Chat now with support
Chat with Support

Safeguard Authentication Services 4.1.5 - Installation Guide

One Identity Privileged Access Suite for Unix Introducing One Identity Authentication Services Installing and configuring Authentication Services Installing and joining from the Unix command line Getting started with Authentication Services Troubleshooting Enterprise package deployment

Profile hosts

Profiling imports information about the host, including local users and groups, into the mangement console. It is a read-only operation and no changes are made to the host during the profiling operation. Profiling does not require elevated privileges.

To profile hosts

  1. Select one or more hosts on the All Hosts view and click Profile from the Prepare panel of the tool bar, or open the Profile menu and choose Profile.
  2. In the Profile Host dialog, enter user credentials to access the host(s).

    If you selected multiple hosts, you are asked if you want to use the same credentials for all the hosts (default) or enter different credentials for each host.

  3. If you selected multiple hosts and the Use the same credentials for all selected hosts option, enter the following information:
    1. Enter the user name and password to log onto the selected host(s).
    2. Optionally enter the SSH port to use. It uses port 22 by default.
    3. To save the credentials entered for the host, select the Save my credentials on the server option.

      Once saved, the mangement console uses these credentials to access the host during this and subsequent sessions.

    Note: If you do not save a password to the server, the user name and password fields will be blank the first time the mangement console needs credentials to complete a task on the host during a log on session. Once entered, the mangement console caches the user name and password and reuses these credentials during the current session, and pre-populates the user name and password fields in subsequent tasks during the current log on session.

    If you choose to save a host's credentials to the server, the mangement console encrypts the credentials and saves them in the Java keystore. Saved user names and passwords persist across log on sessions, and when needed, the mangement console pre-populates the user name and password fields each subsequent time it needs them to perform a task. (For more information, see Caching Unix Host Credentials in the online Help.)

  4. If you selected multiple hosts and the Enter different credentials for each selected host option, a grid displays allowing you to enter different credentials and specify different settings for each host.
    1. To enter different credentials, place your cursor in the Username and Password columns to the right of the Host column and enter the credentials to use.
    2. To change the SSH port for a host, place your cursor in the SSH Port column and enter the new SSH port number.
    3. To save the credentials entered for a host, select the check box in the Save column.
  5. If you want the mangement console to prompt you to review and accept new SSH keys for the selected hosts (that do not have previously cached SSH keys), clear the Automatically accept SSH keys option before you click OK.

    Note: When profiling one or more hosts, you must accept at least one key before continuing. The mangement console only profiles hosts with accepted keys.

    By default the Automatically accept SSH keys option is checked. This enables the mangement console to automatically accept SSH key for all selected hosts that do not have a previously cached key. When it accepts the key, the console adds it to the accepted-keys cache on the Management Console for Unix server. If you clear the Automatically accept SSH keys option, when the mangement console encounters a modified key, it opens the Validate Host SSH Keys dialog, allowing you to manually accept keys that are encountered. Once you have manually verified the fingerprint, the console adds the SSH host key(s) to the accepted-keys cache.

    Note: Once you profile a host, all future tasks that involve an SSH connection will verify the SSH host key against the accepted-keys cache. When profiling, if the console encounters a modified key, the profile task prompts you to accept new/changed key(s). When performing any other SSH action, other than profile, if the console encounters a different SSH key, the task will fail. To update the accepted-keys cache for the host, you can either profile/reprofile the host, accept the new key, and try the task again. Or, you can import a new SSH host key from the host's properties or from the All Hosts view. (See Import SSH Host Key or Managing SSH Host Keys in the online help for more information.)

A progress bar displays in the Task Progress pane. The final status of the task displays, including any failures or advisories encountered.

Profile automatically

To keep the Management Console for Unix database up to date with accurate information about users, groups, and One Identity products, you can configure the mangement console to profile hosts automatically.

BEST PRACTICE: Configure newly added hosts for auto-profiling before you perform any other actions so that the mangement console dynamically updates user and group information. (See UID or GID Conflicts in online Help.)

Configuring a host for auto-profiling sets up a cron job on the client that runs every five minutes. If it detects changes on the host, it triggers a profile operation.

