Each row or line in the endpoint CSV file, after the header row or line, represents a task to create, modify, or delete an endpoint in CA ControlMinder Enterprise Management.
Important! When you create the CSV file, verify that no other application uses the file and that the file can be renamed. The SAM feeder processes only CSV files that can be renamed.
Follow these steps:
Note: We recommend that you create a copy of a sample endpoint CSV file. The sample files are located in the following directory, where ACServer is the directory in which you installed the Enterprise Management Server:
ACServer/IAM Suite/Access Control/tools/samples/feeder
The names of the endpoint attributes are as follows. Some endpoint attributes are valid only for certain endpoint types:
Specifies the type of the object to import.
Value: ENDPOINT
Specifies the type of action to perform.
Value: CREATE, MODIFY, DELETE
Defines the name by which you refer to this endpoint in CA ControlMinder Enterprise Management.
Defines any information that you want to record for this endpoint.
Specifies the type of the endpoint.
Note: You can view the available endpoint types in CA ControlMinder Enterprise Management. Before you create endpoints of type CA Identity Minder Provisioning, create an Identity Manager Provisioning type Connector Server in CA ControlMinder Enterprise Management.
Defines the host name of the endpoint.
Defines the name of an administrative user of the endpoint. This attribute is not valid for any of the CA Identity Minder Provisioning endpoint types, but is valid for all other endpoint types.
For all valid endpoint types except SSH Device:
For SSH Device endpoints:
Defines the password of LOGIN_USER. This attribute is not valid for the CA Identity Minder Provisioning endpoint type, but is valid for all other endpoint types.
Defines the URL that CA ControlMinder Enterprise Management uses to connect to the endpoint. This attribute is valid for the MS SQL Server and Oracle Server endpoint types.
Format: (MS SQL Server) jdbc:sqlserver://servername:port
Format: (Oracle Server) jdbc:oracle:drivertype:@hostname:port:service
Specifies the name of the domain of which this endpoint is a member. This attribute is valid for the Access Control for SAM and Windows Agentless endpoint types.
Specifies whether the user account is an Active Directory account. This attribute is valid for the Windows Agentless endpoint type only.
Limits: TRUE, FALSE
Specifies the name of the domain of which the LOGIN_USER is a member. This attribute is valid for the Windows Agentless endpoint type.
Specifies the name of the SSH Device XML configuration file that you are defining. This attribute is valid for the SSH Device endpoint type.
Note: If you do not specify a value for this attribute, CA ControlMinder Enterprise Management uses the default configuration file (ssh_connector_conf.xml).
(Optional) Defines the name of the operation administrator user of the endpoint. SAM uses this account to perform administrative tasks on the endpoint, for example, discovering and changing the password of privileged accounts. This attribute is valid for the SSH Device endpoint type, as follows:
If you specify an operation administrator for an SSH endpoint that uses a Check Point firewall, specify the expert user. However, you cannot use SAM to change the password for the expert account on the endpoint. This restriction means that the expert account must be a disconnected account in SAM.
(Optional) Defines the password for the operation administrator user of the endpoint. This attribute is valid for the SSH Device endpoint type.
Defines the name of the endpoint, exactly as it is defined in CA Identity Minder Provisioning Server. This attribute is valid for the CA Identity Minder Provisioning endpoint type.
(Optional) Specifies whether you want to use a privileged administrative account to connect to the endpoint and to perform administrative tasks on the endpoint, for example, to discover accounts and change passwords. This attribute is valid for all endpoint types.
For all valid endpoint types except SSH Device, if you specify a privileged administrative account (IS_ADVANCE is TRUE), SAM uses the privileged administrative account to connect to the endpoint and to perform administrative tasks on the endpoint.
For SSH Device endpoints:
Limits: TRUE, FALSE
Note: If you set the value of this attribute to TRUE, do not specify a value for LOGIN_USER. However, specify PROPERTY_ADMIN_ACCOUNT_ENDPOINT_TYPE, PROPERTY_ADMIN_ACCOUNT_ENDPOINT_NAME, PROPERTY_ADMIN_ACCOUNT_CONTAINER, and PROPERTY_ADMIN_ACCOUNT_NAME.
(Optional) Defines the type of endpoint on which the privileged administrative account is defined.
Note: To use a privileged administrative account, you must specify that IS_ADVANCE is TRUE.
(Optional) Defines the name of the endpoint on which the privileged administrative account is defined. The endpoint must exist in CA ControlMinder Enterprise Management.
Note: To use a privileged administrative account, you must specify that IS_ADVANCE is TRUE.
(Optional) Defines the container in which the privileged administrative account is defined. A container is a class whose instances are collections of other objects.
Values: (Windows Agentless and Oracle Server): Accounts
(SSH Device): SSH Accounts
(MS SQL Server): MS SQL Logins
Note: To use a privileged administrative account, you must specify that IS_ADVANCE is TRUE.
(Optional) Defines the name of the privileged administrative account that SAM uses to perform administrative tasks on the endpoint, for example, to discover accounts and change passwords. The privileged account must exist in CA ControlMinder Enterprise Management.
Note: To use a privileged administrative account, you must specify that IS_ADVANCE is TRUE.
