After you make sure your primary policy server host meets the system requirements, you are ready to install the Privilege Manager for Unix packages.
To install the Privilege Manager for Unix packages
# rpm –-install qpm-server-*.rpm
The Solaris server has a filename that starts with QSFTpmsrv.
When you install the qpm-server package, it installs all three Privilege Manager for Unix components on that host: the Privilege Manager for Unix Policy Server, the PM Agent, and the Sudo Plugin.
For details instructions on installing and configuring Safeguard for Sudo, see the One Identity Safeguard for Sudo Administration Guide.
After you install the primary policy server, you may want to update your PATH to include the Privilege Manager for Unix commands.
To modify the user's PATH environment variable
/opt/quest/bin:/opt/quest/sbin
/opt/quest/bin
Once you install the Privilege Manager for Unix server packages, the next task is to configure the primary policy server. The first policy server you setup is the primary policy server.
To configure the primary policy server for a pmpolicy type
# /opt/quest/sbin/pmsrvconfig -m pmpolicy
The pmsrvconfig command supports many command-line options; see pmsrvconfig for details or run pmsrvconfig with the -h option to display the help.
When you run pmsrvconfig with the -i (interactive) option, the configuration script gathers information from you by asking you a series of questions. During this interview, you are allowed to either accept a default setting or set an alternate setting.
Once you have completed the policy server configuration script interview, it configures the policy server.
The configuration process:
When you run pmsrvconfig with the -i (interactive) option, the configuration script gathers information from you by asking you a series of questions. During this interview, you are allowed to either accept a default setting or set an alternate setting.
The configuration script first asks you to read and accept the End User License Agreement (EULA). The second question asks if you want to configure the server as a sudo or a pmpolicy type server; the default is sudo. See Security policy types for more information about policy types. Depending on which type of server you are configuring the interview asks different questions.
The following table lists the default and alternative configuration settings when configuring a pmpolicy server. See PM settings variables for more information about the policy server configuration settings.
Configuration setting | Default | Alternate |
---|---|---|
Configure Privilege Manager for Unix Policy Mode | ||
Configure host as primary or secondary policy group server: | primary |
Enter secondary, then supply the primary server host name. |
Set Policy Group Name: | <FQDN name of policy server> | Enter Policy Group Name of your choice. |
Policy mode:
See Security policy types for more information about policy types. Sets policymode in pm.settings. (Policy "modes" are the same as policy "types" in the console.) |
sudo |
Enter pmpolicy |
Configure Security Policy | ||
Initialize the security policy? | YES |
Enter No |
Configure Privilege Manager for Unix Daemon Settings | ||
Policy server command line options: Sets pmmasterdopts in pm.settings. |
-ar |
Enter:
|
Enable remote access functions? Sets clients in pm.settings. |
NO
Does not make system information on this host available to policy servers located on other hosts. |
Enter Yes to allow remote policy servers to connect to this primary policy server for remote I/O logging, or to access functions in the policy file. Entering Yes allows you to list remote hosts. |
If Yes, list of remote hosts allowed to connect to this policy server? | NO | Enter Yes, then add remote hosts to list. |
Configure host as a PM Agent? | NO | Enter Yes, then configure command line options. |
If Yes, configure command line options for the agent daemon? | pmlocaldopts is not set |
Enter:
These command-line options override the syslog and pmmasterdlog options configured in the pm.settings file. |
Configure pmlocald on this host? | NO | Enter Yes |
Configure policy server host components to communicate with remote hosts through firewall? | NO | Enter Yes |
Configure pmtunneld on this host? | NO | Enter Yes |
Define host services? You must add service entries to either the /etc/services file or the NIS services map. |
YES
Adds services entries to the /etc/services file. |
Enter No |
Communications Settings for Privilege Manager for Unix | ||
Policy server daemon port number: Sets masterport in pm.settings. |
12345 | Enter a port number for the policy server to communicate with agents and clients. |
Specify a range of reserved port numbers for this host to connect to other defined Privilege Manager for Unix hosts across a firewall? Sets setreserveportrange in pm.settings. |
NO | Enter Yes, then enter a value between 600 and 1023:
|
Specify a range of non-reserved port numbers for this host to connect to other defined Privilege Manager for Unix hosts across a firewall? Sets setnonreserveportrange in pm.settings. |
NO | Enter Yes, then enter a value between 1024 and 65535:
|
Allow short host names? Sets shortnames in pm.settings. |
YES | Enter No to use fully-qualified host names instead. |
Configure Kerberos on you Sets kerberos in pm.settings.r network? |
NO | Enter Yes, then enter:
|
Encryption level:
See Encryption for details. Sets encryption in pm.settings. |
AES | Enter one of these encryption options:
|
Enable certificates? Sets certificates in pm.settings. |
NO |
Enter Yes, then answer: Generate a certificate on this host? (Default is NO.) Enter Yes and specify a passphrase for the certificate. Once configuration of this host is complete, swap and install keys for each host in your system that need to communicate with this host. See Swap and install keys for details. |
Activate the failover timeout? | YES | Enter Yes, then assign the failover timeout in seconds: (Default is 10.) |
Failover timeout in seconds: Sets failovertimeout in pm.settings. |
10 | Enter timeout interval. |
Configure Privilege Manager for Unix Logging Settings | ||
Send errors reported by the policy server and local daemons to syslog? | YES | Enter No |
Policy server log location: Sets pmmasterdlog in pm.settings. |
/var/log/pmmasterd.log | Enter a location. |
Install Privilege Manager for Unix Licenses | ||
XML license file to apply: | (use the freeware product license) |
Enter enter location of the .xml license file. Enter Done when finished. |
Enter <password> This password is also called the "Join" password. You will use this password when you add secondary policy servers or join remote hosts to this policy group. |
You can find an installation log file at: /opt/quest/qpm4u/install/pmsrvconfig_output_<Date>.log
© 2024 One Identity LLC. ALL RIGHTS RESERVED. 이용 약관 개인정보 보호정책 Cookie Preference Center