Chat now with support
지원 담당자와 채팅

Privilege Manager for Sudo 6.1 Common Documents - Administration Guide

One Identity Privileged Access Suite for Unix Introducing Privilege Manager for Sudo Planning Deployment Installation and Configuration Upgrade Privilege Manager for Sudo System Administration Managing Security Policy Administering Log and Keystroke Files Troubleshooting Privilege Manager Variables Privilege Manager programs Installation Packages Unsupported Sudo Options Privilege Manager for Sudo Policy Evaluation

Configure a Primary Policy Server

The first thing you must do is install and configure the host you want to use as your primary policy server.

Checking the server for installation readiness

Privilege Manager comes with a Preflight program that checks to see if your system meets the install requirements.

To check for installation readiness

  1. Log on as the root user.
  2. Change to the directory containing the qpm-server package for your specific platform.

    For example, on a 64-bit Red Hat Linux, run:

    # cd server/linux-x86_64
  3. To ensure that the pmpreflight command is executable, run:
    # chmod 755 pmpreflight
  4. To verify your primary policy server host meets installation requirements, run:
    # sh pmpreflight.sh –-server

    NOTE: Running pmpreflight.sh –-server performs these tests:

    • Basic Network Conditions:
      • Hostname is configured
      • Hostname can be resolved
      • Reverse lookup returns its own IP
    • Privilege Manager Server Network Requirements:
      • Policy server port is available (TCP/IP port 12345)
    • Privilege Manager Prerequisites:
      • SSH keyscan is available
  5. Resolve any reported issues and rerun pmpreflight until all tests pass.

TCP/IP configuration

Privilege Manager uses TCP/IP to communicate with networked computers, so it is essential that you have TCP/IP correctly configured. If you cannot use programs such as ssh and ping to communicate between your computers, then TCP/IP is not working properly; consult your system administrator to find out why and make appropriate changes.

Ensure that your host has a statically assigned IP address and that your host name is not configured to the loopback IP address 127.0.0.1 in the /etc/hosts file.

Firewalls

When the agent and policy server are on different sides of a firewall, Privilege Manager needs a number of ports to be kept open. By default, Privilege Manager can use ports in the 600 to 31024 range, but when using a firewall, you may want to limit the ports that can be used.

You can restrict Privilege Manager to using a range of ports in the reserved ports range (600 to 1023) and the non-reserved ports range (1024 to 65535). We recommend that a minimum of six ports are assigned to Privilege Manager in the reserved ports range and twice that number of ports are assigned in the non-reserved ports range.

Use the setreserveportrange and setnonreserveportrange settings in the /etc/opt/quest/qpm4u/pm.settings file to open the ports in the required ranges. See PM settings variables for details.

관련 문서