
Safeguard Authentication Services 4.2.3 - Installation Guide


Restarting Authentication Services services

  1. The method for restarting services varies by platform:
    1. To restart Authentication Services on Linux or Oracle Solaris, enter:
      /etc/init.d/vasd restart
    2. To restart Authentication Services on HP-UX, enter:
      /sbin/init.d/vasd restart
    3. To restart Authentication Services on AIX, enter:
      stopsrc -s vasd
      startsrc -s vasd

Note: Due to library changes between Authentication Services 4.1 and 4.2, the system may need to be rebooted before all processes load the new libraries.

Uninstalling the Authentication Services agent packages

To uninstall the Authentication Services agent packages

  1. Log in and open a root shell.
  2. Run the following commands to remove the packages.

    See Additional configuration information that follows the table.

    Table 33: Authentication Services: Agent uninstall commands
    Package         Command
    RPM             # rpm -e vasclnt
    DEB             # dpkg -r vasclnt
    Oracle Solaris  # pkgrm vasclnt
    HP-UX           # swremove vasclnt
    AIX             # installp -u vasclnt
    macOS           '/<mount>/Uninstall.app/Contents/MacOS/Uninstall' --console --force vasclnt
    FreeBSD         pkg delete <package name>

Additional configuration information
  • Linux: The rpm -e vasclnt and dpkg -r vasclnt commands run scripts that halt the daemon, unconfigure Authentication Services, and flush and delete the Authentication Services cache before finally removing the files.
  • HP-UX: The swremove vasclnt command does not clean up the empty directories that the vasclnt package used. In order to clean these up, manually remove the /opt/quest directory after you uninstall.

Oracle Solaris 10 zones/containers support

Zones (or containers) were introduced in Oracle Solaris 10. Zones is a partitioning technology used to virtualize operating system services and provide an isolated and secure environment for running applications. There are two types of non-global zone root filesystem models:

  • sparse root
  • whole root

The sparse root zone model optimizes the sharing of objects while the whole root zone model provides the maximum configurability. Additional information on Oracle Solaris 10 and Zones can be found at www.sun.com.

Authentication Services and Oracle Solaris 10 Zones installation guidelines

To install Authentication Services in an Oracle Solaris 10 Zones configuration

  • In Oracle Solaris 10 Zones, only the global zone is permitted to do time synchronization. Therefore, if you want to run Authentication Services in any Oracle Solaris Zone configuration, you must synchronize the global zone's time with Active Directory. Time synchronization is a requirement of the Kerberos protocol, and because Authentication Services is built on Kerberos, it has the same requirement.
  • The same version of Authentication Services should be installed in any combination of global, whole root, and sparse root zone configurations.
  • To disable time synchronization for Authentication Services on the sparse zone, run the following command:
    vastool configure vas vasd timesync-interval 0
  • The following symlinks must exist in the global zone in order for the sparse zones to work correctly:
    • /usr/lib/security/pam_vas3.so | /opt/quest/usr/lib/security/pam_vas3.so
    • /usr/lib/security/sparcv9/pam_vas3.so | /opt/quest/usr/lib/security/sparcv9/pam_vas3.so
    If /usr is shared, you need the following symlinks in the global zone pointing to counterpart files in /opt/quest/lib:
    • /usr/lib/nss_vas4.so.1 | /opt/quest/lib/nss/nss_vas4.so.1
    • /usr/lib/security/pam_vas3.so | /opt/quest/usr/lib/security/pam_vas3.so
    In such a scenario, you do not need Authentication Services joined to a domain in the global zone in order for sparse zones to work, but the symlinks must exist.

Each zone must have its own unique copy of /etc and /var because Authentication Services stores zone-specific information in those locations. Sharing /etc and /var with the global zone is not a supported configuration.
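
To audit a global zone for the symlinks listed above, the following script checks that each link exists, points at the listed /opt/quest path, and that the target file is present. It is an added example, not part of the vendor guide; it assumes each "link | target" pair means the left path is a symlink to the right path, and the function names and the optional ROOT prefix are hypothetical.

```shell
#!/bin/sh
# Added example: audit the global-zone symlinks listed in this guide.
# Assumption: "link | target" on the page means link is a symlink to target.
# The nss_vas4.so.1 entry only applies when /usr is shared with sparse zones.
VAS_LINKS='/usr/lib/security/pam_vas3.so|/opt/quest/usr/lib/security/pam_vas3.so
/usr/lib/security/sparcv9/pam_vas3.so|/opt/quest/usr/lib/security/sparcv9/pam_vas3.so
/usr/lib/nss_vas4.so.1|/opt/quest/lib/nss/nss_vas4.so.1'

# Print the path stored in a symlink; parses ls -l so the check does not
# depend on readlink(1) being installed.
link_target() {
    ls -l "$1" 2>/dev/null | sed -n 's/^.* -> //p'
}

# check_vas_symlinks [ROOT]
# ROOT is a hypothetical prefix for auditing a mounted or test tree;
# leave it empty to check the running global zone.
# Returns the number of links that are missing, repointed, or dangling.
check_vas_symlinks() {
    root=${1:-}
    bad=0
    # The here-document keeps the loop in this shell so $bad survives it.
    while IFS='|' read -r link target; do
        path="$root$link"
        if [ ! -h "$path" ]; then
            echo "MISSING  $link (expected symlink to $target)"
            bad=$((bad + 1))
            continue
        fi
        actual=$(link_target "$path")
        if [ "$actual" != "$target" ]; then
            # A PAM or NSS module link that resolves elsewhere needs review.
            echo "MISMATCH $link -> $actual (expected $target)"
            bad=$((bad + 1))
        elif [ ! -f "$root$target" ]; then
            echo "DANGLING $link -> $target (target file not found)"
            bad=$((bad + 1))
        else
            echo "OK       $link -> $target"
        fi
    done <<EOF
$VAS_LINKS
EOF
    return "$bad"
}
```

Call check_vas_symlinks with no argument from a root shell in the global zone; a non-zero exit status is the number of links that need attention.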
