This section describes items you should consider when using CA ControlMinder server components (CA ControlMinder Endpoint Management, CA ControlMinder Enterprise Management, and Enterprise Reporting).
The following CA ControlMinder components rely on communications with the CA ControlMinder Message Queue for some functionality:
These components may not be able to communicate with the Message Queue if it is not running, the configuration options are not set correctly for the Message Queue host or queue, or a generic network error is present.
If communication between any of these components and the Message Queue cannot be established or breaks down, the communication does not resume automatically when the problem is fixed. To work around this issue you must fix the communication issue and then restart the CA ControlMinder component.
Before the upgrade is performed with an Oracle database, execute the following steps and run the noted commands on Oracle:
GRANT EXECUTE ON SYS.DBMS_CRYPTO TO vpm20;
GRANT UNLIMITED TABLESPACE TO vpm20;
ALTER SYSTEM SET transactions=275 SCOPE=SPFILE;
ALTER SYSTEM SET sessions=250 SCOPE=SPFILE;
ALTER SYSTEM SET processes=200 SCOPE=SPFILE;
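The following queries are an added example, not part of the original CA documentation, for confirming the grants and parameters above before starting the upgrade. They assume a single-instance database and a DBA session that can read the DBA_* and V$ views; only grants made directly to vpm20 are checked, not grants received through a role.

```sql
-- Added verification example (not from the CA documentation).
-- Unquoted user names are stored in upper case, so vpm20 appears as VPM20.

-- 1. Privileges granted directly to the schema user.
SELECT 'EXECUTE ON SYS.DBMS_CRYPTO' AS requirement,
       CASE WHEN COUNT(*) > 0 THEN 'OK' ELSE 'MISSING' END AS status
  FROM dba_tab_privs
 WHERE grantee    = 'VPM20'
   AND owner      = 'SYS'
   AND table_name = 'DBMS_CRYPTO'
   AND privilege  = 'EXECUTE'
UNION ALL
SELECT 'UNLIMITED TABLESPACE',
       CASE WHEN COUNT(*) > 0 THEN 'OK' ELSE 'MISSING' END
  FROM dba_sys_privs
 WHERE grantee   = 'VPM20'
   AND privilege = 'UNLIMITED TABLESPACE';

-- 2. Parameters set with SCOPE=SPFILE are only written to the server
--    parameter file; the running instance keeps its old values until the
--    next startup. Compare the value from this page, the value stored in
--    the SPFILE, and the value the instance is currently using.
WITH expected AS (
  SELECT 'transactions' AS name, '275' AS page_value FROM dual UNION ALL
  SELECT 'sessions',             '250'               FROM dual UNION ALL
  SELECT 'processes',            '200'               FROM dual
)
SELECT e.name,
       e.page_value,
       sp.value AS spfile_value,   -- NULL if the parameter is not set in the SPFILE
       p.value  AS running_value   -- value in effect for the running instance
  FROM expected e
  JOIN v$parameter p
    ON p.name = e.name
  LEFT JOIN v$spparameter sp
    ON sp.name = e.name
   AND sp.isspecified = 'TRUE'
 ORDER BY e.name;
```

If spfile_value matches page_value but running_value does not, the instance has not been restarted since the ALTER SYSTEM commands were run.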
The host name of the CA ControlMinder endpoint must be 15 characters or less. If the host name of the CA ControlMinder computer exceeds 15 characters, you cannot use CA ControlMinder Endpoint Management to log into the endpoint.
When you undeploy a policy that does not have an associated undeploy script, CA ControlMinder automatically generates the required script to remove the policy. This script is based on the deployment script.
If you want to remove the policy but keep the policy rules (from the deployment script), provide an undeployment script with a rule that does not modify anything (for example, er GPOLICY policyName).
When you create a SAM endpoint in CA ControlMinder Enterprise Management, the host name that you specify in the Name field must match the host name that appears in World View.
If the endpoint is an Active Directory endpoint, specify the NETBIOS domain name in the Host Domain field. If the endpoint is not an Active Directory endpoint, specify the NETBIOS host name in the Host Domain field, not the DNS domain name. For example, if an endpoint is not an Active Directory endpoint, specify the NETBIOS host name (ACSERVER) in the Host Domain field and not the endpoint DNS domain name (acserver.company.com).
If you specify the DNS domain name, advanced features, such as SAM Automatic Login, fail.
Symptom:
When I log in to a server that is a member of a domain using the CA ControlMinder Endpoint Management login application script, I can log in to FTP but the FTP user command indicates “Not connected”.
Solution:
FTP and PuTTY do not support domain users. You cannot use the automatic login application script to enable FTP and PuTTY automatic user logins to a server that is a domain member. To check out a password to log in to a domain member server using FTP or PuTTY, create a new automatic login script.
Follow these steps:
userName = "#userName#"
userDomain = "#userDomain#"
password = "#password#"
serverName = "#host#"
' Build the domain-qualified user name (DOMAIN\user)
fullUserName = userDomain & "\" & userName
' Launch PuTTY through the ACLauncher object with the domain-qualified name
Set pupmObj = CreateObject("ACLauncher.ACWebLauncher")
hwnd = pupmObj.LaunchePUTTY(serverName, fullUserName, password)
For more information on the automatic login application script, see The SAM Automatic Login Application Visual Basic Script.
Do not configure more than a single CA Identity Minder provisioning connector server in CA ControlMinder Enterprise Management.
When you configure a CA Identity Minder provisioning connector server, do not specify the CA Identity Minder provisioning server SSL port (20390). If you specify the connector server SSL port, the connection to the connector server fails.
If you use a Check Point firewall on an SSH endpoint, you cannot use SAM to change the password for the expert account on the endpoint. This restriction means that the expert account must be a disconnected account in SAM.
Valid on SQL Server
The SQL Server command utility sqlcmd does not support blank passwords. If you defined the SQL Server endpoint as a password consumer in CA ControlMinder Enterprise Management and check out a password from SAM, do not leave the password field empty. You can specify the account password or any other string as the password.
To connect to an Oracle 11g server using auto login with ORACLE_11G_WEB.vbs, you must install a server certificate on the endpoint.
Note: To connect to the server without SSL, remove the SSL restriction from the Oracle server.
Special characters are not supported in the product installation directory paths.
Copyright © 2013 CA Technologies.
All rights reserved.