Chat now with support
Chat with Support

Safeguard Authentication Services 5.0.2 - Installation Guide

Privileged Access Suite for Unix Introducing One Identity Safeguard Authentication Services Installing and configuring Safeguard Authentication Services Installing and joining from the Unix command line Getting started with Safeguard Authentication Services
Getting acquainted with the Control Center Learning the basics
Troubleshooting Enterprise package deployment

Profiling hosts

Profiling imports information about the host, including local users and groups, into the management console. It is a read-only operation and no changes are made to the host during the profiling operation. Profiling does not require elevated privileges.

To profile hosts

  1. Select one or more hosts in the All Hosts view and click Profile from the Prepare panel of the tool bar, or open the Profile menu and choose Profile.
  2. In the Profile Host dialog, enter user credentials to access the hosts.

    If you selected multiple hosts, you are asked if you want to use the same credentials for all the hosts (default) or enter different credentials for each host.

  3. If you selected multiple hosts and the Use the same credentials for all selected hosts option, enter the following information:
    1. Enter the user name and password to log onto the selected hosts.
    2. Optionally, enter the SSH port to use. It uses port 22 by default.
    3. To save the credentials entered for the host, select the Save my credentials on the server option.

      Once saved, the management console uses these credentials to access the host during this and subsequent sessions.

    Note: If you do not save a password to the server, the user name and password fields will be blank the first time the management console needs credentials to complete a task on the host during a logon session. Once entered, the management console caches the user name and password and reuses these credentials during the current session, and pre-populates the user name and password fields in subsequent tasks during the current log on session.

    If you choose to save a host's credentials to the server, the management console encrypts the credentials and saves them in the Java keystore. Saved user names and passwords persist across logon sessions, and when needed, the management console pre-populates the user name and password fields each subsequent time it needs them to perform a task. For more information, see Caching Unix Host Credentials in the online help.

  4. If you selected multiple hosts and the Enter different credentials for each selected host option, a grid displays allowing you to enter different credentials and specify different settings for each host.
    1. To enter different credentials, place your cursor in the Username and Password columns to the right of the Host column and enter the credentials to use.
    2. To change the SSH port for a host, place your cursor in the SSH Port column and enter the new SSH port number.
    3. To save the credentials entered for a host, select the check box in the Save column.
  5. If you want the management console to prompt you to review and accept new SSH keys for the selected hosts (which do not have previously cached SSH keys), clear the Automatically accept SSH keys option before you click OK.

    Note: When profiling one or more hosts, you must accept at least one key before continuing. The management console only profiles hosts with accepted keys.

    By default, the Automatically accept SSH keys option is selected. This enables the management console to automatically accept the SSH key for all selected hosts that do not have a previously cached key. When it accepts the key, the console adds it to the accepted-keys cache on the Management Console for Unix server. If you clear the Automatically accept SSH keys option, when the management console encounters a modified key, it opens the Validate Host SSH Keys dialog, allowing you to manually accept keys that are encountered. Once you have manually verified the fingerprint, the console adds the SSH host keys to the accepted-keys cache.

    Note: Once you profile a host, all future tasks that involve an SSH connection will verify the SSH host key against the accepted-keys cache. When profiling, if the console encounters a modified key, the profile task prompts you to accept and new or changed keys. When performing any other SSH action, other than profile, if the console encounters a different SSH key, the task will fail. To update the accepted-keys cache for the host, you can either profile or reprofile the host, accept the new key, and try the task again. Or, you can import a new SSH host key from the host's properties or from the All Hosts view. See Import SSH Host Key or Managing SSH Host Keys in the online help for more information.

A progress bar displays in the Task Progress pane. The final status of the task displays, including any failures or advisories encountered.

Configuring automatic profiling

To keep the Management Console for Unix database up to date with accurate information about users, groups, and One Identity products, you can configure the management console to profile hosts automatically.

BEST PRACTICE: Configure newly added hosts for auto-profiling before you perform any other actions so that the management console dynamically updates user and group information. See UID or GID Conflicts in the online help.

Configuring a host for auto-profiling sets up a cron job on the client that runs every five minutes. If it detects changes on the host, it triggers a profile operation.

