
Safeguard Authentication Services 4.1.5 - Management Console for Unix Administration Guide


How Management Console for Unix Works

Management Console for Unix is a JEE (Java Enterprise Edition) web application that simplifies local user and group management on Unix, Linux, and Mac systems through a "management console". You access the management console through a supported web browser.

Management Console for Unix is deployed on a web server, or more specifically, a Java Servlet container running on a Sun JRE (Java Runtime Environment) 1.6 or greater.

Figure 1: Management Console for Unix Architecture

By default, requests are secured by enforcing connections over HTTPS. Communication between the web browser and the web server is accomplished through HTTP requests over SSL. Requests from a supported web browser are sent to the web server, which processes the request and returns a response.

The web server fulfills requests by gathering data from one or more locations. These requests are filled from data found in Active Directory, the supplied database, or by collecting data from one or more Unix, Linux, and Mac systems.

The data is stored in a local database on the Management Console for Unix web server. Access to the database is accomplished through JDBC (Java Database Connectivity) technology and is secured by credential authentication (that is, only administrators have access to the Management Console for Unix data directory). Active Directory connections are made through LDAP. These LDAP connections are authenticated with a valid Active Directory user account.

Secure connections to all Unix, Linux, and Mac systems are made through the SSH protocol. Prior to exchanging SSH credentials, the system's SSH host key is compared against a known SSH host key. If the key validation is successful, an authentication attempt is performed. If the key validation determines that the system's SSH host key does not match the known SSH host key, authentication is not attempted until the known SSH host key matches the system's SSH host key.
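The host-key gate described above, as an added illustration that is not the product's own code: the presented host key is looked up in a known-host store and credentials are only exchanged on a match. The store is assumed to be in OpenSSH known_hosts format (plain and hashed host fields) purely for illustration, since this page does not document the console's own key store; the sample entries and key blobs are constructed.

```python
import base64
import hashlib
import hmac

def hash_hostname(hostname: str, salt: bytes) -> str:
    """OpenSSH-style hashed host field: |1|b64(salt)|b64(HMAC-SHA1(salt, hostname))."""
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())

def host_matches(field: str, hostname: str) -> bool:
    """True if a known_hosts host field (plain, comma-separated, or hashed) names hostname."""
    if field.startswith("|1|"):
        _, _, salt_b64, digest_b64 = field.split("|", 3)
        expected = hmac.new(base64.b64decode(salt_b64), hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, base64.b64decode(digest_b64))
    return hostname in field.split(",")

def known_key_for(hostname: str, known_hosts: str):
    """Return the (key_type, key_blob) recorded for hostname, or None if there is no entry."""
    for line in known_hosts.splitlines():
        parts = line.split()
        if len(parts) < 3 or line.lstrip().startswith("#"):
            continue  # blank, malformed, or comment line
        if host_matches(parts[0], hostname):
            return parts[1], parts[2]
    return None

def host_key_decision(hostname: str, presented_type: str, presented_blob: str, known_hosts: str) -> str:
    """Gate the credential exchange on host-key validation, as the guide describes.

    'match'    -> the known key equals the presented key; authentication may proceed.
    'mismatch' -> the keys differ; no credentials are sent until the known key is updated.
    'unknown'  -> no known key is recorded (assumed here to be treated like a mismatch).
    """
    known = known_key_for(hostname, known_hosts)
    if known is None:
        return "unknown"
    if known[0] == presented_type and hmac.compare_digest(known[1].encode(), presented_blob.encode()):
        return "match"
    return "mismatch"

# Constructed sample store: one plain entry and one hashed entry (fixed salt for determinism).
_SALT = b"\x01" * 20
KNOWN_HOSTS = "\n".join([
    "# constructed sample entries, not real keys",
    "unix01.example.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKEYFORUNIX01",
    hash_hostname("unix02.example.com", _SALT) + " ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKEYFORUNIX02",
])
```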

You can run Management Console for Unix separately in a supported web browser, or you can run the management console from within the Authentication Services Control Center. You can install it on Windows, Unix, Linux, or Mac. One Identity does not advise managing a Unix host with more than one management console, in order to avoid redundancy and inconsistencies in stored information. If you do manage the same Unix host with more than one management console, you should enable auto-profile for that host to minimize inconsistencies that may occur between instances of the management consoles.

Installing Management Console for Unix

To remotely manage local users and groups on Unix, Linux, and Mac systems with the management console, you must install a Java-based web application on a server; this application presents the "management console" inside a web browser.

The topics in this section explain how to install Management Console for Unix for the first time and how to upgrade it from an older version. They include the steps for installing and configuring the management console on a Windows, Unix, or Mac machine. These instructions assume that you are installing the management console from a product ISO.

Note: If you already have Quest Identity Manager for Unix installed and are now upgrading it, please refer to Upgrade Quest Identity Manager for Unix.

System Requirements

Prior to installing Management Console for Unix, ensure your system meets the minimum hardware and software requirements for your platform.

Table 1: System requirements
Component Requirements
Supported Windows Platforms

Can be installed on 32-bit or 64-bit editions of the following configurations:

  • Windows XP SP2 (or later)
  • Windows Vista
  • Windows 7
  • Windows 8
  • Windows Server 2003 SP1 (or later)
  • Windows Server 2008
  • Windows Server 2008 R2
  • Windows Server 2012

NOTE: When running Management Console for Unix on Windows Server 2008 R2 (or greater), functioning as a domain controller, the process must be elevated. As a best practice, One Identity does not recommend that you install or run the Windows components on Active Directory domain controllers. The recommended configuration is to install them on an administrative workstation.

The performance of some Active Directory searches may be better on:

  • 64-bit: Windows Server 2003 64-bit and above
  • 32-bit: Windows Server 2003 SP1 + hotfix* or Windows 2003 SP2 (and above)

    * Click Microsoft Support to read the Microsoft article entitled "A hotfix is available that improves the performance of programs that query Active Directory for group memberships in Windows Server 2003".

    To apply this hotfix, you must have Windows Server 2003 Service Pack 1 (SP1 or greater) installed.

    NOTE: The x64-based versions of Windows Server 2003 already include the fixes and features that are included in Windows Server 2003 SP1. If the computer is running an x64-based version of Windows Server 2003, you do not have to install SP1.

Server Requirements

The Management Console for Unix server requires Sun JRE (Java Runtime Environment) version 1.6. Installation of the server on a Windows operating system includes a download of the 32-bit version of the 1.6 JRE for server use; Linux and Mac servers can run a 64-bit version of the 1.6 JRE.

A separate Java browser plugin may be required for the web browser. (For more information see Supported Web Browsers below.)

NOTE: Management Console for Unix:

  • is not supported on AIX
  • does not support Java 1.7

Managed Host Requirements

Click www.oneidentity.com/products/authentication-services/ to view a list of Unix, Linux, and Mac platforms that support Authentication Services.

Click www.oneidentity.com/products/privilege-manager-for-unix/ to review a list of Unix and Linux platforms that support Privilege Manager for Unix.

Click www.oneidentity.com/products/privilege-manager-for-sudo/ to review a list of Unix, Linux, and Mac platforms that support Privilege Manager for Sudo.

NOTE: To enable the Management Console for Unix server to interact with the host, you must install both an SSH server (that is, sshd) and an SSH client on each managed host. Both OpenSSH 2.5 (and higher) and Tectia SSH 5.0 (and higher) are supported.

NOTE: Management Console for Unix does not support Security-Enhanced Linux (SELinux).

Default Memory Requirement

1024 MB

NOTE: See JVM Memory Tuning Suggestions for information about changing the default memory allocation setting in the configuration file.

Supported Web Browsers

The Management Console for Unix server requires Sun JRE (Java Runtime Environment) version 1.6, but to use specific features such as the SSH to Host feature or the Policy Editors, you must install the Sun JRE browser plugin version 1.6 or greater. You can install both the Sun JRE and the Java browser plugin on the same machine. For example, if you are running the browser on the machine where the server resides, you may install both the Sun JRE 1.6 and the Java browser plugin 1.7.

Management Console for Unix officially supports the following Web browsers:

  • Microsoft Internet Explorer 7, 8, 9, and 10
  • Mozilla Firefox 3 and greater

    NOTE: Java applets may be blocked from running in Firefox 18 with older Java versions (prior to 1.7).

    See Java Applet Failures for more information.

  • Apple Safari 4 (Mac only; Windows not supported)

NOTE: One Identity recommends that you:

  • Do not open two sessions of the management console in the same browser.
  • Set your screen resolution to a minimum of 1024 x 768 for the best results.

Network Port Requirements

Management Console for Unix must be able to communicate with Active Directory including domain controllers, global catalogs and DNS servers using Kerberos, LDAP and DNS protocols. The following table summarizes the network ports that must be open and their function.

Table 2: Network ports
Port Protocol Function
22 TCP Default TCP port number used for Secure Shell (SSH) access to Unix hosts being managed by the management console.
53 TCP and UDP Used for DNS. Since Management Console for Unix uses DNS to locate domain controllers, DNS servers used by the Unix hosts must serve Active Directory DNS SRV records.
88 TCP and UDP Used for Kerberos authentication and Kerberos service ticket requests against Active Directory Domain Controllers. UDP is used by default, but TCP is also used if the Kerberos ticket is too large for UDP transport.
137 TCP and UDP Used for resolving NetBIOS names, as described in RFC 1002. UDP is tried first, with fallback to TCP.
389 TCP and UDP Used for LDAP searches against Active Directory Domain Controllers. TCP is normally used, but UDP is used when detecting the Active Directory site membership.
3268 TCP Used for LDAP searches against Active Directory global catalogs. TCP is always used when searching against the global catalog.
9001 TCP Default TCP port used internally on the loopback interface of the Management Console for Unix server for JDBC connections.
9080 TCP Non-SSL (HTTP) port number for the Management Console for Unix web server; configurable at install time.
9443 TCP Default Management Console for Unix Web server TCP port used for HTTPS; configurable at install time.