Symantec Privileged Access Management


Tech Tip: Setting the JDK/JRE for Privileged Identity Manager 12.9SP1 on Windows


    Broadcom Employee
    Posted Dec 07, 2015 04:59 PM

    Let's sort out any potential problems with different JREs being installed on the system and force the various components of PIM 12.9SP1 on Windows to use the JDK/JRE we installed from the 3rd party components media.


    I am making the assumption that PIM, the JDK and JBoss have been installed in the default locations of:


    C:\Program Files\CA\AccessControlServer


    1. Apache Tomcat


    By default Tomcat will pick up and use the first java.exe in the system path. To fix this, navigate to C:\Program Files\CA\AccessControlServer\apache-tomcat-7.0.54\bin and execute tomcat7w.exe. Go to the Java tab and set "Java Virtual Machine" to:







    Restart the "Apache Tomcat 7.0.54" service.



    2. GUACD


    GUACD will pick up and use the first java.exe in the system path. The easy way to sort this out is to change the system path to have the following at the front:






    However, this does put you at the mercy of other potentially path-changing applications, so another, albeit unsupported (NOTE: unsupported, development and SE avert thine eyes), way of doing this is to create a wrapper around guacd.exe which sets the path before starting guacd.exe.


    Stop the GUACD service.


    Create a file called C:\Program Files\CA\AccessControlServer\PupmProxy\bin\guacd_wrapper.bat with the following contents:


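    @echo off
    rem Prepend the JDK/JRE directory to PATH at this point, before guacd.exe starts.
    rem Start guacd with the same arguments as the original service ImagePath.
    "C:\Program Files\CA\AccessControlServer\PupmProxy\bin\guacd.exe" -S -l 4822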


    Then, after backing up your registry of course, start regedit and go to:




    Change ImagePath from:


    C:\Program Files\CA\AccessControlServer\PupmProxy\bin\guacd.exe -S -l 4822


    to:



    "C:\Program Files\CA\AccessControlServer\PupmProxy\bin\guacd_wrapper.bat"


    Remember that guacd_wrapper.bat is unsupported and might become an issue when patches or upgrades are applied. So, if you really do not need to do this, just modifying the system path is a much better way. This example is just here for a scenario where there is no other choice.


    In either case, start or restart the GUACD service.



    3. Connector Server (JCS), ProxyManager and EventForwarder


    By default these should be set to point to the JDK that PIM was installed with.


    To confirm this there is a "Command line" parameter which contains the, you guessed it, command line in each of the following files:


    C:\Program Files\CA\AccessControlServer\Connector Server\bin\acjcswrap.ini
    C:\Program Files\CA\AccessControlServer\Services\EventForwarder\bin\acsiemwrap.ini
    C:\Program Files\CA\AccessControlServer\Services\ProxyManager\bin\acjavasrvwrap.ini


    In all of the files, this should begin with <path>\java.exe; make sure it points to C:\jdk1.8.0\bin\java.exe, e.g.


    Command line = "C:\jdk1.8.0\bin\java.exe" .... <rest of command> ...


    Restart the following services:


    CA ControlMinder Connector Server (Java)
    CA ControlMinder Event Forwarder (Java)
    CA ProxyManager


    4. JBoss


    Last but certainly not least, by default this should be set to point to the JDK that PIM was installed with.


    Near the top of both of the following files.




    There is the line below where <jdk> is the jdk to use:


    set JAVA_HOME=<jdk>

    This should be:


    set JAVA_HOME=C:\jdk1.8.0
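
A read-only check for sections 2 and 3, added here as an example and not part of the original post or the product: it lists every java.exe on the machine PATH in search order and compares the executable in each wrapper file's "Command line" entry with C:\jdk1.8.0\bin\java.exe. The function names are illustrative; it assumes the default install paths from the post, that the services see the machine-level PATH, and that the JDK launcher from section 3 is also the one wanted first on PATH.

```powershell
# Expected launcher and install root: the example paths used in the post.
$ExpectedJava = 'C:\jdk1.8.0\bin\java.exe'
$Root = 'C:\Program Files\CA\AccessControlServer'
$WrapperInis = @(
    "$Root\Connector Server\bin\acjcswrap.ini",
    "$Root\Services\EventForwarder\bin\acsiemwrap.ini",
    "$Root\Services\ProxyManager\bin\acjavasrvwrap.ini"
)

# Executable at the start of a 'Command line = ...' entry (quoted or bare).
function Get-CommandLineExe([string[]]$IniLines) {
    foreach ($line in $IniLines) {
        if ($line -match '^\s*Command line\s*=\s*(?:"([^"]+)"|(\S+))') {
            if ($Matches[1]) { return $Matches[1] }
            return $Matches[2]
        }
    }
    return $null
}

# Every java.exe reachable through a PATH string, in search order.
function Get-JavaOnPath([string]$PathValue) {
    foreach ($dir in ($PathValue -split ';' | Where-Object { $_.Trim() })) {
        $dir = [Environment]::ExpandEnvironmentVariables($dir.Trim('" '))
        $candidate = [IO.Path]::Combine($dir, 'java.exe')
        if ([IO.File]::Exists($candidate)) { $candidate }
    }
}

# Constructed sample line in the format shown in section 3.
$sample = 'Command line = "C:\jdk1.8.0\bin\java.exe" -cp sample.jar Sample'
"Parser self-check: $(Get-CommandLineExe $sample)"

# Section 2: the first hit is the java.exe that a PATH lookup resolves to.
$onPath = @(Get-JavaOnPath ([Environment]::GetEnvironmentVariable('Path', 'Machine')))
if ($onPath.Count -eq 0) { 'No java.exe on the machine PATH' }
else {
    "First java.exe on machine PATH: $($onPath[0])"
    if ($onPath[0] -ne $ExpectedJava) { "  MISMATCH: differs from $ExpectedJava" }
    $onPath | Select-Object -Skip 1 | ForEach-Object { "  also on PATH (shadowed): $_" }
}

# Section 3: each wrapper .ini should launch the expected java.exe.
foreach ($ini in $WrapperInis) {
    if (-not (Test-Path -LiteralPath $ini)) { "MISSING  $ini"; continue }
    $exe = Get-CommandLineExe (Get-Content -LiteralPath $ini)
    $status = if ($exe -eq $ExpectedJava) { 'OK      ' } else { 'MISMATCH' }
    "$status $ini -> $exe"
}
```

Running it again after a patch or upgrade shows whether an installer has moved another Java ahead of the intended one or rewritten a wrapper file.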