Tchater maintenant avec le support
Tchattez avec un ingénieur du support

One Identity Management Console for Unix 2.5.2 - Administration Guide

One Identity Privileged Access Suite for Unix Introducing One Identity Management Console for Unix Installing Management Console for Unix Preparing Unix hosts Working with host systems Managing local groups Managing local users Active Directory integration Authentication Services integration Privilege Manager integration Reporting Setting preferences Security Troubleshooting tips
Auto profiling issues Active Directory Issues Auditing and compliance Cannot create a service connection point Check Authentication Services agent status commands not available CSV or PDF reports do not open Database port number is already in use Elevation is not working Hosts do not display Import file lists fakepath Information does not display in the console License information in report is not accurate Out of memory error Post install configuration fails on Unix or Mac Privilege Manager feature issues Profile task never completes questusr account was deleted Readiness check failed Recovering from a failed upgrade Reports are slow Reset the supervisor password Running on a Windows 2008 R2 domain controller Service account login fails Setting custom configuration settings Single Sign-on (SSO) issues JVM memory tuning suggestions Start/stop/restart Management Console for Unix service Toolbar buttons are not enabled UID or GID conflicts
System maintenance Command line utilities Web services Database maintenance

Authenticating Active Directory users using Windows Integrated Authentication

Windows Integrated Authentication (WIA) allows a user to securely reuse their desktop credentials to log onto the mangement console when using a browser that supports WIA. Using WIA requires that the console server is installed and running on a Windows machine that is joined to the forest which you have chosen to manage, or is installed and running on a Unix machine that is running Authentication Services and is joined to the forest which you have chosen to manage. The client browser must also be joined to the same forest.

Authenticating Active Directory users using a username and password

When authenticating Active Directory users using a username and password, the credentials are used to obtain a Kerberos Ticket Granting Ticket (TGT) from Active Directory. If the Management Console for Unix server is running on a machine that is joined to a domain in a managed Active Directory forest (either on Windows or using Authentication Services on Unix or Linux), a Kerberos service ticket is also obtained for the host account. This second step is necessary to ensure that the TGT has not been falsified and to map any Domain Local Groups to the server's domain.

If the server has not been joined, or is joined to a different forest than the one being managed, an attacker could subvert the logon security by spoofing fake responses from Active Directory (for example, by hijacking DNS to point to a rogue Active Directory service). This is because the security guarantees of the Kerberos protocol require proof of a shared key between Active Directory and the server, before it can be proven that a given TGT is valid; and this proof requires obtaining a service ticket encrypted in the server's key.

Note: While you can run the Management Console for Unix server on a computer that is not joined to the forest, One Identity recommends that you run the Management Console for Unix server on a machine joined to the Active Directory forest you are managing to ensure that Active Directory users can be securely authenticated

Installing a production certificate

SSL/TLS encryption of HTTP traffic between the server and web browser, and integrity checking of data received from the Management Console for Unix server is required to ensure that:

  • The web browser application is using code and data coming from a trusted source
  • Information about the Unix hosts managed by Management Console for Unix is not exposed in clear text on a network
  • Authentication information, such as Active Directory passwords and Unix logon and root passwords, are kept secure

For this reason, Management Console for Unix is configured to require all connections to the browser be secured with the SSL/TLS protocol. See Disabling SSL/TLS encryption.

When installed, Management Console for Unix will initially be configured with a newly generated self-signed certificate. Because the authenticity of this certificate cannot be verified, your browser will usually display a warning message whenever you launch the mangement console. To rectify this situation, you can install a custom key pair for SSL/TLS.

Generating a custom SSL/TLS certificate and key pair for Management Console for Unix

You can obtain a trusted certificate from a third-party Certificate Authority. Each authority has its own instructions, but all require you to generate a Certificate Signing Request (CSR). See Exporting Data using the -certreq command for details about generating a CSR using the PKCS#10 format.

Optionally you can use a tool (such as, keytool or OpenSSL) to manually generate the public/private key pair and the certificate you need. You can also obtain a certificate and key pair from your Enterprise Certificate Authority.

Note: See Generating Keys and Certificates with OpenSSL for details about using OpenSSL to generate a certificate.

To install a custom SSL/TLS certificate and key pair using keytool

Note: See keytool - Key and Certificate Management Tool for more information about using keytool.

  1. Generate a private key in the keystore file using the keytool command:

    keytool -genkeypair -storetype JKS -alias <aliasName> -keyalg RSA 
    -keysize 2048 -validity <numberOfDaysForCertificateToBeValid>
    -keystore <keystoreName>

    NOTE: See step 3 below for the final keystoreName value.

    1. Enter the keystore password and provide the other specifications it asks for (or click enter to accept the default). When it asks, "what is your first and last name?" enter the Management Console for Unix server's resolvable host name, such as

      computer.test.com

      Note: Optionally, you can include this option in the above keytool command:

      -dname "CN=<hostName>"

      where < hostName> is the Management Console for Unix server's resolvable host name.

      If the host name does not match the Management Console for Unix server's resolvable host name, your browser might indicate a security problem with the certificate that states the presented certificate was issued for a different web site's address.

    2. Verify the newly created keystore file:

      keytool -list -v -keystore <keystoreName>

      Enter the keystore password when prompted.

    3. Export the certificate from the keystore:

      keytool -export -alias <aliasName> -keystore <keystoreName> -rfc -file
      <certificateName>.cer

      Enter the keystore password when prompted.

  2. Stop the Management Console for Unix service.

    See Start/stop/restart Management Console for Unix service for details.

  3. Jetty and the Management Console for Unix expect the keystore file to be in a standard location:

    • On Windows platforms: %SystemDrive%:\ProgramData\Quest Software\Management Console for Unix\jetty-base\etc\keystore
    • One Unix/Linux platforms: /var/opt/quest/mcu/jetty-base/etc/keystore

    If the keystore file from Step 1 is not already in this location, copy or move it to this location and ensure it has read permissions that will allow the Management Console for Unix service to read it.

  4. Open the custom.cfg file for editing.

    See Setting custom configuration settings for general information about customizing configuration settings for the mangement console.

  5. Modify the following Jetty Settings:

    -Djetty.sslContext.keyStorePassword=<password>
    -Djetty.sslContext.keyManagerPassword=<password>
    -Djetty.sslContext.trustStorePassword=<password>

    where <password> is your plain text password or, if obfuscated (as explained below), is something similar to:

    OBF:1tvp1saj1y7z1sar1tvd

    Note: Optionally you can obfuscate your SSL keystore password so it is not stored in plain text by running the following command from your installation directory:

    • On Windows platforms:

      %SystemDrive%:\Program Files\Quest Software\Management Console for Unix\gen_secure_password.exe [<username>] <password>

    • On Unix and Linux platforms:

      /opt/quest/mcu/gen_secure_password [<username>] <password>

    The output of gen_secure_password.exe lists

    • your password in plain text
    • an "MD5:" checksum
    • an encrypted version of the password using UnixCrypt (if a user name was supplied.)
    • the obfuscated password pre-pended with "OBF:"

    Jetty only supports obfuscation (OBF) of SSL keystore passwords; the others can be ignored.

  6. Save the custom.cfg file.

  7. Start the Management Console for Unix service.

For more information, see the Jetty documentation at: Configuring SSL/TLS.

Documents connexes