CA PIM r12.8 SP1: Network class does not work in non-global Zone on Solaris 10

Document ID : KB000073867
Last Modified Date : 08/06/2018
Show Technical Document Details
Issue:

Customer configure to use TCP class as following but it does not work in non-global zone on Solaris 10.
When he get trace, network interception does not work.

1. enable TCP class via selang command.
  AC> so class+(TCP) 
2. add his TCP class rules via selang command.

3. Stop PIM all zone and unloading kernel in global zone.
  secons -s:  non-global zone
  secons -sk: global zone
  SEOS_load -u: global zone

4. Edit seos.ini as following at [SEOS_syscall] section to enable network interception.
  SEOS_use_streams = yes

5. Restart PIM in global zone and non-global zone.
 

Environment:
The problem is reported
OS: Solaris 10 (kernel Generic_150400-xx)
  configure global zone and non-global zone.
Products: CA Privileged Identity Manager r12.8 SP1 
 SEOS_use_ioctl  should set  1 in all zone to work PIM.
Cause:
The network interception on Privileged Identity Manager is enhanced from r12.8 SP1 and it does not need to push STREAMS module on Solaris or HP.
Then it does not need change SEOS_use_streams=yes to enable network interception.
And he does not change SEOS_network_intercept_type as default.
So, he set following inconsistent network interception setting.
  SEOS_use_streams = yes
  SEOS_network_intercept_type=2 ( this is default value) 
 
Resolution:
Please do not change network interception setting as default to enable network interception.

Correct Setting for network interception is here:
  SEOS_use_streams = no
  SEOS_network_intercept_type=2 ( this is default value) 

If OS supports STREAMS module and user wants to use it, SEOS_use_streams change to yes and SEOS_network_intercept_type change to 0 or 1.
Additional Information:
Description of these token at SEOS_syscall section in seos.ini is very confused.
SEOS_syscall section:
https://docops.ca.com/ca-privileged-identity-management/12-8-01/en/reference/configuration-files/the-seos-ini-initialization-file/seos_syscall/

SEOS_network_intercept_type :
 ...
"Important! You must also configure SEOS_use_streams = yes. Do not modify the SEOS_network_intercept_type token yourself. For assistance, contact CA Support at http://ca.com/support."

However it need to change only if network interception requires STREAMS module.
If user needs change SEOS_use_streams = yes, SEOS_network_intercept_type should be change from 2 as default to 0 or 1 as description.