Using the Login Shell

After the initial CLI (text-based) configuration of the Virtual Appliance, the login shell for the config user is available for use.
In the Amazon Web Services (AWS) platform, the config user is used to log in to the web console only. The ec2-user user is used to run commands in the Command Line Interface.
Switching Users
The config user can switch to the following users:
  • dsa
  • imps
  • oracle
To switch to a different user, run the following command:
su - <username>
Available Aliases
The following aliases (command shortcuts) are available in the Virtual Appliance login shell:
Run the alias on all the Virtual Appliance cluster nodes unless mentioned in the documentation to run on a single node.
  • addDisk
    Resize the root ("/") volume on Virtual Appliance by adding an additional virtual disk.
  • addJBossDatasource
    Adds a defined custom data source that is referenced as an argument pointing to a property file (normally at /opt/CA/VirtualAppliance/custom/<APP>/dataSources) across all nodes running either the Identity Portal or Identity Manager applications.
  • audit_disable
    Disables kernel auditing to the log files and to the machine console.
  • audit_enable
    Enables kernel auditing to the log files and to the machine console.
  • audit_show
    Shows if the kernel auditing is enabled or disabled.
  • backupVapp and restoreVapp
    Back up and restore the Virtual Appliance configurations and data to a replacement server.
    The backupVapp and restoreVapp aliases do not restore Symantec Directory DSA data in a multiwrite-DISP recovery environment. One such example of a multiwrite-DISP environment is the deployment of User Store and Provisioning Store on multiple Virtual Appliance nodes.
    To back up data in a multiwrite-DISP environment, do the following:
    1. Shut down the deployed services (Identity Manager, Provisioning Store, Identity Governance, Identity Portal) on all nodes.
    2. Use the backupVapp alias to take a backup of all the Virtual Appliance nodes.
    3. Back up the external database.
    To restore data in a multiwrite-DISP environment, use the restoreVapp alias to restore the backup files on all the Virtual Appliance nodes, including the external database, to maintain data integrity.
  • check_cluster_clock_sync
    [Run the alias on any single cluster node]
    Checks the clock synchronization across the cluster nodes. This test fails if there are servers with a clock offset of more than 15 seconds.
    The clock synchronization is mandatory for replication to work correctly for a cluster containing multiple User Store or Provisioning Server nodes.
  • check_oracle_db_size
    [Run the alias on any single cluster node]
    Displays the embedded Oracle 11g Express database data file size.
  • compressLogs
    Compresses the log files of all applications in the Virtual Appliance into a tar.gz archive file that resides in the home directory.
    The logs archive also includes the hosts file and Wildfly standalone.xml files for Identity Manager, Identity Governance, Identity Portal.
    Example:
    /home/config/vApp_logs_<hostname>_<date>.tgz
  • configureCustomHostRecords
    Adds custom records to the /etc/hosts file. The custom records are read from /opt/CA/VirtualAppliance/custom/hosts.
  • configure_im_jcs_logging_permissions
    Allows you to configure permissions for JCS log files for the "config" user that may be arbitrarily written during JCS runtime, without the need to restart JCS.
  • configureLoginPrompt
    Set the content of /opt/CA/VirtualAppliance/custom/login-prompt.pre and /opt/CA/VirtualAppliance/custom/login-prompt.post as pre-login and post-login messages accordingly.
  • CreateIDMAuthDir
    Creates the Identity Manager Authentication Directory, in case it failed to create automatically during the deployment, or in case an administrator deleted it from the Directories page in the Identity Manager Management Console.
  • createIDMTrustConfiguration
    [Run the alias on any single cluster node]
    Manually creates Identity Manager Web-Services object for Identity Portal Connector. Run this command only when it fails to run automatically during deployment.
  • dbutil
    Serves as a wrapper for the Identity Governance dbutil utility. Normally, there is no need to invoke it manually as it is called by the populateIgDatabase command.
  • deleteIDMJMSqueue
    Deletes the Identity Manager JMS queue (/opt/CA/wildfly-idm/standalone/data/*).
  • DisableIdmAuthFilterSecurity / EnableIdmAuthFilterSecurity
    Disables or enables Identity Manager Management Console Security.
  • DisableIdmMgmtConsoleSecurity / EnableIdmMgmtConsoleSecurity
    Disables or enables Identity Manager User Console Authentication Filter Security.
  • eurekify-universemigration
    Export or import an Identity Governance universe from this solution.
  • import_wildfly_ssl_certificates
    Imports SSL certificates from all Wildfly-based products (Identity Manager, Identity Governance, Identity Portal) on all Virtual Appliance nodes to local Java key store. The SSL certificates are available at /opt/CA/VirtualAppliance/custom/wildfly-ssl-certificates.
  • install_vmware_tools
    Installs VMware tools from a mounted CDROM drive containing a VMware tools installation media or from an ISO file (supplied as an argument on the command line).
    To uninstall VMware tools, run:
    install_vmware_tools -u
  • listSSLCert
    Prints the SHA1 fingerprint of an SSL certificate that is retrieved from a remote server.
    • Usage for port 443: listSSLCert <Host name>
    • Usage for other ports: listSSLCert <Host name>:<Port>
  • measure_io_performance
    Runs a disk throughput measurement test. This is identical to the prerequisite test executed the first time a Virtual Appliance node is installed and configured from the CLI.
  • MountNetworkShares
    Mounts network shares that are defined in /opt/CA/VirtualAppliance/custom/mounts.
  • patch_vapp
    Installs the Virtual Appliance patch file (supplied as an argument on the command line). This command can be used to install all patch types (Example: Hotfixes, Cumulative Patches, Service Packs). This is the only supported option to patch or upgrade a system.
  • patch_vapp_via_cdrom
    Installs the Virtual Appliance patch file from a CD-ROM attached to the virtual machine
  • populateIgDatabase
    Runs during the deployment and upgrade operations; normally there is no need to invoke it manually. This command populates the Identity Governance database with the default tables that are required by the application. A valid use case to run this command is when a customer wants to "reset" the Identity Governance database by dropping and re-creating the databases/schemas, and wants to avoid re-deploying the solution.
  • pwdtools
    Runs the Identity Manager Password tools (normally required when performing integration with Symantec Single Sign-On). Use this command to encrypt passwords that must be stored in the ra.xml configuration file.
  • reconfigure_ig
    Recreate the file-system configuration of Identity Governance.
  • reconfigure_im
    Recreate the file-system configuration of Identity Manager.
  • reconfigure_ip
    Recreate the file-system configuration of Identity Portal.
  • RegisterExternalConnectorServer
    Serves as a command-line substitute for the "Register Connector Server" functionality on the web-ui → External Tools page.
    Normally, there is no need to execute this command.
  • registerJavaConnectors
    Normally, there is no need to run this command.
    This command registers or re-registers Java Connector servers to the Provisioning Directory based on the latest Metadata in the locally installed Connector Server product (or the Connector Server install image, as fall back).
  • remove_failed_node_ssh_fingerprint
    Removes the stale SSH fingerprint of a failed node. Use it when a Virtual Appliance node that crashed beyond recovery was replaced with another one having the same IP addresses.
  • removeJBossDatasource
    Removes a defined custom data source that is referenced as an argument pointing to a property file at /opt/CA/VirtualAppliance/custom/<APP>/dataSources across all nodes running either the Identity Portal or Identity Manager applications.
  • remove_service
    Removes a service from the file system.
  • repair_service
    Resets the file system part of a given service to factory defaults.
    WARNING: This command should only be used in extreme conditions of disk corruption leading to inability to start a service. You must take a backup of the custom content and configurations for the given service before executing this command.
  • resetInternalDB
    Resets the embedded (Oracle 11g Express) database state. It deletes all Identity Manager, Identity Portal, and Identity Governance environment data and configurations, while restoring them to the “clean” Virtual Appliance state.
  • resetVappServiceAccountPassword
    Allows resetting the password for the Virtual Appliance service account (named: "vapp-service") on the Provisioning Directory. Use this command only when the customer disabled the account or changed its password, or in case the password for the account has expired.
  • reset_vapp_to_factory_defaults
    Remove all data of previous deployments from the file-system.
  • resizeDisk
    Allows resizing the file-system size on the "/" volume after the Virtual Disk that is assigned to the Virtual Appliance Virtual Machine has been expanded in the host Virtualization platform.
    Example: VMware ESX.
    The expansion operation in the host Virtualization platform typically requires shutting down the guest Virtual Machine.
  • restart_ig
    Restarts Identity Governance application.
  • restart_jcs
    Restarts the Connector Server.
  • restart_rs
    Restarts Report Server application.
  • restart_im
    Restarts Identity Manager application.
  • restart_ip
    Restarts Identity Portal application.
  • restart_oracle
    Restarts the internal Oracle 11g Express database (if deployed).
  • restart_ps
    Restarts the Provisioning Server.
  • rollback_vapp
    Rolls back a previously installed patch.
  • s
    Performs a solution health status check and displays the console-based output.
    Note: The output is immediately set as the login banner.
  • setEntropyWatermark
    Sets the watermark value of the Linux random-number generator (RNGD). The default is 3000.
  • selectTimeZone
    Allows configuring the server time-zone.
  • setDeploymentName
    [Run the alias on any single cluster node]
    Sets the deployment name of a Virtual Appliance deployment across the cluster, if not already set. The deployment name is used in the DSA names and to set the replication-group in the directory configuration that is required for setting up asynchronous replication. For Disaster Recovery setup information, see the Disaster Recovery setup documentation.
    • The command works only on a cluster where all the nodes are of type Platform v2 (CentOS Stream 8 or Amazon Linux 2).
    • Use the command if you have migrated from CentOS 6 to Platform v2 (CentOS Stream 8 or Amazon Linux 2) and would like to use a two cluster Disaster Recovery setup.
  • set_log_level_cs
    Sets the application log level of the JCS.
  • set_log_level_ig
    Sets the application log level of Identity Governance.
  • set_log_level_ip
    Sets the application log level of Identity Portal.
  • setOOTBCustomConfig
    [Run the alias on any single cluster node]
    Allows customization of the WildFly OOTB datasource connection pool parameters of Identity Manager, Identity Governance and Identity Portal. Follow the given screenshot to configure OOTB datasource parameters using the setOOTBCustomConfig command.
    (Screenshot: Customize WildFly OOTB Datasource Parameters)
    • You can locate the customized OOTB datasource parameter values at:
      /opt/CA/VirtualAppliance/custom/<Symantec IGA Point-products>/config/ootb_datasource.conf
      Example:
      /opt/CA/VirtualAppliance/custom/IdentityGovernance/config/ootb_datasource.conf
    • Virtual Appliance cascades OOTB datasource parameter configuration to all the applicable nodes in a cluster.
    • Restart of the application server on a node triggers application server restart on all the applicable nodes in a cluster.
  • setPublicIp
    Applicable to the Virtual Appliance instances deployed on AWS or Azure.
    This command attempts to determine the public IP address of the node. It is used in the Web-UI dashboard which exposes links to the applications.
  • setTimeAndDate
    Allows configuring the server date and time.
  • setVappUserPassword
    Sets the Virtual Appliance user password (normally the "config" user).
    This is equivalent to running the "passwd" command.
  • set_vApp_webui_session_timeout
    Displays or configures the session inactivity timeout (in minutes) for the Virtual Appliance Web Console (listening on port 10443).
  • start_dxserver
    Starts all Symantec Directory DSAs.
    Note:
    If all Symantec Directory DSAs are started, the monitor will not display per-DSA status. Instead, it displays "[OK] All DSAs are started".
  • start_ig
    Starts Identity Governance application.
  • start_im
    Starts Identity Manager application.
  • start_ip
    Starts Identity Portal application.
  • start_jcs
    Starts the Connector Server.
  • start_oracle
    Starts the internal Oracle 11g Express database (if deployed).
  • start_ps
    Starts the Provisioning Server.
  • stopDeploymentProcess
    Stops an ongoing deployment process.
    This command must be invoked on the node from whose web-ui the current deployment operation started. This command should only be executed in extreme conditions where a deployment operation is halted and does not finish.
  • stop_dxserver
    Stops all Symantec Directory DSAs.
  • stop_ig
    Stops Identity Governance application.
  • stop_im
    Stops Identity Manager application.
  • stop_ip
    Stops Identity Portal application.
  • stop_jcs
    Stops the Connector Server.
  • stop_oracle
    Stops the internal Oracle 11g Express database (if deployed).
  • stop_ps
    Stops the Provisioning Server.
  • swapManager
    Adds extra swap volume in Virtual Appliance. This alias enables the following functionalities:
    • Adds a separate disk as swap space to the system.
    • Removes the added disk from the server swap space.
    Note:
    The disk must not be a partition, a logical volume, or a member of the system volume group.
  • sync_vapp_custom_content
    [Run the alias on any single cluster node]
    Synchronizes content across all nodes for custom content under the /opt/CA/VirtualAppliance/custom directory.
  • tail_cs_log
    Monitors the Connector Server log.
  • tail_ig_log
    Monitors the Identity Governance application log.
  • tail_im_log
    Monitors the Identity Manager application log.
  • tail_ip_log
    Monitors the Identity Portal application log.
  • tail_ps_log
    Monitors the Provisioning Server log.
  • tdl
    Monitors the Virtual Appliance deployment log.
  • tvl
    Monitors the Virtual Appliance main log.
  • tvcl
    Monitors the Central Logging log.
  • twl
    Monitors the Virtual Appliance web server log.
  • updateManager
    Provides Amazon Web Services (AWS) security updates.
  • vapp_jstack
    Allows you to collect Java stack dumps of Identity Manager, Identity Governance and Identity Portal.
    (Screenshot: Collect Java Stack Dumps)
  • vapp_sync
    [Run the alias on any single cluster node]
    Synchronizes custom files of deployed applications, which are at /opt/CA/VirtualAppliance/custom/<application name>.
    This command is required in the following cases:
    • there are multiple nodes of the same application type in the solution (Example: Identity Manager)
    • the application nodes are not configured with a shared network location for storing common shared files.
    Note: This command performs in a uni-directional fashion, overwriting files on remote nodes with files from the current node (from where the command has been executed).
  • vAppUserPortalShowAllServices
    Disables or enables a flag which controls whether a system with Identity Portal installed shows only Identity Portal in the User Portal web-ui (the default behavior) or also shows the other installed products (if applicable): Identity Manager and Identity Governance.
  • vcl / view_vapp_central_log
    Lets you view the Central Logging log.
  • vdl
    Lets you view the Virtual Appliance deployment log.
  • view_cs_log
    Lets you view the Connector Server log.
  • view_ig_log
    Lets you view the Identity Governance application log.
  • view_im_log
    Lets you view the Identity Manager application log.
  • view_ip_log
    Lets you view the Identity Portal application log.
  • view_ps_log
    Lets you view the Provisioning Server log.
  • vvl
    Lets you view the Virtual Appliance main log.
  • vwl
    Lets you view the Virtual Appliance web server log.
  • wildfly_admin_console
    Allows you to enable/disable the WildFly Management Console.
    (Screenshot: WildFly Management Console)
    Note that the Set -Djboss.bind.address.management configuration is needed only for Identity Portal and Identity Governance.
  • wildfly-ssh-keymgr
    Manages SSH key-pairs under the ownership of user wildfly for purposes of automated execution of code on a remote server.
Available Privileged Commands (sudo)
The config user can execute the following commands as user dsa or imps with elevated privileges using "sudo" (by prefixing them with the "sudo" command):
[Platform v1 - running on CentOS 6 or Amazon Linux v1]
  • halt
  • shutdown
  • reboot
  • All init scripts in /etc/init.d/
  • /opt/CA/wildfly-portal/bin/add-user.sh
  • /opt/CA/wildfly-idm/bin/add-user.sh
  • /opt/CA/wildfly-ig/bin/add-user.sh
  • date
  • mount
  • unmount
  • ps
  • netstat
  • service
  • net-snmp-create-v3-user
  • sysctl
    For custom changes to persist, ensure that you add the custom configurations after the CA Technologies - END marker in the /etc/sysctl.conf file.
  • chkconfig
  • route
  • ethtool
  • iptables
  • iptables-save / iptables-restore
  • top
  • kill
  • killall
  • traceroute
  • ntpdate
  • ntpq
  • loadkeys
    Usage: To change the keyboard layout on the CLI console, run the loadkeys command followed by the language code (Example: us, fr, de, it).
[Platform v2 - running on CentOS Stream 8 or Amazon Linux v2]
  • /opt/CA/wildfly-portal/bin/add-user.sh
  • /opt/CA/wildfly-idm/bin/add-user.sh
  • /opt/CA/wildfly-ig/bin/add-user.sh
  • halt
  • shutdown
  • reboot
  • poweroff
  • date
  • mount
  • unmount
  • netstat
  • ps
  • service
  • systemctl
  • journalctl
  • chkconfig
  • sysctl
    For custom changes to persist, ensure that you add the custom configurations after the CA Technologies - END marker in the /etc/sysctl.conf file.
  • net-snmp-create-v3-user
  • chronyd
  • top
  • iotop
  • killall
  • kill
  • route
  • traceroute
  • tcpdump
  • ethtool
  • firewall-cmd
  • apachectl
  • loadkeys
    Usage: To change the keyboard layout on the CLI console, run the loadkeys command followed by the language code (Example: us, fr, de, it).
  • grubby
  • oscap
  • localectl
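Both platform lists above require custom sysctl settings to sit after the CA Technologies - END marker in /etc/sysctl.conf so they survive appliance updates. The following helper is an added example (not a Virtual Appliance alias or script) that places a setting below the marker, replaces an existing custom value for the same key instead of duplicating it, and refuses to touch a file that has no marker. It assumes the marker line contains the literal text "CA Technologies - END"; run it on a copy of the file, or via sudo, as the config user has no write access to /etc/sysctl.conf itself.

```shell
#!/bin/bash
# Added example: persist a custom sysctl setting below the appliance marker.
# Assumption: the managed block ends with a line containing this literal text.
MARKER='CA Technologies - END'

# add_sysctl_after_marker FILE KEY VALUE
# Returns 0 on success, 1 if the marker is missing (file is left unchanged).
# A key set above the marker (appliance-managed block) is never edited; the new
# line is appended below it, and sysctl applies the last occurrence, so the
# custom value wins without modifying the managed block.
add_sysctl_after_marker() {
    file="$1"; key="$2"; value="$3"
    grep -qF "$MARKER" "$file" || return 1
    tmp=$(mktemp) || return 1
    awk -v marker="$MARKER" -v key="$key" -v value="$value" '
        index($0, marker) { print; after = 1; next }
        after {
            # "key = value" or "key=value": compare the trimmed key only.
            n = split($0, kv, "=")
            k = kv[1]; gsub(/[[:space:]]/, "", k)
            if (n >= 2 && k == key) {
                if (!done) { print key " = " value; done = 1 }
                next            # drop duplicate custom lines for the key
            }
        }
        { print }
        END { if (!done) print key " = " value }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps owner/mode
    rc=$?
    rm -f "$tmp"
    return $rc
}

# list_custom_sysctl FILE
# Prints the non-comment settings below the marker, i.e. what will persist.
list_custom_sysctl() {
    awk -v marker="$MARKER" '
        index($0, marker) { after = 1; next }
        after && $0 !~ /^[[:space:]]*(#|$)/ { print }
    ' "$1"
}
```

Review the result with list_custom_sysctl before applying it with sudo sysctl -p.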