Host Group Pattern Syntax

Document ID : KB000028748
Last Modified Date : 14/02/2018

Issue:

We identified an issue where AIX endpoints were not automatically assigned to the predefined OS host group (ghnode).
This document describes how to work around the issue.
Note: the issue is resolved in PIM r12.8 SP1 and newer.

Environment:

AIX 7.1 endpoints *only*

Cause:

1. Set up the AIX 7.1 endpoint to connect to the DH__ on the Enterprise Management server:

bash-4.2# cd /opt/CA/AccessControl/bin/

bash-4.2# ./dmsmgr -config -endpoint -dhname DH__@ENTM_HOSTNAME

 

2. Verify the endpoint is registered with the Enterprise Management:

AC> so list

(localhost)

Data for CA ControlMinder options
-----------------------------------------------------------
Password rules    :
        Alpha             : 1
        Alphanumeric      : 1
        Gracelogins       : 6
        History           : 0
        Interval          : 40
        Password min life : 0
        Min length        : 5
        Max length        : 8
        Sub str length    : 0
        Lower             : 1
        Max rep           : 2
        Numeric           : 1
        Special           : 1
        Upper             : 1
        Old PW check      : Yes
        Name check        : Yes
        Dictionary format : db
        Bidirectional     : No
        Prohibited chars  :
Inactive days     : 0
Accum PACL & ACL  : Yes
ADMIN             : Yes
APPL              : Yes
AUTHHOST          : Yes
CALENDAR          : Yes
CATEGORY          : No
Admin pwd change  : Yes
Own passwd change : No
CONNECT           : No
DAYTIMERES        : Yes
DEPLOYMENT        : Yes
DICTIONARY        : Yes
FILE              : Yes
Accum grp rights  : Yes
HNODE             : Yes
HOLIDAY           : Yes
HOST              : No
ISDH              : No
ISDMS             : No
KMODULE           : Yes
LOGINAPPL         : Yes
MFTERMINAL        : Yes
PASSWORD          : No
POLICY            : Yes
PROCESS           : Yes
PROGRAM           : Yes
PWPOLICY          : Yes
REGKEY            : Yes
RULESET           : Yes
SECLABEL          : No
SECLEVEL          : No
SPECIALPGM        : Yes
SUDO              : Yes
SURROGATE         : Yes
TCP               : No
TERMINAL          : Yes
USER_DIR          : Yes
WEBSERVICE        : Yes
WINSERVICE        : Yes
Last startup      : 30-Oct-2014 00:00
Last shutdown     : 30-Oct-2014 00:00
Update time       : 30-Oct-2014 11:10
Updated by        : root          (USER   )
AC ID             : 8dca29d0-00f6-0001-53ee-28e4ca06095e
DH                :
    DH__@ENTM_HOSTNAME
Accessor audit mode : Login-Success, Failure, Login-Failure

 

3. Verify the heartbeat is seeing the HNODE:

bash-4.2# cat /opt/CA/AccessControl/policyfetcher.log

11:25:17@Oct 30 2014 - sending heartbeat to DH...(editres HNODE ("my_hostname") node_type+("ACU") latest_keep_alive("10/30/14@11:25") node_version+("ACU:IP_ADDRESS_HERE") node_ip+("IP_ADDRESS_HERE") node_info("AIX 7.1 00CE67034C00") node_type-("ACU-0001-53ee-28e4ca06095e"))

 

4. Go to the Enterprise Management server, open ‘selang’ and go to the DMS__:

AC> host DMS__@
(DMS__@localhost)
Successfully connected
INFO: Target host's version is 12.80.1562

Windows OS info: Windows NT Version:6.1, Service Pack 1
30 Oct 2014 11:26:21 Eastern Daylight Time

AC> sr ghnode AIX*
(DMS__@localhost)

Data for GHNODE 'AIX 7.1'
-----------------------------------------------------------
Defaccess         : R
Audit mode        : Failure
Owner             : my_hostname\Administrator (USER)
Create time       : 10-Jun-2014 10:51
Update time       : 10-Jun-2014 10:51
Updated by        : my_hostname\Administrator (USER)
Comment           : Default host group for all AIX 7.1 hosts.
Criteria          :
    HNODE_INFO=AIX 7 1*

We can see here that the ‘Criteria’ value is incorrect: it reads ‘AIX 7 1*’, which does not match the node_info string ("AIX 7.1 ...") that the endpoint sends in its heartbeat. This is an OOTB defect that we need to fix.
Note the missing '.' character.

Resolution:

5. On the Enterprise Management server, go into ‘selang’ and remove the assigned criteria:

AC> editres GHNODE ("AIX 7.1") criteria-(HNODE_INFO=AIX 7 1*)

6. Then, add the assigned criteria:

AC> editres GHNODE ("AIX 7.1") criteria+(HNODE_INFO=AIX 7.1*)
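
The following is an added example, not part of the original article or of the product: it takes the heartbeat line shown in step 3 and checks its node_info value against the old and the corrected criteria. The function names (extract_node_info, criteria_matches, report) are hypothetical, and the script assumes that '*' in a criteria value matches any run of characters while every other character is literal.

```shell
#!/bin/sh
# Added example (not vendor code): test a heartbeat's node_info against a
# GHNODE criteria value. Assumption: '*' matches any run of characters and
# every other character, including '.' and space, is literal.

# Heartbeat line copied from the policyfetcher.log excerpt on this page.
SAMPLE_HEARTBEAT='11:25:17@Oct 30 2014 - sending heartbeat to DH...(editres HNODE ("my_hostname") node_type+("ACU") latest_keep_alive("10/30/14@11:25") node_version+("ACU:IP_ADDRESS_HERE") node_ip+("IP_ADDRESS_HERE") node_info("AIX 7.1 00CE67034C00") node_type-("ACU-0001-53ee-28e4ca06095e"))'

# Print the node_info value from one heartbeat line; fail if there is none.
extract_node_info() {
    printf '%s\n' "$1" | sed -n 's/.*node_info("\([^"]*\)").*/\1/p' | grep .
}

# criteria_matches VALUE CRITERIA
# Returns 0 on match, 1 on no match, 2 if the pattern uses characters
# outside the assumed syntax (?, [ or \), which the shell would interpret.
criteria_matches() {
    pattern=${2#HNODE_INFO=}
    case $pattern in
        *\?*|*\[*|*\\*) return 2 ;;
    esac
    case $1 in
        $pattern) return 0 ;;
        *) return 1 ;;
    esac
}

# Report which of the given criteria would place the endpoint in the group.
report() {
    info=$(extract_node_info "$1") || { echo "no node_info in line"; return 1; }
    shift
    for criteria in "$@"; do
        if criteria_matches "$info" "$criteria"; then
            echo "MATCH     $criteria  <-  $info"
        else
            echo "NO MATCH  $criteria  <-  $info"
        fi
    done
}

# Old (defective) criteria first, corrected criteria second.
report "$SAMPLE_HEARTBEAT" 'HNODE_INFO=AIX 7 1*' 'HNODE_INFO=AIX 7.1*'
```

To check a live endpoint, pass the most recent "sending heartbeat" line from policyfetcher.log as the first argument to report.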

If necessary, modify these tokens in seos.ini to adjust the policyfetcher cycle to your needs.


check_deployment_tasks

Defines how often, in seconds, policyfetcher checks for new deployment tasks (DEPLOYMENT resources) on the Distribution Host.
Default: 3600 (every 10 minutes)
Limits: A minimum value of 60
 

endpoint_heartbeat
 
Defines the frequency at which policyfetcher sends a heartbeat to the Distribution Host (DH). The frequency is a factor of the check_deployment_tasks setting, and determines how many times policyfetcher checks deployment tasks before it sends a heartbeat. For example, if check_deployment_tasks is set to the default 600 seconds (10 minutes) and you set this to 6, policyfetcher sends a heartbeat every 3600 seconds (1 hour).

The policyfetcher runs the deviation calculator (start devcalc command) after sending the heartbeat, and then waits 60 seconds for the deviation calculation to complete. After 60 seconds, policyfetcher continues to check that local endpoint information is identical to DH information.
Default: 6
 

Submit these commands in a root shell on the AIX endpoint:

[root@mybox CM]# secons -s
[root@mybox CM]# seini -s policyfetcher.check_deployment_tasks 10
[root@mybox CM]# seini -s policyfetcher.endpoint_heartbeat 1
[root@mybox CM]# seload

In this case, policyfetcher will check for tasks and send the heartbeat every 10 seconds.
Note that these settings might not be suitable in larger production environments.