1 is installed with the options you specified.

Example: The parameters file

The parameters file lets you select the software components to add to the endpoint. If you install CA ControlMinder in native installation mode, you customize the file before you begin the installation. If you install CA ControlMinder in interactive mode, you can extract the installation parameters into a file and then customize the installation parameters.

The following is a snippet from the parameters file:

#  Specifies whether you want to configure PUPM Agent 
#  Values: "yes", "no"
#  Default: "no"
INSTALL_PUPM="yes"

# Specifies whether  enables KBL audit records management
# Values: yes, no
# Default: no
ENABLE_KBL=yes

In this example, you specified to install the SAM Integration on, (INSTALL_PUPM=yes). and enabled keyboard logging on the endpoint, (ENABLE_KBL=yes).

Example: Install the Client and Server Packages with Default Features

The following command shows how to initiate the install_base interactive script to install the client and server packages with all default CA ControlMinder features. During the installation you are asked to answer questions related to installing the client and server packages of CA ControlMinder.

/dvdrom/Unix/Access‑Control/install_base

Note: As we did not specify a package to install, the install_base command installs both client and server packages.

Example: Install the Client Package with STOP Enabled to a Custom Directory

The following command shows how to initiate the install_base interactive script to install the client package to the /opt/CA/AC directory, and enable the Stack Overflow Protection option.

/dvdrom/Unix/Access‑Control/install_base -client -stop  -d /opt/CA/AC