sepmd Utility Administer Subscribers and the Update File
The sepmd utility creates, removes, and assigns subscribers.
capamsc141
The sepmd utility creates, removes, and assigns subscribers.
This command has the following format:
sepmd {-C|-de|-l|-L|-p|-R} pmd sepmd {-n|-r|-u} <pmd> <subscriber> sepmd -s <pmd> <subscriber> <offset> sepmd -sm pmdmf_subscribermf_typemf_sysidmf_adminoffset sepmd -smq pmd <-predefined> <ACMQ queue> [-destination <destination>} sepmd -t pmd {auto|offset}
- -CThis parameter displays all commands and their offsets in the update file. The offset indicates the location of the update inside the file, which you might want to specify when you subscribe another database or PMDB.
- -de(UNIX only) Decrypts the information in the encrypted updates.dat file. Data encryption for this file occurs when you set the UseEncryption PMDB configuration setting to yes.
- -lLists the subscribers of the Policy Model.
- -LLists the Policy Model and its status, including number of errors, availability, offset, synchronization mode, and the next command to be propagated. The update file contains all updates that must be, or have been, propagated by the Policy Model. The offset indicates the location of the next update that must be sent to a subscriber. Both initial and latest offsets also appear.
- -nCreates a new subscriber and then updates it retroactively to the Policy Model. For general rules that apply for updating a subscriber, see the description for the -s option.This option sends the contents of the entire PMDB-including the LOGINAPPL (UNIX only) and SPECIALPGM objects-to the new subscriber. You might want to filter out these objects if the subscriber's objects differ from those of the parent.The -n option does not replace the Policy Model database definitions on the target subscriber database definition, rather it is added to the existing Policy Model. If the target database contains additional resources or attributes, the new Policy Model does not remove them after subscription is complete.A subscriber added with -n is marked assync, indicating that it is now in synchronization mode and receives all of the PMDB rules. When the subscriber has received all the rules, it is released from synchronization mode and becomes a regular subscriber. The -n option might take some time to process. If there are multiple or contradictory updates, the last one is used.When you subscribe aPrivileged Access Managerendpoint or a PMDB to another PMDB usingsepmd -n, the new parent PMDB should not contain any policies (POLICY object names) that already exist in the new subscriber. Undeploy each existing policy from the subscriber and then delete the POLICY object and linked RULESET object from the subscriber before you subscribe it to the new parent PMDB.On UNIX, if the send_unix_env token in the seos.ini file is set to yes, the -n option also sends the contents of Policy Model password and group files. We recommended that you view the database, by using dbmgr -export -l, to ascertain the commands being forwarded.
- -pLists the resident Policy Models and their status.
- -rRemoves the subscriber from the list of unavailable subscribers maintained by sepmdd, making the subscriber available for immediate updates. Normally, if a subscriber is down and cannot receive updates from the Policy Model, sepmdd tries to send updates to that subscriber only after a certain period of time. However, if you specify this option, sepmdd skips the waiting period and tries to send updates to the subscriber immediately.
- -RUpdate all subscribers with their real offset.
- -sSubscribes another database or PMDB to the Policy Model. When you subscribe a host to a Policy Model, the host must be up, andPrivileged Access Managermust be running on that host. Additionally, the PMDB must be the parent PMDB of the subscribed host. You establish this relationship with the parent_pmd subscriber configuration setting, which must contain the name of the PMDB to which the host is being subscribed.When you subscribe a Policy Model to another Policy Model,
- the token parent_pmd in the pmd.ini file of the subscribed Policy Model must contain the name of the Policy Model to which it is subscribing (its parent Policy Model).
- Privileged Access Managermust be running on the host in which the subscribed policy resides.
- -smAssigns a mainframe subscriber to the Policy Model.
- -smqSubscribes a pre-defined message queue subscriber to a policy model.
- <ACMQ queue>Specifies the following pre-defined Message Queue queues:
- ServerToServer
- ServerToServerBroadcast
- ServerToEndpointBroadcast
- EndpointToServer
- ServeryoEndpoint
- -destinationSpecifies the destination of thePrivileged Access Managercomponent that receives messages from the subscriber.
- -tTruncates the update file by deleting entries from it.On UNIX, if the force_auto_truncate PMDB configuration setting is set to no, sepmd -t does not truncate the update file. If the token is set to yes, the command truncates the update file even if there are no subscribers to the Policy Model.
- If you are usingoffset(manual cutting), you can find the offset by running sepmd with the -L option.Use the true offset from the -L parameter to truncate the file, and not an offset derived by subtracting from the start offset.
- If you are using auto, sepmd calculates the offset of the first unpropagated entry and deletes all the entries before it. Using auto saves the step of running the utility with the -L parameter.
- Unsubscribe the host that was not updated
- Truncate the file
- Resubscribe the host to the Policy Model
- -uRemoves a subscriber from the Policy Model subscription list.
- autoInstructs sepmd to calculate the offset of the first unpropagated entry and to delete all the entries before it.
- offsetUsed with the -s or -sm options, specifies the point within the update file from where the newly added subscriber starts receiving updates.Used with the -t option, specifies the distance from the beginning of the update file to the position of a particular subscriber.Use the -C option to see the valid update offsets. If you specify an offset that is in the middle of an update, the offset is moved forward to the beginning of the next update. If you specify an invalid offset (smaller than the first offset or larger than the last), an error message appears.
- pmdSpecifies the name of the Policy Model.
- -predefinedSpecifies to use pre-defined message queue subscribers
- subscriberSpecifies the subscriber station or the host of the subscriber PMDB.