Safeguard for Sudo 2.0 - Administrators Guide

Installing Secondary Servers

To install the secondary server

  1. From the command line of the host designated as your secondary policy server, log on as the root user.
  2. Change to the directory containing the qpm-server package for your specific platform.

    For example, on a 64-bit Red Hat® Linux®, run:

    # cd server/linux-x86_64
  3. Run the platform-specific installer. For example, run:
    # rpm --install qpm-server-*.rpm

    NOTE: The Solaris® server has a filename that starts with QSFTpmsrv.

    When you install the qpm-server package, it installs all three Privilege Manager for Unix components on that host: the Privilege Manager Policy Server, the PM Agent, and the Sudo Plugin. You can only join a PM Agent host to a Privilege Manager policy server or a Sudo Plugin host to a sudo policy server. (See Security Policy Types for more information about policy types.)

Configuring a Secondary Server

You use the pmsrvconfig -s <primary_server> command to configure a secondary server. (See pmsrvconfig for more information about the pmsrvconfig command options.)

To configure the secondary server

  1. From the command line of the secondary server host, run:
    # pmsrvconfig -s <primary_policy_server>

    where <primary_policy_server> is the name of your primary policy server.

    pmsrvconfig prompts you for the "Join" password from the primary policy server, exchanges ssh keys for the pmpolicy service user, and updates the new secondary policy server with a copy of the master (production) policy.

    Once you have installed and configured a secondary server, you are ready to join the PM Agent or Sudo Plugin to it. (See Join Hosts to Policy Group for details.)

Verify Privilege Manager for Unix PM Agent Configuration

To verify the PM Agent configuration

  1. From the command line, run:
    # pmclientinfo

    NOTE: If you have installed the Sudo Plugin component using the qpm-plugin package, use the pmplugininfo command to verify the plugin configuration, as follows:

    # pmplugininfo

    The pmclientinfo command displays the current configuration settings. For example:

    [0][root@host1 /]# pmclientinfo
       - Joined to a policy group                 : YES
       - Name of policy group                     : polsrv1.example.com
       - Hostname of primary policy server        : polsrv1.example.com
       - Policy type configured on policy group   : pmpolicy
    [0][root@host1 /]#
    
    [0][root@host2 /]# pmplugininfo
       - Joined to a policy group                 : YES
       - Name of policy group                     : polsrv1.example.com
       - Hostname of primary policy server        : polsrv1.example.com
       - Policy type configured on policy group   : sudo
       - Pathname of compatible sudo binary       : /usr/local/bin/sudo v1.8.2
    [0][root@host2 /]#

    The PM Agent or Sudo Plugin on the secondary server host is joined to the secondary server itself. This is unique because all other PM Agent or Sudo Plugin hosts must join to the primary server.
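
A scripted version of this check, as an added example (not One Identity code): it parses the label/value lines in the output format shown above and reports a host whose join state, policy type or primary policy server differs from what you expect. The function names `get_field` and `check_join` and the expected values passed to them are assumptions for illustration.

```sh
#!/bin/sh
# Added example, not vendor code. Parses the "- <label> : <value>" lines in the
# format this page shows for pmclientinfo / pmplugininfo output.

# get_field LABEL: read info output on stdin, print the value for LABEL.
get_field() {
    awk -F' : ' -v label="$1" '
        {
            key = $1
            sub(/^[ \t]*-[ \t]*/, "", key)    # drop the leading "   - "
            sub(/[ \t]+$/, "", key)           # drop padding before " : "
            if (!found && key == label) {
                val = $2; sub(/[ \t\r]+$/, "", val); print val; found = 1
            }
        }'
}

# check_join TYPE PRIMARY: read info output on stdin, print one line per
# mismatch, return 0 only when the host is joined as expected.
check_join() {
    out=$(cat); rc=0
    joined=$(printf '%s\n' "$out" | get_field "Joined to a policy group")
    ptype=$(printf '%s\n' "$out" | get_field "Policy type configured on policy group")
    primary=$(printf '%s\n' "$out" | get_field "Hostname of primary policy server")
    [ "$joined" = "YES" ] || { echo "not joined to a policy group"; rc=1; }
    [ "$ptype" = "$1" ] || { echo "policy type is '$ptype', expected '$1'"; rc=1; }
    [ "$primary" = "$2" ] || { echo "primary is '$primary', expected '$2'"; rc=1; }
    return $rc
}

# Sample input: the two outputs shown on this page, embedded so this runs offline.
sample_agent() { cat <<'EOF'
[0][root@host1 /]# pmclientinfo
   - Joined to a policy group                 : YES
   - Name of policy group                     : polsrv1.example.com
   - Hostname of primary policy server        : polsrv1.example.com
   - Policy type configured on policy group   : pmpolicy
EOF
}
sample_plugin() { cat <<'EOF'
   - Joined to a policy group                 : YES
   - Hostname of primary policy server        : polsrv1.example.com
   - Policy type configured on policy group   : sudo
   - Pathname of compatible sudo binary       : /usr/local/bin/sudo v1.8.2
EOF
}

# A PM Agent host is expected to report the pmpolicy type; the plugin sample fails.
for s in sample_agent sample_plugin; do
    if msg=$($s | check_join pmpolicy polsrv1.example.com); then echo "$s: OK"
    else echo "$s: FAIL: $msg"; fi
done
```

On a live host, pipe the real command into the same function, for example `pmclientinfo | check_join pmpolicy <primary_policy_server>`; empty output (the command failed or is not installed) is reported as not joined.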

Load Balancing on the Client

Load balancing is handled on each client, using information that is returned from the policy server each time a session is established.

If a session cannot be established because the policy server is unavailable (or offline), that policy server is marked as unavailable, and no further pmrun sessions are sent to it until the next retry interval.

pmloadcheck runs transparently on each host to check the availability and loading of the policy server. When a policy server is marked as unavailable, pmloadcheck attempts to connect to it at intervals. If it succeeds, the policy server is marked as available and able to run Privilege Manager sessions.

To view the current status of the policy server, run the following command:

# pmloadcheck [-f]

If the policy server cannot be contacted, the last known information for this host is reported.