The cron job detects changes to the following:

  • local users, groups, or shells
  • installed Authentication Services or Privilege Manager software
  • Authentication Services access control lists
  • Authentication Services mapped user information
  • Privilege Manager configuration
  • Authentication Services configuration
  • Privilege Manager licenses

The cron job also sends a heartbeat every day. This updates the Last profiled date displayed on the host properties. If the Last profiled date is more than 24 hours old, the host icon changes to to indicate no heartbeat.

To configure automatic profiling

  1. Select one or more hosts on the All Hosts view, open the Profile menu from the Prepare panel of the tool bar, and choose Profile Automatically.

    Note: The Profile Automatically option is only available for multiple hosts if all hosts are in the same ‘Auto-profile’ state; that is, they all have ‘Auto-profile’ turned on, or they all have ‘Auto-profile’ turned off.

  2. In the Profile Automatically dialog, select the Profile the host automatically option.
  3. Choose the user account you want to use for profiling, either:
    • Create a user service account on the host

      When you choose to create the user service account on the host, if it does not already exist, the mangement console, does the following:

      1. Creates "questusr", the user service account, and a corresponding "questgrp" group on the host that the mangement console uses for automatic profiling.
      2. Adds questusr as an implicit member of questgrp.

      -OR-

    • Use an existing user account (user must exist on all selected hosts)

      (Click Select to browse for a user.)

  4. Click OK on the Profile Automatically dialog.

    Whether you choose to create the user service account or use an existing user account, the mangement console,

    • Adds the user account (the "questusr" or your existing user account) to the cron.allow file, if necessary. For example, the console takes no action if the cron.allow file does not already exist, but there is a cron.deny file:
      cron.allow cron.deny Console’s action Resultant User Access
      NO NO Creates cron.allow and adds root and questusr to it Both root and questusr have access.
      NO YES No action All users have access except those in cron.deny; questusr has access unless explicitly denied.
      YES NO Adds questusr to cron.allow Users in cron.allow have access.
      YES YES Adds questusr to cron.allow Users in cron.allow have access unless in cron.deny.
    • Adds the auto-profile SSH key to questusr's authorized_keys, /var/opt/quest/home/questusr/.ssh/authorized_keys.
    • Verifies the service account user can login to the host.

    Note: If you receive an error message saying you could not log in with the user service account, please refer to Service Account Login Fails in online Help to troubleshooting this issue.

    The questusr account is a non-privileged account that does not require root-level permissions. This account is used by the console to gather information about existing user and groups in a read-only fashion, however, the mangement console does not use questusr account to make changes to any configuration files.

    If questusr is inadvertently deleted from the console, the console turns ‘Auto-profiling’ off.

    To recreate the "questusr" account

    1. Re-profile the host.
    2. Reconfigure the host for automatic profiling.
  5. On the Log on to Host dialog, enter the user credentials to access the selected host(s) and click OK.

    Note: This task requires elevated credentials.

    If you select multiple hosts, you are asked if you want to use the same credentials for all the hosts (default) or enter different credentials for each host.

    1. If you selected multiple hosts and the Use the same credentials for all selected hosts option, enter your credentials to log on to access the selected host(s) and click OK.
    2. If you selected multiple hosts and the Enter different credentials for each selected host option, it displays a grid which allows you to enter different credentials for each host listed. Place your cursor in a cell in the grid to activate it and enter the data.

To disable automatic profiling

  1. Select one or more hosts on the All Hosts view and choose Profile Automatically.
  2. Clear the Profile the host automatically option and click OK.
  3. On the Log on to Host dialog, enter the user credentials to access the selected host(s) and click OK.

When you disable auto-profiling for a host, the mangement console,

  1. leaves the "questusr" and the corresponding "questgrp" accounts on the host, if they were previously created.
  2. leaves questusr as an implicit member of questgrp, if it exists.
  3. removes the user account (the "questusr" or your existing user account) from the cron.allow file.
  4. removes the auto-profile SSH key from that user's authorized_keys file.

Install software on hosts

Once you have successfully added and profiled one or more hosts, and checked them for AD Readiness, you can remotely deploy software products to them from the mangement console.

