One Identity Management Console for Unix 2.5.2 - Administration Guide


Resizing columns

To resize columns

  1. Place your cursor on the boundary between column headings.

    Your cursor changes to a double-arrow.

  2. Click and hold the left mouse button, dragging the column boundary to the desired size.

Getting Started Tab

The first time you start Management Console for Unix, it opens the Getting Started tab, which describes the new features in the management console and provides you with a self-directed introduction to the basics of managing your hosts within the management console.

Note: If the Getting Started tab does not open, you can access it from the Help drop-down menu located in the upper-right corner of the console.

It's simple. Just follow the tasks on the left, in order. As you complete each task, your progress is tracked. The right panel explains the procedures that you would do on the management console. Click Next to go to the next step within a task. Click the help icon in the upper right-hand corner of the management console to access context-sensitive help. For more information, open the help drop-down menu to access the user documentation.

Note: It's important to understand that this is not just a "test drive". You will be adding and configuring a remote host in your environment and adding real data to the database. The only way to restart the Getting Started session to repeat the procedures is to stop the service, delete the database, and restart Management Console for Unix.

There are three main tasks: General, Authentication Services, and Privilege Manager.

The General task introduces you to the new features of the management console since the last release, shows you an overview of the basic console functions, and then directs you to perform these tasks:

  1. Add a Host.
  2. Profile a Host.
  3. Configure Active Directory for Authentication Services; that is, prepare Active Directory to store the configuration settings that it uses.

The Authentication Services task introduces you to Authentication Services, and then directs you to perform these tasks:

  1. Verify the path to the Authentication Services software on your server.
  2. Install the Authentication Services software on the host you set up in the General task.

The Privilege Manager task introduces you to Privilege Manager for Unix, and then directs you to perform these tasks:

  1. Verify the path to the Privilege Manager software on your server.
  2. Install the Privilege Manager Policy Server software on the host you set up in the General task.
  3. Configure the host as a primary policy server.
  4. Join a PM Agent or Sudo Plugin host to the policy group.

We hope this experience gives you a quick start to using Management Console for Unix.

Upgrade Quest Identity Manager for Unix

The process for upgrading Identity Manager for Unix to Management Console for Unix is similar to installing it for the first time. The installer detects an older version of the console and automatically upgrades the components.

Note: The procedures in this topic assume you have Quest Identity Manager for Unix 1.0.1 or greater installed. If you are upgrading a previous version of Identity Manager for Unix, you must uninstall the web console and do a fresh install of Management Console for Unix; you cannot upgrade 1.0.0.

Before you begin the upgrade procedure:

  • Delete your browser's cached Temporary Internet Files and Cookies.
  • Close the console and make a backup of your database, as explained in step 1.

To upgrade Identity Manager for Unix to Management Console for Unix

  1. Back up the 1.0.x database files:
    1. Shut down the service. See Start/stop/restart Management Console for Unix service for details.

      Note: The mcu_service was called the imu_service in the Identity Manager for Unix 1.0.x console.

      Management Console for Unix uses an HSQLDB (Hyper Structured Query Language Database) to store its data, such as information about the hosts, settings, users, groups, and so forth.

    2. Copy the /var/opt/quest/imu data directory to a backup location.

      Note: Refer to Database maintenance for more information about the database locations and filenames.

    3. After the backup is complete, restart the service. See Start/stop/restart Management Console for Unix service for details.

      Once you back up the database files, you are ready to start the upgrade.

  2. To start the upgrade, follow the instructions for a first-time installation. See the Installing and Uninstalling topic for your platform under Installing the Management Console to start the installation procedure.

    When the installer detects that a previous version of the management console is already installed, it asks if you want to continue.

  3. Click Yes at the Install Management Console for Unix dialog.

    The Install Management Console for Unix dialog displays.

  4. Accept the terms of the license agreement and click Next.
  5. Modify the installation directory path, if necessary, and click Next.
  6. Modify the default SSL (https) and Non-SSL (http) port numbers, if necessary, and click Install.

    The installation wizard installs Management Console for Unix 2.x and upgrades the database.

  7. When the installer asks if you want to uninstall the previous version of the console, you can opt to leave the older version installed and continue the 2.x installation.

    Once you are satisfied with the upgrade, you can uninstall the previous version at a later time. See the Installing and Uninstalling topic for your platform under Installing the Management Console for details about the uninstall procedure.

    Note: While you can have both the older and the newer versions of the management console installed, you cannot run both at the same time.

  8. On the Complete dialog, select the Launch the Management Console option and click Finish.
  9. Log in to the management console as supervisor to complete the post-upgrade configuration.

    You cannot log in as an Active Directory user until you log in as supervisor and reassign your Active Directory accounts to specific roles.

  10. On the Complete Upgrade dialog, enter your Active Directory credentials and click Continue to perform the post-upgrade configuration.

    After upgrading from 1.0.x, Active Directory accounts are assigned to the Manage Host role. To assign Active Directory users to other roles, log in to the console as supervisor and go to Settings | System Settings | Console Roles and Permissions. See Adding (or Removing) role members for details.

  11. On the Summary dialog, click Logout to log back in using an Active Directory account or click Close to open the management console with the supervisor account.
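The backup in step 1, as an added shell example (not part of the vendor's tooling): it refuses to copy while the database looks open, keeps the copy readable by its owner only, and verifies it against the source. The `/var/backups/imu` destination is a hypothetical location, and the `*.lck` test assumes HSQLDB's usual lock file beside an open database; stop and restart the service as described in steps 1.1 and 1.3.

```shell
#!/bin/sh
# Added example: copy the 1.0.x data directory before upgrading.
# Usage: backup_console_db [DATA_DIR] [BACKUP_ROOT]
# Prints the path of the new backup on success.

backup_console_db() {
    data_dir=${1:-/var/opt/quest/imu}       # data directory named in step 1.2
    backup_root=${2:-/var/backups/imu}      # hypothetical backup location
    dest="$backup_root/imu-$(date +%Y%m%d-%H%M%S)"

    [ -d "$data_dir" ] || { echo "no data directory: $data_dir" >&2; return 2; }

    # Assumption: HSQLDB keeps a *.lck file next to a database that is open,
    # so finding one means the service was not shut down (or did not exit
    # cleanly) and a copy taken now may be inconsistent.
    if find "$data_dir" -name '*.lck' | grep -q .; then
        echo "lock file found under $data_dir; shut down the service first" >&2
        return 3
    fi

    # The database holds host, user and group data and cached credentials,
    # so create the copy with owner-only permissions.
    ( umask 077
      mkdir -p "$dest" &&
      cp -Rp "$data_dir/." "$dest/" ) || return 4
    chmod -R go-rwx "$dest"

    # Verify the copy byte for byte before relying on it.
    diff -r "$data_dir" "$dest" >/dev/null || {
        echo "backup differs from source: $dest" >&2
        return 5
    }
    echo "$dest"
}
```
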

Note: After an upgrade from version 1.0.x to 2.x, please note the following:

  • Passwords cached by the supervisor account or AD users with console access were not migrated during the upgrade process due to changes in encryption. Users will have to re-enter their passwords for hosts they manage the next time they perform tasks on the hosts, and choose to cache their credentials again on the server.
  • It is important to re-profile all hosts after an upgrade of any version of Management Console for Unix.
  • Existing Active Directory users and groups granted access to the management console are added to the Manage Hosts role, giving them access to the features they had before the upgrade.
  • Because the encryption mechanism was changed, cached host credentials (that is, passwords cached by the supervisor account or Active Directory users with console access) are not migrated when you upgrade from 1.0.x to 2.x. Users will have to re-enter their passwords for hosts they manage the next time they perform tasks on the hosts and choose to cache them again on the server.
  • The host address in the Console host address box on the Console Information settings may have been entered as a simple address in version 1.0.x. To perform some tasks without error, such as auto-profiling, the Console host address must be a Fully Qualified Domain Name.

Reset custom configuration settings

When upgrading from version 1.0.x to 2.x or higher, there are some steps you must take to reset any custom configuration settings you had in the previous version.

The upgrade procedure makes a .bak copy of your configuration file (jvmargs.cfg.bak) at the root of your installation directory. After you upgrade the management console from version 1.0.x, to reset any custom configuration settings you may have made in the previous version, compare the jvmargs.cfg.bak file with the new jvmargs.cfg file to see if you had any custom settings. For example, if you had increased the JVM Memory size in the previous version, you must add the JVM Memory setting argument to the custom.cfg file. See Setting custom configuration settings for more information about customizing configuration settings for the management console.

Note: Do not change the jvmargs.cfg file directly; the settings in the custom.cfg file always take precedence over the default settings in jvmargs.cfg. Also, the next time you upgrade Management Console for Unix, changes in the jvmargs.cfg file will be overwritten.
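One way to make the comparison described above, as an added shell example that is not part of the product: it lists settings that appear in jvmargs.cfg.bak but not in the new jvmargs.cfg, which are the candidates to review for custom.cfg. It assumes one JVM argument per line and `#` comment lines; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: find pre-upgrade settings missing from the new defaults.
# Usage: custom_jvmargs /path/to/jvmargs.cfg.bak /path/to/jvmargs.cfg

# Print the file's settings: trimmed, without blank or comment lines, sorted.
normalize_cfg() {
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e '/^$/d' -e '/^#/d' "$1" | sort -u
}

# Print every setting found in the backup but not, as an identical line, in
# the new file. A changed value (for example a different memory size) shows
# up here because the whole line is compared.
custom_jvmargs() {
    bak=$1
    new=$2
    [ -r "$bak" ] && [ -r "$new" ] || {
        echo "cannot read $bak or $new" >&2
        return 2
    }
    tmp=$(mktemp) || return 2
    normalize_cfg "$new" > "$tmp"
    # -F fixed strings, -x whole-line match, -v keep lines with no match
    normalize_cfg "$bak" | grep -Fxv -f "$tmp"
    rc=$?
    rm -f "$tmp"
    # grep exits 1 when nothing differs; that is not an error here
    [ "$rc" -le 1 ]
}
```

Review each reported line before adding it to custom.cfg, since a line can also differ because the new release changed a default.
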
