One Identity recommends that you install One Identity Management Console for Unix, a separate One Identity product that provides a management console that is a powerful and easy-to-use tool that dramatically simplifies deployment of Safeguard Authentication Services agents to your clients. The management console streamlines the overall management of your Unix, Linux, and macOS hosts by enabling centralized management of local Unix users and groups and providing granular reports on key data and attributes.
Prior to installing Management Console for Unix, ensure your system meets the minimum hardware and software requirements for your platform.
Table 8: Management Console for Unix: Hardware and software requirements
Supported platforms |
Can be installed on the following configurations:
- Windows x86 (32-bit)
- Windows x86-64 (64-bit)
- Unix/Linux systems for which Java 8 is available
|
Server requirements |
The Management Console for Unix server requires Java 8 (also referred to as JRE 8, JDK 8, JRE 1.8, and JDK 1.8). |
Managed Host Requirements |
Click www.oneidentity.com/products/safeguard-authentication-services/ to view a list of Unix, Linux, and Mac platforms that support Safeguard Authentication Services.
Click www.oneidentity.com/products/privilege-manager-for-unix/ to review a list of Unix and Linux platforms that support Privilege Manager for Unix.
Click www.oneidentity.com/products/privilege-manager-for-sudo/ to review a list of Unix, Linux, and Mac platforms that support Safeguard for Sudo.
Considerations:
- To enable the Management Console for Unix server to interact with the host, you must install both an SSH server (that is, sshd) and an SSH client on each managed host. Both OpenSSH 2.5 (and higher) and Tectia SSH 5.0 (and higher) are supported.
- Management Console for Unix does not support Security-Enhanced Linux (SELinux)
- When you install Safeguard Authentication Services on Oracle Solaris 11, the Oracle Solaris 10 packages are installed.
|
Default memory requirement |
1024 MB
NOTE: See JVM memory tuning suggestions in the One Identity Management Console for Unix Administration Guide for information about changing the default memory allocation setting in the configuration file. |
Safeguard Authentication Services must be able to communicate with Active Directory, including domain controllers, global catalogs, and DNS servers using Kerberos, LDAP, and DNS protocols. The following table summarizes the network ports that must be open and their function.
Table 9: Network ports
389 |
Used for LDAP searches against Active Directory Domain Controllers. TCP is normally used, but UDP is used when detecting Active Directory site membership. |
3268 |
Used for LDAP searches against Active Directory Global Catalogs. TCP is always used when searching against the Global Catalog. |
88 |
Used for Kerberos authentication and Kerberos service ticket requests against Active Directory Domain Controllers. TCP is used by default. |
464 |
Used for changing and setting passwords against Active Directory using the Kerberos change password protocol. Safeguard Authentication Services always uses TCP for password operations. |
53 |
Used for DNS. Since Safeguard Authentication Services uses DNS to locate domain controllers, DNS servers used by the Unix hosts must serve Active Directory DNS SRV records. Both UDP and TCP are used. |
123 |
UDP only. Used for time-synchronization with Active Directory. |
445 |
CIFS port used to enable the client to retrieve configured group policy. |
Note: Safeguard Authentication Services, by default, operates as a client, initiating connections. It does not require any firewall exceptions for incoming traffic.
Installing and configuring Safeguard Authentication Services
To extend the authentication, authorization, and administration infrastructure of Active Directory to the rest of your enterprise, allowing Unix, Linux, and macOS systems to act as full citizens within Active Directory, you must install and configure Safeguard Authentication Services:
- Install Management Console for Unix.
- Install Safeguard Authentication ServicesWindows components.
- Configure Active Directory for Safeguard Authentication Services (one time only).
- Configure Unix Agent Components
- Configure the management console for Active Directory.
- Prepare the Unix hosts for Active Directory user access:
- Add and profile a host.
- Check the host for readiness to join Active Directory.
- Install Safeguard Authentication Services agent software packages on the host to allow Active Directory user access.
Note: For users to authenticate on Unix, Linux, and macOS hosts with Active Directory credentials, your Unix hosts must have the Safeguard Authentication Services agent installed.
- Join the host to Active Directory.
In preparing for your Safeguard Authentication Services installation, One Identity recommends that you install Management Console for Unix. This provides a management console that is a powerful and easy-to-use tool that dramatically simplifies deployment, enables management of local Unix users and groups, provides granular reports on key data and attributes, and streamlines the overall management of your Unix, Linux, and macOS hosts.
You can install the management console on Windows, Unix, or Linux computers. Each hosting platform prompts for similar information.
The following install files are located on the Safeguard Authentication Services distribution media under console | server:
- ManagementConsoleForUnix_unix_2_n_n.sh - for Unix and Linux
- ManagementConsoleForUnix_windows_2_n_n.exe - for Windows
- ManagementConsoleForUnix_windows-x64_2_n_n.exe - for Windows
where "n.n" indicates the product version number.
The Management Console for Unix Administration Guide contains detailed instructions for installing the management console on all of these platforms. Use the following procedure to install the console on a supported Windows platform from the Safeguard Authentication Services 5.0.1 distribution media.
Of course, you can install Safeguard Authentication Services without using Management Console for Unix. You can find those instructions in the Installing and joining from the Unix command line section of the Safeguard Authentication Services Installation Guide, which can be found on the Safeguard Authentication Services - Technical Documentation page on the One Identity support site. However, for the purposes of the examples in this guide, it is assumed that you will install and configure Safeguard Authentication Services Unix agent components by means of Management Console for Unix.