Processed Files List file
The Processed Files List file contains a list of files and directories for which the ownership was changed. It is produced by oat_changeowners. Backup files are saved in /var/opt/quest/oatwork.
Syntax
<file_list> ::= { <full_file_name> '(' <original_permissions> ')' <CRLF> }
<full_file_name> ::= <character> { <character> }
<original_permissions> ::= <character> { <character> }
Sample
/home/alex/work/ownertool/src/changer/test(0,0,l)
/home/alex/work/ownertool/src/changer/test/inner(0,0,l)
/home/alex/work/ownertool/src/changer/test/inner/copy_root:spartak(0,0,l)
/home/alex/work/ownertool/src/changer/test/inner/ln_masha:spartak(0,0,l)
/home/alex/work/ownertool/src/changer/test/inner/copy_masha:spartak(0,0,l)
/home/alex/work/ownertool/src/changer/test/root:spartak(0,0,l)
/home/alex/work/ownertool/src/changer/test/dup_inner(0,0,l)
/home/alex/work/ownertool/src/changer/test/dup_inner/copy_root:spartak(0,0,l)
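The grammar above can be read back for review with a short parser. This is an added example, not code shipped with oat_changeowners. It assumes that <original_permissions> never contains '(' and treats that field as an opaque string; outside_root is a hypothetical audit helper, and the last three sample records are constructed.

```python
import posixpath
from typing import List, NamedTuple, Tuple

class Entry(NamedTuple):
    path: str      # <full_file_name>
    original: str  # <original_permissions>, kept as an opaque string

def parse_line(line: str) -> Entry:
    """Parse one '<full_file_name>(<original_permissions>)' record."""
    text = line.rstrip("\r\n")
    if not text.endswith(")"):
        raise ValueError("record does not end with ')'")
    # Split on the LAST '(' so parentheses inside the file name survive.
    # Assumption: <original_permissions> itself never contains '('.
    open_idx = text.rfind("(")
    if open_idx <= 0:
        raise ValueError("missing '(' or empty file name")
    original = text[open_idx + 1:-1]
    if not original:
        raise ValueError("empty <original_permissions>")
    return Entry(text[:open_idx], original)

def parse_list(data: str) -> Tuple[List[Entry], List[Tuple[int, str]]]:
    """Return (entries, rejects); each reject is (line_number, reason)."""
    entries, rejects = [], []
    for number, line in enumerate(data.split("\n"), start=1):
        if not line.strip("\r"):
            continue  # tolerate the empty piece after the final CRLF
        try:
            entries.append(parse_line(line))
        except ValueError as exc:
            rejects.append((number, str(exc)))
    return entries, rejects

def outside_root(entries: List[Entry], root: str) -> List[str]:
    """Hypothetical audit helper: listed paths not under the expected root."""
    base = posixpath.normpath(root)
    return [e.path for e in entries
            if posixpath.normpath(e.path) != base
            and not posixpath.normpath(e.path).startswith(base + "/")]

# First two records are from the sample above; the last three are constructed.
SAMPLE = (
    "/home/alex/work/ownertool/src/changer/test(0,0,l)\r\n"
    "/home/alex/work/ownertool/src/changer/test/inner/copy_root:spartak(0,0,l)\r\n"
    "/home/alex/work/ownertool/src/changer/test/notes (old).txt(0,0,l)\r\n"
    "/home/alex/work/ownertool/src/changer/test/../other/file(0,0,l)\r\n"
    "/home/alex/work/ownertool/src/changer/test/truncated(0,0\r\n"
)
```

Rejected records are reported with their line number instead of being skipped silently, so a truncated or hand-edited list is noticed during review.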
Certificate Autoenrollment
Certificate Autoenrollment is a feature of Safeguard Authentication Services based on Microsoft Open Specifications. Certificate Autoenrollment allows macOS and Linux clients to take advantage of existing Microsoft infrastructure to automatically enroll for and install certificates. Certificate policy controls which certificates are enrolled and what properties those certificates will have.
With Certificate Autoenrollment, a public/private key pair is automatically generated according to certificate template parameters defined in Group Policy. The public key is sent to the Certification Authority (CA), and the CA responds with a new certificate corresponding to the public key, which is installed along with the private key into the appropriate system or user keychain on the Mac or Linux client.
You can use Group Policy to automatically configure which certificate enrollment policy servers to use for Certificate Autoenrollment and to periodically run Certificate Autoenrollment.
By following the instructions presented in this section, a system administrator will be able to configure new or existing systems to download certificate enrollment policy from a certificate enrollment policy server. Additionally, the systems will automatically enroll and renew certificates based on the certificate enrollment policy.
Certificate Autoenrollment is an optional package distributed with One Identity Safeguard Authentication Services. For instructions on installing this package, see the One Identity Safeguard Authentication Services Installation Guide.
Certificate Autoenrollment requirements and setup
Prior to installing One Identity Certificate Autoenrollment, ensure your system meets the following minimum hardware and software requirements.
Table 18: Certificate Autoenrollment: Minimum requirements
Java unlimited strength policy files
For more information, see Java requirement: Unlimited Strength Jurisdiction Policy Files.
Additional software
Certificate Autoenrollment depends on services provided by a Microsoft Enterprise Certificate Authority (CA) in your environment.
In addition to Active Directory and an Enterprise CA, you must install the following software in your environment:
In order for Certificate Autoenrollment to function on client computers, you must configure the following policies:
Additionally, you must configure Java 1.8 (or later) as the default JVM for your system.
NOTE: Install JRE (Java Runtime Environment) on all platforms other than macOS. macOS requires JDK (Java Development Kit). Typing java on the command line provides instructions.
- For Linux operating system, install JRE 1.8 (or later).
- For macOS (that is, your operating system tells you to get it from Oracle), install the JDK.
Rights
Enterprise Administrator rights to install software and configure Group Policy and Certificate Template policy (only if Certificate Autoenrollment is not already configured for Windows hosts in your environment).
Java requirement: Unlimited Strength Jurisdiction Policy Files
By default, most JRE and JDK implementations enforce limits on cryptographic key strengths that satisfy US export regulations. These limits are often insufficient for Certificate Autoenrollment and may lead to "java.security.InvalidKeyException: Illegal key size" failures. The "Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files" can be installed to remove these limits and enable Certificate Autoenrollment to function properly.
Do I need the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files?
In general the answer is: Yes, these files are needed.
Java 9 and above do not require these files, but Java 8 relies on these files.
Obtaining and installing the policy files
For Java implementations from IBM, the policy files are usually bundled with the JDK but not the JRE, so it may be more convenient to install the JDK rather than just the JRE. Once the JDK is installed its demo/jce/policy-files/unrestricted directory should contain two JAR files:
- local_policy.jar
- US_export_policy.jar
Use these files to replace the corresponding JAR files in the jre/lib/security directory of the JDK. Alternatively, the "Unrestricted SDK JCE policy files" can be downloaded from ibm.com.
For Java implementations from Sun, Oracle and Apple and for OpenJDK implementations, the policy files must be downloaded from Oracle. Java 8 version requires its own policy files:
This download is a zip file that includes a README.txt and two JAR files, local_policy.jar and US_export_policy.jar. Use these JAR files to replace the corresponding files in the JRE or JDK: