Chat now with support
Chat with Support

Safeguard Authentication Services 4.1.5 - Management Console for Unix Administration Guide

One Identity Privileged Access Suite for Unix Introducing One Identity Management Console for Unix Installing Management Console for Unix Preparing Unix Hosts Working with Host Systems Managing Local Groups Managing Local Users Active Directory Integration Authentication Services Integration Privilege Manager Integration Reporting Setting Preferences Security Troubleshooting Tips
Auto Profile Issues Active Directory Issues Auditing and Compliance Cannot Create a Service Connection Point Check Authentication Services Agent Status Commands Not Available CSV or PDF Reports Do Not Open Database Port Number Is Already in Use Elevation Is Not Working Hosts Do Not Display Import File Lists Fakepath Information Does Not Display in the Console Java Applet Failures License Info in Report is not Accurate Out of Memory Error Post Install Configuration Fails on Unix or Mac Privilege Manager Feature Issues Profile Task Never Completes questusr Account was Deleted Readiness Check Failed Recovering From a Failed Upgrade Reports Are Slow Reset the Supervisor Password Running on a Windows 2008 R2 Domain Controller Service Account Login Fails Setting Custom Configuration Settings Single Sign-on (SSO) Issues JVM Memory Tuning Suggestions Start/Stop/Restart Management Console for Unix Service Tool Bar Buttons Are Not Enabled UID or GID Conflicts
System Maintenance Command Line Utilities Web Services Database Maintenance

Check QAS Agent Status Manually

To check QAS agent status

  1. Select one or more hosts on the All Hosts view, open the Check menu from the Prepare panel of the tool bar and choose Check QAS agent status.

  2. In the Log on to Host dialog, enter the user credentials to access the selected host(s) and click OK.

    A progress bar displays in the Task Progress pane and the Host Notifications tab indicates the number of hosts with warnings or failures detected.

    Note: This task requires elevated credentials.

    If you select multiple hosts, you are asked if you want to use the same credentials for all the hosts (default) or enter different credentials for each host.

    • If you selected multiple hosts and the Use the same credentials for all selected hosts option, enter your credentials to log on to access the selected host(s) and click OK.
    • If you selected multiple hosts and the Enter different credentials for each selected host option, it displays a grid which allows you to enter different credentials for each host listed. Place your cursor in a cell in the grid to activate it and enter the data.
  3. Select the Host Notifications tab to view the reported warnings or failures.

    (See View the QAS Status Errors for details.)

Check QAS Agent Status Automatically

To have updated information about the status of Authentication Services agents, you can configure the mangement console to periodically check the QAS agent status automatically. If it detects a status change on the host, it reports the following warnings or failures to the Host Notifications tab:

  • Critical Failure
  • Failure
  • Warning

To configure the console to automatically check the QAS agent status

  1. Select one or more hosts on the All Hosts view, open the Check menu from the Prepare panel of the tool bar, and choose Check QAS agent status automatically...

    Note: This option is only available for multiple hosts if all hosts are in the same "Check QAS agent status" state; that is, they all have automatic status checking turned on, or they all have automatic status checking turned off.

  2. Select the Check status automatically option, set the frequency for the health status check, and click OK.

    Note: Use standard crontab syntax when entering Advanced schedule settings.

  3. On the Log on to Host dialog, enter the user credentials to access the selected host(s) and click OK.

    Note: This task requires elevated credentials.

    When configured for automatic checking, the QAS state column on the All Hosts view displays the icon. Then, if the server does not receive a heartbeat in over 4 hours (by default), it displays the icon. No icon in the QAS state column indicates the host is not configured to check the QAS agent status automatically.

    If you select multiple hosts, you are asked if you want to use the same credentials for all the hosts (default) or enter different credentials for each host.

    • If you selected multiple hosts and the Use the same credentials for all selected hosts option, enter your credentials to log on to access the selected host(s) and click OK.
    • If you selected multiple hosts and the Enter different credentials for each selected host option, it displays a grid which allows you to enter different credentials for each host listed. Place your cursor in a cell in the grid to activate it and enter the data.

    Note: If you receive a GID conflict error, see UID or GID Conflicts.

