
Safeguard Authentication Services 4.1.5 - Management Console for Unix Administration Guide


Configure the Primary Policy Server

The first policy server you configure is the primary policy server which holds the master copy of the policy file. Additional policy servers configured in the policy group are secondary policy servers. The primary policy server and any number of additional secondary policy servers share a common policy. Adding secondary policy servers to a policy group allows you to load-balance the authorization requests on the policy servers.

To configure a primary policy server

  1. From the All Hosts view, open the Join or Configure tool bar menu and navigate to Configure Policy Server | As Primary Policy Server....

  2. On the Configure Primary Policy Server dialog,

    1. Enter a policy group name in the text box.

      Note: When the configuration is complete, this new policy group will be automatically configured and activated in the Privilege Manager system settings. (See Configure a Service Account for details.)

    2. Choose the policy type: either sudo policy type (Privilege Manager for Sudo) or pmpolicy type (Privilege Manager for Unix).

      (See Managing Security Policy for more information about the policy types.)

  3. Click Advanced to import an existing policy and/or a license file.

    If you configure Privilege Manager for Sudo using the default sudo policy type, Privilege Manager uses a copy of the /etc/sudoers file as its initial security policy if that file exists; otherwise it creates a generic sudoers file.

    Note: When you join a Sudo Plugin to a policy server, Privilege Manager for Sudo adds the following lines to the current local sudoers file, generally found in /etc/sudoers.

    ##
    ## WARNING: Sudoers rules are being managed by QPM4Sudo
    ## WARNING: Do not edit this file, it is no longer used.
    ##
    ## Run "/opt/quest/sbin/pmpolicy edit" to edit the actual sudoers rules.
    ##

    When you unjoin the Sudo Plugin, Privilege Manager for Sudo removes those lines from the local sudoers file.

    If you configure Privilege Manager for Unix using the pmpolicy type, Privilege Manager creates a profile-based (or role-based) policy. This security policy simplifies setup and maintenance through the use of easy-to-manage profile (or role) templates.

    1. In the Import policy data from box, enter a path to the policy data to override the default and import the initial security policy from the specified location.

      For example, enter

      /tmp/pmpolicy/pm.conf
    2. In the Import license file from box, click Browse to select a product license file from the local file system.

      You can skip this step initially. Privilege Manager comes with a 30-day trial license. After 30 days, Privilege Manager continues to allow you to run ten Sudo Plugin clients without a license, but requires a license for PM Agents. (See Software & Licenses for details.)

  4. Enter the pmpolicy service account password in the Join Password box.

    Note: You will use this password when you add secondary policy servers or join remote hosts to this policy group.

  5. Select the Join agent or plugin to policy group option if you want to join the primary policy server to the policy group at this time.

    When you join a policy server to a policy group, you are indicating which policy group you want to use for policy verification. That is, you are enabling that host to validate security privileges against a single common policy file located on the primary policy server, instead of a policy file located on the local host.

    Note: Policy servers can only be joined to policy groups they host (that is, manage). You cannot join a Sudo Plugin host to a pmpolicy server group or the PM Agent host to a sudo policy server group.

    You can join the agent or plugin to the policy group later. (See Join the Host to a Policy Group for details.)

  6. On the Log on to Host dialog, enter the user credentials to access the selected host and click OK.

    This information is pre-populated if you saved the credentials for the host.

Join the Host to a Policy Group

When you join a host to a policy group, it enables that host to validate security privileges against a single common policy file located on the primary policy server, instead of on the host.

Note: To join a host to a policy group, the host must meet all of these conditions:

  • When using the sudo policy type, the selected host(s) must have Sudo 1.8.1 (or higher) and the Sudo Plugin software installed, and must already be added and profiled in the management console.
  • When using the pmpolicy type, the host must have the PM Agent software installed on it (see Install Privilege Manager Agent or Plugin Software).
  • A service account must be configured (see Configure a Service Account).
  • A policy group must be active (see Activate Policy Groups).
  • If you select multiple hosts to join, they must be of the same type (sudo or pmpolicy). However, when selecting multiple primary servers, the Join option will be disabled because each primary server belongs to a different policy group.

Policy servers can only be joined to policy groups they host (that is, manage). You cannot join a Sudo Plugin host to a pmpolicy server group or the PM Agent host to a sudo policy server group.
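As an added example (not One Identity's code or part of this guide), the following POSIX shell script performs two of the preflight checks implied by the conditions above and by the sudoers note in the primary policy server procedure: that sudo on a candidate host is at least version 1.8.1, and that the local sudoers file does not already carry the marker Privilege Manager for Sudo writes at join time, which indicates the host is already joined and its local rules are no longer used. Only the marker text and the 1.8.1 minimum come from the guide. The format of the `sudo -V` version line is an assumption, and the sudoers contents below are constructed samples written to a temporary directory; the script never reads or writes /etc/sudoers.

```shell
#!/bin/sh
# Added example, not One Identity's code: preflight checks before joining a
# host to a sudo-type policy group.
# Assumptions not taken from the guide: `sudo -V` prints "Sudo version X.Y.Z..."
# on its first line; the sudoers files used here are constructed samples.

# sudo_version_ok "SUDO_V_OUTPUT": succeed when the reported version is
# >= 1.8.1, the minimum the guide requires for a Sudo Plugin host. Fields
# are compared numerically (1.10 > 1.9) and "pN" patch suffixes are ignored.
sudo_version_ok() {
    ver=$(printf '%s\n' "$1" | sed -n '1s/^Sudo version \([0-9][0-9.]*\).*/\1/p')
    [ -n "$ver" ] || return 1
    printf '%s\n' "$ver" | awk -F. '{
        maj = $1 + 0; min = $2 + 0; pat = $3 + 0
        rc = 1
        if (maj > 1 || (maj == 1 && min > 8) || (maj == 1 && min == 8 && pat >= 1)) rc = 0
        exit rc
    }'
}

# qpm4sudo_managed FILE: succeed when FILE carries the marker that Privilege
# Manager for Sudo inserts into the local sudoers at join time. A marked file
# is no longer consulted; the live rules are held on the policy server.
qpm4sudo_managed() {
    [ -r "$1" ] && grep -q 'WARNING: Sudoers rules are being managed by QPM4Sudo' "$1"
}

# preflight_report "SUDO_V_OUTPUT" SUDOERS_PATH: print both findings and
# return 0 only when the host is eligible to join (new enough sudo, and not
# already joined).
preflight_report() {
    rc=0
    if sudo_version_ok "$1"; then
        echo "sudo version: OK (>= 1.8.1)"
    else
        echo "sudo version: too old or unparsable; join requires Sudo 1.8.1 or higher"
        rc=1
    fi
    if qpm4sudo_managed "$2"; then
        echo "$2: already managed by QPM4Sudo; local edits are ignored, edit rules on the policy server with pmpolicy edit"
        rc=1
    else
        echo "$2: not managed; host is eligible to join"
    fi
    return $rc
}

# make_sample_sudoers DIR: write two constructed sudoers samples (not taken
# from any real host) so the checks can be exercised offline.
make_sample_sudoers() {
cat > "$1/unmanaged" <<'EOF'
# Hand-maintained local sudoers (constructed sample)
root ALL=(ALL) ALL
%wheel ALL=(ALL) ALL
EOF
cat > "$1/managed" <<'EOF'
##
## WARNING: Sudoers rules are being managed by QPM4Sudo
## WARNING: Do not edit this file, it is no longer used.
##
## Run "/opt/quest/sbin/pmpolicy edit" to edit the actual sudoers rules.
##
root ALL=(ALL) ALL
EOF
}

# Demonstration on the constructed samples only; touches nothing under /etc.
demo_dir=$(mktemp -d)
make_sample_sudoers "$demo_dir"
preflight_report "Sudo version 1.8.1p2" "$demo_dir/unmanaged" || true
preflight_report "Sudo version 1.7.10p9" "$demo_dir/managed" || true
rm -rf "$demo_dir"
```

On a real candidate host you would call `preflight_report "$(sudo -V)" /etc/sudoers` before selecting it in the All Hosts view; a non-zero return means the Join to Policy Group button will either be disabled (already joined) or the join will fail on the sudo version requirement.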

To join a host to a policy group

  1. From the list on the All Hosts view, select one or more hosts that have the Privilege Manager software installed, open the Join or Configure tool bar menu, and choose Join to Policy Group.

    Note: The Join to Policy Group option is enabled when you select hosts that have the Privilege Manager software installed and are not already joined to a policy group.

    The tool bar button will not be active if

    • You have not selected any hosts.
    • You have selected hosts that are already joined.

  2. On the Policy Group tab,

    1. Select the policy group to use for the policy verification.

      The Policy group drop-down menu lists the configured policy groups with the policy server type in parentheses, either pmpolicy or sudo.

    2. Enter the pmpolicy service account password in the Join password box.

      Note: The Join password is the password for the pmpolicy service account that was set when you configured the primary server. (See Configure the Primary Policy Server for details.)

  3. On the Failover tab,

    1. Set the failover parameters, if you want to use them.

      Note: If you set the failover parameter to random order, Privilege Manager ignores the ordering of the policy servers.

    2. Set the default policy server failover order within the policy group by ordering the hosts in the Policy Server list using the up and down arrows, and click OK.

      Where there are two or more policy servers, Privilege Manager connects to the next available server in this order when it cannot connect to a policy server.

      Note: The failover order cannot be changed on a joined host. To change it, unjoin the host from the policy group and then rejoin it with the new settings.

  4. On the Log on to Host dialog, enter the user credentials to access the selected host(s) and click OK.

    Note: This task requires elevated credentials. The management console pre-populates this information if you saved the credentials for the host.

    The Task Progress pane on the All Hosts view displays a progress bar and the final status of the tasks, including any failures or advisories encountered.

Unjoin Host from Policy Group

When you unjoin a host from a policy group, the host will no longer check for privileges against the policy in the policy group.

To unjoin host(s) from the policy group

  1. Select one or more hosts that are joined to a policy group from the list on the All Hosts view.
  2. Open the Unjoin tool bar menu and choose Unjoin from Policy Group.
  3. On the Unjoin host from policy group dialog, enter your credentials to log on to the host and click OK.

    Note: This task requires elevated credentials.

Configure a Secondary Policy Server

The primary policy server is always the first server configured in the policy server group; secondary servers are subsequent policy servers set up in the policy server group to help with load balancing. The "master" copy of the policy is kept on the primary policy server.

All policy servers (primary and secondary) maintain a working copy of the security policy stored locally. The initial working copy is initialized by means of a checkout from the repository when you configure the policy server. Following this, the policy servers automatically retrieve updates as required.
