
One Identity Management Console for Unix 2.5.2 - Administration Guide


Configuring host access control

The management console allows you to modify Authentication Services access settings. You can add Active Directory users or groups to the users.allow file for a single host or a selected group of hosts. This allows you to control Active Directory user access on Authentication Services hosts.

Note: The management console does not allow you to view or modify the users.deny file.

To view the users.allow file for a single host

  1. From the All Hosts view, right-click a host that is joined to an Active Directory domain.
  2. Select the Host Access Control option from the context menu.

    The Host Access Control tab lists the content of the users.allow file.

    Note: Users and Groups displayed in red text indicate that Authentication Services could not resolve the user/group in Active Directory.

To allow additional Active Directory users or groups to access a single host

  1. From the Host Access Control tab, click Manage Access.
  2. On the Host Access Control dialog, specify the names you want to allow access to the selected host.

    You can either:

    • Type a name into the text box and click Add.

      -OR-

    • Click Select to browse for the Active Directory user or group name.

      Clicking Select opens the Select AD Object dialog.

    Once you have the names listed on the Host Access Control dialog, click OK.

  3. On the Log on to Host dialog, enter the user credentials to access the selected host and click OK.

    The console updates the users.allow file and the database accordingly.

To add or remove access for Active Directory users or groups on multiple hosts

  1. From the All Hosts view, select and right-click multiple hosts that are joined to an Active Directory domain.
  2. Select the Host Access Control option from the context menu.

    The Host Access Control dialog displays two list boxes: one in which to add users or groups, the other to specify users and groups to remove from the users.allow file.

  3. Specify or select names to add or remove and click OK.
  4. On the Log on to Host dialog, enter the user credentials to access the selected hosts and click OK.

    The console updates the users.allow file and the database accordingly.

Check QAS Agent Status

You can either check the health status of Authentication Services agents manually, or you can configure the management console to automatically check the QAS agent status and report any warnings or failures to the console.

Note: Running the Check QAS Agent Status commands requires:

  • you are logged on as an Active Directory account in the Manage Hosts role
  • the hosts have Authentication Services 4.0.3.78 (or later) Agent software installed

For more information, see Check QAS agent status commands not available.

Manually checking QAS agent status

To check QAS agent status

  1. Select one or more hosts on the All Hosts view, open the Check menu from the Prepare panel of the toolbar and choose Check QAS agent status.

  2. In the Log on to Host dialog, enter the user credentials to access the selected hosts and click OK.

    A progress bar displays in the task progress pane and the Host Notifications tab indicates the number of hosts with warnings or failures detected.

    Note: This task requires elevated credentials.

    If you select multiple hosts, you are asked if you want to use the same credentials for all the hosts (default) or enter different credentials for each host.

    • If you selected multiple hosts and the Use the same credentials for all selected hosts option, enter your credentials to log on to access the selected hosts and click OK.
    • If you selected multiple hosts and the Enter different credentials for each selected host option, it displays a grid which allows you to enter different credentials for each host listed. Place your cursor in a cell in the grid to activate it and enter the data.
  3. Select the Host Notifications tab to view the reported warnings or failures.

    See Viewing the QAS status errors for details.

Automatically checking QAS agent status

To have up-to-date information about the status of Authentication Services agents, you can configure the management console to periodically check the QAS agent status automatically. If it detects a status change on the host, it reports the following warnings or failures to the Host Notifications tab:

  • Critical Failure
  • Failure
  • Warning

To configure the console to automatically check the QAS agent status

  1. Select one or more hosts on the All Hosts view, open the Check menu from the Prepare panel of the toolbar, and choose Check QAS agent status automatically...

    Note: This option is only available for multiple hosts if all hosts are in the same "Check QAS agent status" state; that is, they all have automatic status checking turned on, or they all have automatic status checking turned off.

  2. Select the Check status automatically option, set the frequency for the health status check, and click OK.

    Note: Use standard crontab syntax when entering Advanced schedule settings.

  3. On the Log on to Host dialog, enter the user credentials to access the selected hosts and click OK.

    Note: This task requires elevated credentials.

    When configured for automatic checking, the QAS state column on the All Hosts view displays a status icon. If the server then does not receive a heartbeat for more than 4 hours (by default), the column displays a different icon. No icon in the QAS state column indicates the host is not configured to check the QAS agent status automatically.

    If you select multiple hosts, you are asked if you want to use the same credentials for all the hosts (default) or enter different credentials for each host.

    • If you selected multiple hosts and the Use the same credentials for all selected hosts option, enter your credentials to log on to access the selected hosts and click OK.
    • If you selected multiple hosts and the Enter different credentials for each selected host option, it displays a grid which allows you to enter different credentials for each host listed. Place your cursor in a cell in the grid to activate it and enter the data.

    Note: If you receive a GID conflict error, see UID or GID conflicts.

  4. View the QAS Agent status for each host on the Host Notification tab.

    See Viewing the QAS status errors for details.

    When you configure a host to check the QAS agent status automatically, the management console:

    1. Creates "questusr" (the user service account), if it does not already exist, and a corresponding "questgrp" group on the host, which the management console uses for automatic QAS agent status checking.
    2. Adds questusr as an implicit member of questgrp.
    3. Adds the auto-check SSH key to questusr's authorized_keys file, /var/opt/quest/home/questusr/.ssh/authorized_keys.
    4. Verifies that the user service account can log in to the host.
    5. Creates an Authentication Services cron job that runs the QAS status check at the specified interval.

    Note: If you receive an error message saying you could not log in with the user service account, refer to Service account login fails to troubleshoot this issue.

    The questusr account is a non-privileged account that does not require root-level permissions. The console uses this account only to gather information about existing users and groups in a read-only fashion; the management console does not use the questusr account to make changes to any configuration files.

    Note: If questusr is inadvertently deleted from the console, the console will not be updated. To recreate the "questusr" account, re-configure the host for automatic QAS agent status checking.

To disable automatic status checking

  1. Select one or more hosts on the All Hosts view and choose Check QAS agent status automatically...
  2. Clear the Check status automatically option on the Check QAS Agent Status Automatically dialog and click OK.
  3. On the Log on to Host dialog, enter the user credentials to access the selected hosts and click OK.

When you disable auto-status checking for a host, the management console:

  1. Leaves the "questusr" and the corresponding "questgrp" accounts on the host.
  2. Leaves questusr as an implicit member of questgrp.
  3. Removes the auto-check SSH key from that user's authorized_keys file.
  4. Removes the cron job on the host.
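The enable and disable lists above describe the footprint the console leaves on a host. The following script is an added example, not One Identity code: it audits copies of a host's passwd, group, authorized_keys and crontab files against that footprint (questusr present and non-root, questgrp present, auto-check key present, cron job present) so a host that is still reporting as auto-checked but has drifted can be spotted. It assumes that "implicit member" means questgrp is questusr's primary group, that the console's cron entry contains the string "questusr", and the sample files it builds are constructed for illustration.

```shell
#!/bin/sh
# Added example (not One Identity's code): audit the footprint the console leaves on a
# host when automatic QAS status checking is enabled. File paths are parameters so the
# check can run against copies collected from a host. Assumptions: "implicit member"
# means questgrp is questusr's primary group, and the cron entry mentions "questusr".
# The authorized_keys path documented in the guide is /var/opt/quest/home/questusr/.ssh/authorized_keys.

audit_autocheck() {   # audit_autocheck PASSWD GROUP AUTHORIZED_KEYS CRONTAB -> 0 if healthy
  rc=0
  uid=$(awk -F: '$1=="questusr"{print $3}' "$1")
  pgid=$(awk -F: '$1=="questusr"{print $4}' "$1")
  gid=$(awk -F: '$1=="questgrp"{print $3}' "$2")
  if [ -z "$uid" ]; then echo "FAIL: questusr does not exist"; rc=1
  elif [ "$uid" -eq 0 ]; then echo "FAIL: questusr is uid 0; it must stay non-privileged"; rc=1
  fi
  if [ -z "$gid" ]; then echo "FAIL: questgrp does not exist"; rc=1
  elif [ "$pgid" != "$gid" ]; then echo "FAIL: questusr is not a member of questgrp"; rc=1
  fi
  keys=0
  [ -f "$3" ] && keys=$(grep -c '^ssh-' "$3" || true)
  if [ "$keys" -eq 0 ]; then echo "FAIL: no auto-check key in authorized_keys"; rc=1
  elif [ "$keys" -gt 1 ]; then echo "WARN: $keys keys in authorized_keys; the console adds only one"
  fi
  if ! grep -q 'questusr' "$4" 2>/dev/null; then echo "FAIL: no QAS status cron job"; rc=1; fi
  [ "$rc" -eq 0 ] && echo "OK: automatic QAS status checking is fully configured"
  return "$rc"
}

make_samples() {   # writes constructed sample files to a temp dir and prints its path
  d=$(mktemp -d)
  printf 'root:x:0:0:root:/root:/bin/sh\nquestusr:x:4001:4001::/var/opt/quest/home/questusr:/bin/sh\n' > "$d/passwd"
  printf 'root:x:0:\nquestgrp:x:4001:\n' > "$d/group"
  printf 'ssh-rsa AAAAB3NzaC1yc2EXAMPLEKEY== mcu-autocheck\n' > "$d/authorized_keys"   # constructed key
  printf '*/30 * * * * questusr /path/to/qas-status-check\n' > "$d/crontab"         # placeholder command
  echo "$d"
}

dir=$(make_samples)
audit_autocheck "$dir/passwd" "$dir/group" "$dir/authorized_keys" "$dir/crontab"
# Simulate the disabled state from the guide: accounts stay, key and cron job are removed.
: > "$dir/authorized_keys"; : > "$dir/crontab"
audit_autocheck "$dir/passwd" "$dir/group" "$dir/authorized_keys" "$dir/crontab" || echo "(expected: disabled host fails the audit)"
rm -rf "$dir"
```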