An endpoint's seosdb was corrupt and needed to be rebuilt. After the seosdb was rebuilt, some rules were missing, so the policy was redeployed from Enterprise Manager. However, the policy status stayed stuck in "queued". The message queue was healthy and no queues were backing up.
Privileged Identity Manager 12.8
PAM Server Control 14.x
In this instance, the database rebuild had problems and the policy information stored in seosdb was incomplete, so policyfetcher could not redeploy the policy. Errors in /opt/CA/AccessControl/log/policyfetcher.log showed that deleting the policy failed because it was missing either a gpolicy association or a ruleset association.
To resolve the issue, use the steps below to create a default seosdb and manually reset the hnode in the DMS.
First go to the endpoint and run the following:
1- Stop the endpoint
# secons -S
2- Backup seosdb
# /opt/CA/AccessControl/bin/dbmgr -e -r -f ~/seosdb.exp.`date +"%m-%d-%y"`
3- Create a new, default seosdb
# cd /opt/CA/AccessControl/seosdb
# /opt/CA/AccessControl/bin/dbmgr -create -cq -u root -t <terminalname>
4- Configure the endpoint to communicate with the Enterprise Management server. Replace entmservername with the hostname of the Enterprise Management server.
# selang -l
AC> so dh+(DH__@entmservername)
AC> exit
5- Keep PIM stopped for now
Second, go to the Enterprise Management server, open a command prompt and perform the following steps, replacing <endpointname> with the hostname of the problem endpoint.
# selang
AC> host DMS__@
AC> rr hnode <endpointname>
AC> sr deployment * gen_prop(HNODE_NAME) gen_val(HNODE.<endpointname>)
(There should be 0 deployments listed here.)
AC> exit
# dmsmgr -sync self
After that is done, the hnode and all of its related deployments have been removed from the management server. Go back to the endpoint and start the PIM daemons. Allow a few minutes for policyfetcher to start and register with the management server.
Finally, log in to the management GUI and deploy the two policies to the endpoint. Wait for policyfetcher to run again, or restart the endpoint; it will then receive the policies.
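The same procedure as a small shell script, added here as an example and not part of the original article: the endpoint-side rebuild (steps 1 to 4) and the DMS-side hnode reset are wrapped in functions with return-code checks, so a failed export or dbmgr call stops the run instead of leaving a half-built seosdb, and the seosdb export is checked to be non-empty before the database is replaced. Paths and commands are the ones in the article; it assumes a Unix/Linux Enterprise Management host with selang and dmsmgr on the PATH (override with the SELANG variable), and the ENTM hostname, endpoint hostname and terminal name are parameters you supply.

```shell
#!/bin/sh
# Added example (not from the original KB article). Wraps the endpoint-side
# seosdb rebuild and the DMS-side hnode reset in functions with checks.
# Paths are those given in the article; hostnames and the terminal name are
# supplied as arguments.
AC_BIN=/opt/CA/AccessControl/bin
AC_DB=/opt/CA/AccessControl/seosdb

# Backup file name in the article's convention: ~/seosdb.exp.MM-DD-YY
backup_name() {
    printf '%s/seosdb.exp.%s\n' "${HOME:-/root}" "$(date +%m-%d-%y)"
}

# selang input for step 4: register the ENTM server as distribution host.
# $1 = ENTM server hostname
endpoint_selang_script() {
    printf 'so dh+(DH__@%s)\nexit\n' "$1"
}

# selang input for the DMS side: drop the stale hnode, then list any
# deployment still bound to it (the article expects zero rows here).
# $1 = endpoint hostname
dms_selang_script() {
    printf 'host DMS__@\nrr hnode %s\nsr deployment * gen_prop(HNODE_NAME) gen_val(HNODE.%s)\nexit\n' "$1" "$1"
}

# Feed a generated script to selang via -f (file input). Extra selang flags
# (e.g. -l for the local database) are passed after the script text.
# SELANG may be set to the selang binary to use; defaults to the endpoint path.
run_selang() {
    script="$1"; shift
    tmp=$(mktemp) || return 1
    printf '%s\n' "$script" > "$tmp"
    "${SELANG:-$AC_BIN/selang}" "$@" -f "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Endpoint side: stop PIM, export seosdb, verify the export has content,
# create a default seosdb and point it at the ENTM server. PIM stays stopped.
# $1 = ENTM server hostname, $2 = terminal name for dbmgr -t
rebuild_endpoint_db() {
    entm="$1"; term="$2"
    "$AC_BIN/secons" -S || return 1
    out=$(backup_name)
    "$AC_BIN/dbmgr" -e -r -f "$out" || return 1
    # Never replace the database unless the export actually contains data
    [ -s "$out" ] || { echo "export $out is empty, stopping" >&2; return 1; }
    cd "$AC_DB" || return 1
    "$AC_BIN/dbmgr" -create -cq -u root -t "$term" || return 1
    run_selang "$(endpoint_selang_script "$entm")" -l
}

# DMS side: remove the hnode and its deployments, then sync the DMS.
# Assumes selang and dmsmgr are on the PATH of the ENTM host.
# $1 = endpoint hostname
reset_dms_hnode() {
    SELANG=selang run_selang "$(dms_selang_script "$1")" || return 1
    dmsmgr -sync self
}

# Usage (run as root on the respective host):
#   ./rebuild.sh endpoint <entm-hostname> <terminal-name>
#   ./rebuild.sh dms <endpoint-hostname>
case "${1:-}" in
    endpoint) rebuild_endpoint_db "$2" "$3" ;;
    dms)      reset_dms_hnode "$2" ;;
esac
```

Run the `endpoint` mode on the affected endpoint first, then the `dms` mode on the Enterprise Management server, and only then start the PIM daemons on the endpoint and redeploy the policies from the GUI as described above.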