Safeguard Authentication Services 4.1.5 - Management Console for Unix Administration Guide

Installing and Uninstalling the Console on Windows Installing the Console From the Windows Command Line Installing and Uninstalling the Console on Unix Installing and Uninstalling the Console on Mac Installing and Uninstalling the Console From the Mac Command Line

Launching the Management Console Setup Management Console for Unix

Configure the Console for Active Directory Logon Setup Console Access by Role Identify Console Set Supervisor Password Dialog Summary Dialog

Management Console for Unix Log On Page Getting Started Tab Upgrade Quest Identity Manager for Unix

Reset Custom Configuration Settings

Upgrade Management Console for Unix

Preparing Unix Hosts

Add Host(s) to the Management Console Rename Host Profile Host(s)

Profile Hosts Automatically View the Auto-Profile Status View the Auto-Profile Heartbeat Errors

Check Readiness

Working with Host Systems

Install Software on Host(s) Using the Console Search Options

Basic Search Options Advanced Search Options Save Search Criteria Remove Saved Searches

Filter All Hosts View Content Review Host Properties Remove Host(s) from Management Console SSH to Host Import SSH Host Key

Managing Local Groups

Add Local Group Search for Groups Modify Group Properties Add Users to a Local Group Remove User from Local Group Delete Local Group Review the Local Unix Groups Report

Managing Local Users

Add Local User Search for Users Modify User Properties Modify Multiple User's Properties Reset Local User's Password System Users

Mark System Users Manually Mark Multiple System Users

Delete Local User Review the Local Unix Users Report

Active Directory Integration

Enable Active Directory Features Add an Active Directory Group Account Add an Active Directory User Account Search for Active Directory Objects View or Modify Active Directory User Properties View or Modify Active Directory Group Properties

Authentication Services Integration

Install Authentication Services Configure Active Directory for Authentication Services

Configuring Active Directory for Authentication Services About Active Directory Configuration

View the Authentication Services Agent Columns Set Authentication Services Software Path Check Host for AD Readiness

Review the Authentication Services Readiness Report

Install Authentication Services Software Packages

Upgrade Authentication Services

Join Host(s) to Active Directory

Optional Join Commands Unjoin Host from Active Directory

Configure Host Access Control Check QAS Agent Status

Check QAS Agent Status Manually Check QAS Agent Status Automatically View the QAS Status Errors View the QAS Status Heartbeat Errors

Add AD User to a Local Group Mapping Local Users to Active Directory Users

Enable Local User for AD Authentication List Local Users Required to Use AD Authentication

Test the Mapped User Login Configuring the Console to Recognize Unix Attributes in AD Unix-Enable an Active Directory Group

Review the Unix-enabled AD Groups Report

Unix-Enable an Active Directory User

Review the Unix-enabled AD Users Report

Test the Active Directory User Login

Privilege Manager Integration

Getting Started Configure a Primary Policy Server

Check Policy Server Readiness Install the Privilege Manager Packages Configure the Primary Policy Server Join the Host to a Policy Group

Unjoin Host from Policy Group

Configure a Secondary Policy Server

Configure Secondary Policy Server

Install PM Agent or Sudo Plugin on a Remote Host

Check Client for Policy Readiness Install Privilege Manager Agent or Plugin Software

Managing Security Policy

Open Policy Files

Rolling Back the Policy File

Edit Panel Commands Editing PM Policy Files

Default Roles (or Profiles) Modify Privilege Manager Role Properties

Override Role Property Defaults Role Property Variables

Add a New Privilege ManagerPrivilege Manager Role Add a New Privilege Manager Restricted Shell Role Add New Privilege Manager Role Based on an Existing Role Save Policy Files Delete Privilege Manager Role Change Policy Version Review Policy Changes Manage Role Defaults Modifying PM Policy Files With the Text Editor

Review the Access & Privileges by User Report Review the Access & Privileges by Host Report

Event Logs and Keystroke Logging

Enable Keystroke Logging Record Keystrokes List Events and Replaying Keystroke Logs

Replay Log Controls

Reporting

Run Reports Reports

Host Reports User Reports Group Reports Access & Privileges Reports Product Licenses Usage Reports

