One Identity Management Console for Unix 2.5.2 - Administration Guide

One Identity Privileged Access Suite for Unix Introducing One Identity Management Console for Unix Installing Management Console for Unix Preparing Unix hosts Working with host systems Managing local groups Managing local users Active Directory integration Authentication Services integration Privilege Manager integration
Getting started Configure a primary policy server Configure a secondary policy server Install PM agent or Sudo plugin on a remote host Security policy management
Opening a policy file Edit panel commands Editing PM policy files Reviewing the Access and Privileges by User report Reviewing the Access and Privileges by Host report
Event logs and keystroke logging
Reporting Setting preferences
User preferences System preferences
Security Troubleshooting tips
Auto profiling issues Active Directory Issues Auditing and compliance Cannot create a service connection point Check Authentication Services agent status commands not available CSV or PDF reports do not open Database port number is already in use Elevation is not working Hosts do not display Import file lists fakepath Information does not display in the console License information in report is not accurate Out of memory error Post install configuration fails on Unix or Mac Privilege Manager feature issues Profile task never completes questusr account was deleted Readiness check failed Recovering from a failed upgrade Reports are slow Reset the supervisor password Running on a Windows 2008 R2 domain controller Service account login fails Setting custom configuration settings Single Sign-on (SSO) issues JVM memory tuning suggestions Start/stop/restart Management Console for Unix service Toolbar buttons are not enabled UID or GID conflicts
System maintenance Command line utilities Web services Database maintenance About us

Installing a production certificate

SSL/TLS encryption of HTTP traffic between the server and web browser, and integrity checking of data received from the Management Console for Unix server is required to ensure that:

  • The web browser application is using code and data coming from a trusted source
  • Information about the Unix hosts managed by Management Console for Unix is not exposed in clear text on a network
  • Authentication information, such as Active Directory passwords and Unix logon and root passwords, are kept secure

For this reason, Management Console for Unix is configured to require all connections to the browser be secured with the SSL/TLS protocol. See Disabling SSL/TLS encryption.

When installed, Management Console for Unix will initially be configured with a newly generated self-signed certificate. Because the authenticity of this certificate cannot be verified, your browser will usually display a warning message whenever you launch the mangement console. To rectify this situation, you can install a custom key pair for SSL/TLS.

Generating a custom SSL/TLS certificate and key pair for Management Console for Unix

You can obtain a trusted certificate from a third-party Certificate Authority. Each authority has its own instructions, but all require you to generate a Certificate Signing Request (CSR). See Exporting Data using the -certreq command for details about generating a CSR using the PKCS#10 format.

Optionally you can use a tool (such as, keytool or OpenSSL) to manually generate the public/private key pair and the certificate you need. You can also obtain a certificate and key pair from your Enterprise Certificate Authority.

Note: See Generating Keys and Certificates with OpenSSL for details about using OpenSSL to generate a certificate.

To install a custom SSL/TLS certificate and key pair using keytool

Note: See keytool - Key and Certificate Management Tool for more information about using keytool.

  1. Generate a private key in the keystore file using the keytool command:

    keytool -genkeypair -storetype JKS -alias <aliasName> -keyalg RSA 
    -keysize 2048 -validity <numberOfDaysForCertificateToBeValid>
    -keystore <keystoreName>

    NOTE: See step 3 below for the final keystoreName value.

    1. Enter the keystore password and provide the other specifications it asks for (or click enter to accept the default). When it asks, "what is your first and last name?" enter the Management Console for Unix server's resolvable host name, such as

      computer.test.com

      Note: Optionally, you can include this option in the above keytool command:

      -dname "CN=<hostName>"

      where < hostName> is the Management Console for Unix server's resolvable host name.

      If the host name does not match the Management Console for Unix server's resolvable host name, your browser might indicate a security problem with the certificate that states the presented certificate was issued for a different web site's address.

    2. Verify the newly created keystore file:

      keytool -list -v -keystore <keystoreName>

      Enter the keystore password when prompted.

    3. Export the certificate from the keystore:

      keytool -export -alias <aliasName> -keystore <keystoreName> -rfc -file
      <certificateName>.cer

      Enter the keystore password when prompted.

  2. Stop the Management Console for Unix service.

    See Start/stop/restart Management Console for Unix service for details.

  3. Jetty and the Management Console for Unix expect the keystore file to be in a standard location:

    • On Windows platforms: %SystemDrive%:\ProgramData\Quest Software\Management Console for Unix\jetty-base\etc\keystore
    • One Unix/Linux platforms: /var/opt/quest/mcu/jetty-base/etc/keystore

    If the keystore file from Step 1 is not already in this location, copy or move it to this location and ensure it has read permissions that will allow the Management Console for Unix service to read it.

  4. Open the custom.cfg file for editing.

    See Setting custom configuration settings for general information about customizing configuration settings for the mangement console.

  5. Modify the following Jetty Settings:

    -Djetty.sslContext.keyStorePassword=<password>
    -Djetty.sslContext.keyManagerPassword=<password>
    -Djetty.sslContext.trustStorePassword=<password>

    where <password> is your plain text password or, if obfuscated (as explained below), is something similar to:

    OBF:1tvp1saj1y7z1sar1tvd

    Note: Optionally you can obfuscate your SSL keystore password so it is not stored in plain text by running the following command from your installation directory:

    • On Windows platforms:

      %SystemDrive%:\Program Files\Quest Software\Management Console for Unix\gen_secure_password.exe [<username>] <password>

    • On Unix and Linux platforms:

      /opt/quest/mcu/gen_secure_password [<username>] <password>

    The output of gen_secure_password.exe lists

    • your password in plain text
    • an "MD5:" checksum
    • an encrypted version of the password using UnixCrypt (if a user name was supplied.)
    • the obfuscated password pre-pended with "OBF:"

    Jetty only supports obfuscation (OBF) of SSL keystore passwords; the others can be ignored.

  6. Save the custom.cfg file.

  7. Start the Management Console for Unix service.

For more information, see the Jetty documentation at: Configuring SSL/TLS.

Importing certificate to trusted domains on Windows

To import certificates to trusted domains on Windows platforms

  1. Copy the certificate to the Windows computer on which the mangement console is running.
  2. Double-click the certificate to open the certificate details.
  3. On the General tab, click the Install Certificate and click Next.

    The certificate import wizard starts.

  4. Select Place all certificates in the following store and click Browse.
  5. Select Trusted Root Certification Authorities and click OK.
  6. Click Next.
  7. Click Finish.
  8. Click OK when a message says the import was successful.

Note: You can also import certificates into a trusted domain by means of your browser.

Importing certificate to trusted domains on Unix or Linux

To import certificates to trusted domains on Unix or Linux platforms

  1. As root, run the following commands:
    cp server.crt /etc/ssl/certs
    cp server.key /etc/ssl/private
Documents connexes