One Identity Management Console for Unix 2.5.2 - Administration Guide


Checking policy server readiness

Check Policy Server Readiness performs a series of tests to verify that the specified hosts meet the minimum requirements to be configured as a policy server.

Note: This command is only available if no Privilege Manager software is installed on the selected hosts.

For the readiness check to finish successfully, the path to the Privilege Manager software packages must be correctly set in System Settings. See Setting the Privilege Manager software path for details.

To check for policy server readiness

  1. Select one or more hosts on the All Hosts view of the Hosts tab, open the Check menu from the Prepare panel of the toolbar, and choose Check Policy Server Readiness.

  2. In the Check Policy Server Readiness dialog, enter user credentials to access the hosts and click OK.

    Note: This task does not require elevated credentials.

    If you select multiple hosts, you are asked if you want to use the same credentials for all the hosts (default) or enter different credentials for each host.

    1. If you selected multiple hosts and the Use the same credentials for all selected hosts option, enter your credentials to log on to access the selected hosts and click OK.

    2. If you selected multiple hosts and the Enter different credentials for each selected host option, the dialog displays a grid that allows you to enter different credentials for each host listed. Place your cursor in a cell in the grid to activate it and enter the data.

  3. To check the results of the readiness check,

    1. Right-click the host on the All Hosts view of the Hosts tab, and choose Readiness Check Results.

    2. Choose Policy Readiness from the drop-down menu, if necessary.

    Running the readiness check on a policy server performs these tests:

    • Basic Network Conditions:
      • Hostname is configured
      • Hostname can be resolved
      • Reverse lookup returns its own IP
    • Privilege Manager for Unix Server Network Requirements
      • Policy server port is available (TCP/IP port 12345)
    • Privilege Manager for Unix Prerequisites
      • SSH keyscan is available

    A progress bar displays in the Task Progress pane. The final status of the task displays, including any failures or advisories encountered.

  4. If the readiness check completed with failures or advisories, correct the issues and run the policy server readiness check again.

    After you make sure your primary policy server host meets the system requirements, you are ready to install the Privilege Manager packages.
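The three groups of readiness tests listed in step 3 can be reproduced from the host's own shell, which helps explain a failure before re-running Check Policy Server Readiness. The script below is an added example, not One Identity's code; it assumes a Linux host (it reads /proc/net/tcp) with getent on PATH, and the port number 12345 is the one the guide names.

```shell
#!/bin/sh
# Added example (not One Identity's code): scripted pre-flight checks mirroring
# the console's policy-server readiness tests, to see why a host would fail
# before running Check Policy Server Readiness. Assumes Linux (/proc/net/tcp)
# with getent on PATH.
PM_PORT=${PM_PORT:-12345}   # policy server port named in the guide
# 0 when the host has a real name set (not empty, localhost or "(none)").
hostname_configured() {
    h=$(hostname 2>/dev/null)
    [ -n "$h" ] && [ "$h" != localhost ] && [ "$h" != "(none)" ]
}
# Print the first address $1 resolves to; non-zero status when it does not.
resolve_name() { getent hosts "$1" 2>/dev/null | awk 'NR==1 {print $1}' | grep .; }
# 0 when reverse lookup of address $1 lists hostname $2 ("returns own IP").
reverse_matches() {
    getent hosts "$1" 2>/dev/null |
        awk -v want="$2" '{for (i = 2; i <= NF; i++) if ($i == want) ok = 1}
                          END {exit (ok ? 0 : 1)}'
}
# 0 when something already listens on TCP port $1. Extra args name the proc
# tables to scan (default /proc/net/tcp and tcp6); state 0A means LISTEN.
port_in_use() {
    port=$1; shift
    [ $# -gt 0 ] || set -- /proc/net/tcp /proc/net/tcp6
    hex=$(printf ':%04X' "$port")
    for f in "$@"; do
        [ -r "$f" ] || continue
        awk -v p="$hex" 'NR > 1 && $4 == "0A" && index($2, p) == length($2) - 4 {ok = 1}
                          END {exit (ok ? 0 : 1)}' "$f" && return 0
    done
    return 1
}
# 0 when tool $1 is on PATH (the guide requires ssh-keyscan).
tool_available() { command -v "$1" >/dev/null 2>&1; }
not() { ! "$@"; }
# report DESCRIPTION COMMAND...: print PASS/FAIL and count failures.
report() {
    desc=$1; shift
    if "$@"; then echo "PASS $desc"; else echo "FAIL $desc"; fails=$((fails + 1)); fi
}
# Run the whole check list; the return value is the number of failures.
run_readiness() {
    fails=0; name=$(hostname 2>/dev/null); ip=$(resolve_name "$name")
    report "hostname is configured" hostname_configured
    report "hostname '$name' resolves" [ -n "$ip" ]
    report "reverse lookup of '$ip' returns own name" reverse_matches "$ip" "$name"
    report "policy server port $PM_PORT is free" not port_in_use "$PM_PORT"
    report "ssh-keyscan is available" tool_available ssh-keyscan
    return "$fails"
}
case "${1:-}" in --run) run_readiness; exit $? ;; esac
```

Run it as `sh readiness.sh --run`; a non-zero exit status is the number of failed checks, and each FAIL line names the test to fix before retrying from the console.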

Installing the Privilege Manager packages

The management console allows you to install three Privilege Manager software components, which provide central policy management, granular access control reporting, and the ability to enable, gather, store and play back keystroke logs.

Note: Centralized policy management and keystroke logging are licensed separately. See Software & Licenses settings for details.

To install the Privilege Manager packages

  1. Select one or more profiled hosts on the All Hosts view.
  2. Click Install Software from the Prepare panel on the All Hosts view.

    Note: The Install Software toolbar menu is enabled when you select hosts that are profiled.

    The toolbar button will not be active if

    • You have not selected any hosts.
    • You have selected hosts that are not profiled.
  3. On the Install Software dialog, select a Privilege Manager package and click OK.

    1. Sudo Plugin
    2. Privilege Manager Agent
    3. Privilege Manager Policy Server

    Note: If you do not see these software packages, verify the path to the software packages is correctly set in System Settings. Refer to Setting the Privilege Manager software path for details.

  4. On the Log on to Host dialog, enter your host credentials and click OK to start the installation process.

    Note: This task requires elevated credentials.

Configuring the primary policy server

The first policy server you configure is the primary policy server which holds the master copy of the policy file. Additional policy servers configured in the policy group are secondary policy servers. The primary policy server and any number of additional secondary policy servers share a common policy. Adding secondary policy servers to a policy group allows you to load-balance the authorization requests on the policy servers.

To configure a primary policy server

  1. From the All Hosts view, open the Join or Configure toolbar menu and navigate to Configure Policy Server | As Primary Policy Server....

  2. On the Configure Primary Policy Server dialog,

    1. Enter a policy group name in the text box.

      Note: When the configuration is complete, this new policy group will be automatically configured and activated in the Privilege Manager system settings. See Configuring a service account for details.

    2. Choose the policy type: either sudo policy type (Privilege Manager for Sudo) or pmpolicy type (Privilege Manager for Unix).

      See Security policy management for more information about the policy types.

  3. Click Advanced to import an existing policy or a license file.

    If you configure Privilege Manager for Sudo using the default sudo policy type, Privilege Manager uses a copy of the /etc/sudoers file as its initial security policy if the file exists; otherwise, it creates a generic sudoers file.

    Note: When you join a Sudo Plugin to a policy server, Privilege Manager for Sudo adds the following lines to the current local sudoers file, generally found in /etc/sudoers.

    ##
    ## WARNING: Sudoers rules are being managed by QPM4Sudo
    ## WARNING: Do not edit this file, it is no longer used.
    ##
    ## Run "/opt/quest/sbin/pmpolicy edit" to edit the actual sudoers rules.
    ##

    When you unjoin the Sudo Plugin, Privilege Manager for Sudo removes those lines from the local sudoers file.

    If you configure Privilege Manager for Unix using the pmpolicy type, Privilege Manager creates a profile-based (or role-based) policy. This security policy simplifies setup and maintenance through the use of easy-to-manage profile (or role) templates.

    1. In the Import policy data from box, enter a path to the policy data to override the default and import the initial security policy from the specified location.

      For example, enter

      /tmp/pmpolicy/pm.conf
    2. In the Import license file from box, click Browse to select a product license file from the local file system.

      You can skip this step initially. Privilege Manager comes with a 30-day trial license. After 30 days, Privilege Manager continues to allow you to run ten Sudo Plugin clients without a license, but requires a license for the PM Agents. See Software & Licenses settings for details.

  4. Enter the pmpolicy service account password in the Join Password box.

    Note: You will use this password when you add secondary policy servers or join remote hosts to this policy group.

  5. Select the Join agent or plugin to policy group option if you want to join primary policy server to the policy group at this time.

    When you join a policy server to a policy group, you are indicating which policy group you want to use for policy verification. That is, you are enabling that host to validate security privileges against a single common policy file located on the primary policy server, instead of a policy file located on the local host.

    Note: Policy servers can only be joined to policy groups they host (that is, manage). You cannot join a Sudo Plugin host to a pmpolicy server group or the PM Agent host to a sudo policy server group.

    You can join the agent or plugin to the policy group later. See Joining the host to a policy group for details.

  6. On the Log on to Host dialog, enter the user credentials to access the selected host and click OK.

    This information is pre-populated if you saved the credentials for the host.
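The marker lines quoted in step 3 are what tell an auditor that a host's local sudoers file has been superseded by the policy group. The following added example (not One Identity's code) classifies a sudoers file by that marker and flags rules left behind in a file the marker declares no longer used; it assumes the marker text shown in the guide and defaults to /etc/sudoers.

```shell
#!/bin/sh
# Added example (not One Identity's code): classify a sudoers file by the
# QPM4Sudo marker the guide says a Sudo Plugin join inserts. A file carrying
# the marker is "no longer used", so any rules still in it are stale and will
# not take effect; review the pmpolicy rules instead.
sudoers_status() {   # $1 = sudoers file (default /etc/sudoers); prints a verdict
    f=${1:-/etc/sudoers}
    [ -r "$f" ] || { echo "unreadable"; return 2; }
    if grep -q 'Sudoers rules are being managed by QPM4Sudo' "$f"; then managed=1; else managed=0; fi
    # Count live rule lines: skip blanks and comments, but treat
    # #include/#includedir and @include as directives, not comments.
    rules=$(awk '/^[[:space:]]*$/ {next}
                 /^[[:space:]]*(#|@)include/ {n++; next}
                 /^[[:space:]]*#/ {next}
                 {n++} END {print n + 0}' "$f")
    if [ "$managed" = 1 ] && [ "$rules" = 0 ]; then echo "managed"; return 0; fi
    if [ "$managed" = 1 ]; then echo "managed-stale-rules:$rules"; return 1; fi
    echo "local-rules:$rules"; return 0
}
```

A "managed-stale-rules" verdict means someone edited the local file after the join, contrary to the warning the plugin writes there, and those edits are silently ignored.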

Joining the host to a policy group

When you join a host to a policy group, it enables that host to validate security privileges against a single common policy file located on the primary policy server, instead of on the host.

Note: To join a host to a policy group, the host must meet all of these conditions:

  • When using a sudo policy type, to join a policy group, the selected hosts must have Sudo 1.8.1 (or higher), the Sudo Plugin software installed, and be added and profiled to the management console.
  • When using pmpolicy type, the host must have the PM Agent software installed on it. See Installing Privilege Manager agent or plugin software.
  • A service account must be configured. See Configuring a service account.
  • A policy group must be active. See Activating policy groups.
  • If you select multiple hosts to join, they must be of the same type (sudo or pmpolicy). However, when selecting multiple primary servers, the Join option will be disabled because each primary server belongs to a different policy group.

Policy servers can only be joined to policy groups they host (that is, manage). You cannot join a Sudo Plugin host to a pmpolicy server group or the PM Agent host to a sudo policy server group.

To join a host to a policy group

  1. From the list on the All Hosts view, select one or more hosts that have the Privilege Manager software installed, open the Join or Configure toolbar menu, and choose Join to Policy Group.

    Note: The Join to Policy Group option is enabled when you select hosts that have the Privilege Manager software installed and are not already joined to a policy group.

    The toolbar button will not be active if

    • You have not selected any hosts.
    • You have selected hosts that are already joined.

  2. On the Policy Group tab,

    1. Select the policy group to use for the policy verification.

      The Policy group drop-down menu lists the configured policy groups with the policy server type in parentheses, either pmpolicy or sudo.

    2. Enter the pmpolicy service account password in the Join password box.

      Note: The Join password is the password for the pmpolicy service account that was set when you configured the primary server. See Configuring the primary policy server for details.

  3. On the Failover tab,

    1. Set the failover parameters, if you desire, and click OK.

      Note: If you set the failover parameter to random order, Privilege Manager ignores the ordering of the policy servers.

    2. Set the default policy server failover order within the policy group by ordering the hosts in the Policy Server list using the up and down arrows.

      Where there are two or more policy servers, Privilege Manager connects to the next available server when it cannot make a connection to a policy server.

      Note: To change the failover order, unjoin the host from the policy group and then rejoin it using new settings.

  4. On the Log on to Host dialog, enter the user credentials to access the selected hosts and click OK.

    Note: This task requires elevated credentials. The management console pre-populates this information if you saved the credentials for the host.

    The Task Progress pane on the All Hosts view displays a progress bar and the final status of the tasks, including any failures or advisories encountered.