Specifies the name of the login application to associate with the endpoint.
Specifies the name of the endpoint owner.
(Optional) Specifies the type of the endpoint owner.
Values: USER, GROUP
Specifies the name of the department.
Specifies up to five customer-specific attributes.
Specifies whether the endpoint administrator account is disconnected.
Values: TRUE, FALSE
Default: TRUE
Specifies whether to disable the exclusive sessions option on this endpoint.
Values: TRUE, FALSE
Default: FALSE
Specifies whether to prevent break glass access to exclusive accounts that are currently in use.
Values: TRUE, FALSE
Default: FALSE
(Optional) Specifies whether to disable the Advanced Login option for this endpoint.
Values: TRUE, FALSE
Default: FALSE
(Optional) Specifies whether to use CA ControlMinder on the endpoint to manage privileged and service accounts.
Note: Applies to the Access Control for SAM endpoint type only. Supported on CA ControlMinder r12.6.01 and above only.
Values: TRUE, FALSE
Default: FALSE
Specifies the authentication mode that is used to put the device into enable mode.
Note: Applies to the Network Device endpoint type.
Values:
Specifies the user authentication mode that is used on login.
Note: Applies to the Network Device endpoint type.
Values:
(Optional) Specifies the server listening port number.
Each line represents a task to create or modify an endpoint, and must have the same attributes as the header. The attributes must be in the same order as the header. If a line does not have a value for an attribute, leave the field empty.
The endpoint CSV file is ready for processing by the SAM feeder.
Note: The default polling folder is located as follows, where JBoss_home is the directory in which you installed JBoss:
JBoss_home/server/default/deploy/IdentityMinder.ear/custom/ppm/feeder/waitingToBeProcessed
Example: An Endpoint CSV File
The following is a sample endpoint CSV file. You can find more sample endpoint CSV files in the ACServer/IAM Suite/Access Control/tools/samples/feeder directory.
OBJECT_TYPE,ACTION_TYPE,%FRIENDLY_NAME%,DESCRIPTION,ENDPOINT_TYPE,HOST,LOGIN_USER,PASSWORD,URL,CONFIGURATION_FILE,DOMAIN,IS_ACTIVE_DIRECTORY,USER_DOMAIN,ENDPOINT
ENDPOINT,Oracle1,oracle 10g,Oracle Server,TEST10, ORAADMIN1,ORAADMIN1,jdbc:oracle:thin:@TEST10:1521:RNDSRV,,,,,
ENDPOINT,local MSSQL1,local SQL server,MS SQL Server, localhost,testAdmin,Password1@,jdbc:sqlserver://localhost:1433,,,,,
ENDPOINT,SSH_Device2,unix machine,SSH Device,TEST84,root,Password1@,,,,,,
ENDPOINT,IM_Access Control,Access Control via provisioning,Access Control,TEST1,,,,,,,,TEST1
Mandatory Attributes for Creating or Modifying an Endpoint
Following are the mandatory attributes that you must include in the CSV file to create or modify an endpoint:
OBJECT_TYPE,ACTION_TYPE,%FRIENDLY_NAME%,ENDPOINT_TYPE
The minimum required mandatory fields may vary according to the endpoint type that you create or modify. Refer to the following table for details:
| Endpoint Type | LOGIN_USER | PASSWORD | HOST | DOMAIN | URL | ENDPOINT |
|---|---|---|---|---|---|---|
| SSH Device* | + | + | + | | | |
| Windows Agentless* | + | + | + | + | | |
| Sybase Server* | + | + | + | | + | |
| OS400* | + | + | + | | | |
| ACF2* | + | + | + | | + | |
| MS SQL Server* | + | + | + | | + | |
| Oracle Server* | + | + | + | | + | |
| Network Device | | | + | | | |
| RACF* | + | + | + | | + | |
| Access Control for PUPM | | | + | | | |
| Disconnected | | | + | | | |
| ActiveDirectory via Provisioning | | | + | | | + |
| OS400 via Provisioning | | | + | | | + |
| NDS Servers via Provisioning | | | + | | | + |
| CA-ACF2 via Provisioning | | | + | | | + |
| Access Control for Provisioning | | | + | | | + |
| CA-Top Secret via Provisioning | | | + | | | + |
| RACF via Provisioning | | | + | | | + |
| SAP R3 via Provisioning | | | + | | | + |
| Windows NT via Provisioning | | | + | | | + |
*If you set the IS_ADVANCE attribute to TRUE, do not specify the LOGIN_USER and PASSWORD attributes.
Mandatory Attributes for Deleting an Endpoint
Following are the mandatory attributes that you must define to delete an endpoint:
OBJECT_TYPE,ACTION_TYPE,%FRIENDLY_NAME%,ENDPOINT_TYPE,HOST
Mandatory Attributes for Creating or Modifying a Shared Account
Following are the mandatory attributes that you must define to create or modify a shared account:
OBJECT_TYPE,ACTION_TYPE,ACCOUNT_NAME,ENDPOINT_NAME,NAMESPACE,CONTAINER,PASSWORD_POLICY,ACCOUNT_PASSWORD
Copyright © 2013 CA Technologies.
All rights reserved.