
Security compliance manager client – IBM Tivoli and Cisco User Manual


Building a Network Access Control Solution with IBM Tivoli and Cisco Systems

Security Compliance Manager client

When the Security Compliance Manager client is started, the Security
Compliance Manager policy collector should listen for TCP connections on
port 40500. If a netstat -an command is run in a command window, you
should see this line:

TCP 127.0.0.1:40500 0.0.0.0:0 LISTENING

If this line does not appear in the list of connections, then the Security
Compliance Manager client policy collector is not running correctly. Note
that the socket is bound to the loopback address 127.0.0.1, so this
interface is reachable only from processes on the client machine itself,
not from the network.

If the client is listening on port 40500, you can telnet to the client and
issue the same commands that the Cisco Trust Agent would issue. This
technique should be used when you have to troubleshoot the interface
between the Cisco Trust Agent and the Security Compliance Manager policy
collector. In a command line window on the client machine, issue the
telnet localhost 40500 command to establish a connection with the client.

With the following commands, you can see what is being passed back to the
network, look at the complete posture cache, and test calls to the
remediation handler.

The commands pquery and pstatuschange have no arguments. pquery displays
the current value of all defined posture attributes.

The print and runall commands display and refresh the posture cache. print
shows the complete contents of the posture cache and is useful to see what
the client sees as the state of your system. runall runs all of the
collectors again and refreshes the posture cache with fresh information.

The pnotify command starts the remediation handler; its single argument is
the URL of the remediation listener that can be called to handle the
remediation request.

Note: Issuing a pquery command resets the client's change indicator. The
next time the network issues a pstatuschange, it will receive a false
response, so a change that occurred before your pquery is not reported to
the network. If you issue a pquery command while troubleshooting, you
should therefore clear the client's cache on the router or initiate a
rescan of the client on the router.

The pstatuschange command displays either true or false; this is the value
the network uses to determine whether the client's status has changed since
the last pquery.
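The troubleshooting session above, as an added example in Python; this is not code from the manual or from the Security Compliance Manager product. It contains a small TCP client that sends one command to the policy collector the way telnet would, a connect-based check equivalent to looking for the LISTENING line in netstat -an, and a mock collector that models only the behaviour documented here (pquery resetting the change indicator, pstatuschange, print, runall, pnotify with a URL) so the client can be exercised offline. The line framing (one CR/LF-terminated command, one line back), the decision that runall flags a change when a collector's value differs, the attribute names and values, and the remediation URL are assumptions constructed for the example; the real collector's wire format is not documented on this page and may differ.

```python
"""Drive the Security Compliance Manager policy collector interface over TCP.

Added example, not code from the manual or the product.  The real collector
listens on 127.0.0.1:40500 and answers the text commands the Cisco Trust
Agent sends.  ASSUMPTION (not on the page): one CR/LF-terminated command per
line, one line back.  The mock models only the documented semantics.
"""
import socket
import socketserver
import threading

HOST = "127.0.0.1"          # the collector binds to loopback only
DEFAULT_PORT = 40500


def is_listening(port, host=HOST, timeout=1.0):
    """Stand-in for finding '127.0.0.1:40500 ... LISTENING' in 'netstat -an':
    a completed TCP connect means something is listening on the port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def send_command(command, port=DEFAULT_PORT, host=HOST, timeout=5.0):
    """Send one command as 'telnet localhost 40500' would; return the reply
    line (framing is the assumption stated above)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(command.encode("ascii") + b"\r\n")
        reply_file = sock.makefile("rb")
        reply = reply_file.readline()
        reply_file.close()
    return reply.decode("ascii", "replace").rstrip("\r\n")


class CollectorState:
    """Mock of the collector's documented behaviour.  'collectors' maps an
    attribute name to a callable that returns its current value."""

    def __init__(self, collectors):
        self.collectors = collectors
        self.cache = {}
        self.changed = False
        self.remediation_url = None
        self.runall()                      # initial fill marks a change

    def runall(self):
        """Re-run every collector and refresh the cache; a differing result
        marks a status change (that flagging is an assumption of the mock)."""
        fresh = {name: fn() for name, fn in self.collectors.items()}
        if fresh != self.cache:
            self.changed = True
        self.cache = fresh
        return "ok"

    def _dump(self):
        return ";".join(f"{k}={v}" for k, v in sorted(self.cache.items()))

    def handle(self, line):
        parts = line.strip().split(None, 1)
        if not parts:
            return "error: empty command"
        cmd, arg = parts[0].lower(), (parts[1] if len(parts) > 1 else None)
        if cmd == "pquery":                # documented side effect: the next
            self.changed = False           # pstatuschange now answers false
            return self._dump()
        if cmd == "pstatuschange":
            return "true" if self.changed else "false"
        if cmd == "print":
            return self._dump()
        if cmd == "runall":
            return self.runall()
        if cmd == "pnotify":
            if not arg:
                return "error: pnotify needs the remediation listener URL"
            self.remediation_url = arg
            return "remediation handler started for " + arg
        return "error: unknown command " + cmd


class _Handler(socketserver.StreamRequestHandler):
    def handle(self):
        while True:
            raw = self.rfile.readline(4096)   # cap the line length
            if not raw:
                break
            reply = self.server.state.handle(raw.decode("ascii", "replace"))
            self.wfile.write(reply.encode("ascii", "replace") + b"\r\n")


def start_mock(state, port=0):
    """Serve the mock on loopback; port 0 picks a free port so this never
    collides with a real client on 40500."""
    srv = socketserver.ThreadingTCPServer((HOST, port), _Handler)
    srv.daemon_threads = True
    srv.state = state
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def troubleshoot_session(port, url="http://remediation.example/listener"):
    """The manual's sequence against whatever listens on 'port'; the URL is
    a placeholder.  Returns each reply keyed by step."""
    return {
        "listening": is_listening(port),
        "pstatuschange_before": send_command("pstatuschange", port),
        "pquery": send_command("pquery", port),
        "pstatuschange_after": send_command("pstatuschange", port),
        "print": send_command("print", port),
        "pnotify": send_command("pnotify " + url, port),
    }


SAMPLE_COLLECTORS = {                      # constructed sample posture
    "AntiVirusRunning": lambda: "true",
    "PatchLevel": lambda: "SP2",
}

if __name__ == "__main__":
    server = start_mock(CollectorState(SAMPLE_COLLECTORS))
    for step, reply in troubleshoot_session(server.server_address[1]).items():
        print(f"{step}: {reply}")
    server.shutdown()
```

Running the script against the mock shows the point of the note above: pstatuschange answers true before the pquery and false immediately after it, even though nothing on the system changed in between. To use send_command against a real client, pass the real port (40500) and run it on the client machine, since the collector does not accept connections from other hosts.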