How to Configure a Windows Server as an Endpoint with Symantec Identity Suite

This is a “how-to” guide for setting up a Windows Server as an endpoint in Symantec Identity Manager. By following this guide, Symantec IDM Administrators will be able to add Windows machines as endpoints to allow for the management of local user accounts and their privileges on the server. 

Prerequisites 

  • Provisioning Server is installed
  • Identity Manager is installed
  • Connector Server is installed
  • Remote Windows Server has an Administrator account that can be used to connect, install, and configure.
  • Java/C++ Connector Server (CCS) has an Administrator account that can be used to install and configure

Installation and Configuration Tasks and Steps

Task 1: Install the Provisioning Remote Agent as an Administrator

The CA Directory Management instances should start up automatically when the server starts. Before starting a directory management instance manually, check the status of the management server by executing the following tasks.

1. Login to the target Windows server as a user with Local Administrator privileges.

2. Unzip the Identity Suite Components downloaded folder (if not already unzipped)

3. Copy the contents of *Remote_Components_Folder*/RemoteAgent/Windows200x to the local machine

4. Open the command line as Administrator and navigate to the
*Remote_Components_Folder*/RemoteAgent/Windows200x folder location

5. Execute the command “setup.exe”

6. Click “OK” when the prompt appears

7. Click Next

8. Read the Terms in the License Agreement and click “Next”

9. Specify the preferred install location and click “Next”

10. Specify the preferred location for the Shared Components folder and click “Next”

11. Click “Install” to begin installation

12. Click “Finish” when the prompt is done

13. Navigate to the Windows Services menu

14. There should be a running service called “CA Message Queuing Server”

Task 2: Install CAPKI (CA Private Key Infrastructure) 4.3.5 on CCS

Note: This is to be done on each C++ Connector Server (CCS).

1. Download the CAPKI 4.3.5 from the FTP link in the Broadcom documentation

2. Unzip the redistributable

3. Open the Command Prompt as a user with Local Admin privileges

4. Navigate to the *4.3.5_Redistributable*/redistrib folder

5. Run the following command:
a. setup.exe install caller=<caller ID> verbose
b. Note: <caller ID> should be the unique FQDN of the Provisioning Server

Task 3: Configure CAM/CAFT Service

Verify that the CAM/CAFT Service is running (Start it if it is not running)

To Configure via UI

1. Navigate to the Windows Menu and Launch the “Host to Caft Definition” program

2. In the field “Enter a server name”, enter the name (FQDN if using DNS, IP Address if not using DNS) of the CCS connector Server and click “Add”.
a. Note: If you have more than one connector server, you must add each one individually
b. Note: If the hostname cannot be resolved, there will be a “new host failed: Unknown host” error reported.

3. Delete the “localhost” entry

4. Click “OK” in the top right corner

To Configure via Command Line

1. Open the command line interface as an Administrator

2. Execute the following command:

Note: If the hostname cannot be resolved, there will be a “new host failed: Unknown host” error reported.

3. To verify that the host was properly accepted, execute the following command:

Note: The CCS entry that was entered in step 2 should return in the command prompt.

Task 4: Activate the CAM/CAFT Encryption for Windows

Note: To Activate the CAM/CAFT encryption, the CCS Administrator will need to generate a public key on the CCS machine. Once that key is generated, the Windows Endpoint Administrator will need to receive the public key from the CCS Administrator and install it on the endpoint. 

If this is an initial installation of Provisioning Server, Provisioning Manager or C++ Connector Server (CCS), and you want to activate CAM/CAFT encryption for the communication between the Provisioning Server and other CA Identity Manager servers or system endpoints, you must generate a Public Key file by entering the following command in the Windows command prompt:

  • caftkey -g keyfile password

Once the file has been created, the Windows Administrator needs to install the public key on the CAFT Windows Endpoint using the following commands:

1. caftkey -policy_setting keyfile password

Note: keyfile and password must have the same values that were specified when generating the Public Key file. The *policy_setting* value must be -i, -m, or blank.

Need to know

The policy_setting value governs the communication between this computer (the local computer) and other computers that have the CAM and CAFT service installed, but may or may not have the CAM and CAFT encryption certificates installed. 

Policy -1 (caftkey -i keyfile password)

The -i option specifies Policy -1. This policy lets computers running previous versions of the CAM and CAFT service execute commands on this computer and lets this computer execute commands on those computers. Policy -1 encrypts messages if the other computer has these certificates installed. This policy does not encrypt messages if the other computer does not have these certificates installed. 

Policy 1 (caftkey -m keyfile password)

The -m option specifies Policy 1. This policy prohibits other computers from executing commands on this computer if they are running previous versions of the CAM and CAFT service without the encryption certificates. This policy also prohibits this computer from executing commands on those computers.

If both computers have the CAM and CAFT encryption certificates installed but have different Public Key Files installed when Policy 1 is set, command requests between the two computers always fail.

Blank Option 

The blank option specifies Policy 0. This policy is set if no Public Key File is installed, the CAM and CAFT encryption certificates were not installed properly, or if you do not specify a policy setting when you enter the caftkey command. Policy 0 specifies no encryption.

Continuation from Step 1:

2. Restart the CAM Service

3. After restarting the CAM service, recycle the CAFT service by issuing the following command:

4. Check the CAFT service log file to confirm the policy setting:
a. Log File Location: “*CAM Installed Location*\CA\Shared Components\CAM\ftlogs\dg000”
b. The result should look similar to:

Note: Repeat this process for every server that will be a Windows NT endpoint. The public key file that was generated on the CCS should be the same public key that is installed on each Windows Endpoint. 
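The following PowerShell pre-flight script is an added example, not part of this guide and not Broadcom tooling. It ties together the checks from Tasks 1, 3 and 4 on a Windows endpoint: it confirms each CCS name resolves (avoiding the “new host failed: Unknown host” error), confirms the “CA Message Queuing Server” service is running, confirms the key file copied from the CCS exists, warns when the chosen policy leaves traffic unencrypted, and only then invokes caftkey with the policy flag from Task 4. It assumes caftkey is on the PATH and that the policy is given as i, m, or blank (mapped to -i, -m, or no flag).

```powershell
# Added pre-flight helper (assumption: caftkey is on PATH; service display name from Task 1).
param(
    [Parameter(Mandatory)][string[]]$CcsHosts,            # FQDN (or IP) of each C++ Connector Server
    [Parameter(Mandatory)][string]$KeyFile,               # public key file generated on the CCS with caftkey -g
    [Parameter(Mandatory)][string]$Password,              # password used when that key file was generated
    [ValidateSet('i','m','blank')][string]$Policy = 'm',  # i = Policy -1, m = Policy 1, blank = Policy 0
    [switch]$Apply                                        # without -Apply, only report; never run caftkey
)

$ok = $true

# Task 3 caveat: a name that does not resolve is rejected with "new host failed: Unknown host".
foreach ($h in $CcsHosts) {
    try {
        $addrs = ([System.Net.Dns]::GetHostEntry($h)).AddressList -join ', '
        Write-Host "OK   $h resolves to $addrs"
    } catch {
        Write-Warning "FAIL $h does not resolve; add it only after DNS (or hosts file) is fixed"
        $ok = $false
    }
}

# Task 1 step 14: the Remote Agent install should leave this service running.
$mq = Get-Service -DisplayName 'CA Message Queuing Server' -ErrorAction SilentlyContinue
if ($mq -and $mq.Status -eq 'Running') { Write-Host "OK   $($mq.DisplayName) is running" }
else { Write-Warning 'FAIL "CA Message Queuing Server" is not running'; $ok = $false }

# Task 4: the file installed here must be the same public key generated on the CCS.
if (-not (Test-Path -LiteralPath $KeyFile)) { Write-Warning "FAIL key file $KeyFile not found"; $ok = $false }

# Risk notes per the policy descriptions above: only -m (Policy 1) refuses unencrypted peers.
switch ($Policy) {
    'blank' { Write-Warning 'Policy 0 selected: CAM/CAFT traffic will not be encrypted' }
    'i'     { Write-Warning 'Policy -1 selected: peers without certificates still get plaintext' }
}

if (-not $ok) { Write-Error 'Pre-flight checks failed; fix the items above before running caftkey'; exit 1 }

# Build "caftkey -policy_setting keyfile password"; the blank policy simply omits the flag.
$flag  = if ($Policy -eq 'blank') { $null } else { "-$Policy" }
$kargs = @($flag, $KeyFile, $Password) | Where-Object { $_ }

if ($Apply) {
    & caftkey @kargs
    if ($LASTEXITCODE -ne 0) { Write-Error "caftkey exited with code $LASTEXITCODE"; exit $LASTEXITCODE }
    Write-Host 'Key installed; restart the CAM service, recycle CAFT, then confirm the policy in ftlogs\dg000'
} else {
    Write-Host "Dry run: would execute caftkey $flag $KeyFile <password>"
}
```

Run it once per endpoint with -Apply omitted to see the report, then again with -Apply to install the key; the password is passed as an argument only because caftkey itself takes it that way, so clear the shell history afterwards.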

Summary of Configuring a Windows Server As an Endpoint 

In conclusion, this guide helps configure both the CCS and the Windows endpoint for integration with Identity Manager. Please make sure to use accounts with Local Administrator privileges when configuring these machines. If there are any questions, please contact our Support team and your questions will be answered.

Looking for additional help with the configuration of a Windows Server? ISX Consulting is an elite IAM security firm that offers boundless expertise in a range of cybersecurity and business process services, including Symantec Identity Suite. Take your interoperability to the next level, and contact an ISX consultant today.

