

Server Components Considerations

This section describes items you should consider when using CA ControlMinder server components (CA ControlMinder Endpoint Management, CA ControlMinder Enterprise Management, and Enterprise Reporting).

Communication Issues between CA ControlMinder Components and CA ControlMinder Message Queue

The following CA ControlMinder components rely on communications with the CA ControlMinder Message Queue for some functionality:

These components may not be able to communicate with the Message Queue if it is not running, the configuration options are not set correctly for the Message Queue host or queue, or a generic network error is present.

If communication between any of these components and the Message Queue cannot be established or breaks down, the communication does not resume automatically when the problem is fixed. To work around this issue you must fix the communication issue and then restart the CA ControlMinder component.

Upgrade With Oracle

Before the upgrade is performed with an Oracle database, execute the following steps and run the noted commands on Oracle:

  1. Open SQLPLUS from a command line.
  2. Connect to the database.
  3. Log in as a system or sysdba user.
  4. Run the following commands:
    GRANT EXECUTE ON SYS.DBMS_CRYPTO TO vpm20;
    GRANT UNLIMITED TABLESPACE TO vpm20;
    ALTER SYSTEM SET transactions=275 SCOPE=SPFILE;
    ALTER SYSTEM SET sessions=250 SCOPE=SPFILE;
    ALTER SYSTEM SET processes=200 SCOPE=SPFILE;
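
To confirm the commands in step 4 took effect before starting the upgrade, the following added check (not part of the CA documentation) queries the standard Oracle data dictionary and dynamic performance views. It assumes the schema user is vpm20, as in the commands above, and that you are still connected as a system or sysdba user.

```sql
-- Added verification example; not from the product documentation.
-- vpm20 and the parameter names are the ones used in step 4 above.
-- Unquoted user names are stored in upper case in the dictionary.

-- 1. Direct grants to vpm20. Expect status = OK on both rows.
--    Privileges received only through a role are not counted here.
SELECT 'EXECUTE ON SYS.DBMS_CRYPTO' AS check_name,
       CASE WHEN COUNT(*) > 0 THEN 'OK' ELSE 'MISSING' END AS status
FROM   dba_tab_privs
WHERE  grantee    = 'VPM20'
AND    owner      = 'SYS'
AND    table_name = 'DBMS_CRYPTO'
AND    privilege  = 'EXECUTE'
UNION ALL
SELECT 'UNLIMITED TABLESPACE',
       CASE WHEN COUNT(*) > 0 THEN 'OK' ELSE 'MISSING' END
FROM   dba_sys_privs
WHERE  grantee   = 'VPM20'
AND    privilege = 'UNLIMITED TABLESPACE';

-- 2. Parameters set with SCOPE=SPFILE are written to the server
--    parameter file only; the running instance keeps its old values
--    until it is restarted. Compare the two columns to see whether
--    a restart is still needed.
SELECT p.name,
       sp.value AS spfile_value,
       p.value  AS running_value
FROM   v$parameter   p
JOIN   v$spparameter sp ON sp.name = p.name
WHERE  p.name IN ('transactions', 'sessions', 'processes')
ORDER  BY p.name;
```

The spfile_value column should show 275, 250, and 200 for transactions, sessions, and processes respectively.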
    

CA ControlMinder Host Name Limitation

The host name of the CA ControlMinder endpoint must be 15 characters or less. If the host name of the CA ControlMinder computer exceeds 15 characters, you cannot use CA ControlMinder Endpoint Management to log into the endpoint.

Automatic Generation of Policy Undeploy Script

When you undeploy a policy that does not have an associated undeploy script, CA ControlMinder automatically generates the required script to remove the policy. This script is based on the deployment script.

If you want to remove the policy but keep the policy rules (from the deployment script), provide an undeployment script with a rule that does not modify anything (for example, er GPOLICY policyName).

Specify the SAM Endpoint NETBIOS Name and Not the DNS Domain Name

When you create a SAM endpoint in CA ControlMinder Enterprise Management, the host name that you specify in the Name field must match the host name that appears in World View.

If the endpoint is an Active Directory endpoint, specify the NETBIOS domain name in the Host Domain field. If the endpoint is not an Active Directory endpoint, specify the NETBIOS host name in the Host Domain field, not the DNS domain name. For example, if an endpoint is not an Active Directory endpoint, specify the NETBIOS host name (ACSERVER) in the Host Domain field and not the endpoint DNS domain name (acserver.company.com).

If you specify the DNS domain name, advanced features, such as SAM Automatic Login, fail.

Using the Login Application Script to log on to a Member of a Domain

Symptom:

When I log in to a server that is a member of a domain using the CA ControlMinder Endpoint Management login application script, I can log in to FTP but the FTP user command indicates “Not connected”.

Solution:

FTP and PuTTY do not support domain users. You cannot use the automatic login application script to enable FTP and PuTTY automatic user logins to a server that is a domain member. To check out a password to log in to a domain member server using FTP or PuTTY, create a new automatic login script.

Follow these steps:

  1. Locate the FTP or PuTTY script on the server.
  2. Copy the FTP or PuTTY script.
  3. Create another login application script that is based on the existing script.
  4. Modify the script with the full user name and domain attributes as follows:
    userName = "#userName#"
    userDomain = "#userDomain#"
    password = "#password#"
    serverName = "#host#"

    ' Build the DOMAIN\user form so that the login uses the domain account
    fullUserName = userDomain & "\" & userName

    Set pupmObj = CreateObject("ACLauncher.ACWebLauncher")
    hwnd = pupmObj.LaunchePUTTY(serverName, fullUserName, password)
    
  5. Assign the new login application to the endpoint.

For more information on the automatic login application script, see The SAM Automatic Login Application Visual Basic Script.

You Cannot Configure More Than a Single CA Identity Minder Provisioning Connector Server

Do not configure more than a single CA Identity Minder provisioning connector server in CA ControlMinder Enterprise Management.

Cannot Configure CA Identity Minder Provisioning Connector Server Using SSL Port

When you configure a CA Identity Minder provisioning connector server, do not specify the CA Identity Minder provisioning server SSL port (20390). If you specify the connector server SSL port, the connection to the connector server fails.

Cannot Use SAM to Change Password for the Expert Account

If you use a Check Point firewall on an SSH endpoint, you cannot use SAM to change the password for the expert account on the endpoint. This restriction means that the expert account must be a disconnected account in SAM.

SQLCMD Utility Does Not Support Blank Passwords

Valid on SQL Server

The SQL Server command utility sqlcmd does not support blank passwords. If you defined the SQL Server endpoint as a password consumer in CA ControlMinder Enterprise Management and check out a password from SAM, do not leave the password field empty. You can specify the account password or any other string as the password.

Oracle11g Server Certificate Required

To connect to an Oracle 11g server using auto login with ORACLE_11G_WEB.vbs, you must install a server certificate on the endpoint.

Note: To connect to the server without SSL, remove the SSL restriction from the Oracle server.

Special Characters in Installation Directory Paths

Special characters are not supported in the product installation directory paths.