Symantec Access Management

  • 1.  Using CA UIM with CA Identity Suite - Single NAT and Double NAT

    Posted Dec 13, 2018 09:47 PM

    Team,

    I had an interesting challenge where I wished to have a centralized CA UIM management server (with a hub), active in Amazon Cloud (AWS), to be used for various servers I have running or to allow me to demonstrate with ad hoc servers.

    One challenge I experienced was configuring for a NAT environment, and addressing the security authentication challenge that occurs when adding a new UIM robot (or probe) when using NAT, since the HUB IP is used as part of the seed for the authentication credential.

    Example(s) below:

    Double NAT data path:

        -  The token key "ignore_ip = yes" was needed for both examples to avoid the challenge due to the private HUB IP seed that was impacting (auth error messages) use of the CA UIM solution, when the public HUB IP was required (in the robot.cfg file) to communicate to AWS (where CA UIM was installed).

           -  Note: If the AWS instance is not behind an AWS load-balancer configuration, the public IP will change upon every reboot.

        -  If there are double NICs on the VMware Guest, then ensure the default Gateway route is correct for the return path that will be used.

        -  For the VMware NAT configuration, ensure that port forwarding is enabled as well.

        -  For VMware Network Bridge, ensure that ONLY the LAN NIC and/or Wireless NIC are defined.

        -  Ensure the Gateway Router at your office/home is configured for both port forwarding and a static route to the VMware NAT IP range on the VMware Host.

    Single NAT data path: [Very similar to double NAT but less complex; used strike-out to showcase delta]

        -  The token key "ignore_ip = yes" was needed for both examples to avoid the challenge due to the private HUB IP seed that was impacting (auth error messages) use of the CA UIM solution, when the public HUB IP was required (in the robot.cfg file) to communicate to AWS (where CA UIM was installed).

           -  Note: If the AWS instance is not behind an AWS load-balancer configuration, the public IP will change upon every reboot.

        -  If there are double NICs on the VMware Guest, then ensure the default Gateway route is correct for the return path that will be used.

        -  For VMware Network Bridge, ensure that ONLY the LAN NIC and/or Wireless NIC are defined.

        -  Ensure the Gateway Router at your office/home is configured for port forwarding ONLY to the bridged NIC for the VMware Guest.

    To assist during testing, I built the following script to remove prior configurations and allow a clean start.

       -  This script is a work-in-progress, and others may have additional update(s) to recommend.

       -  I would like to understand how the SID is generated for the /ca/uim/niscache/.robot_device_id

       -  Using loglevel = 5 for all logs to help identify any gaps.

    /ca/uim/robot > nim-clean-up.sh

    #!/bin/bash
    # Process to force a re-validation of the Linux UIM robot agent,
    # when copied to a new system.
    # Run as root from /ca/uim/robot. The robot regenerates its device ID
    # (and controller.cfg, if missing) when it is restarted.

    ROBOT_DIR=/ca/uim/robot
    NIS_DIR=/ca/uim/niscache

    echo "# Step 1 Stop UIM"
    /etc/init.d/nimbus stop
    sleep 5
    echo "# Check if any running processes need to be killed"
    # '[n]im' matches nim processes without matching the grep itself; skip this script too.
    for pid in $(ps -ef | grep '[n]im' | grep -v nim-clean-up | awk '{print $2}'); do
        kill -9 "$pid" > /dev/null 2>&1
    done

    echo " "
    echo "# Step 2a Move controller.cfg to ./changes/ folder"
    mkdir -p "$ROBOT_DIR/changes"
    mv -f "$ROBOT_DIR/controller.cfg" "$ROBOT_DIR/changes/controller.cfg"
    echo " "
    echo "# Step 2b Remove robot device ID file that will be unique to each agent"
    cat "$NIS_DIR/.robot_device_id"
    mv -f "$NIS_DIR/.robot_device_id" "$NIS_DIR/old.robot_device_id"
    rm -f "$NIS_DIR"/*.met

    echo " "
    echo "# Step 3a - Review any 'magic_key' line(s)"
    grep -i "magic_key" "$ROBOT_DIR/changes/controller.cfg"
    echo "###############################################################"
    echo "# Step 3b Remove all magic_key line(s) from controller config"
    # The I flag makes the match case-insensitive, consistent with grep -i above (GNU sed).
    sed -i '/magic_key/Id' "$ROBOT_DIR/changes/controller.cfg"

    echo " "
    echo "# Step 3c Confirm no magic_key lines"
    echo " Validate there is no magic_key text below, before the ####"
    echo " "
    grep -i "magic_key" "$ROBOT_DIR/changes/controller.cfg"
    echo "###############################################################"
    echo " "
    echo "# Step 4 Restart UIM"
    /etc/init.d/nimbus start
    echo "###############################################################"
    sleep 10
    echo "# Step 4b Check Robot ID is different"
    cat "$NIS_DIR/.robot_device_id"
    # diff exits non-zero when the files differ, which is the expected result here.
    if diff -q "$NIS_DIR/.robot_device_id" "$NIS_DIR/old.robot_device_id" > /dev/null 2>&1; then
        echo "WARNING: robot device ID is unchanged"
    else
        echo "Robot device ID has changed"
    fi
    echo "###############################################################"

    echo " "
    echo "# Step 5 Validate running LISTENING ports; at least three (3) ports"
    echo " "
    # Robot ports are in the 480xx range; anchor on ':' so unrelated numbers do not match.
    netstat -anp | grep ':480'
    echo "###############################################################"
    echo " "
    echo "# Step 6 Validate running processes; at least three (3) processes:"
    echo " "
    ps -ef | grep '[n]im'
    echo "###############################################################"
    echo "# Step 7a Validate no errors in spooler logs; increase to loglevel = 5 to trace"
    echo " "
    tail -20 "$ROBOT_DIR/spooler.log"
    echo "###############################################################"
    echo "# Step 7b Validate no errors in controller logs; increase to loglevel = 5 to trace"
    echo " "
    # tail -F follows the log until interrupted (Ctrl-C), so it must be the last command.
    tail -F "$ROBOT_DIR/controller.log"

    P.S. Testing CA Identity Suite with the packages that konpa01 Paul Kong developed for me during the beginning of this year, to assist with performance management of the CA Identity Suite solution (with many of its components).

    Monitoring the Identity Suite components with CA UIM 

    - Alan
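The NAT pitfall described in the post above (a public hub IP in robot.cfg without "ignore_ip = yes" leading to robot authentication errors) can be checked on a robot before it is started. The script below is an added example, not part of the original post or of CA UIM itself; the hubip key and the <controller> section layout are assumed from typical robot.cfg files, and the sample configs use constructed documentation addresses.

```shell
#!/bin/bash
# Added example (not from the original post): flag a CA UIM robot.cfg whose
# hub IP is a public (post-NAT) address but which lacks ignore_ip = yes.
# The hubip key and <controller> section are assumed from typical robot.cfg files.

# Return 0 if the dotted-quad IP is an RFC 1918 private address, 1 otherwise.
is_private_ip() {
    case "$1" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the value of "key = value" from a robot.cfg (first match, whitespace trimmed).
cfg_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]]*\)[[:space:]]*$/\1/p" "$1" | head -n 1
}

# Exit status: 0 = safe for NAT, 1 = public hubip without ignore_ip = yes
# (the combination that produces the auth errors), 2 = no hubip found.
check_robot_cfg() {
    local hubip ignore
    hubip=$(cfg_value "$1" hubip)
    ignore=$(cfg_value "$1" ignore_ip)
    [ -n "$hubip" ] || { echo "$1: no hubip found" >&2; return 2; }
    if is_private_ip "$hubip"; then
        echo "$1: hubip $hubip is private; no NAT workaround needed"
        return 0
    fi
    if [ "$ignore" = "yes" ]; then
        echo "$1: hubip $hubip is public and ignore_ip = yes is set"
        return 0
    fi
    echo "$1: hubip $hubip is public but ignore_ip = yes is missing; expect robot auth errors" >&2
    return 1
}

# Constructed sample configs (203.0.113.0/24 is a documentation range, not a real hub).
tmpdir=$(mktemp -d)
printf '<controller>\n   hub = awshub\n   hubip = 203.0.113.10\n   hubport = 48002\n</controller>\n' > "$tmpdir/bad.cfg"
printf '<controller>\n   hub = awshub\n   hubip = 203.0.113.10\n   hubport = 48002\n   ignore_ip = yes\n</controller>\n' > "$tmpdir/good.cfg"
check_robot_cfg "$tmpdir/bad.cfg" || echo "exit status: $?"
check_robot_cfg "$tmpdir/good.cfg" || echo "exit status: $?"
```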



  • 2.  Re: Using CA UIM with CA Identity Suite - Single NAT and Double NAT

    Posted Dec 14, 2018 11:21 AM

    Thank you for sharing this with the community Alan!