Safeguard Authentication Services 4.1.5 - Management Console for Unix Administration Guide

Installing and Uninstalling the Console on Windows Installing the Console From the Windows Command Line Installing and Uninstalling the Console on Unix Installing and Uninstalling the Console on Mac Installing and Uninstalling the Console From the Mac Command Line

Launching the Management Console Setup Management Console for Unix

Configure the Console for Active Directory Logon Setup Console Access by Role Identify Console Set Supervisor Password Dialog Summary Dialog

Management Console for Unix Log On Page Getting Started Tab Upgrade Quest Identity Manager for Unix

Reset Custom Configuration Settings

Upgrade Management Console for Unix

Preparing Unix Hosts

Add Host(s) to the Management Console Rename Host Profile Host(s)

Profile Hosts Automatically View the Auto-Profile Status View the Auto-Profile Heartbeat Errors

Check Readiness

Working with Host Systems

Install Software on Host(s) Using the Console Search Options

Basic Search Options Advanced Search Options Save Search Criteria Remove Saved Searches

Filter All Hosts View Content Review Host Properties Remove Host(s) from Management Console SSH to Host Import SSH Host Key

Managing Local Groups

Add Local Group Search for Groups Modify Group Properties Add Users to a Local Group Remove User from Local Group Delete Local Group Review the Local Unix Groups Report

Managing Local Users

Add Local User Search for Users Modify User Properties Modify Multiple User's Properties Reset Local User's Password System Users

Mark System Users Manually Mark Multiple System Users

Delete Local User Review the Local Unix Users Report

Active Directory Integration

Enable Active Directory Features Add an Active Directory Group Account Add an Active Directory User Account Search for Active Directory Objects View or Modify Active Directory User Properties View or Modify Active Directory Group Properties

Authentication Services Integration

Install Authentication Services Configure Active Directory for Authentication Services

Configuring Active Directory for Authentication Services About Active Directory Configuration

View the Authentication Services Agent Columns Set Authentication Services Software Path Check Host for AD Readiness

Review the Authentication Services Readiness Report

Install Authentication Services Software Packages

Upgrade Authentication Services

Join Host(s) to Active Directory

Optional Join Commands Unjoin Host from Active Directory

Configure Host Access Control Check QAS Agent Status

Check QAS Agent Status Manually Check QAS Agent Status Automatically View the QAS Status Errors View the QAS Status Heartbeat Errors

Add AD User to a Local Group Mapping Local Users to Active Directory Users

Enable Local User for AD Authentication List Local Users Required to Use AD Authentication

Test the Mapped User Login Configuring the Console to Recognize Unix Attributes in AD Unix-Enable an Active Directory Group

Review the Unix-enabled AD Groups Report

Unix-Enable an Active Directory User

Review the Unix-enabled AD Users Report

Test the Active Directory User Login

Privilege Manager Integration

Getting Started Configure a Primary Policy Server

Check Policy Server Readiness Install the Privilege Manager Packages Configure the Primary Policy Server Join the Host to a Policy Group

Unjoin Host from Policy Group

Configure a Secondary Policy Server

Configure Secondary Policy Server

Install PM Agent or Sudo Plugin on a Remote Host

Check Client for Policy Readiness Install Privilege Manager Agent or Plugin Software

Managing Security Policy

Open Policy Files

Rolling Back the Policy File

Edit Panel Commands Editing PM Policy Files

Default Roles (or Profiles) Modify Privilege Manager Role Properties

Override Role Property Defaults Role Property Variables

Add a New Privilege ManagerPrivilege Manager Role Add a New Privilege Manager Restricted Shell Role Add New Privilege Manager Role Based on an Existing Role Save Policy Files Delete Privilege Manager Role Change Policy Version Review Policy Changes Manage Role Defaults Modifying PM Policy Files With the Text Editor

Review the Access & Privileges by User Report Review the Access & Privileges by Host Report

Event Logs and Keystroke Logging

Enable Keystroke Logging Record Keystrokes List Events and Replaying Keystroke Logs

Replay Log Controls

Reporting

Run Reports Reports

Host Reports User Reports Group Reports Access & Privileges Reports Product Licenses Usage Reports

Setting Preferences

User Preferences

General User Preferences

SSH Terminal Access to Host Set Default Domain

Host Credentials User Preferences

Modify Saved Host Credentials Remove Saved Host Credentials

System Settings

General System Settings

Duplicate SSH Host Keys Set Session Timeout Mark Host System Users Automatically Console Information Settings

Publish Console to Active Directory

Change Supervisor Account Password Set Custom Privilege Elevation Commands

Console Roles and Permissions System Settings

Add (or Remove) Role Members Review the Console Access & Privileges Report

Active Directory System Settings

Active Directory Configuration

Advanced Settings Default Logon Domain

Privilege Manager System Settings

Configure a Service Account Unconfigure a Service Account Activate Policy Groups Deactivate Policy Groups Software & Licenses

