Chat now with support
Chat mit Support

Privilege Manager for Unix 7.0 - Administration Guide

Introducing Privilege Manager for Unix Planning Deployment Installation and Configuration Upgrade Privilege Manager for Unix System Administration Managing Security Policy The Privilege Manager for Unix Security Policy Advanced Privilege Manager for Unix Configuration Administering Log and Keystroke Files InTrust Plug-in for Privilege Manager for Unix Troubleshooting Privilege Manager for Unix Policy File Components Privilege Manager for Unix Variables
Variable names Variable scope Global input variables Global output variables Global event log variables PM settings variables
Privilege Manager for Unix Flow Control Statements Privilege Manager for Unix Built-in Functions and Procedures
Environment functions Hash table functions Input and output functions LDAP functions LDAP API example List functions Miscellaneous functions Password functions Remote access functions String functions User information functions Authentication Services functions
Privilege Manager for Unix programs Installation Packages

Installing a PM Agent on a remote host

To install an agent on a remote host

  1. Log on as the root user.
  2. Change to the directory containing the qpm-agent package for your specific platform. For example, on a 64-bit Red Hat Linux, enter:
    # cd agent/linux-x86_64
  3. Run the platform-specific installer. For example, on Red Hat Linux run:
    # rpm --install qpm-agent-*.rpm

    Once you install the Privilege Manager for Unix agent package, the next task is to join the agent to the policy server.

Joining the PM Agent to the primary policy server

Once you have installed a Privilege Manager for Unix agent on a remote host you are ready to join it to the primary policy server.

To join a PM Agent to the primary policy server

  1. From the command line of the remote host, run:
    # /opt/quest/sbin/pmjoin <primary_policy_server>.example.com

    where <primary_policy_server> is the name of the primary policy server host.

    If you are not running the pmjoin command on a policy server, it requires that you specify the name of a policy server within a policy group.

     

    The pmjoin command supports many command line options. See pmjoin for details or run pmjoin with the -h option to display the help.

    • When you run pmjoin with no options, the configuration script automatically configures the agent with default settings. See Agent configuration settings for details about the default and alternate agent configuration settings.

      You can modify the /etc/opt/quest/qpm4u/pm.settings file later, if you want to change one of the settings. See PM settings variables for details.

    • When you run pmjoin with the -i (interactive) option, the configuration script gathers information from you by asking you a series of questions. During this interview, you are allowed to either accept a default setting or set an alternate setting.

      Once you have completed the configuration script interview, it configures the agent and joins it to the policy server.

    Running pmjoin performs the configuration of the Privilege Manager for Unix agent, including modifying the pm.settings file and starting up the pmserviced daemon.

  2. When you run pmjoin for the first time, it asks you to read and accept the End User License Agreement (EULA).

    Once you complete the agent configuration script (by running the pmjoin command), it:

    • Enables the pmlocald service
    • Updates the pm.settings file
    • Creates wrappers for the installed shells
    • Updates /etc/shells
    • Reloads the pmserviced configuration
    • Checks the connection to the policy server host
  3. To verify that the agent installation has been successful, run
    # pmclientinfo

    This returns displays configuration information about a client host. See pmclientinfo for details.

Verifying PM Agent configuration

To verify the PM Agent configuration

  1. From the command line, run:
    # pmclientinfo

    The pmclientinfo command displays the current configuration settings. For example:

    [0][root@host1 /]# pmclientinfo
       - Joined to a policy group                 : YES
       - Name of policy group                     : polsrv1.example.com
       - Hostname of primary policy server        : polsrv1.example.com
       - Policy type configured on policy group   : pmpolicy
    [0][root@host1 /]#
    

    The secondary server PM Agent will be joined to the secondary server. This is unique because all other PM Agent hosts must join to the primary server.

Load balancing on the client

Load balancing is handled on each client, using information that is returned from the policy server each time a session is established.

If a session cannot be established because the policy server is unavailable (or offline) that policy server is marked as unavailable, and no further pmrun sessions are sent to it until the next retry interval.

pmloadcheck runs transparently on each host to check the availability and loading of the policy server. When a policy server is marked as unavailable, pmloadcheck attempts to connect to it at intervals. If it succeeds, the policy server is marked as available and able to run Privilege Manager for Unix sessions.

To view the current status of the policy server

  • Run the following command:

    # pmloadcheck [-f]

If the policy server cannot be contacted, the last known information for this host is reported.

Verwandte Dokumente

The document was helpful.

Bewertung auswählen

I easily found the information I needed.

Bewertung auswählen