PIM: Expected behavior of endpoint agent if Server infrastructure is down


Article ID: 95701


Updated On:


Products: CA Virtual Privilege Manager, CA Privileged Identity Management Endpoint (PIM), CA Privileged Access Manager (PAM)


I would like to confirm what would happen to agents (version 12.80 and 12.81) if the Enterprise Management servers and DH__ servers are not available. The purpose of this is that Control Minder is being decommissioned in our environment and we would like to be sure that there is no chance that an endpoint with an agent installed would act up if the servers were turned off. Particularly, would the agent crash the box, or would log files be generated to the point of filling up disk space?


Component: SEOSU


If the Enterprise Management servers and Distribution Servers are being decommissioned, then the endpoints don’t have much responsibility anymore besides locking down local resources on that box and providing authority as to which users can access which resources. 

The DH is responsible for distributing policy deployments, made on the DMS, to endpoints, and for receiving deployment status from endpoints to send to the DMS. 

The Message Queue manages inbound and outbound messages between the Enterprise Management Server and other components. The Message Queue has a dedicated queue for each client component that communicates with the Enterprise Management Server, as follows: 

1.    Report queue: Receives scheduled snapshots of the endpoint databases.
a.    The reporting service uses the snapshots to generate CA ControlMinder reports.

2.    Audit queue: Receives audit events that occur on the endpoints.
a.    You can configure CA User Activity Reporting Module to collect and report on the audit events.

3.    Server to endpoint queue: Receives data from the DMS that is collected by endpoints.
a.    For example, when you deploy a UNAB config policy the DMS sends the config policy to this queue. The UNAB agent then collects the policy from the queue and deploys the policy on the UNAB endpoint.

4.    Endpoint to server queue: Receives information from endpoints that is collected by the DMS.
a.    For example, a UNAB endpoint sends a heartbeat notification to this queue. The DMS then collects the heartbeat notification from the queue and updates the endpoint status in its database.

The Java Connector Server (JCS) communicates with Java supported managed devices, such as Windows operating systems and SQL servers, and manages privileged accounts on SAM endpoints. 

When removing the Enterprise Management server, you also cannot:

1.    View your implementation of CA Privileged Identity Manager throughout the enterprise
2.    Configure hosts and host groups and assign policies to CA Privileged Identity Manager and UNAB endpoints
3.    Check out and check in shared account passwords (with and without Proxy)
4.    Configure privileged accounts, endpoints, password policies and password consumers
5.    Display reports, manage snapshot definitions and capture snapshot data
6.    Manage users, groups, roles and tasks
7.    Manage system wide connection settings
8.    View audit records


If audit is enabled in the ReportAgent configuration, the reportagent service may core because it is trying to connect to the Message Queue (this is a possible scenario, not a definite one).

Check your /etc/accommon.ini and look under the reporting settings:

; Specifies whether reporting is enabled on local machine. 
; values: 
; 1 Reporting is enabled 
; 0 Reporting is Disabled 
; Default: 0 
reportagent_enabled = 0 

; Specifies whether you want to send database snapshot data to the Distribution Server 
; Values: 0- no, 1- yes 
; Default: 1 
snapshot_enabled = 0
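
A way to run this check across endpoints before the servers are switched off, as an added example that is not part of the original article or of the product. It assumes the two keys can be matched anywhere in the file regardless of section, and that a missing key takes the default stated in the file comments (0 for reportagent_enabled, 1 for snapshot_enabled); the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not vendor code: audit accommon.ini-style reporting settings.

# effective_setting FILE KEY DEFAULT
# Prints the last uncommented "KEY = value" found in FILE, or DEFAULT when the
# key is absent. Keys are matched file-wide (section headers are ignored).
effective_setting() {
    awk -v key="$2" -v def="$3" '
        /^[ \t]*;/ { next }                  # ";" starts a comment line
        {
            eq = index($0, "=")
            if (eq == 0) next                # not a key = value line
            k = substr($0, 1, eq - 1)
            v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t\r]+$/, "", k) # trim blanks and stray CR
            gsub(/^[ \t]+|[ \t\r]+$/, "", v)
            if (k == key) { val = v; found = 1 }
        }
        END { print (found ? val : def) }
    ' "$1"
}

# check_reporting FILE
# Returns 0 when both settings are effectively 0, 1 when either needs review,
# 2 when FILE cannot be read.
check_reporting() {
    file=$1
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    status=0
    # KEY:DEFAULT pairs; defaults are the ones stated in the file comments.
    for pair in reportagent_enabled:0 snapshot_enabled:1; do
        key=${pair%%:*}
        def=${pair##*:}
        val=$(effective_setting "$file" "$key" "$def")
        if [ "$val" = "0" ]; then
            echo "OK      $key = $val"
        else
            echo "REVIEW  $key = $val (not 0)"
            status=1
        fi
    done
    return "$status"
}

# Constructed sample: reportagent disabled, snapshot_enabled key missing.
sample=$(mktemp)
printf '%s\n' '; Default: 0' 'reportagent_enabled = 0' > "$sample"
check_reporting "$sample" || echo "endpoint needs a configuration change"
rm -f "$sample"
```

On an endpoint, call check_reporting /etc/accommon.ini; the constructed sample shows that a file which simply omits snapshot_enabled is still flagged, because the stated default is 1.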