| Previous | Contents | Index |
This appendix contains information about using a POLYCENTER Security CM inspector to implement your security policy and distributing the inspector to remote nodes.
The appendix contains information about the following:
A.1 Implementing Your Security Policy
This section describes how to use a sample inspector to implement your security policy and how to distribute this inspector to remote nodes.
POLYCENTER Security CM includes a sample inspector, EXAMPLE_REQUIRED_INSPECTOR.DAT. This inspector contains test collections to test many areas of your system and is typical of the default inspector that you should use to implement your security policy. Use the POLYCENTER Security Console GUI to customize the inspector.
After you have customized the inspector so that it accurately reflects your security policy, you can distribute it to other machines as follows:
$ CREATE DUA2:[NEW_REQUIRED] /DIRECTORY $ MOUNT MUA5: INSPEC /FOREIGN $ BACKUP MUA5:INSPECT031.A DUA2:[NEW_REQUIRED] |
$ COPY INSPECT$DATABASE:INSPECT$xxx.DAT - _EXAMPLE_REQUIRED_INSPECTOR.DAT $ PURGE EXAMPLE_REQUIRED_INSPECTOR.DAT |
$ BACKUP *.*; MKA300:INSPECT031.A -
/REWIND /INTERCHANGE /IGNORE=LABEL /BLOCK=9000 /VERIFY
|
$ COPY MUA5:INSPECT031.B MKA300:INSPECT031.B |
After you create and install the customized inspector, report the policy file ID to your POLYCENTER SRF administrator. The POLYCENTER SRF administrator uses the policy file identifier (ID) to determine the validity of a token. Most changes to parameters change the policy file ID.
This appendix contains information to help troubleshoot POLYCENTER Security CM. It assumes that you are familiar with OpenVMS system management and have OpenVMS documentation available.
The appendix contains information about the following:
B.1 Solving System Startup Problems
This section describes problems that may occur at startup and how to solve them.
You may receive a mail on startup if you do not have sufficient resources (privileges, quotas, or identifiers) to start one of the POLYCENTER Security CM executable images. The mail indicates the resources that you must have to start the image. Update your account with these resources and then restart the image.
The POLYCENTER Security CM executor waits for a user-specified period of time after system startup before it runs inspectors. By default, this time is 40 minutes. You can customize the wait period by changing the value for the Executor Startup Delay to a value suitable for your site. See Section 3.4 in Chapter 3 for information on using the CLI to change the Executor Startup Delay.
If a scheduled inspection has been missed due to system failure or other problems, the POLYCENTER Security CM executor runs the inspector after startup if the resubmit interval is greater than one day and if the scheduled inspection time has not elapsed by more than a user-specified period of time. By default, this time is 30 minutes. You can customize this time period by changing the value of the Inspection Start Window to a value suitable for your site. See Section 3.4 in Chapter 3 for information on using the CLI to change the Inspection Start Window. If the inspection has been missed by more than the specified time period, the executor attempts to run the inspector on the following day at the originally scheduled time.
The INSPECT$LOGS:INSPECT$EXECUTOR.LOG file contains information on rescheduled inspections.
B.2 Solving Connection Problems
This section describes connection problems that may occur when connecting to POLYCENTER Security CM from POLYCENTER Security Console and how to solve them.
You may get an authentication error when you try to connect to POLYCENTER Security CM from POLYCENTER Security Console. If you do not know why you are getting this error, you can ensure that POLYCENTER Security CM logs the reason for the error in the INSPECT$LOGS:INSPECT$PORTAL.LOG file. To do this, use the CLI to change the Log Detail level to the value 2. See Section 3.3 in Chapter 3 for information on using the CLI to change the Log Detail value. By default, POLYCENTER Security CM does not log the reason for authentication errors.
You may get a timeout error when you try to connect to POLYCENTER Security CM from POLYCENTER Security Console. You can configure the time period during which the system waits before data transfers between remote processes will time out. See Section 3.5 in Chapter 3 for information on using the CLI to change the Remote Channel Timeout value.
This section explains where to find logs and how to use them.
POLYCENTER Security CM retains log files that can help you to identify problems. These log files exist in the INSPECT$LOGS directory, in the INSPECT$SCRATCH directory, and in the SYS$SYSROOT:[INSPECT$SERV] directory. If, for some reason, an inspector or the passthru server encounters a malfunction, you can edit the log files to learn more about the malfunction. These files are similar to batch log files in this respect.
The executor on each node generates the following log files:
The portal on each node generates the followings log files:
The passthru server generates the followings log file:
SYS$SYSROOT:[INSPECT$SERV]NET$SERVER.LOG |
This log file records all the activities of the passthru server. If the passthru server fails, examining the log file can help you to determine what the passthru server was doing when it failed.
The executor, portal, CLI, and passthru server can all generate error logs. The error log file name for the executor, the portal, and the CLI has the following format:
INSPECT$LOGS:INSPECT$process_name_ERROR.LOG |
The error log file name for the passthru server is:
SYS$SYSROOT:[INSPECT$SERV]INSPECT$ERROR_FILE |
These logs are in text format. If you are reporting an error to Digital Support, you must include the logs.
