To configure Privilege Manager to work across Network Address Translation (NAT), you must add both the external and the internal IP address of the firewall to the tunnelrunhosts list in the /etc/opt/quest/qpm4u/pm.settings file; if either address is missing, connections that arrive with the translated address are not recognised as coming from a permitted host.
See PM settings variables for more information about modifying the Privilege Manager configuration settings.
You can configure Privilege Manager to use Kerberos to authenticate hosts and to exchange encryption key information.
To configure Privilege Manager to use Kerberos encryption, edit or insert the following line in the /etc/opt/quest/qpm4u/pm.settings file:
kerberos yes
Also, to use Kerberos with Privilege Manager, ensure that suitable Service Principal Names (SPNs) are registered. Using the generic host service-type, configure the SPNs like this:
host/sun17.quest.com
NOTE: Substitute your own host names.
If the SPN has been registered using the fully qualified DNS name, you can abbreviate the SPNs to the service-type, such as:
host
Specify the service principal names using the mprincipal (policy server principal) and lprincipal (local principal) settings in the pm.settings file. For example, on an agent with a host name of sun17.quest.com and an SPN registered as host/db_server1.quest.com, specify:
mprincipal host
lprincipal host/db_server1.quest.com
You may need to modify these other settings according to your Kerberos configuration:

Kerberos Setting | Description
---|---
keytab | Location of the keytab file. Default: /etc/opt/quest/vas/host.keytab
krb5rcache | Location of the Kerberos cache. Default: /var/tmp
krbconf | Location of the Kerberos configuration file. Default: /etc/opt/quest/vas/vas.conf
See PM settings variables for more information about modifying the Privilege Manager configuration settings.
You can enable configurable certification for use with Privilege Manager. Configurable certification is a proprietary method of certifying hosts based on the system hardware ID, MD5 checksums and DES encryption. MD5 and DES are not considered strong by current standards, so treat configurable certification as an additional host-identity check alongside Kerberos authentication, not as a replacement for it.
Use the pmkey command to generate and install certificates. For example, to generate a new certificate and put it into the specified file, enter:
# pmkey -a <filename>
To install the newly generated certificate from the specified file, enter:
# pmkey -i <filename>
To enable configurable certification
1. Edit or insert the following line in the /etc/opt/quest/qpm4u/pm.settings file on the policy server and on each client:
certificates YES
2. On the policy server, generate and install the policy server certificate:
# pmkey -a <policy server filename>
When prompted, enter a phrase or keyword.
# pmkey -i <policy server filename>
NOTE: You must enter the same filename in both the -a and -i commands shown above.
3. On the client, generate and install the client certificate:
# pmkey -a <client filename>
When prompted, enter a phrase or keyword. You must use the same phrase or keyword to generate the client and policy server certificates.
# pmkey -i <client filename>
NOTE: You must enter the same filename in both the -a and -i commands shown above.
The keys are located in /etc/opt/quest/qpm4u/.qpm4u/.keyfiles/<key filename>.
4. Install each host's key file on the other host: on the policy server, install the client key file, and on the client, install the policy server key file:
# pmkey -i <client filename>
# pmkey -i <policy server filename>
Configurable certification is now enabled.
NOTE: By default, pmkey certifies the pass phrase when installing the keyfile for other hosts. If you do not want pmkey to certify the pass phrase when installing the keyfile for other hosts, use -f in the pmkey -i command, like this:
# pmkey -i <keyfile> -f
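The NAT, Kerberos and configurable-certification sections above all come down to settings in one file, so a small audit script is a useful way to confirm a host before enabling them. The script below is an added example and is not One Identity code; it assumes pm.settings consists of whitespace-separated "setting value" lines with '#' comments, and the helper names (lc, pm_setting, pm_audit, make_sample), the sample file and the IP addresses are constructed for illustration. The rule that mprincipal and lprincipal must both be present when kerberos is yes is this audit's own policy, taken from the Kerberos section above.

```shell
#!/bin/sh
# Added example (not One Identity code): audit a pm.settings file for the
# settings this page covers. Assumptions: pm.settings lines are
# "<setting> <value...>" separated by whitespace, with '#' comments; the
# function names, the sample file and the IP addresses are constructed.

# lc STRING -> STRING lower-cased (values such as "certificates YES"
# are compared case-insensitively by this audit)
lc() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# pm_setting FILE SETTING -> value of SETTING (first non-comment match),
# empty if the setting is absent
pm_setting() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        $1 == key  { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# pm_audit FILE EXTERNAL_IP INTERNAL_IP -> prints one line per finding and
# returns the number of findings (0 means the file passed every check)
pm_audit() {
    file=$1; ext_ip=$2; int_ip=$3; problems=0

    # NAT: both firewall addresses must be listed in tunnelrunhosts
    hosts=$(pm_setting "$file" tunnelrunhosts)
    for ip in "$ext_ip" "$int_ip"; do
        case " $hosts " in
            *" $ip "*) ;;
            *) echo "FAIL: $ip is not in tunnelrunhosts"
               problems=$((problems + 1)) ;;
        esac
    done

    # Kerberos: when enabled, both principal settings must be present
    if [ "$(lc "$(pm_setting "$file" kerberos)")" = yes ]; then
        for key in mprincipal lprincipal; do
            if [ -z "$(pm_setting "$file" "$key")" ]; then
                echo "FAIL: kerberos is yes but $key is not set"
                problems=$((problems + 1))
            fi
        done
    else
        echo "WARN: kerberos is not set to yes"
        problems=$((problems + 1))
    fi

    # Configurable certification must be switched on
    if [ "$(lc "$(pm_setting "$file" certificates)")" != yes ]; then
        echo "WARN: certificates is not set to yes"
        problems=$((problems + 1))
    fi

    return "$problems"
}

# make_sample FILE -> writes a constructed pm.settings (not a real deployment)
make_sample() {
    cat > "$1" <<'EOF'
# constructed sample pm.settings
tunnelrunhosts 203.0.113.10 10.0.0.5
kerberos yes
keytab /etc/opt/quest/vas/host.keytab
mprincipal host
lprincipal host/db_server1.quest.com
certificates YES
EOF
}

# Demo: audit the sample with the right addresses, then with a wrong internal one
demo_file=$(mktemp)
make_sample "$demo_file"
pm_audit "$demo_file" 203.0.113.10 10.0.0.5 && echo "OK: sample passes"
pm_audit "$demo_file" 203.0.113.10 192.0.2.99 || echo "findings: $?"
rm -f "$demo_file"
```

Run it against the real file with `pm_audit /etc/opt/quest/qpm4u/pm.settings <external IP> <internal IP>`; the exit status is the number of findings, so it can gate a configuration-management step. The script only inspects the settings file: it does not verify that the keytab contains the SPN or that the pmkey key files have been exchanged, which still need to be checked on each host.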