ActiveMQ connections from UNAB setting from persistent to on demand

Article ID: 205124

Products

CA Privileged Access Manager (PAM)
CA Privileged Access Manager - Cloakware Password Authority (PA)
CA Privileged Access Manager - Server Control (PAMSC)

Issue/Introduction

We discussed internally what could be introduced in UNAB to reduce the number of connections.

One suggestion is a configuration item that specifies how often to check for policies, or that disables the check entirely.

Another suggestion is to make the ActiveMQ connections from UNAB on demand rather than persistent, so that the number of connections decreases.

Environment

Release : 14.1 PAMSC / UNAB

Component : PAM SERVER CONTROL ENDPOINT WINDOWS

Cause

The goal is to reduce ActiveMQ traffic.

Resolution

A new binary was created so that UNAB communications are on demand rather than persistent.

We have added a dedicated token to uxauth.ini that allows one to completely turn off UNAB communication with the Distribution Server even when the Distribution_Server token in /etc/accommon.ini is set. The token is called ds_interaction_mode and lives in the [global] section. Below is its description in /etc/uxauth.ini:

; ds_interaction_mode specifies desired mode for UNAB's interaction with the Distribution
; Server specified in /etc/accommon.ini file.  By default, if the Distribution_Server token
; is set, UNAB agent (uxauthd) will open a TCP connection to it and start sending its
; heartbeat and reading the ActiveMQ queue for policies intended for UNAB on the endpoint
; until UNAB is shut down.  These actions are performed periodically with intervals
; specified in the [agent] section below.
; Options are:
;    0 - connect to and interact with Distribution Server until UNAB is shut down;
;    1 - do not interact with Distribution Server at all;
;
; Default value: 0
ds_interaction_mode = 0


When the token is set to 1 and interaction with the DS is disabled, uxconsole -status -detail shows the following in the portion of its output dedicated to the DS:

#  uxconsole -status -detail
CA Privileged Access Manager Server Control UNAB uxconsole v14.10.0.1531 - console utility
Unable to fetch error description. Error code is 0x7601

Client's site          - Default-First-Site-Name
.  .  .

Cached AD Unix users   - 9 (updated: Thu Dec  3 08:16:44 2020)
Cached AD Unix groups  - 5 (updated: Thu Dec  3 08:16:44 2020)
Cached Windows groups  - 16 (updated: Thu Dec  3 08:16:45 2020)
Migration              - not migrated
CA PAM server host     - ssl://:<server name>:61616
CA PAM server status   - interaction is disabled (in uxauth.ini)
UNAB Watchdog          - disabled
CA ControlMinder       - installed
.  .  .

This token can be customized in the uxauth native package using our standard customization technique via a parameters file. After that, UNAB will have DS interaction disabled out of the box.
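
An added example, not part of the original article or the product: a shell check that reads the effective ds_interaction_mode from the [global] section and compares it with the "CA PAM server status" line shown above, which helps inventory endpoints that no longer send a heartbeat or read policies from the Distribution Server. The function names, the enabled/disabled/mismatch labels and the sample input are assumptions constructed for illustration.

```shell
# Added example, not vendor code. Function names and labels are assumptions.

# Print ds_interaction_mode from the [global] section of a uxauth.ini-style
# file; ';' lines are comments. Absent token -> documented default 0.
ds_mode() {
    awk '
        /^[ \t]*;/  { next }
        /^[ \t]*\[/ { sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec); next }
        sec == "global" && /^[ \t]*ds_interaction_mode[ \t]*=/ {
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t\r]+$/, "", val)
        }
        END { print (val == "" ? 0 : val) }
    ' "$1"
}

# Succeed when saved `uxconsole -status -detail` output on stdin reports
# that interaction with the Distribution Server is disabled.
ds_status_disabled() {
    grep -q '^CA PAM server status[[:space:]]*-[[:space:]]*interaction is disabled'
}

# Compare the configured mode ($1 = ini file) with the reported status
# ($2 = saved uxconsole output). Prints enabled, disabled or mismatch.
ds_audit() {
    mode=$(ds_mode "$1")
    if ds_status_disabled < "$2"; then reported=1; else reported=0; fi
    if [ "$mode" != "$reported" ]; then echo mismatch
    elif [ "$mode" = 1 ]; then echo disabled
    else echo enabled
    fi
}

# Constructed sample input (not captured from a real endpoint). The [agent]
# entry is a decoy that shows only the [global] section is honoured.
tmp=$(mktemp -d)
cat > "$tmp/uxauth.ini" <<'EOF'
[global]
; ds_interaction_mode = 0
ds_interaction_mode = 1
[agent]
ds_interaction_mode = 0
EOF
cat > "$tmp/status.txt" <<'EOF'
CA PAM server host     - ssl://:<server name>:61616
CA PAM server status   - interaction is disabled (in uxauth.ini)
UNAB Watchdog          - disabled
EOF
ds_audit "$tmp/uxauth.ini" "$tmp/status.txt"
```

On an endpoint, save the output of uxconsole -status -detail to a file and pass it as the second argument together with /etc/uxauth.ini.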