One Identity Management Console for Unix 2.5.2 - Administration Guide

Check QAS Agent Status

You can either check the health status of Authentication Services agents manually, or you can configure the management console to automatically check the QAS agent status and report any warnings or failures to the console.

Note: Running the Check QAS Agent Status commands requires that:

  • you are logged on with an Active Directory account in the Manage Hosts role
  • the hosts have Authentication Services 4.0.3.78 (or later) Agent software installed

For more information, see Check QAS agent status commands not available.

Manually checking QAS agent status

To check QAS agent status

  1. Select one or more hosts on the All Hosts view, open the Check menu from the Prepare panel of the toolbar and choose Check QAS agent status.

  2. In the Log on to Host dialog, enter the user credentials to access the selected hosts and click OK.

    A progress bar displays in the task progress pane and the Host Notifications tab indicates the number of hosts with warnings or failures detected.

    Note: This task requires elevated credentials.

    If you select multiple hosts, you are asked if you want to use the same credentials for all the hosts (default) or enter different credentials for each host.

    • If you selected multiple hosts and the Use the same credentials for all selected hosts option, enter your credentials to log on to access the selected hosts and click OK.
    • If you selected multiple hosts and the Enter different credentials for each selected host option, it displays a grid which allows you to enter different credentials for each host listed. Place your cursor in a cell in the grid to activate it and enter the data.
  3. Select the Host Notifications tab to view the reported warnings or failures.

    See Viewing the QAS status errors for details.

Automatically checking QAS agent status

To have updated information about the status of Authentication Services agents, you can configure the management console to periodically check the QAS agent status automatically. If it detects a status change on the host, it reports the following warnings or failures to the Host Notifications tab:

  • Critical Failure
  • Failure
  • Warning

To configure the console to automatically check the QAS agent status

  1. Select one or more hosts on the All Hosts view, open the Check menu from the Prepare panel of the toolbar, and choose Check QAS agent status automatically...

    Note: This option is only available for multiple hosts if all hosts are in the same "Check QAS agent status" state; that is, they all have automatic status checking turned on, or they all have automatic status checking turned off.

  2. Select the Check status automatically option, set the frequency for the health status check, and click OK.

    Note: Use standard crontab syntax when entering Advanced schedule settings.

  3. On the Log on to Host dialog, enter the user credentials to access the selected hosts and click OK.

    Note: This task requires elevated credentials.

    When configured for automatic checking, the QAS state column on the All Hosts view displays the icon. Then, if the server does not receive a heartbeat in over 4 hours (by default), it displays the icon. No icon in the QAS state column indicates the host is not configured to check the QAS agent status automatically.

    If you select multiple hosts, you are asked if you want to use the same credentials for all the hosts (default) or enter different credentials for each host.

    • If you selected multiple hosts and the Use the same credentials for all selected hosts option, enter your credentials to log on to access the selected hosts and click OK.
    • If you selected multiple hosts and the Enter different credentials for each selected host option, it displays a grid which allows you to enter different credentials for each host listed. Place your cursor in a cell in the grid to activate it and enter the data.

    Note: If you receive a GID conflict error, see UID or GID conflicts.

  4. View the QAS agent status for each host on the Host Notifications tab.

    See Viewing the QAS status errors for details.

    When you configure a host to check the QAS agent status automatically, the management console:

    1. Creates "questusr" (the user service account), if it does not already exist, and a corresponding "questgrp" group on the host that the management console uses for automatic QAS agent status checking.
    2. Adds questusr as an implicit member of questgrp.
    3. Adds the auto-check SSH key to questusr's authorized_keys file, /var/opt/quest/home/questusr/.ssh/authorized_keys.
    4. Verifies the user service account can log in to the host.
    5. Creates an Authentication Services cron job that runs QAS status according to the specified interval.

    Note: If you receive an error message saying you could not log in with the user service account, refer to Service account login fails to troubleshoot this issue.

    The questusr account is a non-privileged account that does not require root-level permissions. The console uses this account to gather information about existing users and groups in a read-only fashion; the management console does not use the questusr account to make changes to any configuration files.

    Note: If questusr is inadvertently deleted from the console, the console will not be updated. To recreate the "questusr" account, re-configure the host for automatic QAS agent status checking.

To disable automatic status checking

  1. Select one or more hosts on the All Hosts view and choose Check QAS agent status automatically....
  2. Clear the Check status automatically option on the Check QAS Agent Status Automatically dialog and click OK.
  3. On the Log on to Host dialog, enter the user credentials to access the selected hosts and click OK.

When you disable auto-status checking for a host, the management console:

  1. Leaves the "questusr" and the corresponding "questgrp" accounts on the host.
  2. Leaves questusr as an implicit member of questgrp.
  3. Removes the auto-check SSH key from that user's authorized_keys file.
  4. Removes the cron job on the host.
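
A host-side check of the changes listed above for enabling and disabling automatic status checking, as an added example that is not part of the One Identity guide or product. It assumes questusr and questgrp are local accounts and reads "implicit member" as questgrp being questusr's primary group; the `*_FILE` variables and function names are hypothetical.

```shell
#!/bin/sh
# Added example (not One Identity code): audit what automatic QAS status
# checking leaves on a managed host. Assumptions: questusr/questgrp are local
# accounts, "implicit member" means questgrp is questusr's primary group, and
# the *_FILE variables are hypothetical overrides for testing on fixtures.
PASSWD_FILE=${PASSWD_FILE:-/etc/passwd}
GROUP_FILE=${GROUP_FILE:-/etc/group}
KEYS_FILE=${KEYS_FILE:-/var/opt/quest/home/questusr/.ssh/authorized_keys}

# Prints one of: missing | privileged | group-mismatch | ok
account_state() {
    ids=$(awk -F: '$1 == "questusr" { print $3 ":" $4; exit }' "$PASSWD_FILE")
    [ -n "$ids" ] || { echo missing; return; }
    [ "${ids%%:*}" != 0 ] || { echo privileged; return; }
    grp_gid=$(awk -F: '$1 == "questgrp" { print $3; exit }' "$GROUP_FILE")
    [ "${ids##*:}" = "$grp_gid" ] || { echo group-mismatch; return; }
    echo ok
}

# Counts key entries (non-blank, non-comment lines); 0 if the file is absent.
key_count() {
    [ -f "$KEYS_FILE" ] || { echo 0; return; }
    awk '!/^[ \t]*(#|$)/ { n++ } END { print n + 0 }' "$KEYS_FILE"
}

# Succeeds if the key file is absent or not writable by group or others.
keys_file_locked_down() {
    [ -f "$KEYS_FILE" ] || return 0
    [ -z "$(find "$KEYS_FILE" -prune \( -perm -020 -o -perm -002 \) -print)" ]
}

# audit enabled|disabled: returns 0 when the host matches the expected state.
audit() {
    rc=0; state=$(account_state); keys=$(key_count)
    echo "questusr account: $state; authorized_keys entries: $keys"
    keys_file_locked_down || { echo "FINDING: $KEYS_FILE is group/world writable"; rc=1; }
    case "$1" in
      enabled)
        [ "$state" = ok ] || { echo "FINDING: service account is $state"; rc=1; }
        [ "$keys" -ge 1 ] || { echo "FINDING: no auto-check key installed"; rc=1; } ;;
      disabled)
        # The account and group stay on the host; only the key must be gone.
        [ "$state" != privileged ] || { echo "FINDING: questusr has UID 0"; rc=1; }
        [ "$keys" -eq 0 ] || { echo "FINDING: $keys key(s) remain after disable"; rc=1; } ;;
      *) echo "usage: audit enabled|disabled" >&2; return 2 ;;
    esac
    return $rc
}
[ $# -eq 0 ] || audit "$1"
```

Run it as root on the managed host with `enabled` or `disabled` as the only argument, matching the state the console shows for that host.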

Host Notifications tab

When the management console detects a host with warnings or failures, it updates the Host Notifications tab to indicate the number of hosts with issues.

The Host Notifications tab has four views:

  • QAS Status
  • QAS Status Heartbeat
  • Auto-Profile Status
  • Auto-Profile Heartbeat

NOTE: The Authentication Services views on this tab only display when you have a licensed version of Authentication Services installed.

Each column has a drop-down menu from which you can choose to show or hide columns on each Host Notifications view. Open the column drop-down menu, navigate to the Columns option, and deselect the columns you wish to hide.

In addition, you can choose to list only the hosts of one or more status levels. Open the QAS Status state column drop-down menu, navigate to the Filters option, and select the status levels you want to see.

Table 52: Status view: Toolbar commands
Toolbar Button Description

  • Select a warning or failure for a host and click the Check QAS agent status toolbar button to re-check the status.
  • Click the Show status properties toolbar icon to show or hide the Properties panel.
  • Click Expand all to see all warning or failure messages for all hosts.
  • Click Collapse all to see only a list of hosts with warning or failure messages.
  • Click the Clear column filters toolbar button to clear filter settings.

Table 53: Status view: Columns

Column | Description
State | The State column displays the status level of the listed Authentication Services hosts using these icons: Critical Failure, Failure, Warning
Host | The Host column displays the value (FQDN, IP address or short name) entered when the host was added to the management console.
Date and Time | Lists the date and time of the last status check.
Test ID | The identification number of the test.
Description | The name of the test.
Result | A detailed explanation of the test results.

Table 54: Status Heartbeat view

Column | Description
State | The State column displays the following alert for hosts that have failed to pass the heartbeat status test: No heartbeat received in over 4 hours
Host | The Host column displays the value (FQDN, IP address or short name) entered when the host was added to the management console.
Date and Time | Lists the date and time of the last heartbeat test.
Description | An explanation of the test results.

The Authentication Services host sends a heartbeat every 24 hours. If the server does not receive a heartbeat in over 24 hours, it displays an alert on the QAS Heartbeat view. You cannot manually re-check the heartbeat status.

Table 55: Auto-Profile Status view: Toolbar commands
Toolbar Button Description
Select one or more hosts, open the Profile menu to re-profile the selected hosts or modify the auto-profile settings.

Table 56: Auto-Profile Status view

Column | Description
State | The State column displays the following alert for hosts where there has been a failure to auto-profile: Auto QAS status connection failure
Host | The Host column displays the value (FQDN, IP address or short name) entered when the host was added to the management console.
Date and Time | Lists the date and time of the last status check.
Description | The name of the test.

Table 57: Auto-Profile Heartbeat view

Column | Description
State | The State column displays the following alert for hosts where a heartbeat has not been reported in the last 24 hours: No Auto-Profile heartbeat
Host | The Host column displays the value (FQDN, IP address or short name) entered when the host was added to the management console.
Date and Time | Lists the date and time of the last heartbeat test.
Description | An explanation of the test results.

The host sends a heartbeat every 24 hours. If the server does not receive a heartbeat in over 24 hours, it displays an alert on the Auto-Profile Heartbeat view. You cannot manually re-check the heartbeat status.
