One Identity Management Console for Unix 2.5.2 - Administration Guide


Renaming hosts

Note: You can only rename a host that has not been profiled.

To rename hosts

  1. Select a host on the All Hosts view and click Rename Host from the Host panel of the toolbar.
  2. In the Rename Host dialog, enter the FQDN, IP address or short name to use to connect to that host.
  3. Optionally, you can clear the Profile host now option.
  4. Click OK.

If the Profile host now option was selected, the management console starts the Profile Host procedure. See Profiling hosts for details.

Profiling hosts

Profiling imports information about the host, including local users and groups, into the management console. It is a read-only operation and no changes are made to the host during the profiling operation. Profiling does not require elevated privileges.

To profile hosts

  1. Select one or more hosts on the All Hosts view and click Profile from the Prepare panel of the toolbar, or open the Profile menu and choose Profile.
  2. In the Profile Host dialog, enter user credentials to access the hosts.

    If you selected multiple hosts, you are asked if you want to use the same credentials for all the hosts (default) or enter different credentials for each host.

  3. If you selected multiple hosts and the Use the same credentials for all selected hosts option, enter the following information:
    1. Enter the user name and password to log onto the selected hosts.
    2. (Optional) Enter the SSH port to use. It uses port 22 by default.
    3. To save the credentials entered for the host, select the Save my credentials on the server option.

      Once saved, the management console uses these credentials to access the host during this and subsequent sessions.

    Note: If you do not save a password to the server, the user name and password fields will be blank the first time the management console needs credentials to complete a task on the host during a log on session. Once entered, the management console caches the user name and password and reuses these credentials during the current session, and pre-populates the user name and password fields in subsequent tasks during the current log on session.

    If you choose to save a host's credentials to the server, the management console encrypts the credentials and saves them in the database. Saved user names and passwords persist across log on sessions, and when needed, the management console pre-populates the user name and password fields the first and subsequent times it needs them to perform a task. See Caching Unix host credentials for more information.

  4. If you selected multiple hosts and the Enter different credentials for each selected host option, a grid displays allowing you to enter different credentials and specify different settings for each host.
    1. To enter different credentials, place your cursor in the Username and Password columns to the right of the Host column and enter the credentials to use.
    2. To change the SSH port for a host, place your cursor in the SSH Port column and enter the new SSH port number.
    3. To save the credentials entered for a host, select the check box in the Save column.
  5. If you want the management console to prompt you to review and accept new SSH keys for the selected hosts (that do not have previously cached SSH keys), clear the Automatically accept SSH keys option before you click OK.

    Note: When profiling one or more hosts, you must accept at least one key before continuing. The management console only profiles hosts with accepted keys.

    By default the Automatically accept SSH keys option is checked. This enables the management console to automatically accept the SSH key for all selected hosts that do not have a previously cached key. When it accepts the key, the console adds it to the accepted-keys cache on the Management Console for Unix server. If you clear the Automatically accept SSH keys option, when the management console encounters a modified key, it opens the Validate Host SSH Keys dialog, allowing you to manually accept keys that are encountered. Once you have manually verified the fingerprint, the console adds the SSH host keys to the accepted-keys cache.

    Note: Once you profile a host, all future tasks that involve an SSH connection will verify the SSH host key against the accepted-keys cache. When profiling, if the console encounters a modified key, the profile task prompts you to accept new or changed keys. When performing any SSH action other than profile, if the console encounters a different SSH key, the task will fail. To update the accepted-keys cache for the host, you can either profile or re-profile the host, accept the new key, and try the task again, or you can import a new SSH host key from the host's properties or from the All Hosts view.

    See Importing SSH host key or Managing SSH host keys for more information.

A progress bar displays in the Task Progress pane. The final status of the task displays, including any failures or advisories encountered.

Profile Host dialog

The Profile Host dialog displays when you click the Profile toolbar button from the All Hosts view or right-click the host name and choose Profile from the context menu.

Table 11: Profile Host dialog

| Option | Description |
| --- | --- |
| Enter your credentials to log on to the host | |
| User name | Enter the user name to be used to log onto the selected hosts. |
| Password | Enter the password associated with the user name entered above. |
| SSH Port | Displays the port number to be used for communication. The default port for SSH is 22; however, you can enter a different port number. |
| Save my credentials on the server | Select this check box to save the host's credentials and reuse them instead of having to enter them each time you need to access the host. If you choose to save a host's credentials to the server, the credentials are saved encrypted in the management console database. Saved user names and passwords will persist across log-on sessions, and when needed, the user name and password fields will be pre-populated the first and subsequent times they are needed to perform a task. (See Caching Unix host credentials for more information.) |

Automatically accept SSH keys

Before the profile process begins, Management Console for Unix checks the SSH key for the selected hosts. The management console selects the Automatically accept SSH keys option by default so that new keys are automatically accepted and cached on the server.

NOTE: If you select the Automatically accept SSH keys option and the management console encounters a modified key, the profile task fails with an error message instructing you to upload the host's SSH key. If you receive this error, use the Import SSH Host Key option on the All Hosts view to upload a host's SSH key.

If you do not trust the selected hosts' SSH keys and want to be prompted to review and accept new SSH keys, clear this check box. If you clear the Automatically accept SSH keys option and the management console encounters a modified key, the Validate Host SSH Keys dialog displays, allowing you to manually accept keys that are encountered.

NOTE: When profiling a single host, you must accept the key before you can continue. When profiling multiple hosts, you must accept at least one key before continuing. If you do not accept the displayed keys for all of the hosts listed, only the hosts whose keys have been accepted will be profiled.

Note: If you selected multiple hosts, the dialog asks whether you want to use the same credentials for all the hosts (default) or enter different credentials for each host.

  • If you selected the Use the same credentials for all selected hosts option, enter the user name and password to log on to the selected hosts, as you would if you selected only a single host.
  • If you selected the Enter different credentials for each selected host option, the dialog displays a grid that allows you to enter a different user name and password for each host listed, as well as a different SSH Port for each host. Place your cursor in a cell in the grid to activate it and enter the data to use. In addition, if you want to save a host's credentials and reuse them instead of entering them each time, select the corresponding check box in the Save column.

Validate Host SSH Keys dialog

When you select a host for profiling and Management Console for Unix cannot find a cached SSH key or when it finds a new fingerprint that is different from the key that is cached on the server, the Validate Host SSH Keys dialog displays.

Note: When profiling a single host, you must accept the key before you continue. When profiling multiple hosts, you must accept at least one key before continuing. If you do not accept the keys for all the hosts listed, the console only profiles the hosts with accepted keys.

Table 12: Validate Host SSH Keys dialog

| Option | Description |
| --- | --- |
| (selection check box) | The first column contains a selection check box allowing you to select or deselect a host. If you trust the host, select the host to accept the new fingerprint and cache it on the server. To select a host, select the check box. To select all hosts listed, select the check box in the heading. To deselect a host, click on the selection check box. To deselect all hosts, clear the check box in the heading. |
| Host Address | Displays the IP address of the hosts selected for profiling which do not have an SSH key cached on the server or have a different fingerprint than the one that is cached. |
| New Fingerprint | Displays the new fingerprint found for the host. |
| Cached Fingerprint | If a new fingerprint is found that is different than the one cached on the server, this column displays the cached fingerprint retrieved from the server. NOTE: If a new fingerprint is found and a cached fingerprint exists, the cached fingerprint is overwritten if you accept the new fingerprint. |

Note: When you select the Automatically accept SSH keys option on the Profile Host dialog, the console does not display this dialog and new SSH keys are automatically accepted and stored on the server.
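
The accepted-keys cache behavior described above can be modeled as a small decision function. This is an added example, not code from Management Console for Unix. It also computes the SHA256 and legacy MD5 fingerprints of a host's public key, so that the value shown in the New Fingerprint column can be compared against one taken directly from the host before the key is accepted. The cache layout, status names, task names and the sample keys are assumptions made for this illustration.

```python
import base64
import hashlib
import struct


def fingerprints(pubkey_line):
    """Fingerprints of an OpenSSH public key line ("type base64 [comment]")."""
    blob = base64.b64decode(pubkey_line.split()[1])
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    md5 = hashlib.md5(blob).hexdigest()
    return "SHA256:" + sha, ":".join(md5[i:i + 2] for i in range(0, 32, 2))


def check_host_key(cache, host, pubkey_line, task, auto_accept=True):
    """Model of the documented decisions; returns (status, new_fp, cached_fp).

    cache maps host -> accepted SHA256 fingerprint (hypothetical layout).
    """
    new_fp = fingerprints(pubkey_line)[0]
    cached = cache.get(host)
    if cached == new_fp:
        return "ok", new_fp, cached
    if task != "profile":
        # Non-profile SSH tasks fail on a different key. Treating a missing
        # cache entry the same way is an assumption of this sketch.
        return "fail", new_fp, cached
    if not auto_accept:
        return "review", new_fp, cached       # Validate Host SSH Keys dialog
    if cached is None:
        cache[host] = new_fp                  # new key auto-accepted and cached
        return "accepted", new_fp, cached
    return "fail-import-key", new_fp, cached  # modified key, auto-accept on


def accept(cache, host, new_fp):
    """Operator accepted the key: the cached fingerprint is overwritten."""
    cache[host] = new_fp


def sample_key(seed):
    """Constructed ed25519-style key line for the demo (not a real host key)."""
    raw = hashlib.sha256(seed).digest()
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed"


if __name__ == "__main__":
    cache, old, new = {}, sample_key(b"first"), sample_key(b"rekeyed")
    print(check_host_key(cache, "unix01", old, "profile"))
    print(check_host_key(cache, "unix01", new, "install-agent"))
    print(check_host_key(cache, "unix01", new, "profile", auto_accept=False))
```
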
