All packages shipped by One Identity come with a signature. Signature verification depends on the platform:
-
MacOS packages are signed by an Apple developer certificate.
-
Windows packages are signed by a Microsoft developer certificate.
-
Linux, FreeBSD, AIX, Solaris and HP-UX packages are signed with a PGP key.
You can find the public key at pgp.mit.edu and at keyserver.ubuntu.com.
To fetch the public key, use its id:
gpg --keyserver <keyserver> --recv C5C4EC20AFB5B8E678085F81B161CD624417450C
You can also find the same public key in the oneidentity_pgpkey.pub file. To import it, use the following command:
gpg --import oneidentity_pgpkey.pub
To verify package signature
-
Download the public key.
-
Verify the files.
-
For platforms with separate .sig file signatures, use gpg2:
gpg --verify <file>.sig <file>
-
For rpm packages, import the public key into the rpm's database:
gpg --export -a "C5C4EC20AFB5B8E678085F81B161CD624417450C" >pubkey
rpm --import pubkey
And verify with:
rpm --checksig --verbose <file>
-
For debian packages, use debsig-verify.
One Identity provides the preflight utility to check a host's suitability to run Safeguard Authentication Services by verifying a number of environmental considerations necessary for joining an Active Directory domain.
This utility obtains answers to the following questions:
- Does Safeguard Authentication Services support the host on which this utility is being run?
- Are the operating system and any patches at requisite levels?
- Is there at least one visible domain controller (DC)?
- Are global catalogs available on any of the domain controllers?
- Are all services needed by Safeguard Authentication Services available?
- Is an Safeguard Authentication Services application configuration set up on the target domain?
The preflight command-line utility performs the following verifications.
Install checks:
- Check for supported operating system and correct operating system patches.
- Check for sufficient disk space to install Safeguard Authentication Services.
Join checks:
- Check that the hostname of the system is not localhost.
- Check if the name service is configured to use DNS.
- Check resolv.conf for proper formatting of name service entries and that the host can be resolved.
- Check for a name server that has the appropriate DNS SRV records for Active Directory.
- Detect a writable domain controller with UDP port 389 open.
- Detect Active Directory site, if available.
- Check if TCP port 464 is open for Kerberos kpasswd.
- Check if UDP port 88 and TCP port 88 are open for Kerberos traffic.
- Check if TCP port 389 is open for LDAP.
- Check for a global catalog server and if TCP port 3268 is open for communication with global catalog servers.
- Check for a valid time skew against Active Directory.
- Check for the Safeguard Authentication Services application configuration in Active Directory.
Post-join checks:
- Check if TCP port 445 is open for Microsoft CIFS traffic.
You can find the preflight.sh script at the root of the ISO. This script runs the correct preflight version for your system.
The most important options and arguments to preflight are:
Note: The preflight utility does not make any changes to your system.
To run preflight
- Mount the Safeguard Authentication Services distribution media.
- Enter the following command at the root of the Safeguard Authentication Services ISO:
# ./preflight.sh -u Administrator example.com
where Administrator is your user name and example.com is the name of your domain.
By default, preflight outputs the results of the verifications for the three types of checks (Install checks, Join checks, and Post-join checks) to the console. Run the preflight utility with the --verbose option to obtain detailed information about the various checks in those categories.
The last line of the output tells you whether you are ready to continue deploying Safeguard Authentication Services.
If you did not get a Preflight Checks complete with status Success message, correct any failures indicated before continuing with the Safeguard Authentication Services installation. Be aware of any "Advisories" that it returns, as they may effect your ability to install or join.
Note: If you get a message that says, Unable to locate Safeguard Authentication Services Application Configuration, you can ignore that error for now and proceed with the Safeguard Authentication Services installation. The Safeguard Authentication Services Active Directory Configuration Wizard starts automatically to help you configure Active Directory for Safeguard Authentication Services the first time you start the Control Center. Or, you can create the Safeguard Authentication Services application configuration from the command line, as explained in Creating the application configuration from the Unix command line.
Note: For information about other preflight options, either run preflight --help or refer to the preflight man page located in the docs directory of the installation media. See Resolving preflight failures for additional help in resolving issues.
Follow the steps in this topic if you are installing a Safeguard Authentication Services 5.0.1 for the first time; that is, if you are not upgrading from VAS 3.5.
The Safeguard Authentication Services installation script, install.sh, installs Safeguard Authentication Services, joins the domain, and allows you to install licenses. You can run the install script in interactive mode by using the -i option. This provides you with a menu of valid operations to perform, including Running preflight.
You can also automate the installation process by running install.sh in "unattended" mode using -q option. In this mode you may specify a set of commands for the script to perform.
Note: For more information on the Safeguard Authentication Services installation script, run:
install.sh --help
