

Configure the Primary Enterprise Management Server

The primary Enterprise Management Server is the central management server and contains components and tools that let you deploy policies to endpoints, manage privileged accounts, and define resources, accessors, and access levels.

Note: This procedure assumes that you have installed the primary Enterprise Management server and all the web-based applications, the Distribution Server, and the DMS.

Follow these steps:

  1. Verify that CA ControlMinder services are started.

    CA ControlMinder Enterprise Management requires that CA ControlMinder is running.

  2. Verify that the JBoss Application Server service is started. If it is not started, enter the following command:
    ./JBOSS_DIR/bin/run.sh -b 0.0.0.0
    

    When the JBoss Application Server completes loading, you can log in to the CA ControlMinder Enterprise Management web-based interface.

  3. Configure the DMS to authorize the secondary Enterprise Management Server, as follows:
    1. On the primary Enterprise Management Server, start the JCS, JBoss Application Server, CA ControlMinder, and Message Queue daemons.
    2. Open a selang Command Prompt window and enter the following command:
      host DMS__@
      

      A message appears informing you that you are connected to the local host.

    3. Enter the following command to display the list of authorized terminals:
      sr TERMINAL *
      

      CA ControlMinder displays the details of the authorized terminals.

    4. Enter the following commands to add the secondary Enterprise Management Server to the authorized terminals list:
      newres TERMINAL <secondary_enterprise_management_server_full_DN> audit(f) owner(nobody) defacc(r)
      authorize TERMINAL <secondary_enterprise_management_server_full_DN> uid(+reportagent) access(write)
      authorize TERMINAL <secondary_enterprise_management_server_full_DN> uid(DOMAIN\Administrator) access(write,read)
      authorize TERMINAL <secondary_enterprise_management_server_full_DN> uid(ac_entm_pers) access(write,read)
      
  4. Run the following commands to modify the host name that CA ControlMinder uses to distribute policies:
    sepmd -u DH__WRITER DMS__@<node1 host name>
    
    sepmd -s DH__WRITER DMS__@<cluster shared DNS NAME>
    
    sepmd -u DMS__ DH__@<node1 host name>
    
    sepmd -s DMS__ DH__@<cluster shared DNS NAME>
    
  5. Stop all CA ControlMinder daemons.
  6. Modify the services to start up manually and not automatically.
  7. Copy the DMS and the DH to the shared storage as follows:
    1. Copy the DMS directory to the shared storage, for example: /shared/AccessControlServer/. The directory is located in the following location:
      ACServerInstallDir/APMS/AccessControl/policies/DMS__
      
      ACServerInstallDir

      Defines the name of the directory where you installed the Enterprise Management Server.

    2. Copy the DH directory to the shared storage. The directory is located in the following location:
      ACServerInstallDir/APMS/AccessControl/policies/DH__
      
    3. Copy the DH__WRITER directory to the shared storage. The directory is located in the following location:
      ACServerInstallDir/APMS/AccessControl/policies/DH__WRITER
      
    4. Open the seos.ini file for editing. This file is located in the following location:
      ACServerInstallDir/APMS/AccessControl
      
    5. Set the pmd_directory token in seos.ini to the full pathname of the shared storage directory you copied the DMS and the DH to. For example: /shared/AccessControlServer/

    The primary server is configured to use the DMS and DH on the shared storage.
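The copy-and-repoint part of step 7 as a script with a verification pass. This is an added example, not a script shipped with CA ControlMinder: it copies DMS__, DH__ and DH__WRITER to the shared directory, refuses to overwrite an existing copy, rewrites the pmd_directory token in seos.ini without leaving a duplicate, and then checks that seos.ini and the shared directory agree before the daemons are started again. Assumed: the token lives in a [pmd] section of seos.ini and the file uses key = value lines; the install directory and the shared directory are passed as arguments.

```sh
#!/bin/sh
# Added example, not CA ControlMinder's own script: move the DMS and DH
# policy databases to shared storage and point seos.ini at them.
# Assumption: the token is pmd_directory in the [pmd] section of seos.ini;
# nothing else in seos.ini is touched.
set -eu

# copy_pmdbs <ACServerInstallDir> <shared_dir>
# Copies DMS__, DH__ and DH__WRITER, preserving modes and timestamps, and
# refuses to run if a copy already exists (cp -R would otherwise nest it).
copy_pmdbs() {
  src="$1/APMS/AccessControl/policies"
  dst="$2"
  mkdir -p "$dst"
  for d in DMS__ DH__ DH__WRITER; do
    [ -d "$src/$d" ] || { echo "missing $src/$d" >&2; return 1; }
    [ ! -e "$dst/$d" ] || { echo "$dst/$d already exists" >&2; return 1; }
    cp -pR "$src/$d" "$dst/"
  done
}

# set_pmd_directory <seos.ini> <shared_dir>
# Rewrites pmd_directory inside [pmd]; adds the token (and the section if
# it is missing) instead of appending a duplicate line.
set_pmd_directory() {
  ini="$1"
  awk -v dir="$2" '
    /^\[/ {
      if (insec && !done) { print "pmd_directory = " dir; done = 1 }
      insec = ($0 == "[pmd]")
    }
    insec && /^[ \t]*pmd_directory[ \t]*=/ { print "pmd_directory = " dir; done = 1; next }
    { print }
    END {
      if (!done) { if (!insec) print "[pmd]"; print "pmd_directory = " dir }
    }
  ' "$ini" > "$ini.tmp" && mv "$ini.tmp" "$ini"
}

# get_pmd_directory <seos.ini>
# Prints the effective pmd_directory value from [pmd] (empty if unset).
get_pmd_directory() {
  awk '
    /^\[/ { insec = ($0 == "[pmd]") }
    insec && /^[ \t]*pmd_directory[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); print; exit }
  ' "$1"
}

# verify_shared_pmdbs <seos.ini> <shared_dir>
# The check to run before the daemons are started again: seos.ini points
# at the shared path and all three databases are present there.
verify_shared_pmdbs() {
  dir=$(get_pmd_directory "$1")
  [ "${dir%/}" = "${2%/}" ] || { echo "pmd_directory is '$dir', expected '$2'" >&2; return 1; }
  for d in DMS__ DH__ DH__WRITER; do
    [ -d "$2/$d" ] || { echo "$2/$d not found on shared storage" >&2; return 1; }
  done
}

# Usage (as root, with all CA ControlMinder daemons stopped):
#   copy_pmdbs /opt/CA/AccessControlServer /shared/AccessControlServer
#   set_pmd_directory /opt/CA/AccessControlServer/APMS/AccessControl/seos.ini /shared/AccessControlServer/
#   verify_shared_pmdbs /opt/CA/AccessControlServer/APMS/AccessControl/seos.ini /shared/AccessControlServer/
```

The refusal to overwrite matters on a cluster: if the secondary node has already populated the shared directory, a second copy from the primary would silently nest or replace its policy databases.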

  8. Configure the Message Queue to use the shared storage as follows:
    1. Move the Message Queue datastore files to the shared storage. These files are located under the following directory:
      ACServerInstallDir/MessageQueue/tibco/cfgmgmt/ems/data/datastore
      

      The following is an example to copy Message Queue datastore files:

      # cp -r /opt/CA/AccessControlServer/MessageQueue/tibco/cfgmgmt/ems/data /shared/MessageQueue/data/
      
    2. Open the tibemsd.conf file for editing. This file is located by default in the following directory:
      ACServerInstallDir/MessageQueue/tibco/cfgmgmt/ems/data
      
      1. Set the location of the routes.conf, users.conf, groups.conf, and queues.conf files to the shared storage. For example: /shared/MessageQueue/data/users.conf
      2. Set the value of the store token to point to the directory on the shared storage where you copied the datastore files to. For example: /shared/MessageQueue/data/datastore.
      3. Set the value of the server token to the cluster logical name in upper case without the suffix. For example: server=ENTMCLUSTER.
      4. Save and close the file.
    3. Open the queues.conf file for editing.
      1. Append a comma and add the word store=$sys.failsafe at the end of every queue definition line.
      2. Save and close the file.
    4. Open the routes.conf file for editing and comment out the following lines:
      # vi /shared/MessageQueue/data/routes.conf
      
      #[EMS-SERVER2]
      
      # url=tcp://7022
      
    5. Modify the Tibco folders so that Tibco users have read and write access.
      1. Create the Tibco group with gid 65534. The following is an example to create the Tibco group:
        # groupadd -g 65534 tibco
        
      2. Create the Tibco user with uid 65534. The following is an example to create the Tibco user:
        # useradd -g 65534 -u 65534 tibco
        
      3. Change ownership of the MessageQueue directory and all subdirectories. The following is an example to change ownership of the MessageQueue directory and all subdirectories:
        # chown -R tibco /shared/MessageQueue
        
      4. Change permissions of the MessageQueue directory and all subdirectories. The following is an example to change permissions of the MessageQueue directory and all subdirectories:
        # chmod -R u=rwx,go= /shared/MessageQueue
        
      5. Change the default Tibco directory permissions to allow rwx access only to the Tibco user. The following is an example to change the directory permissions to allow rwx access only to the Tibco user:
        # chown -R tibco /opt/CA/AccessControlServer/MessageQueue/
        
        # chmod -R u=rwx,go= /opt/CA/AccessControlServer/MessageQueue/
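The tibemsd.conf, queues.conf, routes.conf and permission changes of step 8 as a script with a verification pass. This is an added example and not part of CA ControlMinder or TIBCO EMS. It assumes that tibemsd.conf uses key = value lines with the token names users, groups, queues, routes, store and server; that a queues.conf line is a queue name followed by a comma-separated property list (a queue line with no properties gets the token after a space, on the assumption that EMS splits the name from its properties on whitespace); and that a routes.conf section runs from its [NAME] header to the next header. The permission check reports every entry under the Message Queue directory that is not owned by the Tibco user or still has any group or other bit set, which is what to run after step 8.5 before starting the daemons.

```sh
#!/bin/sh
# Added example, not CA's or TIBCO's own tooling: apply the step 8 edits to
# the Message Queue configuration on shared storage and verify the result.
# Assumptions: tibemsd.conf uses "key = value" lines with the token names
# users, groups, queues, routes, store and server; queues.conf lines are
# "<queue-name> <prop>,<prop>"; routes.conf sections run from "[NAME]" to
# the next header.
set -eu

# set_token <file> <key> <value>: replace "key = ..." or append it once.
# Commented lines ("# store = ...") are left alone.
set_token() {
  awk -v k="$2" -v v="$3" '
    { key = $0; sub(/[ \t]*=.*$/, "", key) }
    key == k { print k " = " v; done = 1; next }
    { print }
    END { if (!done) print k " = " v }
  ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# configure_tibemsd <tibemsd.conf> <shared_data_dir> <CLUSTERNAME>
# Steps 8.2.1 to 8.2.3: file locations, datastore and server name.
configure_tibemsd() {
  for f in users groups queues routes; do
    set_token "$1" "$f" "$2/$f.conf"
  done
  set_token "$1" store "$2/datastore"
  set_token "$1" server "$3"
}

# failsafe_queues <queues.conf>: step 8.3, add store=$sys.failsafe to every
# queue definition, skipping comments, blank lines and queues that already
# carry a store property (so the script can be re-run safely).
failsafe_queues() {
  awk '
    /^[ \t]*(#|$)/ || /store=/ { print; next }
    NF >= 2 { print $0 ",store=$sys.failsafe"; next }
    { print $0 " store=$sys.failsafe" }   # bare queue name: assumed no comma
  ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# disable_route <routes.conf> <ROUTE-NAME>: step 8.4, comment out the
# whole section for that route.
disable_route() {
  awk -v name="[$2]" '
    /^\[/ { off = ($0 == name) }
    off && !/^[ \t]*#/ { print "#" $0; next }
    { print }
  ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# lock_down_mq <dir> <user>: step 8.5, owner-only access for the Tibco user.
lock_down_mq() {
  chown -R "$2" "$1"
  chmod -R u=rwx,go= "$1"
}

# check_mq_perms <dir> <user>: print every entry not owned by <user> or
# with any group/other permission bit set; exit 1 if there are any.
check_mq_perms() {
  uid=$(id -u "$2")
  find "$1" -exec ls -lnd {} \; | awk -v u="$uid" '
    BEGIN { bad = 0 }
    substr($1, 5, 6) != "------" || $3 != u { print; bad = 1 }
    END { exit bad }
  '
}

# Usage, on the primary node after step 8.1 has copied the data directory:
#   configure_tibemsd /shared/MessageQueue/data/tibemsd.conf /shared/MessageQueue/data ENTMCLUSTER
#   failsafe_queues /shared/MessageQueue/data/queues.conf
#   disable_route /shared/MessageQueue/data/routes.conf EMS-SERVER2
#   lock_down_mq /shared/MessageQueue tibco && check_mq_perms /shared/MessageQueue tibco
```

Run check_mq_perms again on the default directory under ACServerInstallDir after the second chown/chmod pair; both trees hold the users, groups and routes files, so a world-readable copy in either place undoes the point of step 8.5.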
        
  9. Modify the base URL to the cluster name in the CA Identity Minder Management Console.
  10. Create a batch file to stop all CA ControlMinder services when the primary Enterprise Management Server fails.
  11. Create a batch file to start all CA ControlMinder services when the primary Enterprise Management Server resumes operation.
  12. Create a batch file to check the status of CA ControlMinder services.
  13. Configure the cluster software to run the scripts on failure.
  14. Start all CA ControlMinder services.
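One shape for the stop, start and status scripts of steps 10 to 13. This is an added example rather than a script CA supplies: a single control script with the three actions cluster software calls, where status exits 0 only when every daemon is alive (so the cluster can detect a failure), stop completes even when a daemon is already down or its stop command reports an error (so failover is never blocked by a half-stopped node), and start brings the daemons up with CA ControlMinder first, as step 1 requires. Assumed: one start_<name> and stop_<name> function per daemon and a pid file per daemon under $PIDDIR (a placeholder layout to replace with the product's own status query); seload and secons -s are CA ControlMinder's start and shutdown commands, run.sh is the JBoss command from step 2, and the JCS and Message Queue commands are placeholders for the installed paths.

```sh
#!/bin/sh
# Added example, not a CA ControlMinder deliverable: the control script for
# steps 10 to 13. Assumptions: start_<name>/stop_<name> functions per
# daemon; each daemon's pid in $PIDDIR/<name>.pid (placeholder layout);
# seload / "secons -s" start and stop CA ControlMinder; run.sh is from
# step 2; the JCS and Message Queue commands are placeholders.
set -u

ACSERVER="${ACSERVER:-/opt/CA/AccessControlServer}"
JBOSS_DIR="${JBOSS_DIR:-$ACSERVER/JBoss}"      # placeholder path
PIDDIR="${PIDDIR:-/var/run/entm}"              # placeholder pid-file dir

# Start order; Enterprise Management needs CA ControlMinder (seosd) first.
SERVICES="${SERVICES:-seosd mq jcs jboss}"

start_seosd() { seload; }
stop_seosd()  { secons -s; }
start_mq()    { "$ACSERVER/MessageQueue/bin/start-mq"; }   # placeholder
stop_mq()     { "$ACSERVER/MessageQueue/bin/stop-mq"; }    # placeholder
start_jcs()   { "$ACSERVER/JCS/bin/start-jcs"; }           # placeholder
stop_jcs()    { "$ACSERVER/JCS/bin/stop-jcs"; }            # placeholder
start_jboss() {
  nohup "$JBOSS_DIR/bin/run.sh" -b 0.0.0.0 >/dev/null 2>&1 &
  echo $! > "$PIDDIR/jboss.pid"
}
stop_jboss()  { "$JBOSS_DIR/bin/shutdown.sh" -S; }

# svc_running <name>: 0 if the pid in the pid file is alive, 1 otherwise.
svc_running() {
  pidfile="$PIDDIR/$1.pid"
  [ -r "$pidfile" ] || return 1
  pid=$(cat "$pidfile")
  [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null
}

# entm_status (step 12): report each daemon; exit 1 if any is down, which
# is the signal the cluster monitor needs to trigger failover.
entm_status() {
  rc=0
  for s in $SERVICES; do
    if svc_running "$s"; then echo "$s: running"; else echo "$s: DOWN"; rc=1; fi
  done
  return $rc
}

# entm_start (step 11): start daemons in order, skipping ones already up.
entm_start() {
  for s in $SERVICES; do
    svc_running "$s" && continue
    "start_$s" || { echo "failed to start $s" >&2; return 1; }
  done
}

# entm_stop (step 10): stop in reverse order. A daemon that is already
# down, or whose stop command fails, does not abort the stop; stale pid
# files are cleared so the next status call reports honestly.
entm_stop() {
  rev=""
  for s in $SERVICES; do rev="$s $rev"; done
  for s in $rev; do
    if svc_running "$s"; then
      "stop_$s" || echo "stop of $s reported failure" >&2
    fi
    rm -f "$PIDDIR/$s.pid"
  done
  return 0
}

# Entry point for the cluster software (step 13): entm.sh {start|stop|status}
case "${1:-}" in
  start)  entm_start ;;
  stop)   entm_stop ;;
  status) entm_status ;;
  "")     ;;                              # sourced, or run without an action
  *)      echo "usage: $0 {start|stop|status}" >&2; exit 2 ;;
esac
```

Because status is polled, keep it free of anything that can hang (no network calls to the JBoss port without a timeout); a status check that blocks looks to the cluster exactly like a failed node.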

You have configured the primary Enterprise Management Server. Proceed to configure the secondary Enterprise Management Server.