The cron job detects changes to the following:

  • Local users, groups, or shells
  • Installed Safeguard Authentication Services or Privilege Manager software
  • Safeguard Authentication Services access control lists
  • Safeguard Authentication Services mapped user information
  • Privilege Manager configuration
  • Safeguard Authentication Services configuration
  • Privilege Manager licenses

The cron job also sends a heartbeat every day. This updates the Last profiled date displayed on the host properties. If the Last profiled date is more than 24 hours old, the host icon changes to to indicate no heartbeat.

To configure automatic profiling

  1. Select one or more hosts in the All Hosts view, open the Profile menu from the Prepare panel of the tool bar, and choose Profile Automatically.

    Note: The Profile Automatically option is only available for multiple hosts if all hosts are in the same "auto-profile" state; that is, they all have Auto-profiling turned on, or they all have Auto-profiling turned off.

  2. In the Profile Automatically dialog, select the Profile the host automatically option.
  3. Choose the user account you want to use for profiling:
    • Create a user service account on the host

      When you choose to create the user service account on the host, if it does not already exist, the management console, does the following:

      1. Creates "questusr," the user service account, and a corresponding "questgrp" group on the host that the management console uses for automatic profiling.
      2. Adds questusr as an implicit member of questgrp.

      -OR-

    • Use an existing user account (user must exist on all selected hosts)

      Click Select to browse for a user.

  4. Click OK in the Profile Automatically dialog.

    Whether you choose to create the user service account or use an existing user account, the management console:

    • Adds the user account (the "questusr" or your existing user account) to the cron.allow file, if necessary. For example, the console takes no action if the cron.allow file does not already exist, but there is a cron.deny file:

      cron.allow

      cron.deny

      Console’s action

      Resultant user access

      NO

      NO

      Creates cron.allow and adds root and questusr to it

      Both root and questusr have access.

      NO

      YES

      No action

      All users have access except those in cron.deny; questusr has access unless explicitly denied.

      YES

      NO

      Adds questusr to cron.allow

      Users in cron.allow have access.

      YES

      YES

      Adds questusr to cron.allow

      Users in cron.allow have access unless in cron.deny.

    • Adds the auto-profile SSH key to questusr's authorized_keys, /var/opt/quest/home/questusr/.ssh/authorized_keys.
    • Verifies the service account user can log in to the host.

    Note: If you receive an error message saying you could not log in with the user service account, please refer to Service Account Login Fails in the online help to troubleshooting this issue.

    The questusr account is a non-privileged account that does not require root-level permissions. This account is used by the console to gather information about existing user and groups in a read-only fashion; however, the management console does not use questusr account to make changes to any configuration files.

    If questusr is inadvertently deleted from the console, the console turns auto-profiling off.

    To re-create the "questusr" account

    1. Re-profile the host.
    2. Reconfigure the host for automatic profiling.
  5. In the Log on to Host dialog, enter the user credentials to access the selected hosts and click OK.

    Note: This task requires elevated credentials.

    If you select multiple hosts, you are asked if you want to use the same credentials for all the hosts (default) or enter different credentials for each host.

    1. If you selected multiple hosts and the Use the same credentials for all selected hosts option, enter your credentials to log on to access the selected hosts and click OK.
    2. If you selected multiple hosts and the Enter different credentials for each selected host option, a grid is displayed that allows you to enter different credentials for each host listed. Place your cursor in a cell in the grid to activate it and enter the data.

To disable automatic profiling

  1. Select one or more hosts on the All Hosts view and choose Profile Automatically.
  2. Clear the Profile the host automatically option and click OK.
  3. In the Log on to Host dialog, enter the user credentials to access the selected hosts and click OK.

When you disable auto-profiling for a host, the management console:

  1. Leaves the "questusr" and the corresponding "questgrp" accounts on the host, if they were previously created.
  2. Leaves questusr as an implicit member of questgrp, if it exists.
  3. Removes the user account (the "questusr" or your existing user account) from the cron.allow file.
  4. Removes the auto-profile SSH key from that user's authorized_keys file.

Installing software on hosts

Once you have successfully added and profiled one or more hosts, and checked them for AD Readiness, you can remotely deploy software products to them from the management console.

