To install the secondary server
For example, on a 64-bit Red Hat® Linux®, run:
# cd server/linux-x86_64
# rpm --install qpm-server-*.rpm
NOTE: The Solaris® server has a filename that starts with QSFTpmsrv.
When you install the qpm-server package, it installs all three Privilege Manager for Unix components on that host: the Privilege Manager Policy Server, the PM Agent, and the Sudo Plugin. You can only join a PM Agent host to a Privilege Manager policy server or a Sudo Plugin host to a sudo policy server. (See Security Policy Types for more information about policy types.)
You use the pmsrvconfig -s <primary_server> command to configure a secondary server. (See pmsrvconfig for more information about the pmsrvconfig command options.)
To configure the secondary server
# pmsrvconfig -s <primary_policy_server>
where <primary_policy_server> is the name of your primary policy server.
pmsrvconfig prompts you for the "Join" password from the primary policy server, exchanges ssh keys for the pmpolicy service user, and updates the new secondary policy server with a copy of the master (production) policy.
Once you have installed and configured a secondary server, you are ready to join the PM Agent or Sudo Plugin to it. (See Join Hosts to Policy Group for details.)
To verify the PM Agent configuration
# pmclientinfo
NOTE: If you have installed the Sudo Plugin component using the qpm-plugin package, use the pmplugininfo command to verify the plugin configuration, as follows:
# pmplugininfo
The pmclientinfo command displays the current configuration settings. For example:
[0][root@host1 /]# pmclientinfo
 - Joined to a policy group : YES
 - Name of policy group : polsrv1.example.com
 - Hostname of primary policy server : polsrv1.example.com
 - Policy type configured on policy group : pmpolicy
[0][root@host1 /]#

[0][root@host2 /]# pmplugininfo
 - Joined to a policy group : YES
 - Name of policy group : polsrv1.example.com
 - Hostname of primary policy server : polsrv1.example.com
 - Policy type configured on policy group : sudo
 - Pathname of compatible sudo binary : /usr/local/bin/sudo v1.8.2
[0][root@host2 /]#
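A scripted form of this check, as an added example (not One Identity's code): it parses the field labels shown in the sample output above and fails if the host is not joined to the expected policy group with the expected policy type. The function names, return codes and embedded sample are this example's own constructions.

```shell
#!/bin/sh
# Added example: check join state from pmclientinfo / pmplugininfo output.
# Field labels are taken from the sample output on this page; the function
# names and return codes are this example's own (assumptions, not product API).

# pm_field LABEL: read info output on stdin, print the value for LABEL.
pm_field() {
    awk -v want="$1" '{
        line = $0
        sub(/^[ \t]*-[ \t]*/, "", line)        # drop the leading "- "
        i = index(line, ":")                   # split at the first colon
        if (i == 0) next                       # prompt lines, blank lines
        key = substr(line, 1, i - 1)
        val = substr(line, i + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", key)       # tolerate column padding
        gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (key == want) { print val; exit }
    }'
}

# pm_check_join GROUP TYPE: read info output on stdin.
# Returns 0 if joined to GROUP with policy type TYPE, 1 if not joined,
# 2 on a policy group mismatch, 3 on a policy type mismatch.
pm_check_join() {
    info=$(cat)
    joined=$(printf '%s\n' "$info" | pm_field "Joined to a policy group")
    group=$(printf '%s\n' "$info" | pm_field "Name of policy group")
    ptype=$(printf '%s\n' "$info" | pm_field "Policy type configured on policy group")
    [ "$joined" = "YES" ] || { echo "not joined to a policy group" >&2; return 1; }
    [ "$group" = "$1" ] || { echo "unexpected policy group: $group" >&2; return 2; }
    [ "$ptype" = "$2" ] || { echo "unexpected policy type: $ptype" >&2; return 3; }
    return 0
}

# Constructed sample, copied from the pmclientinfo example on this page.
SAMPLE_AGENT=' - Joined to a policy group : YES
 - Name of policy group : polsrv1.example.com
 - Hostname of primary policy server : polsrv1.example.com
 - Policy type configured on policy group : pmpolicy'

# On a real host: pmclientinfo | pm_check_join polsrv1.example.com pmpolicy
printf '%s\n' "$SAMPLE_AGENT" | pm_check_join polsrv1.example.com pmpolicy \
    && echo "join state OK"
```

For a Sudo Plugin host, pipe pmplugininfo into the same function and pass sudo as the expected policy type.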
The PM Agent or Sudo Plugin on the secondary server is joined to the secondary server itself. This is unique because all other PM Agent or Sudo Plugin hosts must join to the primary server.
Load balancing is handled on each client, using information that is returned from the policy server each time a session is established.
If a session cannot be established because the policy server is unavailable (or offline), that policy server is marked as unavailable, and no further pmrun sessions are sent to it until the next retry interval.
pmloadcheck runs transparently on each host to check the availability and loading of the policy server. When a policy server is marked as unavailable, pmloadcheck attempts to connect to it at intervals. If it succeeds, the policy server is marked as available and able to run Privilege Manager sessions.
To view the current status of the policy server, run the following command:
# pmloadcheck [-f]
If the policy server cannot be contacted, the last known information for this host is reported.
© 2021 One Identity LLC. ALL RIGHTS RESERVED.