Syntax
pmless /<full_path_name>
Description
The pmless pager is similar to the less pager. It has been modified so that you can use it securely with the Privilege Manager for Unix programs. Because of this, you must specify a full pathname as a command line argument to pmless. Also, you will not be able to access any files other than the ones you specify at startup time. Nor will you be allowed to spawn any processes.
Using this program in conjunction with Privilege Manager for Unix allows you to access a specific file as root but not other root functions.
Syntax
pmlicense -h
[-c]
-v [-c]
-v <xmlfile> [-c]
-l|-x <xmlfile> [-c] [-f] [-e]
-u [s|f][-c][-d m|y][-o <outfile>][-s d|h][-t u|p|k]
-r [-e]
-R <host> [-c]
-z on |off[:<pid>]
Description
The pmlicense command allows you to display current license information, update a license (an expired one or a temporary one before it expires) or create a new one. If you do not supply an option, then pmlicense displays a summary of the combined licenses configured on this host.
Options
pmlicense has the following options.
Table 63: Options: pmlicense
-c |
Displays output in CSV, rather than human-readable format. |
-d |
Filters a license report; restricting the date to either:
|
-e |
Does not forward the license change to the other servers in the group. |
-f |
Does not prompt for confirmation in interactive mode. |
-h |
Displays usage. |
-l <xmlfile> |
Configures the selected XML license file, and forwards it to the other servers in the policy group.
This option must be run as the root user or a member of the pmpolicy group. |
-o <outfile> |
Sends report output to selected file rather than to the default. For csv output, the default is file: /tmp/pmlicense_report_<uid>.txt; for human-readable output, the default is stdout. |
-r |
Regenerates and configures the default trial license, removing any configured commercial licenses, and forwards this change to the other servers in the policy group. |
-R <host> |
Remove the specified from the local policy server's license database. Normally, the client is removed automatically when it is unjoined from the policy server group. This option can be used to remove a client that has been retired without being explicitly unjoined. |
-s |
Sort the report data by either:
|
-t |
Filters license report by client type:
|
-u |
Displays the current license utilization on the master policy server:
|
-v |
If you do not provide a file argument, it displays the details of the currently configured license. If you provide a file argument, it verifies the selected XML license file and displays the license details. |
-x <xmlfile> |
Configures the selected XML license file.
This option is deprecated, use the "-l" option instead. |
-z |
Enables or disables debug tracing.
Before using this option, see Enabling program-level tracing. |
License data is updated periodically by the pmloadcheck daemon. For more details, see pmloadcheck .
Examples
To display current license status information, enter the following:
# pmlicense
Privilege Manager for Unix displays the current license information, noting the status of the license. The output will be similar to the following:
*** One Identity Privilege Manager for Unix ***
*** Privilege Manager for Unix VERSION 6.n.n (nnn) ***
*** CHECKING LICENSE ON HOSTNAME:<host>, IP address: <IP>
*** SUMMARY OF ALL LICENSES CURRENTLY INSTALLED ***
*License Type PERMANENT
*Commercial/Freeware License COMMERCIAL
*Expiration Date NEVER
*Max QPM4U Client Licenses 1000
*Max Sudo Policy Plugin Licenses 0
*Max Sudo Keystroke Plugin Licenses 0
*Authorization Policy Type permitted ALL
*Total QPM4U Client Licenses In Use 2
*Total Sudo Policy Plugins Licenses in Use 0
*Total Sudo Keystroke Plugins Licenses in Use 0
*** LICENSE DETAILS FOR PRODUCT:QPM4U
*License Version 1.0
*Licensed to company Testing
*Licensed Product QPM4U(1)
*License Type PERMANENT
*Commercial/Freeware License COMMERCIAL
*License Status VALID
*License Key PSXG-GPRH-PIGF-QDYV
*License tied to IP Address NO
*License Creation Date Tue Feb 08 2012
*Expiration Date NEVER
*Number of Hosts 1000
To update or create a new a license, enter the following at the command line:
pmlicense -l <xmldoc>
Privilege Manager for Unix displays the current license information, noting the status of the license, and then validates the information in the selected .xml file, for example:
