One Identity Management Console for Unix 2.5.2 - Administration Guide

One Identity Privileged Access Suite for Unix Introducing One Identity Management Console for Unix Installing Management Console for Unix Preparing Unix hosts Working with host systems Managing local groups Managing local users Active Directory integration Authentication Services integration Privilege Manager integration
Getting started Configure a primary policy server Configure a secondary policy server Install PM agent or Sudo plugin on a remote host Security policy management
Opening a policy file Edit panel commands Editing PM policy files Reviewing the Access and Privileges by User report Reviewing the Access and Privileges by Host report
Event logs and keystroke logging
Reporting Setting preferences
User preferences System preferences
Security Troubleshooting tips
Auto profiling issues Active Directory Issues Auditing and compliance Cannot create a service connection point Check Authentication Services agent status commands not available CSV or PDF reports do not open Database port number is already in use Elevation is not working Hosts do not display Import file lists fakepath Information does not display in the console License information in report is not accurate Out of memory error Post install configuration fails on Unix or Mac Privilege Manager feature issues Profile task never completes questusr account was deleted Readiness check failed Recovering from a failed upgrade Reports are slow Reset the supervisor password Running on a Windows 2008 R2 domain controller Service account login fails Setting custom configuration settings Single Sign-on (SSO) issues JVM memory tuning suggestions Start/stop/restart Management Console for Unix service Toolbar buttons are not enabled UID or GID conflicts
System maintenance Command line utilities Web services Database maintenance About us

Detecting multiple hosts with the same key

By default, Management Console for Unix prevents you from adding hosts with the same SSH host key to the mangement console. This is to ensure uniqueness of hosts since a host can have more than one resolvable DNS name and multiple IP addresses. There should only be one SSH host key returned for whichever DNS name or IP address you use to access the host. However, if you want to enable the mangement console to add hosts that share the same SSH key, enable the Duplicate SSH Host Keys setting in System Settings. See Duplicate SSH Host Keys for details.

Note: When you enable the Duplicate SSH Host Keys option, it is possible to add the same host more than once, each with a unique name. In this case the reported data will be duplicated for that host.

Caching Unix host credentials

Management Console for Unix caches both standard and elevated credentials:

  • Session caching: User names and passwords are cached for the duration of the browser session (that is, until the session expires upon log out or you close your browser page). The mangement console uses the cached credentials any time during the current session. That is, if persistent credentials are not already cached, the user name and password fields will be blank the first time it needs credentials to complete a task on the host during a browser session. Once entered, it caches these fields and reuses them during the current session; therefore, these fields are pre-populated for subsequent tasks with the previously entered credentials.
  • Persistent caching: When you select the option to save your credentials on the server, the mangement console encrypts the user name and password and stores the encryption key on the Management Console for Unix server. When persistent credentials are available, the mangement console uses them any time you access the service. That is, saved user names and passwords persist across browser sessions, and when needed, it pre-populates these fields the first and subsequent times it needs them to complete a task on a host.

You can remove the persistent credentials from the cache. See Removing saved host credentials. Once removed, the mangement console uses the session-cached credentials.

Note: The option to create persistent credentials is available through several actions such as Profile Host where you can select the Save my credentials on the server option. If you are profiling multiple hosts and select the Enter different credentials for each selected host option, you can select the Save option for individual hosts or click the Save all credentials button to save credentials for all hosts.

See Modifying saved host credentials for more information about managing Unix host credentials.

Security of credential caching

When using persistent caching, the mangement console encrypts host credentials, as follows:

  1. It generates a salt or retrieves it from the Java KeyStore, a storage facility for cryptographic keys and certificates, if it has previously been stored in the keystore.
  2. It uses the salt to generate a unique 128-bit encryption key for the authenticated user. The key generation algorithm is the PBKDF2 algorithm using HMAC with SHA1. This algorithm is designed to prevent brute force attacks on the password by ensuring that the same passwords will result in different keys and by increasing the work factor by iterating many times over the key generation function.
  3. It uses the generated key to encrypt the credentials (including user name, password, and any elevation credentials) using the AES algorithm in CBC mode. It then uses Message Authentication Code (MAC) using the HMAC with SHA-256 algorithm to verify the integrity of the saved data.

Database Security

The Management Console for Unix server communicates with a database on port 9001 over the loopback interface. The password used is randomly generated at install time. One Identity recommends that you configure a local firewall to exclude remote access to this port. For information on how to change the default port on which the database runs, see Database port number is already in use.

Documents connexes