
Privilege Manager for Unix 6.1 Common Documents - Administration Guide


Local daemon hosts

Each machine that runs requests using Privilege Manager for Unix must run a pmlocald daemon. Typically you will run pmlocald on all your machines. See pmlocald for more information.

Installing the Privilege Manager packages

After you make sure your primary policy server host meets the system requirements, you are ready to install the Privilege Manager packages.

To install the Privilege Manager packages

  1. From the command line of the host designated as your primary policy server, run the platform-specific installer. For example, run:
    # rpm --install qpm-server-*.rpm

    NOTE: The Solaris server has a filename that starts with QSFTpmsrv.

    When you install the qpm-server package, it installs all three Privilege Manager components on that host: the Privilege Manager Policy Server, the PM Agent, and the Sudo Plugin.

For detailed instructions on installing and configuring Privilege Manager for Sudo, see the One Identity Privilege Manager for Sudo Administration Guide.

Modifying PATH environment variable

After you install the primary policy server, you may want to update your PATH to include the Privilege Manager commands.

To modify the user's PATH environment variable

  1. If you are a Privilege Manager administrator, add these Quest-specific directories to your PATH environment:
    /opt/quest/bin:/opt/quest/sbin
  2. If you are a Privilege Manager user, add this path to your PATH environment:
    /opt/quest/bin

Configuring the primary policy server for Privilege Manager for Unix

Once you install the Privilege Manager for Unix server packages, the next task is to configure the primary policy server.

NOTE: The first policy server you set up is the primary policy server.

To configure the primary policy server for a pmpolicy type

  1. From the command line of the primary policy server host, run:
    # /opt/quest/sbin/pmsrvconfig -m pmpolicy

    NOTE: The pmsrvconfig command supports many command-line options; see pmsrvconfig for details or run pmsrvconfig with the -h option to display the help.

    When you run pmsrvconfig with the -i (interactive) option, the configuration script gathers information from you by asking you a series of questions. During this interview, you are allowed to either accept a default setting or set an alternate setting.

    Once you have completed the policy server configuration script interview, it configures the policy server.

  2. When you run pmsrvconfig for the first time, it asks you to read and accept the End User License Agreement (EULA).
  3. Enter a password for the new pmpolicy service account and confirm it. This password is also called the "Join" password. You will use this password when you add secondary policy servers or join remote hosts to this policy group.

    The configuration process:

    • Creates the /etc/opt/quest/qpm4u/pm.settings file, which contains various parameters and settings
    • Installs service entries in the /etc/services file, which contains unique port numbers for pmmasterd and pmlocald
    • Generates an SSH key for log access
    • Generates the master policy, a profile-based policy
    • Creates the SVN database repository for the master policy
    • Checks out a production copy of the master policy
    • Performs a syntax check of the master policy
    • Starts the Privilege Manager service (pmserviced). See pmserviced for details.
    • Reloads the pmloadcheck configuration. See pmloadcheck for details.
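
A post-configuration check for two of the artifacts listed above, as an added example (not One Identity's code): it confirms that pm.settings exists and that /etc/services carries pmmasterd and pmlocald entries with distinct port numbers. The function names and the world-writable test on pm.settings are assumptions made for this example, not requirements stated in the guide.

```shell
#!/bin/sh
# Added example: verify files that pmsrvconfig is documented to create or edit.
# Default paths and service names come from the guide; arguments override them.

# Print "port/proto" for service $1 found in services file $2; fail if absent.
service_entry() {
    awk -v svc="$1" '
        { sub(/#.*/, "") }    # drop comments so disabled entries do not count
        $1 == svc && $2 ~ /^[0-9]+\/(tcp|udp)$/ { print $2; found = 1; exit }
        END { exit (found ? 0 : 1) }
    ' "$2"
}

# Succeed only if $1 is a regular file that is not world-writable.
# (Assumption of this example: a settings file should not be world-writable.)
safe_file() {
    [ -f "$1" ] && [ -z "$(find "$1" -prune -perm -0002)" ]
}

# Check settings file $1 and services file $2; return the number of failures.
check_policy_server() {
    settings=${1:-/etc/opt/quest/qpm4u/pm.settings}
    services=${2:-/etc/services}
    fails=0
    seen=""
    if safe_file "$settings"; then
        echo "ok:   $settings present and not world-writable"
    else
        echo "FAIL: $settings missing or world-writable"; fails=$((fails + 1))
    fi
    for svc in pmmasterd pmlocald; do
        if entry=$(service_entry "$svc" "$services"); then
            port=${entry%/*}
            echo "ok:   $svc registered as $entry"
            case " $seen " in
                *" $port "*) echo "FAIL: port $port is not unique"; fails=$((fails + 1)) ;;
            esac
            seen="$seen $port"
        else
            echo "FAIL: no $svc entry in $services"; fails=$((fails + 1))
        fi
    done
    return "$fails"
}

# Run on the policy server as: sh check.sh --check [settings-file] [services-file]
if [ "${1:-}" = "--check" ]; then check_policy_server "${2:-}" "${3:-}"; fi
```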