Privilege Manager for Unix 7.2.1 - Administration Guide

Join hosts to policy group

Once you have installed and configured the primary policy server, you are ready to join hosts to its policy group. When you join a host to a policy group, that host validates security privileges against a single common policy file located on the primary policy server, instead of against a policy file on the host itself.

For Unix agents (qpm-agent), you join each agent host to the policy group with the pmjoin command.

Joining PM Agent to a Privilege Manager for Unix policy server

To join a PM Agent to a policy server

  1. Log on as the root user and change to the directory containing the qpm-agent package for your specific platform. For example, on a 64-bit Red Hat Linux host, enter:
    # cd agent/linux-x86_64
  2. Run:
    # pmjoin <primary_policy_server>

    where <primary_policy_server> is the hostname of the primary policy server.

    Running pmjoin performs the configuration of the PM Agent, including modifying the pm.settings file. The pmjoin command supports many command line options. See pmjoin for details, or run pmjoin with the -h option to display the help.

    • When you run pmjoin with no options, the configuration script automatically configures the agent with default settings. See Agent configuration settings for details about the default and alternate agent configuration settings.

      You can modify the /etc/opt/quest/qpm4u/pm.settings file later, if you want to change one of the settings. See PM settings variables for details.

    • When you run pmjoin with the -i (interactive) option, the configuration script gathers information from you by asking you a series of questions. During this interview, you are allowed to either accept a default setting or set an alternate setting.

      Once you have completed the configuration script interview, it configures the agent and joins it to the policy server.

  3. When you run pmjoin for the first time, it asks you to read and accept the End User License Agreement (EULA).

    Once you complete the agent configuration script (by running the pmjoin command), it:

    • Enables the pmlocald service
    • Updates the pm.settings file
    • Adds the Privilege Manager for Unix shells to the system's list of valid shells and creates wrappers for the installed (system) shells. The following shells are provided, based on standard shells:

      • pmksh, a Privilege Manager for Unix enabled version of the Korn shell
      • pmsh, a Privilege Manager for Unix enabled version of the Bourne shell
      • pmcsh, a Privilege Manager for Unix version of c shell
      • pmbash, a Privilege Manager for Unix version of the Bourne Again Shell

      Each shell provides command-control for every command entered by the user during a login session. You can configure each command the user enters to require authorization with the policy server for execution. This includes the shell built-in commands.

    • Updates /etc/shells
    • Reloads the pmserviced configuration
    • Checks the connection to the policy server host
  4. To verify that the agent installation has been successful, as an unprivileged user, run a command that is permitted by the default Privilege Manager for Unix security policy, demo.profile. For example, the default security policy allows any user to run the id command as the root user:
    $ pmrun id

    The output shows uid=0(root) rather than the user's own uid, which confirms that the command was authorized by the policy server and ran as root.
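The verification in step 4, scripted so it can be repeated after every join and fail loudly instead of relying on someone reading the output. This is an added example, not code from the One Identity guide or the product: the pure functions parse constructed text (sample /etc/shells and pm.settings lines are built in the self-check), and only verify_agent touches the live host. Assumptions: pmrun is installed at /opt/quest/bin/pmrun (the guide itself only gives the /opt/quest/sbin/pmkey path), the unprivileged account named on the command line has a valid login shell, and pmjoin records the joined policy server's hostname in pm.settings.

```shell
#!/bin/sh
# Added example, not part of the One Identity guide or its tooling: checks
# that a pmjoin run produced a working agent. Assumed paths are marked.

SETTINGS=/etc/opt/quest/qpm4u/pm.settings      # path from the guide
AGENT_SHELLS="pmksh pmsh pmcsh pmbash"         # shells the join registers
PMRUN=/opt/quest/bin/pmrun                      # ASSUMED install path

# ran_as_root OUTPUT
# Returns 0 if OUTPUT, the text printed by "pmrun id", shows uid 0 (root),
# 1 otherwise. Matches "uid=0(root) ...", "uid=0 ..." and a bare "uid=0",
# but not uid=01, uid=0123 and so on.
ran_as_root() {
    case $1 in
        "uid=0("*|"uid=0 "*|"uid=0") return 0 ;;
        *) return 1 ;;
    esac
}

# missing_shells SHELLS_FILE
# Prints the Privilege Manager shells that have no entry in SHELLS_FILE
# (normally /etc/shells) and returns 1; returns 0 silently when all four
# are registered. chsh and several services refuse a shell that is not
# listed there, so a missing entry is a join that only half worked.
missing_shells() {
    missing=""
    for s in $AGENT_SHELLS; do
        grep -q "/$s\$" "$1" || missing="$missing $s"
    done
    [ -z "$missing" ] && return 0
    echo "$missing"
    return 1
}

# server_listed PRIMARY SETTINGS_FILE
# Returns 0 if PRIMARY appears as a whole word in SETTINGS_FILE. ASSUMED:
# pmjoin writes the policy server it joined into pm.settings by hostname.
server_listed() {
    grep -qw -- "$1" "$2"
}

# verify_agent UNPRIV_USER PRIMARY
# Live check from the guide: "pmrun id" as UNPRIV_USER must report uid 0.
# Returns 0 on success, 1 on a failed check, 2 if pmrun is not installed.
verify_agent() {
    [ -x "$PMRUN" ] || { echo "$PMRUN not installed"; return 2; }
    out=$(su - "$1" -c "$PMRUN id" 2>&1) || true
    ran_as_root "$out" || { echo "pmrun id did not run as root: $out"; return 1; }
    server_listed "$2" "$SETTINGS" || { echo "$2 not found in $SETTINGS"; return 1; }
    missing_shells /etc/shells >/dev/null \
        || { echo "shells missing from /etc/shells:$(missing_shells /etc/shells)"; return 1; }
    return 0
}

# Usage (as root on the agent):  sh verify_join.sh <unpriv_user> <primary_policy_server>
if [ $# -eq 2 ]; then
    if verify_agent "$1" "$2"; then
        echo "agent join verified"
    else
        echo "agent join check FAILED"
        exit 1
    fi
fi
```

The checks are deliberately independent: a passing pmrun id proves the policy server path works, but a user whose login shell is pmksh will still get an ordinary session if the shell was never registered, which is why /etc/shells is inspected separately.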

Agent configuration settings

The following table lists the questions the pmjoin configuration script asks when run with the -i option, the default setting for each, and the alternatives. See PM settings variables for more information about the policy server configuration settings.

Table 5: Agent configuration settings

Enable agent daemon command line options?
  Default: none
  Alternate setting: Enter:
    • -e <logfile> to use the error log file identified by <logfile>.
    • -m <host> to only accept connections from the policy server daemon on the specified host. (Use multiple -m options to specify more than one host.)
    • -s to send error messages to syslog.
    • none to assign no options.
  These command-line options override the syslog and pmlocaldlog options configured in the pm.settings file.

Enable client daemon?
  Default: YES
  Alternate setting: Enter No.

Configure host components to communicate with remote hosts through firewall?
  Default: NO
  Alternate setting: Enter Yes.

Enable Privilege Manager for Unix shells (pmksh, pmsh, pmcsh, pmbash)?
  Default: YES. That is, you want to use a Privilege Manager for Unix shell to control or log Privilege Manager for Unix sessions, regardless of how the user logs in (telnet, ssh, rsh, rexec).
  Alternate setting: Enter No if you do NOT want to add the Privilege Manager for Unix shells to the system, that is, if you do not want to use them as login shells.

Add the entries to the /etc/services file?
  Default: YES
  Alternate setting: Enter No. You must add service entries to either the /etc/services file or the NIS services map.

Edit list of policy servers with which this agent can communicate?
  Default: none
  Alternate setting: Enter valid policy server names to add to the list.

Indicate if the list is correct
  Default: YES
  Alternate setting: Enter No.

Policy Server daemon port #
  Default: 12345
  Alternate setting: Enter a port number.

Specify the agent daemon port number:
  Default: 12346
  Alternate setting: Enter the port number the agent daemon uses to communicate with the policy server.

Specify a range of local port numbers for this host to connect to other defined Privilege Manager for Unix hosts across a firewall?
  Default: NO
  Alternate setting: Enter Yes, then enter:
    1. Minimum reserved port (600-1024). (Default is 600.)
    2. Maximum reserved port (600-1024). (Default is 1024.)

Allow short host names?
  Default: YES
  Alternate setting: Enter No to use fully qualified host names instead.

Configure Kerberos on your network?
  Default: NO
  Alternate setting: Enter Yes, then enter:
    1. Policy server principal name. (Default is host.)
    2. Local principal name. (Default is host.)
    3. Directory for replay cache. (Default is /var/tmp.)
    4. Path for the Kerberos configuration file. (Default is /etc/opt/quest/vas/vas.conf.)
    5. Full pathname of the Kerberos keytab file. (Default is /etc/opt/quest/vas/host.keytab.)

Specify encryption level (see Encryption for details):
  Default: AES
  Alternate setting: Enter one of these encryption options:
    • DES
    • TRIPLEDES
    • AES
  Keep the AES default unless a peer cannot negotiate it: single DES has a 56-bit key and is no longer considered secure, and TRIPLEDES is deprecated.

Enable certificates?
  Default: NO
  Alternate setting: Enter Yes, then answer: Generate a certificate on this host? (Default is NO.) Enter Yes and specify a passphrase for the certificate. Once configuration of this agent is complete, swap and install keys for each host in your system that needs to communicate with this host. See Swap and install keys for details.

Activate the failover timeout?
  Default: YES
  Alternate setting: Enter No, then assign the failover timeout in seconds. (Default is 10 seconds.)

Assign the failover timeout
  Default: 10
  Alternate setting: Enter a timeout value in seconds.

Select random policy server
  Default: YES
  Alternate setting: Enter No.

Send errors reported by agent to syslog?
  Default: YES
  Alternate setting: Enter No.

Store errors reported by the agent daemon in /var/log/pmlocald.log?
  Default: YES
  Alternate setting: Enter No, then enter a location.

Store errors reported by the run agent in /var/log/pmrun.log?
  Default: YES
  Alternate setting: Enter No, then enter a location.

Swap and install keys

If certificates are enabled in the /etc/opt/quest/qpm4u/pm.settings file of the primary server, then you must exchange keys (swap certificates) prior to joining a client or secondary server to the primary server. Optionally, you can run the configuration or join with the -i option to interactively join and exchange keys.

One Identity recommends that you enable certificates for higher security.

The examples below use the keyfile paths that are created when using interactive configuration or join if certificates are enabled.

To swap certificate keys

  1. On Host2, copy Host2's key to Host1. For example:
    # scp /etc/opt/quest/qpm4u/.qpm4u/.keyfiles/key_localhost \
    root@host1:/etc/opt/quest/qpm4u/.qpm4u/.keyfiles/key_host2
  2. On Host2, copy Host1's certificate to Host2. For example:
    # scp root@host1:/etc/opt/quest/qpm4u/.qpm4u/.keyfiles/key_localhost \
    /etc/opt/quest/qpm4u/.qpm4u/.keyfiles/key_host1
  3. On Host2, install Host1's certificate. For example:
    # /opt/quest/sbin/pmkey -i /etc/opt/quest/qpm4u/.qpm4u/.keyfiles/key_host1
  4. Log on to Host1 and install Host2's certificate. For example:

    # /opt/quest/sbin/pmkey -i /etc/opt/quest/qpm4u/.qpm4u/.keyfiles/key_host2
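The four steps above as one script run from Host2, with a check on each key file before pmkey installs it. This is an added example, not tooling from the One Identity guide or product. It uses only the scp and /opt/quest/sbin/pmkey -i commands and the .keyfiles path the guide gives; the assumptions are that it runs as root, that root can ssh to the peer (step 4 is done over ssh instead of logging on to Host1 by hand), and that the peer's short hostname is what you want as the key_<host> suffix. The key material used in the self-check is constructed.

```shell
#!/bin/sh
# Added example, not One Identity's own tooling: performs the guide's key
# swap between this host (Host2 in the guide) and a peer (Host1), refusing
# to install a key file that is empty or readable by other users.
set -u

KEYDIR=/etc/opt/quest/qpm4u/.qpm4u/.keyfiles   # path from the guide
PMKEY=/opt/quest/sbin/pmkey                    # path from the guide

# check_keyfile FILE
# Returns 0 if FILE exists, is non-empty and has no group/world permission
# bits (a key readable by other users lets them impersonate this host to
# the policy group); prints the reason and returns 1 otherwise.
check_keyfile() {
    f=$1
    [ -s "$f" ] || { echo "$f: missing or empty"; return 1; }
    # columns 5-10 of "ls -l" are the group and other permission bits
    case $(ls -l "$f" | cut -c5-10) in
        ------) return 0 ;;
        *) echo "$f: group/world accessible, expected mode 0600"; return 1 ;;
    esac
}

# swap_keys PEER
# Runs the guide's exchange from this host: push our key to PEER, pull
# PEER's key, install it here, then install ours on PEER.
swap_keys() {
    peer=$1
    me=$(hostname | cut -d. -f1)   # ASSUMED: short name is the key suffix
    check_keyfile "$KEYDIR/key_localhost" || return 1
    # Step 1: copy this host's key to the peer, named after this host
    scp "$KEYDIR/key_localhost" "root@$peer:$KEYDIR/key_$me" || return 1
    # Step 2: fetch the peer's key, named after the peer
    scp "root@$peer:$KEYDIR/key_localhost" "$KEYDIR/key_$peer" || return 1
    chmod 600 "$KEYDIR/key_$peer"
    check_keyfile "$KEYDIR/key_$peer" || return 1
    # Step 3: install the peer's key locally
    "$PMKEY" -i "$KEYDIR/key_$peer" || return 1
    # Step 4: install our key on the peer (ASSUMED: root ssh to the peer)
    ssh "root@$peer" "$PMKEY -i $KEYDIR/key_$me" || return 1
    echo "keys exchanged and installed between $me and $peer"
}

# Usage (as root on Host2):  sh swap_keys.sh host1
if [ $# -eq 1 ]; then
    swap_keys "$1"
fi
```

Because the copies go over scp, an attacker who can alter the file in transit or on the peer could substitute a key; the permission check does not defend against that, only against a key left readable on disk, so run the exchange over an ssh connection whose host key you have already verified.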

If you use the interactive configure or join, the script will exchange and install keyfiles automatically.

See Configuring certificates for more information.
