One Identity Management Console for Unix 2.5.2 - Administration Guide

One Identity Privileged Access Suite for Unix Introducing One Identity Management Console for Unix Installing Management Console for Unix Preparing Unix hosts Working with host systems Managing local groups Managing local users Active Directory integration Authentication Services integration Privilege Manager integration
Getting started Configure a primary policy server Configure a secondary policy server Install PM agent or Sudo plugin on a remote host Security policy management
Opening a policy file Edit panel commands Editing PM policy files Reviewing the Access and Privileges by User report Reviewing the Access and Privileges by Host report
Event logs and keystroke logging
Reporting Setting preferences
User preferences System preferences
Security Troubleshooting tips
Auto profiling issues Active Directory Issues Auditing and compliance Cannot create a service connection point Check Authentication Services agent status commands not available CSV or PDF reports do not open Database port number is already in use Elevation is not working Hosts do not display Import file lists fakepath Information does not display in the console License information in report is not accurate Out of memory error Post install configuration fails on Unix or Mac Privilege Manager feature issues Profile task never completes questusr account was deleted Readiness check failed Recovering from a failed upgrade Reports are slow Reset the supervisor password Running on a Windows 2008 R2 domain controller Service account login fails Setting custom configuration settings Single Sign-on (SSO) issues JVM memory tuning suggestions Start/stop/restart Management Console for Unix service Toolbar buttons are not enabled UID or GID conflicts
System maintenance Command line utilities Web services Database maintenance About us

Console Information settings

Both users and remote hosts use the information on the Console Information settings to find and identify this mangement console on the network.

Note: The Control Center also uses the console information to find and identify this mangement console, as well as perform automatic profile and automatic QAS status tasks.

During the post-installation configuration steps, the console information was set on the Identify Console dialog of the setup wizard. You can modify these settings from System settings | General | Console Information.

Table 81: Console Information settings
Option Description

Console host address

Enter the DNS name or IP address to access this mangement console.

NOTE: This is a critical setting needed by the Profile Automatically and Check QAS Agent Status Automatically features; thus, it is important to use a name that other computers on the network can use to resolve to this host.

Console name

Enter the name of the computer where this mangement console was installed. The mangement console pre-populates this with the computer's DNS name, but you can modify this to identify the computer.

Contact

(Optional) Enter the user name of the contact person responsible for installing/maintaining this mangement console.

Description

(Optional) Enter a brief description to identify this mangement console on the network.

Publishing console to Active Directory

A Service Connection Point (SCP) enables a service to publish service-specific data in Active Directory which can then be used by network clients to locate, connect, and authenticate to an instance of the service. Management Console for Unix can create and register an SCP with Active Directory so that client applications (such as Control Center) can locate and browse to instances of the mangement console running on the network.

To publish an SCP with Active Directory, enable the setting in Console Information settings. When you enable this setting, Management Console for Unix creates an SCP as a child of the Active Directory computer object of the computer where Management Console for Unix server is running. Once created, the SCP contains the keywords and service binding information that allows clients to browse to the initial screen of the mangement console. That is, a client application searches the Global Catalog (GC) for the SCP containing the Management Console for Unix keywords and then uses the service URL to browse to the mangement console. Please keep in mind, that the ServiceConnectionPoint object will appear in the GC based on the replication policy (usually every 5 minutes); therefore, the client application (such as, Control Center) may not find it immediately after the SCP is published to Active Directory.

Note: You can only register an SCP if the mangement console is installed on a computer that is joined to Active Directory.

To publish the mangement console to Active Directory

  1. Log onto the mangement console using the supervisor account or an Active Directory account with rights to change System Settings; that is, an account in the Console Administration role.
  2. From the top-level Settings menu, navigate to System settings | General | Console Information.

    The Management Console for Unix service uses the information displayed on this dialog to create and register the SCP with Active Directory.

  3. Under Publish console to Active Directory, select the Register a Service Connection Point with Active Directory option to publish the mangement console to Active Directory.

Note: If the Register a Service Connection Point with Active Directory option is disabled, see Cannot create a service connection point.

Changing supervisor account password

You can change your supervisor account password in System settings when you are logged in as supervisor.

To change supervisor account password

  1. Log onto the mangement console using the supervisor account.

  2. From the top-level Settings menu, navigate to System settings | General | Change Password.

  3. Enter your current supervisor account password and the new password.

  4. Click OK to save your changes and close System Settings.

Note: If you have forgotten the current supervisor account see Reset the supervisor password for more information on resetting your supervisor password.

Setting custom privilege elevation commands

You can specify up to three custom privilege elevation commands to use when performing tasks on hosts that require elevated privileges.

To set custom privilege elevation commands

  1. From the top-level Settings menu, navigate to System Settings | General | Custom Privilege Elevation.

  2. In the Custom Elevation box, enter the elevation command and any optional parameters required by the command. For example:

    /opt/quest/bin/pmrun

    Note: Enter the full path to the command if the command is not in the system's path.

  3. Optionally, select the Use single quotes for command arguments option if the command requires arguments in quotes.

    For example, the sudo command does not require arguments in quotes, like this:

    # sudo echo bob

    Whereas the su command does require arguments in quotes, like this:

    # su root -c "echo bob"
  4. To specify another user instead of root when performing tasks on hosts that require elevated privileges, replace root with "%s" as in:

    # su %s -c "echo bob"

    Enter "%s" to specify a user name other than root to use elevated credentials. In the Log On To Host dialog, when you select the Use elevated credentials option, you can replace root with another account in the User name field.

  5. Optionally, click Test to validate that the command works.

    On the Test Privileged Elevation Command dialog,

    1. Enter or select a host where the command exists.

    2. Enter user credentials and click Test.

      A message displays to explain whether the test was successful or not.

  6. Click OK to save the changes.

When a test for a command completes successfully, it becomes available on the Log On To Host dialog. (Search for Log On To Host in the online help for details.)

Documents connexes