

UNIX Installation Parameter File: Customize UNIX Installation

The UNIX parameters file contains installation parameters for specific areas of the CA Control Minder package that you can customize for your requirements. For a particular parameter to take effect, the corresponding shell variable must be set.

The parameter files conform to shell syntax and must contain key=value pairs. Use the parameter files from the package you want to install.

This file has the following format:

ADMIN_USERS

Defines users as security administrators.

Note: Security administrators can assign access rights to authorized users, manage privileged user passwords, and report on user activities.

Values: A space-separated list of user IDs, none

Default: none (Only root is defined as a security administrator)

API_INSTALL

Specifies whether to install the API package.

Values: yes, no

Default: no

APMS_ADMIN_USERS

Defines administrators for Advanced Policy Management Server components other than the local host.

Values: A space-separated list of users, none

Default: none

APMS_DESKTOP

Defines the computers, other than the local host, that are used to administer Advanced Policy Management Server components.

Values: A space-separated list of computers, none

Default: none

APMS_DIST_MODE

Defines whether an advanced policy management server is running in the distribution mode.

Values: yes, no

Default: no

AUDIT_BK

Specifies whether to keep time-stamped backups of the audit file.

Notes:

Values: yes, no

Default: no

AUDIT_GROUP

Specifies the name of the group reading CA Control Minder audit files.

Values: Any existing group name, none.

Default: none (only root can read audit files)

Note: The root user can read the audit files unless you deny access using CA Control Minder access rules.

CLIENT_INSTALL

Specifies whether to install the client package.

Values: yes, no

Default: yes

DH_NAME

Defines the name of the Distribution Hosts (DH) on the endpoint Advanced Policy Management Server components host.

Values: A space-separated DH list in the format dh1@host1 dh2@host1, none

Default: none

DIST_SRV_HOST

Defines the message queue host names.

Values: A comma-separated list of valid host names, none

Default: none

DIST_SRV_PORT

Defines the message queue port.

Values: 7243 (for the ssl protocol), 7222 (for a non-ssl protocol)

Default: 7243

DIST_SRV_PROTOCOL

Defines the message queue communication protocol.

Values: ssl, tcp

Default: ssl

DRDH_NAME

Defines the names of the endpoint Disaster Recovery Distribution Hosts (DR DH).

Values: A space-separated DR DH list in the format dr_dh1@drhost dr_dh2@drhost, none

Default: none

ENABLE_ELM

Specifies whether CA Control Minder sends endpoint audit data to the report server.

Note: If you specify yes, set CA Control Minder to keep audit backups (AUDIT_BK=yes).

Values: yes, no

Default: no

ENABLE_KBL

Specifies whether CA Control Minder enables the KBL audit records manager.

Values: yes, no

Default: no

ENCRYPTION_METHOD_SET

Defines whether to use symmetric encryption, asymmetric encryption (public key), or both.

Values: 1 (Symmetric key), 2 (Public key), 3 (Public key and Symmetric key)

Default: 1

Notes:

Important! The encryption method must be the same on all CA Control Minder hosts. Earlier CA Control Minder releases configured a simple symmetric encryption method by default.

ETC_SEOS_SYMLINK

Defines whether a link is created in the /etc directory that points to the CA Control Minder installation directory.

Values: yes, no

Default: yes

FIPS_ONLY

Specifies whether CA Control Minder works in the FIPS only mode.

Note: In this mode, all non-FIPS functions are disabled and the encryption method is set to FIPS only.

Values: yes, no

Default: no

FORCE_ENCRYPT

Specifies whether the installation warns you about using a nondefault encryption key.

Note: After the upgrade, your encryption key is set to the default.

Values: yes, no

Default: no

FORCE_INSTALL

Specifies whether to force installation over an existing installation of the same CA Control Minder version. FORCE_INSTALL also specifies whether to force installation when the installation directory is different from the installation directory set in the new CA Control Minder package.

Values: yes, no

Default: no

FORCE_KERNEL

Specifies whether the installation warns you when the old kernel module cannot be unloaded.

Note: If you specify no, reboot the system after the upgrade is complete.

Values: yes, no

Default: no

INST_PHASE1

Specifies whether to install the baseline security pack.

Notes:

Values: yes, no

Default: no

INSTALL_ACCOUNT_MNG

Specifies whether you want to configure endpoint JCS Management.

Note: To configure the AccountManager, set the Distribution Server parameters.

Values: yes, no

Default: no

INSTALL_APMC

Specifies whether to configure the endpoint for advanced policy management.

Note: Each CA Control Minder endpoint must be configured to receive updates from the advanced policy management server components.

Values: yes, no

Default: yes

INSTALL_APMS

Specifies whether to install the advanced policy management server components to centrally manage policy deployments.

Note: We recommend that you install advanced policy management server components on a central computer.

Values: yes, no

Default: no

INSTALL_PUPM

Specifies whether you want to configure the PUPM Agent.

Values: yes, no

Default: no

INSTALL_RA

Specifies whether you want to configure endpoint Message Queues.

Values: yes, no

Default: no

JAVA_HOME

Defines the path to the installed Java environment.

Note: The Java environment path depends on the version and the platform. For example, on IBM J2SE Version 5.0 installed on Linux390, JAVA_HOME=/opt/ibm/java2-s390-50/jre.

Values: path to the installed Java environment

Default: java_home (the value in accommon.ini is set during installation)

JCS_SERVER_DN

Specifies the JCS server Distinguished Name (DN).

Values: A valid DN format string

Default: dc=im,dc=etasa

JCS_SERVER_PORT

Specifies the JCS port.

Values: Port number

Default: 20411

JCS_SSL

Defines the JCS communication protocol.

Values: yes (for SSL connection), no

Default: yes

JCS_USER_DN

Specifies the JCS administrative user Distinguished Name (DN).

Values: Any valid DN format string

Default: cn=root,dc=etasa

JCS_USER_PSSWD

Specifies the JCS administrative user password.

Note: Wildcards (*) replace the JCS_USER_PSSWD value after the installation.

Values: Any valid DN format string

Default: No default value

LANG

Defines the CA Control Minder installation language.

Example: To install CA Control Minder with Japanese EUC support, LANG=ja_JP. For a complete list of supported languages, use the command locale -a.

Notes:

Values: A supported language string

Default: English

LIB_ENCRYPTION

Defines the encryption method that is used to protect communication between CA Control Minder programs and CA Control Minder installed hosts.

Notes:

Values: 99 (AES256), 1 (SCRAMBLE), 2 (DES), 3 (TRIPLEDES), 4 (AES128), 5 (AES192)

Default: 99

LIC_CMD

Defines the command that accepts the license agreement.

Notes:

Important! The LIC_CMD command is required to install CA Control Minder.

LIC_INTALL_DIR

Defines the CA license installation location.

Values: Any absolute path name.

Default: /opt/CA/SharedComponents (Same as lic98 default)

LOG_FILE_NAME

Defines the installation log file name that is created in the $SEOSDIR.

Values: Any valid file name.

Default: AccessControl_install.log

MFSD_INSTALL

Specifies whether to install the Mainframe Synchronization Support Daemon.

Values: yes, no

Default: no

NO_TNG_INT

Specifies whether to set up the selogrd/TNG integration.

Values: yes (attempts to set up selogrd/TNG integration), no (selogrd/TNG integration does not take place)

Default: no

OS_USERS

Specifies OS database administrators.

Values: A space-separated list of users, none

Default: none

PARENT_PMD

Defines a list of Policy Model Databases (PMDBs) from which the computer accepts updates.

Note: The local CA Control Minder database rejects updates from any PMDB that is not specified in this list.

Values: _NO_MASTER_ (the local database accepts updates from any PMDB); a comma-separated list of PMDBs in the format pmd1@host1, pmdb2@host1; a path to a file that contains a line-separated list of PMDBs; none (the local database does not accept updates from any PMDBs).

Default: none

PASSWD_PMD

Specifies the Policy Model Database (PMDB) where sepass sends password updates.

Values: A PMDB in the format pmd_name@hostname, none

Default: none

Notes:

POSTEXIT

Defines the full program or script path name that is executed after you run the post install script.

Values: yes, pathname

Default: no

PREINSTALL

Defines the full program or script path name that is executed before you run the post install script.

Values: yes, pathname

Default: no

PRIMARY_ENTM_NAME

Defines the Primary Enterprise Management server host name.

Values: string, none

Default: none

PROVIDE_OR_GEN_CERT

Specifies whether you generate a new subject certificate and key or provide an existing subject certificate and key.

Notes:

Values: 1 (Generate a subject certificate and key), 2 (Provide an existing certificate and key)

Default: 1

PWFORCE

Defines the upgrade behavior when a PMDB update is in progress.

Notes:

Values: yes, no

Default: no

REPORT_SHARED_SECRET

Defines the shared secret for Message Queue SSL authentication.

Note: Wildcards (*) replace the shared secret after the installation.

Values: Any string

Default: Empty value

REPORT_SRV_QNAME

Defines the name of the queue where reports are sent.

Values: A string representing a queue name

Default: queue/snapshots

REPORT_SRV_SCHEDULE

Defines when reports are generated and sent to the report server.

Values: A string representing time and date in the format time@day, day

Example: 19:22@Sun, Mon (this example generates reports every Sunday and Monday at 19:22).

Default: 00:00@Sun, Mon, Tue, Wed, Thu, Fri, Sat

ROOT_CERT_KEY

Specifies the public key that is used for the subject key generation.

Values: The full path name to the subject certificate file, default

Default: default (the key that is provided with the installation package)

ROOT_CERT_PATH

Specifies the root certificate that is used for the subject certificate generation.

Values: The full path name to the subject certificate file, default

Default: default (The root certificate that is provided with the installation package)

SELINUX_POLICY

Specifies whether UNIX Authentication Broker activates the SELinux policy during installation.

Values: yes, no

Default: no

SEOS_GROUP

Defines the name of the group that owns the CA Control Minder files.

Values: Any existing group name.

Default: root

SERIAL_NUM

Defines the subject certificate serial number.

Note: To define a subject certificate serial number, CA Control Minder uses default values or accepts your input.

Values: A valid serial number, 0003ba39cc23

Limits: 3-247 characters

Default: 0003ba39cc23

SERVER_INSTALL

Specifies whether to install the server package.

Values: no, yes

Default: yes

SET_SYMMETRIC

Specifies whether to change the default symmetric encryption method.

Notes:

Values: yes, no

Default: yes

SUBJECT_CERT_KEY_PATH

Specifies the public key location.

Values: The full path name to the subject certificate file

Default: <SEOSDIR>/data/crypto/sub.key

SUBJECT_CERT_PATH

Specifies the subject certification location.

Note: To generate a subject certificate, specify the file location.

Values: The full path name to the subject certificate file

Default: <SEOSDIR>/data/crypto/sub.pem

SUBJECT_EXP_DATE

Defines the subject certificate expiration date.

Note: To define a subject certificate expiration date, CA Control Minder uses default values or accepts your input.

Values: A date in the format mm/dd/yy

Default: 12/31/35

SUBJECT_NAME

Defines the subject certificate name.

Note: To define a subject certificate name, CA Control Minder uses default values or accepts your input.

Values: An LDAP format name, cn=any.string

Limits: 3-63 characters

Default: c=any.string

TNG_INSTALL

Specifies whether to install the Unicenter Integration and Migration packages.

Note: This package supports CA Control Minder integration and migration with CAUTIL, Workload Management, and Event Management components of Unicenter.

Values: yes, no

Default: no

UPDATE_ENCRYPT

Specifies whether to change the default encryption method which protects communication between CA Control Minder programs and CA Control Minder installed hosts.

Values: yes, no

Default: yes

UPDATE_PROFILE

Defines whether CA_LIC updates the /etc/profile file so that it loads profile.ca.

Values: yes, no

Default: yes

UPGRADE_KERNEL_UNLOAD

Specifies whether the installer will attempt to stop and unload the existing version of CA Control Minder when installing a different version.

Values: yes, no

Default: yes

USE_OSUSER

Enables OS user support.

Note: OS users are defined in the OS repository but not in the CA Control Minder database. If you enable OS users support, you can reference users not defined in the CA Control Minder database.

Values: yes, no

Default: yes

USE_STOP

Specifies whether to enable the STOP (Stack Overflow Protection) feature of CA Control Minder.

Values: yes, no

Default: no

USE_UXIMPORT

Specifies whether CA Control Minder imports native users and groups into the database.

Values: yes, no

Default: no

Note: The import process uses local host files or the local NIS maps as information sources. The time that is required to import users and groups depends on the number of users, groups, and hosts defined. You can also import this data into the CA Control Minder database after the installation using the UxImport utility.

UserBrandZone

(Solaris 10 only) Specifies that CA Control Minder is installed on a branded zone or that a branded zone with CA Control Minder installed is configured.

Note: If you set this value to yes, the installation changes the kernel communication mode to use ioctl instead of a syscall.

Values: yes, no

Default: no

WITH_DNS

Specifies whether to use DNS to create the host look-alike database during installation.

Values: yes, no

Default: yes
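
The following is an added example, not part of the CA documentation: a shell function that lints a parameter file against dependencies stated on this page (the message queue port and protocol pairing, ENABLE_ELM requiring AUDIT_BK=yes, the non-AES LIB_ENCRYPTION values, cleartext JCS and message queue settings, and secrets held in a readable file). The function names, finding labels, and sample file are assumptions made for the example; the file is parsed as text rather than sourced, so checking it never executes it.

```shell
# Added example: lint a parameter file against the dependencies documented on this page.
# The file is read as text, never sourced, so auditing it cannot run code from it.

get_param() {   # get_param FILE KEY DEFAULT -> last KEY=value (double quotes stripped)
    v=$(sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | sed 's/^"\(.*\)"$/\1/')
    printf '%s\n' "${v:-$3}"
}

audit_params() {   # audit_params FILE -> one finding per line, no output if clean
    f=$1
    proto=$(get_param "$f" DIST_SRV_PROTOCOL ssl)
    port=$(get_param "$f" DIST_SRV_PORT 7243)
    case "$proto:$port" in
        ssl:7243|tcp:7222) ;;                      # documented pairings
        *) echo "MQ_PORT_MISMATCH $proto:$port" ;;
    esac
    if [ "$proto" = tcp ]; then echo "MQ_CLEARTEXT"; fi
    if [ "$(get_param "$f" JCS_SSL yes)" = no ]; then echo "JCS_CLEARTEXT"; fi
    if [ "$(get_param "$f" ENABLE_ELM no)" = yes ] &&
       [ "$(get_param "$f" AUDIT_BK no)" != yes ]; then
        echo "ELM_WITHOUT_AUDIT_BK"
    fi
    case "$(get_param "$f" LIB_ENCRYPTION 99)" in
        1|2|3) echo "NON_AES_LIB_ENCRYPTION" ;;    # SCRAMBLE, DES, TRIPLEDES
    esac
    # Secrets are masked only after installation; until then the file holds them.
    secrets="$(get_param "$f" JCS_USER_PSSWD "")$(get_param "$f" REPORT_SHARED_SECRET "")"
    if [ -n "$secrets" ] && [ "$(ls -ld "$f" | cut -c5-10)" != "------" ]; then
        echo "SECRET_IN_GROUP_OR_WORLD_ACCESSIBLE_FILE"
    fi
}

# Constructed sample parameter file (all values are made up for the example).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
DIST_SRV_PROTOCOL=tcp
DIST_SRV_PORT=7243
ENABLE_ELM=yes
LIB_ENCRYPTION=2
REPORT_SHARED_SECRET="example-secret"
EOF
chmod 644 "$SAMPLE"
audit_params "$SAMPLE"
```

Run it against the parameter file before invoking the installer, and restrict the file to mode 600 while it still contains JCS_USER_PSSWD or REPORT_SHARED_SECRET in clear text.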