How to reconfigure the SDM/SDC setup to enable fault isolation while keeping the existing device configuration discovered through the SDM/SDC tunnel in CA Spectrum.
By default, the CA Spectrum Secure Domain Connector logic creates an SDConnector process application model, which cannot be used for "connection" setup in the VNM. As a result, CA Spectrum Fault Isolation may not work as expected. To enable the full CA Spectrum Fault Isolation logic, the SDConnector logic must be hosted by a device model (i.e. Host-Model/Workstation or IP-device/pingable). How can this be reconfigured while keeping the set of SDM managed devices available?
CA Spectrum Secure Domain Connector reconfiguration with existing SDC Host configuration.
CA Spectrum Secure Domain Manager setup is triggered by an SDM configuration file import (see Secure Domain Manager - Information tab - Subview "Import"). The following procedure removes the SDConnector process application model, then discovers the SDC Host device model and re-imports the configuration through SDM, which re-uses the existing "DMZ" device configurations. In other words, it changes the model that represents the SDC (from the SDConnector process application model to an SDC Host device model), which makes it possible to enable fault isolation without affecting the existing device models for this SDM/SDC logic.
- stop the SDC-service/task on the SDC_host system
- reconfigure the ./SDM/sdm.config (save the current config and remove the current sdm.config file, so that there is "no import file")
- re-import the SDM config via OC-Console / Secure Domain Manager "Information" tab - this will read the "empty/non_existing" config
- delete the SDConnectorProcess application model
- create a pingable model for the SDC_Host system / discovery - wait until pingable model is "green" and available
- copy in the ./SDM/sdm.config again
- re-import via OC-Console / Secure Domain Manager "Information" tab - the "valid sdm.config file"
- start the SDC-service/task on the SDC_host system
- verify via netstat -an | grep 6844 that the SDM/SDC tunnel comes up
- wait until all "sdc_managed" devices are showing correct status (i.e. poll-interval +60 seconds)
- use Locater search for the SDM/SDC to verify that all devices are under control of one SDC.
Now you can enable the "connection" setup to enable Spectrum Secure Domain manager SDM/SDC fault isolation logic (RCA).
When the SDM import is run after the "SDC Host" device model was created, the SDM import logfile shows the re-use of the device/host model (in this case the "pingable" model for 192.168.121.31):
[[email protected] Logs]$ more SDMConfigImportLog.20160108180232
Importing new SDM configuration into SPECTRUM...
Parsing SDM configuration in sdm.config file...
Done parsing SDM configuration
Modeling new SDM configuration in SPECTRUM database...
Found model 192.168.121.31 of type Pingable for SDConnector 192.168.121.31
Done modeling new SDM configuration in SPECTRUM database
Done importing new SDM configuration into SPECTRUM
[[email protected] Logs]$
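The two verification steps of the procedure (the import log shows the existing device model being re-used, and the tunnel on port 6844 is up) can be scripted. This is an added shell example, not part of the original article or of CA Spectrum. The function names, the 192.168.121.30 address in the netstat line and the requirement for the ESTABLISHED state are assumptions; the log lines are the ones shown above.

```shell
#!/usr/bin/env bash
# Added example (not vendor code): post-import checks for the SDC re-host procedure.

# Print "<SDConnector> <model type>" for every SDC that the import attached to
# an already existing model ("Found model ... of type ... for SDConnector ...").
sdc_reused_models() {
  tr -d '\r' < "$1" |
    sed -n 's/^Found model .* of type \(.*\) for SDConnector \(.*\)$/\2 \1/p'
}

# Succeed only if the import log contains the completion message.
import_completed() {
  grep -q '^Done importing new SDM configuration into SPECTRUM' "$1"
}

# $1 = import log, $2 = SDC address. Prints the hosting model type and succeeds
# only if the import completed AND the SDC was mapped to an existing model.
sdc_rehost_ok() {
  import_completed "$1" || return 1
  rehost_type=$(sdc_reused_models "$1" |
    awk -v sdc="$2" '$1 == sdc { $1 = ""; sub(/^ /, ""); print; exit }')
  [ -n "$rehost_type" ] && printf '%s\n' "$rehost_type"
}

# Reads `netstat -an` output on stdin. Succeeds if a connection on port 6844 is
# ESTABLISHED (assumption: a socket that is only in LISTEN state is not a tunnel).
tunnel_up() {
  awk '$NF == "ESTABLISHED" && /[:.]6844[ \t]/ { up = 1 } END { exit !up }'
}

# Sample input: log lines as shown on this page; the netstat line is constructed.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Importing new SDM configuration into SPECTRUM...
Parsing SDM configuration in sdm.config file...
Done parsing SDM configuration
Modeling new SDM configuration in SPECTRUM database...
Found model 192.168.121.31 of type Pingable for SDConnector 192.168.121.31
Done modeling new SDM configuration in SPECTRUM database
Done importing new SDM configuration into SPECTRUM
EOF
SAMPLE_NETSTAT='tcp  0  0 192.168.121.30:6844  192.168.121.31:40122  ESTABLISHED'

echo "SDC 192.168.121.31 hosted by: $(sdc_rehost_ok "$SAMPLE_LOG" 192.168.121.31)"
printf '%s\n' "$SAMPLE_NETSTAT" | tunnel_up && echo "tunnel on 6844 is up"
```

On a live system, pass the newest SDMConfigImportLog file to sdc_rehost_ok and pipe the real netstat -an output into tunnel_up.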