Chat now with support
Chat with Support

Privilege Manager for Unix 6.1.1 - Administration Guide for Unix

One Identity Privileged Access Suite for Unix Introducing Privilege Manager for Unix Planning Deployment Installation and Configuration Upgrade Privilege Manager for Unix System Administration Managing Security Policy The Privilege Manager for Unix Security Policy Advanced Privilege Manager for Unix Configuration Administering Log and Keystroke Files InTrust Plug-in for Privilege Manager Troubleshooting Privilege Manager for Unix Policy File Components Privilege Manager Variables Privilege Manager for Unix Flow Control Statements Privilege Manager for Unix Built-in Functions and Procedures Privilege Manager programs Installation Packages

pmlicense

Syntax
pmlicense -h 
            [-c] 
            -v [-c] 
            -v <xmlfile> [-c]  
            -l|-x <xmlfile> [-c] [-f] [-e]
            -u [s|f][-c][-d m|y][-o <outfile>][-s d|h][-t u|p|k]
            -r [e]
            -z on |off[:<pid>]
Description

The pmlicense command allows you to display current license information, update a license (an expired one or a temporary one before it expires) or create a new one. If you do not supply an option, then pmlicense displays a summary of the combined licenses configured on this host.

Options

pmlicense has the following options.

Table 59: Options: pmlicense
Option Description
-c Displays output in CSV, rather than human-readable format.
–d Filters a license report; restricting the date to either:
  • m: Only report licenses used in the past month.
  • y: Only report licenses used in the past year.
-e Does not forward the license change to the other servers in the group.
-f Does not prompt for confirmation in interactive mode.
-h Displays usage.
-l <xmlfile>

Configures the selected XML license file, and forwards it to the other servers in the policy group.

This option must be run as the root user or a member of the pmpolicy group.

-o <outfile> Sends report output to selected file rather than to the default. For csv output, the default is file: /tmp/pmlicense_report_<uid>.txt; for human-readable output, the default is stdout.
-r Regenerates and configures the default trial license, removing any configured commercial licenses, and forwards this change to the other servers in the policy group.
-s Sort the report data by either:
  • d: date (newest first)
  • h: hostname (lowest first)
-t Filters license report by client type:
  • u: Privilege Manager for Unix client
  • p: sudo policy plugin
  • k: sudo keystroke plugin
-u Displays the current license utilization on the master policy server:
  • s: Show summary of hosts licensed
  • f: Show full details of hosts licensed, with last used times
-v If you do not provide a file argument, it displays the details of the currently configured license. If you provide a file argument, it verifies the selected XML license file and displays the license details.
-x <xmlfile>

Configures the selected XML license file.

This option is deprecated, use the "-l" option instead.

Enables or disables debug tracing.

Refer to Enabling program-level tracing before using this option.

License data is updated periodically by the pmloadcheck daemon. See pmloadcheck for details.

Examples

To display current license status information, enter the following:

# pmlicense

Privilege Manager displays the current license information, noting the status of the license. The output will be similar to the following:

*** One Identity Privilege Manager *** 
*** Privilege Manager for Unix VERSION 6.n.n (nnn) *** 
*** CHECKING LICENSE ON HOSTNAME:<host>, IP address: <IP> 
*** SUMMARY OF ALL LICENSES CURRENTLY INSTALLED *** 
*License Type                                  PERMANENT 
*Commercial/Freeware License                   COMMERCIAL 
*Expiration Date                               NEVER 
*Max QPM4U Client Licenses                     1000 
*Max Sudo Policy Plugin Licenses               0 
*Max Sudo Keystroke Plugin Licenses            0 
*Authorization Policy Type permitted           ALL 
*Total QPM4U Client Licenses In Use            2 
*Total Sudo Policy Plugins Licenses in Use     0 
*Total Sudo Keystroke Plugins Licenses in Use  0

*** LICENSE DETAILS FOR PRODUCT:QPM4U 
*License Version                               1.0 
*Licensed to company                           Testing 
*Licensed Product                              QPM4U(1) 
*License Type                                  PERMANENT 
*Commercial/Freeware License                   COMMERCIAL 
*License Status                                VALID
*License Key                                   PSXG-GPRH-PIGF-QDYV 
*License tied to IP Address                    NO 
*License Creation Date                         Tue Feb 08 2012 
*Expiration Date                               NEVER 
*Number of Hosts                               1000

To update or create a new a license, enter the following at the command line:

pmlicense -l <xmldoc>

Privilege Manager displays the current license information, noting the status of the license, and then validates the information in the selected .xml file, for example:

