サポートと今すぐチャット
サポートとのチャット

Privilege Manager for Unix 7.3 - Administration Guide

Introducing Privilege Manager for Unix Planning Deployment Installation and Configuration Upgrade Privilege Manager for Unix System Administration Managing Security Policy The Privilege Manager for Unix Security Policy Advanced Privilege Manager for Unix Configuration Administering Log and Keystroke Files InTrust Plug-in for Privilege Manager for Unix Troubleshooting Privilege Manager for Unix Policy File Components Privilege Manager for Unix Variables
Variable names Variable scope Global input variables Global output variables Global event log variables PM settings variables
Privilege Manager for Unix Flow Control Statements Privilege Manager for Unix Built-in Functions and Procedures
Environment functions Hash table functions Input and output functions LDAP functions LDAP API example List functions Miscellaneous functions Password functions Remote access functions String functions User information functions Authentication Services functions
Privilege Manager for Unix programs Installation Packages

Configuring the primary policy server for Privilege Manager for Unix

Once you install the Privilege Manager for Unix server packages, the next task is to configure the primary policy server. The first policy server you setup is the primary policy server.

To configure the primary policy server for a pmpolicy type

  1. From the command line of the primary policy server host, run:

    # /opt/quest/sbin/pmsrvconfig -m pmpolicy

    The command supports many command-line options. For more details, see pmsrvconfig or run pmsrvconfigpmsrvconfig with the -h option to display the help.

    When you run pmsrvconfig with the -i (interactive) option, the configuration script gathers information from you by asking you a series of questions. During this interview, you are allowed to either accept a default setting or set an alternate setting.

    Once you have completed the policy server configuration script interview, it configures the policy server.

  2. When you run pmsrvconfig for the first time, it asks you to read and accept the End User License Agreement (EULA).

  3. Enter a password for the new pmpolicy service account and confirm it. This password is also called the Join password. You will use this password when you add secondary policy servers or join remote hosts to this policy group.

    The configuration process:

    • Creates the /etc/opt/quest/qpm4u/pm.settings file, which contains various parameters and settings

    • Installs service entries in the /etc/services file, which contains unique port numbers for pmmasterd and pmlocald

    • Generates a SSH key for log access

    • Generates the master policy, a profile-based policy

    • Creates the SVN database repository for the master policy

    • Checks out a production copy of the master policy

    • Performs a syntax check of the master policy

    • Starts the Privilege Manager for Unix service (pmserviced). For more details, see pmserviced.

    • Reloads the pmloadcheck configuration. For more details, see pmloadcheck .

pmpolicy server configuration settings

When you run pmsrvconfig with the -i (interactive) option, the configuration script gathers information from you by asking you a series of questions. During this interview, you are allowed to either accept a default setting or set an alternate setting.

The configuration script first asks you to read and accept the End User License Agreement (EULA). The second question asks if you want to configure the server as a sudo or a pmpolicy type server; the default is sudo. For more information about policy types, see Security policy types. Depending on which type of server you are configuring the interview asks different questions.

The following table lists the default and alternative configuration settings when configuring a pmpolicy server. For more information about the policy server configuration settings, see PM settings variables.

Table 4: pmpolicy server configuration settings
Configuration setting Default Alternate

Configure Privilege Manager for Unix Policy Mode

Configure host as primary or secondary policy group server:

primary

Enter secondary, then supply the primary server host name.

Set Policy Group Name:

<FQDN name of policy server>

Enter Policy Group Name of your choice.

Policy mode:

For more information about policy types, see Security policy types.

Sets policymode in pm.settings. (Policy "modes" are the same as policy "types" in the console.)

sudo

Enter pmpolicy

Configure Security Policy

Initialize the security policy?

YES

Enter No

Configure Privilege Manager for Unix Daemon Settings

Policy server command line options:

Sets pmmasterdopts in pm.settings.

-ar

Enter:

  • -a to send job acceptance messages to syslog.

  • -e <logfile> to use the error log file identified by <logfile>.

  • -r to send job rejection messages to syslog.

  • -s to send error messages to syslog. none to assign no options.

    -a, -r, and -s override syslog no option; -e <logfile> overrides the pmmasterdlog <logfile> option.

Enable remote access functions?

Sets clients in pm.settings.

NO

Does not make system information on this host available to policy servers located on other hosts.

Enter Yes to allow remote policy servers to connect to this primary policy server for remote I/O logging, or to access functions in the policy file.

Entering Yes allows you to list remote hosts.

If Yes, list of remote hosts allowed to connect to this policy server?

NO

Enter Yes, then add remote hosts to list.

Configure host as a PM Agent?

NO

Enter Yes, then configure command line options.

If Yes, configure command line options for the agent daemon?

pmlocaldopts is not set

Enter:

  • -s to send error messages to syslog.

  • -e <logfile> to use the error log file identified by <logfile>.

