Reconfigure Spectrum SDM/SDC configuration and modeling


Article ID: 36519


Products

CA Spectrum DX NetOps

Issue/Introduction

How to reconfigure the SDM/SDC setup to enable fault isolation while preserving the existing device configuration discovered through the SDM/SDC tunnel in CA Spectrum.

Environment

DX NetOps Spectrum all releases

Spectrum Secure Domain Connector reconfiguration with existing SDC Host configuration.

Cause

By default, the CA Spectrum Secure Domain Connector logic creates an SDConnector process application model, which cannot be used for "connection" setup in the VNM. As a result, Spectrum Fault Isolation may not work as expected. To enable the full CA Spectrum Fault Isolation logic, the SDConnector logic must be hosted by a device model (i.e. Host-Model/Workstation or IP-device/pingable). This is done by reconfiguring the setup while keeping the set of SDM managed devices available.

Resolution

CA Spectrum Secure Domain Manager setup is triggered by an SDM configuration file import (see Secure Domain Manager - Information tab - Subview "Import"). The following procedure removes the SDConnector process application model, then discovers the SDC Host device model and re-imports the SDM configuration, which re-uses the existing "DMZ" device configurations. In other words, it changes the model that represents the SDC (from the SDConnector process application model to an SDC Host device model), which allows fault isolation to be enabled without affecting the existing device models for this SDM/SDC logic.

Procedure:

  1. Stop the SDC service/task on the SDC_host system.

  2. Reconfigure ./SDM/sdm.config: save the current config, then remove the current sdm.config file so that there is "no import file".

  3. Re-import the SDM config via OC-Console / Secure Domain Manager "Information" tab. This reads the "empty/non_existing" config.

  4. Delete the SDConnectorProcess application model.

  5. Create a pingable model for the SDC_Host system (or model it through discovery) and wait until the pingable model is "green" and available.

  6. Copy the saved ./SDM/sdm.config back in.

  7. Re-import via OC-Console / Secure Domain Manager "Information" tab, this time reading the valid sdm.config file.

  8. Start the SDC service/task on the SDC_host system.

  9. Verify that the SDM/SDC tunnel comes up by running netstat -an | grep 6844 (the default port for SDC/SDM is 6844).

  10. Wait until all "sdc_managed" devices show the correct status (i.e. poll-interval +60 seconds).

  11. Use a Locater search for the SDM/SDC to verify that all devices are under control of one SDC.

Now you can enable the "connection" setup to enable Spectrum Secure Domain manager SDM/SDC fault isolation logic (RCA). 

Additional Information

When the SDM import is run after the "SDC Host" device model was created, the SDM import logfile shows that the device/host model was re-used (in this example, the "pingable" for x.x.x.x):

[<userName>@<hostName>Logs]$ more SDMConfigImportLog.20160108180232 
Importing new SDM configuration into SPECTRUM... 
Parsing SDM configuration in sdm.config file... 
Done parsing SDM configuration 
Modeling new SDM configuration in SPECTRUM database... 
Found model x.x.x.x of type Pingable for SDConnector x.x.x.x 
Done modeling new SDM configuration in SPECTRUM database 
Done importing new SDM configuration into SPECTRUM
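
The two checks in this procedure (the tunnel check in step 9 and the re-use line in the import log above) can be scripted. The following is an added example, not Broadcom code: the function names are hypothetical, the netstat parsing assumes Linux-style column layout, and the log parsing assumes model names without spaces.

```shell
#!/bin/sh
# Added example, not vendor code. Sample inputs below are constructed.
SDC_PORT=6844   # default SDC/SDM port named in the article

# Reads an SDM import log on stdin. Prints "<model> <type> <sdconnector>" for
# each device model the import re-used; returns 0 only if at least one model
# was re-used AND the import ran to completion.
sdm_import_reused() {
  awk '
    /^Found model .* of type .* for SDConnector / { print $3, $6, $9; reused = 1 }
    /^Done importing new SDM configuration/        { finished = 1 }
    END { exit !(reused && finished) }
  '
}

# Reads `netstat -an` output on stdin. Prints ESTABLISHED, LISTEN or DOWN for
# the SDC port. Assumes Linux-style columns (local addr $4, remote addr $5,
# state last) and matches the port exactly, so 16844 or 68440 do not count.
sdc_tunnel_state() {
  awk -v port="$SDC_PORT" '
    $1 ~ /^tcp/ && ($4 ~ (":" port "$") || $5 ~ (":" port "$")) {
      if ($NF == "ESTABLISHED") est = 1
      else if ($NF == "LISTEN") lis = 1
    }
    END { print (est ? "ESTABLISHED" : (lis ? "LISTEN" : "DOWN")) }
  '
}

# Constructed samples (documentation address ranges, not real hosts).
SAMPLE_LOG='Importing new SDM configuration into SPECTRUM...
Parsing SDM configuration in sdm.config file...
Done parsing SDM configuration
Modeling new SDM configuration in SPECTRUM database...
Found model 192.0.2.10 of type Pingable for SDConnector 192.0.2.10
Done modeling new SDM configuration in SPECTRUM database
Done importing new SDM configuration into SPECTRUM'
SAMPLE_NETSTAT='tcp        0      0 192.0.2.10:6844     198.51.100.7:40112  ESTABLISHED
tcp        0      0 0.0.0.0:16844       0.0.0.0:*           LISTEN'

printf '%s\n' "$SAMPLE_LOG" | sdm_import_reused && echo "import re-used host model"
printf '%s\n' "$SAMPLE_NETSTAT" | sdc_tunnel_state
```

On a live system, feed the functions the real inputs instead of the samples: `netstat -an | sdc_tunnel_state` and `sdm_import_reused < SDMConfigImportLog.<timestamp>`.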