One Identity Privileged Access Suite for Unix
Introducing One Identity Management Console for Unix
What's New in Management Console for Unix 2.5
What Are the Core Features of the Console?
How Management Console for Unix Works
Installing Management Console for Unix
System Requirements
Installing the Management Console
Preparing Unix Hosts
Working with Host Systems
Installing and Uninstalling the Console on Windows
Installing the Console From the Windows Command Line
Installing and Uninstalling the Console on Unix
Installing and Uninstalling the Console on Mac
Installing and Uninstalling the Console From the Mac Command Line
Launching the Management Console
Setup Management Console for Unix
Configure the Console for Active Directory Logon
Setup Console Access by Role
Identify Console
Set Supervisor Password Dialog
Summary Dialog
Management Console for Unix Log On Page
Getting Started Tab
Upgrade Quest Identity Manager for Unix
Upgrade Management Console for Unix
Install Software on Host(s)
Using the Console Search Options
Filter All Hosts View Content
Review Host Properties
Remove Host(s) from Management Console
SSH to Host
Import SSH Host Key
Managing Local Groups
Add Local Group
Search for Groups
Modify Group Properties
Add Users to a Local Group
Remove User from Local Group
Delete Local Group
Review the Local Unix Groups Report
Managing Local Users
Add Local User
Search for Users
Modify User Properties
Modify Multiple User's Properties
Reset Local User's Password
System Users
Delete Local User
Review the Local Unix Users Report
Active Directory Integration
Enable Active Directory Features
Add an Active Directory Group Account
Add an Active Directory User Account
Search for Active Directory Objects
View or Modify Active Directory User Properties
View or Modify Active Directory Group Properties
Authentication Services Integration
Install Authentication Services
Configure Active Directory for Authentication Services
View the Authentication Services Agent Columns
Set Authentication Services Software Path
Check Host for AD Readiness
Install Authentication Services Software Packages
Join Host(s) to Active Directory
Configure Host Access Control
Check QAS Agent Status
Privilege Manager Integration
Check QAS Agent Status Manually
Check QAS Agent Status Automatically
View the QAS Status Errors
View the QAS Status Heartbeat Errors
Add AD User to a Local Group
Mapping Local Users to Active Directory Users
Test the Mapped User Login
Configuring the Console to Recognize Unix Attributes in AD
Unix-Enable an Active Directory Group
Unix-Enable an Active Directory User
Test the Active Directory User Login
Getting Started
Configure a Primary Policy Server
Reporting
Setting Preferences
Check Policy Server Readiness
Install the Privilege Manager Packages
Configure the Primary Policy Server
Join the Host to a Policy Group
Configure a Secondary Policy Server
Install PM Agent or Sudo Plugin on a Remote Host
Managing Security Policy
Open Policy Files
Edit Panel Commands
Editing PM Policy Files
Event Logs and Keystroke Logging
Default Roles (or Profiles)
Modify Privilege Manager Role Properties
Add a New Privilege ManagerPrivilege Manager Role
Add a New Privilege Manager Restricted Shell Role
Add New Privilege Manager Role Based on an Existing Role
Save Policy Files
Delete Privilege Manager Role
Change Policy Version
Review Policy Changes
Manage Role Defaults
Modifying PM Policy Files With the Text Editor
Review the Access & Privileges by User Report
Review the Access & Privileges by Host Report
User Preferences
System Settings
Security
General System Settings
Duplicate SSH Host Keys
Set Session Timeout
Mark Host System Users Automatically
Console Information Settings
Change Supervisor Account Password
Set Custom Privilege Elevation Commands
Console Roles and Permissions System Settings
Active Directory System Settings
Privilege Manager System Settings
Configure a Service Account
Unconfigure a Service Account
Activate Policy Groups
Deactivate Policy Groups
Software & Licenses
Authentication Services System Settings
Management Console for Unix Server and Console
Troubleshooting Tips
Authenticating the Supervisor User
Authenticating Active Directory Users Using Windows Integrated Authentication
Authenticating Active Directory Users Using a Username and Password
Installing a Production Certificate
Active Directory
Managed Unix Hosts
Generating a Custom SSL/TLS Certificate and Key Pair for Management Console for Unix
Import Certificate to Trusted Domains on Windows and Mac
Import Certificate to Trusted Domains on Unix or Linux
Disabling SSL/TLS Encryption
Customizing HTTP and SSL/TLS Ports
Change Allowed Ciphers
Managing SSH Host Keys
Known_hosts File Format
Handling Changes to SSH Host Keys
Detecting Multiple Hosts With the Same Key
Caching Unix Host Credentials
Database Security
Summary of Security Recommendations
Auto Profile Issues
Active Directory Issues
System Maintenance
Command Line Utilities
Active Directory Connectivity Issues
Unable to Configure Active Directory
Active Directory is Disabled
Active Directory Tasks Are Disabled
Auditing and Compliance
Cannot Create a Service Connection Point
Check Authentication Services Agent Status Commands Not Available
CSV or PDF Reports Do Not Open
Database Port Number Is Already in Use
Elevation Is Not Working
Hosts Do Not Display
Import File Lists Fakepath
Information Does Not Display in the Console
Java Applet Failures
License Info in Report is not Accurate
Out of Memory Error
Post Install Configuration Fails on Unix or Mac
Privilege Manager Feature Issues
Join to Policy Group Failed
Join to Policy Group Option is Not Available
Preflight Fails Because the Policy Server Port is Unavailable
Policy Editor Is Not Available
Policy Editor Runs Slow
Policy Change Report Reports Newlines
Profile Task Never Completes
questusr Account was Deleted
Readiness Check Failed
Recovering From a Failed Upgrade
Reports Are Slow
Reset the Supervisor Password
Running on a Windows 2008 R2 Domain Controller
Service Account Login Fails
Setting Custom Configuration Settings
Single Sign-on (SSO) Issues
Configure a Firefox Web Browser for SSO
Configure an IE Web Browser for SSO
Disable Single Sign-on (SPNEGO/HTTP Negotiation)
Disable SSPI for Single Sign-on
Enable SSO for Remote Browser Clients
JVM Memory Tuning Suggestions
Start/Stop/Restart Management Console for Unix Service
Tool Bar Buttons Are Not Enabled
UID or GID Conflicts
MCU PowerShell Cmdlets and Unix CLI Commands
MCU PowerShell Cmdlets
Unix CLI Commands
Mac CLI Commands
Examples of Using Command Line Utilities
Web Services
Database Maintenance
Connect to the Console
Add Host to the Console
Create Local Group Across all Managed Hosts
Add a Local User to a Group on Each Managed Host
Add Localuser to a Group on All Linux Machines
Get a User on a Specific Computer
Find a UID on a Computer
Remove All Credentials Stored in the Console for a Specific Host
Set a Local User's Password
View a Group’s Membership
Post Install Configuration Fails on Unix or Mac
If you installed Management Console for Unix on a Unix or Mac computer that has Authentication Services installed and is joined to an Active Directory domain and encountered the following error message when running the post installation configuration of the mangement console: 'Can't find domain controller for <domain>', verify your installation configuration.
To verify the installation configuration on a Mac
- Verify that DNS is valid and that the server can connect to the domain.
- Verify that you are configured for a domain in the same forest to which you are joined.
Note: If the computer is not joined to a domain, you could have configured the mangement console for any domain reachable by DNS.
- If you have Authentication Services installed, verify that the host.keytab file is valid by running the following command without error:
/opt/quest/bin/vastool -u host/ -k <path_to_keytab> info id
Note: Typically, the host.keytab file is located at: /etc/opt/quest/vas/host.keytab.
- If you recently joined or rejoined and there are multiple domain controllers in the domain, wait for the computer object to be replicated to all domain controllers in the forest.
- Verify that the clocks for the Management Console for Unix server and the Active Directory domain controller are synchronized.
Kerberos requires that the Management Console for Unix server and Active Directory domain controller clocks are within five minutes of each other.
Privilege Manager Feature Issues
Management Console for Unix integrates with Privilege Manager, including the ability to centrally manage policy. The following topics may help you resolve some of the common problems you might encounter.
- Join to Policy Group Failed
- Join to Policy Group Option is Not Available
- Preflight Fails Because the Policy Server Port is Unavailable
- Policy Editor Is Not Available
- Policy Editor Runs Slow
- Policy Change Report Reports Newlines
Join to Policy Group Failed
When you join a remote Sudo Plugin host to a policy group you are required to enter a password in the Joined password box. The Join password is the password for the pmpolicy user that was set when the qpm-server was configured. (See Configure the Primary Policy Server for details.)
If the Join operation does not recognize the pmpolicy user password, you will receive an error message with the following snippet:
Enter password for pmpolicy@<host>:
[FAIL]
- Failed to copy file using ssh.
- Error: Failed to add the host to the list of known hosts
(/var/opt/quest/qpm4u/pmpolicy/.ssh/known_hosts).
Permission denied, please try again.
Permission denied, please try again.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
** Failed to setup the required ssh access.
** The pmpolicy password is required to copy a file to the primary
** policy server.
** To complete this configuration, please rerun this command and
** provide the correct password.
Run the Join operation again entering a correct password.
Join to Policy Group Option is Not Available
Troubleshooting Tips > Privilege Manager Feature Issues > Join to Policy Group Option is Not Available
If you run the Check Client for Policy Readiness with no errors and the console indicates that the host is "Ready to join" a policy group, yet the Join to Policy Group option is not available, this topic will help you troubleshoot the issue.
To join a host to a policy group, the host must meet all of the following conditions:
- When using a sudo policy type, to join a policy group, the selected host(s) must have Sudo 1.8.1 (or higher), the Sudo Plugin software installed, and be added and profiled to the mangement console.
- When using pmpolicy type, the host must have the PM Agent software installed on it (see Install Privilege Manager Agent or Plugin Software).
- A service account must be configured on the primary policy server (see Configure a Service Account).
- A policy group must be active (see Activate Policy Groups).
- If you select multiple hosts to join, they must be of the same type (sudo or pmpolicy). However, when selecting multiple primary servers, the Join option will be disabled because each primary server belongs to a different policy group.
Once you meet these conditions, you can run the Join to Policy Group option from the Prepare panel of the All Hosts view (see Join the Host to a Policy Group for details).