One Identity Management Console for Unix 2.5.2 - Administration Guide

Menu commands

Use the top-level menus in the upper right-hand corner of the management console to specify global controls such as user preferences or system settings, view the online help or product documentation, check for client software updates, display the About box for Management Console for Unix, or log out of the management console.

Table 5: Menu commands
Command Description
User menu

The User menu is represented by the authenticated user's login name. Its menu displays sign in/sign out commands as well as user account options. Choose one of the following options from the User menu:

  • User preferences
  • Sign Out

User preferences are settings that only apply to the user that is currently logged on:

  • General

    Specify whether to always prompt for credentials when using SSH terminal to access hosts; and, set the default domain to use for Active Directory tasks.

  • Host Credentials

    Review and manage saved user credentials for managed hosts.

See User preferences for details.

Settings

The Settings menu is represented by a gear icon. Its menu displays links to System settings and to the Software updates dialog, where you can check for client software updates and access the Support Portal.

Choose one of the following options from the Settings drop-down menu:

  • System settings
  • Software updates

System Settings are global settings that apply to all users using the management console:

  • General

    Specify how to handle duplicate SSH host keys, set the session timeout period, and enable the console to automatically mark system users when profiling hosts.

    • Console Information

      View or modify the console URL, console name, contact and description, and register a Service Connection Point (SCP) with Active Directory to publish the management console.

    • Change Password

      Change the supervisor account password.

    • Custom Privilege Elevation

      Specify up to three custom privilege elevation commands to use when performing tasks on hosts that require elevated privileges.

  • Console Roles and Permissions

    Set permissions for each role and add members to roles.

  • Active Directory

    Configure the console for Active Directory, specify which sites, domains, domain controllers, and global catalogs the management console may access, and define the default domain you want the console to use when authenticating a user account.

  • Privilege Manager

    Specify the policy groups that you want to use for checking policy and keystroke logging.

    NOTE: A "policy group" is a uniquely identified group of one or more policy servers -- one primary server and any number of secondary servers -- that share a common policy.

    • Software and Licenses

      Specify the path to the Privilege Manager software packages and check for updated Privilege Manager product licenses.

  • Authentication Services

    Specify the path to the Authentication Services software packages and check for updated Authentication Services product licenses.

Software updates allows you to check for client software updates and link to a web page to download any available updates. See System settings for details.

Help

Help is represented by the question mark icon. When you click on the icon, it gives you access to context-sensitive help for the active view.

NOTE: Dialogs also provide context-sensitive help. If the dialog has multiple views (tabs), when you click the Help icon in the upper-right corner, the console opens the help topic for the active tab.

When you open the Help drop-down menu, it gives you access to the user guides, as well as the Getting Started view and the About box. Choose one of the following options from the Help menu:

  • Help contents
  • Administration Guide
  • Evaluation Guide
  • Getting Started
  • About

Help contents opens a browser displaying the online help.

Administration Guide allows you to view a PDF version of the Administration Guide.

Evaluation Guide allows you to view a PDF version of the Evaluation Guide.

Getting Started opens the Getting Started tab which describes the new features in Management Console for Unix and tells you how to get started quickly based on how you plan to use the management console and other One Identity products.

About allows you to display the About One Identity Management Console for Unix box, which contains version, copyright and patent information.

Tabs and views

The management console consists of the following tabbed views:

Table 6: Tabs and views
Tab | View Description
Getting Started

The Getting Started tab describes the new features in the management console and provides you with a self-directed introduction to the basics of managing your hosts within the management console. (See Getting Started tab for details.)

NOTE: If the Getting Started view does not open, you can access it from the Help drop-down menu located in the upper-right corner of the console.