Setting Preferences

User Preferences

General User Preferences

SSH Terminal Access to Host Set Default Domain

Host Credentials User Preferences

Modify Saved Host Credentials Remove Saved Host Credentials

System Settings

General System Settings

Duplicate SSH Host Keys Set Session Timeout Mark Host System Users Automatically Console Information Settings

Publish Console to Active Directory

Change Supervisor Account Password Set Custom Privilege Elevation Commands

Console Roles and Permissions System Settings

Add (or Remove) Role Members Review the Console Access & Privileges Report

Active Directory System Settings

Active Directory Configuration

Advanced Settings Default Logon Domain

Privilege Manager System Settings

Configure a Service Account Unconfigure a Service Account Activate Policy Groups Deactivate Policy Groups Software & Licenses

Set Privilege Manager Software Path Check for Privilege Manager Licenses Privilege Manager License Alerts

Authentication Services System Settings

Set Authentication Services Software Path Authentication Services License Alerts Check for Authentication Services Licenses Import Authentication Services Licenses Configure Windows 2003 R2 Schema

Security

Management Console for Unix Server and Console

Authenticating the Supervisor User Authenticating Active Directory Users Using Windows Integrated Authentication Authenticating Active Directory Users Using a Username and Password Installing a Production Certificate

Generating a Custom SSL/TLS Certificate and Key Pair for Management Console for Unix Import Certificate to Trusted Domains on Windows and Mac Import Certificate to Trusted Domains on Unix or Linux Disabling SSL/TLS Encryption

Customizing HTTP and SSL/TLS Ports Change Allowed Ciphers

Active Directory Managed Unix Hosts

Managing SSH Host Keys Known_hosts File Format Handling Changes to SSH Host Keys Detecting Multiple Hosts With the Same Key Caching Unix Host Credentials

Security of Credential Caching

Database Security Summary of Security Recommendations

Troubleshooting Tips

Auto Profile Issues

Auto Profile Takes a Long Time Auto Profile Returns an Error

Active Directory Issues

Active Directory Connectivity Issues Unable to Configure Active Directory Active Directory is Disabled Active Directory Tasks Are Disabled

Auditing and Compliance Cannot Create a Service Connection Point Check Authentication Services Agent Status Commands Not Available CSV or PDF Reports Do Not Open Database Port Number Is Already in Use Elevation Is Not Working Hosts Do Not Display Import File Lists Fakepath Information Does Not Display in the Console Java Applet Failures

Java Control Panel

License Info in Report is not Accurate Out of Memory Error Post Install Configuration Fails on Unix or Mac Privilege Manager Feature Issues

Join to Policy Group Failed Join to Policy Group Option is Not Available Preflight Fails Because the Policy Server Port is Unavailable Policy Editor Is Not Available Policy Editor Runs Slow Policy Change Report Reports Newlines

Profile Task Never Completes questusr Account was Deleted Readiness Check Failed Recovering From a Failed Upgrade Reports Are Slow Reset the Supervisor Password Running on a Windows 2008 R2 Domain Controller Service Account Login Fails Setting Custom Configuration Settings

Customize Auto-Task Settings Enable Debug Log

Single Sign-on (SSO) Issues

Configure a Firefox Web Browser for SSO Configure an IE Web Browser for SSO Disable Single Sign-on (SPNEGO/HTTP Negotiation) Disable SSPI for Single Sign-on Enable SSO for Remote Browser Clients

JVM Memory Tuning Suggestions Start/Stop/Restart Management Console for Unix Service

Linux or Solaris Machines HP Unix (HPUX) Machine Windows Machine Mac OS X Machine

Tool Bar Buttons Are Not Enabled UID or GID Conflicts

System Maintenance

Backup Procedure Restore Procedure

Command Line Utilities

MCU PowerShell Cmdlets and Unix CLI Commands MCU PowerShell Cmdlets

Installing MCU PowerShell Cmdlets Viewing MCU PowerShell Cmdlet Help Information

Unix CLI Commands

Installing Unix CLI Packages Uninstalling Unix CLI Packages Upgrading the Unix CLI Packages

Mac CLI Commands

Installing Mac CLI Packages Installing Mac CLI Packages Using the GUI

Examples of Using Command Line Utilities

Connect to the Console Add Host to the Console Create Local Group Across all Managed Hosts Add a Local User to a Group on Each Managed Host Add Localuser to a Group on All Linux Machines Get a User on a Specific Computer Find a UID on a Computer Remove All Credentials Stored in the Console for a Specific Host Set a Local User's Password View a Group’s Membership

Web Services

Accessing the Web Services Web Services Web Services Examples

Database Maintenance

Database Location and Files Database Backup Procedure Database States

Import Certificate to Trusted Domains on Unix or Linux

Security > Management Console for Unix Server and Console > Installing a Production Certificate > Import Certificate to Trusted Domains on Unix or Linux

To import certificates to trusted domains on Unix or Linux platforms

As root, run the following commands:

cp server.crt /etc/ssl/certs
cp server.key /etc/ssl/private

Disabling SSL/TLS Encryption

Security > Management Console for Unix Server and Console > Installing a Production Certificate > Disabling SSL/TLS Encryption

SSL is enabled by default. A self-signed certificate is installed but you should replace it with a valid certificate for your organization. While not recommended, it is possible to disable SSL/TLS encryption entirely.

To disable SSL/TLS encryption

Add the following line to the custom.cfg file:
```
-Dssl.enabled=false
```
Note: All HTTPS traffic will be redirected to the HTTP port.
Update any browser bookmarks to specify the HTTP port number.

Customizing HTTP and SSL/TLS Ports

Security > Management Console for Unix Server and Console > Customizing HTTP and SSL/TLS Ports

To customize HTTP and SSL/TLS ports

Add the following lines to the custom.cfg file:

-Dport.https=<port>
-Dport.http=<port>

where <port> is any port number not already in use on the machine hosting the server and -Dport.https is for SSL ports and -Dport.http is for non-SSL port.

Note: The Command Line utilities and Web Services do not work unless you connect with the non-secure (http) port which allows the utility to discover the secure port.

For more information about the Command Line utilities and Web Services, refer to these links:

See Setting Custom Configuration Settings for general information about customizing configuration settings for the mangement console.

Change Allowed Ciphers

Security > Management Console for Unix Server and Console > Change Allowed Ciphers

The cipher suites used by Jetty SSL are provided by the JVM. (See Java ™ Cryptography Architecture Sun Providers Documentation.) The ciphers are used in preference order. If a vulnerability is discovered in a cipher (or if it is considered too weak to use), it is possible to include or exclude it without the need to update the JVM in jetty.xml. (See jetty:// SSL Cipher Suites or Jetty/Howto/CipherSuites for more information.)

To include or exclude the used ciphers by SSL/TLS

From the installation directory, navigate to the etc directory.

By default, the installation directory is:
- On Windows 32-bit platforms:
```
%SystemDrive%:\Program Files\Quest Software\Management Console for Unix
```
- On Windows 64-bit platforms:
```
%SystemDrive%:\Program Files (x86)\Quest Software\Management Console for Unix
```
- On Unix/Mac platforms:
```
/opt/quest/mcu
```
From the etc directory, open the jetty.xml file for editing and do one of the following:
- Uncomment the IncludeCipherSuites section and list the cipher suites you wish to support in the include section.
- Uncomment the ExcludeCipherSuites section and list the cipher suites you wish to disable in the exclude section.
Note: By default the jetty.xml file contains sample cipher suites in both the include and the exclude sections.
Replace the sample ciphers in the uncommented include or exclude section of the jetty.xml file with ciphers recognized by your JVM.

For a list of available cipher suites, visit The SunJSSE Provider.

Note: This customization is not upgradable. If you upgrade Management Console for Unix at a future date, you will have to make these changes again, as the jetty.xml file will be overwritten.

Please select your product:

To serve you better, please complete the Purpose of your Chat:

Recommended Solutions for Your Problem

Safeguard Authentication Services 4.1.5 - Management Console for Unix Administration Guide

Import Certificate to Trusted Domains on Unix or Linux

Disabling SSL/TLS Encryption

Customizing HTTP and SSL/TLS Ports

Change Allowed Ciphers