One Identity Management Console for Unix 2.5.2 - Administration Guide


Automatically profiling hosts

To keep the Management Console for Unix database up to date with accurate information about users, groups, and One Identity products, you can configure the management console to profile hosts automatically.

Best practice: Configure newly added hosts for auto-profiling before you perform any other actions so that the management console dynamically updates user and group information. See UID or GID conflicts.

Configuring a host for auto-profiling sets up a cron job on the client that runs every five minutes. If it detects changes on the host, it triggers a profile operation.

The cron job detects changes to the following:

  • local users, groups, or shells
  • installed Authentication Services or Privilege Manager software
  • Authentication Services access control lists
  • Authentication Services mapped user information
  • Privilege Manager configuration
  • Authentication Services configuration
  • Privilege Manager licenses

The cron job also sends a heartbeat every day. This updates the Last profiled date displayed on the host properties. If the Last profiled date is more than 24 hours old, the host icon changes to indicate no heartbeat.

To configure automatic profiling

  1. Select one or more hosts on the All Hosts view, open the Profile menu from the Prepare panel of the toolbar, and choose Profile Automatically.

    Note: The Profile Automatically option is only available for multiple hosts if all hosts are in the same ‘Auto-profile’ state; that is, they all have ‘Auto-profile’ turned on, or they all have ‘Auto-profile’ turned off.

  2. In the Profile Automatically dialog, select the Profile the host automatically option.
  3. Choose the user account you want to use for profiling, either:
    1. Create a user service account on the host

      When you choose to create the user service account on the host, the management console does the following if the account does not already exist:

      1. Creates "questusr", the user service account, and a corresponding "questgrp" group on the host that the mangement console uses for automatic profiling.
      2. Adds questusr as an implicit member of questgrp.

      -OR-

    2. Use an existing user account (user must exist on all selected hosts)

      (Click Select to browse for a user.)

  4. Click OK on the Profile Automatically dialog.

    Whether you choose to create the user service account or use an existing user account, the management console:

    • Adds the user account (the "questusr" or your existing user account) to the cron.allow file, if necessary. For example, the console takes no action if the cron.allow file does not already exist, but there is a cron.deny file:

      When the user is added to the cron.allow file

      | cron.allow exists | cron.deny exists | Console's action | Resultant user access |
      |---|---|---|---|
      | NO | NO | Creates cron.allow and adds root and questusr to it | Both root and questusr have access. |
      | NO | YES | No action | All users have access except those in cron.deny; questusr has access unless explicitly denied. |
      | YES | NO | Adds questusr to cron.allow | Users in cron.allow have access. |
      | YES | YES | Adds questusr to cron.allow | Users in cron.allow have access unless in cron.deny. |
    • Adds a cron job to the questusr account to execute the chgfmon utility, which monitors changes. chgfmon logs change events to syslog.
    • Creates a second cron job to monitor the host connectivity to the server.
    • Adds the auto-profile SSH key to questusr's authorized_keys, /var/opt/quest/home/questusr/.ssh/authorized_keys.
    • Verifies that the user service account can log in to the host.

    Note: If you receive an error message saying you could not log in with the user service account, see Service account login fails to troubleshoot this issue.

    The questusr account is a non-privileged account that does not require root-level permissions. The console uses this account only to gather information about existing users and groups in a read-only fashion; the management console does not use the questusr account to make changes to any configuration files.

    If questusr is inadvertently deleted from the console, the console turns ‘Auto-profiling’ off.

    To recreate the "questusr" account,

    1. Re-profile the host.
    2. Reconfigure the host for automatic profiling.
  5. On the Log on to Host dialog, enter the user credentials to access the selected hosts and click OK.

    Note: This task requires elevated credentials.

    If you select multiple hosts, you are asked if you want to use the same credentials for all the hosts (default) or enter different credentials for each host.

    1. If you selected multiple hosts and the Use the same credentials for all selected hosts option, enter your credentials to log on to access the selected hosts and click OK.
    2. If you selected the option to enter different credentials for each selected host, the dialog displays a grid that allows you to enter different credentials for each host listed. Place your cursor in a cell in the grid to activate it and enter the data.

To disable automatic profiling

  1. Select one or more hosts on the All Hosts view, open the Profile menu, and choose Profile Automatically.
  2. Clear the Profile the host automatically option and click OK.
  3. On the Log on to Host dialog, enter the user credentials to access the selected hosts and click OK.

When you disable auto-profiling for a host, the management console:

  1. leaves the "questusr" and the corresponding "questgrp" accounts on the host, if they were previously created.
  2. leaves questusr as an implicit member of questgrp, if it exists.
  3. removes the user account (the "questusr" or your existing user account) from the cron.allow file.
  4. removes the auto-profile SSH key from that user's authorized_keys file.
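The following host-side audit script is an added example, not part of the One Identity product. It checks the state that the enable and disable procedures above describe the console leaving on a host: cron access for the service account under the cron.allow/cron.deny rules in the table, a five-minute chgfmon cron job, and a key in the service account's authorized_keys. The fixture directory, the /path/to/chgfmon location and the sample key line are constructed placeholders; on a real host you would pass /etc, the crontab spool directory and the real authorized_keys path instead.

```shell
#!/bin/sh
# Audit helper (added example, not One Identity code). Every path is a parameter so
# the checks run against a constructed fixture here and against real paths on a host.

# cron_access USER CRON_DIR -> prints allowed | denied | no-allow-file
cron_access() {
  allow="$2/cron.allow"; deny="$2/cron.deny"
  if [ -f "$allow" ]; then
    # cron.allow exists: only listed users, and (per the table) not if also in cron.deny
    if grep -qx "$1" "$allow" && ! { [ -f "$deny" ] && grep -qx "$1" "$deny"; }; then
      echo allowed
    else
      echo denied
    fi
  elif [ -f "$deny" ]; then
    # only cron.deny exists: everyone except the listed users
    if grep -qx "$1" "$deny"; then echo denied; else echo allowed; fi
  else
    echo no-allow-file   # the console would create cron.allow with root and questusr
  fi
}

# has_chgfmon_job USER SPOOL_DIR -> succeeds if USER's crontab runs chgfmon every 5 minutes
has_chgfmon_job() {
  [ -f "$2/$1" ] && grep -Eq '^\*/5 .*chgfmon' "$2/$1"
}

# key_count AUTHORIZED_KEYS -> number of public-key lines (blank lines and comments ignored)
key_count() {
  if [ -f "$1" ]; then grep -Ec '^(ssh-|ecdsa-|sk-)' "$1" || true; else echo 0; fi
}

# Constructed fixture standing in for a host after the console enabled auto-profiling.
FIX=$(mktemp -d)
mkdir -p "$FIX/etc" "$FIX/spool" "$FIX/questusr/.ssh"
printf 'root\nquestusr\n' > "$FIX/etc/cron.allow"
printf '*/5 * * * * /path/to/chgfmon\n' > "$FIX/spool/questusr"   # placeholder path
printf 'ssh-rsa AAAAB3NzaEXAMPLE auto-profile@console\n' > "$FIX/questusr/.ssh/authorized_keys"

echo "cron access for questusr: $(cron_access questusr "$FIX/etc")"
has_chgfmon_job questusr "$FIX/spool" && echo "chgfmon job present" || echo "chgfmon job MISSING"
echo "keys in authorized_keys: $(key_count "$FIX/questusr/.ssh/authorized_keys")"
```

After disabling auto-profiling, rerun the same checks and expect the service account to be absent from cron.allow and the key count to drop.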

Viewing the auto-profile status

You can view the automatic profile failures or warnings on the Host Notification tab.

To view the auto-profile status

  1. From the Host Notifications tab, select the Auto-Profile Status tab.

    Note: If the Host Notifications tab is not currently available on the management console, open the Open views menu from the Tab bar (represented by a "tab" icon) and choose the Host Notifications option.

    The Auto-Profile Status tab displays the following alert for hosts where there has been a failure to auto-profile:

    - Auto-profile failed

  2. To re-profile or re-set the auto-profile settings for one or more hosts, select the hosts on the Auto-Profile Status tab, open the Profile menu from the toolbar, and choose either Profile or Profile Automatically.

    Note: The Profile Automatically option is only available for multiple hosts if all hosts are in the same ‘Auto-profile’ state; that is, they all have ‘Auto-profile’ turned on, or they all have ‘Auto-profile’ turned off.

Viewing the auto-profile heartbeat errors

When configured for automatic profiling, the host sends a heartbeat every 24 hours. If the server does not receive a heartbeat in over 24 hours, it displays an alert on the Auto-Profile Heartbeat tab.

To view auto-profile heartbeat notifications

  1. From the Host Notifications tab, select the Auto-Profile Heartbeat tab.

    The Auto-Profile Heartbeat tab displays alerts for hosts where an auto-profile heartbeat has not been reported in the last 24 hours, using this icon:

    - Profiled, but no heartbeat in last 24 hours

Checking readiness

Once you add and profile hosts, the management console allows you to perform a series of tests to verify that a host meets the minimum requirements to configure a policy server or to join a remote host to either a Privilege Manager policy group or an Active Directory domain. Running the readiness checks does NOT require elevated privileges.

To check readiness

  1. Select one or more hosts on the All Hosts view of the Hosts tab.

  2. Open the Check menu from the Prepare panel of the task bar and choose one of the following:

    1. Check Policy Server Readiness
    2. Check Client for Policy Readiness
    3. Check Host for AD readiness
    4. Check QAS agent status
    5. Check QAS agent status automatically

    Note: You must add and profile a Privilege Manager Policy Server to the management console and set it as Active before the Check Client for Policy Readiness option is available on the Check menu.

    You must be logged on as the supervisor or an Active Directory account in the Manage Hosts Role to perform any task on the Check menu.

    See the following topics for more information about these options: