One Identity Management Console for Unix 2.5.2 - Administration Guide


Summary of Security Recommendations

One Identity recommends that you implement the following to secure the data used by Management Console for Unix:

  • When authenticating Active Directory users for access to Management Console for Unix, make sure that the server is installed on a machine that is joined to the Active Directory forest you wish to manage.
  • Install an SSL/TLS key pair and certificate that is signed by a Certification Authority that will be trusted by all users' browsers.
  • Directly import SSH host keys using a known_hosts file, or the Import SSH Host Key toolbar command; or manually verify the fingerprints by disabling the Automatically accept SSH keys option when profiling.
  • Configure a local firewall to restrict remote access to the database port (the default port is 9001).
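
For the SSH host key recommendation above, an added example (not part of the One Identity guide or product) that computes the SHA256 fingerprint, in the form OpenSSH displays, of each entry in a known_hosts file and lists the hosts that do not match fingerprints obtained out of band before the file is imported. The host names, the sample keys and the `trusted` mapping are constructed assumptions.

```python
import base64
import hashlib
import struct


def fingerprint(key_b64):
    """Return (algorithm, OpenSSH-style SHA256 fingerprint) for a base64 key blob."""
    blob = base64.b64decode(key_b64, validate=True)
    (name_len,) = struct.unpack(">I", blob[:4])  # blob starts with a length-prefixed name
    algo = blob[4:4 + name_len].decode("ascii")
    digest = hashlib.sha256(blob).digest()
    return algo, "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts(text):
    """Yield (host_names, key_type, fingerprint) for each plain host-key line."""
    for raw in text.splitlines():
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].startswith("@") or len(fields) < 3:
            continue  # @cert-authority/@revoked markers and short lines: review by hand
        hosts, key_type, key_b64 = fields[:3]
        algo, fp = fingerprint(key_b64)
        if algo != key_type:
            raise ValueError(f"{hosts}: line says {key_type}, key blob says {algo}")
        yield hosts.split(","), key_type, fp


def unverified_hosts(text, trusted):
    """Host names whose fingerprint is absent from, or differs from, `trusted`.

    Hashed entries (|1|salt|hash) cannot be matched by name and are reported too.
    """
    return [h for hosts, _t, fp in parse_known_hosts(text)
            for h in hosts if trusted.get(h) != fp]


def sample_key(fill):
    # Constructed ed25519-shaped blob (32 identical bytes); not a real host key.
    name = b"ssh-ed25519"
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", 32) + bytes([fill]) * 32
    return base64.b64encode(blob).decode()


SAMPLE = (f"# constructed sample known_hosts\n"
          f"unix01.example.com,192.0.2.10 ssh-ed25519 {sample_key(1)}\n"
          f"unix02.example.com ssh-ed25519 {sample_key(2)}\n")

if __name__ == "__main__":
    for hosts, key_type, fp in parse_known_hosts(SAMPLE):
        print(",".join(hosts), key_type, fp)
```

Import the file only when `unverified_hosts` returns an empty list for a `trusted` mapping collected from each host's console or another channel that does not depend on the network path being verified.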

Troubleshooting tips

To help you troubleshoot, One Identity recommends the following resolutions to some of the common problems you might encounter as you deploy and use Management Console for Unix.

Note: Simply re-profiling a host can resolve issues caused when the host is out of sync with the server.

Auto profiling issues

The following topics may help you resolve some problems related to Auto Profiling.

Auto profiling takes a long time

If auto-profiling multiple hosts does not complete within a reasonable amount of time and the host is configured for multiple consoles, make sure each console address is valid and available.

To validate the console addresses

  1. On the unresponsive host, open the <Service Account Home Dir>/.quest_autoprofile/notify.rc configuration file.

  2. Remove the entry for the unresponsive server.

Note: If the host continues to be unresponsive, here are some other things you can try:

  • Verify the network connection.
  • Verify the console address is correct in Settings | System Settings | General | Console information.

    If this has changed, re-configure the host for auto-profile.

  • Check the firewall settings. Make sure the non-SSL port is not blocked for incoming traffic on the host that has the Management Console for Unix software installation.

    The default is 9080.

    Note: If you have customized your HTTP or SSL/TLS ports, see Customizing HTTP and SSL/TLS ports for more information.

There could be any number of things that would prevent the host from communicating with the console.
