Configure Secondary Policy Server
After you install and configure a primary policy server, you are ready to configure additional policy servers for load balancing purposes.
To configure a secondary policy server
-
Check the Policy Server for configuration readiness.
(See Check Policy Server Readiness for details.)
-
Install the Privilege Manager Policy Server package on the secondary server host.
(See Install the Privilege Manager Packages for details.)
-
From the All Hosts view, open the Join or Configure tool bar menu and navigate to Configure Policy Server | As Secondary Policy Server....
-
On the Configure Secondary Policy Server dialog,
-
Choose the policy group you want to associate with the secondary policy server.
-
Enter the pmpolicy service account password in the Join password box.
Note: The Join password is the password for the pmpolicy service account that was set when the primary policy server was configured. (See Configure the Primary Policy Server for details.)
-
Select the Join agent or plugin to policy group option, if you want to join the secondary policy server to the policy group at this time.
When you join a policy server to a policy group, you are indicating which policy group you want to use for policy verification. That is, you are enabling that host to validate security privileges against a single common policy file located on the primary policy server, instead of a policy file located on the local host.
Note: Policy servers can only be joined to policy groups they host (that is, manage). You cannot join a Sudo Plugin host to a pmpolicy server group or the PM Agent host to a sudo policy server group.
You can join the server to the policy group later. (See Join the Host to a Policy Group for details.)
-
-
On the Log on to Host dialog, enter the user credentials to access the selected host and click OK.
This information is pre-populated if you saved the credentials for the host.
Install PM Agent or Sudo Plugin on a Remote Host
Once you have installed and configured the primary policy server, you are ready to install a PM Agent or Sudo Plugin on a remote host.
Related Topics
Check Client for Policy Readiness
Install Privilege Manager Agent or Plugin Software
Check Client for Policy Readiness
Check Client for Policy Readiness performs a series of tests to verify that the specified host(s) meet the minimum requirements to be joined to a policy server.
This command is only available, if
- a primary policy server is active in System Settings. (See Configure a Service Account for details.)
-AND-
- the selected host(s) are not already joined to a policy group.
|
|
Note: For the readiness check to finish successfully, the path to the Privilege Manager software packages must be correctly set in System Settings. (See Set Privilege Manager Software Path for details.) |
To check host(s) for policy readiness
-
Select one or more hosts on the All Hosts view of the Hosts tab, open the Check menu from the Prepare panel of the tool bar, and choose Check Client for Policy Readiness.
-
In the Check Client for Policy Readiness dialog, choose a policy group to use for the check and click OK.
-
On the Log on to Host dialog, enter user credentials to access the host(s) and click OK.
Note: This task requires elevated credentials.
If you select multiple hosts, you are asked if you want to use the same credentials for all the hosts (default) or enter different credentials for each host.
-
If you selected multiple hosts and the Use the same credentials for all selected hosts option, enter your credentials to log on to access the selected host(s) and click OK.
-
If you selected multiple hosts and the Enter different credentials for each selected host option, it displays a grid which allows you to enter different credentials for each host listed. Place your cursor in a cell in the grid to activate it and enter the data.
-
-
To check the results of the readiness check,
-
Right-click the host on the All Hosts view of the Hosts tab, and choose Readiness Check Results.
-
Choose Policy Readiness from the drop-down menu, if necessary.
The results of the Check Client for Policy Readiness check depend on whether you run it on a Sudo Plugin or PM Agent host.
Running the readiness check on a Sudo Plugin host performs these tests:
- Basic Network Conditions:
- Hostname is configured
- Hostname can be resolved
- Reverse lookup returns it own IP
- Policy Server Connectivity
- Hostname of policy server can be resolved
- Can ping the policy server
- Can make a connection to policy server
- Policy server is eligible for a join
- Sudo Installation
- sudo is present on the host
- sudo is in a functional state
- sudo is version 1.8.1 (or greater)
- Prerequisites to support off-line policy caching
- SSH keyscan is available
- Policy server port is available
Running the check on a PM Agent host runs these tests:
- Basic Network Conditions:
- Hostname is configured
- Hostname can be resolved
- Reverse lookup returns it own IP
- Privilege Manager for Unix Client Network Requirements
- PM Agent port is available (TCP/IP port 12346)
- Tunnel port is available (TCP/IP port 12347)
- Policy Server Connectivity
- Hostname of policy server can be resolved
- Can ping the policy server
- Can make a connection to policy server
- Policy server is eligible for a join
- Policy server can make a connection to the PM Agent on port 12346
A progress bar displays in the Task Progress pane. The final status of the task displays, including any failures or advisories encountered.