*** One Identity Privilege Manager for Unix *** 
*** Privilege Manager for Unix VERSION 6.n.n (nnn) *** 
*** CHECKING LICENSE ON HOSTNAME:<host>, IP address:<IP> *** 
*** SUMMARY OF ALL LICENSES CURRENTLY INSTALLED *** 
*License Type                                  PERMANENT 
*Commercial/Freeware License                   COMMERCIAL 
*Expiration Date                               NEVER 
*Max QPM4U Client Licenses                     1000 
*Max Sudo Policy Plugin Licenses               0 
*Max Sudo Keystroke Plugin Licenses            0 
*Authorization Policy Type permitted           ALL 
*Total QPM4U Client Licenses In Use            2 
*Total Sudo Policy Plugins Licenses in Use     0 
*Total Sudo Keystroke Plugins Licenses in Use  0 
*** Validating license file: <xmldoc> *** 
*** LICENSE DETAILS FOR PRODUCT:QPM4U 
*License Version                               1.0 
*Licensed to company                           Testing 
*Licensed Product                              QPM4U(1) 
*License Type                                  PERMANENT 
*Commercial/Freeware License                   COMMERCIAL 
*License Status                                VALID 
*License Key                                   PNFT-FDIO-YSLX-JBBH 
*License tied to IP Address                    NO 
*License Creation Date                         Tue Feb 08 2012 
*Expiration Date                               NEVER 
*Number of Hosts                               100 
*** The selected license file (<xmldoc>) contains a valid license *** 

Would you like to install the new license? y 
Type y to update the current license. 
Archiving current license… [OK] 
*** Successfully installed new license ***

pmlist

Syntax
pmlist
Description

The pmlist command displays a list of commands the current user is permitted to run. It is only valid when using the profile-based policy.

If the server is configured to use the default profile policy, use the pmlist command to list the commands that you are permitted to run. The server evaluates all configured profiles in the policy; for those that match the submit user and host, it prints out the commands that are permitted by the profile.

pmloadcheck

Syntax
pmloadcheck -v 
               -z on | off[:<pid>] 
               -s|-p|-i [-e <interval>][-t <sec>] 
               [-c|-f][-b][ -h <master>][-t <sec>] [-a][-r]
Description

The pmloadcheck daemon runs on each host. The pmloadcheck daemon runs on Privilege Manager for Sudo policy servers. By default, every 60 minutes the daemon verifies the status of the configured policy servers. It controls load balancing and failover for connections made from the host to the configured policy servers, and on secondary servers, it sends license data to the primary server.

When the pmloadcheck daemon runs, it attempts to establish a connection with the policy servers to determine their current status. If pmloadcheck successfully establishes a session with a policy server, it is marked as online and is made available for normal client sessions. If pmloadcheck does not successfully establish a session with a policy server, it is marked as offline.

Information is gathered from a policy server each time a normal client session connects to the policy server. This information is used to determine which policy server to use the next time a session is requested. If an agent cannot establish a connection to a policy server because, for example, the policy server is offline, then this policy server is marked as offline and no more connections are submitted to this policy server until it is marked available again.

To check the current status of all configured policy servers, and display a brief summary of their status, run pmloadcheck with no options. Add the –f option to show full details of each policy server status.

Options

pmloadcheck has the following options.

Table 60: Options: pmloadcheck
Option Description

-a

Verifies the connection as if certificates were configured.

-b

Runs in batch mode.

-c

Displays output in CSV format.

-e <interval>

Sets the refresh interval (in minutes) to determine how often the pmloadcheck daemon checks the policy server status. Default = 60.

-f

Shows full details of the policy server status when verifying and displaying policy server status.

-h <master>

Selects a policy server to verify.

-i

Starts up the pmloadcheck daemon, or prompt an immediate recheck of the policy server status if it is already running.

-P

Sends SIGNUP to a running daemon.

-p

Pauses (sends SIGUSR1) to a running daemon.

-r

Reports last cached data for selected servers instead of connecting to each one.

-s

Stops the pmloadcheck daemon if it is running.

-t <sec>

Specifies a timeout (in seconds) to use for each connection.

-v

Displays the version string and exits.

Enables or disables debug tracing.

Refer to Enabling program-level tracing before using this option.

pmlocald

Syntax
pmlocald - v | [-s] [-e <filename>] [-m <polserverspec>] | -z on|off [:<pid>]
Description

The Privilege Manager local daemon (pmlocald) runs programs when instructed to do so by the appropriate policy server daemon. pmlocald is started from pmserviced.

Unless the -m option is used, it first checks the /etc/opt/quest/qpm4u/pm.settings file to determine the policy server daemons from which it is allowed to accept requests. If the request is legitimate, it then runs and manages the program.

Options

pmlocald has the following options.

Table 61: Options: pmlocald
Option Description

-e <filename>

Sends any errors to the specified file; applies only to local daemon errors.

-m <polserverspec>

Specifies the policy server daemon from which requests are accepted. polserverspec is either a host name, or a netgroup name preceded by a + or a - (+ includes the netgroup, - excludes it). You can specify polserverspec more than once.

If you use the -m option, it does not consult masterhost setting in the /etc/opt/quest/qpm4u/pm.settings file.

-s

Sends any errors generated to syslog.

-v

Displays the version number of Privilege Manager and exits.

Enables or disables tracing for this program and optionally for a currently running process.

Refer to Enabling program-level tracing before using this option.

Files

File containing Privilege Manager communication parameters, including the list of valid master hosts:

/etc/opt/quest/qpm4u/pm.settings
Related Documents