To install Authentication Services software on hosts

  1. Select one or more profiled hosts on the All Hosts view and click the Install Software tool bar button.

    Note: The Install Software tool bar menu is enabled when you select hosts that are profiled.

    The tool bar button will not be active if

    • You have not selected any hosts.
    • You have selected multiple hosts with different states (added, profiled, or joined).

  2. On the Install Software dialog, select the Authentication Services software products you want to install and click OK.
    • Authentication Services Agent (Required) - Select to allow Active Directory users access to selected host. Authentication Services provides centralized user and authentication management. It uses Kerberos and LDAP to provide secure data transport and an authentication framework that works with Microsoft Active Directory. Components include: vasd, nss_vas, pam_vas, and vastool.
    • Authentication Services for Group Policy (Required) - Select to install the Group Policy component which provides Active Directory Group Policy support for Unix, Linux, and Mac OS X platforms.
    • Authentication Services for NIS - Select to install the NIS Proxy component which provides the NIS compatibility features for Authentication Services. vasyp is a NIS daemon that acts as a ypserv replacement on each host.
    • Authentication Services for LDAP - Select to install the LDAP Proxy component which provides a way for applications that use LDAP bind to authenticate users to Active Directory without using secure LDAP (LDAPS). Instead of sending LDAP traffic directly to Active Directory domain controllers, you can configure applications to send plain text LDAP traffic to vasldapd by means of the loopback interface. vasldapd proxies these requests to Active Directory using Kerberos as the security mechanism.
    • Dynamic DNS Updater - Select to install the Dynamic DNS Updater component which provides a way to dynamically update host records in DNS and can be triggered by DHCP updates.
    • Defender PAM Module - Select to install the Defender authentication components for PAM based Unix/Linux systems. Includes PAM module, documentation and utilities to appropriately configure the PAM subsystem for Active Directory/Defender OTP authentication.

    Note: You must install the Authentication Services Agent and the Group Policy packages.

    Note: If you do not see all of these software packages, verify the path to the software packages is correctly set in System Settings. (Refer to Set the Authentication Services Client Software Location on the Server in the mangement console online help for details.)

  3. On the Log on to Host dialog, enter the user credentials to access the selected host(s) and click OK.

    Note: This task requires elevated credentials.

    If you selected multiple hosts, it asks whether you want to use the same credentials for all the hosts (default) or enter different credentials for each host.

    1. If you selected multiple hosts and the Use the same credentials for all selected hosts option, enter your credentials to log on to access the selected host(s) and click OK.
    2. If you selected multiple hosts and the Enter different credentials for each selected host option, it displays a grid which allows you to enter different credentials for each host listed. Place your cursor in a cell in the grid to activate it and enter the data.

Check readiness

Once you install the software on your remote hosts, the mangement console allows you to perform a series of tests to verify that a host meets the minimum requirements to join an Active Directory domain. Running the readiness checks does NOT require elevated privileges.

Note: This task is only available when you are logged on as supervisor or an Active Directory account in the Manage Hosts role. (See Roles and Permissions System Settings in the mangement console online Help for more information.)

To check host(s) for Active Directory Readiness

  1. Select one or more hosts on the All Hosts view of the Hosts tab, open the Check menu from the Prepare panel of the tool bar, and choose Check for AD Readiness.
  2. In the Check AD Readiness view, enter the Active Directory domain to use for the readiness check.
  3. Enter Active Directory user credentials, and click OK.
  4. On the Log on to Host dialog, enter the user credentials to access the selected host(s) and click OK.

    If you selected multiple hosts, it asks whether you want to use the same credentials for all the hosts (default) or enter different credentials for each host.

    1. If you selected multiple hosts and the Use the same credentials for all selected hosts option, enter your credentials to log on to access the selected host(s) and click OK.
    2. If you selected multiple hosts and the Enter different credentials for each selected host option, it displays a grid which allows you to enter different credentials for each host listed. Place your cursor in a cell in the grid to activate it and enter the data.

A progress bar displays in the Task Progress pane on the All Hosts page. The final status of the task displays, including any failures or advisories encountered. To see the AD Readiness check results, open the host's property page and select the Readiness Check Results tab.

Related Documents