-
- If the readiness check completed with failures or advisories, correct the issue(s) and run the policy server readiness check again.
Install Privilege Manager Agent or Plugin Software
There are two Privilege Manager client software packages available to install onto a remote host that provide central policy management, granular access control reporting, as well as the ability to enable, gather, store and playback keystroke logs.
|
|
Note: Centralized policy management and keystroke logging are licensed separately. |
- Sudo Plugin is a plug-in to Sudo 1.8.1 (or higher). With the Sudo Plugin installed, when you execute a command using sudo, the plugin sends the command to the policy server for evaluation rather than to the local host. This allows you to centrally manage a sudoers policy file located on the primary policy server that is used by all the Sudo Plugin clients.
Note: Before you install the Sudo Plugin on the host, ensure the host has Sudo 1.8.1 or higher installed on it. While you can install the Sudo Plugin without Sudo 1.8.1, you cannot join the host to a policy server without it.
- Privilege Manager Agent. With the PM Agent installed, when you execute a command, the client sends the command to the policy server for evaluation rather than to the local host. This allows you to centrally manage a pmpolicy file located on the primary policy server that is used by all the PM Agent clients.
To install the Privilege Manager client software and join to a policy group
- Select one or more profiled hosts on the All Hosts view.
- Click Install Software from the Prepare panel on the All Hosts view.
Note: The Install Software tool bar menu is enabled when you select hosts that are profiled.
The tool bar button will not be active if
- You have not selected any hosts.
- You have selected hosts that are not profiled.
Note: When you install the Privilege Manager Policy Server it installs all three Privilege Manager packages on that host. However, once you have installed the Sudo Plugin onto a remote host, the mangement console will not allow you to install the PM Agent on that host; and once you have installed the PM Agent onto a remote host, the mangement console will not allow you to install the Sudo Plugin on that host.
-
On the Install Software dialog, select Sudo Plugin or Privilege Manager Agent and, optionally, select the Join option if you want to join the remote host to the policy group at this time. You can only install one package or the other.
Note: If you do not see these software packages, verify the path to the software packages is correctly set in System Settings. (Refer to Set Privilege Manager Software Path for details.)
Note: When you join a remote host to a policy group, you are indicating which policy group you want to use for policy verification. That is, you are enabling that host to validate security privileges against a single common policy file located on the primary policy server, instead of a policy file located on the local host.
You can join the remote host to the policy group later. (See Join the Host to a Policy Group for details.)
The Join process configures the host to run the Privilege Manager software with a policy group that you have previously activated in System Settings. If you have not already activated a policy group (as explained in Configure a Service Account), you can install the Privilege Manager software without "joining" the host to a policy group at this time. Later, you can use the Join to Policy Group option from the Join or Configure menu to join the host to a policy group.
-
On Join to Policy Group tab,
- Select the policy group to use for the policy verification.
- Enter the pmpolicy password in the Join password box.
The Join password is the password for the pmpolicy user that was setup when the Policy Server was configured. (See Configure the Primary Policy Server for details.)
- Set the default policy server failover order within the policy group by ordering the hosts in the Policy Server list using the up and down arrows.
Where there are two or more policy servers, Privilege Manager connects to the next available server when it cannot make a connection to a policy server.
Note: To change the failover order, unjoin the host from the policy group and then rejoin it using new settings.
- At the Install Software dialog, click OK.
-
On the Log on to Host dialog, enter your host credentials and click OK to start the installation process.
Note: This task requires elevated credentials.
The mangement console displays the version of Privilege Manager in the Version column; and, if it is joined, the name of the policy group to which the host is joined in the Status column.