Attempting to Redeploy a Policy Results in a Queued State

Article ID: 230694

Products

CA Privileged Identity Management Endpoint (PIM)

Issue/Introduction

An endpoint's seosdb was corrupt and needed to be rebuilt. After the rebuild, some rules were missing, so the policy was redeployed from Enterprise Manager. However, the policy status is stuck in Queued. The message queue was healthy, and no queues were backing up.

Environment

Privileged Identity Manager 12.8
PAM Server Control 14.x

Cause

In this instance, the database rebuild had a problem and the policy information stored in seosdb was incomplete, so policyfetcher could not redeploy the policy. Errors in /opt/CA/AccessControl/log/policyfetcher.log indicated a failure deleting the policy because it was missing either a gpolicy or a ruleset association.

Resolution

To resolve the issue, use the steps below to create a default seosdb and manually reset the hnode in the DMS.

First, go to the endpoint and run the following:
1- Stop the endpoint
# secons -S
2- Back up seosdb
# /opt/CA/AccessControl/bin/dbmgr -e -r -f ~/seosb.exp.`date +"%m-%d-%y"`
3- Create a new, default seosdb
# cd /opt/CA/AccessControl/seosdb
# /opt/CA/AccessControl/bin/dbmgr -create -cq -u root -t <terminalname>
4- Configure the endpoint to communicate with the Enterprise Management server. Replace entmservername with the hostname of the Enterprise Management server.
# selang -l
AC> so dh+(DH__@entmservername)
AC> exit
5- Keep PIM stopped for now

Second, go to the Enterprise Management server, open a command prompt, and perform the following steps, replacing <endpointname> with the hostname of the problem endpoint.
# selang
AC> host DMS__@
AC> rr hnode <endpointname>
AC> sr deployment * gen_prop(HNODE_NAME) gen_val(HNODE.<endpointname>)
(There should be 0 deployments listed here.)
AC> exit
# dmsmgr -sync self

After that is done, the hnode and all related deployments will be removed from the management server. Go back to the endpoint and start the PIM daemons. Allow a few minutes for policyfetcher to start and register with the management server.

Finally, log into the management GUI and deploy the two policies to the endpoint. Wait for policyfetcher to run again, or restart the endpoint, and it will get the policies.
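
Added example (not part of the original article and not vendor code): a pre-flight check to run on the endpoint between steps 2 and 3. It confirms that policyfetcher.log shows the gpolicy/ruleset errors described under Cause and that the step 2 export is not empty before seosdb is replaced. The function names, the log keywords, and the sample log lines are assumptions constructed for illustration; the article does not quote the actual log text.

```sh
#!/bin/sh
# Pre-flight checks before replacing seosdb (illustrative, not vendor code).

# cause_matches LOGFILE: succeed if the log has error lines that mention a
# gpolicy or a ruleset, the two associations named under Cause.
# The keywords are an assumption; the article does not quote the log text.
cause_matches() {
    [ -r "$1" ] || return 2
    grep -i 'error' "$1" | grep -Eiq 'gpolicy|ruleset'
}

# backup_usable FILE: succeed if the step 2 export exists and is not empty.
backup_usable() {
    [ -f "$1" ] && [ -s "$1" ]
}

# preflight LOGFILE BACKUPFILE: print a verdict; return 0 only if both hold.
preflight() {
    if ! cause_matches "$1"; then
        echo "STOP: no gpolicy/ruleset errors in $1; the cause may differ"
        return 1
    fi
    if ! backup_usable "$2"; then
        echo "STOP: export $2 is missing or empty; repeat step 2"
        return 1
    fi
    echo "OK: cause matches and the export exists; continue with step 3"
}

# Demonstration on constructed data (not real product output).
demo_dir=$(mktemp -d)
cat > "$demo_dir/policyfetcher.log" <<'EOF'
2021-01-01 10:00:00 INFO  constructed sample: policyfetcher started
2021-01-01 10:00:05 ERROR constructed sample: cannot delete policy, missing gpolicy association
EOF
: > "$demo_dir/empty.exp"                        # failed export: zero bytes
printf 'constructed export line\n' > "$demo_dir/good.exp"

preflight "$demo_dir/policyfetcher.log" "$demo_dir/empty.exp" || true
preflight "$demo_dir/policyfetcher.log" "$demo_dir/good.exp"
rm -rf "$demo_dir"
```

On a real endpoint, call preflight with /opt/CA/AccessControl/log/policyfetcher.log and the export file written in step 2.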