Symantec Privileged Access Management

  • 1.  PIM: Proxy Recording "It's not recording!" Checklist

    Broadcom Employee
    Posted May 10, 2015 09:54 PM

    I thought I would get the ball rolling with a checklist for what to check if the proxy recording feature, new in 12.9, does not work. So, without further ado...


    Proxy Recording "It's not recording!" Checklist.

     

    First things first, to restart ProxyManager:

     

    /etc/rc.d/init.d/proxymanager restart

     

    The above is used during several steps below.

     

     

    1. In ENTM, check that "Enable Proxy Session Recording" is checked in System -> Connection Management -> Session Recording -> Proxy Session Recording

    proxy_recording1a.png

     

    2. In ENTM, check that "Enable Proxy Session Recording" is checked on the Endpoint, Privileged Accounts -> Modify Endpoint, Search for and select Endpoint.

    proxy_recording2a.png

     

    3. Make sure you have installed the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files, by running Unlimited_JCE_Jar_Replace.sh in the UnlimitedJCEPolicy folder/directory of the 3rd party installation DVD.

     

    Note: it appears to be necessary to run this after installation of PIM in at least some cases. Restart the proxymanager after doing this.

     

     

    4. Make sure the settings in $AccessControlServer/Services/ProxyManager/conf/proxymanager.properties are set correctly:

     

    By default, these should be:

    # One hour in milliseconds
    heartbeat_sched=3600000
    # One hour in milliseconds
    recording_sched=3600000
    # Location of the recording files in the file system
    recording_files_folder=/var/log/samproxy
    JBOSS_HOME=/opt/jboss-4.2.3.GA
    SERVER_MODE=true
    TOMCAT_HOME=/opt/CA/AccessControlServer/apache-tomcat-7.0.54

     

    Make sure that there is plenty of disk space on the drive where recording_files_folder in proxymanager.properties is located. If not, point recording_files_folder to a location which has plenty of disk space and restart the proxymanager.

     

     

    5. If using SQL Server, make sure FILESTREAM is enabled on SQL Server. Was it enabled when you created the database and installed PIM? If not:

     

    Enable FILESTREAM for the db server https://msdn.microsoft.com/en-us/library/cc645923.aspx

     

    Then either:

     

    A) Enable FILESTREAM on the RECORDING_FILE table, replacing <dbname> and <filestreamgroupname> (you can call <filestreamgroupname> almost anything you want):

     

    ALTER DATABASE <dbname> ADD FILEGROUP <filestreamgroupname> CONTAINS FILESTREAM
    GO
    USE <dbname>
    ALTER TABLE RECORDING_FILE SET (FILESTREAM_ON = <filestreamgroupname>)
    GO

     

    Or

     

    B) Create a new database just for use with recordings (on a side note, this can be on a different server). Copy the following scripts from the Schema folder/directory on the install media to the database server and execute them against the database you have just created for the recordings:

     

    mssql_recording_database_deployment_script1.sql

    mssql_recording_database_deployment_script2.sql

     

    Edit $AccessControlServer/Services/ProxyManager/conf/database.properties to point to the database you have just created for the recordings:

     

    recording_database_user_name=<database_login>
    recording_database_user_password=<encrypted_password>
    recording_database_url=jdbc:sqlserver://<database_server>:1433;selectMethod=cursor;DatabaseName=<database_name>

     

    To encrypt the password for encrypted_password above run the following replacing <password> with the password used for database_login:

     

    cd "$AccessControlServer/IAM_Suite/Access Control/tools/PasswordTool/"
    ./pwdtools.sh -FIPS -p <password> -k $JBOSS_HOME/server/default/deploy/IdentityMinder.ear/config/com/netegrity/config/keys/FIPSkey.dat

     

    This will return something like:

     

    --------------------------------------------------
    Your JAVA_HOME is currently set to /usr/java/jdk1.7.0_71
    --------------------------------------------------
    Encrypting your password ...
    ******************************************
    Key File location=/opt/jboss-4.2.3.GA/server/default/deploy/IdentityMinder.ear/config/com/netegrity/config/keys/FIPSkey.dat
    Plain Text: <password>
    Encrypted value: {AES}:+VY4CnKjBTsN6FDiYsIdgw==
    ******************************************

    Copy the "Encrypted value:" above into recording_database_user_password, e.g.

     

    recording_database_user_password={AES}:+VY4CnKjBTsN6FDiYsIdgw==

     

    Restart proxymanager.

     

     

    6. If using Oracle... sorry, still TODO.

     

     

    Turning on debugging for ProxyManager

     

    On a side note. Before logging a case related to proxy recording with CA Technical Support, please enable debugging for the ProxyManager:

     

    1) edit $AccessControlServer/Services/ProxyManager/conf/log4j2.xml

     

    Find:

                    <root level="info">

    And change to:

                    <root level="debug">

    2) Restart proxymanager

     

    3) Note the time of day on the server

     

    4) Reproduce the problem

     

    5) Include the time of day from step 3 and $AccessControlServer/Services/ProxyManager/log/ProxyManager.log when logging the case

     

    6) Revert the change made in step 1 and restart proxymanager
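    A scripted version of step 4 of the checklist, added here as an example; it is not part of Simon's post or of the product. It verifies that every key listed in the default proxymanager.properties above is present and non-empty, and that the directory named by recording_files_folder has free space. The file path, key names and default values come from the post; the 2048 MB threshold in the usage comment and the constructed sample file are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post or from the product.
# Checks the step 4 items of the checklist: that every key the post lists is
# present in proxymanager.properties, and that recording_files_folder has
# free space. The 2048 MB threshold in the usage comment is an assumption.

# Print the value of key $2 from java-style properties file $1 (empty if absent).
prop_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Return 0 if all keys from the post's default proxymanager.properties are set,
# otherwise print the missing ones and return 1.
check_required_keys() {
    missing=""
    for key in heartbeat_sched recording_sched recording_files_folder \
               JBOSS_HOME SERVER_MODE TOMCAT_HOME; do
        [ -n "$(prop_get "$1" "$key")" ] || missing="$missing $key"
    done
    if [ -n "$missing" ]; then
        echo "missing or empty:$missing"
        return 1
    fi
    return 0
}

# Return 0 if directory $1 exists and has at least $2 MB free, else explain and return 1.
check_recording_space() {
    [ -d "$1" ] || { echo "recording_files_folder $1 does not exist"; return 1; }
    free_mb=$(df -Pm "$1" | awk 'NR == 2 { print $4 }')
    if [ "$free_mb" -lt "$2" ]; then
        echo "only ${free_mb} MB free under $1 (want at least $2 MB)"
        return 1
    fi
    return 0
}

# Demonstration on a constructed copy of the defaults quoted in the post, with
# the key name mistyped as "ecording_files_folder" to show what gets flagged.
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# One hour in milliseconds
heartbeat_sched=3600000
# One hour in milliseconds
recording_sched=3600000
# Location of the recording files in the file system
ecording_files_folder=/var/log/samproxy
JBOSS_HOME=/opt/jboss-4.2.3.GA
SERVER_MODE=true
TOMCAT_HOME=/opt/CA/AccessControlServer/apache-tomcat-7.0.54
EOF
    check_required_keys "$tmp" || echo "fix the key name, then restart proxymanager"
    rm -f "$tmp"
}
demo

# On a real server (the path is the one from the post; 2048 MB is an assumed minimum):
#   conf="$AccessControlServer/Services/ProxyManager/conf/proxymanager.properties"
#   check_required_keys "$conf" \
#     && check_recording_space "$(prop_get "$conf" recording_files_folder)" 2048
```

    Both functions print the reason when they fail, so the script can be run before restarting proxymanager and the output pasted into a support case alongside the ProxyManager.log.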



  • 2.  Re: PIM: Proxy Recording "It's not recording!" Checklist

    Broadcom Employee
    Posted May 10, 2015 10:21 PM

    Note that the correct links for enabling FILESTREAM on SQL Server are:

    2008

    2008R2

    2012



  • 3.  Re: PIM: Proxy Recording "It's not recording!" Checklist

    Posted May 10, 2015 11:25 PM

    Hi Simon,

     

    This is very good.

     

    One thing that I've encountered was the Proxy Server public URL showing as localhost.localdomain after install:

     

    localhostproxy.jpg

     

    And then when one tries to start a recording session, they might get an error:

     

    proxyerror.jpg

    So set the correct Proxy Server hostname or IP in the Public URL to avoid such a problem.

     

    Hope this helps,

     

    Regards,

     

    Amit.



  • 4.  Re: PIM: Proxy Recording "It's not recording!" Checklist

    Broadcom Employee
    Posted May 10, 2015 11:49 PM

    Hi Amit,

     

    I think the localhost.local problem is caused by not setting the hostname before installing PIM. To set the host name in RHEL6 (and Centos6) set the HOSTNAME parameter in /etc/sysconfig/networking and reboot (there might be a better way than rebooting, but...).

     

    Of course, if you have already installed PIM, your solution is the way to go.

     

    Cheers, Simon.



  • 5.  Re: PIM: Proxy Recording "It's not recording!" Checklist

    Broadcom Employee
    Posted Jun 17, 2015 07:56 PM

    Another thing I came across with a customer, not a PIM thing per se, but it will affect it.

     

    Customer had pointed ENTM to the proxy using an IP address rather than host name. The recording was working ok and we could see the recordings in the RECORDING_FILE table. However, on playback we got "The webpage cannot be found" (in IE6) and "HTTP 400 Bad Request" for the tab title.

     

    We determined that port 8443 had been bound to all ports but only using IPv6, not IPv4, by using:

     

    netstat -an | grep 8443

     

     

    Which returned only:

     

    tcp        0      0 :::8443                    :::*                        LISTEN

     

    Not:

     

    tcp        0      0 0.0.0.0:8443                0.0.0.0:*                  LISTEN
    tcp        0      0 :::8443                    :::*                        LISTEN
    

     

    To work around this, edit:

     

    /opt/CA/AccessControlServer/apache-tomcat-7.0.54/conf/server.xml

     

    Find:

     

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
    maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
    keystoreFile="/opt/CA/AccessControlServer/apache-tomcat-7.0.54/.keystore" keystorePass="changeit"
    clientAuth="false" sslProtocol="TLS" />
    

     

    And add the address parameter like so:

     

    <Connector port="8443" address="0.0.0.0" protocol="org.apache.coyote.http11.Http11Protocol"
    maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
    keystoreFile="/opt/CA/AccessControlServer/apache-tomcat-7.0.54/.keystore" keystorePass="changeit"
    clientAuth="false" sslProtocol="TLS" />
    

     

    This should force Tomcat to bind to all IPv4 addresses on the server after restarting.

     

    It is also worth considering disabling IPv6.

     

     

    To do this on a running system run the following as root:

     

    echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6
    echo 1 > /proc/sys/net/ipv6/conf/default/disable_ipv6
    

     

    To make permanent, edit:

     

    /etc/sysctl.conf

     

     

    And add the following lines at the end.

     

    net.ipv6.conf.default.disable_ipv6=1
    net.ipv6.conf.all.disable_ipv6=1
    

     

    Which will take effect after rebooting.
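    Two checks for the IPv6-only bind described in this post, added here as an example; this is not code from the post or from the product. The first reads `netstat -an` output and reports whether a port is listening on IPv4, IPv6, both or neither, so the symptom can be spotted without eyeballing the columns; the second confirms that the Tomcat Connector for that port carries an address attribute, which is the fix given above. The netstat lines and the Connector element are the ones quoted in the post; the temporary files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original post or from the product. Two checks
# for the IPv6-only bind described above: classify how a port is listening from
# `netstat -an` output, and confirm the Tomcat Connector carries an address attribute.

# Read `netstat -an` output on stdin and print how TCP port $1 is bound:
# none, ipv4-only, ipv6-only or both.
listen_families() {
    awk -v port="$1" '
        $1 ~ /^tcp6?$/ && $NF == "LISTEN" {
            n = split($4, a, ":")                   # local address is field 4
            if (a[n] != port) next                  # last colon-field is the port
            if ($4 ~ /^:::/ || $4 ~ /^\[/) v6 = 1   # ":::8443" or "[::]:8443" is IPv6
            else v4 = 1                             # "0.0.0.0:8443" or "10.0.0.5:8443" is IPv4
        }
        END {
            if (v4 && v6)  print "both"
            else if (v4)   print "ipv4-only"
            else if (v6)   print "ipv6-only"
            else           print "none"
        }'
}

# Return 0 if the <Connector port="$2" .../> element in server.xml $1 has an
# address attribute, 1 otherwise. The element may span several lines.
connector_has_address() {
    tr '\n' ' ' < "$1" | grep -o "<Connector[^>]*port=\"$2\"[^>]*>" | grep -q 'address='
}

# Demonstration with the netstat output and the Connector element quoted in the
# post (constructed files, not taken from a live server).
demo() {
    printf 'tcp        0      0 :::8443                    :::*                        LISTEN\n' \
        | listen_families 8443          # ipv6-only
    before=$(mktemp); after=$(mktemp)
    cat > "$before" <<'EOF'
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
keystoreFile="/opt/CA/AccessControlServer/apache-tomcat-7.0.54/.keystore" keystorePass="changeit"
clientAuth="false" sslProtocol="TLS" />
EOF
    # Apply the post's fix to a copy: insert address="0.0.0.0" on the 8443 connector.
    sed 's/^<Connector port="8443"/<Connector port="8443" address="0.0.0.0"/' "$before" > "$after"
    connector_has_address "$before" 8443 || echo "server.xml: 8443 connector has no address attribute"
    connector_has_address "$after" 8443 && echo "server.xml: 8443 connector now has address=\"0.0.0.0\""
    rm -f "$before" "$after"
}
demo

# On a real server (paths from the post):
#   netstat -an | listen_families 8443
#   connector_has_address /opt/CA/AccessControlServer/apache-tomcat-7.0.54/conf/server.xml 8443
```

    Run the first check again after restarting Tomcat: the expected result is "both" (or "ipv4-only" if IPv6 has been disabled as described above).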



  • 6.  Re: PIM: Proxy Recording "It's not recording!" Checklist

    Posted Jun 18, 2015 05:10 AM

    Hi Simon,

    Impressive content on a new component.

    Thanks for sharing!!

     

    --

    Vinay Reddy