Saturday, April 10, 2010

CA Access Control R12.5 Quick Lab setup

If you are looking at upgrading your Access Control environment to take advantage of the Enterprise Management policy management, here is a quick guide to getting the management server installed and communicating with your Access Control endpoints. The install process is a lot easier than with previous versions.

Follow this link to download the install guide. The text without screen shots is available here.

Quick Guide to CA Access Control R12.5 Enterprise Manager with Windows and Linux endpoints
Draft 1
This is a quick guide to getting a basic Access Manager R12.5 environment set up and configured. In this lab setup the following servers are used:

An Active Directory environment for the AC R12.5 Enterprise Management Server to integrate with for console access.
An AD user that will be the Enterprise Manager Administrator
An SQL DB instance
A basic understanding of Access Control and the new features available with R12.5 is assumed. This guide focuses on getting the basic setup up and running and on being able to manage a Windows and a Linux endpoint.
Part 1: Installing the Access Control Enterprise Management Server
Insert the 3rd party component DVD. It contains the prerequisite installer, which will set up Java JDK 1.5.0-18 and JBoss 4.2.3.
Select the install location of Java and JBoss. Before JBoss is installed, you will have the option of selecting which ports you want JBoss to use. By default, the installer will select 18080.
If you do not have any additional instances of JBoss running on the host, select Next and accept the defaults. If you need to change the ports, click on Advanced Configuration to have the option of changing all JBoss ports.
After the Pre-installation Summary screen, click on Install.
Once the installer is done, it will pause, giving you the opportunity to switch DVDs and insert the Enterprise Management DVD. Once you have inserted the DVD, click on Done and the Enterprise Management installer will start up.
Choose the location of the install and click on Next.
You will need to select a password that all components will use for communication. Enter the password and click Next. 
Specify the database you will be using. In this lab setup, it is a MS SQL 2005 instance. Select MS SQL and click Next. 

Enter the required information to connect to your DB instance and click Next.

Specify which user store you will use for controlling access to the Enterprise Management Server. For this lab environment, select Active Directory. 
Enter the required information to connect to your Active Directory environment. Click Next when complete.
Enter the AD user you have selected to be the system admin for the enterprise manager.  

Review your Pre-Installation summary and click Install. 
After Install, you will need to restart the server. Click Done to proceed. 
After the server reboot, all Access Control components will start automatically, including the JBoss application server. Don’t try to log in to the Enterprise Manager application right away; the login will fail until the JBoss application has finished loading, which takes a bit.
Monitor the JBoss server log at C:\jboss-4.2.3.GA\server\default\log\server.log for any errors and to validate that the application is up and running.
Validate the install
Open your browser and go to the url http://:18080/iam/ac
Enter the username / password for the AD user you selected as your system admin. 
Upon a successful login, you will be at the main screen.
Click on the System tab. Expand the DMS section and click on View Connection. Do a search for any connections and you should have a default connection with the host. 
At this point, you have successfully installed the Enterprise Management UI. Next, validate that the Endpoint Management application was also successfully deployed. 
Go to the url http://:18080/acem
Enter the username of the ID you ran the installer under. If you installed it using a domain ID, make sure you use the domain\username. By default it will be the local Access Control admin ID. 

Upon a successful login you will be able to manage the local host via the Endpoint Management UI. 
At this point, you have validated the basic installation of the Access Control Enterprise Management and its supporting components. 
The next step is to set up an endpoint to manage.
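A readiness check for the validation steps above (watch server.log, then open /iam/ac), written as an added Python example that is not part of the original guide or of CA's tooling. It assumes the default JBoss 4.2.x log layout (timestamp, level, [category], message); the sample log lines are constructed and the function names are hypothetical.

```python
import re
import urllib.error
import urllib.request

# Assumed default server.log layout: "<date> <time>,<ms> LEVEL [category] message"
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\s+"
                     r"(?P<level>[A-Z]+)\s+\[(?P<cat>[^\]]+)\]\s+(?P<msg>.*)$")
# JBoss writes "Started in 2m:11s:226ms" when its startup sequence has finished.
STARTED_RE = re.compile(r"Started in (?:\d+m:)?\d+s:\d+ms")

# Constructed sample, not taken from a real installation.
SAMPLE_LOG = """\
2010-04-08 22:58:01,004 INFO  [org.jboss.system.server.Server] Starting JBoss (MX MicroKernel)...
2010-04-08 22:59:40,512 ERROR [org.jboss.deployment.MainDeployer] Could not create deployment: constructed-example.ear
java.lang.IllegalStateException: constructed stack trace line
2010-04-08 23:00:12,230 INFO  [org.jboss.system.server.Server] JBoss (MX MicroKernel) [4.2.3.GA] Started in 2m:11s:226ms
"""


def summarize_server_log(text):
    """Return whether startup finished and the ERROR/FATAL entries seen."""
    started, errors = False, []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # stack-trace continuation lines carry no level
        if m["level"] in ("ERROR", "FATAL"):
            errors.append((m["ts"], m["cat"], m["msg"]))
        if m["cat"] == "org.jboss.system.server.Server" and STARTED_RE.search(m["msg"]):
            started = True
    return {"started": started, "errors": errors}


def probe(host, path="/iam/ac", port=18080, timeout=5):
    """Return the HTTP status of a console URL, or None if nothing answers."""
    try:
        with urllib.request.urlopen(f"http://{host}:{port}{path}", timeout=timeout) as r:
            return r.status
    except urllib.error.HTTPError as e:
        return e.code  # e.g. 404 while the application is not deployed
    except OSError:
        return None    # connection refused or timed out


def diagnose(summary, http_status):
    """Combine the log summary with the status returned by probe()."""
    if not summary["started"] or http_status is None:
        return "wait"          # JBoss is still loading: do not try to log in yet
    if http_status == 404:
        return "not-deployed"  # JBoss is up but the application is missing: read the errors
    return "ready" if http_status == 200 else "check"


if __name__ == "__main__":
    summary = summarize_server_log(SAMPLE_LOG)
    print(diagnose(summary, 404), summary["errors"])
```

On the management server, pass the contents of server.log to summarize_server_log() and the result of probe() for /iam/ac or /acem to diagnose().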
Part 2: Installing and managing an Access Control Endpoint on Windows 2003
Insert the Access Control for Windows DVD. The installer will start automatically.

Expand the Components folder and select the Access Control appropriate for your OS. In this lab, using Windows 2003, select ‘CA Access Control for Windows (32-Bit)’. 
If it is not installed already, you will be prompted to install the MS Visual C++ 2005 Redistributable. You will need to install this.
When it comes to selecting which components to install, the only additional component required for this lab is ‘Advanced Policy Management Client’.

The next screen has you add any additional administrators and hosts you want to allow management from. The administrators get admin-level access over this particular host. Defining additional hosts allows machines other than the local host to manage this host.
Users and Group. Select Yes for ‘Support users and groups from primary stores’. Click Next. 
SSL Communication. For this lab setup, keep the default ‘No’ for using SSL communication. Click Next. 
Encryption settings. Unselect ‘Change the default encryption key’. Click Next.

Advanced Policy Management Client. Enter the Advanced Policy Management Server host name which in this lab is the Enterprise Management server. 

Review Settings and click Next and Install. 
After installation is complete, a reboot of the server is required. 
Validate you can access and manage the Access Control Endpoint from the Enterprise Management server. 
Open a browser and go to the CA Access Control Endpoint Management application. If you added the Enterprise Management server, which has the UI applications installed, as one of the hosts that has permission to manage the endpoint, then you will be able to connect to your managed endpoint. If you did not, the permissions for external management of the endpoint will not exist. You can always add additional hosts using selang commands on the endpoint.
Example selang commands will be included at end of document. 
Go to the URL http://:18080/acem

After successful login, you will be able to manage that remote end point. 
Validate you can access the endpoint via the Enterprise Management UI.
Go to the Enterprise Application URL at http://:18080/iam/ac
Login as the AD account you selected to be the Admin. 

For this lab it is ‘superadmin’. 

Once you successfully log in, you will be at the home view of the Enterprise Management UI.

Click on Policy Management->Host->View Host
Click on Search.
The management server and the new Windows endpoint should show up.
This concludes basic validation of communication between the Enterprise Management server and the new Windows Access Control endpoint.
Part 3: Installing and managing an Access Control Endpoint on a Linux Endpoint 
Insert the Access Control for Unix DVD. Mount the DVD if it is not automatically mounted. Navigate to /media/CA_AC_P_E_12_5_U/ (using RedHat as an example). Copy the Unix directory to /tmp or some similar temporary space, then run chmod -R 755 on the copied Unix directory. If you try to run the installer from the DVD, you will get permission errors.
Navigate to /tmp/Unix/Access-Control. To start the install, run ./install_base
Enter the command required to install the software
Next choose the install path or hit enter to accept the default.
Enter the path for installing CA Access Control
Installing the following CA Access Control package(s):
  - Client package
  - Server package
For installation options, please use 'install_base -h'.
Select 'Y' to install, 'N' to exit the script:Y
Select Y to proceed. 
Unless you already have a local(nis-ldap) group defined, you can leave this as none. 
Specify the audit group name [none]:
Do not import users or groups.
Import users, groups and hosts now? [N/y]: N
PMDB model is legacy Access Control. It is being replaced by the Advanced Policy Management that comes with R12.x. For the lab, enter none for parent policy model.
Enter parent policy model name [none]
The case is the same for a password policy model. Enter none for this lab setup. The idea is that you would use something like IdM to better manage your users and passwords instead of replicating the data via a pmdb model. 
Enter passwords policy model name [none]
-------------------[ Set up security administrators ]-------------------
  You may define users as security administrators and auditors.
  Specify user IDs separated by space, other than root.
  If you do not want to define administrators now, hit ENTER.
Please enter administrator names [none]:
If you have additional local users defined, you can add them as administrators for Access Control on this end point. 
Yes, you would like to support OS users. 
Do you want CA Access Control to support OS users? [N/y]: Y
Defining DB Admins. You can add additional admins later. For now, using root will be fine. 
No need to change the encryption method.
Do you want to change the default encryption method  [N/y]: N
You can install the Baseline Security setting later on. As part of the install, skip adding them. 
Do you want to install Baseline Security Pack now? [N/y]: N
Starting Access Control remotely can be useful so accept the default of Yes.
Do you want to be able to start CA Access Control from a remote host? [Y/n]: Y
Do you want to install Report Agent? [N/y]: N
Do you want to install PUPM Agent? [N/y]: N
Do you want to configure this end point for advanced policy management  [N/y]:Y
Specify the advanced policy management server components DH full name list separated by space [none]:DH__@w2k3acmgr

Once install has completed, cd to /opt/CA/AccessControl/bin
Start Access Control by running ./seload
[root@rh52acep bin]# ./seload
CA Access Control seload v12.50.00.1861 - Loader Utility        
Copyright (c) 2009 CA. All rights reserved.
08 Apr 2010 23:25:37> WAKE_UP : Server going up
08 Apr 2010 23:25:37> INFO    : Filter mask: 'WATCHDOG*' is registered
08 Apr 2010 23:25:37> INFO    : Filter mask: 'INFO    : Setting PV*' is registered
08 Apr 2010 23:25:37> INFO    : Filter mask: 'INFO    : DB*' is registered
08 Apr 2010 23:25:37> INFO    : Filter mask: '*seosd.trace*' is registered
08 Apr 2010 23:25:37> INFO    : Filter mask: '*FILE*secons*(*/log/*)*' is registered
Starting seosd. PID = 15604.
Checking database ...
Starting seagent. PID = 15607
seagent: Loading database image...
seagent: Initialization phase completed
Starting seoswd. PID = 15611
[root@rh52acep bin]# 
Authorizing remote management of the host. 
With Access Control running, the next step is to start the selang command line interface and set up permissions that allow remote administration from the Enterprise Management server. While you can manage this host locally using the command line tools, authorizing the management server lets you manage policies using the Endpoint Management UI application.
This is not a tutorial on the selang command tool. Again, it is assumed you have some knowledge of Access Control. 
Start the selang utility
[root@rh52acep bin]# ./selang
CA Access Control selang v12.50.00.1861 - CA Access Control command line interpreter
Copyright (c) 2009 CA. All rights reserved.
Create a terminal resource
AC> nr TERMINAL defacc(none) ow(nobody)
Successfully created TERMINAL
Now create a rule to authorize access to that terminal
AC> auth TERMINAL uid(*) acc(r,w)
Successfully added * to's ACL
Repeat the validation tests you ran earlier for the Windows Access Control endpoint via the Enterprise Management server.
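A lint pass for selang scripts built from the two TERMINAL commands above, as an added Python example (not from the original post or CA's tooling). It reports rules that grant access to uid(*) rather than a named administrator, a default access that is not explicitly none, and commands with no terminal name; the host names in the sample are constructed and the finding labels are hypothetical.

```python
import re

# The two selang commands used in the walkthrough, short or long spelling:
#   nr|newres TERMINAL <name> defacc|defaccess(...) ow|owner(...)
#   auth|authorize TERMINAL <name> uid(...) acc|access(...)
CMD_RE = re.compile(r"^(?:AC>\s*)?(?P<verb>nr|newres|auth|authorize)\s+TERMINAL\s+"
                    r"(?P<name>\S+)(?P<args>.*)$", re.IGNORECASE)
ARG_RE = re.compile(r"(\w+)\(([^)]*)\)")
ALIASES = {"defacc": "defaccess", "ow": "owner", "acc": "access"}

# Constructed sample script; the lab.example host names are placeholders.
SAMPLE_RULES = """\
AC> nr TERMINAL w2k3acmgr.lab.example defacc(none) ow(nobody)
AC> auth TERMINAL w2k3acmgr.lab.example uid(*) acc(r,w)
AC> auth TERMINAL w2k3acmgr.lab.example uid(superadmin) acc(r,w)
AC> nr TERMINAL jump01.lab.example defacc(r) ow(nobody)
AC> auth TERMINAL uid(*) acc(r,w)
"""


def audit_terminal_rules(script):
    """Return (line_no, finding) tuples for TERMINAL rules worth a second look."""
    findings = []
    for no, raw in enumerate(script.splitlines(), 1):
        m = CMD_RE.match(raw.strip())
        if not m:
            continue  # output lines such as "Successfully created ..." are skipped
        verb, name, args = m["verb"].lower(), m["name"], m["args"]
        if "(" in name:  # first token is already an argument: the name is missing
            findings.append((no, "no-terminal-name"))
            args = f"{name} {args}"
        opts = {ALIASES.get(k.lower(), k.lower()): v.strip()
                for k, v in ARG_RE.findall(args)}
        # The walkthrough sets defacc(none) explicitly; anything else is reported.
        if verb in ("nr", "newres") and opts.get("defaccess", "").lower() != "none":
            findings.append((no, "defaccess-not-none"))
        # uid(*) with any access other than none opens the terminal to all users.
        if (verb in ("auth", "authorize") and opts.get("uid") == "*"
                and opts.get("access", "").lower() != "none"):
            findings.append((no, "wildcard-uid-grant"))
    return findings


if __name__ == "__main__":
    for line_no, finding in audit_terminal_rules(SAMPLE_RULES):
        print(line_no, finding)
```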


  1. Hi
    I have installed Access controller without using AD. Please help me to work in the Access Controller, and how do I connect the client system to the Access controller server?


  2. Hi
    I have installed the Access Controller using the embedded user


  3. Not sure I follow. You installed the management server and now want to connect an endpoint machine with access control on it as well? Keep in mind each server you install access control on is a full installation. The benefit of the Enterprise Manager is simply to manage multiple endpoints policies from a single interface.

    Are you referring to UNAB or PUPM functionality?

  4. Hi
    You want me to install the full access controller in each server or the end point?


  5. Hi
    When I install the access controller without using the AD, is there anything we have to change or modify in the SQL?


  6. Hi, please tell me how do I connect the client to the Access controller server.
    And I have deployed the agent in the client computer; how do I make a communication between the client and the server?

  7. What OS is your client on? This blog post covers how to connect the Windows and Linux clients to the enterprise manager. Check Part 2 for Windows and Part 3 for Linux. It has step by step on what you need to do to communicate with the endpoints from the Enterprise manager.

  8. Hi
    In the client system I am using Windows Server 2008 32-bit.
    I have referred to Part 2, but I am not able to understand how to connect the client to the AC server, because when I install the agent in the client system it asks for the AD details, but I don’t have AD.

  9. When is it asking you for AD details? During the Access Control install when it asks for administrators? If yes, you don't have to use AD, you can use a local machine admin account.

  10. Hi

    When I install the agent in the client system it asks for the full domain name, and I don’t have a domain. Please help me.


  11. Hi
    I installed the agent in the client system, but the problem is the domain name; I am not using AD.
    When it asks for the domain name, what do I do?

  12. Just use localmachine\username format instead.

  13. Hi
    After installing the end point I browsed the URL http://:18080/acem and I am able to view the end point screen. When I log in to the screen from the client system using the server admin rights, I can see only the server details, not the client system details.

    And I even browse the enterprise management from the client system using the URL http://:18080/iam/ac through IE.

    But the main thing is I am not able to see the endpoint details in the enterprise management.


  14. Hi
    I have successfully installed the access control server and the end point, and I am able to view the client system from the server, that is, from the world view.

    But the problem is I am not able to access the endpoint, because it asks for the user name and password, and when I give the details of the client it shows user name and password incorrect or the hostname incorrect.

    Please help me out.


  15. Hi
    When I try to connect to the access control end point with the client system details I am getting this error

    Connection to host WIN-94CX8EZR5RE using user name: WIN-94CX8EZR5RE\Administrator has failed with the returned error: (WIN-94CX8EZR5RE) ERROR: Login procedure failed ERROR: You are not allowed to administer this site from terminal


  16. "You are not allowed to administer this site from terminal" is the error you get when you have not set up the terminal permissions for a remote connection. You have to explicitly create a selang rule to allow a remote host to connect to the endpoint server.

    Look at the end of the blog post after the section:
    Authorizing remote management of the host. Follow those steps running selang on your windows endpoint.

  17. Hi
    Thank you for supporting me for so many days. I have finished the installation successfully.


  18. This comment has been removed by the author.

  19. Hi
    This is abinesh, how are you? Now I am looking after ITAM; can you help me in this with some installation doc and configuration doc?

  20. Hi
    I require your help with the access control, because I have created the users in the end point but I am unable to log in to the end point computer; it shows access denied while logging in.


  21. Hi
    I am logging in to the client using mstsc.


  22. Hi, I have installed CA Access Control 12.5 on my Windows 2003 server. The installation was all successful. However, when I restarted my machine to access the access control link (http://localhost:18081/iam/ac/) it doesn't open.
    1) It gives me an error: HTTP Status-404, The requested resource (/iam/ac/) is not available.
    2) Jboss is started.
    3) I checked the log file and noticed that the server task has not completely started, and the last line in the server log reads - Setting Access Control Web Service URL to:
    4) There are a few java exception errors as well in the log file.
    5) If I check the services, the CA Access Control Web Service is started.

    I have uninstalled and reinstalled the access control to ensure the installation is done properly.

    Kindly advise what I am missing so that I can troubleshoot this issue. Looking forward to your reply.

  23. Hi, I need help with Access Control. I have installed CA Access Control r12.5. The installation was successful, and after restarting the machine, Jboss and all access control related services started successfully. However, when I try to access the application using http://:18080/iam/ac, it gives me an error which reads "Requested Resource(/iam/ac) is not available".
    Please help

    1. Check whether the connection between ENTM and DB is fine. Check the services of the DB and check the process count as well.

  24. Check the jboss server.log for your error. Make sure there are no other processes running using the same port you selected for jboss.

  25. Thanks for your reply Carlos. I checked the logs; there are a few errors, but I am unable to troubleshoot that, and I am sure there are no port conflicts because acem and acpwd open up fine. What I noticed is there is no war file (under the deploy folder) for access control (/iam/ac). Am I missing something or is it the way it appears?

    Now I tried a different thing: I uninstalled my premium version and installed just CA access control on a Windows 2003 server (CA Access Control for Multiplatform). The installation went fine. Now I am able to log into the endpoint management console, but if I click on any links, say users/resources or even log out, nothing happens. I am just able to see the Home page after login.
    Is there any step that I am missing? I am new to Access Control and it is taking some time trying to troubleshoot at my end, but since I saw your reply I thought of asking you. Thanks, Sandhya

  26. To add to my previous note..I am assuming there is some error wrt to gives error in policyfetcher.log which reads failed to connect to host DH_@hostname..Thanks

  27. Wow, I would need to see all your logs and better understand what components were installed. Honestly, for the amount of time I have to work on this blog outside my normal job, I would not be very good at helping you as much as you need help. If I may suggest, try posting your issues at:

    They have a handful of experts who focus on helping folks out with issues such as these. Sorry I can't help, but I wish you luck.