
One Identity Management Console for Unix 2.5.2 - Administration Guide


Security of credential caching

When persistent caching is enabled, the management console encrypts host credentials as follows:

  1. It generates a salt, or retrieves the existing one from the Java KeyStore (a storage facility for cryptographic keys and certificates) if a salt was stored there previously.
  2. It uses the salt and the authenticated user's password to derive a unique 128-bit encryption key for that user. The key derivation algorithm is PBKDF2 using HMAC with SHA1. The salt ensures that identical passwords yield different keys, which defeats precomputed (rainbow table) attacks, and the iteration count multiplies the work an attacker must do for every password guess, which is what makes brute force attacks on the password expensive.
  3. It uses the derived key to encrypt the credentials (user name, password, and any elevation credentials) with AES in CBC mode. It then computes a Message Authentication Code (MAC) using HMAC with SHA-256 over the saved data, so that any modification of the cached credentials can be detected when they are read back.

Database Security

The Management Console for Unix server communicates with its database on port 9001 over the loopback interface. The database password is randomly generated at install time. One Identity recommends that you configure a local firewall to block remote access to this port. To change the port on which the database runs, see Database port number is already in use.

Summary of Security Recommendations

One Identity recommends that you implement the following to secure the data used by Management Console for Unix:

  • When authenticating Active Directory users for access to Management Console for Unix make sure that the server is installed on a machine that is joined to the Active Directory forest you wish to manage.
  • Install an SSL/TLS key pair and a certificate signed by a Certification Authority that all users' browsers trust.
  • Directly import SSH host keys using a known_hosts file, or the Import SSH Host Key toolbar command; or manually verify the fingerprints by disabling the Automatically accept SSH keys option when profiling.
  • Configure a local firewall to restrict remote access to the database port (Default port is 9001).
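The third recommendation asks you to import host keys from a known_hosts file or to verify fingerprints by hand. As an added example, not part of the guide or the product, here is a Go program (standard library only) that parses known_hosts text, matches an entry to a host name, including OpenSSH's hashed `|1|` entries, and prints each key's SHA256 fingerprint in the ssh-keygen format so it can be compared with the fingerprint obtained from the host out of band. The known_hosts content in the block is constructed and its key blobs are not real keys; plain host names are matched exactly, and wildcard and [host]:port patterns are not handled.

```go
package main

import (
	"bufio"
	"crypto/hmac"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// HostKey is one known_hosts entry; Hosts is comma-separated names or an OpenSSH hashed pattern |1|base64(salt)|base64(hash).
type HostKey struct {
	Marker string // "@cert-authority" or "@revoked" when present, else ""
	Hosts  string
	Type   string
	Blob   []byte // raw public key blob, which is what fingerprints are computed over
}

// ParseKnownHosts returns the decodable entries plus one message per skipped line, so a corrupt line cannot vanish silently.
func ParseKnownHosts(text string) (keys []HostKey, problems []string) {
	sc := bufio.NewScanner(strings.NewReader(text))
	for n := 1; sc.Scan(); n++ {
		f := strings.Fields(sc.Text())
		if len(f) == 0 || strings.HasPrefix(f[0], "#") {
			continue
		}
		var k HostKey
		if strings.HasPrefix(f[0], "@") {
			k.Marker, f = f[0], f[1:]
		}
		if len(f) < 3 {
			problems = append(problems, fmt.Sprintf("line %d: expected host, key type and key", n))
			continue
		}
		blob, err := base64.StdEncoding.DecodeString(f[2])
		if err != nil {
			problems = append(problems, fmt.Sprintf("line %d: key is not valid base64: %v", n, err))
			continue
		}
		k.Hosts, k.Type, k.Blob = f[0], f[1], blob
		keys = append(keys, k)
	}
	return keys, problems
}

// Matches reports whether the entry applies to host. Hashed entries are checked as OpenSSH does,
// HMAC-SHA1 keyed with the decoded salt over the host name; plain entries by exact name only.
func (k HostKey) Matches(host string) bool {
	if strings.HasPrefix(k.Hosts, "|1|") {
		p := strings.Split(k.Hosts, "|") // "", "1", salt, hash
		if len(p) != 4 {
			return false
		}
		salt, err1 := base64.StdEncoding.DecodeString(p[2])
		want, err2 := base64.StdEncoding.DecodeString(p[3])
		if err1 != nil || err2 != nil {
			return false
		}
		m := hmac.New(sha1.New, salt)
		m.Write([]byte(host))
		return hmac.Equal(m.Sum(nil), want)
	}
	for _, h := range strings.Split(k.Hosts, ",") {
		if h == host {
			return true
		}
	}
	return false
}

// FingerprintSHA256 renders the key as ssh-keygen -l does: "SHA256:" plus unpadded base64 of SHA-256 over the raw blob.
func (k HostKey) FingerprintSHA256() string {
	sum := sha256.Sum256(k.Blob)
	return "SHA256:" + base64.RawStdEncoding.EncodeToString(sum[:])
}

// sampleKnownHosts is constructed for this example; the key material is not real.
const sampleKnownHosts = `# keys gathered out of band from the Unix hosts to be profiled
unix01.example.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleOnlyNotARealKeyExampleOnlyNotAReal12
unix02.example.com,10.0.0.12 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQUV4YW1wbGVPbmx5
unix03.example.com ssh-rsa not*base64
`

func main() {
	keys, problems := ParseKnownHosts(sampleKnownHosts)
	for _, k := range keys {
		fmt.Printf("%-30s %-12s %s\n", k.Hosts, k.Type, k.FingerprintSHA256())
	}
	for _, p := range problems {
		fmt.Println("skipped:", p)
	}
}
```

The program reports every line it could not decode instead of dropping it, because a known_hosts file with a silently skipped entry is exactly the case in which an operator would later be tempted to click through an "accept" prompt. Entries carrying an @revoked marker are returned with the marker set so the caller can refuse them rather than treat them as trusted.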

Troubleshooting tips

To help you troubleshoot, One Identity recommends the following resolutions to some of the common problems you might encounter as you deploy and use Management Console for Unix.

Note: Simply re-profiling a host can resolve issues caused when the host is out of sync with the server.
