Symantec Directory : How to maintain/purge data from hostname-monitoring-management-ui DSA

Article ID: 244236

Products

CA Directory

Issue/Introduction

You may come across a situation where your hostname-monitoring-management-ui DSA keeps growing and runs into size constraints. The product has no built-in tool that you can use to maintain or purge this DSA. The steps below will help you achieve this.

Environment

Release : 14.1

Component : CA Directory

Resolution

The approach is to find the old entries (with the dxsearch or ldapsearch command line tool) and delete them (with the dxdelete or ldapdelete command line tool).

First review what you have in the DSA using any LDAP browser of your choice (e.g. JXplorer LDAP browser).

Connection parameters would be:

Host: Hostname_of_mgmt_ui_DSA
Port: 10389
Base DN: o=management-ui
Connection type/level: SSL + User + Password
User DN: cn=superuser,ou=users,o=management-ui
password: decrypted password

NOTE: The password here can be found in $DXUIHOME/config.js file on Linux OR %DXUIHOME%\config.js on Windows. Here is an example of how/where it is defined.

module.exports.ldapClientConfig = [
  {reconnect: true, url: 'ldaps://' + require("os").hostname() + ':10389', timeout: 100000, connectTimeout: 10000, bindDN: 'cn=superuser,ou=users,o=management-ui', bindCredentials: '{CADIR}mYNCguM/0e2EmsLmrtJgVoTkbPLX6KkQOAlW8aEp7/c0jdZiguEAzO4QLz4='}
];

In the above, the password is encrypted with Symantec Directory's own algorithm, 'CADIR', which is a reversible obfuscation algorithm. This means it can be decrypted to its clear-text value using the 'dxpassword' command line tool with the -D parameter.

For example, using the above value of {CADIR}mYNCguM/0e2EmsLmrtJgVoTkbPLX6KkQOAlW8aEp7/c0jdZiguEAzO4QLz4= , you would run the following command at the system prompt.

dxpassword -D CADIR {CADIR}mYNCguM/0e2EmsLmrtJgVoTkbPLX6KkQOAlW8aEp7/c0jdZiguEAzO4QLz4=

which will result in: 0cLavI+fvR7QHSUKmOul9dpSFLVGwbCD4Gh6iTJV7SQ=

Use the above value as the password when binding to this DSA via the LDAP browser, as well as for the search and delete operations.

STEPS:

1) Review via LDAP browser.

Once you successfully connect to the DSA, look at the entries/objects under the 'stats' branch of each node that you have configured and note the 'time' attribute value.

2) DXsearch command:

Taking the 'time' value noted above as an example, you can run the following search command to find all entries that are older than it, and then decide whether to delete them to reclaim space and reduce the DSA size.

DXsearch query example:
dxsearch -LLL -Z -h <hostname>:10389 -b "ou=stats,ou=messages,o=management-ui" -D "cn=superuser,ou=users,o=management-ui" -w "your_decoded_password" "(time<=20220616130600.999Z)" dn > delete.ldif

3) DXdelete command:

Review the resulting 'delete.ldif' to confirm that you are happy to delete all of those entries from this DSA. If so, you need to convert this LDIF file into the format that the dxdelete command line tool accepts as input.

That is, each "dn:" value must be on one line (instead of two lines), entries must be separated by one blank line, and the leading "dn:" must be deleted. See the example below.

From:
dn: name=10:20220616130600.653Z,ou=democorp,ou=lvntest001782,ou=Monitoring Tes
 ting,ou=stats,ou=messages,o=management-ui

dn: name=11:20220616130600.761Z,ou=democorp,ou=lvntest001782,ou=Monitoring Tes
 ting,ou=stats,ou=messages,o=management-ui

dn: name=12:20220616130600.875Z,ou=democorp,ou=lvntest001782,ou=Monitoring Tes
 ting,ou=stats,ou=messages,o=management-ui

dn: name=13:20220616130600.973Z,ou=democorp,ou=lvntest001782,ou=Monitoring Tes
 ting,ou=stats,ou=messages,o=management-ui

To:
name=10:20220616130600.653Z,ou=democorp,ou=lvntest001782,ou=Monitoring Testing,ou=stats,ou=messages,o=management-ui

name=11:20220616130600.761Z,ou=democorp,ou=lvntest001782,ou=Monitoring Testing,ou=stats,ou=messages,o=management-ui

name=12:20220616130600.875Z,ou=democorp,ou=lvntest001782,ou=Monitoring Testing,ou=stats,ou=messages,o=management-ui

name=13:20220616130600.973Z,ou=democorp,ou=lvntest001782,ou=Monitoring Testing,ou=stats,ou=messages,o=management-ui

Once modified, save this file and use it with dxdelete command as an input.
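
The conversion shown in the From/To sample can be scripted. The following is an added example, not part of the original article or of the vendor's tools: the names ldif_to_dnlist, sample_ldif and BASE are assumptions, and the sample input is constructed from the entries shown above. It also skips, with a message on stderr, any DN that is base64-encoded or does not end in the search base, so that only entries under the stats branch reach the delete list.

```shell
#!/bin/sh
# Added example (not vendor code): turn `dxsearch -LLL ... dn` output into the
# one-DN-per-line, blank-line-separated list shown in the "To:" sample.

BASE="ou=stats,ou=messages,o=management-ui"   # search base used on this page

ldif_to_dnlist() {
    # Reads LDIF from the file in $1, or stdin when no file is given.
    awk -v base="$BASE" '
        function flush(   dn) {
            if (cur ~ /^dn:: /) {            # base64 DN: report it, never guess
                print "skipped (base64): " cur > "/dev/stderr"; bad++
            } else if (cur ~ /^dn: /) {
                dn = substr(cur, 5)          # drop the leading "dn: "
                # Guardrail: emit only entries under the stats branch.
                if (tolower(substr(dn, length(dn) - length(base))) != "," tolower(base)) {
                    print "skipped (outside base): " dn > "/dev/stderr"; bad++
                } else {
                    if (n++) print ""        # blank line between DNs
                    print dn
                }
            }
            cur = ""
        }
        { sub(/\r$/, "") }                   # tolerate CRLF files from Windows
        /^ / { cur = cur substr($0, 2); next }   # folded line: join to previous
        { flush(); cur = $0 }
        END { flush(); exit (bad ? 2 : 0) }
    ' "${1:--}"
}

# Constructed sample: two folded entries from the page, plus one DN outside
# the stats branch that must not reach the delete list.
sample_ldif() {
    cat <<'EOF'
dn: name=10:20220616130600.653Z,ou=democorp,ou=lvntest001782,ou=Monitoring Tes
 ting,ou=stats,ou=messages,o=management-ui

dn: name=11:20220616130600.761Z,ou=democorp,ou=lvntest001782,ou=Monitoring Tes
 ting,ou=stats,ou=messages,o=management-ui

dn: cn=superuser,ou=users,o=management-ui
EOF
}

sample_ldif | ldif_to_dnlist || echo "review skipped entries before deleting" >&2
```

In practice, write the output to a new file and review it before passing that file to dxdelete with -f; an exit status of 2 means at least one entry was skipped.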

DXdelete query example:
dxdelete -v -Z -h <hostname>:10389 -D "cn=superuser,ou=users,o=management-ui" -w "your_decoded_password" -f delete.ldif

The above should delete all those records that were part of delete.ldif file, reducing the size of monitoring-management-ui DSA.

NOTE: Depending on how much you want to delete, you can run the dxsearch command with a different timestamp (i.e. 'time' attribute value) to delete more.

Additional Information

For the DXtools (in this case dxsearch) to work over SSL (i.e. with the -Z option), there is an extra step: configure the 'dxldap.conf' file (modify the existing one, or create a new one if it doesn't exist) and define the environment variable LDAPCONF pointing to this file.

Reference:
https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/directory/14-1/ca-directory-concepts/directory-ssl-encryption/configuring-the-dxtools-to-use-ssl.html
