PIM Endpoints not getting the policy deployments
search cancel

PIM Endpoints not getting the policy deployments


Article ID: 45836


Updated On:


CA Virtual Privilege Manager CA Privileged Identity Management Endpoint (PIM) CA Privileged Access Manager (PAM)



Customer was facing issues to get their policies applied to ControlMinder endpoints, either when installing new endpoints or upgrading a policy. They were issuing the command "dmsmgr -sync self" to get the policies applied.


CA Privileged Identity Manager r12.8


Lost of sync in DMS__, missing fix B51S013, lack of recycle parameters for queue "queue/audit".


Steps taken:

1) Set up a new endpoint

2) Change the new endpoint cycle to 01 minute (seini -s policyfetcher.check_deployment_tasks 60)

3) tail -f policyfetcher.log

4) On ENTM server: sepmd -L DMS__

**Found a message of Out of Sync

5) tibemsadmin

connect ssl://localhost:7243

show queues

**The Tibco queues are large (specially queue/audit) - Customer does not use UAR

6) Checked accommon.ini file on both ENTM server and Endpoint

**audit_enabled was set to 1 on ENTM, and 0 on the Endpoint

secons -s (on the ENTM server to edit accommon.ini, to set audit_enabled to 0)


7) tibemsadmin

connect ssl://localhost:7243

purge queue queue/audit

8) cat /opt/CA/AccessControlServer/MessageQueue/tibco/cfgmgmt/ems/data/bridges.conf

**This customer does not have the fix B51S013 applied

9) tibemsadmin

connect ssl://localhost:7243

purge queue ac_server_to_server_local

purge queue queue/DLQ

10) tibemsadmin

connect ssl://localhost:7243

show topics

11) sepmd -u DMS__ "Topic: ac_server_to_server_broadcast (DH)"

12) sepmd -L DMS__

**Subscription successfully removed

13) sepmd -smq DMS__ -predefined ServerToServerBroadcast -destination DH

14) sepmd -L DMS__

**Subscription successfully added

15) dmsmgr -sync self

16) Waited a couple minutes to let the server work

**Found the messages of successful deployments on policyfetcher.log of the test endpoint

17) sepmd -L DMS__

**Everything as expected

18) Checked on ENTM UI to see if the endpoints are getting updated


19) sepmd -L DH__WRITER

**Everything as expected

20) Steps to apply the fix (B51S013 – details in the end of this tecdoc):

a) Stop CM and Tibco

b) Apply the fix

c) Start CM and Tibco

21) Check the file "accommon.ini" of all endpoints to ensure that the parameter "audit_enabled" is set to "0" (without quotes) in all of them;

22) Execute "tibemsadmin" to run a purge on queue "ac_server_to_server_local" (only after applying the fix).

23) # tibemsadmin

> connect ssl://localhost:7243

> purge queue queue/audit

> setprop queue queue/audit maxmsgs=10, maxbytes=1MB, overflowPolicy=discardOld

Additional Information:

Follow the instructions below to apply the fix B51S013:

The fix is a configuration change and not any binary updates.

1) Stop Message Queue service AND ControlMinder

a) "CA ControlMinder Message Queue" from services panel in Windows

b) Linux : /etc/init.d/ca-acrptmq stop

c) To stop ControlMinder, run the command : secons -s

2) Please go to the below directories based on the type of Server and Operating System.

a) Windows: {AccessControlServer_HOME}\MessageQueue\tibco\cfgmgmt\ems\data

b) Linux: {AccessControlServer_HOME}/MessageQueue/tibco/cfgmgmt/ems/data

c) For Linux External DS: {AccessControlDistServer_HOME}/ACMQ/tibco/cfgmgmt/ems/data

d) For other type of servers, similar hierarchy exists.

3) Open bridges.conf in simple editor, at the last line of file, you will find below text queue=ac_server_to_server_local

4) Append the below text. Please note space before keyword 'selector'.


After making changes , it should appear as below

queue=ac_server_to_server_local selector="AC_SOURCE_COMPONENT='DMS' AND AC_DESTINATION_COMPONENT='DH'"

5) Start Message Queue service AND ControlMinder

a) "CA ControlMinder Message Queue" from services panel in Windows

b) Linux : /etc/init.d/ca-acrptmq start

c) To start ControlMinder : seload


Release: ACP1M005900-12.8-Privileged Identity Manager