Hosts | All Hosts

The All Hosts view on the Hosts tab displays the Unix host systems you can manage from the management console. From this view, you can perform the following tasks:

  • add hosts to the management console
  • profile a host to gather system information
  • verify a host's readiness to join to Active Directory
  • install software on a host
  • join a host to Active Directory
  • view the properties of a managed host
  • filter the content of the All Hosts tab
  • unjoin a host from Active Directory
  • remove hosts from the management console
  • SSH to a host using a terminal
  • import an SSH host key
Hosts | host properties

A new host properties tab is added whenever you open a host's Properties. A host's properties consist of the following tabbed views of information:

  • Details

    Review the host's properties and Active Directory preparation status. (See Details view for details.)

  • Users

    View a list of the users on the selected host. From this view you can add, modify, or delete local Unix users, associate members to a group, assign (map) users to Active Directory users (requires Active Directory log on), and mark users as system users. (See Users view for details.)

  • Groups

    View a list of local groups on the selected host. From this view you can add, modify, or delete local Unix groups on the selected host, and associate members to a group. (See Groups view for details.)

  • Readiness Check Results

    Review the checks performed and the results of each check. (See Readiness Check Results view for details.)

  • Software

    View a list of the One Identity products currently installed on this host. Click Install software to remotely deploy software products to this host.

  • Host Access Control (only available if console is configured for AD and the host is joined to AD)

    View a list of Active Directory users and groups that are currently allowed to access this host. Click Manage Access to modify Authentication Services access settings.

Policy

The Policy tab has the following views:

  • Sudo Policy Editor

    Edit the sudo policy file.

  • PM Policy Editor

    Edit the Privilege Manager Policy file.

  • Event Logs

    Find and view keystroke logs located on the Privilege Manager master server.

NOTE: To edit a policy file, you must log in either as the supervisor or an Active Directory account with rights to edit the policy file; that is, an account in the Manage Sudo Policy or Manage PM Policy role.

To view events and replay keystroke logs, you must log in either as the supervisor or an Active Directory account with rights to audit the policy file; that is, an account in the Audit Sudo Policy or Audit PM Policy role.

All Local Users

The All Local Users tab provides a consolidated view of all the users on all of the hosts you manage from the management console. From this view, you can manage the entire collection of users associated with the managed hosts from a single location, including:

  • mark users as system users
  • assign (map) users to Active Directory users (that is, require Active Directory logon). (See All Local Users tab for details.)
Active Directory

The Active Directory tab provides a means for browsing Active Directory for users, groups and computers. In addition, you can perform the following tasks from this view:

  • View and modify the properties of Active Directory users and groups
  • Enable Unix access for Active Directory users
  • View and modify Unix parameters of Active Directory users and groups

NOTE: This view is only available when you are logged on as an Active Directory user. (See Active Directory configuration for details.)

The default supervisor account is blocked from accessing the Active Directory tab because the supervisor does not have Active Directory credentials.

See Active Directory tab for details.

Reporting | Reports

Reports lists the reports that you can create through the management console.

NOTE: Report availability depends on several factors:

  • User Log-on Credentials: While some reports are available when you are logged in as supervisor, there are some reports that are only available when you are logged on as an Active Directory user. (See Active Directory configuration for details.)
  • Roles and Permissions: Reports are hidden if they are not applicable to the user's console role. For example, you must have an activated policy server to activate the sudo-related reports. (See Console Roles and Permissions system settings for details.)
  • Active Directory Configuration: Some reports are not available if the management console is not configured for Active Directory. (See Active Directory configuration for details.)
Reports | report

A new tab is added when you select a report. From this view, you can perform the following tasks:
  • generate key Host, User, Group and Access & Privileges, or License Usage reports
  • specify the details to include in each report
  • view reports
  • save or print reports
Host Notifications

The Host Notifications tab lists the following types of notifications:

  • Authentication Services Status
  • QAS Status Heartbeat
  • Auto-Profile Status
  • Auto-Profile Heartbeat

See Host Notifications tab for details.

Open views

The Open views menu, located on the far right of the tabs bar, is represented by a "tab" icon. You can click the icon in the right-hand corner of a tab to close that view. To re-open the tab, choose one of the options from the Open views drop-down menu.

