One Identity Management Console for Unix 2.5.2 - Administration Guide


Working with host systems

Management Console for Unix simplifies local host management on Unix, Linux, and Mac systems.

All Hosts View

The All Hosts view on the Hosts tab contains a list of all the Unix host systems currently added to the management console. Use this view to manage access to host systems from a single location. From this view, you can:

  • Add hosts to the management console
  • Profile hosts, check for readiness, install software and join the host
  • Review a host's properties
  • SSH to a host using a terminal
  • Import an SSH host key
  • Unjoin hosts from the policy group or Active Directory
  • Remove hosts from the management console
  • Modify the console view
  • Filter the managed hosts displayed based on a character string or a host's preparation status

All Hosts tab toolbar

Use the toolbar buttons across the top of this view to perform individual tasks against managed host systems.

Note: A disabled command indicates that at least one of the selected hosts is not in a state where the task can be performed, or that you are not logged on with proper credentials.

Table 13: All Hosts tab: Toolbar
Option Description
Add
Add Hosts

Use the Add Hosts command to add one or more Unix hosts to the management console. When you select this command, the management console displays the Add Hosts dialog, which allows you to specify one or more hosts to manage through the management console.

See Adding hosts to the Management Console for details.

Prepare
Profile
  • Select Profile to rerun the profile task. The latest information displays on the Hosts tab.

    See Profiling hosts for details.

  • Select Profile Automatically to keep the profile information for this host up-to-date.

    See Automatically profiling hosts for details.

Install Software

Use the Install Software command to initiate the software installation operation for the selected hosts. The management console displays the Install Software dialog, which provides a list of the software components available for installation on a host.

See Installing Privilege Manager agent or plugin software or Installing Authentication Services software packages for details.

NOTE: You must install the Authentication Services Agent software on each host system to allow Active Directory user access to the host.

Check
  • Select the Check Policy Server Readiness command to determine if a server is ready to configure as a primary or secondary server.

    See Checking policy server readiness for details.

  • Select the Check Client for Policy Readiness command to determine if a host is ready to join a Policy group.

    NOTE: The management console prompts you to choose a policy group and enter host access user credentials. You must have at least one primary policy server added to the management console in System Settings.

    See Checking client for policy readiness for details.

  • Select Check AD readiness to check the host to determine if it is ready to join Active Directory.

    See Checking host for AD readiness for details.

  • Select the Check QAS agent status command to check the status of your Authentication Services Agent.

    NOTE: The "Check Authentication Services" commands are only available for hosts that have the Authentication Services Agent software installed and are joined to Active Directory.

    See Manually checking QAS agent status for details.

  • Select the Check QAS agent status automatically command to configure the management console to automatically check the QAS agent status and report any warnings or failures to the console periodically.

    NOTE: See Automatically checking QAS agent status for details.

NOTE: The results of these checks display on the Readiness Check Results tab of the host's properties.

Join or Configure
  • Choose the Join to Policy Group command to join the selected hosts to a policy group.

    See Joining the host to a policy group for details.

    NOTE: When using a sudo policy type, to join a policy group, the selected hosts must have Sudo 1.8.1 (or higher) and the Sudo Plugin agent software installed.

  • Choose the Join to Active Directory command to initiate the join operation on one or more hosts. The management console displays the Join Host to Active Directory dialog, which prompts you to enter the domain to join and the user credentials to use to access Active Directory.

    See Joining host to Active Directory for details.

Host
Properties

Select a profiled host and click Properties to open a context menu with these options:
  • Details
  • Users
  • Groups
  • Readiness Check Results
  • Software
  • Host Access Control (console must be configured for AD and host must be joined to AD)

When you choose an option, the management console opens a tab for the selected host containing system and status information, the local users and groups imported as part of the profiling process, and the results of the AD Readiness Check.

See Reviewing host properties for details.

NOTE: This command is only available AFTER a host has been successfully profiled.

Unjoin
Rename Host

Use the Rename Host command to rename the selected host.

NOTE: This option is not available for a profiled host.

See Renaming hosts for details.