  4. View the QAS Agent status for each host on the Host Notification tab.

    (See View the QAS Status Errors for details.)

    When you configure a host to check the QAS agent status automatically, the mangement console,

    1. Creates "questusr" (the user service account), if it does not already exist, and, a corresponding "questgrp" group on the host that the mangement console uses for automatic QAS agent status checking.
    2. Adds questusr as an implicit member of questgrp.
    3. Adds the auto-check SSH key to questusr's authorized_keys, /var/opt/quest/home/questusr/.ssh/authorized_keys.
    4. Verifies the user service account can login to the host.
    5. Creates a Authentication Services cron job that runs QAS status according to the specified interval.

    Note: If you receive an error message saying you could not log in with the user service account, please refer to Service Account Login Fails to troubleshooting this issue.

    The questusr account is a non-privileged account that does not require root-level permissions. This account is used by the console to gather information about existing users and groups in a read-only fashion, however, the mangement console does not use the questusr account to make changes to any configuration files.

    Note: If questusr is inadvertently deleted from the console, the console will not be updated. To recreate the "questusr" account, re-configure the host for automatic QAS agent status checking.

To disable automatic status checking

  1. Select one or more hosts on the All Hosts view and choose Check QAS agent status automatically....
  2. Clear the Check status automatically option on the Check QAS Agent Status Automatically dialog and click OK.
  3. On the Log on to Host dialog, enter the user credentials to access the selected host(s) and click OK.

When you disable auto-status checking for a host, the mangement console

  1. Leaves the "questusr" and the corresponding "questgrp" accounts on the host.
  2. Leaves questusr as an implicit member of questgrp.
  3. Removes the auto-check SSH key from that user's authorized_keys file.
  4. Removes the cron job on the host.

View the QAS Status Errors

After you have checked the status of the Authentication Services hosts, you can view the reported failures or warnings on the Host Notifications tab.

To view QAS agent status

  1. From the Host Notifications tab, select the QAS Status view.

    Note: If the Host Notifications tab is not currently available on the mangement console, open the Open Views menu and choose Host Notifications.

  2. Expand the host to see the warning and failure messages.

    The QAS Status view indicates the health status of the listed Authentication Services hosts using these icons:

    • - Critical Failure
    • - Failure
    • - Warning
  3. To list only the hosts of one or more status levels
    1. Open the QAS Status state column drop-down menu, indicated with icon.
    2. Navigate to the Filters option.
    3. Choose one or more of the status levels.

    Note: The mangement console does not preserve the filter settings across log-on sessions. To clear the filter settings, click the Clear column filters button in the tool bar. If the Clear column filters button is not enabled, no status filters are set.

  4. To see the details about a particular warning or failure message, double-click it and open the Properties window.

    Note: You can also click the icon in the tool bar to show status properties.

  5. To close the status Properties window, click the Show status properties icon.
  6. To re-check the QAS agent status for a host, select any warning or failure for that host and click the Check QAS agent status button on the tool bar.

    Note: The Check QAS Status button is only available when a warning or failure is selected.

  7. To change the auto-status configuration, open the Check menu and choose Check QAS agent status automatically....

    Note: You can also right-click any warning or failure to access the two Check QAS options.

View the QAS Status Heartbeat Errors

The host sends a heartbeat every four hours by default. If the server does not receive a heartbeat in over four hours, it displays an alert on the QAS Heartbeat tab.

Note: The QAS Status Heartbeat tab only lists hosts that fail to send a heartbeat in four hours.

To view QAS agent heartbeat

  1. From the Host Notifications tab, select the QAS Status Heartbeat view.

    The QAS Status Heartbeat view shows alerts for hosts that have failed to send a QAS agent status heartbeat using this icon:

    - No heartbeat received in over 4 hours

    Note: You can customize the heartbeat interval for the automatic QAS Status update. (See Customize Auto-Task Settings for details.)

    When a host, configured for automatic checking, receives a QAS agent status heartbeat error, in addition to displaying the alert on the QAS Status Heartbeat view, it displays the icon in the Authentication Services state column on the All Hosts view.

Related Documents