
Saturday, April 10, 2010

CA Access Control R12.5 Quick Lab setup

If you are looking at upgrading your Access Control environment to take advantage of the Enterprise Management policy management, here is a quick guide doc to getting the management server installed and communicating with your Access Control endpoints. The install process is a lot easier than with previous versions. 

Follow this link to download the install guide. The text without screen shots is available here.


Quick Guide to CA Access Control R12.5 Enterprise Manager with Windows and Linux endpoints
Draft 1
This is a quick guide to getting a basic Access Manager R12.5 environment set up and configured. In this lab setup the following servers are used:

Pre-requisites: 
An Active Directory Environment for the AC R125 Enterprise Management Server to integrate with for console access.
An AD user that will be the Enterprise Manager Administrator
An SQL DB instance
It will be assumed that there is a basic understanding of Access Control and the new features that are available with R12.5. This guide will be focused on getting the basic setup up and running and on being able to manage a Windows and a Linux endpoint. 
Part 1: Installing the Access Control Enterprise Management Server
Insert the 3rd party component DVD. This will have the pre-requisite installer which will setup java jdk 1.5.0-18 and jboss 4.2.3. 
D:\PrereqInstaller\install_PRK.exe
Select the install location of Java and Jboss. Before Jboss is installed, you will have the option of selecting which ports you want jboss to use. By default, the installer will select 18080.
If you do not have any additional instance of jboss running on the host, select next and accept the defaults. If you need to change the ports, click on Advanced Configuration to have the option of changing all Jboss ports. 
After the Pre-installation Summary screen, click on Install. 
Once the installer is done, it will pause, giving you the opportunity to switch DVDs and insert the Enterprise Management DVD. Once you have inserted the DVD, click on Done and the Enterprise Management installer will start up. 
Choose the location of the install and click on Next.
You will need to select a password that all components will use for communication. Enter the password and click Next. 
Specify the database you will be using. In this lab setup, it is a MS SQL 2005 instance. Select MS SQL and click Next. 

Enter the required information to connect to your DB instance and click Next.

Specify which user store you will use for controlling access to the Enterprise Management Server. For this lab environment, select Active Directory. 
Enter the required information to connect to your Active Directory environment. Click Next when complete.
Enter the AD user you have selected to be the system admin for the enterprise manager.  

Review your Pre-Installation summary and click Install. 
After Install, you will need to restart the server. Click Done to proceed. 
After the server reboot, all Access Control components will start up automatically, including the JBoss application server. Don’t try to log in to the Enterprise Manager application right away: the login will fail until the JBoss application has finished loading, which takes a while. 
Monitor the JBoss server log at C:\jboss-4.2.3.GA\server\default\log\server.log for any errors, and to confirm that the application is up and running. 
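Rather than refreshing the login page by hand, the readiness check can be scripted against server.log. The script below is an added example (not part of the original post and not CA's own tooling): it assumes the log path named above, that JBoss 4.2.3 writes a line containing "Started in" once all services are deployed, and that startup failures appear as lines with the ERROR level. The sample log lines used in the usage comment are constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example: decide whether the Enterprise Management JBoss instance has
# finished starting by reading server.log instead of retrying the login page.
# Assumptions: JBoss 4.2.3 logs a "... Started in <time>" line when startup is
# complete, and failures are logged at ERROR level. LOG defaults to the path
# named in the guide; override it with LOG=/path/to/server.log.
LOG="${LOG:-C:/jboss-4.2.3.GA/server/default/log/server.log}"

# Print every ERROR line (with line number). Returns 0 when none were found.
jboss_errors() {
    if grep -n ' ERROR ' "$1"; then
        return 1
    fi
    return 0
}

# Return 0 once the log contains the kernel "Started in" line, 1 otherwise.
jboss_started() {
    grep -q 'Started in' "$1"
}

# Poll the log until JBoss reports startup or the timeout expires.
#   wait_for_jboss LOGFILE [TIMEOUT_SECONDS] [POLL_INTERVAL_SECONDS]
# Returns 0 when started with no ERROR lines, 1 on timeout, 2 when JBoss
# started but ERROR lines were logged (the lines are printed).
wait_for_jboss() {
    log="$1"; timeout="${2:-300}"; interval="${3:-5}"; waited=0
    while [ "$waited" -lt "$timeout" ]; do
        if jboss_started "$log"; then
            jboss_errors "$log" && return 0
            return 2
        fi
        sleep "$interval"
        waited=$((waited + interval))
    done
    return 1
}

# Usage on a host where the log is readable (or against a copied log):
#   LOG=/tmp/server.log sh jboss_ready.sh
# With a constructed log whose last line is
#   "... JBoss (MX MicroKernel) [4.2.3.GA ...] Started in 1m:29s:333ms"
# this prints "JBoss is up, no errors logged".
if [ -r "$LOG" ]; then
    wait_for_jboss "$LOG" 300 5
    rc=$?
    case $rc in
        0) echo "JBoss is up, no errors logged" ;;
        1) echo "timed out waiting for JBoss to start" ;;
        2) echo "JBoss started but ERROR lines were logged (see above)" ;;
    esac
fi
```

Once this returns 0 the http://…:18080/iam/ac login should succeed; a return of 2 means the application server is up but something failed to deploy, and the printed ERROR lines are the place to start.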
Validate the install
Open your browser and go to the url http://:18080/iam/ac
Enter the username / password for the AD user you selected as your system admin. 
Upon a successful login, you will be at the main screen. 
Click on the System tab. Expand the DMS section and click on View Connection. Search for connections; you should see a default connection to the host. 
At this point, you have successfully installed the Enterprise Management UI. Next, validate that the Endpoint Management application was also successfully deployed. 
Go to the url http://:18080/acem
Enter the username of the ID you ran the installer under. If you installed it using a domain ID, make sure you use the domain\username. By default it will be the local Access Control admin ID. 

Upon a successful login you will be able to manage the local host via the Endpoint Management UI. 
At this point, you have validated the basic installation of the Access Control Enterprise Management and its supporting components. 
The next step is to set up an endpoint to manage.
Part 2: Installing and managing an Access Control Endpoint on Windows 2003
Insert the Access Control for Windows DVD. The installer will start automatically. 

Expand the Components folder and select the Access Control appropriate for your OS. In this lab, using Windows 2003, select ‘CA Access Control for Windows (32-Bit)’. 
If not installed already, you will be prompted to install the MS Visual C++ 2005 Redistribution. You will need to install this. 
When it comes to selecting which components to install, the only additional component required for this lab is ‘Advanced Policy Management Client’. 

The next screen has you add any additional administrators and hosts you want to allow management from. The administrators are granted admin-level access over this particular host. Defining additional hosts allows machines other than the local host to manage this host.  
Users and Group. Select Yes for ‘Support users and groups from primary stores’. Click Next. 
SSL Communication. For this lab setup, keep the default ‘No’ for using SSL communication. Click Next. 
Encryption settings. Unselect ‘Change the default encryption key’. Click Next. 

Advanced Policy Management Client. Enter the Advanced Policy Management Server host name which in this lab is the Enterprise Management server. 

Review Settings and click Next and Install. 
After installation is complete, a reboot of the server is required. 
Validate you can access and manage the Access Control Endpoint from the Enterprise Management server. 
Open a browser and go to the CA Access Control Endpoint Management application. If you added the Enterprise Management server (the host with the UI applications installed) as one of the hosts permitted to manage the endpoint, you will be able to connect to your managed endpoint. If you did not, the permissions for external management of the endpoint will not exist. You can always add additional hosts using selang commands on the endpoint. 
Example selang commands will be included at end of document. 
Go to the URL http://:18080/acem

After successful login, you will be able to manage that remote end point. 
Validate you can access the endpoint via the Enterprise Management UI.
Go to the Enterprise Application URL at http://:18080/iam/ac
Login as the AD account you selected to be the Admin. 

For this lab it is ‘superadmin’. 

Once you log in successfully, you will be at the home view of the Enterprise Management UI. 

Click on Policy Management->Host->View Host
Click on Search.
The management server and the new windows endpoint should show up. 
This concludes basic validation of communication from the Enterprise Management server and the new windows Access Control end point. 
Part 3: Installing and managing an Access Control Endpoint on a Linux Endpoint 
Insert the Access Control for Unix DVD. Mount the DVD if it is not mounted automatically. Navigate to /media/CA_AC_P_E_12_5_U/ (using RedHat as an example). Copy the Unix directory to /tmp or a similar temporary location and run chmod -R 755 on it. If you try to run the installer directly from the DVD, you will get permission errors. 
Navigate to /tmp/Unix/Access-Control. To start the install, run ./install_base
Enter the command required to install the software
Next choose the install path or hit enter to accept the default.
Enter the path for installing CA Access Control
[/opt/CA/AccessControl]:
Installing the following CA Access Control package(s):
  - Client package
  - Server package
For installation options, please use 'install_base -h'.
Select 'Y' to install, 'N' to exit the script:Y
Select Y to proceed. 
Unless you already have a local (nis-ldap) group defined, you can leave this as none. 
Specify the audit group name [none]:
Do not Import users or groups. 
Import users, groups and hosts now? [N/y]: N
PMDB model is legacy Access Control. It is being replaced by the Advanced Policy Management that comes with R12.x. For the lab, enter none for parent policy model.
Enter parent policy model name [none]
The case is the same for a password policy model. Enter none for this lab setup. The idea is that you would use something like IdM to better manage your users and passwords instead of replicating the data via a pmdb model. 
Enter passwords policy model name [none]
-------------------[ Set up security administrators ]-------------------
  You may define users as security administrators and auditors.
  Specify user IDs separated by space, other than root.
  If you do not want to define administrators now, hit ENTER.
Please enter administrator names [none]:
If you have additional local users defined, you can add them as administrators for Access Control on this end point. 
Yes, you would like to support OS users. 
Do you want CA Access Control to support OS users? [N/y]: Y
Defining DB Admins. You can add additional admins later. For now, using root will be fine. 
No need to change the encryption method.
Do you want to change the default encryption method  [N/y]: N
You can install the Baseline Security setting later on. As part of the install, skip adding them. 
Do you want to install Baseline Security Pack now? [N/y]: N
Starting Access Control remotely can be useful so accept the default of Yes.
Do you want to be able to start CA Access Control from a remote host? [Y/n]: Y
Do you want to install Report Agent? [N/y]: N
Do you want to install PUPM Agent? [N/y]: N
Do you want to configure this end point for advanced policy management  [N/y]:Y
Specify the advanced policy management server components DH full name list separated by space [none]:DH__@w2k3acmgr

Once the install has completed, cd to /opt/CA/AccessControl/bin
Start Access Control by running ./seload
[root@rh52acep bin]# ./seload
CA Access Control seload v12.50.00.1861 - Loader Utility        
Copyright (c) 2009 CA. All rights reserved.
08 Apr 2010 23:25:37> WAKE_UP : Server going up
08 Apr 2010 23:25:37> INFO    : Filter mask: 'WATCHDOG*' is registered
08 Apr 2010 23:25:37> INFO    : Filter mask: 'INFO    : Setting PV*' is registered
08 Apr 2010 23:25:37> INFO    : Filter mask: 'INFO    : DB*' is registered
08 Apr 2010 23:25:37> INFO    : Filter mask: '*seosd.trace*' is registered
08 Apr 2010 23:25:37> INFO    : Filter mask: '*FILE*secons*(*/log/*)*' is registered
Starting seosd. PID = 15604.
Checking database ...
Starting seagent. PID = 15607
seagent: Loading database image...
seagent: Initialization phase completed
Starting seoswd. PID = 15611
[root@rh52acep bin]# 
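The three "Starting <daemon>. PID = <n>" lines in the transcript above are the part worth checking, since a missing seosd, seagent or seoswd means the endpoint will not answer the management server. The script below is an added example (not from the original post and not a CA utility): it assumes seload's output was captured to a file, e.g. ./seload 2>&1 | tee /tmp/seload.out, that the lines keep the format shown in the transcript, and that it is run as root on the endpoint (as seload was), so that kill -0 can see every daemon's PID.

```shell
#!/bin/sh
# Added example: verify from captured seload output that seosd, seagent and
# seoswd all reported a PID, and that those PIDs are still running.
# Assumes the capture keeps the "Starting <daemon>. PID = <n>" line format
# shown in the guide's transcript and that the script runs as root.

# Print "daemon pid" for every "Starting X. PID = N" line in the capture.
seload_pids() {
    sed -n 's/^Starting \([a-z]*\)\. PID = \([0-9]*\).*$/\1 \2/p' "$1"
}

# Return 0 when all three daemons reported a PID, 1 otherwise; the missing
# daemon names go to stderr.
seload_all_started() {
    missing=""
    for d in seosd seagent seoswd; do
        seload_pids "$1" | grep -q "^$d " || missing="$missing $d"
    done
    if [ -n "$missing" ]; then
        echo "not started:$missing" >&2
        return 1
    fi
    return 0
}

# Live check: print the number of reported PIDs that are no longer running.
# kill -0 only probes for existence; as root it sees every process.
seload_dead_count() {
    dead=0
    for pair in $(seload_pids "$1" | tr ' ' ':'); do
        name=${pair%%:*}
        pid=${pair##*:}
        if ! kill -0 "$pid" 2>/dev/null; then
            echo "$name (pid $pid) is not running" >&2
            dead=$((dead + 1))
        fi
    done
    echo "$dead"
}

# Usage:  ./seload 2>&1 | tee /tmp/seload.out ; sh check_seload.sh /tmp/seload.out
if [ -n "$1" ] && [ -r "$1" ]; then
    if seload_all_started "$1"; then
        echo "all daemons reported a PID"
    fi
    echo "daemons no longer running: $(seload_dead_count "$1")"
fi
```

A non-zero dead count right after startup usually means a daemon exited during initialisation; the next place to look is the seosd trace and the log directory under /opt/CA/AccessControl.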
Authorizing remote management of the host. 
With Access Control running, the next step is to start the selang command line interface and set up the permissions that allow remote administration from the Enterprise Management server. While you can manage this host locally using the command line tools, authorizing the management server is what lets you manage policies through the Endpoint Management UI application. 
This is not a tutorial on the selang command tool. Again, it is assumed you have some knowledge of Access Control. 
Start the selang utility
[root@rh52acep bin]# ./selang
CA Access Control selang v12.50.00.1861 - CA Access Control command line interpreter
Copyright (c) 2009 CA. All rights reserved.
AC> 
Create a terminal resource
AC> nr TERMINAL w2k3acmgr.cglab.com defacc(none) ow(nobody)
(localhost)
Successfully created TERMINAL w2k3acmgr.cglab.com
AC> 
Now create a rule to authorize access to that terminal
AC> auth TERMINAL w2k3acmgr.cglab.com uid(*) acc(r,w)
(localhost)
Successfully added * to w2k3acmgr.cglab.com's ACL
AC> 
Repeat the validation tests you ran earlier for the Windows Access Control endpoint via the Enterprise Management server.