We discussed internally what can be introduced in UNAB to reduce the number of connections.
One suggestion is to have a configuration item that specifies how often to check for policies, or that disables the check entirely.
Another suggestion is to make the ActiveMQ connections from UNAB on demand rather than persistent, so that the number of connections decreases.
Release : 14.1
Component : PAM SERVER CONTROL ENDPOINT WINDOWS
The idea is to have less traffic for ActiveMQ.
We created a new binary so that UNAB communications are on demand and not persistent.
We have added a dedicated token to uxauth.ini that allows one to completely turn off UNAB communication with the Distribution Server even when the Distribution_Server token in /etc/accommon.ini is set. The token is called ds_interaction_mode and lives in the [global] section. Below is its description in /etc/uxauth.ini:
; ds_interaction_mode specifies desired mode for UNAB's interaction with the Distribution
; Server specified in /etc/accommon.ini file. By default, if the Distribution_Server token
; is set, UNAB agent (uxauthd) will open a TCP connection to it and start sending its
; heartbeat and reading the ActiveMQ queue for policies intended for UNAB on the endpoint
; until UNAB is shut down. These actions are performed periodically with intervals
; specified in the [agent] section below.
; Options are:
; 0 - connect to and interact with Distribution Server until UNAB is shut down;
; 1 - do not interact with Distribution Server at all;
; Default value: 0
ds_interaction_mode = 0
When the token is set to 1 and interaction with the DS is disabled, uxconsole -status -detail shows the following in the portion of its output dedicated to the DS:
# uxconsole -status -detail
CA Privileged Access Manager Server Control UNAB uxconsole v188.8.131.521 - console utility
Unable to fetch error description. Error code is 0x7601
Client's site - Default-First-Site-Name
. . .
Cached AD Unix users - 9 (updated: Thu Dec 3 08:16:44 2020)
Cached AD Unix groups - 5 (updated: Thu Dec 3 08:16:44 2020)
Cached Windows groups - 16 (updated: Thu Dec 3 08:16:45 2020)
Migration - not migrated
CA PAM server host - ssl://lvndev002691.bpc.broadcom.net:61616
CA PAM server status - interaction is disabled (in uxauth.ini)
UNAB Watchdog - disabled
CA ControlMinder - installed
. . .
This token can be customized in the uxauth native package using our standard customization technique via a parameters file. After that, UNAB will have DS interaction disabled out of the box.
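Because setting ds_interaction_mode to 1 stops both the heartbeat and policy retrieval from the Distribution Server, it helps to confirm which state an endpoint is actually in. The script below is an added example, not vendor code: it reads the two files named above and reports the effective state, ignoring commented-out lines and any ds_interaction_mode placed outside [global]. The function names, the sample host name and the [communication] section in the sample accommon.ini are assumptions made for the illustration.

```sh
#!/bin/sh
# Added example (not vendor code): report the effective DS interaction state.

# ini_get FILE SECTION KEY: print the last uncommented value of KEY in [SECTION].
# SECTION "*" matches any section; used for accommon.ini because the page does
# not say which section holds Distribution_Server (assumption).
ini_get() {
    awk -v want="$2" -v key="$3" '
        /^[ \t]*;/  { next }    # ";" starts a comment, as in the excerpt above
        /^[ \t]*\[/ { sec = $0; gsub(/^[ \t]*\[|\].*$/, "", sec); next }
        want == "*" || sec == want {
            eq = index($0, "="); if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t\r]+$/, "", k); gsub(/^[ \t]+|[ \t\r]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }
    ' "$1"
}

# ds_effective_mode UXAUTH_INI ACCOMMON_INI
ds_effective_mode() {
    ds=$(ini_get "$2" "*" Distribution_Server)
    mode=$(ini_get "$1" global ds_interaction_mode)
    if [ -z "$ds" ]; then echo "no-ds-configured"; return 0; fi
    case "${mode:-0}" in            # token absent: documented default is 0
        0) echo "persistent" ;;
        1) echo "disabled" ;;
        *) echo "invalid:$mode" ;;  # only 0 and 1 are documented
    esac
}

# Constructed sample files; host name and [communication] section are assumed.
demo=$(mktemp -d) && trap 'rm -rf "$demo"' EXIT
printf '%s\n' '[communication]' \
    'Distribution_Server = ssl://ds.example.test:61616' > "$demo/accommon.ini"
printf '%s\n' '[global]' '; ds_interaction_mode = 0' 'ds_interaction_mode = 1' \
    '[agent]' 'ds_interaction_mode = 0' > "$demo/uxauth.ini"
ds_effective_mode "$demo/uxauth.ini" "$demo/accommon.ini"
```

On an endpoint, call ds_effective_mode with /etc/uxauth.ini and /etc/accommon.ini and compare the result with the "CA PAM server status" line of uxconsole -status -detail.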