New Features and Enhancements of 14.0.1
For a list of supported platforms and product integration, see Compatibility Matrix.
CA Client Automation Release 14.0.1 provides the following new features and enhancements:
ENC Exclude IP Address Support
The ENC Gateway Manager allocates a unique IP address to each ENC Client. The unique IP address is present in the Start IP and END IP address range specified in the policy. If any real addresses (sub range) on your network are within the Start IP and END IP address range, the unique IP addresses assigned to each ENC Client might conflict with real addresses. To avoid this conflict, a new configuration policy, ENC Exclusion IP address range list, is introduced. You can set this configuration policy under the Control Panel, Configuration, Configuration Policy, <configuration policy name>, DSM, Common Components, ENC Gateway, and ENC Gateway Server path.
You can specify the real IP address ranges (sub ranges) to exclude from allocation (unique IP address allocation to ENC Client). Specify the real address range in <START IP Range>-<END IP Range>,<START IP Range>-<END IP Range> format. For example, 192.168.2.1-192.168.2.100, 172.143.2.1-172.143.2.100, 152.143.20.150-152.143.20.200.
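The following check is an added example, not part of the product or its documentation: it parses an exclusion list in the format above, warns about ranges that do not fall inside the Start IP to END IP pool, and counts how many addresses remain for ENC Clients. The pool bounds and the sample list are constructed values.

```python
import ipaddress

def parse_ranges(spec):
    """Parse '<START>-<END>,<START>-<END>' into (start, end) IPv4Address pairs."""
    ranges = []
    for item in spec.split(","):
        start_s, sep, end_s = item.strip().partition("-")
        if not sep:
            raise ValueError(f"missing '-' in range {item.strip()!r}")
        start = ipaddress.IPv4Address(start_s.strip())
        end = ipaddress.IPv4Address(end_s.strip())
        if start > end:
            raise ValueError(f"start after end in range {item.strip()!r}")
        ranges.append((start, end))
    return ranges

def check_exclusions(pool_start, pool_end, spec):
    """Return (warnings, allocatable_count) for an exclusion list against the pool."""
    lo, hi = ipaddress.IPv4Address(pool_start), ipaddress.IPv4Address(pool_end)
    warnings, clipped = [], []
    for start, end in parse_ranges(spec):
        if end < lo or start > hi:
            warnings.append(f"{start}-{end} is outside the pool and excludes nothing")
            continue
        if start < lo or end > hi:
            warnings.append(f"{start}-{end} only partly overlaps the pool")
        clipped.append((max(int(start), int(lo)), min(int(end), int(hi))))
    # Merge overlapping exclusions so shared addresses are not counted twice.
    excluded, last_end = 0, None
    for s, e in sorted(clipped):
        if last_end is not None and s <= last_end:
            if e > last_end:
                excluded += e - last_end
                last_end = e
        else:
            excluded += e - s + 1
            last_end = e
    return warnings, int(hi) - int(lo) + 1 - excluded

# Constructed sample: two overlapping sub ranges and one range outside the pool.
SAMPLE_SPEC = "192.168.2.1-192.168.2.100, 192.168.2.50-192.168.2.120, 172.143.2.1-172.143.2.100"

if __name__ == "__main__":
    warnings, free = check_exclusions("192.168.2.1", "192.168.2.254", SAMPLE_SPEC)
    print("allocatable addresses:", free)
    for w in warnings:
        print("warning:", w)
```
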
TLS 1.2 Support
To support TLS 1.2, two configuration parameters are added under the Control Panel, Configuration, Configuration Policy, <configuration policy name>, DSM, Common Components, Networking, and General path.
Before changing the settings to use a particular TLS version, analyze thoroughly and ensure that communication does not break after applying the policy partially.
- Min TLS Version: This parameter specifies the minimal TLS version that can be used for communication between nodes. The application starts with the Max TLS Version, but on failure the TLS version falls back to the lower version until the Min TLS Version is reached. To use a particular TLS version, ensure that Min TLS Version and Max TLS Version are the same.
Default: 1.0
Values: 1.0, 1.1, and 1.2
- Max TLS Version: This parameter specifies the maximum TLS version that can be used for communication between nodes. The application starts with the Max TLS Version, but on failure the TLS version falls back to the lower version until the Min TLS Version is reached. To use a particular TLS version, ensure that Min TLS Version and Max TLS Version are the same.
Default: 0
Values: 1.0, 1.1, and 1.2
If Max TLS Version is set to 0, the highest supported TLS version is considered as Max TLS Version. For ENC, any system level setting to disable TLS overrides the configuration policy settings.
World Write Permissions
The world write permissions on some directories or files are removed.
The following CA Client Automation folders get 755 instead of 777:
- /opt/CA/DSM/Agent/AM/data
- /opt/CA/DSM/Agent/AM/images
- /opt/CA/DSM/HM
- /opt/CA/DSM/HM/scriptoutputdir
- /opt/CA/DSM/HM/scriptdir
- /opt/CA/DSM/var
- /opt/CA/DSM/URI
The following common component folders get 775 instead of 777:
- /opt/CA/SharedComponents/cai18n
- /opt/CA/SharedComponents/csutils/log
- /opt/CA/SharedComponents/tmp
The existing permissions are retained for the following directories or files:
- /opt/CA/SharedComponents/csutils/bin/casrvc
- /opt/CA/DSM/sd/asm/tmp
- /opt/CA/DSM/dts/dta/staging
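A post-upgrade check for the permission changes listed above, added here as an example and not shipped with the product: it compares each listed path against the mode the page states and reports any that are still world-writable. The `root` parameter is a hypothetical prefix so the check can also run against a mounted image or a test tree.

```python
import os
import stat

# Modes the page states for 14.0.1 (paths exactly as listed above).
EXPECTED_MODES = {
    "/opt/CA/DSM/Agent/AM/data": 0o755,
    "/opt/CA/DSM/Agent/AM/images": 0o755,
    "/opt/CA/DSM/HM": 0o755,
    "/opt/CA/DSM/HM/scriptoutputdir": 0o755,
    "/opt/CA/DSM/HM/scriptdir": 0o755,
    "/opt/CA/DSM/var": 0o755,
    "/opt/CA/DSM/URI": 0o755,
    "/opt/CA/SharedComponents/cai18n": 0o775,
    "/opt/CA/SharedComponents/csutils/log": 0o775,
    "/opt/CA/SharedComponents/tmp": 0o775,
}
# Paths whose existing permissions are retained; reported only if world-writable.
RETAINED = (
    "/opt/CA/SharedComponents/csutils/bin/casrvc",
    "/opt/CA/DSM/sd/asm/tmp",
    "/opt/CA/DSM/dts/dta/staging",
)

def current_mode(root, path):
    """Permission bits of path under root, or None if it does not exist."""
    try:
        return stat.S_IMODE(os.stat(os.path.join(root, path.lstrip("/"))).st_mode)
    except FileNotFoundError:
        return None

def audit(root="/"):
    """Return (path, finding, mode) tuples for every deviation from the listed modes."""
    findings = []
    for path, want in EXPECTED_MODES.items():
        mode = current_mode(root, path)
        if mode is None:
            findings.append((path, "missing", None))
        elif mode & stat.S_IWOTH:
            findings.append((path, "world-writable", oct(mode)))
        elif mode != want:
            findings.append((path, "unexpected mode", oct(mode)))
    for path in RETAINED:
        mode = current_mode(root, path)
        if mode is not None and mode & stat.S_IWOTH:
            findings.append((path, "retained, still world-writable", oct(mode)))
    return findings

if __name__ == "__main__":
    for finding in audit():
        print(*finding)
```
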
SHA-2 and Higher RSA (2048 Bits) Key Support
ITCM Components
To support the SHA-2 hashing standard and higher RSA (2048 Bits) key, the following configuration policy is added under the Control Panel, Configuration, Configuration Policy, <configuration policy name>, DSM, Common Components, Security, and Certificates Options path.
- Certificate preference change action: This configuration parameter specifies the action to be taken when the Certificate preference order parameter is changed.
Values:
- Forcibly restart caf and all ITCM components
- Ask user to restart ITCM
Default Value: Ask user to restart ITCM
A configuration policy is added under the Control Panel, Configuration, Configuration Policy, <configuration policy name>, DSM, Common Components, Security, Certificates Options, and Certificate Preference path.
- Certificate preference order: This configuration parameter specifies the order of certificate usage for security negotiation. If the preference order is specified with only one value, the certificate is used for all negotiations. If the preference order contains two values and communication using the first certificate fails, the second certificate is used as a fallback.
Values:
- SHA256_2048,SHA1_1024
- SHA256_2048
Default Value: SHA256_2048,SHA1_1024
ENC Components
To support the SHA-2 hashing standard and higher RSA (2048 Bits) key, the following configuration policy is added under the Control Panel, Configuration, Configuration Policy, <configuration policy name>, DSM, Common Components, ENC Gateway, and General path.
- Certificate preference change action: This configuration parameter specifies the action to be taken when the Certificate preference order parameter is changed.
Values:
- Forcibly restart caf and all ITCM components
- Ask user to restart ITCM
Default Value: Ask user to restart ITCM
A configuration policy is added under the Control Panel, Configuration, Configuration Policy, <configuration policy name>, DSM, Common Components, ENC Gateway, General, and Certificate Preference path.
- Certificate preference order: This configuration parameter specifies the order of certificate usage for security negotiation. If the preference order is specified with only one value, the certificate is used for all negotiations. If two values are specified, the client loads the certificate that is based on this configuration policy and the communication is successful when the corresponding certificate is available in the server certificate store.
Values:
- SHA256_2048,SHA1_1024
- SHA256_2048
Default Value: SHA256_2048,SHA1_1024
Upgrade ENC components in the following hierarchical order:
- ENC Gateway Server (Manager)
- ENC Gateway Server (Routers connected to Manager)
- ENC Gateway Server (Server)
- ENC Gateway Server (Routers connected to Server)
- ENC Client
When certificates are upgraded for ENC communication, import the new certificates in the following order:
- ENC Gateway Server (Manager)
- ENC Gateway Server (Routers connected to Manager)
- ENC Gateway Server (Server)
- ENC Gateway Server (Routers connected to Server)
- ENC Client
The ENC Client uses the first available certificate that is based on the Certificate Preference and there is no fallback in failures. Ensure that you have a corresponding certificate available on the ENC server and router.
If you provide any invalid value, the system gets isolated from CA Client Automation infrastructure.
Removal of Older Certificates
cacertutil is enhanced to use the file name or thumbprint as a parameter to remove the certificates from the CA Client Automation certificate store. For example, if you are using the default certificates, you can execute the following commands on Domain Manager to remove the older SHA-1 certificates.
cacertutil remove -fn:B56C43967A4B780996CF8A5B05E1ACDB21D1B80A
cacertutil remove -fn:B695E30A5A89B927B01886DD2164930CF4551FF3
cacertutil remove -fn:CA5E6CF93366779070429B3B71CED27E5355B54A
cacertutil remove -fn:D2DC797FA94CFECC59A2681C318504DBAA8D202D
cacertutil remove -fn:D7964466C524C234D78ED417E64495384F5137C3
cacertutil remove -fn:2D912CE1B4477698BA9D411A1AD7A63F5D0CBCB0
cacertutil remove -fn:8D7AD5F2B45212C0B224D591B9561E5F2EE40FDB
cacertutil remove -fn:898E4023A315D4B73A673C944153FE5BED7886F8
cacertutil remove -fn:4274D20FB231B86CCDC18B289B7707B406674EBA
cacertutil remove -fn:A019160B0F5080C015999931CD9AF844E63CF605
cacertutil remove -fn:AFF2F244FAB2534148A8AB29F754F1A1B446C39D
Hardware Inventory Module Scheduling
The default schedule for the default Hardware inventory module is changed to each day; users can configure it according to the scale of their environment. This change is applicable for both initial and upgrade installations.
CA Client Automation Agent Software Automatic Upgrade Support
CA Client Automation now supports automatic and unattended upgrade of CA Client Automation Agent software. CA Client Automation administrators can now enable the Agents for automatic upgrade to the latest version.
Ensure that the Software Delivery Agent plug-in is installed to support the Agent software automatic upgrade.
The agent software is upgraded to the version of Scalability Server.
When a new Agent software version is available, ensure all the new Software Delivery packages that are required for the Agent upgrade are staged to the Scalability Server. When the Agent connects to the Scalability Server next time, the Scalability Server recognizes the update and the new Agent software is installed automatically depending on the configuration settings.
Agent software automatic upgrade occurs only when Software Delivery Agent sends a list of DSM packages that are installed on the system. Software Delivery Agent sends these records only once in ten job checks through the Job Check: SWD delta mode configuration policy. For more information about this configuration, see Software Delivery Agent Policy Group.
To configure the Scalability Server for supporting the Agent software automatic upgrade, a configuration policy is added under the Control Panel, Configuration, Configuration Policy, <configuration policy name>, DSM, Software Delivery, and Scalability Server path.
- Agent Auto Upgrade: Agent auto upgrade mode
If Scalability Server runs in Agent auto upgrade mode, the Agent versions that are listed in the Agent Auto Upgrade: Agent versions allowed for upgrade configuration policy are upgraded automatically.
Values: True or False
Default Value: False
If you want to upgrade specific versions of the Agent software, a configuration policy is added under the Control Panel, Configuration, Configuration Policy, <configuration policy name>, DSM, Software Delivery, and Scalability Server path.
- Agent Auto Upgrade: Agent versions allowed for upgrade
This configuration parameter specifies semicolon separated Agent versions that are allowed for automatic upgrade.
Allowed Versions: 12.8.0.690;12.8.1.110;12.9.0.338;12.9.1.70;12.9.2.14;14.0.0.199
If an Agent package is missing from the Software Delivery Library, a configuration policy is added under the Control Panel, Configuration, Configuration Policy, <configuration policy name>, DSM, Software Delivery, and Scalability Server path that lists the actions that the Scalability Server has to perform.
- Agent Auto Upgrade: Package missing Action
This configuration parameter specifies the list of actions for a Scalability Server to perform when an Agent package is missing from the Software Delivery Library.
Values: 1, 2
- 1: Ignore the Agent upgrade
- 2: Raise an event
Default Value: 1
To configure the Agent for supporting the software automatic upgrade, a configuration policy is added under the Control Panel, Configuration, Configuration Policy, <configuration policy name>, DSM, Software Delivery, and Agent path.
- Agent Auto Upgrade: Enable auto upgrade
This configuration parameter enables the Agent for upgrading automatically to the Scalability Server version.
Values: True or False
Default Value: False
To support automatic upgrade retry when an Agent upgrade fails, a configuration policy is added under the Control Panel, Configuration, Configuration Policy, <configuration policy name>, DSM, Software Delivery, and Agent path.
- Agent Auto Upgrade: Enable auto upgrade retry
This configuration parameter enables automatic upgrade retry when an Agent installation fails. If this parameter is set to True, Scalability Server retries the upgrade.
Values: True or False
Default Value: True
For partial upgrade success from previous 14.0 SP1 release to later versions, automatic upgrade retry works when Agent Auto Upgrade: Enable auto upgrade is enabled.
- Agent Auto Upgrade: Auto upgrade retry count
This configuration parameter specifies the number of times an automatic upgrade is attempted, when an attempt to upgrade fails.
Values: 3
Default Value: False
To enable Agent automatic upgrade support, set both the Agent configuration policy Agent Auto Upgrade: Agent auto upgrade mode and the Scalability Server configuration policy Agent Auto Upgrade: Enable auto upgrade to True.
For Agent versions prior to 14.0.1, the Scalability Server decides on the automatic upgrade of Agent software because the Agent Auto Upgrade: Enable auto upgrade policy is not available.
The automatic upgrade of Agent software is initiated only when all the software packages of Agent installed plug-ins are available in the Scalability Server staging library.
The automatic upgrade of Agent software is attempted only when the Agent sends a full list of installed DSM software on every tenth job check, and is controlled through the Job Check: SWD delta mode configuration policy.
To enable the automatic upgrade of Agent software on non-ENU platforms with the language pack installed, ensure that you register and stage the packages for all plug-ins in the following format. Follow a similar approach for other platforms by passing an argument -P <Language> to the dsmpush dmscript.
Windows:
- CA DSM Agent + Basic Inventory plug-in (ENU, DEU)
- CA DSM Agent + Asset Management plug-in (ENU, DEU)
- CA DSM Agent + Remote Control plug-in (ENU, DEU)
- CA DSM Agent + Software Delivery plug-in (ENU, DEU)
- CA DSM Agent language pack DEU
Linux:
- CA DSM Agent + Basic Inventory plug-in Linux(intel) (ENU, DEU)
- CA DSM Agent + Asset Management plug-in Linux(intel) (ENU, DEU)
- CA DSM Agent + Remote Control plug-in Linux(intel) (ENU, DEU)
- CA DSM Agent + Software Delivery plug-in Linux(intel) (ENU, DEU)
- CA DSM Agent language pack DEU Linux(intel)
Whenever a new DSM package is registered in the Software Library, run the stage check on the Scalability Server to obtain a full list of DSM packages. By default, stage check is run on Scalability Server every day. If Agent download method is set to DTS-NOS-less, the automatic upgrade of Agent software does not occur.