
BMC Provisioning Module Administrator Guide

for Linux

Supporting
BMC Provisioning Module version 5.0.00 for Linux
November 2008

www.bmc.com

Contacting BMC Software


You can access the BMC Software website at http://www.bmc.com. From this website, you can obtain information about the company, its products, corporate offices, special events, and career opportunities.

United States and Canada


Address: BMC SOFTWARE INC, 2101 CITYWEST BLVD, HOUSTON TX 77042-2827, USA
Telephone: 713 918 8800 or 800 841 2031
Fax: 713 918 8000

Outside United States and Canada


Telephone: (01) 713 918 8800
Fax: (01) 713 918 8000

Copyright 2008 BMC Software, Inc. BMC, BMC Software, and the BMC Software logo are the exclusive properties of BMC Software, Inc., are registered with the U.S. Patent and Trademark Office, and may be registered or pending registration in other countries. All other BMC trademarks, service marks, and logos may be registered or pending registration in the U.S. or in other countries. All other trademarks or registered trademarks are the property of their respective owners. Linux is the registered trademark of Linus Torvalds in the U.S. and other countries. UNIX is the registered trademark of The Open Group in the US and other countries. BMC Software considers information included in this documentation to be proprietary and confidential. Your use of this information is subject to the terms and conditions of the applicable End User License Agreement for the product and the proprietary and restricted rights notices included in this documentation.

Restricted rights legend


U.S. Government Restricted Rights to Computer Software. UNPUBLISHED -- RIGHTS RESERVED UNDER THE COPYRIGHT LAWS OF THE UNITED STATES. Use, duplication, or disclosure of any data and computer software by the U.S. Government is subject to restrictions, as applicable, set forth in FAR Section 52.227-14, DFARS 252.227-7013, DFARS 252.227-7014, DFARS 252.227-7015, and DFARS 252.227-7025, as amended from time to time. Contractor/Manufacturer is BMC SOFTWARE INC, 2101 CITYWEST BLVD, HOUSTON TX 77042-2827, USA. Any contract notices should be sent to this address.

Customer support
You can obtain technical support by using the BMC Software Customer Support website or by contacting Customer Support by telephone or e-mail. To expedite your inquiry, see Before contacting BMC.

Support website
You can obtain technical support from BMC 24 hours a day, 7 days a week at http://www.bmc.com/support_home. From this website, you can:

- read overviews about support services and programs that BMC offers
- find the most current information about BMC products
- search a database for issues similar to yours and possible solutions
- order or download product documentation
- download products and maintenance
- report an issue or ask a question
- subscribe to receive proactive e-mail alerts when new product notices are released
- find worldwide BMC support center locations and contact information, including e-mail addresses, fax numbers, and telephone numbers

Support by telephone or e-mail


In the United States and Canada, if you need technical support and do not have access to the web, call 800 537 1813 or send an e-mail message to customer_support@bmc.com. (In the subject line, enter SupID:<yourSupportContractID>, such as SupID:12345). Outside the United States and Canada, contact your local support center for assistance.

Before contacting BMC


Have the following information available so that Customer Support can begin working on your issue immediately:

- product information
  - product name
  - product version (release number)
  - license number and password (trial or permanent)
- operating system and environment information
  - machine type
  - operating system type, version, and service pack or other maintenance level such as PUT or PTF
  - system hardware configuration
  - serial numbers
  - related software (database, application, and communication) including type, version, and service pack or maintenance level
- sequence of events leading to the issue
- commands and options that you used
- messages received (and the time and date that you received them)
  - product error messages
  - messages from the operating system, such as file system full
  - messages from related software

License key and password information


If you have questions about your license key or password, contact BMC as follows:

- (USA or Canada) Contact the Order Services Password Team at 800 841 2031, or send an e-mail message to ContractsPasswordAdministration@bmc.com.
- (Europe, the Middle East, and Africa) Fax your questions to EMEA Contracts Administration at +31 20 354 8702, or send an e-mail message to password@bmc.com.
- (Asia-Pacific) Contact your BMC sales representative or your local BMC office.

Contents

About this book                                                                   11
    New Identity Management terminology                                           11
    Related documentation                                                         13
    Conventions                                                                   13
    Syntax statements                                                             14

Chapter 1   Overview                                                              15
    Introduction                                                                  15
    Provisioning Module deployment for Linux                                      15
        Local versus remote Managed System                                        16
        Password interception facility                                            17

Chapter 2   Installation                                                          19
    Before installing                                                             20
        Hardware/software requirements                                            20
        Checking for Suid-enabled file system                                     21
        Defining Provisioning Module administrators                               22
    Implementation overview                                                       23
    Implementation procedures                                                     24
        1 Install BMC Provisioning Services Manager                               24
        2 Add Provisioning Module for Linux                                       25
        3 (Only for Local Managed System) Modify Services Manager file permissions 26
        4 Configure MSCS parameters                                               27
        5 (Only for a remote Managed System) Configure SSH Secure Shell           29
        6 Import the Managed System Type definition into Enterprise SecurityStation 30
        7 Set up Managed System administrator Accounts                            30
        8 (Only for local Managed System) (Optional) Password Interceptor Client  30

Chapter 3   Configuring SSH Secure Shell                                          35
    Overview                                                                      35
        Authentication                                                            36
    Software requirements                                                         37
    Services Manager SSH connections                                              37
    Before configuring SSH                                                        37
        Creating a root-like user                                                 38
    Automated configuration                                                       39
        Pre-configuration checks on the remote host                               39
        Automatic configuration procedure                                         42
        After configuring SSH                                                     47
        Verifying SSH communication                                               50
        Managing more than one remote Managed System host                         51
    Manual configuration of SSH Secure Shell                                      52
        1 Services Manager computer configuration                                 52
        2 Remote Managed System host configuration                                59
        3 Verifying SSH communication                                             65
        4 Updating the Administrator file                                         65
        5 Managing more than one remote Managed System host                       66

Chapter 4   Maintenance                                                           67
    Changing the Managed System administrator security level                      67
    Managing Password Interceptor messages                                        69

Chapter 5   Provisioning Module implementation for Linux                          71
    Provisioning Module and Linux interaction                                     72
    Provisioning Module function list                                             73
    Account functions                                                             74
        Account data translation tables                                           74
        Account Provisioning Module function descriptions                         76
    Group functions                                                               80
        Group data translation tables                                             80
        Group Provisioning Module function descriptions                           81
    Account-Group connection operations                                           83
        Connection Provisioning Module function descriptions                      84
    Resource functions                                                            86
        Resource Provisioning Module function descriptions                        88
    Resource ACL functions                                                        90
        Resource ACL data translation tables                                      90
        Resource ACL Provisioning Module function descriptions                    91
    Managed System functions                                                      93
        Managed System data translation tables                                    93
        Managed System Provisioning Module function descriptions                  94

Appendix A  Managed System specific fields                                        97
    Description of table column titles                                            97
    Function tables for Linux                                                     99
        Account functions                                                         100
        Group functions                                                           100
        Account-Group Connection functions                                        100
        Resource functions                                                        100
        ACL/ACE functions                                                         101
        Managed System parameter functions                                        101

Appendix B  MSCS configuration parameters                                         103
    Overview                                                                      103
        Description of parameters                                                 104
        MSCS parameters                                                           104
    Listing of the MSCSPARM file                                                  111

Appendix C  Verifying the Password Interceptor installation                       113

Appendix D  Uninstalling Password Interceptor                                     117
    Interactive uninstallation                                                    117
    Silent uninstallation                                                         118

Appendix E  Parameter coordination with Enterprise SecurityStation                119

Appendix F  Migrating from CONTROL-SA/Agent                                       121
    Overview                                                                      121
    Migration procedure                                                           121
        Interactive migration                                                     122
        Automated migration                                                       122

Index                                                                             123

Tables

New terminology for Services Manager                                              12
New terminology for Enterprise SecurityStation                                    12
Linux system requirements                                                         21
MSCS parameters for Linux                                                         27
Installation parameters for Password Interceptor                                  32
Provisioning Module function list                                                 73
Standard Account fields in Enterprise SecurityStation                             74
Linux-specific Account fields                                                     75
Standard Group fields in Enterprise SecurityStation                               80
Linux-specific Group fields                                                       80
Standard connection fields in Enterprise SecurityStation                          83
Standard Resource fields in Enterprise SecurityStation                            86
Linux-specific Resource fields                                                    86
Standard Resource ACL fields in Enterprise SecurityStation                        90
Linux-specific Resource ACL fields                                                90
Standard Managed System fields                                                    93
Managed System-specific fields                                                    94
Description of columns in Managed System-specific field tables                    98
Description of columns for specific types of entities                             99
Account functions for Linux                                                       100
Group functions for Linux                                                         100
Resource functions for Linux                                                      100
ACL/ACE functions for Linux                                                       101
Managed System parameter functions for Linux                                      101
MSCS parameters of the Provisioning Module for Linux                              104
Summary of required parameter coordination                                        119


About this book


This book contains detailed information about BMC Provisioning Module for Linux and is intended for system administrators. Like most BMC Software documentation, this book is available in printed and online formats. Visit the BMC Software Customer Support page at http://www.bmc.com/support_home to request additional printed books or to view online books and notices (such as release notes and technical bulletins). Some product shipments also include the online books on a documentation CD.

NOTE
This book assumes that you are familiar with your host operating system.

NOTE
Online books are formatted as Portable Document Format (PDF) or HTML files. To view, print, or copy PDF books, use the free Adobe Reader from Adobe Systems. If your product installation does not install the reader, you can obtain the reader at http://www.adobe.com.

This book should be used together with the BMC Provisioning Services Manager Administrator Guide to install, configure, and maintain the BMC Provisioning Services Manager product.

New Identity Management terminology


New terminology is being phased in with the release of new BMC Identity Management products. Enterprise SecurityStation application servers, database, and BMC Provisioning Modules will all phase in the new terminology during the coming product release cycles. BMC Provisioning Services Manager and its related documentation now use this new terminology. Table 1 on page 12 describes the differences between the current and new terminology for Services Manager, and Table 2 on page 12 describes the terminology for the entities used by Enterprise SecurityStation.


Table 1  New terminology for Services Manager

Legacy Terminology         | New Terminology
---------------------------|----------------------------------------------------
CONTROL-SA/Agent, SA-Agent | BMC Provisioning Services Manager, Services Manager
RSS                        | Replaced with one of the following:
                           | - Managed System
                           | - Managed System Configuration Set (MSCS). This is the set of information used by a Provisioning Module for handling a specific Managed System. The MSCS includes, for example, the parameter containing the Default administrator name.
USA-API module, USA-API    | BMC Provisioning Module, Provisioning Module. Note: Within the context of the Services Manager documentation set, the term Provisioning Module is used to represent any type of Module for Identity Management (for example: Password Module, Audit Module) developed by BMC, by the site or by an external vendor.
Offline Interceptor        | Standard Offline Interceptor
CTSPARM parameters         | SM parameter
RSSAPI file                | MSCSAPI file
RSSPARM parameters         | MSCS parameters
SA-Agent platform          | Services Manager computer

Table 2  New terminology for Enterprise SecurityStation

Legacy Terminology | New Terminology
-------------------|-----------------------------
Enterprise User    | Person/Persons
User Group         | Group
Job Code           | Profile
RSS User           | Account
RSS                | Managed System
RSS Administrator  | Managed System administrator
RSS Type           | Managed System Type

Related documentation
The following related publications supplement this book:

Category       | Document                                                                     | Description
---------------|------------------------------------------------------------------------------|------------
Core Documents | BMC Provisioning Services Manager for Linux Installation Guide               | Provides detailed information about the installation of BMC Provisioning Module on the Linux platform.
Core Documents | BMC Provisioning Services Manager and BMC Provisioning Module Messages Manual | Provides a comprehensive listing and explanation of all messages issued by these products.
               | Enterprise SecurityStation Administration Guide                              | Provides details for various customization and maintenance procedures for the Enterprise SecurityStation installation and database. Standalone utilities are also described. This book is designed for the Enterprise SecurityStation workstation administrator and outlines administrator responsibilities.
               | Enterprise SecurityStation Console Administration Guide                      | Describes administrative functions performed using the ESS Console. This includes setting up Platform and Managed System objects, defining ESS administrators, performing download operations, and configuring fields (keywords) in entity records.
               | Enterprise SecurityStation Console User Guide                                | Describes how to perform security administration tasks using the ESS Console.
               |                                                                              | Describes Enterprise SecurityStation concepts, features, facilities, and operating instructions in detail. It may be used as a learning guide as well as a reference guide.

Conventions
This book uses the following special conventions:

- All syntax, operating system terms, and literal examples are presented in this typeface. Variable text in path names, system messages, or syntax is displayed in italic text:

    testsys/instance/fileName

- The symbol => connects items in a menu sequence. For example, Actions => Create Test instructs you to choose the Create Test command from the Actions menu.

Syntax statements
The following example shows a sample syntax statement:

    COMMAND KEYWORD1 [KEYWORD2 | KEYWORD3] KEYWORD4={YES | NO} fileName...

The following list explains conventions for syntax statements and provides examples:

Item: Items in italic type represent variables that you must replace with a name or value. If a variable is represented by two or more words, initial capitals distinguish the second and subsequent words.
Example: alias  databaseDirectory  serverHostName

Item: Brackets indicate a group of optional items. Do not type the brackets when you enter the option.
Example: [tableName, columnName, field]  [-full, -incremental, -level] (UNIX)

Item: A comma means that you can choose one or more of the listed options. You must use a comma to separate the options if you choose more than one option.
Example: [tableName, columnName, field]  [-full, -incremental, -level] (UNIX)

Item: Braces indicate that at least one of the enclosed items is required. Do not type the braces when you enter the item.
Example: {DBDName | tableName}  UNLOAD device={disk | tape, fileName | deviceName}  {-a | -c} (UNIX)

Item: A vertical bar means that you can choose only one of the listed items. In the example, you would choose either commit or cancel.
Example: {commit | cancel}  {-commit | -cancel} (UNIX)

Item: An ellipsis indicates that you can repeat the previous item or items as many times as necessary.
Example: columnName . . .


Chapter 1  Overview

This chapter presents the following topics:

Introduction                                                  15
Provisioning Module deployment for Linux                      15
    Local versus remote Managed System                        16
    Password interception facility                            17

Introduction
Welcome to BMC Provisioning Module for Linux, the Managed System-specific component of BMC Provisioning Services Manager. BMC Provisioning Services Manager is the client/server solution from BMC Software that enables you to manage security systems distributed across multiple incompatible platforms. This guide describes concepts and tools required by the administrator for setting up and administering BMC Provisioning Module for Linux.

Provisioning Module deployment for Linux


A single installation of BMC Provisioning Module for Linux can manage multiple local or remote Linux platforms. When installed on a Linux platform, BMC Provisioning Services Manager with the BMC Provisioning Module can manage the local Linux operating system (referred to as the Managed System) as well as multiple remote Linux platforms.


Local versus remote Managed System


This section describes the considerations for handling Managed Systems locally or remotely. Each Managed System has its own Managed System database containing security administration data for the Managed System. When the Managed System is the native security of an operating system, a given Provisioning Module can handle the following types of Managed Systems:

- Local Managed System

  This is the operating system on the Services Manager computer. A given instance of the Provisioning Module can handle a single local Managed System.

- Remote Managed System

  This is the operating system on a remote platform (referred to as a remote Managed System host). A given instance of the Provisioning Module can handle any number of remote Managed Systems.

Local Managed System administration


BMC Provisioning Services Manager, together with the Provisioning Module, is installed on each Managed System where status changes are monitored dynamically. Local Managed System administration provides the following advantages:

- Since data is managed locally, the Provisioning Module operations do not require network traffic with a remote Managed System host.
- Password Interception and Resource/Resource ACL management is supported.

Local Managed System administration has the following disadvantage:

- The Services Manager and Provisioning Module are installed and maintained separately on each Managed System.

Remote Managed System administration


The remote administration architecture requires the installation of only one instance of BMC Provisioning Services Manager, together with the Provisioning Module, on a single computer. This Provisioning Module is able to handle multiple Managed Systems through remote access (based on an SSH Secure Shell connection), in addition to managing the local Managed System on the Services Manager computer.

Remote Managed System administration provides the following advantages:

- Reduced implementation and maintenance effort by requiring only a single installation of BMC Provisioning Services Manager and the Provisioning Module.
- Support for specific configuration restrictions such as hosting facilities.

Remote Managed System administration has the following disadvantages:

- If communication between the Services Manager computer and the remote host fails, the Services Manager cannot handle the remote Managed System while the network communication is down.
- For remote Managed Systems, password interception and management of resources or resource ACLs are not supported.
- Linux CLI restrictions apply for specific functionality. For more information, see Chapter 5, Provisioning Module implementation for Linux.

Password interception facility


BMC Provisioning Module provides the capability of password interception as described in this section. Password interception and synchronization for a given person is only effective when the option Enable Password Synchronization is enabled for the person in the Person Properties window (described in the Enterprise SecurityStation Console User Guide). In addition, password interception and/or synchronization for a specific Account is only effective when the option Include in Password Sync is enabled in the Account Properties window (described in the Enterprise SecurityStation Console User Guide). Under the native operating system, the password interception facility detects the change of a password by the Account. The new password is intercepted and sent to Enterprise SecurityStation to be propagated to other Managed Systems in which the Account is defined.

NOTE
Password interception is not invoked when:

- The system administrator changes an Account password on the Services Manager computer.
- The password is changed for the root Account.


NOTE
Password interception is not available when managing a remote Managed System host.


Chapter 2  Installation

This chapter describes how to install and configure the BMC Provisioning Module product for the Linux operating system. The following topics are discussed:

Before installing                                                                 20
    Hardware/software requirements                                                20
    Checking for Suid-enabled file system                                         21
    Defining Provisioning Module administrators                                   22
Implementation overview                                                           23
Implementation procedures                                                         24
    1 Install BMC Provisioning Services Manager                                   24
    2 Add Provisioning Module for Linux                                           25
    3 (Only for Local Managed System) Modify Services Manager file permissions    26
    4 Configure MSCS parameters                                                   27
    5 (Only for a remote Managed System) Configure SSH Secure Shell               29
    6 Import the Managed System Type definition into Enterprise SecurityStation   30
    7 Set up Managed System administrator Accounts                                30
    8 (Only for local Managed System) (Optional) Password Interceptor Client      30


Before installing
Before running the installation procedure, it is recommended that you review the information in this section to help ensure that the installation procedure runs smoothly and successfully.

Hardware/software requirements
Ensure that the hardware and software requirements described in this section are satisfied before starting installation of the Provisioning Module.

Managing a remote Managed System host


This section describes considerations for managing a remote Managed System host. Any number of Managed System hosts can be managed by a single installation of BMC Provisioning Module.

SSH Secure Shell


You must install and configure SSH Secure Shell on the Services Manager computer and on each remote Managed System host that you wish to handle.

NOTE
If you want to use the automatic procedure for configuring SSH described in this book, the Provisioning Module must be installed before configuring SSH. If you use the manual procedure, the Provisioning Module can be installed before or after configuring SSH.

For more information on configuring SSH Secure Shell, see Chapter 3, Configuring SSH Secure Shell.

Password interception
Password interception is not supported for remote Managed System hosts.

BMC Provisioning Module Administrator Guide for Linux
Provisioning Module system requirements


Table 3 describes the requirements for the computer on which the BMC Provisioning Services Manager and BMC Provisioning Module will be installed.

NOTE
BMC Provisioning Services Manager can be installed in any directory in a local file system (not on the NFS).

Table 3   Linux system requirements

Component         Requirement
Memory            64 MB RAM
Disk space        30 MB of available disk space is required on the local file system.
Managed Systems   See the Compatibility section of the BMC Provisioning Module Release Notes for Linux.

Checking for Suid-enabled file system


BMC Services Manager must be installed in a file system that is mounted to allow suid programs. The Services Manager binaries that step 3 of the implementation procedures makes setuid root do not gain root privileges on a file system mounted nosuid, and the product then fails with permission errors. To determine how a file system is mounted, use the procedure below.

1 Enter the following command to list the local file systems and their free disk space:
df -l

2 Enter the following command to display the mount options of the file system:
mount | grep fileSystem

The variable fileSystem is the file system (mount point or device) where you plan to install BMC Provisioning Services Manager. On current util-linux versions, findmnt -T smPath -o TARGET,OPTIONS shows the options of the mount that holds a given directory directly. If the output of the mount command contains the option nosuid, you must either re-mount the file system to allow suid programs (mount -o remount,suid fileSystem) or select a different file system. Check the corresponding entry in /etc/fstab as well, so that the setting survives a reboot.


Defining Provisioning Module administrators


This section describes special administrator accounts used by the BMC Provisioning Module.

Default administrator
For a local Managed System: Most types of Provisioning Modules use the Default administrator to retrieve information from the Managed System database. However, for Linux, a Default administrator Account is not used.

For a remote Managed System: A special Default administrator entry in the Administrator file is used to hold the passphrase used by the Provisioning Module to connect to the remote Managed System host. The remote Default administrator is added automatically by the ssh-config.sh script (see page 42), or manually if you are using the manual configuration (see page 52). This Default administrator is used internally by the Provisioning Module to unlock the SSH private key, and is not defined as an administrator in Enterprise SecurityStation.

NOTE
The details of the Default administrator typically will not require any further manipulation; however, if required, it can also be manipulated manually via the ctsadm utility. For more information, see BMC Provisioning Services Manager Administrator Guide for Linux.

Managed System administrators


To administer the native Linux Managed System from Enterprise SecurityStation, one or more accounts must be set up on the Services Manager computer to serve as Managed System Administrators. These accounts will later be added to the Services Manager Administrator file, and defined and connected to ESS administrators in Enterprise SecurityStation. These accounts are used by Enterprise SecurityStation to perform administrative functions (such as defining accounts) in the Linux Managed System. Select or define an Account in the Managed System to serve as the Managed System administrator.

NOTE
(Local Managed Systems only) A Managed System administrator cannot be renamed.

NOTE
(Remote Managed Systems only) A Managed System administrator must be added to the Administrator file by defining the Managed System administrator in the Enterprise SecurityStation Console and not by using the ctsadm utility. However, you can use the utility later if you wish to alter the Managed System administrator details (such as the administrator's password).

Unattended administrator
This Account is defined in the Managed System with administrator privileges. The Services Manager logs in as this Account to perform actions that originate from automatic operations in Enterprise SecurityStation, such as synchronizing passwords for all the Accounts of a Person. Optionally select or define an account in the Managed System to serve as the Unattended administrator. (You can also use the same account for a Managed System administrator and as the Unattended administrator.)

Implementation overview

Implementation of BMC Provisioning Module for Linux consists of the following procedures:

1. Install BMC Provisioning Services Manager. If it is not already installed, install the Services Manager on the Linux computer.
2. Add Provisioning Module for Linux.
3. (Only for Local Managed System) Modify Services Manager file permissions.
4. Configure the MSCS parameters. MSCS parameters must be configured for each Linux Managed System to be handled via the Services Manager computer.
5. (Only for Remote Managed System) Configure SSH Secure Shell.
6. Import the Managed System Type definition into Enterprise SecurityStation.
7. Set up the Managed System administrator Accounts.
8. (Only for Local Managed System) (Optional) Install the Password Interceptor.

Implementation procedures
This section describes the implementation procedures in detail. The following steps are described:

1 Install BMC Provisioning Services Manager


If the BMC Provisioning Services Manager has not already been installed, refer to the BMC Provisioning Services Manager Installation Guide for Linux for installation procedures. Upon completion of the installation process, a screen similar to Figure 1 on page 24 is displayed.

Figure 1   Services Manager Installation: completed

2 Add Provisioning Module for Linux


Refer to the BMC Provisioning Services Manager Installation Guide for instructions on how to add a Provisioning Module.

NOTE
BMC Provisioning Module version 5.0.00 for Linux (32-bit) is not compatible with BMC Provisioning Services Manager version 5.1.00 for Linux (64-bit):
- BMC Provisioning Module version 5.0.00 for Linux (32-bit) must be used only with BMC Provisioning Services Manager version 5.1.00 for Linux (32-bit).
- BMC Provisioning Module version 5.0.00 for Linux (64-bit) must be used only with BMC Provisioning Services Manager version 5.1.00 for Linux (64-bit).

The pmz file is located in the following directory on the installation CD:
- For the 32-bit Provisioning Module, under /Install/32-bit
- For the 64-bit Provisioning Module, under /Install/64-bit

When you have finished adding the Provisioning Module, Figure 2 is displayed.

Figure 2   Provisioning Module Wizard: finish setup

3 (Only for Local Managed System) Modify Services Manager file permissions
If you want to perform the provisioning of a Local Linux Managed System, you have to modify the ownership and permissions of the BMC Provisioning Services Manager executable files before configuring MSCS parameters.

To change the ownership and permissions of the Services Manager executable files

1 Log in to the Services Manager computer as user root.

2 Enter the following command to locate the Services Manager executable files:
cd smPath/bin

where smPath is the directory where the Services Manager is installed.

3 Enter the following commands to change the file ownership and permissions:
chown root ctsadm ctssoffi p_ctscd p_ctscs apiver
chmod 4750 ctsadm ctssoffi p_ctscd p_ctscs apiver

Mode 4750 makes these programs setuid root and executable only by their owner and their group. The chown command above leaves the group owner unchanged, so it must remain the group of the Services Manager owner account, which is the only account that should be able to run them. Verify the result with ls -l: each file must show owner root, that group, and the mode -rwsr-x---. Because the programs now run as root, keep smPath/bin writable by root only and do not mark any other file in it setuid.

4 Log out from root.
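The following script is an added example written for this edition, not part of the BMC product or of the original guide. It performs the checks that the section Checking for Suid-enabled file system and step 3 above describe: that the file system holding smPath/bin is not mounted nosuid, that each of the five binaries named above is owned by root with mode 4750, and that nothing else in the directory carries the setuid bit. The mount table it reads is in /proc/self/mounts format; the bin directory and, optionally, the mount table are passed as arguments, so it can be run before and after the chown and chmod commands.

```shell
#!/bin/sh
# Added example, not part of the BMC product: pre-flight checks for the
# setuid Services Manager binaries.
#   1. the file system holding smPath/bin must not be mounted nosuid
#   2. each listed binary must be owned by root with mode 4750 (-rwsr-x---)
#   3. no other file in smPath/bin may carry the setuid bit
# Mount table lines are in /proc/self/mounts format:
#   <device> <mount point> <fstype> <options> <dump> <pass>

SM_SUID_BINARIES="ctsadm ctssoffi p_ctscd p_ctscs apiver"   # names from the guide

# suid_status DIR [MOUNT_TABLE]
# Prints "<mount point> <options>" for the mount that holds DIR, then returns
# 0 = suid allowed, 1 = mounted nosuid, 2 = no mount point matches DIR.
suid_status() {
    dir=$1
    table=${2:-/proc/self/mounts}
    abs=$(cd "$dir" 2>/dev/null && pwd -P) || abs=$dir   # resolve symlinks if DIR exists
    best=""; bestopts=""
    while read -r _dev mnt _type opts _rest; do
        if [ "$mnt" = "/" ]; then
            match=1
        else
            case "$abs" in "$mnt"|"$mnt"/*) match=1 ;; *) match=0 ;; esac
        fi
        # Longest mount point wins; of two entries for the same mount point the
        # later line is the newer mount and overrides the earlier one.
        if [ "$match" -eq 1 ] && [ ${#mnt} -ge ${#best} ]; then
            best=$mnt; bestopts=$opts
        fi
    done < "$table"
    [ -n "$best" ] || return 2
    printf '%s %s\n' "$best" "$bestopts"
    case ",$bestopts," in
        *,nosuid,*) return 1 ;;
        *)          return 0 ;;
    esac
}

# verify_sm_binary FILE
# 0 = owned by root with mode 4750, 1 = wrong mode, 2 = wrong owner, 3 = missing
verify_sm_binary() {
    f=$1
    [ -f "$f" ] || return 3
    set -- $(ls -ln "$f")                  # e.g. -rwsr-x--- 1 0 500 9172 Nov 3 2008 ctsadm
    mode=$(printf '%s' "$1" | cut -c1-10)  # drop a trailing '.' or '+' (SELinux/ACL marker)
    uid=$3
    [ "$mode" = "-rwsr-x---" ] || return 1
    [ "$uid" = "0" ] || return 2
    return 0
}

# audit_sm_bin BINDIR [MOUNT_TABLE]
# Prints one line per problem found and returns the number of problems.
audit_sm_bin() {
    bindir=$1; table=${2:-/proc/self/mounts}; problems=0
    rc=0; suid_status "$bindir" "$table" >/dev/null || rc=$?
    case $rc in
        1) echo "PROBLEM: $bindir is on a file system mounted nosuid"; problems=$((problems+1)) ;;
        2) echo "PROBLEM: no mount point found for $bindir";          problems=$((problems+1)) ;;
    esac
    for name in $SM_SUID_BINARIES; do
        rc=0; verify_sm_binary "$bindir/$name" || rc=$?
        case $rc in
            1) echo "PROBLEM: $bindir/$name is not mode 4750";     problems=$((problems+1)) ;;
            2) echo "PROBLEM: $bindir/$name is not owned by root"; problems=$((problems+1)) ;;
            3) echo "PROBLEM: $bindir/$name is missing";           problems=$((problems+1)) ;;
        esac
    done
    for f in "$bindir"/*; do               # anything else with the setuid bit is unexpected
        [ -f "$f" ] && [ -u "$f" ] || continue
        case " $SM_SUID_BINARIES " in
            *" ${f##*/} "*) ;;
            *) echo "PROBLEM: unexpected setuid file $f"; problems=$((problems+1)) ;;
        esac
    done
    return $problems
}

# Usage: sh sm_suid_check.sh smPath/bin [mount-table]
if [ $# -ge 1 ]; then
    if audit_sm_bin "$1" "${2:-/proc/self/mounts}"; then echo "OK: $1 passes all checks"; fi
fi
```

Run it as root after step 3 (sh sm_suid_check.sh smPath/bin); a non-zero exit code is the number of problems printed. The mount check uses the longest matching mount point, so a suid-capable file system mounted below a nosuid parent is reported correctly.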

4 Configure MSCS parameters

MSCS parameters must be configured for each Linux Managed System (Local or Remote) to be handled via the Services Manager computer. Only one MSCS can be configured for a Local Managed System. In order to enable password interception for the local Managed System, configure the local MSCS before configuring the MSCS for the remote Managed System.

To configure MSCS parameters for a Linux Managed System, refer to the description of modifying a Managed System Configuration Set parameter using the BMC Provisioning Services Manager Configuration Console. This can be found in the BMC Provisioning Services Manager Administrator Guide. Log in as the Services Manager owner and configure the MSCS parameters. Enter values for each parameter described in Table 4.

Table 4   MSCS parameters for Linux

ADMIN_UID_CHECK
   Description: Whether a user defined as a Managed System administrator requires root privileges (locally managed Linux only). See the section Changing the Managed System administrator security level on page 67 to configure the ADMIN_UID_CHECK and ADMIN_FILE_REQ parameters.
   Values: Y, N. Default: N

DEFAULT_ADMIN
   Description: For a local Managed System: Account name in the Managed System. For a remote Managed System: Name of the special Default administrator entry in the Administrator file. This entry contains the passphrase used by the Provisioning Module to connect to the remote Managed System host.
   Note: Do not configure the DEFAULT_ADMIN parameter when creating a remote Managed System. Configure the DEFAULT_ADMIN parameter only after creating the remote Managed System.
   Values: For a remote Managed System host, must always contain the value PassPhraseADM.

DEFAULT_ADMIN_PASSWORD
   Description: For a local Managed System: Password of the administrator account. For a remote Managed System: Passphrase of the private key of the Services Manager owner account. This passphrase unlocks the key that gives root-level SSH access to every remote Managed System host configured with it, so protect the Administrator file that stores it accordingly; it must not be readable by other accounts on the Services Manager computer.

IS_REMOTE_RSS
   Description: Whether the Managed System is local or remote.
   Values: Y: remote Managed System. N: local Managed System. Default: N

REMOTE_HOST_NAME
   Description: IP address or host name of the remote Managed System host managed by the Provisioning Module.
   Note: This is applicable only when the value of the MSCS parameter IS_REMOTE_RSS is set to Y.

EXPECT_PASSWD_FIRST
   Description: This parameter should only be modified at the request of Customer Support. A regular expression that matches the prompt returned by the remote Managed System host when a user password is modified from the Provisioning Module platform (the passwd command is run).
   Values: Default: New UNIX [pP]assword:.*
   Default values by platform:
   - Red Hat Enterprise Linux 5: New UNIX [pP]assword:.*
   - SUSE Linux Enterprise Server version 10: New [pP]assword:.*

EXPECT_PASSWD_SECOND
   Description: This parameter should only be modified at the request of Customer Support. A regular expression that matches the prompt returned by the remote Managed System host when a user password is modified from the Provisioning Module platform (the passwd command is run) and the password is requested a second time for verification.
   Values: Default: Retype new UNIX [pP]assword.*:.*
   Default values by platform:
   - Red Hat Enterprise Linux 5: Re-type new UNIX [pP]assword.*:.*
   - SUSE Linux Enterprise Server version 10: Re-enter New [pP]assword:

If the prompt text of the remote host does not match these expressions, the Provisioning Module never sees the prompt it is waiting for and the password change cannot complete, so confirm the exact prompt wording of the distribution before changing them.

For more information regarding specific Linux MSCS parameters, refer to Appendix B, MSCS configuration parameters. For more information regarding common parameters for all Managed System types, refer to the BMC Provisioning Services Manager Administrator Guide.
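The following script is an added example for this edition, not part of the BMC product or of the original guide. It replays a captured passwd dialogue against the EXPECT_PASSWD_FIRST and EXPECT_PASSWD_SECOND expressions from Table 4, so that a pair of expressions can be validated against the real prompts of a remote host before it is entered in the MSCS. The guide does not state how the product applies the expressions; the script assumes each one is an unanchored extended regular expression tried against every line the host sends, with the second prompt searched for only after the first has matched. The transcript files in the usage are constructed samples.

```shell
#!/bin/sh
# Added example, not part of the BMC product: replay a captured passwd
# transcript against candidate EXPECT_PASSWD_FIRST / EXPECT_PASSWD_SECOND
# expressions before entering them in the MSCS. Assumption (the guide does
# not state the matching semantics): each expression is applied, unanchored,
# as an extended regular expression to every line the remote host sends,
# and the second prompt is only looked for after the first has matched.

# Profiles quoted from Table 4 of the guide.
RHEL5_FIRST='New UNIX [pP]assword:.*'
RHEL5_SECOND='Retype new UNIX [pP]assword.*:.*'
SLES10_FIRST='New [pP]assword:.*'
SLES10_SECOND='Re-enter New [pP]assword:'

# passwd_prompts_match TRANSCRIPT FIRST_RE SECOND_RE
# 0 = both prompts seen in order, 1 = first prompt never matched,
# 2 = first matched but the verification prompt never did (the automation
#     would sit waiting at this point).
passwd_prompts_match() {
    transcript=$1; first=$2; second=$3
    stage=first
    while IFS= read -r line || [ -n "$line" ]; do
        case $stage in
            first)  printf '%s\n' "$line" | grep -Eq -- "$first"  && stage=second ;;
            second) printf '%s\n' "$line" | grep -Eq -- "$second" && stage=done ;;
        esac
    done < "$transcript"
    case $stage in
        done)   return 0 ;;
        first)  return 1 ;;
        *)      return 2 ;;
    esac
}

# passwd_profile TRANSCRIPT
# Prints the first built-in profile whose expressions replay cleanly, or
# "none" (return 1) when none fits and a custom pair is required.
passwd_profile() {
    for p in RHEL5 SLES10; do
        eval "f=\$${p}_FIRST; s=\$${p}_SECOND"
        if passwd_prompts_match "$1" "$f" "$s"; then
            echo "$p"; return 0
        fi
    done
    echo none; return 1
}

# Usage: capture the dialogue once by hand on the remote host (for example with
# the script command while running passwd for a test account), then:
#   sh expect_passwd_check.sh transcript.txt [FIRST_RE SECOND_RE]
if [ $# -ge 1 ]; then
    if [ $# -ge 3 ]; then
        passwd_prompts_match "$1" "$2" "$3" && echo "custom expressions match"
    else
        passwd_profile "$1"
    fi
fi
```

Running the check with the Red Hat profile against a SUSE transcript returns 1, which is the silent failure mode Table 4 warns about: the first prompt never matches, so nothing is ever typed into passwd.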

5 (Only for a remote Managed System) Configure SSH Secure Shell


Configure the SSH client on the Services Manager computer and SSH Server on all the remote Linux computers to be managed using the Provisioning Module. For more information, see Chapter 3, Configuring SSH Secure Shell.

6 Import the Managed System Type definition into Enterprise SecurityStation


For this release of Provisioning Module for Linux, you must import the Managed System Type definition DBexport.Linux.TAR into Enterprise SecurityStation. This file can be found in subdirectory ESS on the product CD. For instructions on importing a Managed System Type definition into Enterprise SecurityStation, see the description of utility instrss in the Enterprise SecurityStation Administration Guide. For more information regarding the compatibility with Enterprise SecurityStation, see the Compatibility section of the BMC Provisioning Module Release Notes for Linux.

7 Set up Managed System administrator Accounts


Define the Managed System administrators and Unattended administrator in Enterprise SecurityStation. For more information, see Defining Provisioning Module administrators on page 22.

8 (Only for local Managed System) (Optional) Password Interceptor Client


After configuring MSCS parameters, you have the option of installing the Password Interceptor for locally managed Linux only. The Password Interceptor can be installed using the following procedures:
- Interactive installation
- Silent installation

Interactive installation
This procedure is used to install a new instance of the Password Interceptor Client, directly from the product CD.

To perform the Interactive installation for the Password Interceptor

1 On the Services Manager platform, log in as the Services Manager owner.

2 In the same session, change the user context to root (for example, with su).

3 Enter the following commands to create a temporary directory to which you will copy the Password Interceptor files:
mkdir /tmp/DRLIS.5.0.00
chmod 777 /tmp/DRLIS.5.0.00

N OTE
Mode 777 makes the directory writable by every local user, and root executes install_pwi.sh from it in step 7. On a shared system another local user could replace the script between step 4 and step 7. Only the Services Manager owner and root need access, so a directory owned by the Services Manager owner with mode 770 is sufficient; remove the directory when the installation is complete.

4 Copy the files install_pwi.sh and INSTALL_CLIENT.LINUX.TAR from the installation CD to the directory /tmp/DRLIS.5.0.00. These files can be found in subdirectory Install/PWI on the product CD.

5 Enter the following command to go to the Services Manager home directory:
cd $SM_INSTALL_DIR

6 Give executable permissions to /tmp/DRLIS.5.0.00/install_pwi.sh using the following command:
chmod 755 /tmp/DRLIS.5.0.00/install_pwi.sh

7 Enter the following command:
/tmp/DRLIS.5.0.00/install_pwi.sh -r managedSystemName

where managedSystemName is the name of the Managed System for which you are installing the Password Interceptor. The following prompt is displayed:
Enter the full path of the Services Manager directory [<path>]:

8 Enter the Services Manager path:
smPath

where smPath is the directory where the Services Manager is installed.

9 The script displays a series of prompts, requesting data to customize the Password Interceptor. For information on responding to these prompts, see Table 5 below.

Table 5   Installation parameters for Password Interceptor

Directory where inetd client will be installed
   The following prompt is displayed:
   Enter the directory where inetd client will be installed [/usr/sbin]:
   Enter the directory in which the inetd client program will be installed. This directory is referred to as client-dir in the installation procedure. This directory must be on a local file system.

Directory in which to install the PWI exit module used to intercept passwords
   The following prompt is displayed:
   Enter the directory where PAM library will be installed [/lib/security]:

TCP/IP port number for password interception
   The script backs up the file /etc/services and displays the following prompt:
   Select TCP/IP port number for password interception [6690]:
   Enter the password interception port number. By default, the password interception facility uses the next consecutive port following the ports specified for TCP/IP Port Number (described on page 30). For example, if you use the default of 2470 and 2471 for that parameter, the default for the password interception facility is 2472. Verify that the TCP/IP port to be used for the password interception facility is not already in use (for example, with netstat -ltn, and by checking /etc/services). If it is in use, select a different port for the password interception facility. Enter the selected port (or accept the default) when you are asked to supply the password interception port number.

Several additional messages are displayed as customization continues. When the installation procedure is completed, the following message is displayed:
Installation ended successfully

10 Confirm the Password Interceptor installation. For more information, see Appendix C, Verifying the Password Interceptor installation.

11 Stop and start the Services Manager to enable password interception.

12 Enable password interception for Linux users.

NOTE
To uninstall Password Interceptor, refer to Appendix D, Uninstalling Password Interceptor.

Silent installation
This procedure is used to perform a non-interactive installation of a new instance of the Password Interceptor from an installation image.

To perform the silent installation for the Password Interceptor

1 Enter the following commands to create a temporary directory to which you will copy the Password Interceptor files:
mkdir /tmp/DRLIS.5.0.00
chmod 777 /tmp/DRLIS.5.0.00

Root executes install_pwi.sh from this directory in step 8, so on a shared system prefer a directory owned by the Services Manager owner with mode 770 to a world-writable one, and remove it when the installation is complete.

2 Copy the files install_pwi.sh, INSTALL_CLIENT.LINUX.TAR, and pwiLinux.silent.properties from the installation CD to the directory /tmp/DRLIS.5.0.00. These files can be found in subdirectory Install/PWI on the product CD.

3 In a text editor, open the pwiLinux.silent.properties file. Update the required values in the file and save the file. Figure 3 lists a sample pwiLinux.silent.properties file.

Figure 3   Sample pwiLinux.silent.properties file

*************************************************
Silent installer property file
*************************************************
########################################################
# PRODUCT NAME : PWI for Linux
# PRODUCT VERSION : 5.0.00
########################################################
#
#
--------------------------------------------------------------------
# Directory where the Services Manager is installed
SMINSTALLDIR=/local/home/sithu/bmc/idm/ServicesManager
--------------------------------------------------------------------
--------------------------------------------------------------------
# MS Name
MS_NAME=loc_lnx2
--------------------------------------------------------------------
--------------------------------------------------------------------
# Directory where inetd client will be installed :
INETD_DIR=/usr/sbin
--------------------------------------------------------------------
--------------------------------------------------------------------
# Directory where PAM library will be installed :
PAMLIB_DIR=/lib/security
--------------------------------------------------------------------
--------------------------------------------------------------------
# TCP/IP port number for password interception:
PWI_PORT_NO=9080
--------------------------------------------------------------------

4 On the Services Manager computer, log in as the Services Manager owner.

5 In the same session, change the user context to root (for example, with su).

6 Enter the following command to go to the Services Manager home directory:
cd $SM_INSTALL_DIR

7 Give executable permissions to /tmp/DRLIS.5.0.00/install_pwi.sh using the following command:
chmod 755 /tmp/DRLIS.5.0.00/install_pwi.sh

8 Enter the following command to run the installation in silent mode (the paths are those of the files copied in step 2):
/tmp/DRLIS.5.0.00/install_pwi.sh -i silent -f /tmp/DRLIS.5.0.00/pwiLinux.silent.properties

9 Confirm the Password Interceptor installation.


For more information, see Appendix C, Verifying the Password Interceptor installation.

10 Stop and start the Services Manager to enable password interception.

Chapter 3 Configuring SSH Secure Shell

This chapter describes how to configure SSH Secure Shell when handling remote Managed Systems. The following topics are discussed in this chapter:

Overview . . . 35
Software requirements . . . 37
Services Manager SSH connections . . . 37
Before configuring SSH . . . 37
Automated configuration . . . 39
Managing more than one remote Managed System host . . . 51
Manual configuration of SSH Secure Shell . . . 52

Overview
Remote Security Administration is implemented for the Services Manager by configuring all remote Managed System hosts in the network to communicate with the Services Manager using SSH (Secure Shell), thereby providing secure encrypted sessions between the hosts. The SSH configuration consists of a Services Manager computer (SSH client), where Provisioning Module for Linux is installed. The Services Manager computer communicates via the SSH protocol with multiple remote Managed System hosts (no installation of Services Manager is required on the remote hosts). On each remote Managed System host, an SSH daemon (sshd or sshd2) is typically running and awaiting a connection request from the SSH client on the Services Manager computer.

Figure 4 illustrates an example of an SSH configuration under BMC Provisioning Services Manager. Figure 4 SSH configuration in the BMC Provisioning Services Manager environment

Authentication

BMC Provisioning Services Manager uses SSH with public key authentication. The method involves a key pair generated for the Services Manager owner account and a passphrase that protects the private half of the pair. Only the private key and the passphrase are secret; the public key is distributed to the remote hosts.

- Services Manager public key
The Services Manager public key is installed in the authorized keys of the login account on each remote Managed System host. The remote host uses it to verify the signature that the SSH client on the Services Manager computer produces when it logs in, and so to confirm the identity of the Services Manager computer. Anyone may read the public key; possessing it grants no access.

- Services Manager private key
The Services Manager private key is used to produce that login signature. It is stored encrypted under the passphrase, and the passphrase must be supplied to decrypt the key before it can be used; this is why the Provisioning Module keeps the passphrase in the Default administrator entry of the Administrator file. Together, the private key and the passphrase enable Services Manager to log in securely to the various remote Managed System hosts. Whoever holds both can do the same, so they must be protected like a root password.

The session traffic itself is encrypted with keys negotiated between the SSH client and server during each connection, not with this key pair.

NOTE
For verification of the identity of each remote Managed System host, Services Manager uses the remote host's public host key, which the SSH client records in its known hosts file the first time it connects. Compare the fingerprint shown at that first connection with a fingerprint obtained directly on the remote host (see the pre-configuration checks), because a wrong key accepted at that moment lets an attacker impersonate the remote host thereafter.

For more information on SSH, see the following references:
- Tectia Server / Client User and Administrator Manuals for versions 4.3, 4.4, 5.0 and above at http://www.ssh.com/products/client-server/
- OpenSSH at http://www.openssh.org/

Software requirements
Ensure that the SSH software is installed and working properly on the Services Manager computer and on all remote Managed System hosts to be managed. For more information, see the Compatibility section of the BMC Provisioning Module Release Notes for Linux.

Services Manager SSH connections

When managing a remote Managed System, Services Manager requires up to six concurrent SSH connections. The SSH server installed on the remote host must therefore allow at least six concurrent connections from the Services Manager computer (for OpenSSH, check the MaxStartups setting in sshd_config, which caps connections that are still authenticating; for Tectia, MaxConnections, where 0 means no limit). A separate login session is opened for the Notification Server, Transaction Server and Standard Offline Interceptor processes (when the Standard Offline Interceptor is active). Additional sessions are required for executing secure copy (scp) commands (Services Manager is periodically required to copy security information from the remote Managed System host).

Before configuring SSH

Before configuring SSH, note the following:

- SSH should be configured on the Services Manager computer (SSH client) so that the Services Manager owner account can connect to and manage the remote Managed System hosts with root or root-like user capabilities.

- SSH should be configured on each remote Managed System host (SSH server) to be managed using Services Manager. Once the configuration procedure is performed for one remote Managed System host, different methods can be used to configure subsequent remote Managed System hosts. For more information, see Managing more than one remote Managed System host on page 51 for the automated configuration procedure and 5 Managing more than one remote Managed System host on page 66 for the manual configuration procedure.

- The authentication method required by the Services Manager is public key authentication over SSH protocol 2.

NOTE
Other authentication methods are not supported. Password authentication is enabled on the remote host only so that the configuration procedure can copy the Services Manager public key to it with scp; the Services Manager itself logs in with the key.

- During the configuration procedure you are prompted to enter a passphrase. Record this passphrase, as you will be required to re-enter it later.

- Ensure that Services Manager is stopped and that Interceptor processes are not running. For more information, see BMC Provisioning Services Manager Administrator Guide for Linux.

Creating a root-like user

This section describes how to create a user with root privileges, if you want to use a user other than root to connect to this host remotely from the BMC Provisioning Module using the SSH client. A UID 0 account is root under another name: it has exactly the same privileges, and its password and SSH key must be protected in the same way.

To create a root-like user

1 Enter the following command on the remote host to create a root-like user:
useradd -d / rootLikeUser

rootLikeUser is the name of the root-like user.

2 Change the UID field for the root-like user to 0 by editing the /etc/passwd file (use vipw, which locks the file while you edit it). Alternatively, create the account with UID 0 in one step and avoid editing /etc/passwd by hand:
useradd -o -u 0 -d / rootLikeUser

3 Set a password for the account with passwd rootLikeUser; the automatic configuration procedure needs it to copy the Services Manager public key to the host.

NOTE
Check that the setting to change the password on every login for the root-like user on the remote system is disabled. chage -l rootLikeUser shows the password aging settings; the account must not be set to require a password change at the next login, because the scripted SSH session cannot answer that prompt.

Automated configuration

The automatic configuration procedure does not support Tectia SSH 5.0 and above. To manually configure Tectia SSH 5.0 and above, see Manual configuration of SSH Secure Shell on page 52. The topics in this section describe the automated configuration procedure of SSH.

Pre-configuration checks on the remote host . . . 39
Automatic configuration procedure . . . 42
After configuring SSH . . . 47
Verifying SSH communication . . . 50
Managing more than one remote Managed System host . . . 51

Pre-configuration checks on the remote host


This section describes the procedure for verifying the remote Managed System host configuration file settings. You must ensure that each parameter value is set as specified in this section before proceeding with the configuration.

Tectia SSH

1 Log in to the remote Managed System host as user root.

2 Open the file sshd2_config (usually located in /etc/ssh2).

3 Verify that the following parameters are set as specified:
PermitRootLogin          yes
AllowedAuthentications   publickey, password
LoginGraceTime           30 (recommended value)
StrictModes              yes (recommended value)
MaxConnections           0
IgnoreRhosts             yes
AllowHosts               mainHost
AllowUsers               rootLikeUser, [root]
subsystem                sftp path/sftp-server

where:
mainHost           IP address or full host name of the Services Manager computer. If the IP address is specified, it must be prefixed with \i; if the host name is specified, it must be the full host name, including the domain name. For example:
                   AllowHosts \i184.16.320.12
                   AllowHosts sushi.fin.bmc.com
                   Note: It is recommended that you enter the IP address instead of the host name. AllowHosts restricts which clients may connect at all, so keep it limited to the Services Manager computer.
path/sftp-server   Full path and file name of the sftp-server binary.
rootLikeUser       A user created using the procedure Creating a root-like user on page 38.

4 If these parameters are not set as specified above, do the following:

- Modify the entries as required. Save the file and exit.

- Enter one of the following commands to stop the ssh daemon process:
kill $(cat /etc/ssh2/sshd2_22.pid)
OR
/etc/ssh2/sshd2 stop

- Enter one of the following commands to start the ssh daemon process:
/usr/local/sbin/sshd2
OR
/etc/ssh2/sshd2 start

where /usr/local/sbin/sshd2 is an example of the path to the ssh daemon. The edited configuration is not read until the daemon is restarted. Restart it from the console or from a session that is already open, because a mistake in the configuration prevents new SSH logins while existing sessions survive the restart.

5 Acquire the host public key fingerprint to avoid man-in-the-middle attacks by


specifying the following command:
ssh-keygen2 -F /etc/ssh2/hostkey.pub

OpenSSH

1 Log in to the remote Managed System host as user root.

2 Open the file sshd_config (usually located in either /usr/local/etc or /etc/ssh).

3 Verify that the following parameters are set as specified:
PermitRootLogin          yes
Protocol                 2
PubkeyAuthentication     yes
LoginGraceTime           30 (recommended value)
StrictModes              yes (recommended value)
IgnoreRhosts             yes
PasswordAuthentication   yes
RhostsAuthentication     no
AllowUsers               rootLikeUser [root]
Subsystem sftp           sftpServer

The variable sftpServer is the full path and file name of the sftp-server binary; rootLikeUser is a user created using the procedure Creating a root-like user on page 38. Note that sshd uses the first occurrence of a keyword in the file, so a keyword that appears twice takes its first value, and that keywords placed after a Match line apply only to the connections that Match selects. PasswordAuthentication yes is needed for the initial copy of the Services Manager public key made by the configuration procedure; once the key is installed and the connection verified, it can be set to no on the remote host, since the Services Manager authenticates with the key only.

4 If these parameters are not set as specified above, do the following:

- Modify the entries as required. Save the file and exit.

- Restart the ssh daemon so that it reads the new configuration. On Linux, use the init script of the distribution, for example:
/etc/init.d/sshd restart
(The stopsrc and startsrc commands belong to the AIX subsystem controller and do not exist on Linux.)

OR

Do the following steps. Enter the following command to stop the ssh daemon process:
kill sshdPid

where sshdPid is the ID of the listening sshd process (recorded in /var/run/sshd.pid by default). kill sends SIGTERM, which lets sshd shut down cleanly; use kill -9 only if it does not stop. Enter the following command to start the ssh daemon process:
path/sshd

For example, /usr/local/sbin/sshd is the path to start the ssh daemon process. Restart the daemon from the console or from a session that is already open, because a mistake in sshd_config prevents new SSH logins while existing sessions survive the restart.

5 Acquire the host public key fingerprint to avoid man-in-the-middle attacks by entering the following command:
ssh-keygen -l -f /usr/local/etc/ssh_host_dsa_key.pub

where the argument of -f is the full path of the host public key (typically /usr/local/etc/ssh_host_dsa_key.pub or /etc/ssh/ssh_host_dsa_key.pub). Without -f, ssh-keygen prompts with "Enter file in which the key is (//.ssh/id_rsa):", and you must type the host key path there instead of accepting the default. Record the fingerprint: the automatic configuration procedure displays the fingerprint of the host it connects to, and you must compare the two before answering yes to the connection prompt.
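The following script is an added example for this edition, not part of the BMC product or of the original guide. It checks an OpenSSH sshd_config against the settings listed in the pre-configuration checks above and verifies that the account created under Creating a root-like user is usable for the scripted login (UID 0, a real login shell, not locked, and not forced to change its password at the next login). It uses only the shell and awk, so it can be run on the remote host or against copies of sshd_config, passwd and shadow. It assumes, as OpenSSH does, that keywords are case-insensitive and that the first occurrence of a keyword is the effective one, and it treats everything after a Match line as conditional rather than global; the sample files in the usage are constructed.

```shell
#!/bin/sh
# Added example, not part of the BMC product: check a remote Managed System
# host against the OpenSSH settings listed above and confirm that the UID 0
# login account is usable, before running ssh-config.sh. Only the shell and
# awk are used, so copies of sshd_config, passwd and shadow can also be
# checked offline. Assumptions: sshd keywords are case-insensitive, the FIRST
# occurrence of a keyword is the effective one (as in OpenSSH), and keywords
# after a Match line are conditional and therefore not counted as global.

# sshd_effective CONFIG KEYWORD  -> prints the effective global value, or nothing
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF == 0 { next }                 # comment or blank line
        { k = tolower($1) }
        k == "match" { exit }                          # rest of file is conditional
        k == key { sub(/^[ \t]*[^ \t]+[ \t]*/, ""); print; exit }
    ' "$1"
}

# check_sshd_config CONFIG SSHUSER
# Prints one line per deviation from the required settings; returns their count.
check_sshd_config() {
    cfg=$1; sshuser=$2; bad=0
    for pair in permitrootlogin=yes protocol=2 pubkeyauthentication=yes \
                strictmodes=yes ignorerhosts=yes passwordauthentication=yes; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(sshd_effective "$cfg" "$key" | tr 'A-Z' 'a-z')
        if [ "$got" != "$want" ]; then
            echo "sshd_config: $key is '${got:-unset}', required '$want'"; bad=$((bad+1))
        fi
    done
    grace=$(sshd_effective "$cfg" logingracetime)
    [ "$grace" = "30" ] || echo "advisory: LoginGraceTime is '${grace:-unset}', 30 recommended"
    allow=$(sshd_effective "$cfg" allowusers)
    case " $allow " in
        *" $sshuser "*|*" $sshuser@"*) ;;
        *) echo "sshd_config: AllowUsers does not list $sshuser (found '${allow:-unset}')"; bad=$((bad+1)) ;;
    esac
    # Subsystem may appear several times, so look for the sftp entry directly.
    if ! awk 'tolower($1)=="subsystem" && tolower($2)=="sftp" { f=1 } END { exit !f }' "$cfg"; then
        echo "sshd_config: no 'Subsystem sftp' entry"; bad=$((bad+1))
    fi
    return $bad
}

# check_uid0_account NAME PASSWD_FILE SHADOW_FILE
# 0 = usable, 1 = no such account, 2 = UID is not 0, 3 = no login shell,
# 4 = locked, passwordless, or forced to change its password at next login
#     (shadow "last change" field of 0), which would break the scripted login.
check_uid0_account() {
    name=$1; pwfile=$2; shfile=$3
    entry=$(awk -F: -v n="$name" '$1 == n { print; exit }' "$pwfile")
    [ -n "$entry" ] || return 1
    uid=$(printf '%s\n' "$entry" | cut -d: -f3)
    shell=$(printf '%s\n' "$entry" | cut -d: -f7)
    [ "$uid" = "0" ] || return 2
    case $shell in ""|*/nologin|*/false) return 3 ;; esac
    sentry=$(awk -F: -v n="$name" '$1 == n { print; exit }' "$shfile")
    hash=$(printf '%s\n' "$sentry" | cut -d: -f2)
    lastchg=$(printf '%s\n' "$sentry" | cut -d: -f3)
    case $hash in ""|'!'*|'*'*) return 4 ;; esac
    [ "$lastchg" != "0" ] || return 4
    return 0
}

# Usage (on the remote host, as root):
#   sh remote_precheck.sh /etc/ssh/sshd_config rootLikeUser /etc/passwd /etc/shadow
if [ $# -ge 4 ]; then
    rc=0; check_sshd_config "$1" "$2" || rc=$?
    acct=0; check_uid0_account "$2" "$3" "$4" || acct=$?
    echo "sshd_config deviations: $rc; account check code: $acct"
fi
```

The first-occurrence rule matters in practice: a distribution default of PasswordAuthentication no placed above your own PasswordAuthentication yes silently wins, and the configuration procedure then fails at the scp step with a refused password.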

Automatic configuration procedure


This section describes the procedure for configuring SSH on the Services Manager computer and on the remote Managed System host using the script ssh-config.sh.

NOTE
Before starting this procedure, ensure you have access to the password of the account, which has the user ID (UID) as zero (0) on the remote Managed System host that you wish to manage. This account can be other than root, but the user ID of this account should be zero.

To run the automatic configuration procedure 1 On the Services Manager computer, log in as the Services Manager owner (usually
user smOwner).

2 Enter the following command:

    smPath/PM/Linux/scripts/ssh-config.sh sshType sshPort remoteMsName remoteHostName remoteSSHUser [{keyPairFileName|F1|F2}]

where:

sshType          -c - Tectia SSH
                 -o - OpenSSH
sshPort          The port number used to communicate with the remote Managed System host.
remoteMsName     The name of the MSCS defined for the remote Managed System host that you wish to manage.
remoteHostName   The name of the remote Managed System host that you wish to manage.
remoteSSHUser    User on the remote host whose user ID (UID) is zero (0) and which is used to connect through SSH from the Services Manager computer. Refer to Creating a root-like user on page 38 for more information.
keyPairFileName  (Optional) Name for the generated key pair files. *
F1               (Optional) Key file name will be sm-owner-localHost.
F2               (Optional) Key file name will be sm-owner-localHost-remoteHost. The variable remoteHost is the name of the remote Managed System host.

* If, during a subsequent run of this automatic configuration procedure, you try to generate another key pair with an identical value for the parameter keyPairFileName, F1 or F2, SSH uses the existing key pair and does not generate a new key pair.

For example:

    /home1/ctsaian/bmc/idm/ServicesManager/PM/Linux/scripts/ssh-config.sh -o 22 remote1 felix root F1

NOTE
The default value of the argument {keyPairFileName | F1 | F2} is F1. Therefore, if you wish to generate a different key pair for each remote Managed System host, ensure you use either the F2 or keyPairFileName parameter.


Text similar to the following is displayed:

    SSH-CONFIG FOR BMC Provisioning Module
    -------------------------------------
    Using OpenSSH
    -- Step 1. Generate new key pair.

    Looking for ctsaian-spock-felix public and private keys in ctsaian@spock:/home1/ctsaian/.ssh.
    Couldn't find your DSA keypair.
    Creating a keypair using ssh-keygen. This may take few minutes.
    You should NOT give an empty passphrase!
    Generating public/private dsa key pair.
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:

NOTE
The sample output throughout this procedure is for a configuration using Open SSH. This illustrates the procedure for defining the SSH connection for user ctsaian on Services Manager computer spock to remote Managed System host felix.

3 You are prompted to enter (and then re-enter) a passphrase for the new key. Enter a string of characters (any type). It is highly recommended that you enter a passphrase at least 20 characters long, including spaces and punctuation. Text similar to the following is displayed:

    Your identification has been saved in /home1/ctsaian/.ssh/ctsaian-spock-felix.
    Your public key has been saved in /home1/ctsaian/.ssh/ctsaian-spock-felix.pub.
    The key fingerprint is:
    e3:07:40:5b:ad:6a:66:ae:7c:a0:ac:1f:3d:ed:6b:54 ctsaian@spock
    Using your new key pair in ctsaian-spock-felix as your identity on ctsaian@spock.


    -- Step 2. Create local ssh configuration file.

    -- Step 3. Send public key of ctsaian to remote host felix and retrieve its public key.
    Now running scp to send public key to root on felix.
    Most likely you'll have to type a password.
    You may authenticate the remote host public key's fingerprint if you wish.
    scp -rp /home1/ctsaian/.ssh/.ssh root@felix:
    The authenticity of host 'felix (172.16.110.186)' can't be established.
    DSA key fingerprint is 43:6d:eb:0c:c6:ed:04:37:c3:e3:a7:52:ab:b4:96:06.
    Are you sure you want to continue connecting (yes/no)?

4 (Optional) At this point, if you wish to authenticate the remote Managed System host, compare the fingerprint that you acquired in step 5 on page 41 with the fingerprint displayed in the output from the previous step. Performing this comparison provides protection against man-in-the-middle attacks.

5 Perform one of the following actions:

- If you wish to exit the automatic configuration procedure (for example, if the fingerprints that you compared in step 4 (above) were not identical), enter No. Text similar to the following is displayed:

    Host key verification failed.
    lost connection
    ERROR: scp command failed

- If you wish to continue the automatic configuration procedure and add the remote Managed System host public key to your known hosts, enter Yes. Text similar to the following is displayed:

    Warning: Permanently added 'felix,172.16.110.186' (DSA) to the list of known hosts
    root@felix's password:


6 Enter the root password of the remote Managed System host (you are asked to re-enter the password for confirmation). Text similar to the following is displayed:

    Now running ssh to add public key file name to authorization file for root on felix.
    Most likely you'll have to type a password again.
    root@felix's password:
    -- Step 4. Retrieve public key of root from remote host felix.

    Now running ssh to retrieve the public key from felix.
    You may authenticate the remote host public key's fingerprint if you wish.
    Most likely you'll have to type the passphrase.
    ssh root@172.16.110.186 date
    Enter passphrase for key '/home1/ctsaian/.ssh/ctsaian-spock-felix':

7 The process described in the preceding display is required to verify the SSH connection and, in certain cases, to retrieve the remote Managed System host public key. Enter the passphrase that was defined in step 3 on page 44. Text similar to the following is displayed:

    Sun Jan 26 12:32:33 IST 2003
    -- Step 5. Add default administrator to the Administrator file.

    Enter the passphrase for key '/home1/ctsaian/.ssh/ctsaian-spock-felix':

8 Enter the passphrase that was defined in step 3 on page 44.

A special Default administrator called PassPhraseADM is now added to the Services Manager Administrator file. This entry is used to store the passphrase in the Administrator file.


If the Default administrator is successfully added to the Administrator file, the following message is displayed:

    ssh configuration successfully completed.

If the Default administrator is not successfully added to the Administrator file, the following message is displayed:

    failure in ctsadm
    ERROR:failed to add default administrator PassPhraseADM to MSADM.DAT file

This message indicates that the CTSADM utility, which performs this action, attempted to connect to the remote Managed System host using the passphrase you entered and did not succeed. If this occurs, it is recommended that you do the following:

1. Try re-entering the passphrase. This procedure is described in 4 Updating the Administrator file on page 65. If this fails, continue with the next item.
2. Locate the relevant error messages in the CTSADM log file at the following location and act accordingly:

    smPath/logs/ADM_MSG_processId.log

NOTE
The name of the special Default administrator (PassPhraseADM) in the Administrator file must not be changed.

After configuring SSH


After configuring SSH, it is highly recommended that you perform the procedure described in this section. This procedure disables password authentication on the remote Managed System host and enables only public key authentication.

NOTE
This procedure should not be used if you are employing SSH for other applications which utilize password authentication.


Tectia SSH
1 Log in to the remote Managed System host as user root.
2 Open the file /etc/ssh2/sshd2_config in a text editor (usually located in /etc/ssh2).
3 Verify that the following parameters are set as specified:

    PermitRootLogin          nopwd
    AllowedAuthentications   publickey

NOTE
If you want to be able to login remotely as root to the remote Managed System using a password, you are not required to modify the PermitRootLogin parameter. However, BMC recommends that you set this parameter to nopwd so that remote login can be performed only using public key authentication and not using the root password.

4 Modify the entries as required.
5 Save the file and exit.
6 Enter one of the following commands to stop the ssh daemon process:

    kill `cat /etc/ssh2/sshd2_22.pid`

OR

    /etc/ssh2/sshd2 stop

7 Enter one of the following commands to start the ssh daemon process:

    /usr/local/sbin/sshd2

OR

    /etc/ssh2/sshd2 start

/usr/local/sbin/sshd2 is an example path.


Open SSH
1 Log in to the remote Managed System host as user root.
2 Open the file /etc/ssh/sshd_config in a text editor.
3 Verify that the following parameters are set as specified:

    PermitRootLogin          without-password
    PasswordAuthentication   no

NOTE
If you want to be able to log in remotely as root to the remote Managed System using a password, you are not required to modify the PermitRootLogin parameter. However, BMC recommends that you set this parameter to without-password so that remote root login can be performed only using public key authentication and not using the root password.

4 Modify the entries as required.
5 Save the file and exit.
6 Enter the following commands:

    stopsrc -s sshd
    stopsrc -s prngd
    startsrc -s prngd
    startsrc -s sshd

OR do the following steps. Enter the following command to stop the ssh daemon process:

    kill -9 sshdPid

where sshdPid is the ID of the sshd process. Enter the following command to start the ssh daemon process:

    path/sshd

For example, /usr/local/sbin/sshd is the path to start the ssh daemon process.
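The following POSIX shell script is an added example, not part of this guide or of the BMC product. It checks an OpenSSH sshd_config for the two settings above, applying sshd's own parsing rules (keyword names are case-insensitive, "Keyword value" and "Keyword=value" are both accepted, and the first occurrence of a keyword wins, so a later duplicate line cannot silently re-enable password logins). The two sample configuration files it writes to temporary files are constructed for the demonstration; the function names are chosen here.

```shell
#!/bin/sh
# Added example, not part of the BMC guide or product: audit an OpenSSH sshd_config
# for the two settings this section asks you to verify. The sample configuration
# files written below are constructed for the demonstration.

# Print the effective value of a keyword in an sshd_config file.
# sshd ignores keyword case, accepts "Keyword value" or "Keyword=value", and uses
# the FIRST occurrence of a keyword, so the audit has to follow the same rules.
# usage: sshd_directive CONFIG_FILE KEYWORD
sshd_directive() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        NF == 0 || $1 ~ /^#/ { next }                   # skip blank and comment lines
        {
            line = $0; sub(/=/, " ", line); $0 = line   # normalise "Keyword=value"
            if (tolower($1) == key) { print $2; exit }  # first match wins, as in sshd
        }' "$1"
}

# Report whether root may log in only with a key and whether password
# authentication is off. Returns 0 when both hold, 1 otherwise.
# usage: audit_sshd_config CONFIG_FILE
audit_sshd_config() {
    rc=0
    root_login=$(sshd_directive "$1" PermitRootLogin)
    pw_auth=$(sshd_directive "$1" PasswordAuthentication)

    # "without-password" is the value this guide specifies; newer OpenSSH spells the
    # same behaviour "prohibit-password" and accepts both.
    case $root_login in
        without-password|prohibit-password) ;;
        *) echo "WEAK: PermitRootLogin is '${root_login:-unset}', expected without-password"; rc=1 ;;
    esac

    # An absent line leaves sshd's default (password logins allowed), so an
    # unset value is reported as weak rather than passed.
    case $pw_auth in
        no) ;;
        *) echo "WEAK: PasswordAuthentication is '${pw_auth:-unset}', expected no"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample files: one left at permissive values, one hardened as in the
# procedure above, with a later duplicate line that sshd (and this audit) ignores.
weak=$(mktemp)
hardened=$(mktemp)
cat > "$weak" <<'EOF'
# default-style sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF
cat > "$hardened" <<'EOF'
Port 22
PermitRootLogin without-password
PasswordAuthentication = no
PasswordAuthentication yes
EOF

audit_sshd_config "$weak" && echo "weak config passed (unexpected)" || echo "weak config flagged"
audit_sshd_config "$hardened" && echo "hardened config passed" || echo "hardened config flagged (unexpected)"
rm -f "$weak" "$hardened"
```

Run it against /etc/ssh/sshd_config on the remote Managed System host after step 6 to confirm that the running configuration file carries the intended values; remember that the audit reads the file, so it cannot tell you whether sshd has been restarted since the file was edited.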


Verifying SSH communication


This section describes the procedure for verifying that the Services Manager computer can communicate with the remote Managed System host using SSH. This procedure should be performed under the following circumstances:

- After you have configured SSH on the Services Manager computer and remote Managed System host.
- Upon recovery of the Services Manager computer or the remote Managed System host.
- Whenever the sshd (or sshd2 or ssh-server-g3) process fails on the remote Managed System host.

To verify SSH communication

1 Log in to the remote host as root user.
2 Ensure that the sshd (or sshd2 or ssh-server-g3) process is running by specifying the following command:

    ps -ef | grep sshd

OR

    ps -ef | grep sshd2

OR

    ps -ef | grep ssh-server-g3

3 On the Services Manager computer, log in as the Services Manager owner (usually user smOwner).

4 Enter a command similar to the following:

    ssh [-p port] root@remoteHost ls

The variable port is the port number on which the ssh server is running on the remote host, and remoteHost is one of the following:


Tectia SSH
    The IP address or host name of the remote Managed System host, exactly as specified in the MSCS parameter REMOTE_HOST_NAME.

Open SSH
    The IP address or host name of the remote Managed System host.

A prompt is displayed, asking you to specify the passphrase you specified earlier.

5 Enter the passphrase that you entered in the automatic procedure (see page 44) or in the manual procedure (see page 52). If the passphrase is verified, the contents of the root directory of the remote Managed System host are displayed.

Managing more than one remote Managed System host


Once you have configured the Services Manager computer and at least one remote Managed System host, you can choose one of the following options for each additional remote Managed System host that you wish to manage:

1. Generate a single DSA public and private key pair.
2. Generate a new DSA public and private key pair for each additional remote Managed System host with a separate passphrase. This is the recommended option.
3. Generate a new DSA public and private key pair for each remote host; however, use the same passphrase for each generated key pair.

For options 2 and 3, complete the following procedures:

- Before configuring SSH on page 37
- Pre-configuration checks on the remote host on page 39
- Automatic configuration procedure on page 42
- After configuring SSH on page 47
- Verifying SSH communication on page 50

Manual configuration of SSH Secure Shell


This section describes how to configure SSH Secure Shell manually on the Services Manager computer and the remote Managed System host. The following procedures are described in this section:

1 Services Manager computer configuration on page 52
2 Remote Managed System host configuration on page 59
3 Verifying SSH communication on page 65
4 Updating the Administrator file on page 65
5 Managing more than one remote Managed System host on page 66

1 Services Manager computer configuration


This section describes how to configure the Services Manager computer manually. The following procedures are described:

- 1.1 Generate a DSA key pair
- 1.2 Create an identification file
- 1.3 Set up the SSH configuration file
- 1.4 Retrieve the remote Managed System host Public Key

NOTE
Configure SSH on the Services Manager computer while logged on as the Services Manager owner (usually user smOwner).

NOTE
If you are using Tectia SSH version 5.0 and above, create a symbolic link to sshg3 as follows:

    ln -s <path-name>/sshg3 /bin/ssh

For example:

    ln -s /opt/tectia/bin/sshg3 /bin/ssh


1.1 Generate a DSA key pair


The program ssh-keygen creates a .ssh or .ssh2 directory in the Services Manager account directory, and stores your new authentication key pair.

To generate a DSA key pair

1 Activate ssh-keygen to generate a DSA key pair (public key and private key) by specifying one of the following commands:

    Tectia SSH version below 5.0       ssh-keygen2 [fileName]
    Tectia SSH version 5.0 and above   ssh-keygen-g3 [fileName]
    Open-SSH                           ssh-keygen -b 1024 -t dsa [-f fileName]

The variable fileName is the full pathname of a file that you may optionally specify for the key pair.

Tectia SSH only: If you do not specify a file name in the command, a file name (containing a sequence ID) is automatically assigned to the key pair.

Open-SSH only: If you do not specify a file name in the command, you are later asked to specify a file name.

NOTE
Open SSH Only: If you are generating a separate key pair for each remote Managed System host that you wish to manage, you should either name the key pair now or name the next key pair you generate. If this is not done, the next key pair you generate will overwrite the original key pair.

2 You are prompted to enter a passphrase for the new key. Enter a string of characters (any type).


NOTE
It is highly recommended that you enter a passphrase at least 20 characters long, including spaces and punctuation.

3 (Open-SSH Only) If you did not specify the pathname for a key pair file in the ssh-keygen command, you are prompted now to specify this information. Specify the full pathname for the file or just press Enter to accept the default (described below).

Tectia SSH

The private key and public key are created in the following locations:

- Private-key: smOwnerHome/.ssh2/fileName
- Public-key: smOwnerHome/.ssh2/fileName.pub

The variable fileName is one of the following:

- The file name that you specified for the key pair in step 1 on page 53.
- If you did not specify a file name for the key pair, the file name is id_dsa_2048_sequenceId. The variable sequenceId is an automatically-generated number which identifies the specific key pair.

NOTE
If you have more than one key pair, each key pair is identified by a consecutive sequence ID.

Open SSH

Unless you specified a different pathname when running ssh-keygen, the private key and public key are created in the following locations:

- Private-key: smOwnerHome/.ssh/id_dsa
- Public-key: smOwnerHome/.ssh/id_dsa.pub


1.2 Create an identification file


This procedure creates an identification file which stores information used to identify the private key file. If you have one or more existing key pairs, the identification file already exists.

NOTE
This procedure is not required for Open SSH.

To create or modify an identification file

1 Using a text editor, create or open the file smOwnerHome/.ssh2/identification.
2 Insert the following line to identify the private key file:

    IdKey PrivateKeyFileName

The variable PrivateKeyFileName is the name of the private key file that was generated in step 3 on page 54. For example:

    IdKey id_dsa_2048_a

NOTE
Each user has a separate IdKey. Insert a separate entry for each generated key pair.

3 Save the file.


1.3 Set up the SSH configuration file


This section describes how to set up the required parameters in the ssh configuration file.

Tectia SSH version below 5.0


Perform the following actions:

1 Create the file smOwnerHome/.ssh2/ssh2_config and insert the following lines:

    AllowedAuthentications     publickey
    AuthenticationSuccessMsg   no
    BatchMode                  no
    ForcePTTYAllocation        no
    ForwardAgent               no
    ForwardX11                 no
    GatewayPorts               no
    KeepAlive                  yes
    NoDelay                    no
    QuietMode                  no
    TrustX11Applications       no
    StrictHostKeyChecking      yes
    DontReadStdin              no

2 Save the file.
3 Enter the following command to change permissions for the ssh2_config file:

    chmod 600 smOwnerHome/.ssh2/ssh2_config

Tectia SSH version 5.0 and above


Perform the following actions:

1 Create the client configuration file smOwnerHome/.ssh2/ssh-broker-config.xml by configuring the following parameters as specified. The default file is located under /etc/ssh2/ssh-tectia/auxdata/ssh-broker-ng/ssh-broker-config-default.xml.

    authentication-methods/authentication-method name="publickey"
    general/strict-host-key-checking enable="yes"
    default-settings/idle-timeout time=5

2 Save the file.


3 Enter the following command to change permissions for the ssh-broker-config.xml file:

    chmod 600 smOwnerHome/.ssh2/ssh-broker-config.xml

OpenSSH
Perform the following actions:

1 Create the file smOwnerHome/.ssh/config and insert the following lines:

    PreferredAuthentications   publickey
    PubkeyAuthentication       yes
    Protocol                   2
    BatchMode                  no
    FallBackToRsh              no
    UseRsh                     no
    ForwardAgent               no
    ForwardX11                 no
    GatewayPorts               no
    KeepAlive                  yes
    HostbasedAuthentication    no
    HostKeyAlgorithms          ssh-dss
    PasswordAuthentication     no
    NumberOfPasswordPrompts    1
    StrictHostKeyChecking      yes
    IdentityFile               KeyFileName

The variable KeyFileName is the full path and name of the private key file that was generated in step 1 on page 53.

2 Save the file.
3 Enter the following command to change permissions for the config file:

    chmod 600 smOwnerHome/.ssh/config

1.4 Retrieve the remote Managed System host Public Key


The key pair created on the remote Managed System host is referred to as the Host key, which also consists of a private and public pair. The public key file is used by the Services Manager computer for server authentication, to verify the identity of each remote Managed System host and then for sending encrypted data to the remote Managed System host. This procedure describes how to copy the Host key public key file to the Services Manager computer.


WARNING
If a remote Managed System host public key changes, you should replace the copy held in the specified location on the Services Manager computer with the new key file. Do not replace the public key unless you can verify its validity.

Tectia SSH version below 5.0


Perform the following:

- Copy the remote Managed System host public key from the remote Managed System host to the Services Manager computer. The default location and file name on the remote Managed System host is:

    /etc/ssh2/hostkey.pub

The required location and file name on the Services Manager computer is:

    smOwnerHome/.ssh2/hostkeys/key_port_remoteHost.pub

where:

port         The port number on the server where sshd2 runs (default 22).
remoteHost   The IP address or host name of the remote Managed System host, exactly as specified in the MSCS parameter REMOTE_HOST_NAME.

Complete this procedure for each remote Managed System host connected to the Services Manager.

Tectia SSH version 5.0 and above


Perform the following:

- Copy the remote Managed System host public key from the remote Managed System host to the Services Manager computer. The default location and file name on the remote Managed System host is:

    /etc/ssh2/hostkey.pub

The required location and file name on the Services Manager computer is:

    smOwnerHome/.ssh2/hostkeys/key_port_remoteHost.pub

where:

port         The port number on the server where ssh-server-g3 runs (default 22).
remoteHost   The IP address or host name of the remote Managed System host, exactly as specified in the MSCS parameter REMOTE_HOST_NAME.

Complete this procedure for each remote Managed System host connected to the Services Manager.

Open SSH
Perform the following:

- Edit or create the file smOwnerHome/.ssh/known_hosts in a text editor. Insert a line that contains the following data:

    remoteHostName,ipAddress ssh-dss remoteHostPublicKey

where:

remoteHostName        Name of the remote Managed System host.
ipAddress             IP address of the remote Managed System host.
remoteHostPublicKey   The actual contents of the key file (typically ssh_host_dsa_key.pub), which can be found on the remote Managed System host in one of the following locations: /usr/local/etc or /etc/ssh.

For example:

    spock,172.16.110.119 ssh-rsa AAAAB3swets9sdfgsaefgsacvad==

2 Remote Managed System host configuration


The following section describes how to define the Services Manager public key file on the remote Managed System host. This key is required for user authentication, where the remote Managed System host must verify the identity of the Services Manager computer. The Services Manager public key is then used for sending encrypted data to the Services Manager computer.


Tectia SSH version below 5.0


This section describes how to configure Tectia SSH on a remote Managed System host using the authorization authentication method.

To configure the remote Managed System host

1 Log in to the remote Managed System host as user root.
2 Create or edit the root file /.ssh2/authorization using a text editor. Insert the following lines:

    Key generatedPublicKey.pub
    Options allow-from=mainHost

where:

generatedPublicKey.pub   The public key file name which was generated in procedure 1.1 Generate a DSA key pair on page 53.
mainHost                 The IP address or full host name of the Services Manager computer.

NOTE
It is recommended that you enter the IP address rather than the host name.

3 Copy the Services Manager computer public key to the remote Managed System host /.ssh2/ directory. The public key is located on the Services Manager computer in the following location: smOwnerHome/.ssh2

4 Enter the following commands to change permissions:

    chmod 755 /.ssh2
    chmod 644 /.ssh2/generatedPublicKey.pub
    chmod 644 /.ssh2/authorization

5 Open the file /etc/ssh2/sshd2_config (usually located in /etc/ssh2).


6 Verify that the following parameters are set as specified:

    PermitRootLogin          nopwd
    AllowedAuthentications   publickey
    LoginGraceTime           30
    StrictModes              yes
    MaxConnections           0
    IgnoreRhosts             yes
    AllowHosts               mainHost
    AllowUsers               rootLikeUser, [root]
    subsystem sftp           sftpServerPath

where:

mainHost         IP address or full host name of the Services Manager computer. If the IP address is specified, it must be prefixed with \i; if the host name is specified, it must be the full host name, specified with the domain name. Examples:

    AllowHosts   \i184.16.320.12
    AllowHosts   sushi.fin.bmc.com

sftpServerPath   Full path and file name of the sftp-server binary.

NOTE
It is recommended that you enter the IP address rather than the host name.

NOTE
It is recommended that you set AllowedAuthentications to publickey only if no other authentication method (hostbased or password) is used.

7 If these parameters are not set as specified above, do the following:

- Modify the entries as required.
- Save the file and exit.
- Enter the following command:

    kill -HUP sshdPid


The variable sshdPid is the ID of the sshd2 process. The ID can be retrieved from the file sshd2_22.pid (usually located in /etc/ssh2 or /var/run) or can be obtained by specifying the following command:
ps -ef | grep sshd2

Tectia SSH version 5.0 and above


This section describes how to configure Tectia SSH on a remote Managed System host using the authorization authentication method.

To configure the remote Managed System host

1 Log in to the remote Managed System host as user root.
2 Create a directory /.ssh2/authorized_keys using the following command:

    mkdir /.ssh2/authorized_keys

3 Copy the generatedPublicKey.pub file into the above directory. The variable generatedPublicKey.pub is the public key file name which was generated in procedure 1.1 Generate a DSA key pair on page 53.

4 Enter the following commands to change permissions:

    chmod 755 /.ssh2
    chmod 644 /.ssh2/authorized_keys
    chmod 644 /.ssh2/authorized_keys/generatedPublicKey.pub

5 Create or edit the configuration file ssh-server-config.xml located in the /etc/ssh2/ directory.

NOTE
The default configuration file ssh-server-config-default.xml is typically located in: /etc/ssh2/

6 Verify that the following parameters are set as specified:

    authentication-methods/authentication/action="allow"
    authentication-methods/authentication/<auth-publickey />
    authentication-methods/login-grace-time="30"
    authentication-methods/auth-file-modes strict="yes"
    connections/action="allow"
    params/limits max-connections="0"

NOTE
It is recommended that you allow publickey only if no other authentication method (hostbased or password) is used.

7 If these parameters are not set as specified above, do the following:

- Modify the entries as required.
- Save the file and exit.
- Enter the following command:

    ./ssh-server-g3 reload

The file ssh-server-g3 is typically located in the /etc/init.d/ directory.

Open SSH
This section describes how to configure a remote Managed System host on OpenSSH using the authorized keys authentication method.

To configure the remote Managed System host

1 Log in to the remote Managed System host as user root.
2 Create or edit the root file /.ssh/authorized_keys. Insert the following text on a single line (the options are comma-separated and followed by a space before the key type):

    from="mainHost",no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-dss mainHostPublicKey

The variable mainHostPublicKey is the actual contents of the public key file on the Services Manager computer. This file was generated in procedure 1.1 Generate a DSA key pair on page 53. The variable mainHost represents the IP address or full host name of the Services Manager computer.


NOTE
It is recommended that you enter the IP address rather than the host name.

3 Change permissions (to ensure that the remote Managed System host /.ssh/ directory and associated files are writable only by your account) by specifying the following commands:

    chmod 755 /.ssh
    chmod 644 /.ssh/authorized_keys

4 Perform one of the procedures that follow.

To configure the remote Managed System host for OpenSSH

1 Open the file sshd_config (usually located in either /usr/local/etc or /etc/ssh).
2 Verify that the following parameters are set as specified:

    PermitRootLogin          without-password
    Protocol                 2
    PubkeyAuthentication     yes
    LoginGraceTime           30 (recommended value)
    StrictModes              yes (recommended value)
    IgnoreRhosts             yes
    PasswordAuthentication   no
    RhostsAuthentication     no
    AllowUsers               rootLikeUser [root]
    Subsystem sftp           sftpServerPath

The variable sftpServerPath is the full path and file name of the sftp-server binary.

NOTE
It is recommended that you allow only public key authentication if no other authentication method (hostbased or password) is used.

3 If these parameters are not set as specified above, do the following:

- Modify the entries as required.
- Save the file and exit.
- Enter the following command:

    kill -HUP sshPid

The variable sshPid is the ID of the sshd process. The ID can be retrieved from the file sshd.pid (usually located in /etc/ssh or /usr/local/etc), or can be obtained by specifying the following command:
ps -ef | grep sshd
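The following POSIX shell functions are an added example, not part of this guide or of the BMC product. They build the two OpenSSH lines that the manual procedure has you write by hand: the known_hosts line from 1.4 Retrieve the remote Managed System host Public Key (Open SSH) and the restricted authorized_keys line from step 2 above. Both take the key from a public key file and first check that the file holds a single-line ssh-dss or ssh-rsa key with a base64 body, so that a wrong file (a private key, a PEM file, an empty file) is rejected instead of producing a line sshd silently ignores. The host names, addresses and key bodies are constructed placeholders; install_entry and the other function names are chosen for this example.

```shell
#!/bin/sh
# Added example, not part of the BMC guide or product: build the two OpenSSH lines
# that the manual procedure has you type by hand, taking the key from a public key
# file instead of pasting it. Host names, addresses and key bodies below are
# constructed placeholders; install_entry is a helper name chosen for this example.

# Validate a public key file and print its "type base64" part without the comment.
# Accepts only the single-line OpenSSH format with the key types this chapter
# configures (HostKeyAlgorithms ssh-dss; the guide's known_hosts example shows ssh-rsa).
# usage: parse_pubkey FILE
parse_pubkey() {
    file=$1
    IFS= read -r line < "$file" || [ -n "$line" ] || { echo "empty file: $file" >&2; return 1; }
    set -f                      # no globbing while splitting the line into fields
    set -- $line
    set +f
    case $1 in
        ssh-dss|ssh-rsa) ;;
        *) echo "unsupported or missing key type in $file" >&2; return 1 ;;
    esac
    # A key body is one base64 token: standard alphabet plus optional "=" padding.
    printf '%s\n' "$2" | grep -Eq '^[A-Za-z0-9+/]+={0,2}$' \
        || { echo "key body is not base64 in $file" >&2; return 1; }
    printf '%s %s\n' "$1" "$2"
}

# known_hosts line for the Services Manager computer (section 1.4, Open SSH):
#   remoteHostName,ipAddress ssh-dss remoteHostPublicKey
# usage: known_hosts_entry REMOTE_HOST_NAME IP_ADDRESS HOST_KEY_FILE
known_hosts_entry() {
    key=$(parse_pubkey "$3") || return 1
    printf '%s,%s %s\n' "$1" "$2" "$key"
}

# authorized_keys line for root on the remote Managed System host (section 2,
# Open SSH): from= pins the key to the Services Manager computer and the
# no-*-forwarding options keep the key usable only for the management session.
# usage: authorized_keys_entry MAIN_HOST SM_PUBLIC_KEY_FILE
authorized_keys_entry() {
    key=$(parse_pubkey "$2") || return 1
    printf 'from="%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding %s\n' "$1" "$key"
}

# Append a line to known_hosts or authorized_keys once (re-running the procedure
# must not duplicate it) and leave the file at the mode the guide specifies (644).
# usage: install_entry FILE LINE
install_entry() {
    [ -f "$1" ] || : > "$1"
    grep -qxF -- "$2" "$1" || printf '%s\n' "$2" >> "$1"
    chmod 644 "$1"
}

# Demonstration with constructed files (key bodies are placeholders, not real keys).
tmp=$(mktemp -d)
printf 'ssh-dss AAAAB3NzaC1kc3MAAACBPLACEHOLDERHOSTKEY= root@felix\n' > "$tmp/ssh_host_dsa_key.pub"
printf 'ssh-dss AAAAB3NzaC1kc3MAAACBPLACEHOLDERUSERKEY== smOwner@spock\n' > "$tmp/id_dsa.pub"
printf 'this is not a key\n' > "$tmp/bad.pub"

known_hosts_entry felix 172.16.110.186 "$tmp/ssh_host_dsa_key.pub"
authorized_keys_entry 172.16.110.119 "$tmp/id_dsa.pub"
authorized_keys_entry 172.16.110.119 "$tmp/bad.pub" || echo "bad.pub rejected"
install_entry "$tmp/authorized_keys" "$(authorized_keys_entry 172.16.110.119 "$tmp/id_dsa.pub")"
install_entry "$tmp/authorized_keys" "$(authorized_keys_entry 172.16.110.119 "$tmp/id_dsa.pub")"
echo "authorized_keys holds $(wc -l < "$tmp/authorized_keys" | tr -d ' ') line(s)"
rm -rf "$tmp"
```

The validation step is what the procedure's copy-and-paste instruction lacks: the key body must be the contents of the .pub file, not the private key, and sshd discards any authorized_keys line it cannot parse without logging which one. The from= value in the generated line should match what the Services Manager computer actually presents to sshd (the IP address, as the NOTE above recommends).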

3 Verifying SSH communication


To verify that the Services Manager can communicate with the remote Managed System host using SSH, see Verifying SSH communication on page 50.

4 Updating the Administrator file


The passphrase must be stored in the Administrator file. A special Default administrator called PassPhraseADM is added to the Administrator file for this purpose.

NOTE
The administrator name PassPhraseADM is required for proper operation of the Services Manager. Under no circumstances should this name be changed.

To store the passphrase in the Administrator file

1 Stop the Services Manager. Ensure that the Services Manager has completely stopped.

2 Enter the following command:

    ctsadm.sh A managedSystemName PassPhraseADM passphrase

The variable passphrase is the passphrase you specified in step 3 on page 44. Be sure to enclose the passphrase in quotation marks.

3 Restart the Services Manager.


5 Managing more than one remote Managed System host


Once you have configured the Services Manager computer and at least one remote Managed System host, you can choose one of the following options for each additional remote Managed System host that you wish to manage:

1. Generate a single DSA public and private key pair. Complete the following procedures:
   - 1.4 Retrieve the remote Managed System host Public Key on page 57
   - 2 Remote Managed System host configuration on page 59
   - 3 Verifying SSH communication on page 65
   - 4 Updating the Administrator file on page 65

2. Generate a new DSA public and private key pair for each additional remote Managed System host with a separate passphrase. This is the recommended option. Complete the following procedures:
   - 1.1 Generate a DSA key pair on page 53
   - 1.2 Create an identification file on page 55
   - 1.4 Retrieve the remote Managed System host Public Key on page 57
   - 2 Remote Managed System host configuration on page 59
   - 3 Verifying SSH communication on page 65
   - 4 Updating the Administrator file on page 65

3. Generate a new DSA public and private key pair for each remote host; however, use the same passphrase for each generated key pair. Complete the following procedures:
   - 1.1 Generate a DSA key pair on page 53 (use the same passphrase for each key pair)
   - 1.2 Create an identification file on page 55
   - 1.4 Retrieve the remote Managed System host Public Key on page 57
   - 2 Remote Managed System host configuration on page 59
   - 3 Verifying SSH communication on page 65
   - 4 Updating the Administrator file on page 65

Chapter 4  Maintenance

This chapter describes procedures that can be used to maintain and configure BMC Provisioning Module. These operations should only be performed by the administrator responsible for operation and maintenance of BMC Provisioning Module. The following procedures are described:

Changing the Managed System administrator security level on page 67
Managing Password Interceptor messages on page 69

Changing the Managed System administrator security level


NOTE
To execute the procedures described in this chapter, log on to the Services Manager platform as the Services Manager owner (usually smOwner) and type the specified commands at the UNIX prompt.

Three levels of security are available for Managed System administrators used by BMC Provisioning Module:

- Low: A dummy Managed System administrator is defined in Enterprise SecurityStation. The administrator does not have to exist in the Managed System and does not require a password. When a transaction arrives from Enterprise SecurityStation, no check regarding the specified Managed System administrator is performed.

Chapter 4

Maintenance

67


NOTE
The security level Low cannot be set for a remote MSCS.

- Medium: The Managed System administrator defined in Enterprise SecurityStation can be any existing user in the Managed System. When a transaction arrives from Enterprise SecurityStation, BMC Provisioning Module verifies the user name and password of the MSCS administrator.

- High: The Managed System administrator defined in Enterprise SecurityStation must be a root user (UID=0). When a transaction arrives from Enterprise SecurityStation, BMC Provisioning Module verifies the user name and password of the Managed System administrator and verifies that the administrator is a root user.

The default security level is specified as Medium during MSCS configuration. You can change the security level at any later time using the procedure below. For levels Medium and High, it may be necessary to set up one or more accounts to serve as Managed System administrators. These accounts on the local or remote Managed System should be defined in Enterprise SecurityStation as the Managed System administrators for this Managed System.

To change the Managed System administrator security level

1 Stop the Services Manager by specifying the following command:
  stop-sm.sh

  Several minutes may be required for all pending requests to be processed.

2 Ensure that Services Manager has stopped and Interceptor processes are not running by specifying the following command:
  show-sm.sh -c

3 Open the Services Manager Administration Console using the SMAdmin.sh utility.


4 Modify the following parameters as necessary:

  Security level   ADMIN_UID_CHECK   ADMIN_FILE_REQ
  Low              N                 N
  Medium           N                 Y
  High             Y                 Y

5 Save the changes and exit from the Services Manager Administration Console.

6 Restart Services Manager by specifying the following command:
  start-sm.sh
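The following is an added example, not code from BMC or from this guide. It evaluates whether a given administrator account satisfies each security level as the three level descriptions above define them (Low: no check; Medium: the account must exist; High: the account must exist with UID 0), and lists every UID-0 account, which is the set an administrator has to choose from at level High. The password verification the module performs for Medium and High is not modelled. The account data is a constructed sample in /etc/passwd format; the LEVEL_FLAGS table simply records the parameter values from step 4 for lookup.

```python
"""Added example (not BMC's code): evaluate whether a Managed System
administrator account satisfies a given security level.

The checks follow the level descriptions in the guide: Low performs no
check, Medium requires an existing account, High requires an existing
account whose UID is 0.  The password verification the module also performs
for Medium and High is not modelled here.  Assumption: the Managed System's
account data is supplied as text in /etc/passwd format.
"""

# Parameter values per level, as listed in step 4 of the procedure.
LEVEL_FLAGS = {
    "Low":    {"ADMIN_UID_CHECK": "N", "ADMIN_FILE_REQ": "N"},
    "Medium": {"ADMIN_UID_CHECK": "N", "ADMIN_FILE_REQ": "Y"},
    "High":   {"ADMIN_UID_CHECK": "Y", "ADMIN_FILE_REQ": "Y"},
}

# Constructed sample in /etc/passwd format (not taken from any real host).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
smowner:x:501:501:Services Manager owner:/home/smowner:/bin/bash
toor:x:0:0:second UID-0 account:/root:/bin/sh
svc:x:502:502:service account:/var/svc:/sbin/nologin
"""


def parse_passwd(text):
    """Return {login: uid} from passwd-format text, skipping malformed lines."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue
        users[fields[0]] = int(fields[2])
    return users


def check_admin(level, admin, passwd_text):
    """Return (accepted, reason) for the administrator under the given level."""
    if level not in LEVEL_FLAGS:
        return False, "unknown security level %r" % level
    if level == "Low":
        return True, "Low: no check of the Managed System administrator"
    users = parse_passwd(passwd_text)
    if admin not in users:
        return False, "%s does not exist in the Managed System" % admin
    if level == "High" and users[admin] != 0:
        return False, "%s has UID %d; High requires UID 0" % (admin, users[admin])
    return True, "%s accepted at level %s" % (admin, level)


def uid0_accounts(passwd_text):
    """Every login with UID 0: the only accounts that can serve at level High."""
    return sorted(login for login, uid in parse_passwd(passwd_text).items() if uid == 0)
```

Running check_admin against the real /etc/passwd of a Managed System before lowering the level is a quick way to see which administrator definitions in Enterprise SecurityStation would stop being verified.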

Managing Password Interceptor messages


This section describes how to manage messages that are generated by the Password Interceptor. You can optionally determine whether or not Password Interceptor messages are written to the system logger, as well as the location to which the messages are written.

NOTE
If the PWI.conf file does not exist, or if either of the parameters specified below is not present in the file, Password Interceptor messages are managed according to the default values specified below.

To configure the PWI.conf file

1 Open or create the file /etc/SA-agent/PWI.conf.

2 Insert or modify one or more entries using the following syntax:
  parameter=value


The parameters and values that can be specified are described below:

- PWI_WRITE_SYSLOG: Whether to write Password Interceptor messages to the system logger. Possible values are Y and N. If set to N, the other parameters are ignored. Default: N

- PWI_WRITE_PASSWD: Whether to write the intercepted encrypted password in the body of the PI message (only applicable if PWI_WRITE_SYSLOG is set to Y).

- PWI_SYSLOG_LEVEL: Destination of Password Interceptor messages (only applicable if PWI_WRITE_SYSLOG is set to Y). The value assigned to this parameter indicates which of the priority parameters in /etc/syslog.conf should be used to determine where to write Password Interceptor messages. Possible values for the PWI_SYSLOG_LEVEL parameter are:

  Value       Description
  LOG_ERR     Messages are written to all the locations specified by parameters *.err, *.warn, *.notice, *.info and *.debug.
  LOG_INFO    Messages are written to all the locations specified by parameters *.debug and *.info.
  LOG_DEBUG   Messages are written to the location specified by parameter *.debug. Default.

NOTE
Any line in the file that starts with # is regarded as a remark and is ignored. The PWI.conf file should contain entries for both PWI_WRITE_SYSLOG and PWI_SYSLOG_LEVEL.

3 Save the file and exit.
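As an added example (not BMC's code), the following parses a PWI.conf-style file and reports the logging behaviour that results, including the two cases the notes above call out: a missing file or missing parameter falls back to the defaults, and PWI_WRITE_SYSLOG=N makes the other parameters irrelevant. The guide gives no default for PWI_WRITE_PASSWD; the example assumes N (the hash is not logged) when it is absent, and that assumption is marked in the code. The sample configuration is constructed.

```python
"""Added example (not BMC's code): parse a PWI.conf-style file and derive
the effective Password Interceptor logging settings.

Defaults follow the guide: PWI_WRITE_SYSLOG defaults to N and
PWI_SYSLOG_LEVEL to LOG_DEBUG.  The guide gives no default for
PWI_WRITE_PASSWD; this example assumes N when it is absent.  Lines that
start with # are remarks.
"""

DEFAULTS = {
    "PWI_WRITE_SYSLOG": "N",
    "PWI_WRITE_PASSWD": "N",        # assumption: the guide states no default
    "PWI_SYSLOG_LEVEL": "LOG_DEBUG",
}
VALID = {
    "PWI_WRITE_SYSLOG": {"Y", "N"},
    "PWI_WRITE_PASSWD": {"Y", "N"},
    "PWI_SYSLOG_LEVEL": {"LOG_ERR", "LOG_INFO", "LOG_DEBUG"},
}
# syslog.conf priority selectors each level maps to, per the guide's table.
LEVEL_SELECTORS = {
    "LOG_ERR":   ["*.err", "*.warn", "*.notice", "*.info", "*.debug"],
    "LOG_INFO":  ["*.debug", "*.info"],
    "LOG_DEBUG": ["*.debug"],
}


def parse_pwi_conf(text):
    """Parse parameter=value lines.  Returns (settings, problems)."""
    settings = dict(DEFAULTS)
    problems = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            problems.append("line %d: expected parameter=value" % lineno)
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key not in VALID:
            problems.append("line %d: unknown parameter %s" % (lineno, key))
            continue
        if value not in VALID[key]:
            problems.append("line %d: invalid value %r for %s; keeping %s"
                            % (lineno, value, key, settings[key]))
            continue
        settings[key] = value
    return settings, problems


def effective_logging(settings):
    """What the interceptor will do with its messages under these settings.

    With PWI_WRITE_SYSLOG=N the other parameters are ignored, so nothing is
    logged regardless of their values.
    """
    if settings["PWI_WRITE_SYSLOG"] != "Y":
        return {"syslog": False, "selectors": [], "includes_hash": False}
    return {
        "syslog": True,
        "selectors": LEVEL_SELECTORS[settings["PWI_SYSLOG_LEVEL"]],
        "includes_hash": settings["PWI_WRITE_PASSWD"] == "Y",
    }


def load_pwi_conf(path="/etc/SA-agent/PWI.conf"):
    """Read the file; a missing file means all defaults apply."""
    try:
        with open(path) as fh:
            text = fh.read()
    except FileNotFoundError:
        text = ""
    return parse_pwi_conf(text)


# Constructed sample configuration (not from a real installation).
SAMPLE_CONF = """\
# constructed sample PWI.conf
PWI_WRITE_SYSLOG=Y
PWI_WRITE_PASSWD=Y
PWI_SYSLOG_LEVEL=LOG_INFO
"""
```

The includes_hash field is the one to review: with PWI_WRITE_PASSWD=Y the encrypted password travels into every location the selected priority maps to in /etc/syslog.conf, so those files need the same protection as /etc/shadow.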


Chapter 5

Provisioning Module implementation for Linux

The Provisioning Module provides the means by which Enterprise SecurityStation, the Services Manager and the Linux Managed System can understand one another. The Provisioning Module for Linux is provided with two interfaces:

- One interface is designed to interact with Linux according to its specific characteristics and capabilities.
- The second interface is identical for all implementations of the Provisioning Module. This interface is designed to interact with the Services Manager, providing a uniform method for the Services Manager to interact with all Managed Systems.

The Provisioning Module enables translation of Enterprise SecurityStation commands to the Linux command set. Managed System events occurring in Linux can be converted to terms that are understood by the Services Manager and transmitted to Enterprise SecurityStation. Most Services Manager - Provisioning Module operations are implemented using functions that update the Linux security database. (The Linux security database is referred to in this chapter as the Linux Managed System.) This chapter describes the Provisioning Module functions, the manner in which they affect the Linux Managed System and any special Managed System keyword handling considerations.

NOTE
This chapter refers to a Managed System which manages the Services Manager computer as the Local Managed System and a Managed System which manages the remote Managed System host as the Remote Managed System.


Provisioning Module and Linux interaction


The Provisioning Module is designed to interact with the Linux Managed System in two directions: the update of information in the Managed System and the retrieval of information from it. These activities are performed for the following entities:

- Accounts
- Account passwords
- Groups
- Account-Group connections
- Resources (files) (only supported for a local Managed System)
- ACLs (access control lists) (only supported for a local Managed System)
- Managed System global parameters

The Provisioning Module is also designed to intercept Managed System-related events that occur in Linux but do not originate in Enterprise SecurityStation. These interceptions occur for the following events:

- Changes in account definitions (add, delete and modify)
- Password changes (only supported for a local Managed System)
- Changes in group definitions (add, delete and modify)
- Changes in account-to-group connections (add and delete)
- Changes in global Managed System definitions

All retrieval operations for accounts, groups, and connections are performed in the Managed System using Linux security system calls and the Linux CLI (Command Line Interface). All updates on a local Managed System are performed using the following steps:
  1. Open the user, group or shadow file in read mode, with standard I/O system calls.
  2. Create and open a temporary file.
  3. Use standard I/O calls to copy the system file to the temporary file.
  4. Make the changes (add, modify or delete) on the relevant record in the temporary file.
  5. Close and save the temporary file.
  6. Copy the system file to a backup.
  7. Rename the temporary file to the system file name.


NOTE
On a remote Managed System, these updates are performed using the remote host CLI.
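The seven-step local update described above, as an added example that is not the module's own code. It works on any colon-separated file whose key is the first field (passwd, group or shadow layout), so one routine covers add, modify and delete. Two details the step list does not spell out matter for a shadow file: the temporary file is created in the target's own directory with the target's own mode, so a 0600 file is never readable by others while it is being rewritten, and rename() makes the switch atomic. The backup name (the target path with a trailing "-") and the temporary-directory demo are assumptions of the example.

```python
"""Added example (not BMC's code): the seven-step local update described in
the guide, applied to a passwd-, group- or shadow-style file.

Assumptions: records are colon-separated with the key in the first field;
the backup is written next to the target with a trailing "-" (the guide
does not name the backup file); the demo works in a temporary directory
rather than /etc.  The temporary file is created in the target's directory
with the target's own mode, so a 0600 shadow file never becomes readable
while it is being rewritten, and rename() makes the switch atomic.
"""
import os
import shutil
import tempfile


def update_record(path, key, new_fields):
    """Add or modify (new_fields is a list) or delete (new_fields is None)
    the record whose first field equals key.  Returns the number of records
    written.  Raises KeyError when asked to delete a record that is absent.
    """
    st = os.stat(path)
    with open(path, "r") as src:                                   # 1. open read-only
        lines = src.read().splitlines()
    dirname = os.path.dirname(os.path.abspath(path))
    fd, tmp_path = tempfile.mkstemp(prefix=".tmp-", dir=dirname)   # 2. temp file
    try:
        os.fchmod(fd, st.st_mode & 0o7777)                 # keep 0600 on shadow
        try:
            os.fchown(fd, st.st_uid, st.st_gid)            # needs root for foreign owners
        except PermissionError:
            pass
        out, found = [], False
        for line in lines:                                 # 3./4. copy and change
            if line.split(":", 1)[0] == key:
                found = True
                if new_fields is not None:
                    out.append(":".join(new_fields))
                continue
            out.append(line)
        if not found:
            if new_fields is None:
                raise KeyError("no record %r in %s" % (key, path))
            out.append(":".join(new_fields))
        with os.fdopen(fd, "w") as dst:                    # 5. close and save
            fd = None
            dst.write("\n".join(out) + "\n")
        shutil.copy2(path, path + "-")                     # 6. back up the original
        os.rename(tmp_path, path)                          # 7. atomic replace
    except BaseException:
        if fd is not None:
            os.close(fd)
        if os.path.exists(tmp_path):
            os.unlink(tmp_path)
        raise
    return len(out)


def demo():
    """Exercise add, modify and delete on a scratch copy; returns the outcome."""
    scratch = tempfile.mkdtemp()
    path = os.path.join(scratch, "passwd")
    with open(path, "w") as fh:                            # constructed sample
        fh.write("root:x:0:0:root:/root:/bin/bash\n"
                 "alice:x:1001:1001::/home/alice:/bin/sh\n")
    os.chmod(path, 0o600)
    counts = [
        update_record(path, "bob", ["bob", "x", "1002", "1002", "", "/home/bob", "/bin/sh"]),
        update_record(path, "alice", ["alice", "x", "1001", "1001", "Alice", "/home/alice", "/bin/bash"]),
        update_record(path, "bob", None),
    ]
    with open(path) as fh:
        text = fh.read()
    result = {
        "counts": counts,
        "text": text,
        "mode": os.stat(path).st_mode & 0o777,
        "backup_exists": os.path.exists(path + "-"),
        "leftover_tmp": [n for n in os.listdir(scratch) if n.startswith(".tmp-")],
    }
    shutil.rmtree(scratch)
    return result
```

Because the temporary file is replaced by rename() rather than by writing into the original, a reader that opens /etc/passwd during the update sees either the old or the new file, never a half-written one; the backup copy is what an administrator restores from if the new record turns out to be wrong.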

Access to resources and permanent ACEs is done directly on the Linux file system using system calls scandir() and stat() for retrieval and chown(), chgrp(), chmod(), mkdir() and mkfile() for updates. In Linux, extended ACLs are supported. These ACLs are accessed via special system calls.

Provisioning Module function list


Names and descriptions for Provisioning Module functions are listed in Table 6 according to entity type or functionality. A detailed description of each Provisioning Module function is provided later in this chapter. Container-related functions are not implemented in Linux and are therefore not included in this chapter.

Table 6  Provisioning Module function list (part 1 of 2)

  Function Group               Function            Description
  Account                      CTSAddUser          Adds a new user.
                               CTSUpdUser          Updates an existing user's details.
                               CTSRevokeUser       Revokes/restores a user's account.
                               CTSUpdPassword      Changes a user's password.
                               CTSDelUser          Deletes an existing user.
                               CTSGetUsers         Retrieves user data.
  Group                        CTSAddUG            Adds a new user group.
                               CTSUpdUG            Updates an existing user group's details.
                               CTSDelUG            Deletes an existing user group.
                               CTSGetUGs           Retrieves user group data.
  Account-Group Connection     CTSAddUserToUG      Connects a user to a user group.
                               CTSUpdUserToUG      Updates the parameters of a user to user group connection.
                               CTSDelUserFromUG    Deletes a connection between a user and a user group.
                               CTSGetConns         Retrieves user to user group connections.


Table 6  Provisioning Module function list (part 2 of 2)

  Function Group    Function          Description
  Resource          CTSAddRes         Creates a Managed System resource.
                    CTSUpdRes         Updates details of an existing Managed System resource.
                    CTSDelRes         Deletes a Managed System resource.
                    CTSGetRes         Retrieves Managed System resource data.
  Resource ACL      CTSAddACE         Adds a new ACE to a resource ACL.
                    CTSUpdACE         Updates an existing ACE's details.
                    CTSDelACE         Deletes an existing ACE from a resource ACL.
                    CTSGetResACL      Retrieves Managed System resource ACL data.
  Managed System    CTSSetRSSParams   Sets global Managed System parameters.
                    CTSGetRSSParams   Retrieves global Managed System parameters.

Account functions

This section describes the following:

- Account data translation tables.
- Considerations and limitations for Account Provisioning Module calls.
- Account Provisioning Module functions.

Account data translation tables


Table 7 and Table 8 list the relationship between Account fields in Enterprise SecurityStation and the corresponding Account parameters in Linux.

Table 7  Standard Account fields in Enterprise SecurityStation

  Field Name                      Corresponding Linux Parameter
  Account ID                      Login name
  Container Name                  N/A
  Default User Group              Primary group
  Password Life                   See Considerations below.
  User Status                     See Considerations below.
  User Administrative Status      See Considerations below.
  Old Default User Group Action   See Considerations below.


Table 8  Linux-specific Account fields

  Field Name        Corresponding Linux Parameter
  UID               User ID
  DESCRIPTION       User Information
  SHELL             Initial Program
  HOME              Home Directory
  CREATE_HOME_DIR   Creates Home Directory
  DELETE_HOME_DIR   Deletes Home Directory
  PWD_LASTCHG       Date when password was last changed
  PWD_WARN          Number of days to warn before password expires
  INACTIVE          Number of days of inactivity after which password expires
  PWD_ABS_EXPIRE    Password expiration date
  MATURITY          Number of days before password can be changed
  EXPIRATION        Number of days after which password expires
  LAST_LOGIN        Last login date and time of the Account.

Considerations and limitations for Account Provisioning Module calls

- Default Group: The group specified as the default group must already be defined in the Managed System.

- Password Life: If the user's password is designated as temporary, the user can log in with the current password, but must change it immediately.

- User Administrative Status: In Linux, administrative privileges are determined by the UID. Users with UID equal to 0 are privileged.

- Old Default User Group action: When the value of this field is KEEP, after the change in the user's default group, the Provisioning Module creates a connection between the user and the user's old default group, effectively making the user a member of at least two groups: the new default group and the old default group. When the value of the field is DROP, the Provisioning Module removes the connection between the user and the user's old default group, if it existed in the /etc/group file.


- UID: In Linux, the UID is defined as a long integer whose expanded range is 0-4294967295.

- Last Login: The field LAST_LOGIN is ignored by the Offline Interceptor and by the Global Sync operation.

- Rename To: In Linux, this is the new name, which can be specified while modifying the account details.

- Adjust Home Directory: This keyword is provided to rename the home directory when a new name is specified while updating the account details.

Account Provisioning Module function descriptions

CTSAddUser

- Description: Adds a new user.

- Provisioning Module Action: CTSAddUser creates a user in the Linux Managed System using the following steps:
  1. Add a new record to the /etc/passwd file.
  2. Add a new record to the /etc/shadow file, if a shadow file exists.
  Optionally, a home directory may be created for the user.

NOTE
If the default group for the user is not specified, a default group with the same name as the user is created. Therefore, in this case the /etc/group file is also modified.


- Considerations:
  - If the CREATE_HOME_DIR parameter is specified as Y, the home directory is created for the user. The home directory's permissions are set to the user's UID and GID.
  - If the user already exists in the Managed System, an error is returned.
  - If the UID specified for the user is already assigned to an existing user, a warning message is issued. If the flag ALLOW_DUP_UID is set to N in the MSCSPARM file, the user is not created and an error is returned.
  - Field HOME must be specified as a full pathname (that is, starting with a /).
  - If the CREATE_HOME_DIR flag is set to Y, before the directory specified in HOME is created, the directory is validated as follows:
    - If the directory is an existing file, an error is returned.
    - If the directory already exists, a warning message is issued.
    - If the MSCS parameter CHECK_PARENT_DIR is set to Y, the parent directory must exist. If it does not exist, an error is returned.
  - When the directory is successfully created, its ownership is changed to the user's UID and GID. If this operation fails, the directory is removed; however, the user is created regardless.
  - If the UID field is left empty, BMC Provisioning Services Manager attempts to calculate the next free UID that is outside the reserved range (0-10).
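An added example (not the module's own code) of the CTSAddUser validation listed above, run against an in-memory Managed System: duplicate login, duplicate UID subject to ALLOW_DUP_UID, the full-pathname rule for HOME, the three directory checks behind CREATE_HOME_DIR and CHECK_PARENT_DIR, and the search for the next free UID above the reserved range 0-10. The same free-id routine with reserved range 0-20 is what the GID allocation described for CTSAddUG later in this chapter calls for, so it takes the range as a parameter. Assumptions of the example: the file system is represented by sets of existing directory and file paths, and an MSCS parameter that is absent is treated as N (the guide states no default).

```python
"""Added example (not BMC's code): the checks listed under CTSAddUser
considerations, run against an in-memory Managed System.

Assumptions: existing accounts are a {login: uid} dict; the MSCS
parameters ALLOW_DUP_UID and CHECK_PARENT_DIR arrive as a dict (an absent
parameter is treated as N here; the guide gives no default); the file
system is represented by sets of existing directories and files.  The
free-UID search skips the reserved range 0-10; the same routine with
reserved range 0-20 serves the GID allocation described for CTSAddUG.
"""
import posixpath

RESERVED_UID_MAX = 10   # CTSAddUser: next free UID lies outside 0-10
RESERVED_GID_MAX = 20   # CTSAddUG: next free GID lies outside 0-20


def next_free_id(used_ids, reserved_max):
    """Smallest id above the reserved range that no existing record uses."""
    candidate = reserved_max + 1
    while candidate in used_ids:
        candidate += 1
    return candidate


def validate_add_user(req, users, params, fs):
    """Return (errors, warnings, uid).  Any error means the user is not created.

    req    : {"name", "uid" (int or None), "home", "create_home" ("Y"/"N")}
    users  : {login: uid} already in the Managed System
    params : {"ALLOW_DUP_UID": "Y"/"N", "CHECK_PARENT_DIR": "Y"/"N"}
    fs     : {"dirs": set of directory paths, "files": set of file paths}
    """
    errors, warnings = [], []
    name, uid, home = req["name"], req.get("uid"), req["home"]

    if name in users:
        errors.append("user %s already exists" % name)

    used = set(users.values())
    if uid is None:
        uid = next_free_id(used, RESERVED_UID_MAX)
    elif uid in used:
        warnings.append("UID %d is already assigned to another user" % uid)
        if params.get("ALLOW_DUP_UID", "N") == "N":
            errors.append("duplicate UID %d rejected (ALLOW_DUP_UID=N)" % uid)

    if not home.startswith("/"):
        errors.append("HOME %r is not a full pathname" % home)
    elif req.get("create_home") == "Y":
        if home in fs["files"]:
            errors.append("HOME %s is an existing file" % home)
        elif home in fs["dirs"]:
            warnings.append("HOME %s already exists" % home)
        elif (params.get("CHECK_PARENT_DIR", "N") == "Y"
              and posixpath.dirname(home) not in fs["dirs"]):
            errors.append("parent directory of %s does not exist" % home)

    return errors, warnings, uid


# Constructed sample Managed System and file system (not from a real host).
USERS = {"root": 0, "bin": 1, "daemon": 2, "alice": 11, "bob": 12}
FS = {"dirs": {"/", "/home", "/home/alice"}, "files": {"/home/README"}}
PARAMS = {"ALLOW_DUP_UID": "N", "CHECK_PARENT_DIR": "Y"}
```

The duplicate-UID case is the one worth watching from a security standpoint: with ALLOW_DUP_UID=Y two logins share one identity as far as file ownership and process credentials are concerned, so the warning should be reviewed rather than filtered.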

CTSUpdUser

- Description: Updates an existing user's details.

- Provisioning Module Action: CTSUpdUser updates the user's details in the Linux Managed System as follows:
  1. Update the user's record in the /etc/passwd file.
  2. Update the user's record in the /etc/shadow file, if a shadow file exists.


- Considerations:
  - When a new HOME is specified, this directory is not created. In addition, no validation is performed on the directory or on its parent directory.
  - If a newly specified UID is already assigned to a different user, a warning message is issued. If the flag ALLOW_DUP_UID is set to N in the MSCSPARM file, the user is not updated and an error is returned.
  - If the user's default group is modified, see Old Default User Group action on page 75.
  - The password is not affected when the user is revoked or restored.

CTSRevokeUser

- Description: Revokes/restores a user's access.

- Provisioning Module Actions: CTSRevokeUser disables the login capabilities of the user's account by setting the encrypted password in the Linux Managed System to the character !. When restoring the user, the ! suffixes the user's original password. If there is no shadow file, the user account is disabled by setting the encrypted password in the /etc/passwd file to *. This is performed using the same steps described for CTSUpdUser.

CTSUpdPassword

- Description: Changes a user's password.

- Provisioning Module Actions: CTSUpdPassword changes the user's password and sets the password lifetime according to parameter PASSWORD_LIFE. The password information is modified in the Linux Managed System by updating the /etc/shadow file, if a shadow file exists.


In case there is no shadow file, the /etc/passwd file is updated.

CTSDelUser

- Description: Deletes an existing user.

- Provisioning Module Actions: CTSDelUser deletes a user's information in the Linux Managed System. This is performed as follows:
  1. All the user's connections to groups are removed from the /etc/group file.
  2. The user's record is removed from the /etc/shadow file, if a shadow file exists.
  3. The user's record is removed from the /etc/passwd file.

CTSGetUsers

- Description: Retrieves Managed System user data.

- Provisioning Module Actions: CTSGetUsers retrieves user details from the Linux Managed System, using system call getpwent() to get the details of all users (from the /etc/passwd file). If a shadow file exists, system call getspnam() is used to retrieve each user's additional security attributes (from the /etc/shadow file).

- Considerations:
  - The users are returned in alphabetical order, sorted by user name. The Linux system calls return the users in no particular order.
  - If the shell is not defined for the user, the string <NO SHELL> is returned as the value.
  - If the home is not defined for the user, the string <NO HOME> is returned as the value.
  - Wildcard retrieval is supported. When the mode is set to GET_WILD_USERS, details for user names starting with the specified prefix are retrieved.


  - User passwords are not retrieved since Enterprise SecurityStation does not store user passwords in its database.
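The retrieval CTSGetUsers describes, as an added example (not the module's code) over constructed passwd and shadow text: every user is returned sorted by login, an empty shell or home becomes <NO SHELL> or <NO HOME>, the shadow attributes from Table 8 are attached only where a shadow record exists, GET_WILD_USERS filters by prefix, and the password field is never copied into the result. The mapping of shadow positions to the Table 8 names and the GET_ALL_USERS mode name are assumptions of the example.

```python
"""Added example (not BMC's code): the retrieval CTSGetUsers describes,
over constructed passwd and shadow text.

Assumptions: both files are supplied as text; the shadow fields are mapped
to the Table 8 names by their standard /etc/shadow positions (last change,
min, max, warn, inactive, expire); GET_WILD_USERS is the mode named in the
guide, GET_ALL_USERS is an assumed name for the unfiltered mode.  The
encrypted password field is never copied into the result.
"""

NO_SHELL = "<NO SHELL>"
NO_HOME = "<NO HOME>"
GET_ALL_USERS = "GET_ALL_USERS"     # assumption: name of the unfiltered mode
GET_WILD_USERS = "GET_WILD_USERS"   # mode named in the guide

# Constructed samples (hashes are placeholders, not real password hashes).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
svc:x:502:502:service::
alice:x:1001:1001:Alice:/home/alice:/bin/bash
admin2:x:1003:1003:Second admin:/home/admin2:/bin/sh
adm:x:3:4:adm:/var/adm:
"""
SAMPLE_SHADOW = """\
root:$6$constructedhash:19000:0:99999:7:::
alice:$6$constructedhash:19100:1:90:14:30:19400:
admin2:!:19050:0:99999:7:::
"""


def parse_shadow(text):
    """Return {login: Table 8 attributes} from shadow-format text."""
    rows = {}
    for line in text.splitlines():
        f = line.split(":")
        if len(f) < 8:
            continue
        rows[f[0]] = {"PWD_LASTCHG": f[2], "MATURITY": f[3], "EXPIRATION": f[4],
                      "PWD_WARN": f[5], "INACTIVE": f[6], "PWD_ABS_EXPIRE": f[7]}
    return rows


def get_users(passwd_text, shadow_text=None, mode=GET_ALL_USERS, prefix=""):
    """Return the user records sorted by login; prefix applies in wildcard mode."""
    shadow = parse_shadow(shadow_text) if shadow_text else {}
    result = []
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) != 7:
            continue
        login = f[0]
        if mode == GET_WILD_USERS and not login.startswith(prefix):
            continue
        rec = {"Account ID": login, "UID": int(f[2]), "DESCRIPTION": f[4],
               "HOME": f[5] or NO_HOME, "SHELL": f[6] or NO_SHELL}
        rec.update(shadow.get(login, {}))   # security attributes only where present
        result.append(rec)
    result.sort(key=lambda r: r["Account ID"])
    return result
```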

Group functions

This section describes the following:

- Group data translation tables.
- Considerations and limitations for Group Provisioning Module calls.
- Group Provisioning Module functions.

Group data translation tables

Table 9 and Table 10 list the relationship between Group fields in Enterprise SecurityStation and the corresponding group parameters in Linux.

Table 9  Standard Group fields in Enterprise SecurityStation

  Field Name     Linux Parameter
  Group name     Group name
  Parent Group   N/A

Table 10  Linux-specific Group fields

  Field Name   Linux Parameter
  GID          GID (Numeric Group ID)

Considerations and limitations for Group Provisioning Module calls

- General: All updates to the group information in the Linux Managed System are done with standard file I/O system calls. All group information retrieval is done by Linux system calls.

- Parent Group: Linux does not support use of parent groups.


- GID: In Linux, the GID is defined as a long integer whose expanded range is 0-4294967295.

Group Provisioning Module function descriptions

CTSAddUG

- Description: Adds a new user group to the Linux Managed System.

- Provisioning Module Action: CTSAddUG creates a user group in the Managed System by adding a new record to the /etc/group file.

- Considerations:
  - If the group already exists in the Managed System, an error is returned.
  - If the GID specified for the group is already assigned to an existing group, a warning message is issued. If the flag ALLOW_DUP_GID is set to N in the MSCSPARM file, the group is not created and an error is returned.
  - No users are connected to the group when it is created.
  - If the GID field is blank, Services Manager attempts to calculate the next free GID that is outside the reserved range (0-20).

CTSUpdUG

- Description: Updates an existing user group's details in the Linux Managed System.

- Provisioning Module Actions: CTSUpdUG updates the group details by updating the group record in the /etc/group file.


- Considerations: If the GID specified for the group is already assigned to an existing group, a warning message is issued. If the flag ALLOW_DUP_GID is set to N in the MSCSPARM file, the group is not created and an error is returned.

CTSDelUG

- Description: Deletes an existing user group from the Linux Managed System.

- Provisioning Module Actions: CTSDelUG deletes the group from the Managed System by the following steps:
  1. Get the list of group members. If the group has members, an error is returned and the group is not deleted.
  2. Delete the group's record from the /etc/group file.

CTSGetUGs

- Description: Retrieves group data from the Linux Managed System.

- Provisioning Module Actions: CTSGetUGs retrieves group details from the Managed System by first using system call getgrent() to get all the groups.

- Considerations: The groups are returned in alphabetical order, sorted by group name. Wildcard retrieval is not supported.


Account-Group connection operations

This section describes the following:

- Considerations and limitations for Account-Group connection Provisioning Module calls.
- Account-Group connection Provisioning Module functions.

Considerations and limitations for connection Provisioning Module calls

In the Linux Managed System, connections can be retrieved and manipulated either by accessing the user details (the GID field in the /etc/passwd file) or by accessing the group details (the member list in the group's record in the /etc/group file). All updates to the group information in the Linux Managed System are done with standard file I/O system calls. All group information retrieval is done by Linux system calls.

Table 11  Standard connection fields in Enterprise SecurityStation

  Field name           Linux parameter
  Account name         User name
  Group name           Group name
  Administrator type   N/A
  Attribute            Primary/secondary group

Linux-specific Connection Fields

There are no Linux-specific fields on a connection.


Connection Provisioning Module function descriptions

CTSAddUserToUG

- Description: Connects a user to a user group.

- Provisioning Module Actions: CTSAddUserToUG adds the user to the group member list. This is performed using the following steps:
  1. Verify that the user exists in the Managed System.
  2. Get the group's record from /etc/group using the system call getgrnam().
  3. If the user is already in the member list, return an error.
  4. Add the user to the member list.
  5. Write the updated record to the /etc/group file.

CTSUpdUserToUG

- Description: Updates the attributes of a user to group connection.

- Provisioning Module Actions: This function is not implemented in the Provisioning Module for Linux, since there are no attributes for this connection.


CTSDelUserFromUG

- Description: Deletes a connection between a user and a user group.

- Provisioning Module Actions: CTSDelUserFromUG deletes the user from the group member list. This is performed using the following steps:
  1. Get the group's record from /etc/group using system call getgrnam().
  2. If the user is not in the member list, return an error.
  3. Delete the user from the member list.
  4. Write the updated record to the /etc/group file.
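An added example (not the module's code) covering two passages: the member-list steps of CTSAddUserToUG and CTSDelUserFromUG above, and the KEEP/DROP handling of the old default group described under the Account considerations earlier in this chapter (changing a user's primary GID either adds the user to the old group's member list or removes the user from it). The example works on in-memory dicts and returns updated copies rather than writing /etc/group; which routine writes the record back is an assumption left to the caller. The sample users and groups are constructed.

```python
"""Added example (not BMC's code): the /etc/group member-list operations
behind CTSAddUserToUG and CTSDelUserFromUG, plus the KEEP/DROP handling of
the old default group described in the Account considerations.

Assumptions: passwd and group data are dicts in memory
(login -> primary GID, group -> {"gid", "members"}); the updated table is
returned for a separate routine to write back, and the original input is
never modified in place.
"""
import copy


class ProvisioningError(Exception):
    """Raised where the guide says the function returns an error."""


# Constructed sample Managed System (not from a real host).
SAMPLE_USERS = {"alice": 100, "bob": 1002}
SAMPLE_GROUPS = {
    "users": {"gid": 100,  "members": ["bob"]},
    "dev":   {"gid": 1001, "members": []},
    "ops":   {"gid": 1002, "members": ["alice", "bob"]},
}


def add_user_to_group(users, groups, login, group):
    """CTSAddUserToUG steps 1-4; returns the updated group table (step 5)."""
    if login not in users:                                   # 1. user must exist
        raise ProvisioningError("user %s does not exist" % login)
    if group not in groups:                                  # 2. getgrnam()
        raise ProvisioningError("group %s does not exist" % group)
    if login in groups[group]["members"]:                    # 3. already connected
        raise ProvisioningError("%s is already a member of %s" % (login, group))
    new = copy.deepcopy(groups)                              # 4. add to member list
    new[group]["members"].append(login)
    return new


def del_user_from_group(groups, login, group):
    """CTSDelUserFromUG steps 1-3; returns the updated group table (step 4)."""
    if group not in groups:                                  # 1. getgrnam()
        raise ProvisioningError("group %s does not exist" % group)
    if login not in groups[group]["members"]:                # 2. not connected
        raise ProvisioningError("%s is not a member of %s" % (login, group))
    new = copy.deepcopy(groups)                              # 3. remove from list
    new[group]["members"].remove(login)
    return new


def change_default_group(users, groups, login, new_group, action):
    """Change a user's primary group; KEEP/DROP decides the old group's fate.

    Returns (new_users, new_groups).  If the old GID has no group record
    there is no connection to keep or drop, so only the passwd side changes.
    """
    if action not in ("KEEP", "DROP"):
        raise ProvisioningError("unknown Old Default User Group action %r" % action)
    if login not in users:
        raise ProvisioningError("user %s does not exist" % login)
    if new_group not in groups:
        raise ProvisioningError("group %s does not exist" % new_group)
    old_gid = users[login]
    old_name = next((n for n, g in groups.items() if g["gid"] == old_gid), None)
    new_users = dict(users)
    new_users[login] = groups[new_group]["gid"]
    new_groups = copy.deepcopy(groups)
    if old_name is not None:
        members = new_groups[old_name]["members"]
        if action == "KEEP" and login not in members:
            members.append(login)              # explicit connection to old group
        elif action == "DROP" and login in members:
            members.remove(login)              # only if it existed in /etc/group
    return new_users, new_groups


def fails(fn, *args):
    """True if fn(*args) raises ProvisioningError (used to check error paths)."""
    try:
        fn(*args)
    except ProvisioningError:
        return True
    return False
```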

CTSGetConns

- Description: Retrieves user to group connections from the Linux Managed System.

- Provisioning Module Actions: CTSGetConns obtains user to group connection details by invoking various system calls:
  - System call getgrnam() is used to retrieve all connections of one group.
  - System call getpwnam() is used to retrieve one user's default group.
  - System call getgrent() is used to retrieve all the groups.
  - System call getpwent() is used to retrieve all the users.
  Depending on the specific mode, connections can be retrieved for some groups, some users, all groups, all users and specific pairs of users and groups. This is done by using various combinations of these system calls.

- Considerations: The list is sorted by users and then by user groups. Connections between groups and non-existing users are not retrieved. Similarly, connections between users and non-existing groups are not retrieved.
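An added example (not the module's code) that assembles the connection list the way CTSGetConns and its considerations describe: a user's primary GID from passwd and the member lists from group records both yield connections, the result is sorted by user and then by group, and any connection naming a user or group that does not exist is dropped. The sample passwd and group text is constructed and deliberately includes a member that is not a user ("ghost") and a user whose primary GID has no group record ("carol"). Representing the retrieval mode as optional user/group filters is an assumption; the guide does not list the mode constants.

```python
"""Added example (not BMC's code): assembling user-to-group connections the
way CTSGetConns describes, from constructed passwd and group text.

A user's primary group (the GID field in passwd) and the member lists in
group records are both connections; the list is sorted by user and then
by group; connections that refer to a non-existent user or group are
dropped.  Assumption: a retrieval mode is represented by optional
user/group filters rather than by the module's own mode constants.
"""

# Constructed samples.  "ghost" is listed in a group but is not a user;
# "carol" has a primary GID (7777) for which no group record exists.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1001:100:Alice:/home/alice:/bin/bash
bob:x:1002:1001:Bob:/home/bob:/bin/sh
carol:x:1003:7777:Carol:/home/carol:/bin/sh
"""
SAMPLE_GROUP = """\
root:x:0:
users:x:100:alice,ghost
dev:x:1001:alice
ops:x:1002:bob,carol
"""


def parse_passwd(text):
    """Return {login: primary_gid}."""
    users = {}
    for line in text.splitlines():
        f = line.split(":")
        if len(f) == 7 and f[3].isdigit():
            users[f[0]] = int(f[3])
    return users


def parse_group(text):
    """Return {group: (gid, [members])}."""
    groups = {}
    for line in text.splitlines():
        f = line.split(":")
        if len(f) >= 4 and f[2].isdigit():
            groups[f[0]] = (int(f[2]), f[3].split(",") if f[3] else [])
    return groups


def get_connections(passwd_text, group_text, user=None, group=None):
    """Return sorted (user, group, attribute) tuples, attribute primary/secondary."""
    users = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    gid_to_name = {gid: name for name, (gid, _) in groups.items()}
    conns = {}
    for login, gid in users.items():                 # primary connections
        if gid in gid_to_name:                       # skip non-existent group
            conns[(login, gid_to_name[gid])] = "primary"
    for name, (_, members) in groups.items():        # secondary connections
        for member in members:
            if member in users:                      # skip non-existent user
                conns.setdefault((member, name), "secondary")
    result = [(u, g, attr) for (u, g), attr in conns.items()
              if (user is None or u == user) and (group is None or g == group)]
    return sorted(result)
```

A connection to a group that exists only as a GID (carol's 7777 above) is exactly the kind of stale reference that survives a group deletion done outside Enterprise SecurityStation; the module drops it from the list, so an audit that wants to see such references has to compare passwd and group directly.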


Resource functions

This section describes the following:

- Resource data translation tables.
- Considerations for Resource Provisioning Module calls.
- Resource Provisioning Module functions.

NOTE
Resource functions are only supported for a local Managed System.

Resource data translation tables

Table 12 and Table 13 list the relationship between resource fields in Enterprise SecurityStation and the corresponding resource parameters in Linux.

Table 12  Standard Resource fields in Enterprise SecurityStation

  Field name      Linux parameter
  Resource Name   File name
  Resource Type   File type (file/directory)

Table 13  Linux-specific Resource fields

  Field name     Linux parameter
  RES_OWNER      UID (Numeric User ID)
  RES_GROUP      GID (Numeric Group ID)
  RES_SIZE       File size (bytes)
  RES_TYPE       File type
  RES_CREATED    Creation date/time
  RES_MODIFIED   Last modification date/time
  RES_ACCESSED   Last access date/time


Considerations for Resource Provisioning Module calls

- General: Resources are not part of the Linux Managed System; rather, they are part of the Linux file system. However, some resource information (owner and group) is retrieved from the Managed System.

- Resource Name: The full pathname for the resource is required. Environment variable substitution and user name substitution (~user) are not available.

- Resource Type: All resources that are not directories are regarded as files, including sockets, named pipes, etc. All file names are unique, regardless of their type.

- RES_TYPE: All resource information is retrieved using system call stat(). The resource type is determined from the field st_mode in the stat structure returned by the stat() call. The following values are returned:
  - FILE for files
  - DIR for directories
  In addition, the file shell command is invoked to get additional details about the file from its magic number. For more details, see the documentation for the file command and the contents of the file /etc/magic.

- RES_OWNER and RES_GROUP: The UID and GID as retrieved by system call stat() are translated to user name and group name, respectively. If the UID or GID does not belong to any user/group, a dummy value (# # UID or # # GID) is returned. If a resource is NFS-mounted (that is, the resource resides on the file system of a remote host), the translation of UID and GID to owner and group, respectively, may be incorrect since the translation is provided by the local Managed System and not by the Managed System of the remote host.

- RES_CREATED, RES_ACCESSED and RES_MODIFIED: These fields are displayed in the format YYYYMMDDhhmmss where YYYY is the year, MM is the month (01-12), DD is the day (01-31), hh is the hour (00-23), mm is the minutes (00-59) and ss is the seconds (00-59).

In Linux, the RES_CREATED is derived from the field st_ctime in the stat structure. This field is defined as file last status change time, which is set when the file status information is changed (for example, when the owner is changed). Therefore, the creation date can be later than the access date.
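The Table 13 fields built from stat() as the considerations above describe, as an added example that is not the module's code: RES_TYPE from st_mode (anything that is not a directory is FILE), the YYYYMMDDhhmmss timestamps with RES_CREATED taken from st_ctime, owner and group translated through a lookup table with the "# # UID" / "# # GID" dummy value for an unmapped id, and the one-level directory listing CTSGetRes returns. The UID/GID translation tables are constructed rather than taken from the Managed System, and the demo creates its own files in a temporary directory.

```python
"""Added example (not BMC's code): building the Table 13 fields for a
resource with stat(), as the Resource considerations describe.

Assumptions: UID/GID translation uses constructed {id: name} tables rather
than the Managed System, so the "# # UID" / "# # GID" dummy value can be
shown for an unmapped owner or group; the demo creates its own files in a
temporary directory.  RES_CREATED comes from st_ctime, which on Linux is
the last status change time, not a true creation time.
"""
import os
import shutil
import stat
import tempfile
import time


def fmt_time(epoch):
    """YYYYMMDDhhmmss in local time, the display format the guide describes."""
    return time.strftime("%Y%m%d%H%M%S", time.localtime(epoch))


def res_type(st_mode):
    """DIR for directories; everything else (sockets, pipes, ...) is FILE."""
    return "DIR" if stat.S_ISDIR(st_mode) else "FILE"


def translate(ident, table, kind):
    """Name for a UID/GID, or the dummy value when no user/group owns it."""
    return table.get(ident, "# # %s" % kind)


def get_res(path, uid_names, gid_names):
    """One resource's Table 13 fields."""
    st = os.stat(path)
    return {
        "Resource Name": path,
        "RES_TYPE": res_type(st.st_mode),
        "RES_OWNER": translate(st.st_uid, uid_names, "UID"),
        "RES_GROUP": translate(st.st_gid, gid_names, "GID"),
        "RES_SIZE": st.st_size,
        "RES_CREATED": fmt_time(st.st_ctime),
        "RES_MODIFIED": fmt_time(st.st_mtime),
        "RES_ACCESSED": fmt_time(st.st_atime),
    }


def get_res_listing(path, uid_names, gid_names):
    """The resource itself plus, for a directory, one level of its contents."""
    entries = [get_res(path, uid_names, gid_names)]
    if entries[0]["RES_TYPE"] == "DIR":
        for name in sorted(os.listdir(path)):       # no recursion below this level
            entries.append(get_res(os.path.join(path, name), uid_names, gid_names))
    return entries


def demo():
    """Create a small tree in a scratch directory and list it."""
    scratch = tempfile.mkdtemp()
    os.mkdir(os.path.join(scratch, "sub"))
    open(os.path.join(scratch, "sub", "deep.txt"), "w").close()
    with open(os.path.join(scratch, "data.bin"), "wb") as fh:
        fh.write(b"\x00" * 16)
    uid_names = {os.getuid(): "smowner"}    # constructed translation table
    gid_names = {}                          # no group mapped: dummy value expected
    entries = get_res_listing(scratch, uid_names, gid_names)
    shutil.rmtree(scratch)
    return entries
```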

Resource Provisioning Module function descriptions

CTSAddRes

- Description: Adds a new resource.

- Provisioning Module Actions: CTSAddRes creates a new resource in the Linux file system.

- Considerations: The parameters required to create a new resource on the Linux file system are:
  - Resource name (absolute full path)
  - Resource type (file or directory)
  - Owner
  - Group
  To create a file, the open() system call is used; to create a directory, the mkdir() system call is used. The owner and group are set by using the chown() and chgrp() system calls, respectively.

CTSDelRes

- Description: Deletes an existing resource.

- Provisioning Module Actions: CTSDelRes deletes an existing resource from the Linux file system.


- Considerations: The parameters required to delete a resource from the Linux file system are:
  - Resource name (absolute full path)
  - Resource type (file or directory)
  To delete a file, the unlink() system call is used. To delete a directory, the rmdir() system call is used. Reserved system directories (for example, /, /etc, /usr) are not deleted by this function.

CTSUpdRes

- Description: Updates an existing resource's details.

- Provisioning Module Actions: CTSUpdRes updates the resource details in the Linux file system.

- Considerations: The only parameters that can be updated are the resource owner (a user name) and the resource group (a group name). Since owner and group information is kept in UID and GID format respectively, a translation must be performed between these two representations. Therefore, if the specified user or group does not exist on the system, an error message is issued and the operation is not performed.

CTSGetRes

- Description: Gets resource information from the Linux Managed System and file system.

- Provisioning Module Actions: System call stat() is used to retrieve the resource information. The Managed System translates the resource UID and GID to user name and group name, respectively.


- Considerations: When the specified resource is a directory, the directory information is retrieved. In addition, all files and sub-directories contained in the directory are retrieved and their information is returned. There is no further recursion beyond that level (that is, the contents of the sub-directories are not retrieved).

Resource ACL functions

This section describes the following:

- Resource ACL data translation tables.
- Considerations for Resource ACL Provisioning Module calls.
- Resource ACL Provisioning Module functions.

NOTE
Resource ACL functions are only supported for a local Managed System.

Resource ACL data translation tables

Table 14 and Table 15 list the relationship between resource ACL fields in Enterprise SecurityStation and the corresponding resource ACL parameters in Linux.

Table 14  Standard Resource ACL fields in Enterprise SecurityStation

  Field name       Linux parameter
  ACE Type         See Considerations below
  ACE User         UID
  ACE Group        GID
  ACE Attributes   See Considerations below

Table 15  Linux-specific Resource ACL fields

  Field name     Linux parameter
  READ_ACCESS    Read permission
  WRITE_ACCESS   Write permission
  EXEC_ACCESS    Execute permission
  ACE_DEFAULT    ACE is a default (Linux only)


Considerations for Resource ACL Provisioning Module calls


s

General

In the Linux file system, each resource always has at least three ACEs: for owner, group and world. These ACEs are permanent; they cannot be deleted and their user and group cannot be changed.
s

ACE Type

For the three permanent ACEs, the user ACE has the type USER, the group ACE has the type GROUP and the world ACE has the type WORLD.
s

ACE Attribute

For the three permanent ACEs, the attribute is PERMANENT. The MASK ACE is also PERMANENT. The attribute of all other ACEs is REGULAR.
s

Resource Name and Resource Type

See Considerations for Resource Provisioning Module calls on page 87.

Resource ACL Provisioning Module function descriptions

CTSAddACE

- Description

  Adds an ACE to the resource's ACL.

- Provisioning Module Actions

  This function is currently not implemented in Linux since extended ACEs are not supported.

CTSDelACE

- Description

  Removes an ACE from the resource's ACL.

- Provisioning Module Actions

  This function is currently not implemented in Linux since extended ACEs are not supported.

CTSUpdACE

- Description

  Updates details of an ACE in the resource's ACL.

- Provisioning Module Actions

  The function locates the ACE specified by parameter old ACE in the resource ACL. If the old ACE is found, the ACE details are updated with information from parameter new ACE. The function uses the system call chmod() to update one of the three permanent ACEs.

- Considerations

  The old ACE must match an existing ACE in all details, that is, entity (user or group) and permissions. The only details that can be modified are the access permissions (read, write and execute). To change the owner or group, function CTSUpdRes should be used. If the user or group is specified as #UID or #GID, the function uses the UID or GID directly. Otherwise, the user or group name is translated to a UID/GID via the Linux Managed System. This enables modification of ACEs that refer to UIDs or GIDs that are not defined in the Managed System.

CTSGetResACL

- Description

  Gets resource ACL information from the Linux Managed System and file system.

- Provisioning Module Actions

  If system call acl() exists, it is used to retrieve the resource's ACL. If it does not exist or fails, stat() is used to retrieve the resource information. The Linux Managed System is used to translate the resource UID and GID to user name and group name, respectively.

- Considerations

  When the specified resource is a directory, its information is retrieved, but there is no recursion (that is, files contained in the directory are not retrieved).

  For each ACE, the three permissions are retrieved. For example, if the resource owner is JohnDoe and his permissions are read and execute, the ACE contains:

    USER = JohnDoe
    GROUP = <empty>
    ACE Type = USER
    ACE Attribute = PERMANENT

  The ACE also contains the following information:

    READ_ACCESS = Y
    WRITE_ACCESS = N
    EXEC_ACCESS = Y
    ACE_DEFAULT = N
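The retrieval and update behaviour described above for CTSGetResACL and CTSUpdACE, as an added example that is not BMC's code: it builds the three permanent ACEs from stat(), translates the ids with the local passwd and group databases, and applies a permission-only update with chmod(), refusing an old ACE that does not match in every detail. The ace_t type, the function names and the "#<id>" fallback for an id the Managed System cannot resolve are assumptions of this example, modelled on the page's #UID/#GID notation.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <pwd.h>
#include <grp.h>

/* Added example, not BMC code: models the three permanent ACEs (owner, group, world)
 * that the module reports for every resource, retrieved with stat() and updated with
 * chmod(). Type and function names are hypothetical; the "#<id>" fallback mirrors
 * the page's #UID/#GID notation. */
typedef enum { ACE_USER, ACE_GROUP, ACE_WORLD } ace_type_t;
typedef struct {
    ace_type_t type;       /* ACE Type; ACE Attribute is PERMANENT for all three */
    char user[64];         /* owner name; empty for the group and world ACEs */
    char group[64];        /* group name; empty for the owner and world ACEs */
    int read, write, exec; /* READ_ACCESS, WRITE_ACCESS, EXEC_ACCESS (1 = Y, 0 = N) */
} ace_t;

/* Translate ids to names via the local passwd/group databases; an id that is not
 * defined on the Managed System is reported as "#<id>" rather than failing. */
static void uid_to_name(uid_t uid, char *out, size_t n) {
    struct passwd *pw = getpwuid(uid);
    if (pw) snprintf(out, n, "%s", pw->pw_name);
    else snprintf(out, n, "#%lu", (unsigned long)uid);
}
static void gid_to_name(gid_t gid, char *out, size_t n) {
    struct group *gr = getgrgid(gid);
    if (gr) snprintf(out, n, "%s", gr->gr_name);
    else snprintf(out, n, "#%lu", (unsigned long)gid);
}

/* Fill the r/w/x flags from one 3-bit permission group of st_mode. */
static void perms_from_mode(mode_t mode, int shift, ace_t *ace) {
    ace->read  = ((mode >> shift) & 4) ? 1 : 0;
    ace->write = ((mode >> shift) & 2) ? 1 : 0;
    ace->exec  = ((mode >> shift) & 1) ? 1 : 0;
}

/* CTSGetResACL-style retrieval: stat() the resource, return its three permanent ACEs. */
int get_res_acl(const char *path, ace_t out[3]) {
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    memset(out, 0, 3 * sizeof(ace_t));
    out[0].type = ACE_USER;
    uid_to_name(st.st_uid, out[0].user, sizeof out[0].user);
    perms_from_mode(st.st_mode, 6, &out[0]);
    out[1].type = ACE_GROUP;
    gid_to_name(st.st_gid, out[1].group, sizeof out[1].group);
    perms_from_mode(st.st_mode, 3, &out[1]);
    out[2].type = ACE_WORLD;
    perms_from_mode(st.st_mode, 0, &out[2]);
    return 0;
}

/* The old ACE must match an existing ACE in every detail: entity and permissions. */
static int ace_matches(const ace_t *a, const ace_t *b) {
    return a->type == b->type && strcmp(a->user, b->user) == 0 &&
           strcmp(a->group, b->group) == 0 && a->read == b->read &&
           a->write == b->write && a->exec == b->exec;
}

/* CTSUpdACE-style update: locate old_ace, then apply only the r/w/x of new_ace via
 * chmod(). Returns 0 on success, -1 on a system call error, -2 if old_ace matches no
 * ACE, -3 if new_ace tries to change the entity (that is CTSUpdRes's job). */
int upd_ace(const char *path, const ace_t *old_ace, const ace_t *new_ace) {
    struct stat st;
    ace_t cur[3];
    int idx = -1, shift;
    mode_t bits, mode;
    if (stat(path, &st) != 0 || get_res_acl(path, cur) != 0) return -1;
    for (int i = 0; i < 3; i++) if (ace_matches(&cur[i], old_ace)) { idx = i; break; }
    if (idx < 0) return -2;
    if (strcmp(old_ace->user, new_ace->user) || strcmp(old_ace->group, new_ace->group)) return -3;
    shift = (idx == 0) ? 6 : (idx == 1) ? 3 : 0;
    bits = (new_ace->read ? 4 : 0) | (new_ace->write ? 2 : 0) | (new_ace->exec ? 1 : 0);
    mode = (st.st_mode & 07777 & ~(mode_t)(7 << shift)) | (bits << shift);
    return chmod(path, mode) == 0 ? 0 : -1;
}

/* Round trip on a temporary file: mode 0750, drop WRITE from the owner ACE, confirm
 * the result, and confirm that a stale old ACE no longer matches. Returns 0 if all ok. */
int demo_roundtrip(void) {
    char path[] = "/tmp/ace_demo_XXXXXX";
    ace_t acl[3], new_ace;
    int fd = mkstemp(path), rc = 1;
    if (fd < 0) return rc;
    close(fd);
    if (chmod(path, 0750) != 0 || get_res_acl(path, acl) != 0) { rc = 2; goto out; }
    if (!(acl[0].read && acl[0].write && acl[0].exec) || acl[2].read) { rc = 3; goto out; }
    new_ace = acl[0];
    new_ace.write = 0;                                                 /* owner: rwx -> r-x */
    if (upd_ace(path, &acl[0], &new_ace) != 0) { rc = 4; goto out; }
    if (upd_ace(path, &acl[0], &new_ace) != -2) { rc = 5; goto out; } /* stale old ACE */
    if (get_res_acl(path, acl) != 0 || acl[0].write || !acl[0].exec) { rc = 6; goto out; }
    rc = 0;
out:
    unlink(path);
    return rc;
}
```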

Managed System functions


This section describes the following:

- Managed System data translation tables
- Considerations for Managed System Provisioning Module calls
- Managed System Provisioning Module functions

Managed System data translation tables


Table 16 and Table 17 list the relationship between Managed System fields in Enterprise SecurityStation and the corresponding Managed System parameters in Linux.

Table 16  Standard Managed System fields

Field name                Linux parameter
Minimum Password Length   PASSLENGTH in file /etc/default/passwd
Max Expiration Period     MAXWEEKS in file /etc/default/passwd
Max Login Attempts        This is always 5

Table 17  Managed System-specific fields

Field name    Linux parameter                          Comments
UA_GROUP      Default group for new users              -g in useradd -D
UA_INACTIVE   Inactivity period for new users          -f in useradd -D
UA_BASE       Base home directory for new users        -b in useradd -D
MIN_WEEKS     MINWEEKS in file /etc/default/passwd
WARN_WEEKS    WARNWEEKS in file /etc/default/passwd

Considerations for Managed System parameters Provisioning Module calls

- Minimum Password Length and Max Expiration Period

  Some global parameters are mapped to keywords in the /etc/login.defs file. There are no system calls to access this file, so standard I/O calls are used. Other global parameters are mapped to values set and retrieved by the useradd command.

Managed System Provisioning Module function descriptions

CTSGetRSSParams

- Description

  Retrieves global Managed System parameters from the Linux Managed System.

- Provisioning Module Actions

  Some values are retrieved from the files /etc/default/passwd and /etc/login.defs. Empty values are returned if the file cannot be accessed or if the required keyword is missing. Other values are retrieved from the useradd command by invoking the command with the -D parameter.
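An added example (not BMC's code) of the keyword lookup described above for /etc/login.defs and /etc/default/passwd: standard I/O only, an empty value when the file is unreadable or the keyword is missing, and commented-out keys ignored. The function names and the sample file contents are constructed for this example; reading /etc/default/passwd in KEY=value form is an assumption.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>

/* Added example, not BMC code: read one keyword from a "KEY value" file such as
 * /etc/login.defs, or a "KEY=value" file such as /etc/default/passwd, with standard
 * I/O only. An unreadable file or a missing keyword yields an empty value. */

/* Returns 1 and copies the value into out when the keyword is present (the last
 * occurrence wins); returns 0 with out set to "" otherwise. A key that is commented
 * out, or that merely prefixes a longer key, does not count as present. */
int lookup_keyword(const char *path, const char *key, char *out, size_t outlen) {
    char line[512];
    size_t klen = strlen(key);
    int found = 0;
    FILE *fp;
    out[0] = '\0';
    fp = fopen(path, "r");
    if (!fp) return 0;                                   /* unreadable: empty value */
    while (fgets(line, sizeof line, fp)) {
        const char *p = line, *v;
        size_t len;
        while (isspace((unsigned char)*p)) p++;
        if (*p == '#' || *p == '\0') continue;           /* comment or blank line */
        if (strncmp(p, key, klen) != 0) continue;
        v = p + klen;
        if (*v == '=') v++;                              /* KEY=value form */
        else if (!isspace((unsigned char)*v)) continue;  /* longer key sharing the prefix */
        while (isspace((unsigned char)*v)) v++;
        len = strcspn(v, "#\r\n");                       /* drop trailing comment/newline */
        while (len > 0 && isspace((unsigned char)v[len - 1])) len--;
        if (len >= outlen) len = outlen - 1;
        memcpy(out, v, len);
        out[len] = '\0';
        found = 1;
    }
    fclose(fp);
    return found;
}

/* Write constructed content to a temporary file, look the key up, remove the file,
 * so the parser can be exercised without touching the real /etc files. */
int demo_lookup(const char *content, const char *key, char *out, size_t outlen) {
    char path[] = "/tmp/login_defs_XXXXXX";
    int fd = mkstemp(path), found;
    FILE *fp;
    out[0] = '\0';
    if (fd < 0) return -1;
    fp = fdopen(fd, "w");
    if (!fp) { close(fd); unlink(path); return -1; }
    fputs(content, fp);
    fclose(fp);
    found = lookup_keyword(path, key, out, outlen);
    unlink(path);
    return found;
}

/* 1 if the keyword's value in content equals expected ("" for absent or empty). */
int value_equals(const char *content, const char *key, const char *expected) {
    char buf[256];
    demo_lookup(content, key, buf, sizeof buf);
    return strcmp(buf, expected) == 0;
}

/* Constructed excerpts (not real system files) covering the edge cases: a commented-out
 * key, a key that is a prefix of another, a trailing comment, and an empty value. */
const char *SAMPLE_LOGIN_DEFS =
    "# constructed /etc/login.defs excerpt\n"
    "#PASS_MIN_LEN\t8\n"
    "PASS_MAX_DAYS   99999   # trailing comment\n"
    "PASS_MIN_DAYS   0\n"
    "PASS_WARN_AGE   7\n"
    "LOGIN_RETRIES   5\n";
const char *SAMPLE_DEFAULT_PASSWD =
    "# constructed /etc/default/passwd excerpt\n"
    "MAXWEEKS=\n"
    "MINWEEKS=1\n"
    "PASSLENGTH=6\n"
    "WARNWEEKS=2\n";
```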


CTSSetRSSParams

- Description

  Sets global Managed System parameters in the Linux Managed System.

- Provisioning Module Actions

  Some values are updated in the files /etc/default/passwd and /etc/login.defs. Other values are modified by invoking the useradd command with the -D parameter and the corresponding arguments.


Appendix A

Managed System specific fields

This appendix provides reference tables for Managed System-specific fields. The following topics are discussed:

Description of table column titles   97
Function tables for Linux   99
  Account functions   100
  Group functions   100
  Resource functions   100
  ACL/ACE functions   101
  Managed System parameter functions   101

Description of table column titles


Due to the many columns of information contained in the tables in this appendix, abbreviated column names are used. This section describes the meaning of the column titles for the Managed System-specific field tables later in the appendix. The columns described in Table 18 on page 98 appear in all the Managed System-specific field tables in this appendix.


Table 18  Description of columns in Managed System-specific field tables

Column title: Field

  Field name (as it appears in the Enterprise SecurityStation database). For list fields, the subfields are indented. By default, field labels are displayed in a Properties window in the ESS Console or Web Console. To view field names, click the right mouse button anywhere in the Properties window in the ESS Console (except on a field) and choose the option Show Field Names from the pop-up menu. The field names are displayed instead of the field labels.

Column title: L

  Whether or not the field accepts a list of values. A list consists of values separated by commas. Possible values in this column are:

    L  identifies a list field.
    S  identifies a subfield of a list field (names of subfields are indented in the Field column).

Column title: T

  Type of input accepted in the field. Possible values in this column are:

    C  Character. All input is treated as characters even if all are digits.
    F  Flag. Input must be Y or N.
    N  Integer. Input must be numeric.
    T  Time. Input must be in the time format specified in the column Restrictions.
    D  Date/Time. Input must be in the format specified in the column Restrictions. This format generally requires that the value be specified as a string consisting of the date or date/time.
    S  Selection from a list of predefined values.

Column title: Len

  Maximum number of characters in a character field. This field length only applies if the type (column T) is C. (Field length limitations for other data types are determined by information in columns L and Restrictions.)

Column title: Restrictions

  Validation restrictions such as numeric ranges or list of possible values. Underlined values (if any) are the default values.

The column titles for each type of entity differ slightly. Table 19 describes the meaning of the single-letter column titles used to indicate the type of function for which each Managed System-specific field is relevant. An X or M appearing in a column for a given field indicates that the field is relevant to that function.


Table 19  Description of columns for specific types of entities

Function type             Column title   Description
Account                   A              Add an account
                          U              Update an account
                          G              Get an account
                          D              Delete an account
                          R              Revoke/restore an account
                          P              Update password
Group                     A              Add group
                          U              Update group
                          G              Get group
                          D              Delete group
AccountGroup Connection   C              Connect account to group/role
                          U              Update account to group/role connection
                          G              Get account to group/role connection
                          D              Disconnect account from group/role
Resource                  A              Add resource
                          U              Update resource
                          G              Get resource
                          D              Delete resource
ACL/ACE                   C              Connect account to resource
                          U              Update account to resource connection
                          G              Get resource ACL
                          D              Disconnect account from resource
Managed System            S              Set Managed System parameters
                          G              Get Managed System parameters

Function tables for Linux


This section describes the following:

- Account functions
- Group functions
- Resource functions
- ACL/ACE functions
- Managed System parameter functions


Account functions

Table 20  Account functions for Linux

Field             T   Len   Restrictions
CREATE_HOME_DIR   F   1
DELETE_HOME_DIR   F   1
DESCRIPTION       C   512
EXPIRATION        D   8     DDMMYYYY
HOME              C   256   must begin with /
INACTIVE          N   10    0-2147483646
MATURITY          N   10    0-2147483646
PWD_ABS_EXPIRE    D   8     DDMMYYYY
PWD_LASTCHG       N   10    0-2147483646
PWD_WARN          N   10    0-2147483646
SHELL             C   256
UID               N   10    0-MAXINT
LAST_LOGIN        C   20

Group functions

Table 21  Group functions for Linux

Field   T   Len   Restrictions   A   D   U   G
GID     N   10    0-MAXINT       X       M

AccountGroup Connection functions


No Linux-specific fields exist for this function group.

Resource functions

Table 22  Resource functions for Linux

Field          T   Len   Restrictions
RES_ACCESSED   C   14    YYYYMMDDHHMMSS
RES_CREATED    C   14    YYYYMMDDHHMMSS
RES_GROUP      C   16    Managed System group
RES_MODIFIED   C   14    YYYYMMDDHHMMSS
RES_OWNER      C   8     Managed System user
RES_SIZE       N   12
RES_TYPE       C   256

In Update Resource (column U), at least one of RES_OWNER or RES_GROUP is mandatory.

ACL/ACE functions

Table 23  ACL/ACE functions for Linux

Field          T   Len
ACE_DEFAULT    F   1
EXEC_ACCESS    F   1
READ_ACCESS    F   1
WRITE_ACCESS   F   1

Managed System parameter functions

Table 24  Managed System parameter functions for Linux

Field         T   Len   Restrictions           S   G
MIN_WEEKS     N   5                            X   X
UA_BASE       C   256   Must begin with a /    X   X
UA_GROUP      C   12    Managed System group   X   X
UA_INACTIVE   N   5     >= 0                   X   X
WARN_WEEKS    N   5                            X   X


Appendix B

MSCS configuration parameters

This appendix presents the following topics:

Overview   103
  Description of parameters   104
  MSCS parameters   104

Overview

The configuration of the Services Manager can be modified in many ways to suit the requirements of the enterprise in which it is implemented. A set of parameters referred to as MSCS parameters contains most of the parameters that determine the configuration of the Services Manager for each Managed System.

MSCS parameters can be viewed or modified using the BMC Provisioning Services Manager Administration Console, described in the BMC Provisioning Services Manager Administrator Guide for Linux. This appendix describes those MSCS parameters that are used specifically to manage a Linux Managed System. Many of these parameters can be modified to suit user requirements. For a full description of other configuration parameters, see the BMC Provisioning Services Manager Administrator Guide for Linux.


Description of parameters

Table 25 on page 104 contains descriptions of MSCS parameters that are specific to Linux Managed Systems. The table contains the following columns:

- Parameter

  Name of the MSCS parameter. The presence of the symbol * in this column indicates that if the parameter is assigned an invalid value, the Services Manager automatically assigns the parameter the default value specified.

- Description

  Description of the parameter.

- Values

  Possible values or limitations, and coded value (if any).

NOTE
Many of the MSCS parameters in the tables are not automatically present in the Services Manager Administration Console after the Services Manager installation. If you wish to assign a value to a specific parameter, it may be necessary to add the parameter in the Console. The value labeled as Coded appearing in the Values column of the tables that follow indicates the value assigned if the parameter is not present in the Console or if the parameter is assigned an invalid value. To see the default value for parameters that are present in the Console, see the listing of the MSCSPARM file on page 111.

MSCS parameters

Table 25  MSCS parameters of the Provisioning Module for Linux

ADMIN_CASE_SENS*
  Description: Whether the Administrator name is case-sensitive.
  Values: Y, N. Default: Y

ADMIN_FILE_REQ*
  Description: Whether a password is required for the log in process for the Managed System administrator.
  Values: Y, N. Default: N

ADMIN_USER_REQ*
  Description: Whether a default administrator is used.
  Values: Y, N. Default: N

ALLOW_DUP_GID
  Description: Whether the Group ID (GID) must be unique.
  Values: N: The new GID must be unique. Y: A duplicate value is allowed. Default: N

ALLOW_DUP_UID
  Description: Whether the User ID (UID) must be unique.
  Values: N: The new UID must be unique. Y: A duplicate value is allowed. Default: N

ADMIN_UID_CHECK
  Description: Whether a user defined as a Managed System administrator requires root privileges (native UNIX only).
  Values: Y, N. Default: N

API_LIB_DIR
  Description: The name of the executable path of the API library.

ATTACH_DLL
  Description: Provisioning Module DLL. This parameter cannot be modified under UNIX.
  Values: cts_api_Linux.so

CMDLINE_TIMEOUT
  Description: Time (in seconds) the Provisioning Module waits for a Command Line Interface (for example, useradd) to process on the remote Managed System host before stopping the transaction and returning an error.
  Values: Default: 20

DEFAULT_ADMIN
  Description: Name of the Managed System Default administrator account, which is used for GET operations. Note: Applicable only when the value of the ADMIN_USER_REQ parameter is Y.

DEFAULT_CRYPT
  Description: Encryption method used in the Services Manager to encrypt Managed System user passwords. The format of this parameter is:

    MSName DEFAULT_CRYPT encryption

  where encryption is one of the following:

    2a - use Blowfish(2a) encryption
    md5 - use MD5 encryption
    des - use DES encryption (default value)

  If the DEFAULT_CRYPT parameter is not present in the MSCSPARM file, DES encryption will be used. Note: The encryption method configured in the Services Manager and on the native Linux system must be the same. In Linux, the password encryption method is configured in the following file:

    Red Hat Linux - /etc/pam.d/system-auth
    SuSE Linux - /etc/default/passwd

  Values: 2a - Blowfish(2a) encryption method; md5 - MD5 encryption method; des - DES encryption method

DELETE_HOME_DIR_NQA
  Description: Whether users can delete a home directory of which they are not the owner.
  Values: Y, N

DESCRIPTION
  Description: MSCS Description

ENABLE_FAILLOG_LOCK
  Description: An MSCS user who attempts to log in unsuccessfully a certain number of times is locked by the PAM authentication mechanism. This parameter determines whether the status of an MSCS user (locked or enabled) should be reported to ESS by the Standard Offline Interceptor or Global Sync operation. Note: This parameter should be manually added to the MSCSPARM file.
  Values: Y, N. Default: N

EXPECT_PASSPHRASE_COMM
  Description: A regular expression that represents the string returned by the remote Managed System host when a Provisioning Module process attempts to open a log in session. This string is used by the Provisioning Module platform to authenticate the remote Managed System host prior to sending the passphrase. Note: This parameter should only be modified at the request of Customer Support.
  Values: Passphrase for key .*$

EXPECT_PASSPHRASE_OPEN
  Description: A regular expression that represents the string returned by the remote Managed System host when a Provisioning Module process attempts to open a log in session. This string is used by the Provisioning Module platform to authenticate the remote Managed System host prior to sending the passphrase. Note: This parameter should only be modified at the request of Customer Support.
  Values: Enter Passphrase for key .*$

EXPECT_PASSPHRASE_TEC
  Description: CLI prompt displayed when a command is executed via the SSH client (for Tectia SSH).
  Values: Passphrase for the private key: .*$

EXPECT_PASSWD_FIRST
  Description: A regular expression that represents the string returned by the remote Managed System host when a user password is modified on the Provisioning Module platform (the passwd command is run). Note: This parameter should only be modified at the request of Customer Support.
  Values: Default: New UNIX [pP]assword:.*
    Default values: For Red Hat Enterprise Linux 5: New UNIX [pP]assword:.*  For SUSE Linux Enterprise Server version 10: New [pP]assword:.*

EXPECT_PASSWD_SECOND
  Description: A regular expression that represents the string returned by the remote Managed System host when a user password is modified on the Provisioning Module platform (the passwd command is run) and a verification is requested. Note: This parameter should only be modified at the request of Customer Support.
  Values: Default: Retype new UNIX [pP]assword.*:.*
    Default values: For Red Hat Enterprise Linux 5: Re-type new UNIX [pP]assword.*:.*  For SUSE Linux Enterprise Server version 10: Reenter New [pP]assword:

EXPECT_LOG_USER
  Description: Whether log statements are required for the expect library.
  Values: N

EXPECT_DEBUG
  Description: Whether debug statements are required for the expect library.
  Values: N

HAVE_PRE_POST_SCRIPT
  Description: Whether any Pre-scripts or Post-scripts modify the security data of remotely managed Linux computers. Note: Setting this parameter to Y imposes an additional load on the system.
  Values: Y, N. Default: N

IS_REMOTE_RSS
  Description: Whether the Managed System is a local Managed System or a remote Managed System.
  Values: Y: Remote Managed System. N: Local Managed System. Default: N

LONG_CMDLINE_TIMEOUT
  Description: Time the Provisioning Module waits for long commands to complete processing on the remote Managed System host before stopping the transaction and returning an error (for future use).

MS_WORK_DIR
  Description: Directory where the Standard Offline Interceptor database is located.

MS_TYPE
  Description: Type of Managed System.

OFLI_INTERCEPT*
  Description: Whether the Standard Offline Interceptor is started automatically by the Notification Server.
  Values: Y: The Standard Offline Interceptor is started periodically by the Notification server. N: The Standard Offline Interceptor is not started by the Notification server. You must provide another means of scheduling the Standard Offline Interceptor. Default: Y

OFLI_INTERVAL*
  Description: Minimum interval between consecutive activations of the Standard Offline Interceptor.
  Values: Format hhmmss. Default: 010000

ONLI_SEMAPHORE
  Description: Name of the lock obtained during Standard Online Interceptor operation. Applicable only for Managed Systems that support the Standard Online Interceptor.

OFLI_TMP_DIR
  Description: The name of the temporary directory of the Standard Offline Interceptor files. A separate directory is used for each Managed System. Mandatory if the Standard Offline Interceptor is used.

OFLI_SEMAPHORE

PASS_PASSWORD*
  Description: Whether the password is passed to Pre-scripts or Post-scripts in update password transactions.
  Values: Y, N. Default: N

PAM_LOGIN_ACCESS_FILE
  Description: Full path of the PAM configuration file that states the maximum failed login attempts allowed for any user. This file is accessed by PAM while monitoring the Revoke/Restore status of an MSCS user, for tracking multiple unsuccessful login failures. Note: Only applicable if ENABLE_FAILLOG_LOCK is set to Y. Note: This parameter should be manually added to the MSCSPARM file.
  Values: Default: /etc/pam.d/login

REMOTE_HOST_NAME
  Description: IP address or host name of the remote Managed System host managed by the Provisioning Module.

SCRIPT_DIR
  Description: Directory name for customer scripts.

SCP_TIMEOUT
  Description: Time (in seconds) the Services Manager waits for the scp (secure copy) command to complete processing on the remotely managed Linux computer before stopping the transaction and returning an error.
  Values: Default: 90

SCRIPTS_TMP_DIR
  Description: Directory where temporary scripts are created.

SM_ROOT_DIR
  Description: Root directory where the Services Manager has been installed.

SSH_CONNECTION_TIMEOUT
  Description: Time (in seconds) the Services Manager waits for a connection to the remote Managed System host before stopping the transaction and returning an error.
  Values: Default: 30

SSH_PORT
  Description: The port used by the SSH server on the remotely managed Linux computer.
  Values: Default: 22

SSH_REMOTE_USER
  Description: This parameter determines how the Services Manager logs in to a remote Managed System computer to perform remote provisioning. By default, the Services Manager uses the root user for remote provisioning. You can use this parameter to configure the Services Manager to use a non-root or root-like user for remote provisioning. This user is created using the procedure Creating a root-like user on page 38.
  Values: Default: root

SUPPORT_LONG_GNAME
  Description: Whether to support long group names.
  Values: Y: Support group names up to 31 characters long. N: Support group names up to 16 characters long. Default: N

SUPPORT_LONG_UNAME
  Description: Whether to support long user names.
  Values: Y: Support user names up to 31 characters long. N: Support user names up to 8 characters long. Default: N

SUPPORT_LAST_LOGIN
  Description: Whether the last log in time for an Account is displayed in the ESS Console. If this parameter is not present in the MSCSPARM file, the default value of N is used.
  Values: Y: The last log in time for an Account is displayed in the ESS Console. N: The last log in time for an Account is not displayed in the ESS Console.

SYNC_SEMAPHORE
  Description: Name of the lock obtained while the Standard Offline Interceptor or Global Sync is running (in order to avoid concurrent execution).

TECSSH_CON_MSG
  Description: Command Line Interface message displayed when the Provisioning Module executes the Tectia client (SSH), in case of auto authentication.

TECSCP_CON_MSG
  Description: Command Line Interface message displayed when the Provisioning Module executes the Tectia client (SCP), in case of auto authentication.

UPDATED_ON
  Description: Date of the last MSCS update.

Listing of the MSCSPARM file

Parameter values listed in Figure 5 below are either the default values assigned during product installation or are based on typical user responses provided when running the Managed System Configuration program.

Figure 5  Listing of the MSCSPARM file

loc_lnx1 MS_TYPE Linux
loc_lnx1 ATTACH_DLL cts_api_Linux.so
loc_lnx1 DESCRIPTION
loc_lnx1 DELETE_HOME_DIR_NQA N
loc_lnx1 SUPPORT_LONG_GNAME N
loc_lnx1 SUPPORT_LONG_UNAME N
loc_lnx1 ALLOW_DUP_GID N
loc_lnx1 IS_REMOTE_RSS N
loc_lnx1 REMOTE_HOST_NAME
loc_lnx1 HAVE_PRE_POST_SCRIPT N
loc_lnx1 SSH_PORT 22
loc_lnx1 SSH_REMOTE_USER root
loc_lnx1 SSH_CONNECTION_TIMEOUT 30
loc_lnx1 SCP_TIMEOUT 90
loc_lnx1 CMDLINE_TIMEOUT 20
loc_lnx1 LONG_CMDLINE_TIMEOUT 600
loc_lnx1 EXPECT_PASSPHRASE_COMM Passphrase for key .*$
loc_lnx1 EXPECT_PASSPHRASE_OPEN Enter passphrase for key .*$
loc_lnx1 EXPECT_PASSPHRASE_TEC Passphrase for the private key: .*$
loc_lnx1 TECSSH_CON_MSG Authentication successful..*$
loc_lnx1 TECSCP_CON_MSG TOC: 00:00:00.*$
loc_lnx1 EXPECT_PASSWD_FIRST New [pP]assword:.*
loc_lnx1 EXPECT_PASSWD_SECOND new [pP]assword.*:.*
loc_lnx1 EXPECT_LOG_USER N
loc_lnx1 EXPECT_DEBUG N
loc_lnx1 OFLI_INTERCEPT Y
loc_lnx1 PASS_PASSWORD N
loc_lnx1 OFLI_INTERVAL 010000
loc_lnx1 ADMIN_FILE_REQ Y
loc_lnx1 ADMIN_USER_REQ Y
loc_lnx1 ADMIN_CASE_SENS Y
loc_lnx1 ADMIN_UID_CHECK N
loc_lnx1 DEFAULT_ADMIN tstpm4
loc_lnx1 API_LIB_DIR /local/home/tstpm4/bmc/idm/ServicesManager/PM/Linux/bin
loc_lnx1 MS_WORK_DIR /local/home/tstpm4/bmc/idm/ServicesManager/PM/Linux/work/loc_lnx1
loc_lnx1 SCRIPT_DIR /local/home/tstpm4/bmc/idm/ServicesManager/PM/Linux/scripts/loc_lnx1
loc_lnx1 SCRIPTS_TMP_DIR /local/home/tstpm4/bmc/idm/ServicesManager/PM/Linux/DATA/loc_lnx1/tmp
loc_lnx1 SM_ROOT_DIR /local/home/tstpm4/bmc/idm/ServicesManager
loc_lnx1 SYNC_SEMAPHORE Linux#loc_lnx1#SYNC_SEMAPHORE
loc_lnx1 OFLI_SEMAPHORE Linux#loc_lnx1#OFLI_SEMAPHORE
loc_lnx1 ONLI_SEMAPHORE Linux#loc_lnx1#ONLI_SEMAPHORE
loc_lnx1 UPDATED_ON
loc_lnx1 DEFAULT_CRYPT md5
loc_lnx1 OFLI_TMP_DIR /local/home/tstpm4/bmc/idm/ServicesManager/PM/Linux/DATA/loc_lnx1


Appendix C

Verifying the Password Interceptor installation

If you have installed the password interception support, the system files /etc/services and /etc/xinetd.conf are updated and lines are added to them. This section describes how to confirm that these system files have been updated correctly.

1. The files inetdcl and libpam_bmc.so.1 must be copied to the relevant configurable system directories (the Password Interceptor installer prompts for this input).

2. The shared library libpam_bmc.so.1 must be copied to the /lib/security directory by default (if not specified at the time of Password Interceptor installation).

3. The executable file inetdcl must be copied to the /usr/sbin directory by default (if not specified at the time of Password Interceptor installation).

4. The system files /etc/pam.d/system-auth (for Red Hat Linux), /etc/pam.d/passwd (for SUSE Linux), /etc/services and /etc/xinetd.conf must be updated and the Password Interceptor entry must be added (if not specified at the time of Password Interceptor installation).

5. The system file /etc/pam.d/system-auth (for Red Hat Linux) or /etc/pam.d/passwd (for SUSE Linux) is updated and lines should be added to it (one for each PAM service). If the system service password is not present in the file, the corresponding Password Interceptor entry should not be added and password interception for that password service will not be active.


The system services are:

System service   Description
auth             Authenticate a user and set up user credentials.
account          Provide account verification types of service (for example, has the user's password expired?).
password         Update authentication mechanisms (for example, standard UNIX password-based access).
session          This group of tasks covers things that should be done prior to a service being given and after it is withdrawn (for example, maintenance of audit trails and the mounting of the user's home directory).

A system service entry appears as follows:


service_name [required/sufficient] system_library_name arguments

For example, the password entry is as follows:


password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow

If the system service entry is missing, it can be added manually to the /etc/pam.d/system-auth (for Red Hat Linux) or /etc/pam.d/passwd (for SUSE Linux) file; the corresponding Password Interceptor entry should be added after the system service entry. The Password Interceptor entry appears as follows:

  password required bmc_pam_lib_path_name

For example:

  password required /lib/security/libpam_bmc.so.1

6. The system file /etc/services must include a new entry that serves the Password Interceptor mechanism. A system service entry appears as follows:

  service_name service_port/tcp


where:

  service_name   Name of the service, which needs to be used in the /etc/xinetd.conf file.
  service_port   TCP service port number.

For example:

  # TCP/IP ports used by SA-Agent. Added by ho4user2-pwi -Line 02
  # 11/03/02 at 13:48:21. Added by ho4user2-pwi -Line 02
  newd_pwi 7790/tcp # Added by ho4user2-pwi -Line 03

where 7790 is the requested service port number.

7. The system file /etc/xinetd.conf must include a new entry that enables the Password Interceptor mechanism. A system service entry appears as follows:

  service newd_pwi
  {
      socket_type = stream
      protocol    = tcp
      wait        = yes/no
      user        = owner_of_inetd_client
      server      = inetd_client_path_name
      server_args = arguments_required_by_inetd_client
      env         = env_setting
      instances   = UNLIMITED
  }

where:

  owner_of_inetd_client                Determines the uid for the server process. The user name must exist in /etc/passwd.
  inetd_client_path_name               Determines the program to execute for this service.
  arguments_required_by_inetd_client   Determines the arguments passed to the server.
  env_setting                          These strings will be added to the environment before starting a server.


For example:

  #pm_pwi_start Don't remove, used for installation and uninstallation purposes
  # PM Modules (newd_pwi)
  service newd_pwi
  {
      socket_type = stream
      protocol    = tcp
      wait        = no
      user        = root
      server      = /usr/sbin/inetdcl
      server_args = /local/home/linsp4/control-sa/ Linux lnx_mscs
      env         = SM_INSTALL_DIR=/local/home/linsp4/control-sa/
      instances   = UNLIMITED
  }
  #pm_pwi_end Don't remove, used for installation and uninstallation purposes

where newd_pwi is the service name exactly as used in the /etc/services file.
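A check for step 5 of the procedure above, as an added example that is not part of the BMC installer: it parses a PAM service file and reports whether the libpam_bmc.so.1 entry is present, uses the required control flag, and follows the system password entry (pam_unix.so), and it flags an interceptor entry that was added although no system password entry exists. The result codes, function names and sample file contents are constructed for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not part of the BMC guide: verifies a PAM service file such as
 * /etc/pam.d/system-auth (Red Hat) or /etc/pam.d/passwd (SUSE) against the rules in
 * the appendix: the Password Interceptor line "password required .../libpam_bmc.so.1"
 * must exist and must follow the system "password" entry (pam_unix.so). */
enum pwi_check {
    PWI_OK = 0,                 /* system entry, interceptor entry, right order, "required" */
    PWI_NO_SYSTEM_ENTRY,        /* no "password ... pam_unix.so": interception not active */
    PWI_NO_INTERCEPTOR,         /* system entry present but libpam_bmc.so.1 line missing */
    PWI_WRONG_ORDER,            /* interceptor line appears before the system entry */
    PWI_WRONG_CONTROL,          /* interceptor line present but control flag not "required" */
    PWI_UNEXPECTED_INTERCEPTOR  /* interceptor present although no system entry exists */
};

struct pam_entry { char type[32]; char control[128]; char module[256]; };

/* Parse one "type control module [args]" line; bracketed controls such as
 * "[success=1 default=ignore]" are kept whole. Returns 0 for blank/comment lines. */
static int parse_pam_line(const char *line, struct pam_entry *e) {
    char buf[512], *save, *tok;
    snprintf(buf, sizeof buf, "%s", line);
    tok = strtok_r(buf, " \t\r\n", &save);
    if (!tok || tok[0] == '#') return 0;
    snprintf(e->type, sizeof e->type, "%s", tok);
    tok = strtok_r(NULL, " \t\r\n", &save);
    if (!tok) return 0;
    snprintf(e->control, sizeof e->control, "%s", tok);
    if (tok[0] == '[') {                          /* consume up to the closing bracket */
        while (tok[strlen(tok) - 1] != ']') {
            tok = strtok_r(NULL, " \t\r\n", &save);
            if (!tok) return 0;
            strncat(e->control, " ", sizeof e->control - strlen(e->control) - 1);
            strncat(e->control, tok, sizeof e->control - strlen(e->control) - 1);
        }
    }
    tok = strtok_r(NULL, " \t\r\n", &save);
    if (!tok) return 0;
    snprintf(e->module, sizeof e->module, "%s", tok);
    return 1;
}

static const char *basename_of(const char *path) {
    const char *s = strrchr(path, '/');
    return s ? s + 1 : path;
}

/* Run the check over the text of a PAM service file (one entry per line). */
enum pwi_check check_pam_text(const char *text) {
    int lineno = 0, sys_line = -1, pwi_line = -1, pwi_required = 0;
    const char *p = text;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[512];
        struct pam_entry e;
        if (len > sizeof line - 1) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        lineno++;
        if (parse_pam_line(line, &e) && strcmp(e.type, "password") == 0) {
            const char *mod = basename_of(e.module);
            if (sys_line < 0 && strcmp(mod, "pam_unix.so") == 0) sys_line = lineno;
            if (strcmp(mod, "libpam_bmc.so.1") == 0) {
                pwi_line = lineno;
                pwi_required = strcmp(e.control, "required") == 0;
            }
        }
        if (!nl) break;
        p = nl + 1;
    }
    if (sys_line < 0) return pwi_line < 0 ? PWI_NO_SYSTEM_ENTRY : PWI_UNEXPECTED_INTERCEPTOR;
    if (pwi_line < 0) return PWI_NO_INTERCEPTOR;
    if (pwi_line < sys_line) return PWI_WRONG_ORDER;
    if (!pwi_required) return PWI_WRONG_CONTROL;
    return PWI_OK;
}

/* Read a real service file (for example "/etc/pam.d/system-auth") and check it.
 * Returns an enum pwi_check value, or -1 if the file cannot be read. */
int check_pam_file(const char *path) {
    char text[16384];
    size_t n;
    FILE *fp = fopen(path, "r");
    if (!fp) return -1;
    n = fread(text, 1, sizeof text - 1, fp);
    fclose(fp);
    text[n] = '\0';
    return (int)check_pam_text(text);
}

/* Constructed samples (not copied from any system) exercising the cases above. */
const char *PAM_GOOD =
    "#%PAM-1.0\n"
    "auth     required  pam_env.so\n"
    "password requisite pam_cracklib.so try_first_pass retry=3\n"
    "password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow\n"
    "password required  /lib/security/libpam_bmc.so.1\n"
    "session  required  pam_unix.so\n";
const char *PAM_WRONG_ORDER =
    "password required  /lib/security/libpam_bmc.so.1\n"
    "password sufficient pam_unix.so md5 shadow\n";
const char *PAM_NO_INTERCEPTOR =
    "password [success=1 default=ignore] pam_unix.so obscure sha512\n"
    "password requisite pam_deny.so\n";
```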


Appendix D

Uninstalling Password Interceptor

The Password Interceptor can be uninstalled using the following procedures:

- Interactive uninstallation
- Silent uninstallation

Interactive uninstallation

To perform the interactive uninstallation for the Password Interceptor

1 Log in to the Services Manager computer as user root.

2 Enter the following commands to create a temporary directory to which you will copy the Password Interceptor files:

mkdir /tmp/DRLIS.5.0.00
chmod 777 /tmp/DRLIS.5.0.00

3 Copy the files uninstall_pwi.sh and INSTALL_CLIENT.Linux.TAR from the BMC Software FTP site or from the installation CD to the directory /tmp/DRLIS.5.0.00. These files can be found in subdirectory Install on the product CD.

4 Type the following command to go to the Services Manager home directory:

cd $SM_INSTALL_DIR

5 Give executable permissions to /tmp/DRLIS.5.0.00/uninstall_pwi.sh using the following command:

chmod 755 /tmp/DRLIS.5.0.00/uninstall_pwi.sh


6 Enter the following command:

/tmp/DRLIS.5.0.00/uninstall_pwi.sh

7 At this point, stop and restart Services Manager to completely uninstall Password Interceptor.

Silent uninstallation

To perform the silent uninstallation for the Password Interceptor

1 Log in to the Services Manager computer as user root.

2 Enter the following commands to create a temporary directory to which you will copy the Password Interceptor files:

mkdir /tmp/DRLIS.5.0.00
chmod 777 /tmp/DRLIS.5.0.00

3 Copy the files uninstall_pwi.sh and INSTALL_CLIENT.Linux.TAR from the BMC Software FTP site or from the installation CD to the directory /tmp/DRLIS.5.0.00. These files can be found in subdirectory Install on the product CD.

4 Type the following command to go to the Services Manager home directory:

cd $SM_INSTALL_DIR

5 Give executable permissions to /tmp/DRLIS.5.0.00/uninstall_pwi.sh using the following command:

chmod 755 /tmp/DRLIS.5.0.00/uninstall_pwi.sh

6 Enter the following command:

/tmp/DRLIS.5.0.00/uninstall_pwi.sh -i silent -t smPath

where smPath is the directory where the Services Manager is installed.

7 At this point, stop and restart Services Manager to completely uninstall Password Interceptor.


Appendix E

Parameter coordination with Enterprise SecurityStation

For the Services Manager to communicate successfully with Enterprise SecurityStation, the Provisioning Module installation/environmental parameters listed in Table 26 must be coordinated with the parameters specified in the Enterprise SecurityStation Console.

Table 26  Summary of required parameter coordination

ESS Console parameter   ESS Console window                  Services Manager computer installation/environmental parameter
Managed System Name     Managed System Properties window    Managed System Name
TCP/IP Host             Platform Properties window          Host Name or Host IP Address
TCP/IP Port Number      Platform Properties window          TCP/IP Port Number
Encryption              Platform Properties window          Transmitted Data Encryption


Appendix F

Migrating from CONTROL-SA/Agent

This chapter presents the following topics:

Overview . . . . . . . . . . . . . . . . . . . . . 121
Migration procedure . . . . . . . . . . . . . 121
Interactive migration . . . . . . . . . . . 122
Automated migration . . . . . . . . . . . . 122

Overview
This appendix describes the procedure for migrating from CONTROL-SA/Agent to BMC Provisioning Services Manager and BMC Provisioning Module. This release of BMC Provisioning Module for Linux does not provide a procedure for upgrading an earlier version of CONTROL-SA/Agent for Linux. However, you can migrate from CONTROL-SA/Agent for Linux version 3.1.02 to BMC Provisioning Module for Linux version 5.0.00.

Migration procedure
The following methods can be used to migrate from CONTROL-SA/Agent to BMC Provisioning Services Manager and BMC Provisioning Module:

- Interactive migration
- Automated migration


Interactive migration
1 To migrate to the Services Manager and the Provisioning Module, perform the migration procedure given in the appendix, Migrating from CONTROL-SA/Agent, in the BMC Provisioning Services Manager Installation Guide for Linux.

2 To complete the migration for the Provisioning Module, stop all the transactions and run the Offline Interceptor in Initial mode.

Automated migration
An automated migration procedure is now available to migrate an existing CONTROL-SA/Agent to BMC Provisioning Services Manager and BMC Provisioning Module. For more information, see the "Automated migration procedures" section in the BMC Provisioning Services Manager Installation Guide for Linux.


Index

A
ADMIN 69
ADMIN_FILE_REQ parameter 69
Administrator file, storing the passphrase in 65
authentication method required by Services Manager 38

B
BMC Software, contacting 2

C
configuration 103
configuring SSH
    automatic procedure 42
    pre-configuration checks 37
    pre-configuration checks on the remote host 39
configuring SSH Secure Shell, overview 35
CONTROL 12
CONTROL-SA/Agent, old and new terminology 12
conventions, documentation 13
CTSPARM parameters, old and new parameters 12
customer support 3

D
DSK key pair, generating 53

F
functions of Provisioning Module 73

H
host key, described 57

I
implementation overview 23
implementation procedures 24
IS_REMOTE_RSS parameter 28

L
Linux hardware/software requirements 21
Local Managed System
    advantages and disadvantages 16
    described 16
login sessions, Services Manager SSH connections 37

M
Managed System, old and new terminology 12
Managed System administrators, about 22
Managed System Configuration Set, old and new terminology 12
Managing remote Managed System host, pre-install requirements 20
man-in-the-middle attack, protecting against 45
Minimum Password Length parameter, described 94
MSCS, old and new terminology 12
MSCS Configuration procedure, described 27
MSCS parameters
    Managed System-specific parameters 103
    old and new terminology 12
MSCSAPI file, old and new terminology 12

P
passphrase, defining 53
Password interception, support for remote Managed Systems 20
Password Interceptor Client, installation 30
Password Interceptor Messages, managing 69
Password length, how calculated 94
product support 3
Provisioning Module
    deployment 15
    function list 73
    old and new terminology 12

R
Remote Managed System
    advantages and disadvantages 16
    described 16
    PassPhraseADM administrator 22
remote Managed System host, described 16
RSS, old and new terminology 12
RSSAPI file, old and new terminology 12
RSSPARM parameters, old and new terminology 12

S
SA-Agent platform, old and new terminology 12
Secure 35
Services Manager computer, old and new terminology 12
Services Manager public key, defining 59
Services Manager SSH connections, login sessions 37
SSH authentication, described 36
SSH Communication, testing 50
SSH configuration, configuring more than one remote host 51, 66
SSH Secure Shell configuration, creating an identification file 55
SSH Secure Shell manual configuration 52
    configuring the remote host 59
    retrieving the remote host public key 57
    setting up SSH configuration files 56
    updating the Administrator file 65
ssh-keygen command 53
ssh-keygen2 command 53
support, customer 3
syntax statement conventions 14
system logger, password interceptor messages 69

T
technical support 3
The 71

U
Unattended administrator 23
USA-API, old and new terminology 12