Chat now with support
Chat with Support

Privilege Manager for Unix 7.1 - Administration Guide

Introducing Privilege Manager for Unix Planning Deployment Installation and Configuration Upgrade Privilege Manager for Unix System Administration Managing Security Policy The Privilege Manager for Unix Security Policy Advanced Privilege Manager for Unix Configuration Administering Log and Keystroke Files InTrust Plug-in for Privilege Manager for Unix Troubleshooting Privilege Manager for Unix Policy File Components Privilege Manager for Unix Variables
Variable names Variable scope Global input variables Global output variables Global event log variables PM settings variables
Privilege Manager for Unix Flow Control Statements Privilege Manager for Unix Built-in Functions and Procedures
Environment functions Hash table functions Input and output functions LDAP functions LDAP API example List functions Miscellaneous functions Password functions Remote access functions String functions User information functions Authentication Services functions
Privilege Manager for Unix programs Installation Packages

Displaying profile-based policy debug information

To view debug information for profile-based policy, set the value for the pf_tracelevel variable either globally in global_profile.conf, or in an individual profile.

To set the pf_tracelevel variable in the profile

  1. Enable the pf_tracelevel option. For example:
    # Variable: pf_tracelevel: Enables tracing/debugging output at different levels: 
    # 1:show reason for reject, 2: verbose output, 3: show debug trace 
    pf_tracelevel=2;
  2. To view the trace output, run a command with pmrun, like this:
    $ pmrun id 
    ******************************************************************** 
    ** One Identity Privilege Manager for Unix Version 6.0.0 (006) ** 
    ** This request is being authorized on master :<HostName> 
    ** User "luser" has submitted a request from host "<HostName>" 
    ** to run the command "id" 
    ******************************************************************** 
       User : luser 
       Host : <HostName> 
       Command : id 
    * Check profile:profiles/admin.profile 
    ** Profile:admin does not match user 
    ** Profile:admin does not match UNIX group 
    ** Profile:admin does not match AD group list 
    * Check profile:profiles/demo.profile 
    ** Validate command:id 
    ** Profile:demo cmd[0] matches command:id Request accepted by the "demo" profile 
    
    All interactions with this command will be recorded in the file: 
       /var/opt/quest/qpm4u/iolog/demo/luser/id_20121023_1038_qu3zcf 
    
    Executing "id" as user "root" ... 
    ******************************************************************************** 
    
    uid=0(root) gid=0(root) groups=0(root)

Enabling program-level tracing

Technical Support may ask you to create a trace file when you run a program by using the -z option. The -z option enables tracing on a specific program or currently running process.

To display program-level tracing

  1. Run a program with the -z option, like this:
    # <CommandName> -z on

    The -z option creates a <CommandName>.ini file which then creates a <CommandName>.trc file when you run the command. The .trc file contains the debug information. Both the .ini and the .trc files are created in the /tmp directory.

  2. Once you have finished getting the trace output you need, run the program with the -z off option so the log will not continue to grow.

Load balancing and policy updates

pmloadcheck is both a command and a background daemon (run with the –i flag). When run as a command, it checks, updates, and reports on the status of the policy server. You can use pmloadcheck from a policy server or PM Agent.

When run as a daemon process, it keeps track of the status of the policy servers for failover and load-balancing purposes. On policy servers, pmloadcheck is responsible for keeping the production policy file up to date.

See pmloadcheck for more information about the syntax and usage of this command.

Policy servers are failing

The primary and secondary policy servers must be able to communicate with each other and the remote hosts must be able to communicate with the policy servers in the policy group.

For example, if you run the pmloadcheck command on a policy server or PM Agent to determine that it can communicate with other policy servers in the policy group, you may get output similar to the following:

++ Checking host:myhost.example.com (10.10.181.87) ... [FAIL]

There are several possible reasons for failure:

  • Policy server host is down
  • Network outage
  • Service not running on policy server host

These are some ways to verify that the Privilege Manager for Unix service is running properly on the policy server host:

  1. To verify the policy server configuration, run
    # pmsrvinfo
  2. To verify that the service is running, enter
    # ps –ef | grep pmserviced
  3. To verify that the pmmasterd port is in a listening state on the primary policy server, enter
    # netstat –na | grep 12345
  4. To verify the service is enabled, look for the following in the Privilege Manager for Unix configuration file (/etc/opt/quest/qpm4u/pm.settings)
    pmmasterdEnabled YES
  5. To restart the service (on a Linux host), enter
    # /etc/init.d/pmserviced restart

    -Or-

    pmserviced -s
  6. Check for other communication issues, such as with your firewall, name resolution, dead network interface, and so forth.
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating