
One Identity Management Console for Unix 2.5.2 - Administration Guide


Service account login fails

There could be several reasons why you might receive an error message saying you could not log in with the user service account:

  • Account does not exist
  • Account has been disabled
  • Account has invalid gid or login shell
  • SSH server is not running
  • SSH keys are not configured properly
  • SSH server is not configured to allow login by means of SSH key
  • SELinux may be disallowing access to SSH server files needed for SSH key authentication

To troubleshoot your login failure:

  • Check your SSH server configuration to verify that public key authentication is enabled. (Refer to your SSH server configuration instructions for details.)
  • Test SSH key authentication with another user.
  • Reconfigure or disable SELinux.

Note: Configuring a service account on a host with Security-Enhanced Linux (SELinux) enabled might fail due to the enhanced security-related restrictions on the system. Contact Technical Support at https://support.oneidentity.com/ for instructions on how to either reconfigure or disable SELinux.
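The following Python sketch checks several of the causes listed above against the text of a host's account and SSH server files. It is an added example, not part of the product or of the original guide. It assumes local accounts and OpenSSH configuration syntax, treats a gid with no group entry or a shell missing from the shells file as invalid, and uses a constructed account name (svc_mcu) and constructed sample files.

```python
NOLOGIN = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false", "/usr/bin/false"}

def pubkey_auth_enabled(sshd_config):
    """Global PubkeyAuthentication setting: first value wins, default is yes."""
    for raw in sshd_config.splitlines():
        # Drop comments and tolerate the Keyword=value spelling.
        words = raw.split("#", 1)[0].replace("=", " ", 1).split()
        if not words:
            continue
        if words[0].lower() == "match":      # conditional blocks are not evaluated here
            break
        if words[0].lower() == "pubkeyauthentication" and len(words) > 1:
            return words[1].lower() == "yes"
    return True

def check_account(user, passwd, group, shells):
    """Findings for one local account, given the text of passwd, group and shells."""
    entry = next((f for f in (l.split(":") for l in passwd.splitlines())
                  if f[0] == user and len(f) >= 7), None)
    if entry is None:
        return ["account does not exist"]
    gid, shell = entry[3], entry[6] or "/bin/sh"   # an empty shell field means /bin/sh
    findings = []
    if gid not in {l.split(":")[2] for l in group.splitlines() if l.count(":") >= 2}:
        findings.append(f"gid {gid} has no group entry")
    listed = {l.strip() for l in shells.splitlines() if l.strip().startswith("/")}
    if shell in NOLOGIN or shell not in listed:
        findings.append(f"login shell {shell} does not allow login")
    return findings

def diagnose(user, passwd, group, shells, sshd_config):
    """Combine the account checks with the SSH server public key setting."""
    findings = check_account(user, passwd, group, shells)
    if not pubkey_auth_enabled(sshd_config):
        findings.append("sshd has PubkeyAuthentication disabled")
    return findings

# Constructed sample files, not taken from a real host.
PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
          "svc_mcu:x:1501:1501:service:/home/svc_mcu:/sbin/nologin\n")
GROUP = "root:x:0:\nusers:x:100:\n"
SHELLS = "# /etc/shells\n/bin/sh\n/bin/bash\n/sbin/nologin\n"
SSHD = "Port 22\nPubkeyAuthentication no\nPubkeyAuthentication yes\n"

if __name__ == "__main__":
    for finding in diagnose("svc_mcu", PASSWD, GROUP, SHELLS, SSHD):
        print(finding)
```

On a real host, pass the contents of /etc/passwd, /etc/group, /etc/shells and the SSH server configuration file instead of the sample strings.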

Setting custom configuration settings

When you start the Management Console for Unix service, it reads Java Virtual Machine (JVM) system properties from a configuration file.

You can set custom configuration settings by adding system properties, one per line, to the custom.cfg file, in the form:

-Dproperty=value

The custom.cfg file is in the application data directory:

  • On Windows:
    %SystemDrive%:\ProgramData\Quest Software\Management Console for Unix\resources
  • On Unix/Linux:
    /var/opt/quest/mcu/resources

Here are some general tips for adding system properties to the custom.cfg file:

  • Each system property declaration must be on its own line:
    -Xms512m
    -Xmx512m
  • Do not enter multiple entries on a single line like this:
    -Xms512m -Xmx512m
  • A line preceded by a # character specifies a commented line and will be ignored.
  • The system property declarations are case sensitive. Be sure to enter lines in the custom.cfg file carefully.
  • Restart the console service to enable the system property declarations.

The following topics give you details about setting custom system properties:

Customize auto-task settings

Management Console for Unix uses a heartbeat to verify that:

  • the host system is still properly configured to send updates
  • the current QAS status is accurate

You can customize the heartbeat interval for the automatic QAS Status update. However, if you change the heartbeat interval, you must reconfigure automatic QAS agent status for all hosts previously configured.

To customize heartbeat interval

  1. Locate the custom.cfg file.

    See Setting custom configuration settings for more information about customizing configuration settings for the management console.

  2. Add the following property:

    -Dmcu.QasStatusHeartbeatsPerDay=n

    where n is the number of times per day. (The default is 6 times a day.)

    Valid values are: 1, 2, 3, 4, 6, 8, 12, and 24 times a day.

    The actual time of day that heartbeats are sent varies from host to host.

  3. Save the custom.cfg file.

  4. Restart the Management Console for Unix service.

Enable debug logging

Technical Support may request that you enable and generate some debug logs for troubleshooting purposes.

To enable the debug logging

  1. Stop the Management Console for Unix service.

    See Start/stop/restart Management Console for Unix service for details.

  2. Open the custom.cfg file for editing.

    See Setting custom configuration settings for general information about customizing configuration settings for the management console.

  3. Add these system properties to the custom.cfg file:
    -Dlog4j.configuration=log4j-debug.xml

    AND

    -Djcsi.kerberos.debug=true
  4. Save the custom.cfg file.
  5. Start the Management Console for Unix service.

    By default, the debug logs are saved in the application data directory at:

    • On Windows platforms:
      %SystemDrive%:\ProgramData\Quest Software\Management Console for Unix\logs
    • On Unix/Linux platforms:
      /var/opt/quest/mcu
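
The rules given in the custom.cfg tips, the valid heartbeat values and the debug properties can be checked before the service is restarted. The following Python linter is an added example, not part of the product or of the original guide. It assumes that a single entry never contains whitespace, and its sample file content is constructed.

```python
KNOWN = ("mcu.QasStatusHeartbeatsPerDay", "log4j.configuration", "jcsi.kerberos.debug")
VALID_HEARTBEATS = {"1", "2", "3", "4", "6", "8", "12", "24"}
DEBUG_VALUES = {"log4j.configuration": "log4j-debug.xml", "jcsi.kerberos.debug": "true"}

def lint_custom_cfg(text):
    """Return (line_number, message) findings for the text of a custom.cfg file."""
    findings = []
    canonical = {name.lower(): name for name in KNOWN}
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):       # blank or commented line
            continue
        if len(line.split()) > 1:                   # assumption: no spaces inside one entry
            findings.append((number, "multiple entries on one line"))
            continue
        if not line.startswith("-D"):               # e.g. -Xms512m, nothing more to check
            continue
        name, sep, value = line[2:].partition("=")
        if not sep:
            findings.append((number, "not in the form -Dproperty=value"))
        elif name != canonical.get(name.lower(), name):
            # Property names are case sensitive, so a near miss is silently ineffective.
            findings.append((number, f"case mismatch, expected {canonical[name.lower()]}"))
        elif name == KNOWN[0] and value not in VALID_HEARTBEATS:
            findings.append((number, f"invalid heartbeat value {value!r}"))
        elif DEBUG_VALUES.get(name) == value:
            findings.append((number, "debug logging is enabled"))
    return findings

# Constructed sample input, not taken from a real installation.
SAMPLE = """\
# JVM heap
-Xms512m -Xmx512m
-Dmcu.qasstatusheartbeatsperday=6
-Dmcu.QasStatusHeartbeatsPerDay=5
-Dmcu.QasStatusHeartbeatsPerDay=12
-Djcsi.kerberos.debug=true
"""

if __name__ == "__main__":
    for number, message in lint_custom_cfg(SAMPLE):
        print(f"line {number}: {message}")
```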