  • Sudo
  • Reporting
  • All Local Users
  • Active Directory
  • Host Notifications

NOTE: Access the Getting Started tab from the Help menu.

Task progress pane

The Task Progress pane is located across the bottom of each tab and displays what is happening in the management console. It provides feedback on the progress of the tasks that have been initiated. This pane displays active tasks, completed tasks and any errors encountered during the current console session.

  • Active tasks show a progress bar and provide a description of the steps being performed.
  • Completed tasks are represented by a green check mark.
  • Errors encountered during the task are represented by a symbol.

Note: If an individual readiness check does not pass successfully during the Readiness Check task, the status description states that the task completed with failures or advisories. To view the results of the checks performed, select the host and click the Properties toolbar button or double-click the selected host. Then open the Readiness Check Results tab on the host's properties.

Use the toolbar buttons in the top right-hand corner of the Task Progress pane to filter the tasks displayed and to clear tasks from the pane.

Table 7: Task progress pane
Button Description

Displays all tasks. (Default)

Displays active tasks only.

Displays completed tasks only.

Displays errors only.

Use the Clear button to define when you want tasks removed from the Task Progress pane. This setting is set to Never by default, but you can change it by clicking the arrow control and selecting a different value. Valid entries are:

  • All completed - clear all completed tasks
  • All errors - clear all errors
  • After 5 seconds - clear completed tasks after 5 seconds
  • After 30 seconds - clear completed tasks after 30 seconds
  • After 1 minute - clear completed tasks after 1 minute
  • After 15 minutes - clear completed tasks after 15 minutes
  • Never (default) - don't clear completed tasks for this console session

NOTE: When you change this setting, existing tasks will not be removed from the pane based on the new interval. It will only be used to clear tasks that are initiated after the setting was changed. You can, however, clear individual tasks by selecting the icon to the far right of the task.

Closes (minimizes) the Task Progress pane. If you explicitly close the task pane, it remains minimized until you explicitly re-open it, using the button in the status bar.

Note: The Task Progress pane is automatically minimized on some tabs (such as the All Local Users and Reporting tabs) to free up space to display pertinent information on the screen.

Status bar

The status bar across the bottom of the view indicates if client software updates are available and provides a summary of the uncleared tasks' status for the current management console session:

Table 8: Status bar
Button Description
Connection State

Displays one of the following states indicating the connection status between the client (management console) and the server (URL to which you connected):

  • Not Connected

    Not yet connected; no action required

  • Connected

    Normal operating state; no action required

  • Connection Lost

    Temporarily lost connection, retrying to reconnect; no action required

  • Fatal Error

    Connection has failed; log out of the management console, refresh the web browser and log back on

This button displays in the status bar when client software updates are available. Select this button to open the Software Updates dialog to get a list of client software updates that are available for download from the One Identity website.

If you do not want to automatically check for software updates, clear the Automatically check for updates option on the Software Updates dialog.

NOTE: When you download updated client software, be sure to copy these files (client directory) to the location where the client software is located on the server. You can find this location in System Settings.

Select this button to show or hide the Task Progress pane. (Displayed by default.) If you explicitly close the task pane, it remains minimized until you explicitly re-open it.

Displays the number of tasks still in progress.

Displays the number of tasks that completed successfully.

NOTE: These tasks are removed from the Task Progress pane based on the option you set in the Clear menu. The default is Never. To remove an individual task from the Task Progress pane, click the button. To remove all completed tasks from the Task Progress pane, click the Clear | All completed option. The counter resets to zero when there are no tasks in the task progress pane.

Displays the number of tasks that failed due to an error.

NOTE: These tasks are NOT removed from the Task Progress pane for the current session. Use the corresponding button to remove an individual task or use the Clear | All errors option to remove all the errors from the Task Progress pane and this counter.
