Agent configuration settings
The following table lists the pmjoin command options, the default settings, and alternatives. See PM settings variables for more information about the policy server configuration settings.
Table 5: Agent configuration settings
| Enable agent daemon command line options: |
none |
Enter:
- -e <logfile> to use the error log file identified by <logfile>.
- -m to only accept connections from the policy server daemon on the specified host. (Use multiple -m options to specify more than one host.)
- -s to send error messages to syslog. none to assign no options.
- These command-line options override the syslog and pmlocaldlog options configured in the pm.settings file.
|
| Enable client daemon? |
YES |
Enter No |
| Configure host components to communicate with remote hosts through firewall? |
NO |
Enter Yes |
| Enable Privilege Manager for Unix shells (pmksh, pmsh, pmcsh, pmbash)? |
YES
That is, you want to use a Privilege Manager for Unix shell to control or log Privilege Manager for Unix sessions, regardless of how the user logs in (telnet, ssh, rsh, rexec). |
Enter No if you do NOT want to add the Privilege Manager for Unix shells to the system. That is, you do not want to use the Privilege Manager for Unix shells as a login shell. |
| Add the entries to the /etc/services file? |
YES |
Enter No
You must add service entries to either the /etc/services file or the NIS services map. |
| Edit list of policy servers with which this agent can communicate? |
none |
Enter valid policy server names to add to the list. |
| Indicate if the list is correct |
YES |
Enter No |
| Policy Server daemon port # |
12345 |
Enter a port number |
| Specify the agent daemon port number: |
12346 |
Enter a port number for the agent to communicate with the policy server. |
| Specify a range of local port numbers for this host to connect to other defined Privilege Manager for Unix hosts across a firewall? |
NO |
Enter Yes, then enter:
- Minimum reserved port (600-1024). (Default is 600.)
- Maximum reserved port (600-1024). (Default is 1024.)
|
| Allow short host names? |
YES |
Enter No to use fully qualified host names instead. |
| Configure Kerberos on your network? |
NO |
Enter Yes, then enter:
- Policy server principal name. (Default is host.)
- Local principal name. (Default is host.)
- Directory for replay cache. (Default is /var/tmp.
- Path for the Kerberos configuration files. (Default is /etc/opt/quest/vas/vas.conf.)
- Full pathname of the Kerberos keytab file. (Default is /etc/opt/quest/vas/host.keytab.
|
| Specify encryption level:
See Encryption for details. |
AES |
Enter one of these encryption options:
|
| Enable certificates? |
NO |
Enter Yes, then answer:
Generate a certificate on this host? (Default is NO.)
Enter Yes and specify a passphrase for the certificate.
Once configuration of this agent is complete, swap and install keys for each host in your system that need to communicate with this host.
See Swap and install keys for details. |
| Activate the failover timeout? |
YES |
Enter No, then assign the failover timeout in seconds.
Default: 10 seconds |
| Assign the failover timeout |
10 |
Enter a timeout value in seconds |
| Select random policy server |
YES |
Enter No |
| Send errors reported by agent to syslog? |
YES |
|
| Store errors reported by the agent daemon in /var/log/pmlocald.log? |
YES |
Enter No, then enter a location. |
| Enter No, then enter a location. |
Swap and install keys
If certificates are enabled in the /etc/opt/quest/qpm4u/pm.settings file of the primary server, then you must exchange keys (swap certificates) prior to joining a client or secondary server to the primary server. Optionally, you can run the configuration or join with the -i option to interactively join and exchange keys.
One Identity recommends that you enable certificates for higher security.
The examples below use the keyfile paths that are created when using interactive configuration or join if certificates are enabled.
To swap certificate keys
- Copy Host2's key to Host1. For example:
# scp /etc/opt/quest/qpm4u/.qpm4u/.keyfiles/key_localhost \
root@Host1:/etc/opt/quest/qpm4u/.qpm4u/.keyfiles/key_server2
- Copy Host1's certificate to Host2. For example:
# scp root@host1:/etc/opt/quest/qpm4u/.qpm4u/.keyfiles/key_localhost \
/etc/opt/quest/qpm4u/.qpm4u/.keyfiles/key_host1
- Install Host1's certificate on Host2. For example:
# /opt/quest/sbin/pmkey -i /etc/opt/quest/qpm4u/.qpm4u/.keyfiles/key_host1
-
Log on to Host1 and install Host2's certificate. For example:
# /opt/quest/sbin/pmkey -i /etc/opt/quest/qpm4u/.qpm4u/.keyfiles/key_host2
If you use the interactive configure or join, the script will exchange and install keyfiles automatically.
See Configuring certificates for more information.
Configure a secondary policy server
The primary policy server is always the first server configured in the policy server group; secondary servers are subsequent policy servers set up in the policy server group to help with load balancing. The "master" copy of the policy is kept on the primary policy server.
All policy servers (primary and secondary) maintain a production copy of the security policy stored locally. The initial production copy is initialized by means of a checkout from the repository when you configure the policy server. Following this, the policy servers automatically retrieve updates as required.
By adding one or more secondary policy servers, the work of validating policy is balanced across all of the policy servers in the group, and provides failover in the event a policy server becomes unavailable. Use pmsrvconfig with the –s option to configure the policy server as a secondary server.
Installing secondary servers
To install the secondary server
- From the command line of the host designated as your secondary policy server, log on as the root user.
- Change to the directory containing the qpm-server package for your specific platform.
For example, on a 64-bit Red Hat Linux, run:
# cd server/linux-x86_64
- Run the platform-specific installer. For example, run:
# rpm –-install qpm-server-*.rpm
The Solaris server has a filename that starts with QSFTpmsrv.
When you install the qpm-server package, it installs all three Privilege Manager for Unix components on that host:
- Privilege Manager for Unix Policy Server
- PM Agent (which is used by Privilege Manager for Unix)
- Sudo Plugin (which is used by Safeguard for Sudo)
You can only join a PM Agent host to a Privilege Manager for Unix policy server or a Sudo Plugin host to a sudo policy server. See Security policy types for more information about policy types.
