Problem:
The customer had trouble getting policies applied to ControlMinder endpoints, both when installing new endpoints and when upgrading a policy. They were issuing the command "dmsmgr -sync self" to get the policies applied.
Environment:
CA Privileged Identity Manager r12.8
Cause:
Loss of sync in DMS__, missing fix B51S013, and lack of recycle parameters for queue "queue/audit".
Resolution:
Steps taken:
1) Set up a new endpoint
2) Change the new endpoint cycle to 1 minute (seini -s policyfetcher.check_deployment_tasks 60)
3) tail -f policyfetcher.log
4) On ENTM server: sepmd -L DMS__
**Found an Out of Sync message
5) tibemsadmin
connect ssl://localhost:7243
show queues
**The Tibco queues are large (especially queue/audit) - Customer does not use UAR
6) Checked accommon.ini file on both ENTM server and Endpoint
**audit_enabled was set to 1 on ENTM, and 0 on the Endpoint
secons -s (on the ENTM server to edit accommon.ini, to set audit_enabled to 0)
seload
7) tibemsadmin
connect ssl://localhost:7243
purge queue queue/audit
8) cat /opt/CA/AccessControlServer/MessageQueue/tibco/cfgmgmt/ems/data/bridges.conf
**This customer does not have the fix B51S013 applied
9) tibemsadmin
connect ssl://localhost:7243
purge queue ac_server_to_server_local
purge queue queue/DLQ
10) tibemsadmin
connect ssl://localhost:7243
show topics
11) sepmd -u DMS__ "Topic: ac_server_to_server_broadcast (DH)"
12) sepmd -L DMS__
**Subscription successfully removed
13) sepmd -smq DMS__ -predefined ServerToServerBroadcast -destination DH
14) sepmd -L DMS__
**Subscription successfully added
15) dmsmgr -sync self
16) Waited a couple minutes to let the server work
**Found the messages of successful deployments on policyfetcher.log of the test endpoint
17) sepmd -L DMS__
**Everything as expected
18) Checked on ENTM UI to see if the endpoints are getting updated
**OK
19) sepmd -L DH__WRITER
**Everything as expected
20) Steps to apply the fix (B51S013 – details at the end of this tecdoc):
a) Stop CM and Tibco
b) Apply the fix
c) Start CM and Tibco
21) Check the file "accommon.ini" of all endpoints to ensure that the parameter "audit_enabled" is set to "0" (without quotes) in all of them;
22) Execute "tibemsadmin" to run a purge on queue "ac_server_to_server_local" (only after applying the fix).
23) # tibemsadmin
> connect ssl://localhost:7243
> purge queue queue/audit
> setprop queue queue/audit maxmsgs=10, maxbytes=1MB, overflowPolicy=discardOld
Additional Information:
Follow the instructions below to apply the fix B51S013:
The fix is a configuration change and not any binary updates.
1) Stop Message Queue service AND ControlMinder
a) "CA ControlMinder Message Queue" from services panel in Windows
b) Linux : /etc/init.d/ca-acrptmq stop
c) To stop ControlMinder, run the command : secons -s
2) Go to the directory below that matches your server type and operating system.
a) Windows: {AccessControlServer_HOME}\MessageQueue\tibco\cfgmgmt\ems\data
b) Linux: {AccessControlServer_HOME}/MessageQueue/tibco/cfgmgmt/ems/data
c) For Linux External DS: {AccessControlDistServer_HOME}/ACMQ/tibco/cfgmgmt/ems/data
d) For other type of servers, similar hierarchy exists.
3) Open bridges.conf in a simple editor. On the last line of the file you will find the text below:
queue=ac_server_to_server_local
4) Append the text below to that line. Note the space before the keyword 'selector'.
selector="AC_SOURCE_COMPONENT='DMS' AND AC_DESTINATION_COMPONENT='DH'"
After making the change, the line should appear as below:
queue=ac_server_to_server_local selector="AC_SOURCE_COMPONENT='DMS' AND AC_DESTINATION_COMPONENT='DH'"
5) Start Message Queue service AND ControlMinder
a) "CA ControlMinder Message Queue" from services panel in Windows
b) Linux : /etc/init.d/ca-acrptmq start
c) To start ControlMinder : seload
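
The bridges.conf check from step 8 and the edit from steps 3 and 4 can be scripted so the selector is never appended twice. This is an added example, not CA-supplied code; the function names and the sample file contents are constructed for illustration, and the real bridges.conf path is passed in as an argument while the Message Queue service and ControlMinder are stopped.

```shell
#!/bin/sh
# Added example: verify and apply the B51S013 bridge selector idempotently.
TARGET='queue=ac_server_to_server_local'
SELECTOR="selector=\"AC_SOURCE_COMPONENT='DMS' AND AC_DESTINATION_COMPONENT='DH'\""

# Exit status: 0 = selector present on every target line,
#              1 = selector missing, 2 = no target line in the file.
b51s013_applied() {
    grep -q "$TARGET" "$1" || return 2
    if grep "$TARGET" "$1" | grep -qvF "$SELECTOR"; then
        return 1
    fi
    return 0
}

# Back up the file, then append the selector to bare target lines only.
b51s013_apply() {
    rc=0
    b51s013_applied "$1" || rc=$?
    [ "$rc" -eq 1 ] || return "$rc"   # already applied (0) or nothing to patch (2)
    cp -p "$1" "$1.bak" || return 3
    sed "s/${TARGET}[[:space:]]*\$/${TARGET} ${SELECTOR}/" "$1.bak" > "$1"
}

# Constructed sample, not a real server's file: one bridge entry without the fix.
make_sample() {
    printf '%s\n' '[topic:example_source]' "  $TARGET" > "$1"
}

demo() {
    f=$(mktemp) || return 1
    make_sample "$f"
    b51s013_applied "$f" && echo "before: applied" || echo "before: NOT applied"
    b51s013_apply "$f"
    b51s013_applied "$f" && echo "after: applied" || echo "after: NOT applied"
    tail -n 1 "$f"
    rm -f "$f" "$f.bak"
}
demo
```

Running b51s013_applied against each server's bridges.conf gives a quick inventory of which servers still need the fix before the purge in step 22.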