Symantec Privileged Access Management

Expand all | Collapse all

PIM: Proxy Recording "It's not recording!" Checklist

  • 1.  PIM: Proxy Recording "It's not recording!" Checklist

    Broadcom Employee
    Posted 05-10-2015 09:54 PM

    I thought I would get the ball rolling with a checklist for what to check if the new to 12.9 proxy recording does not work. So, without further ado...


    Proxy Recording "It's not recording!" Checklist.

     

    First things first, to restart ProxyManager:

     

    /etc/rc.d/init.d/proxymanager restart

     

    The above is used during several steps below.

     

     

    1. In ENTM, check that "Enable Proxy Session Recording" is checked in System -> Connection Management -> Session Recording -> Proxy Session Recording

    proxy_recording1a.png

     

    2. In ENTM, check that "Enable Proxy Session Recording" is checked on the Endpoint, Privileged Accounts -> Modify Endpoint, Search for and select Endpoint.

    proxy_recording2a.png

     

    3. Make sure you have installed the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files, buy running Unlimited_JCE_Jar_Replace.sh in the UnlimitedJCEPolicy folder/directory of the 3rd party installation DVD.

     

    Note: it appears to be necessary to run this after installation of PIM in at least some cases. Restart the proxymanager after doing this.

     

     

    4. Make sure the settings in $AccessControlServer/Services/ProxyManager/conf/proxymanager.properties are set correctly:

     

    By default, these should be:

    # One hour in milliseconds heartbeat_sched=3600000  # One hour in milliseconds recording_sched=3600000  # Location of the recording files in the file system ecording_files_folder=/var/log/samproxy  JBOSS_HOME=/opt/jboss-4.2.3.GA SERVER_MODE=true TOMCAT_HOME=/opt/CA/AccessControlServer/apache-tomcat-7.0.54

     

    Make sure that there is plenty of disk space on the drive where recording_files_folder in proxymanager.properties is located. If not, point recording_files_folder to a location which has plenty of disk space and restart the proxymanager.

     

     

    5. If using SQL Server, make sure FILESTREAM is enabled on SQL Server. Was it enabled when you created the database and installed PIM? If not:

     

    Enable FILESTREAM for the db server https://msdn.microsoft.com/en-us/library/cc645923.aspx

     

    Then either:

     

    A) Enable FILESTREAM on the RECORDING_FILE table, replace <dbname> and <filestreamgroupname>, you can call <filestreamgroupname> almost anything you want:

     

    ALTER DATABASE <dbname> ADD FILEGROUP <filestreamgroupname>   CONTAINS FILESTREAM GO  USE <dbname> ALTER Table RECORDING_FILE SET (filestream_on=<filestreamgroupname>) GO

     

    Or

     

    B) Create a new database just for use with recordings (on a side note, this can be on a different server). Copy the following scripts from the Schema folder/directory on the install media to the database server and execute them against the database you have just created for the

     

    recordings:

     

    mssql_recording_database_deployment_script1.sql

    mssql_recording_database_deployment_script2.sql

     

    Edit $AccessControlServer/Services/ProxyManager/conf/database.properties to point to the database you have just created for the recordings:

     

    recording_database_user_name=<database_login> recording_database_user_password=<encrypted_password> recording_database_url=jdbc:sqlserver://<database_server>:1433;selectMethod=cursor;DatabaseName=<database_name>

     

    To encrypt the password for encrypted_password above run the following replacing <password> with the password used for database_login:

     

    cd "$AccessControlServer/IAM_Suite/Access Control/tools/PasswordTool/" ./pwdtools.sh -FIPS -p <password> -k $JBOSS_HOME/server/default/deploy/IdentityMinder.ear/config/com/netegrity/config/keys/FIPSkey.dat

     

    This will return something like:

     

    -------------------------------------------------- Your JAVA_HOME is currently set to /usr/java/jdk1.7.0_71 -------------------------------------------------- Encrypting your password ... ******************************************  Key File location=/opt/jboss-4.2.3.GA/server/default/deploy/IdentityMinder.ear/config/com/netegrity/config/keys/FIPSkey.dat  Plain Text: <password> Encrypted value: {AES}:+VY4CnKjBTsN6FDiYsIdgw== ******************************************

    Copy the "Encrypted value:" above into recording_database_user_password, e.g.

     

    recording_database_user_password={AES}:+VY4CnKjBTsN6FDiYsIdgw==

     

    Restart proxymanager.