*** One Identity Privilege Manager for Unix ***
*** Privilege Manager for Unix VERSION 7.n.n (nnn) ***
*** CHECKING LICENSE ON HOSTNAME:<host>, IP address:<IP> ***
*** SUMMARY OF ALL LICENSES CURRENTLY INSTALLED ***
*License Type PERMANENT
*Commercial/Freeware License COMMERCIAL
*Expiration Date NEVER
*Max QPM4U Client Licenses 1000
*Max Sudo Policy Plugin Licenses 0
*Max Sudo Keystroke Plugin Licenses 0
*Authorization Policy Type permitted ALL
*Total QPM4U Client Licenses In Use 2
*Total Sudo Policy Plugins Licenses in Use 0
*Total Sudo Keystroke Plugins Licenses in Use 0
*** Validating license file: <xmldoc> ***
*** LICENSE DETAILS FOR PRODUCT:QPM4U
*License Version 1.0
*Licensed to company Testing
*Licensed Product QPM4U(1)
*License Type PERMANENT
*Commercial/Freeware License COMMERCIAL
*License Status VALID
*License Key PNFT-FDIO-YSLX-JBBH
*License tied to IP Address NO
*License Creation Date Tue Feb 08 2012
*Expiration Date NEVER
*Number of Hosts 100
*** The selected license file (<xmldoc>) contains a valid license ***
Would you like to install the new license? y
Type y to update the current license.
Archiving current license… [OK]
*** Successfully installed new license ***
Description
The pmlist command displays a list of commands the current user is permitted to run. It is only valid when using the profile-based policy.
If the server is configured to use the default profile policy, use the pmlist command to list the commands that you are permitted to run. The server evaluates all configured profiles in the policy; for those that match the submit user and host, it prints out the commands that are permitted by the profile.
Syntax
pmloadcheck -v
-z on | off[:<pid>]
-s|-p|-i [-e <interval>][-t <sec>]
[-c|-f][-b][ -h <master>][-t <sec>] [-a][-r]
Description
The pmloadcheck daemon runs on each host and the Privilege Manager for Unix policy servers. By default, the daemon verifies the status of the configured policy servers every 60 minutes. It controls load balancing and failover for connections made from the host to the configured policy servers, and on secondary servers, it sends license data to the primary server.
When the pmloadcheck daemon runs, it attempts to establish a connection with the policy servers to determine their current status. If pmloadcheck successfully establishes a session with a policy server, it is marked online and is made available for normal client sessions. If pmloadcheck does not successfully establish a session with a policy server, it is marked offline.
Information is gathered from a policy server each time a normal client session connects to the policy server. This information is used to determine which policy server to use the next time a session is requested. If an agent cannot establish a connection to a policy server because, for example, the policy server is offline, then this policy server is marked as offline and no more connections are submitted to this policy server until it is marked available again.
To check the current status of all configured policy servers, and display a brief summary of their status, run pmloadcheck with no options. To show the full details of each policy server status, add the -f option.
Options
pmloadcheck has the following options.
Table 64: Options: pmloadcheck
-a |
Verifies the connection as if certificates were configured. |
-b |
Runs in batch mode. |
-c |
Displays output in CSV format. |
-e <interval> |
Sets the refresh interval (in minutes) to determine how often the pmloadcheck daemon checks the policy server status. The default value is 60. |
-f |
Shows full details of the policy server status when verifying and displaying policy server status. |
-h <master> |
Selects a policy server to verify. |
-i |
Starts up the pmloadcheck daemon, or prompts an immediate recheck of the policy server status if it is already running. |
-P |
Sends SIGNUP to a running daemon. |
-p |
Pauses a running daemon by sending SIGUSR1. |
-r |
Reports last cached data for selected servers instead of connecting to each one. |
-s |
Stops the pmloadcheck daemon if it is running. |
-t <sec> |
Specifies a timeout (in seconds) to use for each connection. |
-v |
Displays the version string and exits. |
-z |
Enables or disables debug tracing.
Before using this option, see Enabling program-level tracing. |