Set Privilege Manager Software Path Check for Privilege Manager Licenses Privilege Manager License Alerts

Authentication Services System Settings

Set Authentication Services Software Path Authentication Services License Alerts Check for Authentication Services Licenses Import Authentication Services Licenses Configure Windows 2003 R2 Schema

Security

Management Console for Unix Server and Console

Authenticating the Supervisor User Authenticating Active Directory Users Using Windows Integrated Authentication Authenticating Active Directory Users Using a Username and Password Installing a Production Certificate

Generating a Custom SSL/TLS Certificate and Key Pair for Management Console for Unix Import Certificate to Trusted Domains on Windows and Mac Import Certificate to Trusted Domains on Unix or Linux Disabling SSL/TLS Encryption

Customizing HTTP and SSL/TLS Ports Change Allowed Ciphers

Active Directory Managed Unix Hosts

Managing SSH Host Keys Known_hosts File Format Handling Changes to SSH Host Keys Detecting Multiple Hosts With the Same Key Caching Unix Host Credentials

Security of Credential Caching

Database Security Summary of Security Recommendations

Troubleshooting Tips

Auto Profile Issues

Auto Profile Takes a Long Time Auto Profile Returns an Error

Active Directory Issues

Active Directory Connectivity Issues Unable to Configure Active Directory Active Directory is Disabled Active Directory Tasks Are Disabled

Auditing and Compliance Cannot Create a Service Connection Point Check Authentication Services Agent Status Commands Not Available CSV or PDF Reports Do Not Open Database Port Number Is Already in Use Elevation Is Not Working Hosts Do Not Display Import File Lists Fakepath Information Does Not Display in the Console Java Applet Failures

Java Control Panel

License Info in Report is not Accurate Out of Memory Error Post Install Configuration Fails on Unix or Mac Privilege Manager Feature Issues

Join to Policy Group Failed Join to Policy Group Option is Not Available Preflight Fails Because the Policy Server Port is Unavailable Policy Editor Is Not Available Policy Editor Runs Slow Policy Change Report Reports Newlines

Profile Task Never Completes questusr Account was Deleted Readiness Check Failed Recovering From a Failed Upgrade Reports Are Slow Reset the Supervisor Password Running on a Windows 2008 R2 Domain Controller Service Account Login Fails Setting Custom Configuration Settings

Customize Auto-Task Settings Enable Debug Log

Single Sign-on (SSO) Issues

Configure a Firefox Web Browser for SSO Configure an IE Web Browser for SSO Disable Single Sign-on (SPNEGO/HTTP Negotiation) Disable SSPI for Single Sign-on Enable SSO for Remote Browser Clients

JVM Memory Tuning Suggestions Start/Stop/Restart Management Console for Unix Service

Linux or Solaris Machines HP Unix (HPUX) Machine Windows Machine Mac OS X Machine

Tool Bar Buttons Are Not Enabled UID or GID Conflicts

System Maintenance

Backup Procedure Restore Procedure

Command Line Utilities

MCU PowerShell Cmdlets and Unix CLI Commands MCU PowerShell Cmdlets

Installing MCU PowerShell Cmdlets Viewing MCU PowerShell Cmdlet Help Information

Unix CLI Commands

Installing Unix CLI Packages Uninstalling Unix CLI Packages Upgrading the Unix CLI Packages

Mac CLI Commands

Installing Mac CLI Packages Installing Mac CLI Packages Using the GUI

Examples of Using Command Line Utilities

Connect to the Console Add Host to the Console Create Local Group Across all Managed Hosts Add a Local User to a Group on Each Managed Host Add Localuser to a Group on All Linux Machines Get a User on a Specific Computer Find a UID on a Computer Remove All Credentials Stored in the Console for a Specific Host Set a Local User's Password View a Group’s Membership

Web Services

Accessing the Web Services Web Services Web Services Examples

Database Maintenance

Database Location and Files Database Backup Procedure Database States

Setting Custom Configuration Settings

Troubleshooting Tips > Setting Custom Configuration Settings

When you start the Management Console for Unix service, it reads Java Virtual Machine (JVM) system variables from a configuration file.

You can set custom configuration settings by adding system variables, one per line, to the custom.cfg file, in the form:

-Dproperty=value.

The custom.cfg file is in the application data directory:

On Windows XP/2003 Server:

%SystemDrive%:\Documents and Settings\All Users\Application Data\Quest Software\Management Console for Unix\resources

On Windows 2008 Server/Vista/7:

%SystemDrive%:\ProgramData\Quest Software\Management Console for Unix\resources

On Unix/Mac:
```
/var/opt/quest/mcu/resources
```

Here are some general tips for adding system variables to the custom.cfg file:

All system variable declarations must be on its own line:
```
-Xms512m 
-Xmx512m
```
Do not enter multiple entries on a single line like this:
```
-Xms512m -Xmx512m
```
A line preceded by a # character specifies a commented line and will be ignored.
The system variable declarations are case sensitive. Be sure to enter lines to the custom.cfg file carefully.
Restart the console service to enable the system variable declarations.

The following topics give you details about setting custom system variables:

To customize the heartbeat interval for auto-tasks, see Customize Auto-Task Settings.
To enable and generate debug logs, see Enable Debug Log.
To tune JVM memory settings, see JVM Memory Tuning Suggestions.
To disable SSL/TLS Authentication, see Disabling SSL/TLS Encryption.
To solve single sign-on issues, see Single Sign-on (SSO) Issues.

Customize Auto-Task Settings

Troubleshooting Tips > Setting Custom Configuration Settings > Customize Auto-Task Settings

Management Console for Unix uses a heartbeat to verify that the:

host system is still properly configured to send updates
current QAS status is accurate

You can customize the heartbeat interval for the automatic QAS Status update. However, if you change the heartbeat interval you must reconfigure automatic QAS agent status for all hosts previously configured.

To customize heartbeat interval

Locate the custom.cfg file.

(See Setting Custom Configuration Settings for more information about customizing configuration settings for the mangement console.)
Add the following property:
```
-Dmcu.QasStatusHeartbeatsPerDay=n
```
where n is the number of times per day. (The default is 6 times a day.)

Valid values are: 1,2,3,4,6,8,12, and 24 times a day.

The actual time of day that heartbeats are sent vary from host to host.
Save the custom.cfg file.
Restart the Management Console for Unix service.

Enable Debug Log

Troubleshooting Tips > Setting Custom Configuration Settings > Enable Debug Log

Technical Support may request that you enable and generate some debug logs for troubleshooting purposes.

To enable the debug log

Stop the Management Console for Unix service
(See Start/Stop/Restart Management Console for Unix Service for details.)
Open the custom.cfg file for editing.
(See Setting Custom Configuration Settings for general information about customizing configuration settings for the mangement console.)

Add these system variables to the custom.cfg file:

-Dlog4j.configuration=log4j-debug.xml

AND

-Djcsi.kerberos.debug=true

Save the custom.cfg file.

Start the Management Console for Unix service.

By default, the debug logs are saved in the application data directory at:

On Windows XP/Windows Server 2003:

%SystemDrive%:\Documents And Settings\All Users\Application Data\Quest Software\Management Console for Unix\logs

On Windows Vista/Windows 7:

%SystemDrive%:\ProgramData\Quest Software\Management Console for Unix\logs

On Unix/Mac platforms:
```
/var/opt/quest/mcu
```

Single Sign-on (SSO) Issues

Troubleshooting Tips > Single Sign-on (SSO) Issues

Management Console for Unix uses the host computer's Active Directory credentials to publish its address to the Control Center, perform single sign-on, and to validate a user's log on. On a Microsoft Windows server, the host computer's credentials are available by means of the Windows SSPI, but this limits Management Console for Unix to managing hosts in the same forest to which the Windows server is joined.

If you wish to use Management Console for Unix to manage a foreign domain or forest from a Windows server, then you must disable SSPI. (See Disable SSPI for Single Sign-on.) However disabling SSPI will disable single sign-on capabilities.

Note: To perform single sign-on, you must

Configure Management Console for Unix for Active Directory.
Join your Management Console for Unix server to an Active Directory domain.
If your Management Console for Unix server is on a Linux platform, you must have Authentication Services installed to join Active Directory.
Join the client host (where the browser is located) to the Active Directory domain.
Login to the browser host using an Active Directory account.

On a Unix server, Management Console for Unix looks for the host computer's credentials by searching for a Kerberos keytab file in the following default locations:

/etc/opt/quest/vas/HTTP.keytab
/etc/opt/quest/vas/host.keytab

To override the default location, set the console.keytab system property in the custom.cfg configuration file, as follows:

-Dconsole.keytab=<PropertyValue>

(See Setting Custom Configuration Settings for more information about overriding the default configuration settings.)

If Management Console for Unix cannot find host computer credentials, it will run without host credentials by relying on a correctly configured DNS to find foreign domain controllers. This means that Management Console for Unix will be unable to publish its address to the Control Center, perform single sign-on, or fully validate passwords used when logging on.

Note: When you install Management Console for Unix2.5 on Windows 8, Windows SSPI is automatically turned off because single sign-on does not currently work on Windows 8.

Please select your product:

To serve you better, please complete the Purpose of your Chat:

Recommended Solutions for Your Problem

Safeguard Authentication Services 4.1.5 - Management Console for Unix Administration Guide

Setting Custom Configuration Settings

Customize Auto-Task Settings

Enable Debug Log

Single Sign-on (SSO) Issues