[ CA ControlMinder ENTM on Windows ]
1. DB install (Oracle or MSSQL)
---------------------------------
1.1 MSSQL (Required: .NET Framework 3.5, Collation: Latin1_General)
DBName=ENTM, DB_Owner=entmadm, Collation: SQL_Latin1_General_CP1_CI_AS
1.2 Oracle
a. connect / as sysdba
b. show parameter processes
c. alter system set processes=200 scope=spfile;
d. shutdown immediate
e. startup
---------------------------------
2. JDK and JBOSS install (CA Premium Edition 3rd Party for DVD - Installing Pre-Requisite Kit)
---------------------------------
2.1 JDK=d:\jdk1.6.0
2.2 JBOSS=d:\jboss-4.2.3.GA
---------------------------------
3. (Optional) Access Control install/configure (advanced policy management server components included)
---------------------------------
(*) The ENTM installation already includes the AC installation
3.1. Install Access Control with the advanced policy management server components
- during the Access Control installation, or
- after the Access Control installation:
INSTALL_PATH/bin/dmsmgr -create -auto (creates a DMS and a DH with the default names DMS__, DH__, and DH__WRITER)
3.2. (Optional) Configure a proxy user for CA Access Control Enterprise Management with selang
host DMS__@ENTM01
eu dmsproxy admin auditor
er TERMINAL (ENTM01) owner(nobody)
authorize TERMINAL (ENTM01) uid(dmsproxy) access(a)
host ENTM01
env native
eu dmsproxy password("test!2345")
host DMS__@ENTM01 uid(dmsproxy) password("test!2345") logical
3.3 Stop Access Control
---------------------------------
4. ENTM install/configure
---------------------------------
4.1 Start the installation
a. Communication Password
entm123
b. Database Information
– Database Type : oracle
– Database Host Name : testap03
– Database Port : 1521
– Database Service Name : XE
– Database Name : the name of the database you created on your RDBMS
– Database User Name : system
– Database User Password : sys123
c. User Store Type
- Embedded User Store
d. installing ....
e. Admin Password
superadmin/admin123
4.2 Start CA Access Control services.
a. cmd> seosd -start and services
b. Services> CA Access Control Web Service
4.3 Start JBoss Application Server.
Start -> Programs -> CA -> Access Control -> Start Task Engine.
(*) Important! If you set JBoss to start as a Windows service, make sure you start it using run_idm.bat instead of run.bat.
---------------------------------
5. Open a web browser and enter the following URL, for your host: (Log in : superadmin/admin123)
---------------------------------
http://192.168.88.201:18080/iam/ac
---------------------------------
6. configure after installing
---------------------------------
6.1 Install Advanced Policy Management Server Components on the ENTM Server
cmd> dmsmgr -create -auto
6.2 Configure an Endpoint for Advanced Policy Management after installing AC without configuring it
a. sh> dmsmgr -config -dhname DH__@ENTM01 or AC> so dh+(DH__@ENTM01)
b. sh> dmsmgr -config -endpoint or seos.ini> policyfetcher_enabled = 1
c. AC> eu ("+policyfetcher") admin auditor logical ; auth terminal testap01 id("+policyfetcher") acc(w)
d. AC> auth terminal ENTM01 id(secadm) acc(r w)
6.3 Configure an Endpoint for PUPM (Privileged User Password Management)
a. sh> seini -s PUPMAgent.OperationMode 1 or seos.ini> OperationMode = 1
b. sh> seini -s SEOS_syscall.exec_read_enabled 1 or seos.ini> exec_read_enabled = 1
c. (Optional) accommon.ini> Distribution_Server = ssl://ENTM01:7243 or
AC(config)> er config accommon.ini section(communication) token(Distribution_Server) value(ssl://ENTM01:7243)
6.4 Save the file to the polling folder for processing by the SAM feeder
JBoss_home/server/default/deploy/IdentityMinder.ear/custom/ppm/feeder/waitingToBeProcessed
ex) D:\jboss-4.2.3.GA/server/default/deploy/IdentityMinder.ear/custom/ppm/feeder/waitingToBeProcessed
6.5 Modify seos.ini / accommon.ini on a remote endpoint
selang -s -c "host testap01 ; env config ; er config seos.ini section(pam_seos) token(serevu_use_pam_seos) value(yes)" >> config.log
---------------------------------
7. Configure a Password Consumer
---------------------------------
7.1 Create a Password Consumer on ENTM
a. Windows (NT_ACPWD)
i. General tab
Name: NT_ACPWD
Description: acpwd
Consumer Type: Software Development Kit (SDK/CLI)
Application Path: <!AC_ROOT_PATH>\bin\acpwd.exe
Enabled: True
ii. Privileged Accounts tab (account, endpoint, container, endpoint type)
weblogic  testap01  AC Accounts  Access Control for PUPM
secadm  testap01  AC Accounts  Access Control for PUPM
iii. Hosts tab
testap01
iv. Users tab
*
b. Unix (UX_ACPWD)
i. General tab
Name: UX_ACPWD
Description: acpwd
Consumer Type: Software Development Kit (SDK/CLI)
Application Path: <!AC_ROOT_PATH>/bin/acpwd
Enabled: True
ii. Privileged Accounts tab (account, endpoint, container, endpoint type)
weblogic  testap01  AC Accounts  Access Control for PUPM
secadm  testap01  AC Accounts  Access Control for PUPM
iii. Hosts tab
testap01
iv. Users tab
root
7.2 Configure an Endpoint to use a Password Consumer
a. Windows (pw_consumer.cmd)
@echo off
REM Password consumer check on Windows: acpwd retrieves the secadm password for
REM endpoint entm01 from ENTM; -nologo suppresses the banner so only the password
REM is captured into AdminPassword. The commented lines are alternative forms.
REM acpwd -checkout -account secadm -ep entm01 -eptype windows -container accounts
REM acpwd -get -account secadm -ep entm01 -eptype windows -container accounts
REM FOR /F "tokens=*" %%i IN ('"C:\Program Files\AccessControl\bin\acpwd.exe" -get -account PowerUser -ep comp1_123 -eptype "Windows Agentless" -container "Windows Accounts" -nologo') DO SET AdminPassword=%%i
FOR /F "tokens=*" %%i IN ('acpwd -get -account secadm -ep entm01 -eptype "Access Control for PUPM" -container accounts -nologo') DO SET AdminPassword=%%i
echo.
echo AdminPassword = [%AdminPassword%]
echo.
b. Unix (pw_consumer.sh)
#!/bin/bash
# Password consumer check on Unix: acpwd retrieves the weblogic password for
# endpoint testap01 from ENTM; -nologo suppresses the banner so only the
# password is captured. INSTALL_PATH is the Access Control install directory.
#AdminPassword=$(acpwd -get -account weblogic -ep testap01 -eptype "Access Control for PUPM" -container "AC Accounts" -nologo)
AdminPassword=$(INSTALL_PATH/bin/acpwd -get -account weblogic -ep testap01 -eptype "Access Control for PUPM" -container "AC Accounts" -nologo)
echo
echo "AdminPassword = [${AdminPassword}]"
echo
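The two check scripts above carry on with an empty AdminPassword when acpwd fails, and they print the retrieved password. The following wrapper is an added example, not part of these notes or of CA's tooling: it fails closed on an acpwd error or an empty result and passes the password to a child process through its environment only. It assumes acpwd is on PATH (or that ACPWD points at it) and uses the endpoint type and container names from this page.

```shell
#!/bin/sh
# Added example: fail-closed wrapper around the acpwd password consumer.
# Assumes acpwd on PATH (override with ACPWD=/path/to/acpwd) and the
# "Access Control for PUPM" endpoint type / "AC Accounts" container from the notes.

ACPWD="${ACPWD:-acpwd}"
EP_TYPE="Access Control for PUPM"
CONTAINER="AC Accounts"

# fetch_password ACCOUNT ENDPOINT
# Prints the password on stdout. Returns 1 when acpwd exits non-zero and 2 when
# it returns nothing, printing nothing in either case so callers cannot
# accidentally proceed with an empty credential.
fetch_password() {
    account="$1"
    endpoint="$2"
    pw=$("$ACPWD" -get -account "$account" -ep "$endpoint" \
          -eptype "$EP_TYPE" -container "$CONTAINER" -nologo) || {
        echo "acpwd -get failed for $account@$endpoint" >&2
        return 1
    }
    if [ -z "$pw" ]; then
        echo "acpwd returned an empty password for $account@$endpoint" >&2
        return 2
    fi
    printf '%s' "$pw"
}

# run_with_password ACCOUNT ENDPOINT CMD [ARGS...]
# Retrieves the password and exposes it to CMD as ADMIN_PASSWORD in that
# child's environment only, so it never appears on a command line or in
# this script's own output. Returns acpwd's failure code if retrieval fails.
run_with_password() {
    account="$1"; endpoint="$2"; shift 2
    pw=$(fetch_password "$account" "$endpoint") || return $?
    ADMIN_PASSWORD="$pw" "$@"
}

# Usage (matches the Unix consumer above; the child just reports the length):
# run_with_password weblogic testap01 sh -c 'echo "got ${#ADMIN_PASSWORD} chars"'
```

Because the password reaches the child through its environment, a process listing on the endpoint shows only the command name, and the wrapper itself never echoes the value.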
7.3 Configure /etc/accommon.ini section(communication)/token(Distribution_Server)
accommon.ini> Distribution_Server = ssl://ENTM01:7243
---------------------------------
8. Configure the message queue TCP port
---------------------------------
- When CA ControlMinder Enterprise Management is installed, the message queue is configured to use the SSL port (7243) by default.
You can change this default so that the message queue uses the TCP port (7222) instead.
8.1 On the Enterprise Management server, stop the message queue and the JBoss server.
8.2 Open the tibemsd.conf file. File location: C:\Program Files\CA\Access Control/MessageQueue/tibco/tibco/cfgmgmt/ems/data
Find the listen= entry, remove its value, and enter tcp://7222.
Find the authorization= entry, remove its value, and enter disabled.
Save and close the file.
8.3 Open the factories.conf file and find the [SSLXAQueueConnectionFactory] tag.
Find the url= entry, remove its value, and enter tcp://7222.
(Error 1 - this must be changed as well) Find the url= entry under the [SSLTopicConnectionFactory] tag, remove its value, and enter tcp://7222.
Save and close the file.
8.4 Open the tibco-jms-ds.xml file. File location: JBoss_HOME/server/default/deploy/jms
Search for every value that shows the SSL port number (7243) and replace it with the TCP port number 7222 (change ssl -> tcp).
(Error 2 - this must NOT be changed) Search for every entry that shows the value SSLXA and replace it with XA.
Comment out (<!--) the following two entries:
com.tibco.tibjms.naming.security_protocol=ssl
com.tibco.tibjms.naming.ssl_enable_verify_host=false
Save and close the file.
8.5 Start the message queue and the JBoss server.
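Steps 8.2 to 8.4 are easy to get wrong by hand, and the two errors flagged above (the second url= that must change, the SSLXA names that must not) are exactly the kind of slip that leaves the queue unreachable. The script below is an added example, not part of these notes or of CA's tooling: it applies the edits with sed and awk to copies of the three files in a directory and then verifies the result. The sample files it writes are constructed, simplified stand-ins for the real tibemsd.conf, factories.conf and tibco-jms-ds.xml, so run it against the real files only after checking the patterns match your versions. Moving the queue from ssl://7243 to tcp://7222 also removes transport encryption for queue traffic, so the practitioner's check is that the queue port stays on a trusted segment.

```shell
#!/bin/sh
# Added example (not CA's own tooling): applies the section 8 edits and verifies
# them, including the two corrections noted above. The sample files written by
# make_sample_config are constructed, simplified stand-ins for the real ones.
set -e

# Writes constructed sample versions of the three files into DIR.
make_sample_config() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/tibemsd.conf" <<'EOF'
# constructed sample, not a real tibemsd.conf
listen=ssl://7243
authorization=enabled
EOF
    cat > "$dir/factories.conf" <<'EOF'
[XAQueueConnectionFactory]
url=tcp://7222
[SSLXAQueueConnectionFactory]
url=ssl://7243
[SSLTopicConnectionFactory]
url=ssl://7243
EOF
    cat > "$dir/tibco-jms-ds.xml" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!-- constructed, simplified sample; not a real tibco-jms-ds.xml -->
<connection-factories>
  <tx-connection-factory>
    <jndi-name>SSLXAQueueConnectionFactory</jndi-name>
    <config-property name="JndiProperties" type="java.lang.String">
      java.naming.provider.url=ssl://ENTM01:7243
      com.tibco.tibjms.naming.security_protocol=ssl
      com.tibco.tibjms.naming.ssl_enable_verify_host=false
    </config-property>
  </tx-connection-factory>
</connection-factories>
EOF
}

# POSIX-safe in-place sed: sed_inplace FILE -e ... -e ...
sed_inplace() {
    f="$1"; shift
    sed "$@" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Applies steps 8.2 to 8.4 to the files in DIR; running it twice is harmless.
switch_mq_to_tcp() {
    dir="$1"
    # 8.2 tibemsd.conf: listen on plain TCP, authorization disabled
    sed_inplace "$dir/tibemsd.conf" \
        -e 's|^listen *=.*|listen=tcp://7222|' \
        -e 's|^authorization *=.*|authorization=disabled|'
    # 8.3 factories.conf: url= in BOTH SSL sections (Error 1 above)
    awk '
        /^\[/ { sec = $0 }
        (sec == "[SSLXAQueueConnectionFactory]" || sec == "[SSLTopicConnectionFactory]") && /^url *=/ { $0 = "url=tcp://7222" }
        { print }
    ' "$dir/factories.conf" > "$dir/factories.conf.tmp" \
        && mv "$dir/factories.conf.tmp" "$dir/factories.conf"
    # 8.4 tibco-jms-ds.xml: ssl://host:7243 -> tcp://host:7222 and comment out the
    # two naming properties; SSLXA names are deliberately left alone (Error 2)
    sed_inplace "$dir/tibco-jms-ds.xml" \
        -e 's|ssl://\([^:<]*\):7243|tcp://\1:7222|g' \
        -e 's|^\( *\)\(com\.tibco\.tibjms\.naming\.security_protocol=ssl\)$|\1<!-- \2 -->|' \
        -e 's|^\( *\)\(com\.tibco\.tibjms\.naming\.ssl_enable_verify_host=false\)$|\1<!-- \2 -->|'
}

# Returns 0 when DIR reflects the finished procedure, 1 otherwise.
verify_mq_tcp() {
    dir="$1"
    grep -q '^listen=tcp://7222$' "$dir/tibemsd.conf" || return 1
    grep -q '^authorization=disabled$' "$dir/tibemsd.conf" || return 1
    # no SSL port left in any of the three files
    if grep -q '7243' "$dir/tibemsd.conf" "$dir/factories.conf" "$dir/tibco-jms-ds.xml"; then
        return 1
    fi
    # SSLXA names must survive (Error 2 above)
    grep -q 'SSLXAQueueConnectionFactory' "$dir/tibco-jms-ds.xml" || return 1
    grep -q '<!-- com.tibco.tibjms.naming.security_protocol=ssl -->' "$dir/tibco-jms-ds.xml" || return 1
    grep -q '<!-- com.tibco.tibjms.naming.ssl_enable_verify_host=false -->' "$dir/tibco-jms-ds.xml" || return 1
    return 0
}

# Usage on a scratch copy:
#   make_sample_config /tmp/mq && switch_mq_to_tcp /tmp/mq && verify_mq_tcp /tmp/mq && echo OK
```

Run verify_mq_tcp before starting the queue and JBoss again (step 8.5); a non-zero exit means one of the three files still carries an SSL setting or lost an SSLXA name, which is where a manual edit typically goes wrong.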