Import SSH Host Key

Use the Import SSH Host Key command to import an SSH host key file (such as 127.0.0.1.pub) for the selected host. Importing an SSH host key uploads a new SSH key that replaces the one cached on the server.

See Importing SSH host key for details.

Remove Host

Use the Remove Host command to remove the selected host systems from the management console. It prompts you to confirm that you intend to remove the selected hosts. Click Remove or Don’t Remove.

NOTE: Once removed you will no longer be able to access information about the host.

See Removing hosts from Management Console for details.

View

Use the View controls to filter the hosts displayed on the All Hosts tab.

Click the Refresh button to refresh the current view.

NOTE: Refresh does not re-profile the hosts; it simply synchronizes the information displayed on the All Hosts view with the information in the database. Profiling queries a host and imports information about it into the database.

Use the Columns menu options to hide columns from the All Hosts console view. You can choose to see information related to Authentication Services or Privilege Manager or both.

  • Choose Authentication Services to display the Version and Joined to Domain columns.
  • Choose Privilege Manager to view the Installed, Version, and Status columns.

Once you have opened (or closed) a column group, the management console remembers the setting from session to session. However, if you reinstall Management Console for Unix, it reverts to the default of showing all columns.

To filter the hosts by "profiled" state

  1. Open the Host state column drop-down menu.

    (The Host state column is indicated with an icon.)

  2. Navigate to the Filters option.
  3. Choose one or more of the profile status options.

To filter the hosts by "joined" state

  1. Open the drop-down menu of the Joined to Domain or Status column.
  2. Navigate to the Filters option.
  3. Choose one or more of the filter options.

NOTE: The management console does not preserve the filter settings across log-on sessions.

Click the Clear Column Filters button to clear all filters set on any column.

Rows to show

Use the settings on this drop-down menu to select the number of rows you want to display.

Management Console for Unix provides both basic and advanced search options to help you find and select hosts. Use the Basic Search options to find hosts by host name or IP address; use the Advanced Search options to specify which properties to search.

Table 14: Search options
Option Description

Basic Searching: Use the Search for hosts box to filter the managed hosts based on the entries in the Host and IP Address columns. As you enter characters into the Search for hosts box, the management console lists only the hosts that match (contain) the criteria entered. To clear the search, click the 'X'.

Advanced Searching: Click the arrow to display four text boxes to use for advanced host searching. You can identify the text boxes as search criteria for any four of the management console columns:

  • Host
  • IP Address
  • OS
  • Version

Each search field has a drop-down menu that allows you to change the search criteria to search for information in another available column:

  • Joined to Domain
  • QPM Version
  • Status

NOTES:

The advanced search button toggles to expand or collapse based on its current state.

As you type search criteria into the text boxes, the top-level Search box reflects the values you specify for searching.

If you know the search criteria, you can type it directly into the Search box.

You can save your Basic or Advanced search options to use again later. See Saving search criteria for details.

All Hosts tab search options

Management Console for Unix provides both basic and advanced search options to help you find and select hosts. Use the Basic Search options to find hosts by host name or IP address; use the Advanced Search options to specify which properties to search.

Table 15: All Hosts tab: Search options
Option Description

Basic Searching: Use the Search for hosts box to filter the managed hosts based on the entries in the Host and IP Address columns. As you enter characters into the Search for hosts box, the management console lists only the hosts that match (contain) the criteria entered. To clear the search, click the X.

Advanced Searching: Click the down arrow to display four text boxes to use for advanced host searching. You can identify the text boxes as search criteria for any four of the management console columns:

  • Host
  • IP Address
  • OS
  • QAS Version

Each search field has a drop-down menu that allows you to change the search criteria to search for information in another available column:

  • Joined to Domain
  • QPM Version
  • Joined to Policy Group

NOTES:

The advanced search button toggles to expand or collapse based on its current state.

As you type search criteria into the text boxes, the top-level Search box reflects the values you specify for searching.

If you know the search criteria, you can type it directly into the Search box.

You can save your Basic or Advanced search options to use again later. See Saving search criteria for details.