To install Safeguard Authentication Services software on hosts

  1. Select one or more profiled hosts on the All Hosts view and click the Install Software tool bar button.

    Note: The Install Software tool bar menu is enabled when you select hosts that are profiled.

    The tool bar button will not be active if:

    • You have not selected any hosts.
    • You have selected multiple hosts with different states (added, profiled, or joined).

  2. In the Install Software dialog, select the Safeguard Authentication Services software products you want to install and click OK.
    • Safeguard Authentication Services Agent (Required): Select to allow Active Directory users access to selected host. Safeguard Authentication Services provides centralized user and authentication management. It uses Kerberos and LDAP to provide secure data transport and an authentication framework that works with Microsoft Active Directory. Components include vasd, nss_vas, pam_vas, and vastool.
    • Safeguard Authentication Services for Group Policy (Required): Select to install the Group Policy component that provides Active Directory Group Policy support for Unix, Linux, and macOS platforms.
    • Safeguard Authentication Services for NIS: Select to install the NIS Proxy component that provides the NIS compatibility features for Safeguard Authentication Services. vasyp is a NIS daemon that acts as a ypserv replacement on each host.
    • Safeguard Authentication Services for LDAP: Select to install the LDAP Proxy component that provides a way for applications that use LDAP bind to authenticate users to Active Directory without using secure LDAP (LDAPS). Instead of sending LDAP traffic directly to Active Directory domain controllers, you can configure applications to send plain text LDAP traffic to vasldapd by means of the loopback interface. vasldapd proxies these requests to Active Directory using Kerberos as the security mechanism.
    • Dynamic DNS Updater: Select to install the Dynamic DNS Updater component that provides a way to dynamically update host records in DNS and can be triggered by DHCP updates.
    • Defender PAM Module: Select to install the Defender authentication components for PAM based Unix/Linux systems. Includes PAM module, documentation, and utilities to appropriately configure the PAM subsystem for Active Directory/Defender OTP authentication.

    Note: You must install the Safeguard Authentication Services Agent and the Group Policy packages.

    Note: If you do not see all of these software packages, verify the path to the software packages is correctly set in System Settings. Refer to Set the Safeguard Authentication Services Client Software Location on the Server in the management console online help for details.

  3. In the Log on to Host dialog, enter the user credentials to access the selected hosts and click OK.

    Note: This task requires elevated credentials.

    If you selected multiple hosts, it asks whether you want to use the same credentials for all the hosts (default) or enter different credentials for each host.

    1. If you selected multiple hosts and the Use the same credentials for all selected hosts option, enter your credentials to log on to access the selected hosts and click OK.
    2. If you selected multiple hosts and the Enter different credentials for each selected host option, a grid displays that allows you to enter different credentials for each host listed. Place your cursor in a cell in the grid to activate it and enter the data.

Checking readiness

Once you install the software on your remote hosts, the management console allows you to perform a series of tests to verify that a host meets the minimum requirements to join an Active Directory domain. Running the readiness checks does NOT require elevated privileges.

Note: This task is only available when you are logged on as supervisor or an Active Directory account in the Manage Hosts role. See Roles and Permissions System Settings in the management console online help for more information.

To check hosts for Active Directory Readiness

  1. Select one or more hosts on the All Hosts view of the Hosts tab, open the Check menu from the Prepare panel of the tool bar, and choose Check for AD Readiness.
  2. In the Check AD Readiness view, enter the Active Directory domain to use for the readiness check.
  3. Enter Active Directory user credentials, and click OK.
  4. In the Log on to Host dialog, enter the user credentials to access the selected hosts and click OK.

    If you selected multiple hosts, it asks whether you want to use the same credentials for all the hosts (default) or enter different credentials for each host.

    1. If you selected multiple hosts and the Use the same credentials for all selected hosts option, enter your credentials to log on to access the selected hosts and click OK.
    2. If you selected multiple hosts and the Enter different credentials for each selected host option, a grid displays that allows you to enter different credentials for each host listed. Place your cursor in a cell in the grid to activate it and enter the data.

A progress bar displays in the Task Progress pane on the All Hosts page. The final status of the task displays, including any failures or advisories encountered. To see the AD Readiness check results, open the host's property page and select the Readiness Check Results tab.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating