Chat now with support
Chat with Support

One Identity Management Console for Unix 2.5.2 - Administration Guide

One Identity Privileged Access Suite for Unix Introducing One Identity Management Console for Unix Installing Management Console for Unix Preparing Unix hosts Working with host systems Managing local groups Managing local users Active Directory integration Authentication Services integration Privilege Manager integration Reporting Setting preferences Security Troubleshooting tips
Auto profiling issues Active Directory Issues Auditing and compliance Cannot create a service connection point Check Authentication Services agent status commands not available CSV or PDF reports do not open Database port number is already in use Elevation is not working Hosts do not display Import file lists fakepath Information does not display in the console License information in report is not accurate Out of memory error Post install configuration fails on Unix or Mac Privilege Manager feature issues Profile task never completes questusr account was deleted Readiness check failed Recovering from a failed upgrade Reports are slow Reset the supervisor password Running on a Windows 2008 R2 domain controller Service account login fails Setting custom configuration settings Single Sign-on (SSO) issues JVM memory tuning suggestions Start/stop/restart Management Console for Unix service Toolbar buttons are not enabled UID or GID conflicts
System maintenance Command line utilities Web services Database maintenance

One Identity Privileged Access Suite for Unix

Unix Security Simplified

One Identity Privileged Access Suite for Unix solves the inherent security and administration issues of Unix-based systems (including Linux and Mac) while making satisfying compliance requirements a breeze. It unifies and consolidates identities, assigns individual accountability and enables centralized reporting for user and administrator access to Unix. The Privileged Access Suite for Unix is a one-stop shop for Unix security that combines an Active Directory bridge and root delegation solutions under a unified console that grants organizations centralized visibility and streamlined administration of identities and access rights across their entire Unix environment.

Active Directory Bridge

Achieve unified access control, authentication, authorization and identity administration for Unix, Linux, and Mac systems by extending them into Active Directory (AD) and taking advantage of AD’s inherent benefits. Patented technology allows non-Windows resources to become part of the AD trusted realm, and extends AD’s security, compliance and Kerberos-based authentication capabilities to Unix, Linux, and Mac. See Authentication Services for more information about the Active Directory Bridge product.

Root Delegation

The Privileged Access Suite for Unix offers two different approaches to delegating the Unix root account. The suite either enhances or replaces sudo, depending on your needs.

  • By choosing to enhance sudo, you will keep everything you know and love about sudo while enhancing it with features like a central sudo policy server, centralized keystroke logs, a sudo event log, and compliance reports for who can do what with Sudo.

    See One Identity Privilege Manager for Sudo for more information about enhancing sudo.

  • By choosing to replace sudo, you will still be able to delegate the Unix root privilege based on centralized policy reporting on access rights, but with a more granular permission and the ability to log keystrokes on all activities from the time a user logs in, not just the commands that are prefixed with "sudo". In addition, this option implements several additional security features like restricted shells, remote host command execution, and hardened binaries that remove the ability to escape out of commands and gain undetected elevated access.

    See Privilege Manager for Unix for more information about replacing sudo.

Privileged Access Suite for Unix

Privileged Access Suite for Unix offers two editions - Standard edition and Advanced edition. Both editions include: One Identity Management Console for Unix, a common management console that provides a consolidated view and centralized point of management for local Unix users and groups; and Authentication Services, patented technology that enables organizations to extend the security and compliance of Active Directory to Unix, Linux, and Mac platforms and enterprise applications. In addition

  • The Standard edition licenses you for Privilege Manager for Sudo.
  • The Advanced edition licenses you for Privilege Manager for Unix.

One Identity recommends that you follow these steps:

  1. Install Authentication Services on one machine, so you can set up your Active Directory Forest.
  2. Install One Identity Management Console for Unix, so you can perform all the other installation steps from the mangement console.
  3. Add and profile hosts using the mangement console.
  4. Configure the console to use Active Directory.
  5. Deploy client software to remote hosts.

    Depending on which Privileged Access Suite for Unix edition you have purchased, deploy either:

    • Privilege Manager for Unix software (that is, Privilege Manager Agent packages)

      -OR-

    • Privilege Manager for Sudo software (that is, Sudo Plugin packages)

See Installing Privilege Manager agent or plugin software for more information about the two Privilege Manager client software packages available to install onto remote hosts.

Note: Refer to Getting Started tab for a better understanding of the steps to take to be up and running quickly.

Introducing One Identity Management Console for Unix

One Identity Management Console for Unix is a web-based console that delivers a consolidated view and centralized point of management for local Unix users and groups, including:

  • Local Unix user and group management
  • Centralized reporting
  • Pre-migration readiness assessment for integrating with Active Directory
  • Remote client-agent deployment
  • Secure local Unix accounts with Active Directory authentication

Key features and capabilities of the mangement console:

Local Unix User and Group Management

Management Console for Unix enables administrators to use the same tool to manage all Unix account information regardless of its location (within Active Directory or locally on Unix systems). With the mangement console, administrators can remotely manage local users and groups on Unix, Linux, and Mac systems. This functionality is shipped with Authentication Services, Privilege Manager for Unix, and Privilege Manager for Sudo.

Active Directory Integration

Management Console for Unix provides the quickest path to compliance by enabling organizations to quickly, easily, and inexpensively implement Active Directory-based authentication for Unix, Linux, and Mac systems. The mangement console allows remote Unix systems to be profiled and assessed to check their readiness for integration with Active Directory. Once deployed, Management Console for Unix even enables Unix accounts to remain where they are and yet use Active Directory for centralized authentication.

