Previous Topic: Create and Configure the Master PMDBNext Topic: Define Parent PMDBs for Subscribing Computers

Endpoint Administration Guide for UNIXManaging Policy ModelsAutomatic Rule-based Policy UpdatesHow You Can Set Up a HierarchyCreate and Configure Subscriber PMDBs

Create and Configure Subscriber PMDBs

Once you have a master PMDB configured, if you want to extend your hierarchy, create and configure subscriber PMDBs. On a local host, you can use the sepmdadm command.

Note: The following procedure shows the interactive form of the sepmdadm command. For information about using the command‑line parameters for all input, see the Reference Guide.

Follow these steps:

  1. In a command line, enter the following command: 
    sepmdadm ‑i

    CA ControlMinder starts the Policy Model database administration script (sepmdadm) and displays a menu with options for you to choose from.

  2. Enter 2, to select the second option (create a subsidiary PMDB and define its subscribers and parent.).

    The script is configured to ask you the relevant questions.

  3. Press Enter to continue.

    The script continues to ask you the first question.

    Note: If CA ControlMinder is not running, the script issues a warning and to let you start CA ControlMinder before the script is rerun.

  4. Enter a name for the Policy Model you want to create.

    The script registers the Policy Model name and continues.

    Note: The first character for a PMDB name should consist of the alphanumeric characters '-' and '_'.

  5. Enter the name of the first subscriber computer you want to specify.

    The script registers the name of the first subscriber and then asks you to enter the name of the next subscriber.

  6. Continue to enter subscriber names as necessary, then press Enter without entering a subscriber name.

    The script registers all subscriber names and continues.

    Note: You still must point each subscriber computer to its parent PMDB.

  7. Enter the name of the parent PMDB.

    The script registers the parent PMDB name and continues.

    Note: sepmdadm only lets you enter one parent for each subscribing database. You can, however, define multiple parents for each database. To do this, modify the parent_pmd token of the pmd.ini configuration file. For more information about using this token, see the Reference Guide.

  8. If you are running NIS, NIS+, or DNS, choose whether you want to update the NIS/DNS tables with PMDB changes.

    Updates are made to users and groups in the PMDB. The tables provide information on users and their characteristics. If you choose yes, a UNIX user or UNIX group that is updated through the Policy Model is also updated in the NIS passwd and group files.

    1. Enter y if you want to update the NIS/DNS tables.

      The script now asks you for the location of the NIS passwd and group files.

      1. Enter the full path of the NIS password file.

        The script registers the full path and continues.

      2. Enter the full path of the NIS group file.

        The script registers the full path and continues.

    2. Enter n or press Enter if you want to update the NIS/DNS tables.

      The script registers your answer and continues.

  9. Enter the users that you want to give special attributes for the PMDB:
    1. Enter CA ControlMinder administrator names as necessary, then press Enter without entering an administrator name.

      Administrators are authorized to change the properties of the PMDB.

      Note: At least one administrator must be defined in a PMDB (root is the default).

    2. Enter enterprise administrator names as necessary, then press Enter without entering an administrator name.
    3. Enter CA ControlMinder auditor names as necessary, then press Enter without entering an auditor name.

      Auditors are authorized to view the PMDB audit log files.

    4. Enter enterprise user auditor names as necessary, then press Enter without entering an auditor name.
    5. Enter CA ControlMinder password manager names as necessary, then press Enter without entering a password manager name.

      Password managers are authorized to change passwords in the PMDB.

    6. Enter enterprise user password manager names as necessary, then press Enter without entering a password manager name.

    The script registers your answer and continues.

  10. Enter administration terminals as necessary, then press Enter without entering an administration terminal.

    The script registers all administration terminals and then reports the selections that you have made and asks you to confirm them.

  11. Press Enter to confirm the selections you have made, or enter n to rerun the script with new inputs.

    If you confirm your selections, a new PMDB is created using the answers that you supplied.