When you run pmsrvconfig with the -i (interactive) option, the configuration script gathers information from you by asking a series of questions. During this interview, you can either accept a default setting or supply an alternate setting.
The configuration script first asks you to read and accept the End User License Agreement (EULA). The second question asks whether you want to configure the server as a sudo or a pmpolicy type server; the default is sudo. See Security policy types for more information about policy types. Depending on which type of server you are configuring, the interview asks different questions.
The following table lists the default and alternative configuration settings when configuring a pmpolicy server. See PM settings variables for more information about the policy server configuration settings.
| Configuration setting | Default | Alternate |
|---|---|---|
| **Configure Privilege Manager Policy Mode** | | |
| Configure host as primary or secondary policy group server: | primary | Enter secondary, then supply the primary server host name. |
| Set Policy Group Name: | <FQDN name of policy server> | Enter Policy Group Name of your choice. |
| Policy mode: (See Security policy types for more information about policy types.) | sudo | Enter pmpolicy |
| **Configure Security Policy** | | |
| Initialize the security policy? | YES | Enter No |
| **Configure Privilege Manager Daemon Settings** | | |
| Policy server command line options: | -ar | Enter: |
| Enable remote access functions? | NO (Does not make system information on this host available to policy servers located on other hosts.) | Enter Yes to allow remote policy servers to connect to this primary policy server for remote I/O logging, or to access functions in the policy file. Entering Yes allows you to list remote hosts. |
| If Yes, list of remote hosts allowed to connect to this policy server? | NO | Enter Yes, then add remote hosts to the list. |
| Configure host as a PM Agent? | NO | Enter Yes, then configure command line options. |
| If Yes, configure command line options for the agent daemon? | pmlocaldopts is not set | Enter: |
| Configure pmlocald on this host? | NO | Enter Yes |
| Configure policy server host components to communicate with remote hosts through firewall? | NO | Enter Yes |
| Configure pmtunneld on this host? | NO | Enter Yes |
| Define host services? | YES (Adds services entries to the /etc/services file.) | Enter No |
| **Communications Settings for Privilege Manager** | | |
| Policy server daemon port number: | 12345 | Enter a port number for the policy server to communicate with agents and clients. |
| Specify a range of reserved port numbers for this host to connect to other defined Privilege Manager hosts across a firewall? | NO | Enter Yes, then enter a value between 600 and 1023: |
| Specify a range of non-reserved port numbers for this host to connect to other defined Privilege Manager hosts across a firewall? | NO | Enter Yes, then enter a value between 1024 and 65535: |
| Allow short host names? | YES | Enter No to use fully-qualified host names instead. |
| Configure Kerberos on your network? | NO | Enter Yes, then enter: |
| Encryption level: (See Encryption for details.) | AES | Enter one of these encryption options: |
| Enable certificates? | NO | Enter Yes, then answer: Generate a certificate on this host? (Default is NO.) Enter Yes and specify a passphrase for the certificate. |
| Activate the failover timeout? | YES | Enter Yes, then assign the failover timeout in seconds: (Default is 10.) |
| Failover timeout in seconds: | 10 | Enter timeout interval. |
| **Configure Privilege Manager Logging Settings** | | |
| Send errors reported by the policy server and local daemons to syslog? | YES | Enter No |
| Policy server log location: | /var/log/pmmasterd.log | Enter a location. |
| **Install Privilege Manager Licenses** | | |
| XML license file to apply: | (use the freeware product license) | Enter the location of the .xml license file. Enter Done when finished. |
| Password for pmpolicy user: (See Configuring the primary policy server for Privilege Manager for Unix for more information about the pmpolicy service account.) | Enter <password> | |

NOTE: You can find an installation log file at: /opt/quest/qpm4u/install/pmsrvconfig_output_<Date>.log
To verify the policy server configuration, run pmsrvinfo:

```
# pmsrvinfo
```

The pmsrvinfo command displays the current configuration settings. For example:

```
Policy Server Configuration:
----------------------------
Privilege Manager version : 6.0.0
Listening port for pmmasterd daemon : 12345
Comms failover method : random
Comms timeout(in seconds) : 10
Policy type in use : pmpolicy
Group ownership of logs : pmlog
Group ownership of policy repository : pmpolicy
Policy server type : primary
Primary policy server for this group : <polsrv>.example.com
Group name for this group : <polsrv>.example.com
Location of the repository : file:////var/opt/quest/<polsrv>/.<polsrv>/.repository/pmpolicy_repos/trunk
Hosts in the group : <polsrv>.example.com
```

NOTE: Note the entries for policy type (pmpolicy) and policy server type (primary). See Security policy types for more information about security policy types.
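As an added example that is not part of this page or of the One Identity product, the following shell script parses pmsrvinfo output in the layout shown above and checks the two entries the note calls out (policy type and policy server type) together with the listening port; the sample output, host name and expected port are constructed values.

```shell
#!/bin/sh
# Added example (not One Identity code): parse pmsrvinfo output and confirm the host
# came out of pmsrvconfig as a primary pmpolicy server on the expected port.
# SAMPLE_OUTPUT is constructed from the layout shown above; host name and port are assumed.
SAMPLE_OUTPUT='Policy Server Configuration:
----------------------------
Privilege Manager version : 6.0.0
Listening port for pmmasterd daemon : 12345
Comms failover method : random
Comms timeout(in seconds) : 10
Policy type in use : pmpolicy
Policy server type : primary
Primary policy server for this group : polsrv.example.com
Hosts in the group : polsrv.example.com'

# pmsrv_field OUTPUT LABEL: print the value after the first colon of the line
# that starts with LABEL (empty if the label is absent).
pmsrv_field() {
    printf '%s\n' "$1" | grep "^$2" | head -n 1 \
        | sed 's/^[^:]*:[[:space:]]*//; s/[[:space:]]*$//'
}

# check_pmsrvinfo OUTPUT PORT: return 0 only if the output describes a primary
# pmpolicy server whose pmmasterd listens on PORT; each failed check goes to stderr.
check_pmsrvinfo() {
    _out=$1
    _port=$2
    _rc=0
    [ "$(pmsrv_field "$_out" 'Policy type in use')" = pmpolicy ] \
        || { echo 'policy type is not pmpolicy' >&2; _rc=1; }
    [ "$(pmsrv_field "$_out" 'Policy server type')" = primary ] \
        || { echo 'server type is not primary' >&2; _rc=1; }
    [ "$(pmsrv_field "$_out" 'Listening port for pmmasterd daemon')" = "$_port" ] \
        || { echo "pmmasterd is not listening on port $_port" >&2; _rc=1; }
    return $_rc
}

# Stand-alone run on the constructed sample. On a configured server use:
#   check_pmsrvinfo "$(pmsrvinfo)" 12345
check_pmsrvinfo "$SAMPLE_OUTPUT" 12345 && echo 'sample: primary pmpolicy server on port 12345'
```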
If you are using the whatis database and you chose to install the man pages, you may wish to recompile the database to allow users to search the documentation using keywords.
Once you have installed and configured the primary policy server, you are ready to join it to a policy group. When you join a policy server to a policy group, it enables that host to validate security privileges against a single common policy file located on the primary policy server, instead of on the host.
For Unix agents (qpm-agent), you must "join" your policy servers to the policy group using the pmjoin command.
© 2021 One Identity LLC. ALL RIGHTS RESERVED.