How to manually reset Autosys to Native EEM mode.

Products

CA Workload Automation AE - Business Agents (AutoSys) CA Workload Automation AE - Scheduler (AutoSys) Workload Automation Agent

Issue/Introduction

The user is unable to access the options under autosys_secure - access is blocked with the following error:

$ autosys_secure

 CA WAAE Security Utility

 CAUAJM_W_10450 Only the CA WAAE EDIT superuser can activate external security.


 CAUAJM_W_60050 Insufficient privileges to execute options 1 through 4.
 CAUAJM_W_60045 Only an CA WAAE EDIT superuser has access to all options!


 Please select from the following options:
 [5] Manage user@host or user@domain users.
 [6] Get encrypted password.
 [0] Exit CA WAAE Security Utility.
 > 0
 $

Environment

Autosys 11.x 12.x
CA Workload Automation AE r11.3.5+

Cause

The user is in EEM mode and has swapped to Native Mode.
Now, they cannot launch options 1-4 as 'autosys' or 'root' to revert back to EEM security.

The security settings for Autosys need to be manually reset.

Resolution

To manually reset the security setting for autosys_secure, you will need to access the autosys database.

Stop the autosys services (scheduler, application server) on all the servers if the environment is configured in HA.

Run the following SQL queries:

(If the environment is running with a dual database setup the same queries has to be executed on both the servers)

ORACLE

delete from aedbadmin.ujo_keymaster where hostid = 'SECURITY'; 
update aedbadmin.ujo_alamode set int_val=0 where type = 'JOB';
update aedbadmin.ujo_alamode set int_val=0 where type = 'EVT'; 
delete from aedbadmin.ujo_alamode where type = 'SEC'; 
delete from aedbadmin.ujo_blobs where blob_id = 'SAFECERT';
commit;

SQL SERVER

BEGIN TRANSACTION;
delete from ujo_keymaster where hostid = 'SECURITY'; 
update ujo_alamode set int_val=0 where type = 'JOB'; 
update ujo_alamode set int_val=0 where type = 'EVT'; 
delete from ujo_alamode where type = 'SEC'; 
delete from ujo_blobs where blob_id = 'SAFECERT';
COMMIT TRANSACTION;

DISCLAIMER: The procedure documented herein bypasses the WAAE external security (Embedded Entitlements Manager a.k.a EEM) and hence all security authorization policies setup in EEM for the WAAE instance in question will NOT be available until external security is reactivated. Ensure the WAAE Application server(s) and Scheduler(s) are stopped before carrying out this procedure so that no unauthorized actions (autorep, sendevent, etc) are processed whilst the WAAE instance security is being reset.

Additional Information

Security Best Practices with CA EEM

https://techdocs.broadcom.com/us/en/ca-enterprise-software/intelligent-automation/autosys-workload-automation/12-0-01/Before-You-Begin/ca-workload-automation-ae-deployment-best-practices/security-best-practices-with-ca-eem.html