지금 지원 담당자와 채팅
지원 담당자와 채팅

Privilege Manager for Unix 6.1 Common Documents - Administration Guide

One Identity Privileged Access Suite for Unix Introducing Privilege Manager for Unix Planning Deployment Installation and Configuration Upgrade Privilege Manager for Unix System Administration Managing Security Policy The Privilege Manager for Unix Security Policy Advanced Privilege Manager for Unix Configuration Administering Log and Keystroke Files InTrust Plug-in for Privilege Manager Troubleshooting Privilege Manager for Unix Policy File Components Privilege Manager Variables Privilege Manager for Unix Flow Control Statements Privilege Manager for Unix Built-in Functions and Procedures Privilege Manager programs Installation Packages

Configure a Primary Policy Server

The first thing you must do is install and configure the host you want to use as your primary policy server.

Checking the server for installation readiness

Privilege Manager comes with a Preflight program that checks to see if your system meets the install requirements.

To check for installation readiness

  1. Log on as the root user.
  2. Change to the directory containing the qpm-server package for your specific platform.

    For example, on a 64-bit Red Hat Linux, run:

    # cd server/linux-x86_64
  3. To ensure that the pmpreflight command is executable, run:
    # chmod 755 pmpreflight
  4. To verify your primary policy server host meets installation requirements, run:
    # sh pmpreflight.sh –-server

    NOTE: Running pmpreflight.sh –-server performs these tests:

    • Basic Network Conditions:
      • Hostname is configured
      • Hostname can be resolved
      • Reverse lookup returns its own IP
    • Privilege Manager Server Network Requirements:
      • Policy server port is available (TCP/IP port 12345)
    • Privilege Manager Prerequisites:
      • SSH keyscan is available
  5. Resolve any reported issues and rerun pmpreflight until all tests pass.

TCP/IP configuration

Privilege Manager uses TCP/IP to communicate with networked computers, so it is essential that you have TCP/IP correctly configured. If you cannot use programs such as ssh and ping to communicate between your computers, then TCP/IP is not working properly; consult your system administrator to find out why and make appropriate changes.

Ensure that your host has a statically assigned IP address and that your host name is not configured to the loopback IP address 127.0.0.1 in the /etc/hosts file.

Firewalls

When the agent and policy server are on different sides of a firewall, Privilege Manager needs a number of ports to be kept open. By default, Privilege Manager can use ports in the 600 to 31024 range, but when using a firewall, you may want to limit the ports that can be used.

You can restrict Privilege Manager to using a range of ports in the reserved ports range (600 to 1023) and the non-reserved ports range (1024 to 65535). We recommend that a minimum of six ports are assigned to Privilege Manager in the reserved ports range and twice that number of ports are assigned in the non-reserved ports range.

Use the setreserveportrange and setnonreserveportrange settings in the /etc/opt/quest/qpm4u/pm.settings file to open the ports in the required ranges. See PM settings variables for details.

If configuring Privilege Manager for Unix to use NAT (Network Address Translation), you may need to configure the pmtunneld component. See Configuring firewalls for more information about using Privilege Manager for Unix with NAT and restricting port numbers.

관련 문서