Chat now with support
Chat with Support

Privilege Manager for Unix 7.2.1 - Administration Guide

Introducing Privilege Manager for Unix Planning Deployment Installation and Configuration Upgrade Privilege Manager for Unix System Administration Managing Security Policy The Privilege Manager for Unix Security Policy Advanced Privilege Manager for Unix Configuration Administering Log and Keystroke Files InTrust Plug-in for Privilege Manager for Unix Troubleshooting Privilege Manager for Unix Policy File Components Privilege Manager for Unix Variables
Variable names Variable scope Global input variables Global output variables Global event log variables PM settings variables
Privilege Manager for Unix Flow Control Statements Privilege Manager for Unix Built-in Functions and Procedures
Environment functions Hash table functions Input and output functions LDAP functions LDAP API example List functions Miscellaneous functions Password functions Remote access functions String functions User information functions Authentication Services functions
Privilege Manager for Unix programs Installation Packages

Policy servers are failing

The primary and secondary policy servers must be able to communicate with each other and the remote hosts must be able to communicate with the policy servers in the policy group.

For example, if you run the pmloadcheck command on a policy server or PM Agent to determine that it can communicate with other policy servers in the policy group, you may get output similar to the following:

++ Checking host:myhost.example.com (10.10.181.87) ... [FAIL]

There are several possible reasons for failure:

  • Policy server host is down
  • Network outage
  • Service not running on policy server host

These are some ways to verify that the Privilege Manager for Unix service is running properly on the policy server host:

  1. To verify the policy server configuration, run
    # pmsrvinfo
  2. To verify that the service is running, enter
    # ps -ef | grep pmserviced
  3. To verify that the pmmasterd port is in a listening state on the primary policy server, enter
    # netstat -na | grep 12345
  4. To verify the service is enabled, look for the following in the Privilege Manager for Unix configuration file (/etc/opt/quest/qpm4u/pm.settings)
    pmmasterdEnabled YES
  5. To restart the service (on a Linux host), enter
    # /etc/init.d/pmserviced restart

    -Or-

    pmserviced -s
  6. Check for other communication issues, such as with your firewall, name resolution, dead network interface, and so forth.

pmgit Troubleshooting

This section describes common issues that may occur when using pmgit. Follow the instructions to troubleshoot pmgit operation.

Setting alert for syntactically incorrect policies

Since policy edits are not locally bound to the policy server when using Git policy management, syntactically incorrect policies can enter the Git repository. To address such cases, set an alert from the policy server to warn you if the policy is incorrect.

As an administrator, you can use your own alert script which pmgit tool can call if the policy syntax checking returns an error message after the synchronization between the Git policy repository and the SVN policy repository.

If an alert script is configured, the pmgit tool calls it with 2 parameters:

  • Email address from the last Git commit

  • Error message from the syntax check

Sample script

This is a sample script in bash which sends the error message to the user who initiated the last commit.

#!/bin/bash

email_address="$1"
shift
error_msg="$@"
				
/usr/sbin/sendmail -F "noreply" "${email_address}" <<EOF
subject:pmgit error
				
Syntax error occured in one of the policy files:
"${error_msg}"
EOF

To set pmgit tool to send alert messages based on your alert script, see pmgit Set.

Automatic synchronization failed

Error

After a successful Git policy management configuration and automatic update interval setting, Syslog sends the error message:

pmgit: Failed to fetch <Git:_URL>.: Permission denied, please try again. <user>@<host>: Permission denied (publickey,password)
Cause

You have not configured Git for passwordless authentication.

Effect

Automatic synchronization between Git and SVN is not working because pmgit update cannot run in the background due to a password prompt.

Solution

Configure Git to allow Git operations from the policy server towards the remote repository.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating