I thought I would get the ball rolling with a checklist of what to check if proxy recording, which is new in 12.9, does not work. So, without further ado...
Proxy Recording "It's not recording!" Checklist.
First things first, to restart ProxyManager:
/etc/rc.d/init.d/proxymanager restart
The above is used during several steps below.
1. In ENTM, check that "Enable Proxy Session Recording" is checked in System -> Connection Management -> Session Recording -> Proxy Session Recording
2. In ENTM, check that "Enable Proxy Session Recording" is checked on the Endpoint: Privileged Accounts -> Modify Endpoint, then search for and select the Endpoint.
3. Make sure you have installed the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files, by running Unlimited_JCE_Jar_Replace.sh in the UnlimitedJCEPolicy folder/directory of the 3rd party installation DVD.
Note: it appears to be necessary to run this after installation of PIM in at least some cases. Restart the proxymanager after doing this.
4. Make sure the settings in $AccessControlServer/Services/ProxyManager/conf/proxymanager.properties are set correctly:
By default, these should be:
# One hour in milliseconds
heartbeat_sched=3600000
# One hour in milliseconds
recording_sched=3600000
# Location of the recording files in the file system
recording_files_folder=/var/log/samproxy
JBOSS_HOME=/opt/jboss-4.2.3.GA
SERVER_MODE=true
TOMCAT_HOME=/opt/CA/AccessControlServer/apache-tomcat-7.0.54
Make sure that there is plenty of disk space on the drive where recording_files_folder in proxymanager.properties is located. If not, point recording_files_folder to a location which has plenty of disk space and restart the proxymanager.
5. If using SQL Server, make sure FILESTREAM is enabled on SQL Server. Was it enabled when you created the database and installed PIM? If not:
Enable FILESTREAM for the db server https://msdn.microsoft.com/en-us/library/cc645923.aspx
Then either:
A) Enable FILESTREAM on the RECORDING_FILE table. Replace <dbname> and <filestreamgroupname>; you can call <filestreamgroupname> almost anything you want:
ALTER DATABASE <dbname> ADD FILEGROUP <filestreamgroupname> CONTAINS FILESTREAM
GO
USE <dbname>
ALTER TABLE RECORDING_FILE SET (filestream_on=<filestreamgroupname>)
GO
Or
B) Create a new database just for use with recordings (on a side note, this can be on a different server). Copy the following scripts from the Schema folder/directory on the install media to the database server and execute them against the database you have just created for the recordings:
mssql_recording_database_deployment_script1.sql
mssql_recording_database_deployment_script2.sql
Edit $AccessControlServer/Services/ProxyManager/conf/database.properties to point to the database you have just created for the recordings:
recording_database_user_name=<database_login>
recording_database_user_password=<encrypted_password>
recording_database_url=jdbc:sqlserver://<database_server>:1433;selectMethod=cursor;DatabaseName=<database_name>
To encrypt the password for encrypted_password above, run the following, replacing <password> with the password used for database_login:
cd "$AccessControlServer/IAM_Suite/Access Control/tools/PasswordTool/"
./pwdtools.sh -FIPS -p <password> -k $JBOSS_HOME/server/default/deploy/IdentityMinder.ear/config/com/netegrity/config/keys/FIPSkey.dat
This will return something like:
--------------------------------------------------
Your JAVA_HOME is currently set to /usr/java/jdk1.7.0_71
--------------------------------------------------
Encrypting your password ...
******************************************
Key File location=/opt/jboss-4.2.3.GA/server/default/deploy/IdentityMinder.ear/config/com/netegrity/config/keys/FIPSkey.dat
Plain Text: <password>
Encrypted value: {AES}:+VY4CnKjBTsN6FDiYsIdgw==
******************************************
Copy the "Encrypted value:" above into recording_database_user_password, e.g.
recording_database_user_password={AES}:+VY4CnKjBTsN6FDiYsIdgw==
Restart proxymanager.
6. If using Oracle,.... sorry, still TODO.
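The check from step 4 can be scripted. The following is an added example, not part of the original checklist or of the product: it reads recording_files_folder from proxymanager.properties and verifies that the folder exists, is writable, and has free space. The function names, return codes and the 1 GiB default threshold are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not product code): verify the recording folder from step 4.
# Usage after sourcing this file:
#   check_recording_folder <path to proxymanager.properties> [min_free_kb]
# Return codes (chosen for this example):
#   0 ok, 1 file unreadable, 2 key not set,
#   3 folder missing or not writable, 4 free space below threshold

# Print the value of key $2 from properties file $1 (last definition wins).
# Commented-out lines and misspelled keys do not match.
prop_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*[=:][[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

check_recording_folder() {
    props=$1
    min_kb=${2:-1048576}    # assumption: require at least 1 GiB free
    if [ ! -r "$props" ]; then
        echo "cannot read $props" >&2
        return 1
    fi
    dir=$(prop_get "$props" recording_files_folder)
    if [ -z "$dir" ]; then
        echo "recording_files_folder is not set in $props" >&2
        # Show near-miss lines, e.g. a misspelled or commented-out key
        grep -n 'files_folder' "$props" >&2 || true
        return 2
    fi
    # -w tests the current user, so run this as the account
    # that ProxyManager runs under
    if [ ! -d "$dir" ] || [ ! -w "$dir" ]; then
        echo "$dir is missing or not writable" >&2
        return 3
    fi
    # df -P guarantees one line per file system; column 4 is available KB
    free_kb=$(df -Pk "$dir" | awk 'NR==2 {print $4}')
    if [ "$free_kb" -lt "$min_kb" ]; then
        echo "$dir has only ${free_kb} KB free (need ${min_kb})" >&2
        return 4
    fi
    echo "OK: $dir has ${free_kb} KB free"
    return 0
}
```

If the folder is changed as a result, restart the proxymanager as described in step 4.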
Turning on debugging for ProxyManager
On a side note, before logging a case related to proxy recording with CA Technical Support, please enable debugging for the ProxyManager:
1) Edit $AccessControlServer/Services/ProxyManager/conf/log4j2.xml
Find:
<root level="debug">
And change to:
<root level="info">
2) Restart proxymanager
3) Note the time of day on the server
4) Reproduce the problem
5) Include the time of day from step 3 and $AccessControlServer/Services/ProxyManager/log/ProxyManager.log when logging the case
6) Revert the change made in step 1 and restart proxymanager