     

     

    6. If using Oracle,.... sorry, still TODO.

     

     

    Turning on debugging for ProxyManager

     

    On a side note. Before logging a case related to proxy recording with CA Technical Support, please enable debugging for the ProxyManager:

     

    1) edit $AccessControlServer/Services/ProxyManager/conf/log4j2.xml

     

    Find:

                    <root level="debug">

    And change to:

                    <root level="info">

    2) Restart proxymanager

     

    3) Note the time of day on the server

     

    4) Reproduce the problem

     

    5) Include the time of day from step 3 and $AccessControlServer/Services/ProxyManager/log/ProxyManager.log when logging the case

     

    6) Revert the change made in step 1 and restart proxymanager



  • 2.  Re: PIM: Proxy Recording "It's not recording!" Checklist

    Broadcom Employee
    Posted 05-10-2015 10:21 PM

    Note that the correct links for enabling FILESTREAM on SQL Server are:

    2008

    2008R2

    2012



  • 3.  Re: PIM: Proxy Recording "It's not recording!" Checklist

    Broadcom Employee
    Posted 05-10-2015 11:25 PM

    Hi Simon,

     

    This is very good.

     

    One thing that I've encountered was the Proxy Server public URL showing as localhost.localdomain after install:

     

    localhostproxy.jpg

     

    And then when one try and start a recording session - they might get an error:

     

    proxyerror.jpg

    So set the correct Proxy Server hostname or IP in the Public URL to avoid such a problem.

     

    Hope this helps,

     

    Regards,

     

    Amit.



  • 4.  Re: PIM: Proxy Recording "It's not recording!" Checklist

    Broadcom Employee
    Posted 05-10-2015 11:49 PM

    Hi Amit,

     

    I think the localhost.local problem is caused by not setting the hostname before installing PIM. To set the host name in RHEL6 (and Centos6) set the HOSTNAME parameter in /etc/sysconfig/networking and reboot (there might be a better way than rebooting, but...).

     

    Of course, if you have already installed PIM, your solution is the way to go.

     

    Cheers, Simon.



  • 5.  Re: PIM: Proxy Recording "It's not recording!" Checklist

    Broadcom Employee
    Posted 06-17-2015 07:56 PM

    Another thing I came across with a customer, not a PIM thing per se, but it will affect it.

     

    Customer had pointed ENTM to the proxy using an IP address rather than host name. The recording was working ok and we could see the recordings in the RECORDING_FILE table. However, on play back we got "The webpage cannot be found" (in ie6) and "HTTP 400 Bad Request" for the tab title.

     

    We determine that port 8443 had been bound to all ports but only using ipv6, not ipv4, but using:

     

    netstat -an | grep 8443

     

     

    Which returned only:

     

    tcp        0      0 :::8443                    :::*                        LISTEN

     

    Not:

     

    tcp        0      0 0.0.0.0:8443                0.0.0.0:*                  LISTEN
    tcp        0      0 :::8443                    :::*                        LISTEN
    

     

    To work around this, edit:

     

    /opt/CA/AccessControlServer/apache-tomcat-7.0.54/conf/server.xml

     

    Find:

     

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
    maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
    keystoreFile="/opt/CA/AccessControlServer/apache-tomcat-7.0.54/.keystore" keystorePass="changeit"
    clientAuth="false" sslProtocol="TLS" />
    

     

    And add the address parameter like so:

     

    <Connector port="8443" address="0.0.0.0" protocol="org.apache.coyote.http11.Http11Protocol"
    maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
    keystoreFile="/opt/CA/AccessControlServer/apache-tomcat-7.0.54/.keystore" keystorePass="changeit"
    clientAuth="false" sslProtocol="TLS" />
    

     

    This should force tomcat to bind to all ipv4 address on the server after restarting.

     

    It is also worth considering disabling ipv6.

     

     

    To do this on a running system run the following as root:

     

    echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6
    echo 1 > /proc/sys/net/ipv6/conf/default/disable_ipv6
    

     

    To make permanent, edit:

     

    /etc/sysctl.conf

     

     

    And add the following lines at the end.

     

    net.ipv6.conf.default.disable_ipv6=1
    net.ipv6.conf.all.disable_ipv6=1
    

     

    Which will take effect after rebooting.



  • 6.  Re: PIM: Proxy Recording "It's not recording!" Checklist

    Posted 06-18-2015 05:10 AM

    Hi Simon,

    Impressive content on a new component.

    Thanks for sharing!!

     

    --

    Vinay Reddy