Chat now with support
Chat with Support

Privilege Manager for Unix 6.1 Common Documents - Administration Guide

One Identity Privileged Access Suite for Unix Introducing Privilege Manager for Unix Planning Deployment Installation and Configuration Upgrade Privilege Manager for Unix System Administration Managing Security Policy The Privilege Manager for Unix Security Policy Advanced Privilege Manager for Unix Configuration Administering Log and Keystroke Files InTrust Plug-in for Privilege Manager Troubleshooting Privilege Manager for Unix Policy File Components Privilege Manager Variables Privilege Manager for Unix Flow Control Statements Privilege Manager for Unix Built-in Functions and Procedures Privilege Manager programs Installation Packages

Hosts database

Ensure that each host on your network knows the names and IP addresses of all other hosts. This information is stored either in the /etc/hosts file on each machine, or in NIS maps or DNS files on a server. Whichever you use, ensure all host names and IP addresses are up-to-date and available.

Privilege Manager components must be able to use forward and reverse lookup of the host names and IP addresses of other components.

Reserve special user and group names

It is important for you to reserve the following special user and group names for Privilege Manager usage:

  • Users: questusr, pmpolicy
  • Groups: questgrp, pmpolicy, pmlog

The questusr account is a user service account created and used by Management Console for Unix to manage Privilege Manager policy and search event logs. It is a non-privileged account (that is, it does not require root-level permissions) that is used by the console to gather information about existing policy servers in a read-only fashion. The mangement console does not use questusr account to make changes to any configuration files. questgrp is the primary group (gid) for questusr.

The pmpolicy user is created on a primary or secondary server. It is a non-privileged service account (that is, it does not require root-level permissions) that is used to synchronize the security policy on policy servers.

The pmlog and pmpolicy groups are used to control access to log files and the security policy, respectively.

Applications and file availability

Since you can use Privilege Manager for Unix to run applications on remote machines, ensure that the applications and the files that they access are available from those machines. Typically, you can use a product such as NFS (supplied with most UNIX operating systems) to make users’ home directories and other files available in a consistent location across all computers.

Policy server daemon hosts

Privilege Manager requires that you choose a host to act as the policy server. This machine will run the pmmasterd daemon and must be available to manage requests for the whole network.

Run the policy server daemon on the most secure and reliable node. To maximize security, ensure the computer is physically inaccessible and carefully isolated from the network.

The policy server requires that the pmmasterd port (TCP/IP port 12345, by default) is available, and that PM Agent hosts joined to the policy server are able to communicate with the policy server on this network port.

You can run multiple policy servers for redundancy and stability. Privilege Manager automatically selects an available policy server if more than one is on the network. For now, choose one machine to run pmmasterd. See pmmasterd for more information.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating