Safeguard Authentication Services 4.1.5 - Upgrade Guide

Management Console for Unix log on page

Whenever you launch the mangement console, you must enter an authorized account to proceed. The Management Console for Unix features that are available depend on the account with which you log in.

To use the core version to manage local Unix users and groups and to access the mangement console system settings, you must use the supervisor account (that is, you must log on with the supervisor user name). However, to use the Active Directory features of Management Console for Unix, you must log on with an Active Directory account that has been granted access to the mangement console. That is, defined during the post-installation configuration. (See Setup Console Access by Role in online Help for details.) To add additional accounts to this access list, see Add (or Remove) Role Members in online Help for details.

To log on to the mangement console

1. Enter the user name and password and click Sign In.

   Enter:

   • the supervisor account name
   • a sAMAccountName, which uses the default domain
   • a User Principal Name in the form, username@domain

   The mangement console opens and displays the user name you specified in the upper right-hand corner of the screen.

2. To log on using a different account, click the authenticated user's login name and click Sign Out. Then sign back on using a different account.

   The Log-on page redisplays, allowing you to enter a different account.

Prepare Unix hosts

The mangement console provides a central management and reporting console for local Unix users and groups.

Using Management Console for Unix with Authentication Services not only allows you to centrally manage your hosts, but it allows you to do these additional features for managing Unix systems with Active Directory:

• Ability to remotely install Authentication Services agents, join systems to Active Directory, and implement AD-based authentication for Unix, Linux, and Mac OS X systems.
• Ability to manage access control on a single host system or across multiple hosts.
• Ability to create reports about Unix-enabled users and groups in Active Directory.
• Ability to create access control reports that show which user is permitted to log into which Unix host.

Whether you have the core version or are using the mangement console with Authentication Services, once you have successfully installed Management Console for Unix, you must first add your hosts to the console, and then profile them to gather system information. Once a host is added and profiled you can then manage users and groups on the hosts and run reports.

Add hosts to the management console

In order to manage a Unix host from the mangement console, you must first add the host. Go to the Hosts tab of the mangement console to either manually enter hosts or import them from a file.

To add hosts to the mangement console

1. Click the Add Hosts tool bar button to display the Add Hosts dialog.
2. To manually add one or more hosts, enter the FQDN, IP address, or short name of a host you want to add to the mangement console and either click the Add button or press Enter.

   Once added, the Host column displays the value you enter. The mangement console uses that value to connect to the host. You can rename the host if it has not been profiled using the Rename Host command on the Host panel of the tool bar. After a host is profiled the only way to change what is displayed in the Host column is to remove the host from the console and re-add it. For example, if you add a host by its IP address, the IP address displays in the Host column (as well as in the IP Address column); to change what is displayed in the Host column, you must use the Remove from console tool bar button to remove the host from the console; then use the Add Hosts button to re-add the client by its host name. If you had profiled the host before removing it, you will have to re-profile it after re-adding it.

3. To add hosts from a known_hosts file, click the Import button.
   1. On the Import hosts from file dialog, browse to select a .txt file containing a list of hosts to import.

      Once imported, the host addresses display in the Add Host dialog list.

      Note: The valid format for an import file is: .txt file - contains the IP address or DNS name, one per line known_hosts file - contains address algorithm hostKey (separated by a space), one entry per line (See Known_hosts File Format in the online help for more information about the supported known_hosts file format.)

4. Once you have a list of one or more hosts to add, if you do not wish to profile the host(s) at this time, clear the Profile hosts after adding option.

   Note: If you add more hosts to the list than selected in the Rows to show drop-down menu in the View panel of the tool bar, this option is disabled.

5. If you do not clear the Profile hosts after adding option on the Add Hosts dialog, when you click OK, the Profile Host dialog prompts you to enter the user credentials to access the host(s). (Refer to Profile hosts which walks you through the host profile steps.)
6. If you clear the Profile hosts after adding option on the Add Hosts dialog, when you click OK, the Add Hosts dialog closes and control returns to the mangement console.

   The mangement console lists hosts that were successfully added on the All Hosts view by the FQDN, IP address, or short name of the hosts you entered on the Add Hosts dialog.

Profile hosts

Profiling imports information about the host, including local users and groups, into the mangement console. It is a read-only operation and no changes are made to the host during the profiling operation. Profiling does not require elevated privileges.

To profile hosts

1. Select one or more hosts on the All Hosts view and click Profile from the Prepare panel of the tool bar, or open the Profile menu and choose Profile.
2. In the Profile Host dialog, enter user credentials to access the host(s).

   If you selected multiple hosts, you are asked if you want to use the same credentials for all the hosts (default) or enter different credentials for each host.

3. If you selected multiple hosts and the Use the same credentials for all selected hosts option, enter the following information:
   1. Enter the user name and password to log onto the selected host(s).
   2. Optionally enter the SSH port to use. It uses port 22 by default.
   3. To save the credentials entered for the host, select the Save my credentials on the server option.

      Once saved, the mangement console uses these credentials to access the host during this and subsequent sessions.

   Note: If you do not save a password to the server, the user name and password fields will be blank the first time the mangement console needs credentials to complete a task on the host during a log on session. Once entered, the mangement console caches the user name and password and reuses these credentials during the current session, and pre-populates the user name and password fields in subsequent tasks during the current log on session. If you choose to save a host's credentials to the server, the mangement console encrypts the credentials and saves them in the Java keystore. Saved user names and passwords persist across log on sessions, and when needed, the mangement console pre-populates the user name and password fields each subsequent time it needs them to perform a task. (For more information, see Caching Unix Host Credentials in the online Help.)

4. If you selected multiple hosts and the Enter different credentials for each selected host option, a grid displays allowing you to enter different credentials and specify different settings for each host.
   1. To enter different credentials, place your cursor in the Username and Password columns to the right of the Host column and enter the credentials to use.
   2. To change the SSH port for a host, place your cursor in the SSH Port column and enter the new SSH port number.
   3. To save the credentials entered for a host, select the check box in the Save column.
5. If you want the mangement console to prompt you to review and accept new SSH keys for the selected hosts (that do not have previously cached SSH keys), clear the Automatically accept SSH keys option before you click OK.

   Note: When profiling one or more hosts, you must accept at least one key before continuing. The mangement console only profiles hosts with accepted keys.

   By default the Automatically accept SSH keys option is checked. This enables the mangement console to automatically accept SSH key for all selected hosts that do not have a previously cached key. When it accepts the key, the console adds it to the accepted-keys cache on the Management Console for Unix server. If you clear the Automatically accept SSH keys option, when the mangement console encounters a modified key, it opens the Validate Host SSH Keys dialog, allowing you to manually accept keys that are encountered. Once you have manually verified the fingerprint, the console adds the SSH host key(s) to the accepted-keys cache.

   Note: Once you profile a host, all future tasks that involve an SSH connection will verify the SSH host key against the accepted-keys cache. When profiling, if the console encounters a modified key, the profile task prompts you to accept new/changed key(s). When performing any other SSH action, other than profile, if the console encounters a different SSH key, the task will fail. To update the accepted-keys cache for the host, you can either profile/reprofile the host, accept the new key, and try the task again. Or, you can import a new SSH host key from the host's properties or from the All Hosts view. (See Import SSH Host Key or Managing SSH Host Keys in the online help for more information.)

A progress bar displays in the Task Progress pane. The final status of the task displays, including any failures or advisories encountered.