If an inspector contains one or more user-written programs, log files generated by these programs are placed in the following location:
INSPECT$SCRATCH:INSPECT$process_id.LOG |
If an error occurs while you are using POLYCENTER Security CM and you believe that there is a problem with the POLYCENTER Security CM software, you may need to contact your Customer Support Center. When providing details of the error to your Customer Support Center, you must include some or all of the following files depending on what POLYCENTER Security CM was doing when the error occurred:
Dump files are deleted when you restart POLYCENTER Security CM. |
See Section 3.9 in Chapter 3 for information on using the CLI to extract an inspector to a text file.
See the POLYCENTER Security Compliance Manager Installation Guide for more information on reporting errors.
This section provides information on possible problems with POLYCENTER Security CM output and how to solve them.
After an inspection, POLYCENTER Security CM may mail a report to one or more recipients specified when creating the inspector. If for any reason, POLYCENTER Security CM cannot send this mail, it generates the following log file:
INSPECT$SCRATCH:INSPECT$process_id.LOG |
If you do not receive the mail, examining the log file may help you to determine why it did not arrive.
When you choose to execute a lockdown file or an unlockdown file, a log file is generated in the INSPECT$LOGS directory. The name of the log file depends on whether it is for a lockdown file or an unlockdown file. The file name has one of the following formats:
If you have any problems running the files, examining the log files may help you to determine the cause of the problems.
POLYCENTER Security CM also generates a log file when you choose to have the product automatically execute a lockdown file for you. Use the CLI to view the autolockdown log file.
If tokens are not transmitted correctly, POLYCENTER Security CM continues to try to send the token up to the limit specified in the Token Retry Interval parameter. You can also resend the token from either the POLYCENTER Security CM CLI or the POLYCENTER Security Console GUI. Digital recommends that you do not resend tokens in normal circumstances.
The Token Status Memo provides information on the status of the transmission of the token for each node in the inspector's domain. See Appendix C for more information on the Token Status Memo.
Each inspector can send a token (security status message) to a POLYCENTER SRF collection node designated during the installation of POLYCENTER Security CM. POLYCENTER Security CM checks for the successful transmission of this token.
If test tokens are not being processed successfully, verify that you are meeting the following conditions:
The INSPECT$PROGRAM_OFFICE logical used by POLYCENTER Security CM Version 2.3 has been replaced by the POLYCENTER SRF Node parameter. |
If you have access to the POLYCENTER SRF collection node, examine the log files in the directory pointed to by the DSRF$LOGS logical.
B.5 Solving Disk Space and Privilege Problems
This section provides some guidelines to help solve diskspace and privilege problems.
Job files generated by each inspection are stored in the inspector database area (pointed to by the INSPECT$DATABASE logical). To avoid diskspace problems, these files must be purged regularly. POLYCENTER Security CM automatically purges the files using the value specified in the Purge Keep Time parameter and the Purge Keep Inspector Job Number parameter to determine which files to purge. See Section 3.3 in Chapter 3 for information on using the CLI to change the values of these parameters.
You can also use the CLI to manually purge the files. See Purging the Database in Chapter 3 for more information.
To avoid diskspace problems, purge the INSPECT$LOGS directory, the INSPECT$LOCKDOWNS directory, and the INSPECT$SCRATCH directory regularly. POLYCENTER Security CM does not automatically purge the INSPECT$LOGS directory and the INSPECT$LOCKDOWNS directory. POLYCENTER Security CM deletes logs in the INSPECT$SCRATCH directory only when you restart the product.
Each security manager's account must have the INSPECT$SECURITY_MANAGER identifier. The account must also have the privileges required to run each of the POLYCENTER Security CM executable images.
If the account does not have these privileges and resources, then you cannot run POLYCENTER Security CM and if you try to do so, you receive a mail specifying the privileges, quotas, or identifiers that you need.
See the POLYCENTER Security Compliance Manager for OpenVMS Installation Guide for information on required privileges and quotas.
B.6 Solving Database Problems
This section provides some guidelines to help solve database problems.
An inspector is automatically locked when it is executing to prevent users trying to modify or delete it. If the system fails during execution, the executor and portal should recover normally. In exceptional circumstances, you may need to release the inspector locks after system recovery. See Section 3.13 in Chapter 3 for information on using the CLI to release the inspector locks.
Releasing the inspector locks kills the executor and portal processes on all nodes in a cluster. |
In the unlikely event that the inspector database is corrupted, you can create a new database. To create a new database, enter the following command to invoke a utility that allows you to create the database:
$ @INSPECT$IMAGES:INSPECT$CONFIG.COM |
POLYCENTER Security CM displays the Main Menu of the utility.
Creating a new database stops the POLYCENTER Security CM executor on all nodes and deletes all existing history from the database area. Files in INSPECT$LOGS and INSPECT$SCRATCH are also deleted. You can choose whether to keep existing inspectors. |
| Previous | Next | Contents | Index |