Symantec Privileged Access Management

Tech Tip: Setting the JDK/JRE for Privileged Identity Manager 12.9SP1 on Windows

  • 1.  Tech Tip: Setting the JDK/JRE for Privileged Identity Manager 12.9SP1 on Windows

    Broadcom Employee
    Posted 12-07-2015 04:59 PM

    Lets sort out any potential problems with different JREs being installed on the system and force the various components of PIM 12.9SP1 on windows to use the JDK/JRE we installed from the 3rd party components media.

     

    I am making the assumption that PIM, the jdk and jboss have been installed in the default locations of:

     

    C:\Program Files\CA\AccessControlServer
    C:\jdk1.8.0
    C:\jboss-4.2.3.GA

     

    1. Apache Tomcat

     

    By default Tomcat will pick up and use the first java.exe in the system path. To fix this, navigate to C:\Program Files\CA\AccessControlServer\apache-tomcat-7.0.54\bin and execute tomcat7w.exe. Go to Java tab and set "Java Virtual Machine" to:

     

     

    C:\jdk1.8.0\jre\bin\server\jvm.dll

     

    jvm.png

     

    Restart the "Apache Tomcat 7.0.54" service.

     

     

    2. GUACD

     

    GUACD will pickup and use the first java.exe in the system path. The easy way to sort this out is to change the system path to have the following at the front:

     

     

    C:\jdk1.8.0\jre\bin

     

     

    However, this does put you at the mercy of other potentially path changing applications, so another, albeit unsupported (NOTE: unsupported, development and SE avert thyne eyes), way of doing this is to create a wrapper around guacd.exe which sets the path before starting guacd.exe.

     

    Stop the GUACD service.

     

    Create a file called C:\Program Files\CA\AccessControlServer\PupmProxy\bin\guacd_wrapper.bat with the following contents:

     

    @echo off
    path=c:\jdk1.8.0\jre\bin;%PATH%
    "C:\Program Files\CA\AccessControlServer\PupmProxy\bin\guacd.exe" -S -l 4822

     

    Then, after backing up your registry of course, start regedit and go to:

     

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\GUACD

     

    Change ImagePath from:

     

    C:\Program Files\CA\AccessControlServer\PupmProxy\bin\guacd.exe -S -l 4822

     

    To:


    C:\Program Files\CA\AccessControlServer\PupmProxy\bin\guacd_wrapper.bat

    Regedit.png

    Remember that the guacd_wrapper.bat is unsupported and might become an issue if patches are applied, upgrades etc. So, if you really do not need to do this just modifying the system path is a much better way. This example is just here for a scenario where there is no other choice.

     

    In either case, start or restart the GUACD service.

     

     

    3. Connector Server (JCS), ProxyManager and EventForwarder

     

    By default these should be set to point to the JDK that PIM was installed with.

     

    To confirm this there is a "Command line" parameter which contains the, you guessed it, command line in each of the following files:

     

    C:\Program Files\CA\AccessControlServer\Connector Server\bin\acjcswrap.ini
    C:\Program Files\CA\AccessControlServer\Services\EventForwarder\bin\acsiemwrap.ini
    C:\Program Files\CA\AccessControlServer\Services\ProxyManager\bin\acjavasrvwrap.ini

     

    In all of the files, this should begin with <path>\java.exe, make sure it points to c:\jdk1.8.0\bin\java.exe, e.g.

     

    Command line = "C:\jdk1.8.0\bin\java.exe" .... <rest of command> ...

     

    Restart the following services:

     

    CA ControlMinder Connector Server (Java)
    CA ControlMinder Event Forwarder (Java)
    CA ProxyManager

     

    4. JBoss

     

    Last but certainly not least, by default this should be set to point to the JDK that PIM was installed with.

     

    Near the top of both of the following files.

     

    C:\jboss-4.2.3.GA\bin\compile_jsp.bat
    C:\jboss-4.2.3.GA\bin\rum_idm.bat

     

    There is the line below where <jdk> is the jdk to use:

     

    set JAVA_HOME=<jdk>

    This should be:

     

    set JAVA_HOME=C:\jdk1.8.0