Chat now with support
Chat with Support

Safeguard Authentication Services 4.1.5 - Management Console for Unix Administration Guide

One Identity Privileged Access Suite for Unix Introducing One Identity Management Console for Unix Installing Management Console for Unix Preparing Unix Hosts Working with Host Systems Managing Local Groups Managing Local Users Active Directory Integration Authentication Services Integration Privilege Manager Integration Reporting Setting Preferences Security Troubleshooting Tips
Auto Profile Issues Active Directory Issues Auditing and Compliance Cannot Create a Service Connection Point Check Authentication Services Agent Status Commands Not Available CSV or PDF Reports Do Not Open Database Port Number Is Already in Use Elevation Is Not Working Hosts Do Not Display Import File Lists Fakepath Information Does Not Display in the Console Java Applet Failures License Info in Report is not Accurate Out of Memory Error Post Install Configuration Fails on Unix or Mac Privilege Manager Feature Issues Profile Task Never Completes questusr Account was Deleted Readiness Check Failed Recovering From a Failed Upgrade Reports Are Slow Reset the Supervisor Password Running on a Windows 2008 R2 Domain Controller Service Account Login Fails Setting Custom Configuration Settings Single Sign-on (SSO) Issues JVM Memory Tuning Suggestions Start/Stop/Restart Management Console for Unix Service Tool Bar Buttons Are Not Enabled UID or GID Conflicts
System Maintenance Command Line Utilities Web Services Database Maintenance

Import Certificate to Trusted Domains on Unix or Linux

To import certificates to trusted domains on Unix or Linux platforms

  1. As root, run the following commands:
    cp server.crt /etc/ssl/certs
    cp server.key /etc/ssl/private

Disabling SSL/TLS Encryption

SSL is enabled by default. A self-signed certificate is installed but you should replace it with a valid certificate for your organization. While not recommended, it is possible to disable SSL/TLS encryption entirely.

To disable SSL/TLS encryption

  1. Add the following line to the custom.cfg file:

    -Dssl.enabled=false

    Note: All HTTPS traffic will be redirected to the HTTP port.

  2. Update any browser bookmarks to specify the HTTP port number.

Customizing HTTP and SSL/TLS Ports

To customize HTTP and SSL/TLS ports

  1. Add the following lines to the custom.cfg file:

    -Dport.https=<port>
    -Dport.http=<port>

    where <port> is any port number not already in use on the machine hosting the server and -Dport.https is for SSL ports and -Dport.http is for non-SSL port.

    Note: The Command Line utilities and Web Services do not work unless you connect with the non-secure (http) port which allows the utility to discover the secure port.

    For more information about the Command Line utilities and Web Services, refer to these links:

    See Setting Custom Configuration Settings for general information about customizing configuration settings for the mangement console.

Change Allowed Ciphers

The cipher suites used by Jetty SSL are provided by the JVM. (See Java ™ Cryptography Architecture Sun Providers Documentation.) The ciphers are used in preference order. If a vulnerability is discovered in a cipher (or if it is considered too weak to use), it is possible to include or exclude it without the need to update the JVM in jetty.xml. (See jetty:// SSL Cipher Suites or Jetty/Howto/CipherSuites for more information.)

To include or exclude the used ciphers by SSL/TLS

  1. From the installation directory, navigate to the etc directory.

    By default, the installation directory is:

    • On Windows 32-bit platforms:
      %SystemDrive%:\Program Files\Quest Software\Management Console for Unix
    • On Windows 64-bit platforms:
      %SystemDrive%:\Program Files (x86)\Quest Software\Management Console for Unix
    • On Unix/Mac platforms:
      /opt/quest/mcu
  2. From the etc directory, open the jetty.xml file for editing and do one of the following:

    • Uncomment the IncludeCipherSuites section and list the cipher suites you wish to support in the include section.
    • Uncomment the ExcludeCipherSuites section and list the cipher suites you wish to disable in the exclude section.

    Note: By default the jetty.xml file contains sample cipher suites in both the include and the exclude sections.

  3. Replace the sample ciphers in the uncommented include or exclude section of the jetty.xml file with ciphers recognized by your JVM.

    For a list of available cipher suites, visit The SunJSSE Provider.

Note: This customization is not upgradable. If you upgrade Management Console for Unix at a future date, you will have to make these changes again, as the jetty.xml file will be overwritten.

Related Documents