Symantec Privileged Access Management

  • 1.  Re-Register Windows Pupm-Endpoint

    Posted May 19, 2017 04:08 AM

    Hello community,

     

    We have been using AccessControl/ControlMinder/PIM/PAM for some time already; our Mgmt-Server is running on 12.61. The Windows server which we want to re-register/autodiscover is also 12.61. I've checked the registry if AutoRegister is set to 1 and if OperationMode is also set to 1. I also removed the privileged Endpoint by deleting it through the WebInterface. I found an article for Linux where the PupmAgent.dat just needs to be deleted. Is there any similar procedure on a Windows system? At the moment we are not able to upgrade to 12.8 hence this is a production system and at the moment every password change task fails.

     

    many thx in advance.

     

    oliver



  • 2.  Re: Re-Register Windows Pupm-Endpoint
    Best Answer

    Broadcom Employee
    Posted May 19, 2017 05:15 AM

    Hello Oliver,

     

    If this is only a single box which is showing the problem then maybe it is easiest if you uninstalled / reinstalled ENTM from scratch on this Endpoint.

    The installer wizard, in which you select "PUPM Integration", will ask you for the Distribution Server and communication password and will set all the relevant Registry Values for you.

    Else you can do

     

    1)      secons -s

    2)      If file exists, delete PupmAgent.dat from

    C:\Program Files\CA\AccessControl\Data\AgentManager

    3)      In Registry (run regedit.exe in run box)

    Go to 

    HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\AccessControl\Common\communication

    Set  Distribution_Server to ssl://<ds-servername>:7243

    Replace ds-servername with host name or IP address (make sure Distribution Server IP address is static, else give hostname)

    4)      Then go to HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\AccessControl\Common\AgentManager\Plugins\PupmAgent

    Set OperationMode to 1

    5)      HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\AccessControl\PUPMAgent

    Set OperationMode to 1

    6)      At command prompt sechkey -t  -pwd <communication password>

    7)      Restart selang (seosd -start)

     

    Once these steps are done, check endpoint list in ENTM GUI. It should get listed.

    Then account discovery and other tasks can be performed as usual.

    Best Regards.

    Andreas
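
The registry values and the PupmAgent.dat file that the steps above depend on can be checked before and after the change with a read-only script. This is an added example, not part of the original posts or of the product's tooling; the function name Test-PupmSetting and the regular expressions are assumptions, while the key paths, value names and expected values are the ones quoted in this thread.

```powershell
# Added example: read-only check of the settings named in this thread. It changes nothing.
$base    = 'HKLM:\SOFTWARE\ComputerAssociates\AccessControl'
$datFile = 'C:\Program Files\CA\AccessControl\Data\AgentManager\PupmAgent.dat'

# Key, value name, and the pattern the value should match.
# The thread does not state the registry value types, so values are compared as strings.
$checks = @(
    @{ Key = "$base\PUPMAgent"
       Name = 'OperationMode'; Pattern = '^1$'; Want = '1' },
    @{ Key = "$base\Common\AgentManager\Plugins\PupmAgent"
       Name = 'OperationMode'; Pattern = '^1$'; Want = '1' },
    @{ Key = "$base\Common\communication"
       Name = 'Distribution_Server'
       Pattern = '^ssl://[^/:\s]+:7243$'      # host name or IPv4 address, port 7243
       Want = 'ssl://<ds-servername>:7243' }
)

# Hypothetical helper: returns one result object per check.
function Test-PupmSetting {
    param([hashtable]$Check)
    $value = $null
    $state = 'MissingKey'
    if (Test-Path -LiteralPath $Check.Key) {
        $item = Get-ItemProperty -LiteralPath $Check.Key -Name $Check.Name `
                                 -ErrorAction SilentlyContinue
        if ($null -eq $item) {
            $state = 'MissingValue'
        } else {
            $value = $item.($Check.Name)
            $state = if ("$value" -match $Check.Pattern) { 'OK' } else { 'Mismatch' }
        }
    }
    [pscustomobject]@{
        Name = $Check.Name; Value = $value; Expected = $Check.Want
        State = $state;     Key = $Check.Key
    }
}

$checks | ForEach-Object { Test-PupmSetting $_ } |
    Format-Table Name, Value, Expected, State, Key -AutoSize -Wrap

# Step 2 deletes this file only after the agent has been stopped with "secons -s".
if (Test-Path -LiteralPath $datFile) {
    'PupmAgent.dat is present (still to be deleted if re-registration is intended).'
} else {
    'PupmAgent.dat is absent.'
}
```

Run it from an elevated PowerShell session on the endpoint; any row whose State is not OK points at the step that still needs attention.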



  • 3.  Re: Re-Register Windows Pupm-Endpoint

    Broadcom Employee
    Posted May 19, 2017 05:25 AM

    Hello

    Yes indeed there is a similar file.

     

    Some things: 

     

    * Confirm you have set (besides AutoRegister)

     

    HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\AccessControl\PUPMAgent
    OperationMode = 1

     

    HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\AccessControl\Common\AgentManager\Plugins\PupmAgent
    OperationMode = 1

     

    HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\AccessControl\Common\communication
    Distribution_Server = ssl://<ENTM-servername>:7243

     

     

    * run  secons -s 
    * If file exists, delete PupmAgent.dat from  C:\Program Files\CA\AccessControl\Data\AgentManager 
    * Restart selang (seosd -start)

     

     

    Should the issue remain, please set in
    HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\AccessControl\Common\AgentManager
    TraceEnabled = 3
    Restart AC (secons -s ; seosd -start) and get the AgentManager.log, AgentManager.PupmAgent.log and Jboss server.log for analysis.
    (found in ..\AccessControl\Data\AgentManager) 

     

    In this case I'd recommend a case to be opened