Chat now with support
Chat with Support

Safeguard for Sudo 2.0 - Administrators Guide

One Identity Privileged Access Suite for Unix Introducing Privilege Manager for Unix Introducing Privilege Manager for Sudo Planning Deployment Installation and Configuration
Download Privilege Manager for Unix Software Packages Download Privilege Manager for Sudo Software Packages Quick Start and Evaluation Configure a Primary Policy Server Configure a Secondary Policy Server Install PM Agent or Sudo Plugin on a Remote Host Remove Configurations
Upgrading Privilege Manager System Administration Managing Security Policy The Privilege Manager for Unix Security Policy Advanced Privilege Manager for Unix Configuration Administering Log and Keystroke Files InTrust Plug-in for Privilege Manager Troubleshooting Privilege Manager for Unix Policy File Components Privilege Manager Variables Privilege Manager for Unix Flow Control Statements Privilege Manager for Unix Built-in Functions and Procedures Privilege Manager Programs Installation Packages Unsupported Sudo Options Sudo Plugin Policy Evaluation About us

Configure a Primary Policy Server

Installation and Configuration > Configure a Primary Policy Server

The first thing you must do is install and configure the host you want to use as your primary policy server.

Check the Server for Installation Readiness

Installation and Configuration > Configure a Primary Policy Server > Check the Server for Installation Readiness

Privilege Manager for Unix comes with a Preflight program that checks to see if your system meets the install requirements.

To check for installation readiness

  1. Log on as the root user.
  2. Change to the directory containing the qpm-server package for your specific platform.

    For example, on a 64-bit Red Hat® Linux®, run:

    # cd server/linux-x86_64
  3. To ensure that the pmpreflight command is executable, run:
    # chmod 755 pmpreflight
  4. To verify your primary policy server host meets installation requirements, run:
    # sh pmpreflight.sh –-server

    NOTE: Running pmpreflight.sh –-server performs these tests:

    • Basic Network Conditions:
      • Hostname is configured
      • Hostname can be resolved
      • Reverse lookup returns it own IP
    • Privilege Manager for Unix Server Network Requirements
      • Policy server port is available (TCP/IP port 12345)
    • Privilege Manager for Unix Prerequisites
      • SSH keyscan is available
  5. Resolve any reported issues and rerun pmpreflight until all tests pass.

TCP/IP Configuration

Privilege Manager for Unix uses TCP/IP to communicate with networked computers, so it is essential that you have TCP/IP correctly configured. If you cannot use programs such as rlogin and ping to communicate between your computers, then TCP/IP is not working properly; consult your system administrator to find out why and make appropriate changes.

Ensure that your host has a statically assigned IP address and that your host name is not configured to the loopback IP address 127.0.0.1 in the /etc/hosts file.

Firewalls

When the agent and policy server are on different sides of a firewall, Privilege Manager for Unix needs a number of ports to be kept open. By default, Privilege Manager for Unix can use ports in the 600 to 31024 range, but when using a firewall, you may want to limit the ports that can be used.

You can restrict Privilege Manager for Unix to using a range of ports in the reserved ports range (600 to 1023) and the non-reserved ports range (1024 to 65535). We recommend that a minimum of six ports are assigned to Privilege Manager for Unix in the reserved ports range and twice that number of ports are assigned in the non-reserved ports range.

Use the setreserveportrange and setnonreserveportrange settings in the /etc/opt/quest/qpm4u/pm.settings file to open the ports in the required ranges. (See PM Settings Variables for details.)

If configuring Privilege Manager for Unix to use NAT (Network Address Translation), you may need to configure the pmtunneld component. (See Configuring Firewalls for more information about using Privilege Manager for Unix with NAT and restricting port numbers.)

Related Documents