

sepmd Utility—Administer Subscribers and the Update File

The sepmd utility creates, removes, and assigns subscribers.

This command has the following format:

sepmd {-C|-de|-l|-L|-p|-R} pmd
sepmd {-n|-r|-u} pmd subscriber
sepmd -s pmd subscriber offset
sepmd -sm pmd mf_subscriber mf_type mf_sysid mf_admin offset
sepmd -smq pmd <-predefined> <ACMQ queue> [-destination <destination>]
sepmd -t pmd {auto|offset}

‑C

Displays all commands in the update file and their offsets. The offset indicates the location of the update inside the file, which you may want to specify when you subscribe another database or PMDB.

‑de

(UNIX only) Decrypts the information in the encrypted updates.dat file. Data encryption for this file occurs when you set the UseEncryption PMDB configuration setting to yes.

‑l

Lists the subscribers of the Policy Model.

‑L

Lists the Policy Model and its status, including number of errors, availability, offset, synchronization mode, and the next command to be propagated. The update file contains all updates that must be, or have been, propagated by the Policy Model. The offset indicates the location of the next update that must be sent to a subscriber. Both initial and latest offsets also appear.

‑n

Creates a new subscriber and then updates it retroactively to the Policy Model. For general rules that apply for updating a subscriber, see the description for the -s option.

Note: This option sends the contents of the entire PMDB, including the LOGINAPPL (UNIX only) and SPECIALPGM objects, to the new subscriber. You may want to filter out these objects if the subscriber's objects differ from those of the parent.

The -n option does not replace the database definitions on the target subscriber; rather, the Policy Model definitions are added to the existing definitions. If the target database contains additional resources or attributes, the new Policy Model does not remove them after subscription is complete.

A subscriber added with -n is marked as sync, indicating that it is now in synchronization mode and receives all of the PMDB rules. When the subscriber has received all the rules, it is released from synchronization mode and becomes a regular subscriber. The -n option may take some time to process. If there are multiple or contradictory updates, the last one is used.

Important! When you subscribe a CA ControlMinder endpoint or a PMDB to another PMDB using sepmd -n, the new parent PMDB should not contain any policies (POLICY object names) that already exist in the new subscriber. Undeploy each existing policy from the subscriber and then delete the POLICY object and linked RULESET object from the subscriber before you subscribe it to the new parent PMDB.

On UNIX, if the send_unix_env token in the seos.ini file is set to yes, the -n option also sends the contents of the Policy Model password and group files. We recommend that you view the database, by using dbmgr ‑export ‑l, to ascertain the commands being forwarded.

‑p

Lists the resident Policy Models and their status.

‑r

Removes the subscriber from the list of unavailable subscribers maintained by sepmdd, making the subscriber available for immediate updates. Normally, if a subscriber is down and cannot receive updates from the Policy Model, sepmdd tries to send updates to that subscriber only after a certain period of time. However, if you specify this option, sepmdd skips the waiting period and tries to send updates to the subscriber immediately.

-R

Updates all subscribers with their real offset.

‑s

Subscribes another database or PMDB to the Policy Model. When you subscribe a host to a Policy Model, the host must be up, and CA ControlMinder must be running on that host. Additionally, the PMDB must be the parent PMDB of the subscribed host. You establish this relationship with the subscriber's parent_pmd configuration setting, which must contain the name of the PMDB to which the host is being subscribed.

When you subscribe a Policy Model to another Policy Model,

A PMDB should have only one parent. If you decide to establish a Policy Model with more than one parent, give the parent_pmd token the name of a file containing a list of the parent Policy Models. However, establishing more than one parent is not recommended because you risk inundating your database with unreliable instructions from multiple sources.

‑sm

Assigns a mainframe subscriber to the Policy Model.

-smq

Subscribes a pre-defined message queue subscriber to a Policy Model.

<ACMQ queue>

Specifies the following pre-defined Message Queue queues:

  • ServerToServer
  • ServerToServerBroadcast
  • ServerToEndpointBroadcast
  • EndpointToServer
  • ServerToEndpoint

-destination

Specifies the destination of the CA ControlMinder component that receives messages from the subscriber.

‑t

Truncates the update file by deleting entries from it.

Note: On UNIX, if the force_auto_truncate PMDB configuration setting is set to no, sepmd ‑t does not truncate the update file. If the token is set to yes, the command truncates the update file even if there are no subscribers to the Policy Model.

If a subscriber received fewer than all updates before the specified offset, sepmd displays an error message and does not truncate the file. If you want to truncate the file anyway, do the following:

If you do this, the subscriber fails to receive one or more updates from the Policy Model. The subscriber's offset changes to the last offset of the updates file.

‑u

Removes a subscriber from the Policy Model subscription list.

auto

Instructs sepmd to calculate the offset of the first unpropagated entry and to delete all the entries before it.

offset

Used with the -s or -sm options, specifies the point within the update file from where the newly added subscriber starts receiving updates.

Used with the -t option, specifies the distance from the beginning of the update file to the position of a particular subscriber.

Use the ‑C option to see the valid update offsets. If you specify an offset that is in the middle of an update, the offset is moved forward to the beginning of the next update. If you specify an invalid offset (smaller than the first offset or larger than the last), an error message appears.

pmd

Specifies the name of the Policy Model.

-predefined

Specifies that pre-defined message queue subscribers are used.

subscriber

Specifies the subscriber station or the host of the subscriber PMDB.
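
The offset rules described for the offset argument and the -t option can be modelled as a pre-truncation check. This is an added example, not code from the product or its documentation; the function names, subscriber names, and offsets are constructed, and it assumes you have already read the update offsets from sepmd ‑C and each subscriber's next offset from sepmd ‑L (their output format is not parsed here).

```python
"""Model of the documented sepmd offset rules (illustrative only)."""
from bisect import bisect_left

# Constructed sample data: start offset of each update in the update file,
# and the offset of the next update each subscriber still has to receive.
UPDATE_OFFSETS = [0, 120, 310, 480]
SUBSCRIBERS = {"host-a.example": 480, "host-b.example": 310}


def normalize_offset(update_offsets, requested):
    """Reject offsets smaller than the first or larger than the last update;
    move an offset that falls inside an update forward to the next update."""
    offsets = sorted(update_offsets)
    if not offsets or requested < offsets[0] or requested > offsets[-1]:
        raise ValueError(f"invalid offset {requested}")
    return offsets[bisect_left(offsets, requested)]


def auto_offset(subscriber_offsets):
    """Model of `-t pmd auto`: the first unpropagated entry is the smallest
    next-update offset across subscribers (assumes at least one subscriber)."""
    return min(subscriber_offsets.values())


def truncation_check(update_offsets, subscriber_offsets, requested):
    """Return (safe, effective_offset, lagging_subscribers).

    Truncation is unsafe when any subscriber has not yet received every
    update located before the effective offset; those subscribers would
    miss updates if the file were truncated anyway."""
    effective = normalize_offset(update_offsets, requested)
    lagging = sorted(name for name, off in subscriber_offsets.items()
                     if off < effective)
    return (not lagging, effective, lagging)


if __name__ == "__main__":
    print("auto offset:", auto_offset(SUBSCRIBERS))
    for req in (310, 400):
        print(req, truncation_check(UPDATE_OFFSETS, SUBSCRIBERS, req))
```

Running the check before sepmd ‑t shows which subscribers would be left behind by a given offset, so a lagging subscriber can be investigated rather than silently skipped.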