  • -m to only accept connections from the policy server daemon on the specified host. (Use Multiple -m options to specify more than one host.)

  • none to assign no options.

These command-line options override the syslog and pmmasterdlog options configured in the pm.settings file.

Configure pmlocald on this host?

NO

Enter Yes

Configure policy server host components to communicate with remote hosts through firewall?

NO

Enter Yes

Configure pmtunneld on this host?

NO

Enter Yes

Define host services?

You must add service entries to either the /etc/services file or the NIS services map.

YES

Adds services entries to the /etc/services file.

Enter No

Communications Settings for Privilege Manager for Unix

Policy server daemon port number:

Sets masterport in pm.settings.

12345

Enter a port number for the policy server to communicate with agents and clients.

Specify a range of reserved port numbers for this host to connect to other defined Privilege Manager for Unix hosts across a firewall?

Sets setreserveportrange in pm.settings.

NO

Enter Yes, then enter a value between 600 and 1023:

  1. Minimum reserved port. (Default is 600.)

  2. Maximum reserved port. (Default is 1023.)

Specify a range of non-reserved port numbers for this host to connect to other defined Privilege Manager for Unix hosts across a firewall?

Sets setnonreserveportrange in pm.settings.

NO

Enter Yes, then enter a value between 1024 and 65535:

  1. Minimum non-reserved port. (Default is 1024.)

  2. Maximum non-reserved port. (Default is 31024.)

Allow short host names?

Sets shortnames in pm.settings.

YES

Enter No to use fully-qualified host names instead.

Configure Kerberos on you

Sets kerberos in pm.settings.r network?

NO

Enter Yes, then enter:

  1. Policy server principal name. (Default is host.)

  2. Local principal name. (Default is host.)

  3. Directory for replay cache. (Default is /var/tmp.)

  4. Path for the Kerberos configuration files [krbconf setting]. (Default is /etc/opt/quest/vas/vas.conf.)

  5. Full pathname of the Kerberos keytab file [keytab setting]. (Default is /etc/opt/quest/vas/host.keytab.)

Encryption level:

For more details, see Encryption.

Sets encryption in pm.settings.

AES

Enter one of these encryption options:

  • DES

  • TRIPLEDES

  • AES

Enable certificates?

Sets certificates in pm.settings.

NO

Enter Yes, then answer:

Generate a certificate on this host? (Default is NO.)

Enter Yes and specify a passphrase for the certificate.

Once configuration of this host is complete, swap and install keys for each host in your system that need to communicate with this host. For more details, see Swap and install keys.

Activate the failover timeout?

YES

Enter Yes, then assign the failover timeout in seconds: (Default is 10.)

Failover timeout in seconds:

Sets failovertimeout in pm.settings.

10

Enter timeout interval.

Configure Privilege Manager for Unix Logging Settings

Send errors reported by the policy server and local daemons to syslog?

YES

Enter No

Policy server log location:

Sets pmmasterdlog in pm.settings.

/var/log/pmmasterd.log

Enter a location.

Install Privilege Manager for Unix Licenses

XML license file to apply:

(use the freeware product license)

Enter enter location of the .xml license file.

Enter Done when finished.

Password for pmpolicy user:

For more information about pmpolicy service account, see Configuring the primary policy server for Privilege Manager for Unix.

 

Enter <password>

NOTE:: This password is also called the "Join" password. You will use this password when you add secondary policy servers or join remote hosts to this policy group.

NOTE:: You can find an installation log file at: /opt/quest/qpm4u/install/pmsrvconfig_output_<Date>.log

Verifying the primary policy server configuration

To verify the policy server configuration

  1. From the command line of the primary policy server, run:

    # pmsrvinfo

    The pmsrvinfo command displays the current configuration settings. For example:

    Policy Server Configuration: 
    ---------------------------- 
    Privilege Manager for Unix version                     : 6.0.0 
    Listening port for pmmasterd daemon           : 12345 
    Comms failover method                         : random 
    Comms timeout(in seconds)                     : 10 
    Policy type in use                            : pmpolicy 
    Group ownership of logs                       : pmlog 
    Group ownership of policy repository          : pmpolicy 
    Policy server type                            : primary 
    Primary policy server for this group          : <polsrv>.example.com 
    Group name for this group                     : <polsrv>.example.com 
    Location of the repository
     : file:////var/opt/quest/<polsrv>/.<polsrv>/.repository/pmpolicy_repos/trunk 
    Hosts in the group                            : <polsrv>.example.com

    Note the entries for policy type (pmpolicy) and policy server type (primary). For more information about security policy types, see Security policy types.

Recompile the whatis database

If you are using the whatis database and you chose to install the man pages, you may wish to recompile the database to allow users to search the documentation using keywords.

関連ドキュメント

The document was helpful.

評価を選択

I easily found the information I needed.

評価を選択