
Privilege Manager for Unix 7.3 - Administration Guide


Configuring Network Address Translation (NAT)

To configure Privilege Manager for Unix to allow the use of Network Address Translation (NAT), you must add both the external and the internal IP address of the firewall to the tunnelrunhosts list in the /etc/opt/quest/qpm4u/pm.settings file.

For more information about modifying the Privilege Manager for Unix configuration settings, see PM settings variables.

Configuring Kerberos encryption

You can configure Privilege Manager for Unix to use Kerberos encryption to authenticate and to exchange encryption key information.

To configure Privilege Manager for Unix to use Kerberos encryption, edit or insert the following line in the /etc/opt/quest/qpm4u/pm.settings file:

kerberos yes

Also, to use Kerberos with Privilege Manager for Unix, ensure that suitable Service Principal Names (SPNs) are registered. Using the generic host service-type, configure the SPNs like this:

host/sun17.quest.com

Substitute your own host names.

If the SPN has been registered using the fully qualified DNS name, you can abbreviate the SPNs to the service-type, such as:

host

Specify the service principal names using the mprincipal and lprincipal settings in the pm.settings file. For example, on an agent with a host name of sun17.quest.com, and an SPN registered as db_server1.quest.com, specify:

mprincipal host
lprincipal host/db_server1.quest.com

You may need to modify these other settings according to your Kerberos configuration:

Table 18: Other Kerberos configuration settings

Kerberos Setting | Description
keytab           | Location of the keytab file. Default: /etc/opt/quest/vas/host.keytab
krb5rcache       | Location of the Kerberos cache. Default: /var/tmp
krbconf          | Location of the Kerberos configuration file. Default: /etc/opt/quest/vas/vas.conf

For more information about modifying the Privilege Manager for Unix configuration settings, see PM settings variables.
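The pm.settings edits described in this and the following sections are single "keyword value" lines, so an administrator typically scripts them. The helper below is an added example, not part of the product or this guide: it sets a keyword idempotently (replacing an existing line rather than appending a duplicate), reads a keyword back, and applies the Kerberos settings from the example above, warning if the configured keytab is not readable. The file path defaults to /etc/opt/quest/qpm4u/pm.settings; the principal names are the constructed values from this section.

```shell
# Added example: idempotent pm.settings helpers. Assumes one "keyword value"
# per line, as in the settings shown in this guide.
PM_SETTINGS="${PM_SETTINGS:-/etc/opt/quest/qpm4u/pm.settings}"

# pm_set KEY VALUE [FILE]: replace every existing "KEY ..." line, else append.
pm_set() {
    key="$1"; value="$2"; file="${3:-$PM_SETTINGS}"
    [ -f "$file" ] || : > "$file"
    if awk -v k="$key" '$1 == k { found = 1 } END { exit !found }' "$file"; then
        tmp="$file.tmp.$$"
        awk -v k="$key" -v v="$value" '
            $1 == k { print k " " v; next }
            { print }' "$file" > "$tmp" && mv "$tmp" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# pm_get KEY [FILE]: print the value of KEY (the last definition wins).
pm_get() {
    key="$1"; file="${2:-$PM_SETTINGS}"
    awk -v k="$key" '$1 == k { $1 = ""; sub(/^ /, ""); val = $0 } END { print val }' "$file"
}

# Apply the Kerberos settings from this section to FILE. The principal
# names are the constructed example values used above, not real hosts.
configure_kerberos() {
    file="$1"
    pm_set kerberos yes "$file"
    pm_set mprincipal host "$file"
    pm_set lprincipal host/db_server1.quest.com "$file"
    pm_set keytab /etc/opt/quest/vas/host.keytab "$file"
    # Without a readable keytab the host cannot prove the SPN it claims.
    [ -r "$(pm_get keytab "$file")" ] || echo "warning: keytab not readable" >&2
}
```

Run configure_kerberos against a copy of pm.settings first and diff it against the live file before installing, since a mistyped principal name silently breaks Kerberos authentication.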

Configuring certificates

You can enable configurable certification for use with Privilege Manager for Unix. Configurable certification is a method of proprietary certification based on the system hardware ID, MD5 checksums and DES encryption.

Use the pmkey command to generate and install certificates. For example, to generate a new certificate and put it into the specified file, enter:

# pmkey -a <filename>

To install the newly generated certificate from the specified file, enter:

# pmkey -i <filename>

Enable configurable certification

To enable configurable certification

  1. Ensure that you have configured a Privilege Manager for Unix policy server and a Privilege Manager for Unix client.

  2. Add the following statement to the /etc/opt/quest/qpm4u/pm.settings file on each host:

    certificates YES

  3. To generate a key on the Privilege Manager for Unix policy server, enter:

    # pmkey -a <policy server filename>

    When prompted, enter a phrase or keyword.

  4. To install the key on the Privilege Manager for Unix policy server, run

    # pmkey -i <policy server filename>

    You must enter the same filename in both the -a and -i commands shown above.

  5. To generate a key on each Privilege Manager for Unix client, enter:

    # pmkey -a <client filename>

    When prompted, enter a phrase or keyword. Note: you must use the same phrase or keyword to generate the client and policy server certificates.

  6. To install the key on the Privilege Manager for Unix client, run

    # pmkey -i <client filename>

    You must enter the same filename in both the -a and -i commands shown above.

  7. Copy the key file you have created on each of the Privilege Manager for Unix clients to the Privilege Manager for Unix policy server.

  8. Copy the key file you have created on the Privilege Manager for Unix policy server to the Privilege Manager for Unix client.

    The keys are located in /etc/opt/quest/qpm4u/.qpm4u/.keyfiles/<key filename>.

  9. On the Privilege Manager for Unix policy server, enter:

    # pmkey -i <client filename>

  10. On the Privilege Manager for Unix client, enter:

    # pmkey -i <policy server filename>

    Configurable certification is now enabled.

    By default, pmkey certifies the pass phrase when installing the keyfile for other hosts. If you do not want pmkey to certify the pass phrase when installing the keyfile for other hosts, use -f in the pmkey -i command, like this:

    # pmkey -i <keyfile> -f