Privilege Manager Integration

Management Console for Unix provides advanced management and reporting capabilities when used with One Identity Privilege Manager. You can install and configure the Policy Server as well as the PM Agent and the Sudo Plugin software to remote hosts. You can also join hosts to a policy group if you have activated it in the Privilege Manager settings. This gives you the ability to centrally manage policy and create comprehensive "keystroke logs" that capture forensic-level auditing.

Remote Agent Deployment

Management Console for Unix streamlines deployment of client agent software by empowering administrators to remotely install the software packages and join systems either to Active Directory or a Privilege Manager policy group. The mangement console allows non-Unix administrators to administer and deploy the solution without ever touching the Unix command line.

Role-Based Access Control

Active Directory users and groups can now be granted access to the mangement console and given limited use of console features by means of roles. This means you can configure separation of duties for specific tasks.

Basic Roles:

  • Manage Hosts
  • Console Administration
  • Manage Console Access
  • Reporting

Additional Privilege Manager Roles:

  • Manage Sudo Policy
  • Audit Sudo Policy
  • Manage PM Policy
  • Audit PM Policy
Reporting

Management Console for Unix enables administrators to quickly and easily provide auditors with granular reports on Unix identity information, including the highly desirable access and privilege reports. By consolidating the generation and viewing of reports within the mangement console, Management Console for Unix reduces the time and effort required to generate key reports that traditionally required multiple data collation and manual processes across multiple Unix systems.

Securing Local Unix Accounts with Active Directory Authentication

Management Console for Unix eases deployments of Authentication Services by providing a birds-eye view of all local Unix accounts and Active Directory accounts with Unix account information. When viewing local Unix accounts, administrators can determine which accounts to configure for Active Directory authentication.

Web Services

Management Console for Unix allows you to access the server by means of Web Services, including Unix command line utilities and Windows Powershell cmdlets that enable you to script common local Unix user and group management tasks. For example, you can write a script to reset a local Unix user's password across multiple Unix systems.

What's new in Management Console for Unix 2.5

Management Console for Unix has continued to add powerful configuration, administration, management, and migration capabilities through a Web-based console. The following is a list of the new features for One Identity Management Console for Unix 2.5.

One Identity Privilege Manager for Unix integration

Support for advanced, centralized Privilege Manager for Unix policy management, remote agent plugin installation and configuration, keystroke logging and replay, and reporting.

  • New roles for managing Privilege Manager for Unix
  • Remote installation of the Privilege Manager software
  • Readiness checks for both server configuration and host joins to policy groups
  • Ability to configure both primary and secondary policy servers
  • Centralized pmpolicy profile management with reporting and auditing
  • Support for the PMRUN elevation credential
One Identity Privilege Manager for Sudo
  • Support for Mac OS X
Authentication Services Access Control Management

Support for limiting Active Directory user access to host systems by managing which Active Directory users and groups can access the host systems.

  • Manage access control on a single host system
  • Add and remove Active Directory users or groups across multiple hosts

Other new Management Console for Unix features
  • Reset or change passwords for multiple local accounts across multiple hosts
  • Modify certain user properties across multiple hosts
  • Support for Tectia SSH
  • Context-sensitive help is now available
  • New console role for access to all reports
  • Product License Usage report
Upgrading from Identity Manager for Unix 1.0

If you are upgrading from Quest Identity Manager for Unix 1.0 to Management Console for Unix 2.x, be aware of the following:

  • Passwords cached by the supervisor account or AD users with console access were not migrated during the upgrade process due to changes in encryption. Users will have to re-enter their passwords for hosts they manage the next time they perform tasks on the hosts, and choose to cache their credentials again on the server.
  • It is important to re-profile all hosts after an upgrade of any version of Management Console for Unix.
  • Existing Active Directory users and groups granted access to the mangement console are added to the Manage Hosts role, giving them access to the features they had before the upgrade.

What are the core features of the console

The following summarizes the differences between the core version of Management Console for Unix and what is available when it is used in conjunction with Privilege Manager or Authentication Services.

Core features of Management Console for Unix:
  • Provides a central management and reporting console for local Unix hosts.
  • Provides up-to-date synchronization between the host and the console.
  • Ability to create, delete, and modify local user and group accounts.
  • Ability to browse Active Directory
  • Ability to assign users to console roles
  • Ability to perform console tasks using Windows Powershell and Unix command line tools.
When used with Privilege Manager
  • Ability to remotely install Privilege Manager software on a remote host.
  • Ability to configure both primary and secondary policy servers.
  • Ability to join remote hosts to policy groups.
  • Ability to centrally manage the policy file.
  • Ability to enable keystroke logging and view captured keystroke logs.
  • Ability to provide access and privileges reports to determine which actions users are permitted to perform on Unix hosts.
  • Ability to report which commands were executed using sudo on Unix hosts.
When used with Authentication Services:
  • Ability to remotely install Authentication Services agents, join systems to Active Directory, and implement AD-based authentication for Unix, Linux, and Mac systems.
  • Ability to manage access control on a single host system or across multiple hosts.
  • Ability to create reports about Unix-enabled Active Directory users and groups.
  • Ability to create access control reports that show which user is permitted to log into which Unix host.
Self Service Tools
Knowledge Base
Notifications & Alerts
Product Support
Software Downloads
Technical Documentation
User Forums
Video Tutorials
RSS Feed
Contact Us
Licensing Assistance
Technical Support
View All
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating