Layer7 Identity Management

Expand all | Collapse all

Identity Manager CAM CAFT Process Troubleshooting

  • 1.  Identity Manager CAM CAFT Process Troubleshooting

    Posted 06-07-2016 08:28 PM
      |   view attached

    Team,

     

    You may still be using the older CAM/CAFT processes used by CA Identity Manager to manage endpoints that previously did not have an open API or alternative communication protocols. 

     

    CAM/CAFT is an older but stable process that still has some life.  

     

    If you find yourself still using this for MS Exchange or UNIX, you may find you have some challenges if placed on newer MS Window Servers with UAC and OS Firewalls.

     

    Challenge 1:  UAC & cafthost

    To address UAC error messages that will not allow you to edit "approved" hostnames via cafthost -a HOSTNAME or view with cafthost -l, recommend the use of an environmental variable:   CAI_Admin_Check=2

     

    Challenge 2:  OS F/W and TCP 4105 

    While one can disable the OS F/W, this is a "hammer" approach, to just opening the defined ports.   Below are examples using MS Windows CLI processes to allow any host to communicate to port 4104/4105.   You may wish to use TCP or UDP (not both)

    netsh advfirewall firewall add rule name="Open IMPS CAM TCP Ports" dir=in action=allow protocol=TCP localport="4104,4015"

    netsh advfirewall firewall add rule name="Open IMPS CAM UDP Ports" dir=in action=allow protocol=UDP localport="4104,4015"

     

    Challenge 3:  Missing DLL dependency  -  MSVCR71.DLL

    cam.exe, caft.exe, caftf.exe have a dependency on MSVCR71.DLL (32 bit) to be in the general OS PATH.

    If this file does not exist in the PATH, find a local copy and place in C:\Windows\SysWow64  folder.

    You may confirm this dependency with the tool  Dependency Walker.    Dependency Walker (depends.exe) Home Page

     

    Challenge 4:  Mis-configured CAM configurations files

    While the temptation is there, to edit what seems to be pure ASCII configurations file, please avoid, as the TAB and special characters are assumed to be in the correct locations.   It is possible to use CAM CLI tools to edit the configuration files.    If you find you have error message related to:

    CAM is running on endpoint but IMPS returns "No remote CAFT server running"   or  "No local CAFT server running"

    Please review tech note:    TEC526677

    http://www.ca.com/us/support/ca-support-online/product-content/knowledgebase-articles/tec526677.aspx

     

     

    Useful CAM commands:

    camping    (ping over the CAM protocol - used to identify F/W issue)

    camstat     (should be NO DIS {disconnects} in the list)

    cafthost -l   (view the "approved" list of inbound hosts allowed to send files)

     

    cam.exe  is executed as a Windows NT service

    caft.exe is called by cam.exe when needed

    caftf.exe is called by caft.exe when sending and receiving files over the CAM protocol.

     

    Recommend using MS Sysinternals to monitor the following services:

    Process Monitor

     

    im_ccs.exe      -    CA IM C++ Connector - Used to manage Exchange and UNIX endpoints

    cam.exe          -    CAM Service   (aka CA Messaging Service)

    caft.exe           -    CAFT Service   (aka CA File Transfer Service)

    caftf.exe          -    CAFT sub-service (push/pull files across the CAM protocol)

     

     

    Enclosing a logical diagram of the CA IM AD + Exchange connectors (using both CAM and the newer process of WinRM) to manage Exchange; that I find useful for debugging and walking through with consultants and customers.

     

     

    Cheers,

     

    A.



  • 2.  Re: Identity Manager CAM CAFT Process Troubleshooting

    Posted 06-14-2016 10:26 AM

    Thanks Alan!

     

    Sagi