Chat now with support
Chat mit Support

Privilege Manager for Unix 7.3 - Administration Guide

Introducing Privilege Manager for Unix Planning Deployment Installation and Configuration Upgrade Privilege Manager for Unix System Administration Managing Security Policy The Privilege Manager for Unix Security Policy Advanced Privilege Manager for Unix Configuration Administering Log and Keystroke Files InTrust Plug-in for Privilege Manager for Unix Troubleshooting Privilege Manager for Unix Policy File Components Privilege Manager for Unix Variables
Variable names Variable scope Global input variables Global output variables Global event log variables PM settings variables
Privilege Manager for Unix Flow Control Statements Privilege Manager for Unix Built-in Functions and Procedures
Environment functions Hash table functions Input and output functions LDAP functions LDAP API example List functions Miscellaneous functions Password functions Remote access functions String functions User information functions Authentication Services functions
Privilege Manager for Unix programs Installation Packages

Load balancing and policy updates

pmloadcheck is both a command and a background daemon (run with the -i flag). When run as a command, it checks, updates, and reports on the status of the policy server. You can use pmloadcheck from a policy server or PM Agent.

When run as a daemon process, it keeps track of the status of the policy servers for failover and load-balancing purposes. On policy servers, pmloadcheck is responsible for keeping the production policy file up to date.

For more information about the syntax and usage of this command, see pmloadcheck .

Policy servers are failing

The primary and secondary policy servers must be able to communicate with each other and the remote hosts must be able to communicate with the policy servers in the policy group.

For example, if you run the pmloadcheck command on a policy server or PM Agent to determine that it can communicate with other policy servers in the policy group, you may get output similar to the following:

++ Checking host:myhost.example.com (10.10.181.87) ... [FAIL]

There are several possible reasons for failure:

  • Policy server host is down

  • Network outage

  • Service not running on policy server host

These are some ways to verify that the Privilege Manager for Unix service is running properly on the policy server host:

  1. To verify the policy server configuration, run

    # pmsrvinfo
  2. To verify that the service is running, enter

    # ps -ef | grep pmserviced
  3. To verify that the pmmasterd port is in a listening state on the primary policy server, enter

    # netstat -na | grep 12345
  4. To verify the service is enabled, look for the following in the Privilege Manager for Unix configuration file (/etc/opt/quest/qpm4u/pm.settings)

    pmmasterdEnabled YES
  5. To restart the service (on a Linux host), enter on of the following:

    # /etc/init.d/pmserviced restart
    pmserviced -s
  6. Check for other communication issues, such as with your firewall, name resolution, dead network interface, and so forth.

pmgit Troubleshooting

This section describes common issues that may occur when using pmgit. Follow the instructions to troubleshoot pmgit operation.

Setting alert for syntactically incorrect policies

Since policy edits are not locally bound to the policy server when using Git policy management, syntactically incorrect policies can enter the Git repository. To address such cases, set an alert from the policy server to warn you if the policy is incorrect.

As an administrator, you can use your own alert script which pmgit tool can call if the policy syntax checking returns an error message after the synchronization between the Git policy repository and the SVN policy repository.

If an alert script is configured, the pmgit tool calls it with 2 parameters:

  • Email address from the last Git commit

  • Error message from the syntax check

Sample script

This is a sample script in bash which sends the error message to the user who initiated the last commit.

#!/bin/bash

email_address="$1"
shift
error_msg="$@"
				
/usr/sbin/sendmail -F "noreply" "${email_address}" <<EOF
subject:pmgit error
				
Syntax error occured in one of the policy files:
"${error_msg}"
EOF

To set pmgit tool to send alert messages based on your alert script, see pmgit Set.

Verwandte Dokumente

The document was helpful.

Bewertung auswählen

I easily found the information I needed.

Bewertung auswählen