Chat now with support
Chat with Support

One Identity Management Console for Unix 2.5.2 - Administration Guide

One Identity Privileged Access Suite for Unix Introducing One Identity Management Console for Unix Installing Management Console for Unix Preparing Unix hosts Working with host systems Managing local groups Managing local users Active Directory integration Authentication Services integration Privilege Manager integration Reporting Setting preferences Security Troubleshooting tips
Auto profiling issues Active Directory Issues Auditing and compliance Cannot create a service connection point Check Authentication Services agent status commands not available CSV or PDF reports do not open Database port number is already in use Elevation is not working Hosts do not display Import file lists fakepath Information does not display in the console License information in report is not accurate Out of memory error Post install configuration fails on Unix or Mac Privilege Manager feature issues Profile task never completes questusr account was deleted Readiness check failed Recovering from a failed upgrade Reports are slow Reset the supervisor password Running on a Windows 2008 R2 domain controller Service account login fails Setting custom configuration settings Single Sign-on (SSO) issues JVM memory tuning suggestions Start/stop/restart Management Console for Unix service Toolbar buttons are not enabled UID or GID conflicts
System maintenance Command line utilities Web services Database maintenance

Auditing and compliance

Each action performed by the mangement console on a remote host is logged to the local syslog file. The syslog messages show you who performed the action, when, and the output (standard error, standard out).

Syslog reports any action that changes on the host, for example:

  • Add, delete, modify user or group account information
  • Add user to (or remove user from) users.allow
  • Configure Privilege Manager policy server
  • Enable (or disable) Auto Profile, SSH Key login, Auto Authentication Services agent status
  • Install software
  • Join to (or unjoin from) Active Directory or Privilege Manager policy group
  • Map user to (or unmap user from) Active Directory

Note: The messages are logged in the local syslog file. Local host logs messages to local audit log files based on your host configuration.

Cannot create a service connection point

To create an SCP for Management Console for Unix

  • While the mangement console does not need to be configured for Active Directory, Management Console for Unix must be installed on a computer that is joined to an Active Directory domain.
  • The computer object must have access to create child objects under its own computer object.  

    Note: The ability for SELF to create and delete child objects is allowed by default, so you should not have problems creating Service Connection Points (SCPs) unless the Discretionary Access Control List (DACL) has been changed to deny the Create all child objects permission.

  • If the console is installed on a Windows host, SSPI must be enabled.

If you cannot create an SCP, check whether the computer where Management Console for Unix is installed is joined to the Active Directory domain.

  • If the computer is NOT joined to the domain, then the Register a Service Connection Point with Active Directory option on the Console Information settings is disabled.

    Note: When Management Console for Unix is installed on a Unix or Linux computer, it might be possible that the Management Console for Unix server does not have access to the keytab file. When Management Console for Unix cannot read the keytab file, it acts as if it is installed on a Unix computer that is not joined to the domain.

  • If the computer is joined to the domain and the creation of the SCP fails, the most likely cause is that the computer Discretionary Access Control List (DACL) 'Create all child objects' was denied for SELF. Using the Active Directory Users and Computers (ADUC) tool, you can check and modify these permissions on the Security tab of the computer's properties. Consult the Microsoft documentation for information about using ADUC.

Check Authentication Services agent status commands not available

The "Check QAS" commands are only available for hosts that have the Authentication Services 4.0.3.78 (or later) Agent software installed. If your version of Authentication Services is not using the 4.0.3.78 version of the vas_status.sh script, the mangement console will not report QAS agent status. Furthermore, if you customize the vas_status.sh script, ensure the output for customized tests are in CSV format so that the mangement console will correctly report the results.

CSV or PDF reports do not open

If you are having trouble opening CVS or PDF reports, here are some suggestions:

  • Make sure your browser does not have a pop-up blocker enabled for the site. PDF and CSV files are opened as a window pop-up and require you to disable any browser pop ups before the report will open.
  • If you are running Management Console for Unix on Internet Explorer, you may need to adjust your IE settings, as explained below:

To adjust your IE settings

  1. From the Tools menu, select Internet Options.
  2. On the Advanced tab, scroll to Security section.
  3. Clear the Do not save encrypted pages to disk option.
  4. Apply the changes.
  5. Close and reopen your browser.
  6. Try downloading that file again.

Or, you may need to reset your Download options.

To modify the Download Internet options

  1. From your Internet Explorer browser, navigate to Tools | Internet Options and click the Security tab.

  2. In the Security Settings dialog, click the Custom level button, scroll down to Downloads, and ensure that the Automatic prompting for file downloads and File download settings are set to Enable.

    Note: If you hold down the Ctrl key after you open the Export drop-down menu and select PDF, it allows the download to happen even if you have the Automatic prompting for file downloads setting disabled.

Related Documents