
Authentication Services 4.2 - Administration Guide

Trigger machine-based Certificate Autoenrollment

Normally, Group Policy triggers Certificate Autoenrollment. If you are not using Group Policy, use the vascert command line utility to trigger Certificate Autoenrollment processing for the machine manually. Certificates are then added to the System.keychain according to the enrollment policy. You can schedule this command to run periodically if desired.

To manually trigger Certificate Autoenrollment

  • As root (or using sudo), run the following command to manually trigger Certificate Autoenrollment:

    /opt/quest/bin/vascert trigger

Certificate Autoenrollment proceeds in the background. When it completes, newly enrolled certificates are installed in the System.keychain automatically. To troubleshoot Certificate Autoenrollment, run the vascert pulse command as root instead; it performs the same processing in the foreground so that you can see its output.

Troubleshooting

To help you troubleshoot Certificate Autoenrollment, One Identity recommends the following resolutions for some common errors, and methods for finding and correcting configuration problems.

Enable full debug logging

You can enable full debug logging for all Certificate Autoenrollment components using the vascert command line utility.

Mac OS X/macOS: If debug logging is configured, the Group Policy extensions, the vascert tool, and launchd write log files to /Library/Preferences/com.quest.X509Enrollment/log for machine enrollment and to ~/Library/Preferences/com.quest.X509Enrollment/log for user enrollment.

UNIX/Linux: If debug logging is configured, the vascert tool writes log files to /var/opt/quest/vascert/.com.quest.X509Enrollment/log for machine enrollment and to ~/.com.quest.X509Enrollment/log for user enrollment.

To enable debug logging

  1. As root, run the following command to configure debug logging for all users:

    /opt/quest/bin/vascert configure debug

  2. To configure debug logging for a specific user, log in as that user and run the same command.

    NOTE: Enabling debug logging causes the vascert command to write debug messages to a file in addition to stdout. Even with debug logging enabled, you must still set the debug level with the -d command line option when you run vascert commands manually.

  3. When you are finished debugging, run the following command as root to turn off debug logging for all users. One Identity recommends that you turn off debug logging to improve performance and conserve disk space.

    /opt/quest/bin/vascert unconfigure debug

  4. To turn off debug logging for a specific user, log in as that user and run the same command.

Pulse Certificate Autoenrollment Processing

Use the vascert command line utility to manually perform Certificate Autoenrollment.

To perform Certificate Autoenrollment processing manually

  1. Decide whether you want to pulse Certificate Autoenrollment for the machine or a specific user.
  2. To pulse Certificate Autoenrollment for the machine, run the following command as root (or using sudo):

    /opt/quest/bin/vascert pulse

    NOTE: Mac OS X/macOS: To pulse certificate enrollment for the machine, you must run the command with root privileges. This is mostly useful for troubleshooting. In some cases (such as when you are logged in by means of SSH), it will not result in successful certificate enrollment, because the System.keychain cannot export the existing private keys required for certificate renewal processing. If you only want to run Certificate Autoenrollment processing for the machine and are not interested in the output, use vascert trigger instead.

  3. To pulse Certificate Autoenrollment for a specific user, log in as that user and run the following command:

    /opt/quest/bin/vascert pulse

    NOTE: Mac OS X/macOS: Log in as the user through the GUI. This ensures that the user's keychain is unlocked so that enrolled certificates can be exported and imported. Logging in by other means, such as SSH, is generally not sufficient and may lead to errors when the certstore-mac.sh script invokes the /usr/bin/security tool.
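The trigger, debug-logging and pulse procedures above, combined into one wrapper script for scheduled machine enrollment and for a one-shot troubleshooting run. This is an added example, not part of the guide or of the Authentication Services product. The script name vascert-diag.sh, the DIAG_DIR capture location, the VASCERT path override and the VASCERT_DEBUG_OPTS variable are assumptions; only the vascert subcommands the guide shows (trigger, pulse, configure debug, unconfigure debug) and the log directories it lists are used, and the -d debug level is left to the caller because the guide does not give its values.

```sh
#!/bin/sh
# vascert-diag.sh (assumed name): wrapper around the vascert CLI for scheduled
# machine enrollment and for a one-shot troubleshooting run. Only the vascert
# subcommands shown in the guide are used: trigger, pulse, configure debug and
# unconfigure debug. Machine enrollment requires root, so run it with sudo.

VASCERT="${VASCERT:-/opt/quest/bin/vascert}"          # path from the guide; overridable for testing
DIAG_DIR="${DIAG_DIR:-${TMPDIR:-/tmp}/vascert-diag}"  # assumed location for captured pulse output
VASCERT_DEBUG_OPTS="${VASCERT_DEBUG_OPTS:-}"           # e.g. the -d level; its values are not given in the guide

# Machine-enrollment debug log directory for this platform (paths from the guide).
machine_log_dir() {
    case "$(uname -s)" in
        Darwin) echo /Library/Preferences/com.quest.X509Enrollment/log ;;
        *)      echo /var/opt/quest/vascert/.com.quest.X509Enrollment/log ;;
    esac
}

# True when the macOS caveat from the guide applies: over SSH, a machine pulse
# may fail because the System.keychain cannot export the private keys renewal needs.
ssh_on_macos() {
    [ "$(uname -s)" = Darwin ] && [ -n "${SSH_CONNECTION:-}" ]
}

# Scheduled path: start background enrollment and return vascert's exit status.
enroll_trigger() {
    "$VASCERT" trigger
}

# Troubleshooting path: enable debug logging for all users, run a foreground
# pulse with its output captured, then disable debug logging again as the guide
# recommends. Prints the capture file on stdout and returns the pulse exit status.
diagnose() {
    umask 077                      # assumed: the capture may contain enrollment details, keep it root-only
    mkdir -p "$DIAG_DIR" || return 1
    out="$DIAG_DIR/pulse-$(date +%Y%m%d-%H%M%S).log"
    if ssh_on_macos; then
        echo "warning: machine pulse over SSH on macOS may not complete renewal; use a local root shell" >&2
    fi
    "$VASCERT" configure debug || return 1
    # Run pulse inside 'if' so a failure cannot abort the script before debug is turned off.
    # VASCERT_DEBUG_OPTS is deliberately unquoted so several options split into words.
    if "$VASCERT" pulse ${VASCERT_DEBUG_OPTS:-} >"$out" 2>&1; then
        status=0
    else
        status=$?
    fi
    "$VASCERT" unconfigure debug
    echo "pulse output: $out; vascert debug logs: $(machine_log_dir)" >&2
    echo "$out"
    return "$status"
}

case "${1:-}" in
    trigger|diag)
        [ "$(id -u)" -eq 0 ] || { echo "$0: run as root (use sudo)" >&2; exit 1; }
        if [ "$1" = trigger ]; then enroll_trigger; else diagnose; fi
        ;;
    *)  echo "usage: $0 trigger | diag" >&2 ;;
esac
```

Run `sudo sh vascert-diag.sh trigger` from cron or a launchd job for periodic machine enrollment, and `sudo sh vascert-diag.sh diag` from a root shell when enrollment is not producing certificates; the capture file it names, together with the debug log directory it prints, is what to read first. On macOS, run the diag step from a local root shell rather than over SSH, for the reason given in the NOTE above.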
