BMC Provisioning Module for Linux

Supporting BMC Provisioning Module version 5.0.00 for Linux

November 2008

www.bmc.com
Copyright 2008 BMC Software, Inc. BMC, BMC Software, and the BMC Software logo are the exclusive properties of BMC Software, Inc., are registered with the U.S. Patent and Trademark Office, and may be registered or pending registration in other countries. All other BMC trademarks, service marks, and logos may be registered or pending registration in the U.S. or in other countries. All other trademarks or registered trademarks are the property of their respective owners. Linux is the registered trademark of Linus Torvalds in the U.S. and other countries. UNIX is the registered trademark of The Open Group in the US and other countries. BMC Software considers information included in this documentation to be proprietary and confidential. Your use of this information is subject to the terms and conditions of the applicable End User License Agreement for the product and the proprietary and restricted rights notices included in this documentation.
Customer support

You can obtain technical support by using the BMC Software Customer Support website or by contacting Customer Support by telephone or e-mail. To expedite your inquiry, see Before contacting BMC.

Support website

You can obtain technical support from BMC 24 hours a day, 7 days a week at http://www.bmc.com/support_home. From this website, you can:
- read overviews about support services and programs that BMC offers
- find the most current information about BMC products
- search a database for issues similar to yours and possible solutions
- order or download product documentation
- download products and maintenance
- report an issue or ask a question
- subscribe to receive proactive e-mail alerts when new product notices are released
- find worldwide BMC support center locations and contact information, including e-mail addresses, fax numbers, and telephone numbers

Before contacting BMC

Have the following information available:
- product information: product name; product version (release number); license number and password (trial or permanent)
- operating system and environment information: machine type; operating system type, version, and service pack or other maintenance level such as PUT or PTF; system hardware configuration; serial numbers; related software (database, application, and communication) including type, version, and service pack or maintenance level
- sequence of events leading to the issue: commands and options that you used; messages received (and the time and date that you received them); product error messages; messages from the operating system, such as file system full; messages from related software

If you have questions about product passwords:
- (USA or Canada) Contact the Order Services Password Team at 800 841 2031, or send an e-mail message to ContractsPasswordAdministration@bmc.com.
- (Europe, the Middle East, and Africa) Fax your questions to EMEA Contracts Administration at +31 20 354 8702, or send an e-mail message to password@bmc.com.
- (Asia-Pacific) Contact your BMC sales representative or your local BMC office.
Contents

About this book  11
  New Identity Management terminology  11
  Related documentation  13
  Conventions  13
  Syntax statements  14
Chapter 1  Overview  15
  Introduction  15
  Provisioning Module deployment for Linux  15
    Local versus remote Managed System  16
    Password interception facility  17
Chapter 2  Installation  19
  Before installing  20
    Hardware/software requirements  20
    Checking for Suid-enabled file system  21
    Defining Provisioning Module administrators  22
  Implementation overview  23
  Implementation procedures  24
    1 Install BMC Provisioning Services Manager  24
    2 Add Provisioning Module for Linux  25
    3 (Only for Local Managed System) Modify Services Manager file permissions  26
    4 Configure MSCS parameters  27
    5 (Only for a remote Managed System) Configure SSH Secure Shell  29
    6 Import the Managed System Type definition into Enterprise SecurityStation  30
    7 Set up Managed System administrator Accounts  30
    8 (Only for local Managed System) (Optional) Password Interceptor Client  30
Chapter 3  Configuring SSH Secure Shell  35
  Overview  35
    Authentication  36
  Software requirements  37
  Services Manager SSH connections  37
  Before configuring SSH  37
    Creating a root-like user  38
  Automated configuration  39
    Pre-configuration checks on the remote host  39
    Automatic configuration procedure  42
    After configuring SSH  47
    Verifying SSH communication  50
    Managing more than one remote Managed System host  51
  Manual configuration of SSH Secure Shell  52
    1 Services Manager computer configuration  52
    2 Remote Managed System host configuration  59
    3 Verifying SSH communication  65
    4 Updating the Administrator file  65
    5 Managing more than one remote Managed System host  66
Chapter 4  Maintenance  67
  Changing the Managed System administrator security level  67
  Managing Password Interceptor messages  69
Chapter 5  Provisioning Module implementation for Linux  71
  Provisioning Module and Linux interaction  72
  Provisioning Module function list  73
  Account functions  74
    Account data translation tables  74
    Account Provisioning Module function descriptions  76
  Group functions  80
    Group data translation tables  80
    Group Provisioning Module function descriptions  81
  AccountGroup connection operations  83
    Connection Provisioning Module function descriptions  84
  Resource functions  86
    Resource Provisioning Module function descriptions  88
  Resource ACL functions  90
    Resource ACL data translation tables  90
    Resource ACL Provisioning Module function descriptions  91
  Managed System functions  93
    Managed System data translation tables  93
    Managed System Provisioning Module function descriptions  94
Appendix A  Managed System specific fields  97
  Description of table column titles  97
  Function tables for Linux  99
    Account functions  100
    Group functions  100
    AccountGroup Connection functions  100
    Resource functions  100
    ACL/ACE functions  101
    Managed System parameter functions  101
Appendix B  MSCS configuration parameters
  Overview
    Description of parameters
    MSCS parameters
  Listing of the MSCSPARM file
Appendix C  Verifying the Password Interceptor installation
Appendix D  Uninstalling Password Interceptor
  Interactive uninstallation  117
  Silent uninstallation  118
Appendix E  Parameter coordination with Enterprise SecurityStation  119
Appendix F  Migrating from CONTROL-SA/Agent  121

Tables

  New terminology for Services Manager  12
  New terminology for Enterprise SecurityStation  12
  Linux system requirements  21
  MSCS parameters for Linux  27
  Installation parameters for Password Interceptor  32
  Provisioning Module function list  73
  Standard Account fields in Enterprise SecurityStation  74
  Linux-specific Account fields  75
  Standard Group fields in Enterprise SecurityStation  80
  Linux-specific Group fields  80
  Standard connection fields in Enterprise SecurityStation  83
  Standard Resource fields in Enterprise SecurityStation  86
  Linux-specific Resource fields  86
  Standard Resource ACL fields in Enterprise SecurityStation  90
  Linux-specific Resource ACL fields  90
  Standard Managed System fields  93
  Managed System-specific fields  94
  Description of columns in Managed System-specific field tables  98
  Description of columns for specific types of entities  99
  Account functions for Linux  100
  Group functions for Linux  100
  Resource functions for Linux  100
  ACL/ACE functions for Linux  101
  Managed System parameter functions for Linux  101
  MSCS parameters of the Provisioning Module for Linux  104
  Summary of required parameter coordination  119
About this book

NOTE
This book assumes that you are familiar with your host operating system.
NOTE
Online books are formatted as Portable Document Format (PDF) or HTML files. To view, print, or copy PDF books, use the free Adobe Reader from Adobe Systems. If your product installation does not install the reader, you can obtain the reader at http://www.adobe.com.
This book should be used together with the BMC Provisioning Services Manager Administrator Guide to install, configure, and maintain the BMC Provisioning Services Manager product.
New Identity Management terminology

Table 1  New terminology for Services Manager

New term: Managed System

New term: Managed System Configuration Set (MSCS). This is the set of information used by a Provisioning Module for handling a specific Managed System. The MSCS includes, for example, the parameter containing the Default administrator name.

New term: BMC Provisioning Module, Provisioning Module. Note: Within the context of the Services Manager documentation set, the term Provisioning Module is used to represent any type of Module for Identity Management (for example: Password Module, Audit Module) developed by BMC, by the site or by an external vendor.

Legacy term -> New term:
  Offline Interceptor -> Standard Offline Interceptor
  CTSPARM parameters -> SM parameter
  RSSAPI file -> MSCSAPI file
  RSSPARM parameters -> MSCS parameters
  SA-Agent platform -> Services Manager computer

Table 2  New terminology for Enterprise SecurityStation

Legacy terminology: Enterprise User; User Group; Job Code; RSS User; RSS; RSS Administrator; RSS Type
Related documentation
The following related publications supplement this book:
Core Documents:
- BMC Provisioning Services Manager for Linux Installation Guide: Provides detailed information about the installation of BMC Provisioning Module on the Linux platform.
- BMC Provisioning Services Manager and BMC Provisioning Module Messages Manual: Provides a comprehensive listing and explanation of all messages issued by these products.

Enterprise SecurityStation documents:
- Enterprise SecurityStation Administration Guide: Provides details for various customization and maintenance procedures for the Enterprise SecurityStation installation and database. Standalone utilities are also described. This book is designed for the Enterprise SecurityStation workstation administrator and outlines administrator responsibilities.
- Enterprise SecurityStation Console Administration Guide: Describes administrative functions performed using the ESS Console. This includes setting up Platform and Managed System objects, defining ESS administrators, performing download operations, and configuring fields (keywords) in entity records.
- Describes how to perform security administration tasks using the ESS Console.
- Describes Enterprise SecurityStation concepts, features, facilities, and operating instructions in detail. It may be used as a learning guide as well as a reference guide.
Conventions

This book uses the following special conventions:
- All syntax, operating system terms, and literal examples are presented in this typeface. Variable text in path names, system messages, or syntax is displayed in italic text:
  testsys/instance/fileName
- The symbol => connects items in a menu sequence. For example, Actions => Create Test instructs you to choose the Create Test command from the Actions menu.
Syntax statements
The following example shows a sample syntax statement:

COMMAND KEYWORD1 [KEYWORD2 | KEYWORD3] KEYWORD4={YES | NO} fileName...

The following table explains conventions for syntax statements and provides examples:

Item: Items in italic type represent variables that you must replace with a name or value. If a variable is represented by two or more words, initial capitals distinguish the second and subsequent words.
Example: alias databaseDirectory serverHostName

Item: Brackets indicate a group of optional items. Do not type the brackets when you enter the option.
Example: [tableName, columnName, field]

Item: A comma means that you can choose one or more of the listed options. You must use a comma to separate the options if you choose more than one option.
Example: [-full, -incremental, -level] (UNIX)

Item: Braces indicate that at least one of the enclosed items is required. Do not type the braces when you enter the item.
Examples: {DBDName | tableName}
          UNLOAD device={disk | tape, fileName | deviceName}
          {-a | -c} (UNIX)

Item: A vertical bar means that you can choose only one of the listed items. In the example, you would choose either commit or cancel.

Item: An ellipsis indicates that you can repeat the previous item or items as many times as necessary.
Chapter 1  Overview

This chapter presents the following topics:
  Introduction  15
  Provisioning Module deployment for Linux  15
    Local versus remote Managed System  16
    Password interception facility  17
Introduction
Welcome to BMC Provisioning Module for Linux, the Managed System-specific component of BMC Provisioning Services Manager. BMC Provisioning Services Manager is the client/server solution from BMC Software that enables you to manage security systems distributed across multiple incompatible platforms. This guide describes concepts and tools required by the administrator for setting up and administering BMC Provisioning Module for Linux.
Local versus remote Managed System

Local Managed System: This is the operating system on the Services Manager computer. A given instance of the Provisioning Module can handle a single local Managed System.

Remote Managed System: This is the operating system on a remote platform (referred to as a remote Managed System host). A given instance of the Provisioning Module can handle any number of remote Managed Systems.

Considerations for a local Managed System:
- Since data is managed locally, Provisioning Module operations do not require network traffic with a remote Managed System host.
- Password interception and Resource/Resource ACL management are supported.
- The Services Manager and Provisioning Module are installed and maintained separately on each Managed System.

Considerations for a remote Managed System:
- Reduced implementation and maintenance effort: only a single installation of BMC Provisioning Services Manager and the Provisioning Module is required.
- Support for specific configuration restrictions such as hosting facilities.
- If communication between the Services Manager computer and the remote host fails, the Services Manager cannot handle the remote Managed System because the network communication is down.
- For remote Managed Systems, password interception and management of resources or resource ACLs are not supported.
- Linux CLI restrictions apply for specific functionality. For more information, see Chapter 5, Provisioning Module implementation for Linux.
Password interception facility

NOTE
Password interception is not invoked when:
- The system administrator changes an Account password on the Services Manager computer.
- The password is changed for the root Account.

NOTE
Password interception is not available when managing a remote Managed System host.
Chapter 2  Installation

This chapter describes how to install and configure the BMC Provisioning Module product for the Linux operating system. The following topics are discussed:
  Before installing  20
    Hardware/software requirements  20
    Checking for Suid-enabled file system  21
    Defining Provisioning Module administrators  22
  Implementation overview  23
  Implementation procedures  24
    1 Install BMC Provisioning Services Manager  24
    2 Add Provisioning Module for Linux  25
    3 (Only for Local Managed System) Modify Services Manager file permissions  26
    4 Configure MSCS parameters  27
    5 (Only for a remote Managed System) Configure SSH Secure Shell  29
    6 Import the Managed System Type definition into Enterprise SecurityStation  30
    7 Set up Managed System administrator Accounts  30
    8 (Only for local Managed System) (Optional) Password Interceptor Client  30
Before installing
Before running the installation procedure, it is recommended that you review the information in this section to help ensure that the installation procedure runs smoothly and successfully.
Hardware/software requirements
Ensure that the hardware and software requirements described in this section are satisfied before starting installation of the Provisioning Module.
NOTE
If you want to use the automatic procedure for configuring SSH described in this book, the Provisioning Module must be installed before configuring SSH. If you use the manual procedure, the Provisioning Module can be installed before or after configuring SSH.
For more information on configuring SSH Secure Shell, see Chapter 3, Configuring SSH Secure Shell.
Password interception
Password interception is not supported for remote Managed System hosts.
NOTE
BMC Provisioning Services Manager can be installed in any directory in a local file system (not on the NFS).
Table 3  Linux system requirements (columns: Component, Memory, Disk Space)

Managed Systems
Checking for Suid-enabled file system

1 Enter the following command to display the free disk space for the local file system:

df -l

2 Enter the following command to check that the file system is a mounted file system:

mount -p | grep fileSystem

The variable fileSystem is the file system where you plan to install BMC Provisioning Services Manager. If the result of the mount command contains the option nosuid, you must either re-mount the file system to allow suid programs or select a different file system.
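As an added example (not from the manual), the following POSIX shell script performs the same nosuid check against mount entries in /proc/mounts format rather than the mount command output, and also flags NFS, since BMC Provisioning Services Manager must be installed on a local file system. The mount table it reads is a constructed sample; on the Services Manager computer, feed it the contents of /proc/mounts.

```shell
#!/bin/sh
# Added example, not part of the BMC manual: check whether a planned
# Services Manager install directory lies on a file system mounted with
# "nosuid" (which would disable the product's setuid executables) or on
# NFS (which the manual rules out). Entries are read in /proc/mounts
# format: device mountpoint fstype options dump pass.

# Constructed sample mount table. For a real check use:
#   MOUNTS=$(cat /proc/mounts)
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw,relatime 0 0
/dev/sda2 /opt ext3 rw,nosuid,nodev 0 0
nfs1:/export/home /home nfs rw,nosuid,addr=10.0.0.5 0 0
/dev/sda3 /opt/bmc ext3 rw,relatime 0 0'

# mount_entry_for PATH MOUNT_TABLE
# Prints "mountpoint fstype options" for the mount that holds PATH.
# The longest mount point that is a path prefix of PATH wins, so
# /opt/bmc beats /opt for /opt/bmc/sm.
mount_entry_for() {
    printf '%s\n' "$2" | awk -v p="$1" '
        NF < 4 { next }
        {
            mnt = $2
            # mnt covers p when it is "/", equals p, or is a prefix of
            # p that ends at a path separator
            if (mnt == "/" || mnt == p || index(p, mnt "/") == 1) {
                if (length(mnt) > length(best)) {
                    best = mnt; bfs = $3; bopts = $4
                }
            }
        }
        END { if (best != "") print best, bfs, bopts }'
}

# install_path_ok PATH MOUNT_TABLE
# Returns 0 when PATH may hold the Services Manager, 1 otherwise,
# printing the reason either way.
install_path_ok() {
    entry=$(mount_entry_for "$1" "$2")
    mnt=${entry%% *}
    rest=${entry#* }
    fstype=${rest%% *}
    opts=${rest#* }
    case ",$opts," in
        *,nosuid,*)
            echo "$1: $mnt is mounted nosuid; remount without nosuid or pick another file system"
            return 1 ;;
    esac
    case $fstype in
        nfs|nfs4)
            echo "$1: $mnt is NFS; the Services Manager must be on a local file system"
            return 1 ;;
    esac
    echo "$1: $mnt ($fstype) allows suid programs"
    return 0
}

# Demonstration on the constructed table (replace with /proc/mounts).
for p in /opt/bmc/sm /opt/other /home/bmc; do
    install_path_ok "$p" "$SAMPLE_MOUNTS" || :
done
```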
Defining Provisioning Module administrators

Default administrator

For local Managed System: Most types of Provisioning Modules use the Default administrator to retrieve information from the Managed System database. However, for Linux, a Default administrator Account is not used.

For remote Managed System: A special Default administrator entry in the Administrator file is used to hold the passphrase used by the Provisioning Module to connect to the remote Managed System host. The remote Default administrator is added automatically by the ssh-config.sh script (see page 42), or manually if you are using the manual configuration (see page 52). This Default administrator is used internally by SSH, and is not defined as an administrator in Enterprise SecurityStation.
NOTE
The details of the Default administrator typically will not require any further manipulation; however, if required, it can also be manipulated manually via the ctsadm utility. For more information, see BMC Provisioning Services Manager Administrator Guide for Linux.
NOTE
(Local Managed Systems only) A Managed System administrator cannot be renamed.
NOTE
(Remote Managed Systems only) A Managed System administrator must be added to the Administrator file by defining the Managed System administrator in Enterprise SecurityStation Console and not by using the ctsadm utility. However, you can use the utility later if you wish to alter the Managed System administrator details (such as the administrator's password).
Unattended administrator
This Account is defined in the Managed System with administrator privileges. The Services Manager logs in as this Account to perform actions that originate from automatic operations in Enterprise SecurityStation, such as synchronizing passwords for all the Accounts of a Person. Optionally select or define an account in the Managed System to serve as the Unattended administrator. (You can also use the same account for a Managed System administrator and as the Unattended administrator.)
Implementation overview
Implementation of BMC Provisioning Module for Linux consists of the following procedures:

1. Install BMC Provisioning Services Manager. If it is not already installed, install the Services Manager on the Linux computer.
2. Add Provisioning Module for Linux.
3. Modify Services Manager file permissions.
4. Configure the MSCS parameters. MSCS parameters must be configured for each Linux Managed System to be handled via the Services Manager computer.
5. (Only for Remote Managed System) Configure SSH Secure Shell.
6. Import the Managed System Type definition into Enterprise SecurityStation.
7. Set up the Managed System administrator Accounts.
8. (Only for Local Managed System) Install the Password Interceptor.
Implementation procedures
This section describes the implementation procedures in detail. The following steps are described:
Figure 1
2 Add Provisioning Module for Linux

NOTE
- BMC Provisioning Module version 5.0.00 for Linux (32-bit) is not compatible with BMC Provisioning Services Manager version 5.1.00 for Linux (64-bit).
- BMC Provisioning Module version 5.0.00 for Linux (32-bit) must be used only with BMC Provisioning Services Manager version 5.1.00 for Linux (32-bit).
- BMC Provisioning Module version 5.0.00 for Linux (64-bit) must be used only with BMC Provisioning Services Manager version 5.1.00 for Linux (64-bit).

The pmz file is located in the following directory on the installation CD:
- For 32-bit Provisioning Module under /Install/32-bit
- For 64-bit Provisioning Module under /Install/64-bit
When you have finished adding the Provisioning Module, Figure 2 is displayed.
Figure 2
3 (Only for Local Managed System) Modify Services Manager file permissions
If you want to perform the provisioning of a Local Linux Managed System, you have to modify the ownership and permissions of the BMC Provisioning Services Manager executable files before configuring MSCS parameters.
To change the ownership and permissions of Services Manager's executable files

1 Log in to the Services Manager computer as user root.

2 Enter the following command to locate the Services Manager executable files:

cd smPath/bin

3 Enter the following commands to change the file ownership and permissions:

chown root ctsadm ctssoffi p_ctscd p_ctscs apiver
chmod 4750 ctsadm ctssoffi p_ctscd p_ctscs apiver
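The following script is an added example, not part of the BMC product: after step 3 it verifies that each of the five executables is owned by root with mode exactly 4750, so that a later upgrade or a stray chmod that leaves one of them world-executable or without the setuid bit is caught. It assumes GNU stat as shipped on Linux; the owner argument exists only so the check can be exercised on test files owned by a non-root user, and the SM_PATH default is a placeholder for smPath.

```shell
#!/bin/sh
# Added example, not part of the BMC product: after step 3, confirm that
# the Services Manager setuid executables carry exactly the ownership and
# mode the procedure sets (root, 4750) and nothing looser. Uses GNU stat
# as shipped on Linux.

# The five executables named in step 3.
SM_SETUID_BINS="ctsadm ctssoffi p_ctscd p_ctscs apiver"

# audit_setuid_bin FILE [OWNER]
# Prints one line per problem and returns 1 if there is any; returns 0
# when FILE is owned by OWNER (default root) with mode 4750. OWNER is a
# parameter only so the check can run on files owned by a non-root user.
audit_setuid_bin() {
    f=$1
    want_owner=${2:-root}
    rc=0
    if [ ! -f "$f" ]; then
        echo "$f: missing"
        return 1
    fi
    # stat -c '%a %U' prints the octal mode (setuid bit included) and owner
    set -- $(stat -c '%a %U' "$f")
    mode=$1
    owner=$2
    if [ "$owner" != "$want_owner" ]; then
        echo "$f: owned by $owner, expected $want_owner"
        rc=1
    fi
    case $mode in
        4750)     ;;                      # exactly what step 3 sets
        [4567]???) echo "$f: mode $mode, expected 4750"; rc=1 ;;
        *)         echo "$f: setuid bit not set (mode $mode), expected 4750"; rc=1 ;;
    esac
    # a setuid-root program reachable by every local user is the worst case
    case $mode in
        [4567]??[1-7]) echo "$f: world-accessible setuid binary (other=${mode#???})" ;;
    esac
    return $rc
}

# audit_sm_bin_dir DIR [OWNER]
# Runs audit_setuid_bin over all five executables in DIR (smPath/bin),
# prints a summary, and returns the number of executables with problems.
audit_sm_bin_dir() {
    dir=$1
    owner=${2:-root}
    bad=0
    for b in $SM_SETUID_BINS; do
        audit_setuid_bin "$dir/$b" "$owner" || bad=$((bad + 1))
    done
    echo "$bad of 5 executables need attention"
    return $bad
}

# Demonstration; SM_PATH is a placeholder for the real smPath.
SM_PATH=${SM_PATH:-/path/to/smPath}
audit_sm_bin_dir "$SM_PATH/bin" || :
```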
4 Configure MSCS parameters

Table 4  MSCS parameters for Linux

DEFAULT_ADMIN
  Do not configure the DEFAULT_ADMIN parameter when creating a remote Managed System. Configure the DEFAULT_ADMIN parameter only after creating a remote Managed System.

DEFAULT_ADMIN_PASSWORD
  For local Managed System: Password of the administrator account.
  For remote Managed System: Passphrase of the private key of the Services Manager owner account.

IS_REMOTE_RSS
  Whether the Managed System is local or remote. Y: remote Managed System. N: local Managed System. Default: N

REMOTE_HOST_NAME
  IP address or host name of the remote Managed System host managed by the Provisioning Module. Note: This is applicable only when the value of the MSCS parameter IS_REMOTE_RSS is set to Y.
EXPECT_PASSWD_FIRST
  Default values for:
  - Red Hat Enterprise Linux 5: New UNIX [pP]assword:.*
  - SUSE Linux Enterprise Server version 10: New [pP]assword:.*

EXPECT_PASSWD_SECOND
  A regular expression that represents the string returned by the remote Managed System host when a user password is modified on the Provisioning Module platform (the passwd command is run) and a verification is requested. This parameter should only be modified at the request of Customer Support.
  Default: Retype new UNIX [pP]assword.*:.*
For more information regarding specific Linux MSCS parameters, refer to Appendix B, MSCS configuration parameters. For more information regarding common parameters for all Managed System types, refer to the BMC Provisioning Services Manager Administrator Guide.
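As an added example (not from the manual), the script below checks the EXPECT_PASSWD_FIRST and EXPECT_PASSWD_SECOND patterns from Table 4 against a transcript of what passwd prints on the remote host, so that a pattern that does not match the host's prompt is found before the Provisioning Module depends on it. The two transcripts are constructed samples standing in for Red Hat Enterprise Linux 5 and SUSE Linux Enterprise Server 10 output; capture the real one on each host you manage.

```shell
#!/bin/sh
# Added example, not part of the BMC manual: verify the EXPECT_PASSWD_*
# regular expressions against the prompts a remote host actually prints
# when "passwd user" runs, before relying on them in the MSCS.

# Table 4 defaults. EXPECT_PASSWD_FIRST differs by distribution.
RHEL5_FIRST='New UNIX [pP]assword:.*'
SLES10_FIRST='New [pP]assword:.*'
DEFAULT_SECOND='Retype new UNIX [pP]assword.*:.*'

# Constructed samples of a passwd session on each host type (not captured
# from real systems; replace with a transcript from your own host).
RHEL5_TRANSCRIPT='Changing password for user jdoe.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.'
SLES10_TRANSCRIPT='Changing password for jdoe.
New Password:
Reenter New Password:
Password changed.'

# prompt_matches PATTERN LINE
# Returns 0 when the extended regular expression matches the line; the
# [pP] and .* in Table 4 behave as regular-expression syntax.
prompt_matches() {
    printf '%s\n' "$2" | grep -Eq -e "$1"
}

# verify_passwd_prompts FIRST SECOND TRANSCRIPT
# Walks the transcript line by line and requires FIRST to match some line
# and SECOND to match a later line, the order in which passwd prompts.
# Prints the prompt that was not recognised; returns 1 on any gap.
verify_passwd_prompts() {
    first=$1
    second=$2
    printf '%s\n' "$3" | {
        stage=first
        while IFS= read -r line; do
            case $stage in
                first)  prompt_matches "$first" "$line" && stage=second ;;
                second) prompt_matches "$second" "$line" && stage=done ;;
            esac
        done
        case $stage in
            done)   echo "both prompts recognised"; exit 0 ;;
            first)  echo "EXPECT_PASSWD_FIRST '$first' matched no line"; exit 1 ;;
            second) echo "EXPECT_PASSWD_SECOND '$second' matched no line after the first prompt"; exit 1 ;;
        esac
    }
}

# Demonstration: the RHEL defaults fit the RHEL transcript; the SLES
# first pattern fits SLES, but the default second pattern does not.
verify_passwd_prompts "$RHEL5_FIRST" "$DEFAULT_SECOND" "$RHEL5_TRANSCRIPT" || :
verify_passwd_prompts "$SLES10_FIRST" "$DEFAULT_SECOND" "$SLES10_TRANSCRIPT" || :
```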
Interactive installation
This procedure is used to install a new instance of the Password Interceptor Client, directly from the product CD.
To perform the Interactive installation for the Password Interceptor

1 On the Services Manager platform, log in as the Services Manager owner.

2 In the same session, change the user context to a superuser or root.
3 Enter the following commands to create a temporary directory to which you will copy the Password Interceptor files:
mkdir /tmp/DRLIS.5.0.00
chmod 777 /tmp/DRLIS.5.0.00
where managedSystemName is the name of the Managed System for which you are installing the Password Interceptor. The following prompt is displayed:
Enter the full path of the Services Manager directory [<path>]:
9 The script displays a series of prompts, requesting data to customize the Password Interceptor. For information on responding to these prompts, see Table 5 below.
Table 5
Directory where inetd client will be installed: The following prompt is displayed:
Enter the directory where inetd client will be installed [/usr/sbin]:
Enter the directory in which the inetd client program will be installed. This directory is referred to as client-dir in the installation procedure. This directory must be on a local file system.
Directory in which to install the PWI exit module used to intercept passwords: The following prompt is displayed:
Enter the directory where PAM library will be installed [/lib/security]:
TCP/IP port number for password interception: The script backs up the file /etc/services and displays the following prompt:
Select TCP/IP port number for password interception [6690]:
Enter the password interception port number. By default, the password interception facility uses the next consecutive port following the ports specified for TCP/IP Port Number (described on page 30). For example, if you use the default of 2470 and 2471 for that parameter, the default for the password interception facility is 2472. Verify that the TCP/IP port to be used for the password interception facility is not already in use. If it is in use, locate a different port to use for the password interception facility. Enter the selected port (or accept the default) when you are asked to supply the password interception port number.
Several additional messages are displayed as customization continues. When the installation procedure is completed, the following message is displayed:
Installation ended successfully
11 Stop and start the Services Manager to enable password interception.
12 Enable password interception for Linux users.
NOTE
To uninstall Password Interceptor, refer to Appendix D, Uninstalling Password Interceptor.
Silent installation
This procedure is used to perform a non-interactive installation of a new instance of the Password Interceptor from an installation image.
To perform the silent installation for the Password Interceptor
1 Enter the following commands to create a temporary directory to which you will copy the Password Interceptor files:
mkdir /tmp/DRLIS.5.0.00
chmod 777 /tmp/DRLIS.5.0.00
product CD.
3 In a text editor, open the pwiLinux.silent.properties file. Update the required values in the file and save the file. Figure 3 lists a sample pwiLinux.silent.properties file.
Figure 3 Sample pwiLinux.silent.properties file (part 1 of 2)
*************************************************
Silent installer property file
*************************************************
########################################################
# PRODUCT NAME : PWI for Linux
# PRODUCT VERSION : 5.0.00
########################################################
#
#
--------------------------------------------------------------------
# Directory where the Services Manager is installed
SMINSTALLDIR=/local/home/sithu/bmc/idm/ServicesManager
--------------------------------------------------------------------
--------------------------------------------------------------------
# MS Name
MS_NAME=loc_lnx2
--------------------------------------------------------------------
--------------------------------------------------------------------
# Directory where inetd client will be installed :
INETD_DIR=/usr/sbin
--------------------------------------------------------------------
Figure 3 Sample pwiLinux.silent.properties file (part 2 of 2)
--------------------------------------------------------------------
# Directory where PAM library will be installed :
PAMLIB_DIR=/lib/security
--------------------------------------------------------------------
--------------------------------------------------------------------
# TCP/IP port number for password interception:
PWI_PORT_NO=9080
--------------------------------------------------------------------
4 On the Services Manager computer, log in as the Services Manager owner.
5 In the same session, change the user context to a superuser or root.
6 Enter the following command to go to the Services Manager home directory:
cd $SM_INSTALL_DIR
Chapter 3
Overview
Remote Security Administration is implemented for the Services Manager by configuring all remote Managed System hosts in the network to communicate with the Services Manager using SSH (Secure Shell), thereby providing secure encrypted sessions between the hosts. The SSH configuration consists of a Services Manager computer (SSH client), where Provisioning Module for Linux is installed. The Services Manager computer communicates via the SSH protocol with multiple remote Managed System hosts (no installation of Services Manager is required on the remote hosts). On each remote Managed System host, an SSH daemon (sshd or sshd2) is typically running and awaiting a connection request from the SSH client on the Services Manager computer.
Figure 4 illustrates an example of an SSH configuration under BMC Provisioning Services Manager. Figure 4 SSH configuration in the BMC Provisioning Services Manager environment
Authentication
BMC Provisioning Services Manager uses SSH with public key authentication. The public key authentication method consists of two secret components: a key pair and a passphrase. The secret components are as follows:
- The Services Manager public key is used by the remote Managed System host for user authentication, to verify the identity of the Services Manager computer and then for sending encrypted data to the Services Manager computer.
- The Services Manager private key is used for decrypting data which has been encrypted by the remote Managed System host with the Services Manager public key. The private key can only be used together with a secret passphrase. The passphrase is used to decrypt the user private key to create an authenticator. The passphrase and the key pair enable Services Manager to securely log in to the various remote Managed System hosts.
NOTE
For verification of the identity of each remote Managed System host and for sending encrypted data to the remote Managed System host, Services Manager uses the remote host public key.
- Tectia Server / Client User and Administrator Manuals for versions 4.3, 4.4, 5.0 and above at http://www.ssh.com/products/client-server/
- OpenSSH at http://www.openssh.org/
Software requirements
Ensure that the SSH software is installed and working properly on the Services Manager computer and on all remote Managed System hosts to be managed. For more information, see the Compatibility section of the BMC Provisioning Module Release Notes for Linux.
SSH should be configured on the Services Manager computer (SSH Client) so that the Services Manager owner account can connect and manage the remote Managed System hosts with root or root-like user capabilities. SSH should be configured on each remote Managed System host (SSH Servers) to be managed using Services Manager. Once the configuration procedure is performed for one remote Managed System host, different methods can be used to configure subsequent remote Managed System hosts.
For more information, see Managing more than one remote Managed System host on page 51 for the automated configuration procedure and section 5, Managing more than one remote Managed System host, on page 66 for the manual configuration procedure.
- The authentication method required by the Services Manager is public key using SSH protocol 2.
NOTE
Other authentication methods are not supported.
During the configuration procedure you are prompted to enter a passphrase. Record this passphrase, as you will be required to re-enter it later. Ensure that Services Manager has stopped and Interceptor processes are not running. For more information, see BMC Provisioning Services Manager Administrator Guide for Linux.
To create a root-like user
1 Enter the following command on the remote host to create a root-like user:
useradd -d / rootLikeUser
2 Change the UID field for the root-like user to 0 by editing the /etc/passwd file.
NOTE
Check that the setting to change the password on every login for the root-like user on the remote system is disabled.
Automated configuration
The automatic configuration procedure does not support Tectia SSH 5.0 and above. To manually configure Tectia SSH 5.0 and above, see Manual configuration of SSH Secure Shell on page 52. The topics in this section describe the automated configuration procedure of SSH:
Pre-configuration checks on the remote host (page 39)
Automatic configuration procedure (page 42)
After configuring SSH (page 47)
Verifying SSH communication (page 50)
Managing more than one remote Managed System host (page 51)
Tectia SSH
1 Log in to the remote Managed System host as user root.
2 Open the file /etc/ssh2/sshd2_config (usually located in /etc/ssh2).
3 Verify that the following parameters are set as specified:
PermitRootLogin yes
AllowedAuthentications publickey, password
LoginGraceTime 30 (recommended value)
StrictModes yes (recommended value)
MaxConnections 0
IgnoreRhosts yes
AllowHosts mainhost
AllowUsers rootLikeUser
subsystem path/sftp-server
where:
mainhost: IP address or full host name of the Services Manager computer. If the IP address is specified, it must be prefixed with \i; if the host name is specified, it must be the full host name, specified with the domain name. For example:
AllowHosts \i184.16.320.12
AllowHosts sushi.fin.bmc.com
Note: It is recommended that you enter the IP address instead of the host name.
path/sftp-server: Full path and file name of the sftp-server binary.
rootLikeUser: A user created using the procedure Creating a root-like user on page 38.
Modify the entries as required. Save the file and exit. Enter one of the following commands to stop the ssh daemon process:
kill $(cat /etc/ssh2/sshd2_22.pid)
OR
/etc/ssh2/sshd2 stop
Enter one of the following commands to start the ssh daemon process:
/usr/local/sbin/sshd2
OR
/etc/ssh2/sshd2 start
where /usr/local/sbin/sshd2 is an example of the path to start the ssh daemon process.
OpenSSH
1 Log in to the remote Managed System host as user root.
2 Open the file sshd_config (usually located in either /usr/local/etc or /etc/ssh).
3 Verify that the following parameters are set as specified:
PermitRootLogin yes
Protocol 2
PubkeyAuthentication yes
LoginGraceTime 30 (recommended value)
StrictModes yes (recommended value)
IgnoreRhosts yes
PasswordAuthentication yes
RhostsAuthentication no
AllowUsers rootLikeUser [root]
Subsystem sftp sftpServer
The variable sftpServer is the full path and file name of the sftp-server binary, and rootLikeUser is a user created using the procedure Creating a root-like user on page 38.
Modify the entries as required. Save the file and exit. Enter the following commands:
stopsrc -s sshd
stopsrc -s prngd
startsrc -s prngd
startsrc -s sshd
OR
Do the following steps: Enter the following command to stop the ssh daemon process:
kill -9 sshdPid
where sshdPid is the ID of the sshd process. Enter the following command to start the ssh daemon process:
path/sshd
For example, /usr/local/sbin/sshd is the path to start the ssh daemon process.
The following text is displayed:
Enter file in which the key is (//.ssh/id_rsa):
Enter the full path of the host public key (typically /usr/local/etc/ssh_host_dsa_key.pub).
NOTE
Before starting this procedure, ensure you have access to the password of the account, which has the user ID (UID) as zero (0) on the remote Managed System host that you wish to manage. This account can be other than root, but the user ID of this account should be zero.
To run the automatic configuration procedure
1 On the Services Manager computer, log in as the Services Manager owner (usually user smOwner).
where:
sshType: -c for Tectia SSH; -o for OpenSSH.
sshPort: The port number used to communicate with the remote Managed System host.
remoteMsName: The name of the MSCS defined for the remote Managed System host that you wish to manage.
remoteHostName: The name of the remote Managed System host that you wish to manage.
remoteSSHUser: User on the remote host which has the user ID (UID) zero (0) and is used to connect through SSH from the Services Manager computer. Refer to Creating a root-like user on page 38 for more information.
keyPairFileName *: (Optional) Name for the generated key pair files.
F1: (Optional) The key file name will be sm-owner-localHost.
F2: (Optional) The key file name will be sm-owner-localHost-remoteHost. The variable remoteHost is the name of the remote Managed System host.
* If, during a subsequent run of this automatic configuration procedure, you try to generate another key pair with an identical value for the parameters keyPairFileName, F1 or F2, SSH uses the existing key pair and does not generate a new key pair.
NOTE
The default value of the argument {keyPairFileName | F1 | F2} is F1. Therefore, if you wish to generate a different key pair for each remote Managed System host, ensure you use either the F2 or keyPairFileName parameter.
Looking for ctsaian-spock-felix public and private keys in ctsaian@spock:/home1/ctsaian/.ssh.
Couldn't find your DSA keypair.
Creating a keypair using ssh-keygen. This may take few minutes.
You should NOT give an empty passphrase!
Generating public/private dsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
NOTE
The sample output throughout this procedure is for a configuration using Open SSH. This illustrates the procedure for defining the SSH connection for user ctsaian on Services Manager computer spock to remote Managed System host felix.
3 You are prompted to enter (and then re-enter) a passphrase for the new key. Enter a string of characters (any type). It is highly recommended that you enter a passphrase at least 20 characters long, including spaces and punctuation. Text similar to the following is displayed:
Your identification has been saved in /home1/ctsaian/.ssh/ctsaian-spock-felix.
Your public key has been saved in /home1/ctsaian/.ssh/ctsaian-spock-felix.pub.
The key fingerprint is:
e3:07:40:5b:ad:6a:66:ae:7c:a0:ac:1f:3d:ed:6b:54 ctsaian@spock
Using your new key pair in ctsaian-spock-felix as your identity on ctsaian@spock.
-- Step 2.
-- Step 3. Send public key of ctsaian to remote host felix and retrieve its public key.
Now running scp to send public key to root on felix.
Most likely you'll have to type a password.
You may authenticate the remote host public key's fingerprint if you wish.
scp -rp /home1/ctsaian/.ssh/.ssh root@felix:
The authenticity of host 'felix (172.16.110.186)' can't be established.
DSA key fingerprint is 43:6d:eb:0c:c6:ed:04:37:c3:e3:a7:52:ab:b4:96:06.
Are you sure you want to continue connecting (yes/no)?
4 (Optional) At this point, if you wish to authenticate the remote Managed System host, compare the fingerprint that you acquired in step 5 on page 41 with the fingerprint displayed in the output from the previous step. Performing this comparison provides protection against man-in-the-middle attacks.
If you wish to exit the automatic configuration procedure (for example, if the fingerprints that you compared in step 4 (above) were not identical), enter No. Text similar to the following is displayed:
Host key verification failed. lost connection ERROR: scp command failed
If you wish to continue the automatic configuration procedure and add the remote Managed System host public key to your known hosts, enter Yes. Text similar to the following is displayed:
Warning: Permanently added 'felix,172.16.110.186' (DSA) to the list of known hosts root@felix's password:
6 Enter the root password of the remote Managed System host (you are asked to re-enter the password for confirmation). Text similar to the following is displayed:
Now running ssh to add public key file name to authorization file for root on felix.
Most likely you'll have to type a password again.
root@felix's password:
-- Step 4. Retrieve public key of root from remote host felix.
Now running ssh to retrieve the public key from felix.
You may authenticate the remote host public key's fingerprint if you wish.
Most likely you'll have to type the passphrase.
ssh root@172.16.110.186 date
Enter passphrase for key '/home1/ctsaian/.ssh/ctsaian-spock-felix':
7 The process described in the preceding display is required to verify the SSH connection and, in certain cases, to retrieve the remote Managed System host public key. Enter the passphrase that was defined in step 3 on page 44. Text similar to the following is displayed:
Sun Jan 26 12:32:33 IST 2003
-- Step 5. Add default administrator to the Administrator file.
If the Default administrator is successfully added to the Administrator file, the following message is displayed:
ssh configuration successfully completed.
If the Default administrator is not successfully added to the Administrator file, the following message is displayed:
failure in ctsadm ERROR:failed to add default administrator PassPhraseADM to MSADM.DAT file
This message indicates that the CTSADM utility, which performs this action, attempted to connect to the remote Managed System host using the passphrase you entered and did not succeed. If this occurs, it is recommended that you do the following:
1. Try re-entering the passphrase. This procedure is described in section 4, Updating the Administrator file, on page 65. If this fails, continue with the next item.
2. Locate the relevant error messages in the CTSADM log file at the following location and act accordingly:
smPath/logs/ADM_MSG_processId.log
NOTE
The name of the special Default administrator (PassPhraseADM) in the Administrator file must not be changed.
NOTE
This procedure should not be used if you are employing SSH for other applications which utilize password authentication.
Tectia SSH
1 Log in to the remote Managed System host as user root.
2 Open the file /etc/ssh2/sshd2_config in a text editor (usually located in /etc/ssh2).
3 Verify that the following parameters are set as specified:
PermitRootLogin nopwd
AllowedAuthentications publickey
NOTE
If you want to be able to login remotely as root to the remote Managed System using a password, you are not required to modify the PermitRootLogin parameter. However, BMC recommends that you set this parameter to nopwd so that remote login can be performed only using public key authentication and not using the root password.
4 Modify the entries as required.
5 Save the file and exit.
6 Enter one of the following commands to stop the ssh daemon process:
kill $(cat /etc/ssh2/sshd2_22.pid)
OR
/etc/ssh2/sshd2 stop
7 Enter one of the following commands to start the ssh daemon process:
/usr/local/sbin/sshd2
OR
/etc/ssh2/sshd2 start
where /usr/local/sbin/sshd2 is an example path.
Open SSH
1 Log in to the remote Managed System host as user root.
2 Open the file /etc/ssh/sshd_config in a text editor.
3 Verify that the following parameters are set as specified:
PermitRootLogin without-password
PasswordAuthentication no
NOTE
If you want to be able to login remotely as root to the remote Managed System using a password, you are not required to modify the PermitRootLogin parameter. However, BMC recommends that you set this parameter to nopwd so that remote login can be performed only using public key authentication and not using the root password.
4 Modify the entries as required.
5 Save the file and exit.
6 Enter the following commands:
stopsrc -s sshd
stopsrc -s prngd
startsrc -s prngd
startsrc -s sshd
OR
Do the following steps: Enter the following command to stop the ssh daemon process:
kill -9 sshdPid
where sshdPid is the ID of the sshd process. Enter the following command to start the ssh daemon process:
path/sshd
For example, /usr/local/sbin/sshd is the path to start the ssh daemon process.
Verify SSH communication in the following cases:
- After you have configured SSH on the Services Manager computer and the remote Managed System host.
- Upon recovery of the Services Manager computer or the remote Managed System host.
- Whenever the sshd (or sshd2 or ssh-server-g3) process fails on the remote Managed System host.
To verify SSH communication
1 Log in to the remote host as root user.
2 Ensure that the sshd (or sshd2 or ssh-server-g3) process is running by specifying the following command:
ps -ef | grep sshd
OR
ps -ef | grep sshd2
OR
ps -ef | grep ssh-server-g3
3 On the Services Manager computer, log in as the Services Manager owner (usually user smOwner).
The variable port is the port number on which the ssh server is running on the remote host, and remoteHost is one of the following:
- Tectia SSH: The IP address or host name of the remote Managed System host, exactly as specified in the MSCS parameter REMOTE_HOST_NAME.
- Open SSH: The IP address or host name of the remote Managed System host.
A prompt is displayed, asking you to specify the passphrase you specified earlier.
5 Enter the passphrase that you entered in the automatic procedure (see page 44) or in the manual procedure (see page 52). If the passphrase is verified, the contents of the root directory of the remote Managed System host are displayed.
1 Generate a single DSA public and private key pair.
2 Generate a new DSA public and private key pair for each additional remote Managed System host with a separate passphrase. This is the recommended option.
3 Generate a new DSA public and private key pair for each remote host; however, use the same passphrase for each generated key pair.
For options 2 and 3, complete the following procedures:
- Before configuring SSH on page 37
- Pre-configuration checks on the remote host on page 39
- Automatic configuration procedure on page 42
- After configuring SSH on page 47
- Verifying SSH communication on page 50
1.1 Generate a DSA key pair
1.2 Create an identification file
1.3 Set up the SSH configuration file
1.4 Retrieve the remote Managed System host Public Key
NOTE
Configure SSH on the Services Manager computer while logged on as the Services Manager owner (usually user smOwner).
NOTE
If you are using Tectia SSH version 5.0 and above, create a symbolic link to sshg3 as follows:
ln -s <path-name>/sshg3 /bin/ssh
For example:
ln -s /opt/tectia/bin/sshg3 /bin/ssh
To generate a DSA key pair
1 Activate ssh-keygen to generate a DSA key pair (public key and private key) by specifying one of the following commands:
Tectia SSH version below 5.0: ssh-keygen2 [fileName]
Tectia SSH version 5.0 and above: ssh-keygen-g3 [fileName]
Open-SSH: ssh-keygen -b 1024 -t dsa [-f fileName]
The variable fileName is the full pathname of a file that you may optionally specify for the key pair.
Tectia SSH only: If you do not specify a file name in the command, a file name
NOTE
Open SSH Only: If you are generating a separate key pair for each remote Managed System host that you wish to manage, you should either name the key pair now or name the next key pair you generate. If this is not done, the next key pair you generate will overwrite the original key pair.
NOTE
It is highly recommended that you enter a passphrase at least 20 characters long, including spaces and punctuation.
3 (Open-SSH Only) If you did not specify the pathname for a key pair file in the ssh-keygen command, you are prompted now to specify this information. Specify the full pathname for the file or just press Enter to accept the default (described below).
Tectia SSH
The private key and public key are created in the following locations:
- File name that you specified for the key pair in step 1 on page 53.
- If you did not specify a file name for the key pair, the file name is id_dsa_2048_sequenceId. The variable sequenceId is an automatically generated number which identifies the specific key pair.
NOTE
If you have more than one key pair, each key pair is identified by a consecutive sequence ID.
Open SSH
Unless you specified a different pathname when running ssh-keygen, the private key and public key are created in the following locations:
NOTE
This procedure is not required for Open SSH.
To create or modify an identification file 1 Using a text editor, create or open the file smOwnerHome/.ssh2/identification. 2 Insert the following line to identify the private key file:
IdKey PrivateKeyFileName
The variable PrivateKeyFileName is the name of the private key file that was generated in step 3 on page 54.
For example:
IdKey id_dsa_2048_a
NOTE
Each user has a separate IdKey. Insert a separate entry for each generated key pair.
2 Save the file.
3 Enter the following command to change permissions for the ssh2_config file:
chmod 600 smOwnerHome/.ssh2/ssh2_config
default-settings/idle-timeout time=5
OpenSSH
Perform the following actions:
The variable KeyFileName is the full path and name of the private key file that was generated in step 1 on page 53.
2 Save the file.
3 Enter the following command to change permissions for the config file:
chmod 600 smOwnerHome/.ssh/config
WARNING
If a remote Managed System host public key changes, you should replace the new file in the specified location on the Services Manager computer. Do not replace the public key unless you can verify its validity.
Copy the remote Managed System host public key from the remote Managed System host to the Services Manager computer. The default location and file name on the remote Managed System host is:
/etc/ssh2/hostkey.pub
The required location and file name on the Services Manager computer is:
smOwnerHome/.ssh2/hostkeys/key_port_remoteHost.pub
where:
port: The port number on the server where sshd2 runs (default 22).
remoteHost: The IP address or host name of the remote Managed System host, exactly as specified in the MSCS parameter REMOTE_HOST_NAME.
Complete this procedure for each remote Managed System host connected to the Services Manager.
Copy the remote Managed System host public key from the remote Managed System host to the Services Manager computer. The default location and file name on the remote Managed System host is:
/etc/ssh2/hostkey.pub
The required location and file name on the Services Manager computer is:
smOwnerHome/.ssh2/hostkeys/key_port_remoteHost.pub
where:
port: The port number on the server where ssh-server-g3 runs (default 22).
remoteHost: The IP address or host name of the remote Managed System host, exactly as specified in the MSCS parameter REMOTE_HOST_NAME.
Complete this procedure for each remote Managed System host connected to the Services Manager.
Open SSH
Perform the following:
- Edit or create the file smOwnerHome/.ssh/known_hosts in a text editor. Insert a line that contains the following data:
remoteHostName,ipAddress remoteHostPublicKey
where:
remoteHostName: Name of the remote Managed System host.
ipAddress: IP address of the remote Managed System host.
remoteHostPublicKey: The actual contents of the key file (typically ssh_host_dsa_key.pub), which can be found on the remote Managed System host in one of the following locations: /usr/local/etc or /etc/ssh.
For example:
spock,172.16.110.119 ssh-rsa AAAAB3swets9sdfgsaefgsacvad==
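The following POSIX shell script is an added example and is not part of the BMC manual. It builds a known_hosts line of the form shown above from a host public key file, and it checks an existing known_hosts file for a host, reporting whether the host is new (first contact, so the fingerprint still has to be verified out of band), whether the stored key matches, or whether the stored key differs from the key presented, which is the case the WARNING earlier in this chapter tells you not to resolve by simply replacing the key. The host names, IP addresses, key material and known_hosts contents are constructed for the example; the script assumes plain (unhashed) known_hosts entries of the form "names keytype base64 [comment]".

```shell
#!/bin/sh
# Added example, not part of the BMC manual: known_hosts handling for the
# Services Manager owner account.

# known_hosts_entry HOSTNAME IPADDRESS PUBKEYFILE
# Prints "hostname,ipaddress keytype base64", dropping the key file's comment.
known_hosts_entry() {
    read -r ktype kdata _comment < "$3" || return 1
    printf '%s,%s %s %s\n' "$1" "$2" "$ktype" "$kdata"
}

# known_hosts_status KNOWN_HOSTS HOST PUBKEYFILE
# HOST may be the host name or the IP address. Prints one of:
#   new      no entry for HOST (first contact: verify the fingerprint out of band)
#   match    the stored key equals the key in PUBKEYFILE
#   CHANGED  an entry exists but the key differs (do not replace until verified)
# Assumption: plain (unhashed) entries "names keytype base64 [comment]".
known_hosts_status() {
    read -r ktype kdata _comment < "$3" || return 1
    stored=$(awk -v h="$2" '
        $1 !~ /^#/ {
            n = split($1, names, ",")
            for (i = 1; i <= n; i++)
                if (names[i] == h) { print $2, $3; exit }
        }' "$1")
    if [ -z "$stored" ]; then
        echo new
    elif [ "$stored" = "$ktype $kdata" ]; then
        echo match
    else
        echo CHANGED
    fi
}

# Constructed sample data (the key material is a placeholder, not a real key).
SAMPLE_DIR=$(mktemp -d)
printf 'ssh-dss AAAAB3NzaC1kc3MAAACBAP/CONSTRUCTED/FELIX/HOSTKEY== root@felix\n' \
    > "$SAMPLE_DIR/felix_host_dsa_key.pub"
printf 'ssh-dss AAAAB3NzaC1kc3MAAACBAP/CONSTRUCTED/ROTATED/KEY==\n' \
    > "$SAMPLE_DIR/felix_rotated_key.pub"
cat > "$SAMPLE_DIR/known_hosts" <<'EOF'
# constructed known_hosts for the smOwner account
spock,172.16.110.119 ssh-rsa AAAAB3swets9sdfgsaefgsacvad==
felix,172.16.110.186 ssh-dss AAAAB3NzaC1kc3MAAACBAP/CONSTRUCTED/FELIX/HOSTKEY==
EOF

# Stand-alone demonstration: the entry that would be inserted, then three checks.
known_hosts_entry felix 172.16.110.186 "$SAMPLE_DIR/felix_host_dsa_key.pub"
known_hosts_status "$SAMPLE_DIR/known_hosts" felix "$SAMPLE_DIR/felix_host_dsa_key.pub"
known_hosts_status "$SAMPLE_DIR/known_hosts" 172.16.110.186 "$SAMPLE_DIR/felix_rotated_key.pub"
known_hosts_status "$SAMPLE_DIR/known_hosts" kirk "$SAMPLE_DIR/felix_host_dsa_key.pub"
```

Run the status check before replacing a host key file under smOwnerHome: a CHANGED result for a host whose key was not deliberately regenerated is the same situation as a failed fingerprint comparison in the automatic procedure.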
To configure the remote Managed System host
1 Log in to the remote Managed System host as user root.
2 Create or edit the root file /.ssh2/authorization using a text editor. Insert the following lines:
Key generatedPublicKey.pub
Options allow-from=mainHost
where:
generatedPublicKey.pub: The public key file name which was generated in procedure 1.1, Generate a DSA key pair, on page 53.
mainHost: The IP address or full host name of the Services Manager computer.
NOTE
It is recommended that you enter the IP address rather than the host name.
3 Copy the Services Manager computer public key to the remote Managed System
host /.ssh2/ directory. The public key is located on the Services Manager computer in the following location: smOwnerHome/.ssh2
where:
mainHost: IP address or full host name of the Services Manager computer. If the IP address is specified, it must be prefixed with \i; if the host name is specified, it must be the full host name, specified with the domain name. Examples:
AllowHosts \i184.16.320.12
AllowHosts sushi.fin.bmc.com
sftpServerPath
NOTE
It is recommended that you enter the IP address rather than the host name.
NOTE
It is recommended that you enter publickey if authentication is not used for any other method (hostbased or password).
Modify the entries as required. Save the file and exit. Enter the following command:
The variable sshdPid is the ID of the sshd2 process. The ID can be retrieved from the file sshd2_22.pid (usually located in /etc/ssh2 or /var/run) or can be obtained by specifying the following command:
ps -ef | grep sshd2
To configure the remote Managed System host
1 Log in to the remote Managed System host as user root.
2 Create a directory /.ssh2/authorized_keys using the following command:
mkdir /.ssh2/authorized_keys
NOTE
The default configuration file ssh-server-config-default.xml is typically located in: /etc/ssh2/
params/limits max-connections="0"
NOTE
It is recommended that you enter publickey only if authentication is not used for any other method (hostbased or password).
Modify the entries as required. Save the file and exit. Enter the following command:
./ssh-server-g3 reload
Open SSH
This section describes how to configure a remote Managed System host on OpenSSH using the authorized keys authentication method.
To configure the remote Managed System host
1 Log in to the remote Managed System host as user root.
2 Create or edit the root file /.ssh/authorized_keys. Insert the following text on a single line:
from="mainHost",no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-dss mainHostPublicKey
The variable mainHostPublicKey is the actual contents of the public key file on the Services Manager computer. This file was generated in procedure 1.1, Generate a DSA key pair, on page 53. The variable mainHost represents the IP address or full host name of the Services Manager computer.
NOTE
It is recommended that you enter the IP address rather than the host name.
3 Change permissions (to ensure that the remote Managed System host /.ssh/ directory and associated files are writable only by your account) by specifying the following commands:
chmod 755 /.ssh
chmod 644 /.ssh/authorized_keys
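The following POSIX shell script is an added example and is not part of the BMC manual. It generates the restricted authorized_keys line described in step 2 from a public key file (the from= source restriction plus the three no-*-forwarding options), and it audits an authorized_keys file for key lines that lack those restrictions, which is the check an administrator wants after editing root's authorized_keys by hand. The key material, host address and file contents are constructed for the example; the audit recognises ssh-dss and ssh-rsa keys only, the two key types this chapter uses.

```shell
#!/bin/sh
# Added example, not part of the BMC manual: build and audit restricted
# authorized_keys entries for the Services Manager public key.

# restricted_authorized_key MAINHOST PUBKEYFILE
# Prints an authorized_keys line that accepts the key only from MAINHOST and
# disables port, X11 and agent forwarding, as in the entry shown above.
restricted_authorized_key() {
    read -r ktype kdata _comment < "$2" || return 1
    printf 'from="%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding %s %s\n' \
        "$1" "$ktype" "$kdata"
}

# authorized_key_is_restricted LINE
# Returns 0 when LINE carries a from= option and all three no-*-forwarding
# options in front of an ssh-dss or ssh-rsa key, 1 otherwise.
authorized_key_is_restricted() {
    line=$1
    case $line in
        *"ssh-dss "*|*"ssh-rsa "*) ;;
        *) return 1 ;;
    esac
    opts=${line%% ssh-*}                 # option list before the key type
    case $opts in
        *'from="'*'"'*) ;;
        *) return 1 ;;
    esac
    for o in no-port-forwarding no-X11-forwarding no-agent-forwarding; do
        case ",$opts," in
            *",$o,"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# audit_authorized_keys FILE
# Prints every key line that is not restricted; the return code is the count,
# so 0 means every key in the file is restricted.
audit_authorized_keys() {
    count=0
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        if ! authorized_key_is_restricted "$line"; then
            echo "unrestricted: $line"
            count=$((count + 1))
        fi
    done < "$1"
    return "$count"
}

# Constructed sample data (placeholder key material, not real keys).
SAMPLE_DIR=$(mktemp -d)
printf 'ssh-dss AAAAB3NzaC1kc3MAAACBAP/CONSTRUCTED/SMOWNER/KEY== smOwner@spock\n' \
    > "$SAMPLE_DIR/ctsaian-spock-felix.pub"
{
    echo '# constructed root authorized_keys on the remote host'
    restricted_authorized_key 172.16.110.119 "$SAMPLE_DIR/ctsaian-spock-felix.pub"
    echo 'ssh-rsa AAAAB3NzaC1yc2EAAAA/CONSTRUCTED/STRAY/KEY== someone@elsewhere'
} > "$SAMPLE_DIR/authorized_keys"

# Stand-alone demonstration.
restricted_authorized_key 172.16.110.119 "$SAMPLE_DIR/ctsaian-spock-felix.pub"
audit_authorized_keys "$SAMPLE_DIR/authorized_keys" || echo "$? unrestricted key(s) found"
```

The audit treats a missing from= option the same as a missing forwarding restriction: either one lets the key be used from any host or for more than the command channel the Services Manager needs.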
4 Perform one of the procedures that follow.
To configure the remote Managed System host for OpenSSH
1 Open the file sshd_config (usually located in either /usr/local/etc or /etc/ssh).
2 Verify that the following parameters are set as specified:
PermitRootLogin without-password
Protocol 2
PubkeyAuthentication yes
LoginGraceTime 30 (recommended value)
StrictModes yes (recommended value)
IgnoreRhosts yes
PasswordAuthentication no
RhostsAuthentication no
AllowUsers rootLikeUser [root]
Subsystem sftp sftpServerPath
The variable sftpServerPath is the full path and file name of the sftp-server binary.
NOTE
It is recommended that you enter publickey if authentication is not used for any other method (hostbased or password).
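The following POSIX shell script is an added example and is not part of the BMC manual. It checks an OpenSSH sshd_config file against the parameter set required in the procedure above and, with two values changed, in the pre-configuration check of the automated procedure (page 41): it encodes the hardened values used here (PermitRootLogin without-password, PasswordAuthentication no), which are the two entries that differ between the two procedures. The two sample configurations embedded in the script are constructed for the example. The lookup takes the first occurrence of a keyword, as sshd itself does, ignores commented-out directives, and assumes the "Keyword value" form rather than "Keyword=value".

```shell
#!/bin/sh
# Added example, not part of the BMC manual: verify sshd_config settings.

# Required settings (hardened set from the manual procedure), "Keyword|value".
# Assumption: the file uses "Keyword value" lines; "Keyword=value" is not handled.
REQUIRED_SETTINGS='PermitRootLogin|without-password
Protocol|2
PubkeyAuthentication|yes
StrictModes|yes
IgnoreRhosts|yes
PasswordAuthentication|no
RhostsAuthentication|no'

# sshd_config_value FILE KEYWORD
# Prints the effective value: the first non-comment occurrence wins, as in
# sshd, and keywords are matched case-insensitively. Prints nothing if unset.
sshd_config_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# check_sshd_config FILE
# Prints one line per deviation from REQUIRED_SETTINGS; the return code is the
# number of deviations, so 0 means compliant.
check_sshd_config() {
    file=$1
    bad=0
    for entry in $REQUIRED_SETTINGS; do          # entries contain no spaces
        key=${entry%%|*}
        want=${entry#*|}
        got=$(sshd_config_value "$file" "$key")
        if [ "$got" != "$want" ]; then
            echo "$file: $key is '${got:-unset}', expected '$want'"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Constructed sample configurations (not taken from any real host).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/sshd_config.good" <<'EOF'
Protocol 2
PermitRootLogin without-password
PubkeyAuthentication yes
LoginGraceTime 30
StrictModes yes
IgnoreRhosts yes
PasswordAuthentication no
RhostsAuthentication no
AllowUsers rootLikeUser root
Subsystem sftp /usr/lib/openssh/sftp-server
EOF
cat > "$SAMPLE_DIR/sshd_config.weak" <<'EOF'
# A commented-out directive must not count as set.
#PermitRootLogin without-password
PermitRootLogin yes
Protocol 2
PubkeyAuthentication yes
StrictModes yes
IgnoreRhosts yes
PasswordAuthentication yes
EOF

# Stand-alone demonstration: report on both samples.
check_sshd_config "$SAMPLE_DIR/sshd_config.good" && echo "sshd_config.good: compliant"
check_sshd_config "$SAMPLE_DIR/sshd_config.weak" || echo "sshd_config.weak: $? deviation(s)"
```

Running the checker on the weak sample reports three deviations: PermitRootLogin yes, PasswordAuthentication yes, and RhostsAuthentication left unset. Run it against the real sshd_config after editing and again after the daemon restart, since a directive placed after an earlier occurrence of the same keyword is silently ignored.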
The variable sshPid is the ID of the sshd process. The ID can be retrieved from the file sshd.pid (usually located in /etc/ssh or /usr/local/etc), or can be obtained by specifying the following command:
ps -ef | grep sshd
NOTE
The administrator name PassPhraseADM is required for proper operation of the Services Manager. Under no circumstances should this name be changed.
To store the passphrase in the Administrator file
1 Stop the Services Manager.
Ensure that the Services Manager has completely stopped.
The variable passphrase is the passphrase you specified in step 3 on page 44. Be sure to enclose the passphrase in quotation marks.
Generate a single DSA public and private key pair. Complete the following procedures:
1.4 Retrieve the remote Managed System host Public Key on page 57
2 Remote Managed System host configuration on page 59
3 Verifying SSH communication on page 65
4 Updating the Administrator file on page 65
Generate a new DSA public and private key pair for each additional remote Managed System host with a separate passphrase. This is the recommended option. Complete the following procedures:
1.1 Generate a DSA key pair on page 53
1.2 Create an identification file on page 55
1.4 Retrieve the remote Managed System host Public Key on page 57
2 Remote Managed System host configuration on page 59
3 Verifying SSH communication on page 65
4 Updating the Administrator file on page 65
Generate a new DSA public and private key pair for each remote host; however, use the same passphrase for each generated key pair. Complete the following procedures:
1.1 Generate a DSA key pair on page 53 (use the same passphrase for each key pair)
1.2 Create an identification file on page 55
1.4 Retrieve the remote Managed System host Public Key on page 57
2 Remote Managed System host configuration on page 59
3 Verifying SSH communication on page 65
4 Updating the Administrator file on page 65
Chapter 4 Maintenance
This chapter describes procedures that can be used to maintain and configure BMC Provisioning Module. These operations should only be performed by the administrator responsible for operation and maintenance of BMC Provisioning Module. The following procedures are described:
Changing the Managed System administrator security level (page 67)
Managing Password Interceptor messages (page 69)
Three levels of security are available for Managed System administrators used by BMC Provisioning Module:
Low The Managed System administrator defined in Enterprise SecurityStation does not have to exist in the Managed System and does not require a password. When a transaction arrives from Enterprise SecurityStation, no check regarding the specified Managed System administrator is performed.
NOTE
The security level Low cannot be set for a remote MSCS.
Medium The Managed System administrator defined in Enterprise SecurityStation can be any existing user in the Managed System. When a transaction arrives from Enterprise SecurityStation, BMC Provisioning Module verifies the user name and password of the MSCS administrator.
High The Managed System administrator defined in Enterprise SecurityStation must be a root user (UID=0). When a transaction arrives from Enterprise SecurityStation, BMC Provisioning Module verifies the user name and password of the Managed System administrator and verifies that the administrator is a root user.
The default security level is specified as Medium during MSCS configuration. You can change the security level at any later time using the procedure below.
For levels Medium and High, it may be necessary to set up one or more accounts to serve as Managed System administrators. These accounts on the local or remote Managed System should be defined in Enterprise SecurityStation as the Managed System administrators for this Managed System.
To change the Managed System administrator security level
1 Stop the Services Manager by specifying the following command:
stop-sm.sh
2 Ensure that Services Manager has stopped and Interceptor processes are not running by specifying the following command:
show-sm.sh -c
5 Save the changes and exit from the Services Manager Administration Console.
6 Restart Services Manager by specifying the following command:
start-sm.sh
NOTE
If the PWI.conf file does not exist, or if either of the parameters specified below is not present in the file, Password Interceptor messages are managed according to the default values specified below.
To configure the PWI.conf file
1 Open or create the file /etc/SA-agent/PWI.conf.
2 Insert or modify one or more entries using the following syntax:
parameter=value
The parameters and values that can be specified are described below:
PWI_WRITE_SYSLOG
Whether to write Password Interceptor messages to the system logger. Possible values are Y and N. If set to N, the other parameters are ignored. Default: N
PWI_WRITE_PASSWD
Whether to write the intercepted encrypted password in the body of the PI message (only applicable if PWI_WRITE_SYSLOG is set to Y).
PWI_SYSLOG_LEVEL
Destination of Password Interceptor messages (only applicable if PWI_WRITE_SYSLOG is set to Y). The value assigned to this parameter indicates which of the priority parameters in /etc/syslog.conf should be used to determine where to write Password Interceptor messages. Possible values for the PWI_SYSLOG_LEVEL parameter are:
LOG_ERR: Messages are written to all the locations specified by parameters *.err, *.warn, *.notice, *.info and *.debug.
LOG_INFO: Messages are written to all the locations specified by parameters *.debug and *.info.
LOG_DEBUG: Messages are written to the location specified by parameter *.debug. Default.
NOTE
Any line in the file that starts with # is regarded as a remark and is ignored. The PWI.conf file should contain entries for both PWI_WRITE_SYSLOG and PWI_SYSLOG_LEVEL.
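How the Password Interceptor resolves these settings can be shown in a few lines. The Python below is an added example, not BMC's PWI code: it reads PWI.conf text with the syntax above (parameter=value, # lines ignored), applies the stated defaults (PWI_WRITE_SYSLOG=N, PWI_SYSLOG_LEVEL=LOG_DEBUG), honours the rule that PWI_WRITE_SYSLOG=N disables the other parameters, and maps the level to the syslog priority the logger would use. Two things are assumptions: the default N for PWI_WRITE_PASSWD, whose default the guide does not state, and falling back to LOG_DEBUG for an unrecognised level value.

```python
"""Resolve Password Interceptor logging settings from /etc/SA-agent/PWI.conf text."""
import syslog

# Defaults stated in the parameter descriptions; PWI_WRITE_PASSWD=N is assumed.
DEFAULTS = {
    "PWI_WRITE_SYSLOG": "N",
    "PWI_WRITE_PASSWD": "N",
    "PWI_SYSLOG_LEVEL": "LOG_DEBUG",
}

# PWI_SYSLOG_LEVEL value -> syslog priority handed to syslog(3).
LEVELS = {
    "LOG_ERR": syslog.LOG_ERR,
    "LOG_INFO": syslog.LOG_INFO,
    "LOG_DEBUG": syslog.LOG_DEBUG,
}


def parse_pwi_conf(text):
    """Return the parameter=value pairs; lines starting with # are remarks."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip()] = value.strip()
    return values


def resolve_pwi_settings(text):
    """Return (write_syslog, write_passwd, syslog_priority).

    Missing parameters (or an empty/absent file) take the defaults.  When
    PWI_WRITE_SYSLOG is N nothing is logged, so the other two are reported as
    off, matching the "other parameters are ignored" rule above.
    """
    conf = dict(DEFAULTS)
    conf.update(parse_pwi_conf(text))
    if conf["PWI_WRITE_SYSLOG"].upper() != "Y":
        return (False, False, None)
    write_passwd = conf["PWI_WRITE_PASSWD"].upper() == "Y"
    # Unknown level values fall back to the documented default (assumption).
    priority = LEVELS.get(conf["PWI_SYSLOG_LEVEL"].upper(), LEVELS["LOG_DEBUG"])
    return (True, write_passwd, priority)


# Constructed sample file contents.
SAMPLE_CONF = """\
# Password Interceptor settings (constructed sample)
PWI_WRITE_SYSLOG=Y
PWI_SYSLOG_LEVEL=LOG_INFO
"""

if __name__ == "__main__":
    print(resolve_pwi_settings(SAMPLE_CONF))   # (True, False, syslog.LOG_INFO)
    print(resolve_pwi_settings(""))            # (False, False, None)
```

Leaving PWI_WRITE_PASSWD at N keeps the intercepted password hash out of syslog, where it would otherwise be readable by anyone with access to the log files or the log server.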
Chapter 5 Provisioning Module implementation for Linux
The Provisioning Module provides the means by which Enterprise SecurityStation, the Services Manager and the Linux Managed System can understand one another. The Provisioning Module for Linux is provided with two interfaces:
One interface is designed to interact with Linux according to its specific characteristics and capabilities.
The second interface is identical for all implementations of the Provisioning Module. This interface is designed to interact with the Services Manager, providing a uniform method for the Services Manager to interact with all Managed Systems.
The Provisioning Module enables translation of Enterprise SecurityStation commands to the Linux command set. Managed System events occurring in Linux can be converted to terms that are understood by the Services Manager and transmitted to Enterprise SecurityStation. Most Services Manager - Provisioning Module operations are implemented using functions that update the Linux security database. (The Linux security database is referred to in this chapter as the Linux Managed System.) This chapter describes the Provisioning Module functions, the manner in which they affect the Linux Managed System and any special Managed System keyword handling considerations.
NOTE
This chapter refers to a Managed System which manages the Services Manager computer as the Local Managed System and a Managed System which manages the remote Managed System host as the Remote Managed System.
Accounts
Account passwords
Groups
Account-Group connections
Resources (files) (only supported for a local Managed System)
ACLs (access control lists) (only supported for a local Managed System)
Managed System global parameters
The Provisioning Module is also designed to intercept Managed System-related events that occur in Linux but do not originate in Enterprise SecurityStation. These interceptions occur for the following events:
Changes in account definitions (add, delete and modify)
Password changes (only supported for a local Managed System)
Changes in groups (add, delete and modify)
Changes in account to group connections (add and delete)
Changes in global Managed System definitions
All retrieval operations for accounts, groups, and connections are performed in the Managed System using Linux security system calls and the Linux CLI (Command Line Interface). All updates on a local Managed System are performed using the following steps:
1. Open the user, group or shadow file in read mode, with standard I/O system calls.
2. Create and open a temporary file.
3. Use standard I/O calls to copy the system file to the temporary file.
4. Make the changes (add, modify or delete) on the relevant record in the temporary file.
5. Close and save the temporary file.
6. Copy the system file to a backup.
7. Rename the temporary file to the system file name.
NOTE
On a remote Managed System, these updates are performed using the remote host CLI.
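The seven update steps above are the standard copy-edit-rename pattern that keeps /etc/passwd, /etc/group and /etc/shadow consistent even if the process dies half way: readers only ever see the old file or the complete new one. The Python below is an added example of that pattern, not the Provisioning Module's code. It replaces one colon-separated record by name, keeps the system file's mode on the copy, names the backup by appending "-" (an assumption; the guide does not say how the backup is named), and demonstrates itself on a constructed passwd file in a private temporary directory.

```python
"""Replace one record in a passwd/group/shadow-style file with a temporary copy,
a backup and an atomic rename (the seven steps described above)."""
import os
import shutil
import tempfile


def update_record(path, name, new_fields):
    """Replace the record whose first field is `name` with new_fields.

    Returns True when the record was replaced, False when no record with that
    name exists (the system file is then left untouched).
    """
    directory = os.path.dirname(path) or "."
    # Step 2: the temporary file lives in the same directory as the system
    # file, otherwise the rename in step 7 would not be a single atomic operation.
    fd, tmp_path = tempfile.mkstemp(prefix=".tmp-", dir=directory)
    found = False
    try:
        # Steps 1 and 3: read the system file and copy it record by record;
        # step 4: substitute the requested record on the way through.
        with os.fdopen(fd, "w") as tmp, open(path, "r") as src:
            for line in src:
                fields = line.rstrip("\n").split(":")
                if fields[0] == name:
                    line = ":".join(new_fields) + "\n"
                    found = True
                tmp.write(line)
            # Step 5: make sure the copy is on disk before it is closed.
            tmp.flush()
            os.fsync(tmp.fileno())
        if not found:
            os.unlink(tmp_path)
            return False
        # mkstemp() creates the copy with mode 0600; give it the system file's
        # mode so /etc/passwd stays world-readable and /etc/shadow does not.
        os.chmod(tmp_path, os.stat(path).st_mode & 0o7777)
        # Step 6: copy the system file to a backup (name is an assumption).
        shutil.copy2(path, path + "-")
        # Step 7: rename the temporary file to the system file name.
        os.rename(tmp_path, path)
        return True
    except Exception:
        if os.path.exists(tmp_path):
            os.unlink(tmp_path)
        raise


def run_sample_update():
    """Constructed passwd copy: change alice's shell, then try a missing user."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "passwd")
        with open(path, "w") as f:
            f.write("root:x:0:0:root:/root:/bin/bash\n"
                    "alice:x:1001:1001:Alice:/home/alice:/bin/sh\n")
        changed = update_record(
            path, "alice",
            ["alice", "x", "1001", "1001", "Alice", "/home/alice", "/bin/bash"])
        missing = update_record(
            path, "bob", ["bob", "x", "1002", "1002", "", "/home/bob", "/bin/sh"])
        with open(path) as f:
            lines = f.read().splitlines()
        with open(path + "-") as f:
            backup = f.read().splitlines()
        return changed, missing, lines, backup


if __name__ == "__main__":
    print(run_sample_update())
```

A real implementation would additionally take the lock that vipw/vigr and the shadow-utils commands use, so that a concurrent useradd does not lose the update; the copy-and-rename itself is what keeps the file readable at every instant.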
Access to resources and permanent ACEs is done directly on the Linux file system using system calls scandir() and stat() for retrieval and chown(), chgrp(), chmod(), mkdir() and mkfile() for updates. In Linux, extended ACLs are supported. These ACLs are accessed via special system calls.
Table 6 Provisioning Module functions by function group: Account, Group, Account-Group Connection, Resource, Resource ACL, Managed System (CTSSetRSSParams, CTSGetRSSParams)
Account functions
This section describes the following:
Account data translation tables.
Considerations and limitations for Account Provisioning Module calls.
Account Provisioning Module functions.
Table 8 Account fields: UID, DESCRIPTION, SHELL, HOME, CREATE_HOME_DIR, DELETE_HOME_DIR, PWD_LASTCHG, PWD_WARN, INACTIVE, PWD_ABS_EXPIRE, MATURITY, EXPIRATION, LAST_LOGIN
Default Group
The group specified as the default group must already be defined in the Managed System.
Password Life
If the user's password is designated as temporary, the user can log in with the current password, but must change it immediately.
Privileges
In Linux, administrative privileges are determined by the UID. Users with UID equal to 0 are privileged.
Old Default User Group action
When the value of this field is KEEP, after the change in the user's default group, the Provisioning Module creates a connection between the user and the user's old default group, effectively making the user a member of at least two groups: the new default group and the old default group. When the value of the field is DROP, the Provisioning Module removes the connection between the user and the user's old default group, if it existed in the /etc/group file.
UID
In Linux, the UID is defined as a long integer whose expanded range is 0-4294967295.
Last Login
The field LAST_LOGIN is ignored by the Offline Interceptor and by the Global Sync operation.
Rename To
In Linux, it is the new name, which can be specified while modifying the account details.
This keyword is provided to rename the home directory when a new name is specified while updating the account details.
CTSAddUser
Description
CTSAddUser creates a user in the Linux Managed System using the following steps:
1. Add a new record to the /etc/passwd file.
2. Add a new record to the /etc/shadow file, in case a shadow file exists.
Optionally, a home directory may be created for the user.
NOTE
In case the default group for the user is not specified, a default group with the same name as the user is created. Therefore, in this case the /etc/group file is also modified.
Considerations
If the CREATE_HOME_DIR parameter is specified as Y, the home directory is created for the user. The home directory's owner and group are set to the user's UID and GID.
If the user already exists in the Managed System, an error is returned.
If the UID specified for the user is already assigned to an existing user: a warning message is issued; if the flag ALLOW_DUP_UID is set to N in the MSCSPARM file, the user is not created and an error is returned.
Field HOME must be specified as a full pathname (that is, starting with a /).
If the CREATE_HOME_DIR flag is set to Y, before the directory specified in HOME is created, the directory is validated as follows: if the directory is an existing file, an error is returned; if the directory already exists, a warning message is issued; if the MSCS parameter CHECK_PARENT_DIR is set to Y, the parent directory must exist, and if it does not exist, an error is returned.
When the directory is successfully created, its ownership is changed to the user's UID and GID. If this operation fails, the directory is removed; however, the user is created regardless.
If the UID field is left empty, BMC Provisioning Services Manager attempts to calculate the next free UID that is outside the reserved range (0-10).
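The CTSAddUser considerations form a small decision procedure: existence check, UID allocation or duplicate handling under ALLOW_DUP_UID, and HOME validation under CREATE_HOME_DIR and CHECK_PARENT_DIR. The Python below is an added example that encodes those rules exactly as stated (it is not BMC's implementation); the MSCSPARM flags are passed in as booleans, and the existing users are an in-memory name-to-UID map so the sample runs without touching the real passwd database.

```python
"""Pre-creation checks and UID allocation as described for CTSAddUser."""
import os

RESERVED_UIDS = range(0, 11)   # the reserved range 0-10 named above


class AddUserError(Exception):
    """Raised for the cases where the function returns an error."""


def next_free_uid(existing_uids):
    """Smallest UID that is not in use and lies outside the reserved range."""
    used = set(existing_uids)
    uid = RESERVED_UIDS.stop
    while uid in used:
        uid += 1
    return uid


def validate_home(home, create_home_dir, check_parent_dir, warnings):
    """Apply the HOME rules; warnings are appended, errors are raised."""
    if not home.startswith("/"):
        raise AddUserError("HOME must be a full pathname starting with /")
    if not create_home_dir:
        return                      # no validation when the directory is not created
    if os.path.isfile(home):
        raise AddUserError(f"{home} exists and is a file")
    if os.path.isdir(home):
        warnings.append(f"{home} already exists")
    elif check_parent_dir and not os.path.isdir(os.path.dirname(home)):
        raise AddUserError(f"parent directory of {home} does not exist")


def plan_add_user(name, uid, home, users, create_home_dir=True,
                  allow_dup_uid=False, check_parent_dir=True):
    """Return (uid_to_use, warnings) or raise AddUserError.

    `users` maps existing user names to UIDs (for a live system build it from
    pwd.getpwall()).  An empty uid means "allocate the next free one".
    """
    warnings = []
    if name in users:
        raise AddUserError(f"user {name} already exists")
    if uid in (None, ""):
        uid = next_free_uid(users.values())
    elif uid in users.values():
        warnings.append(f"UID {uid} is already assigned to another user")
        if not allow_dup_uid:
            raise AddUserError(f"UID {uid} is in use and ALLOW_DUP_UID=N")
    validate_home(home, create_home_dir, check_parent_dir, warnings)
    return uid, warnings


# Constructed sample of existing accounts.
SAMPLE_USERS = {"root": 0, "daemon": 1, "bin": 2, "alice": 1001}

if __name__ == "__main__":
    print(plan_add_user("bob", "", "/srv/nothere-xyz/bob", SAMPLE_USERS,
                        check_parent_dir=False))     # (11, [])
```

Note that next_free_uid() starts at 11 because UIDs 0-10 are reserved even when unused, and that a duplicate UID is only a warning when ALLOW_DUP_UID is Y: two accounts sharing a UID are indistinguishable to the kernel, so leaving the flag at N is the safer setting.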
CTSUpdUser
Description
CTSUpdUser updates the user's details in the Linux Managed System as follows:
1. Update the user's record in the /etc/passwd file.
2. Update the user's record in the /etc/shadow file, in case a shadow file exists.
Considerations
When a new HOME is specified, this directory is not created. In addition, no validation is performed on the directory or on its parent directory.
If a newly specified UID is already assigned to a different user: a warning message is issued; if the flag ALLOW_DUP_UID is set to N in the MSCSPARM file, the user is not updated and an error is returned.
If the user's default group is modified, see Old Default User Group action on page 75.
The password is not affected when the user is revoked or restored.
CTSRevokeUser
Description
CTSRevokeUser disables the login capabilities of the user's account by setting the encrypted password in the Linux Managed System to the character !. When restoring the user, the ! suffixes the user's original password. In case there is no shadow file, the user account is disabled by setting the encrypted password in the /etc/passwd file to *. This is performed using the same steps described for CTSUpdUser.
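The revoke and restore operations can be shown on the record itself. The Python below is an added example, not the Provisioning Module's code: it assumes the "!" is placed in front of the original hash when the account is revoked (the standard Linux locked-password marker, which is what lets restore recover the original password unchanged), and that without a shadow file the passwd password field is overwritten with "*", after which the original hash is gone. The shadow and passwd lines are constructed samples; writing the modified record back would use the copy-and-rename steps described for CTSUpdUser.

```python
"""Revoke and restore an account on passwd/shadow records, as CTSRevokeUser does."""


def _split(line):
    return line.rstrip("\n").split(":")


def revoke_shadow_record(line):
    """Lock the account: prefix the encrypted password with '!' (idempotent)."""
    fields = _split(line)
    if not fields[1].startswith("!"):
        fields[1] = "!" + fields[1]
    return ":".join(fields)


def restore_shadow_record(line):
    """Undo revoke_shadow_record(); the original hash was kept behind the '!'."""
    fields = _split(line)
    if fields[1].startswith("!"):
        fields[1] = fields[1][1:]
    return ":".join(fields)


def revoke_passwd_record(line):
    """No shadow file: disable the account by putting '*' in the password field.

    '*' is not a valid crypt(3) output, so no password can match it; unlike
    the shadow case the original hash is not preserved.
    """
    fields = _split(line)
    fields[1] = "*"
    return ":".join(fields)


def is_revoked(shadow_line):
    """True when the shadow record carries the lock marker."""
    return _split(shadow_line)[1].startswith("!")


# Constructed sample records (the hash is not a real password hash).
SHADOW_LINE = "alice:$6$saltsalt$constructedhash:17000:0:99999:7:::"
PASSWD_LINE = "alice:x:1001:1001:Alice:/home/alice:/bin/sh"

if __name__ == "__main__":
    locked = revoke_shadow_record(SHADOW_LINE)
    print(locked)
    print(restore_shadow_record(locked) == SHADOW_LINE)   # True
    print(revoke_passwd_record(PASSWD_LINE))
```

Because the lock only changes the password field, it does not block logins that bypass password checking (SSH public keys, for example); that is why the CTSUpdUser considerations note that the password is unaffected, and why a complete deprovisioning also removes or expires those other credentials.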
CTSUpdPassword
Description
CTSUpdPassword changes the user's password and sets the password lifetime according to parameter PASSWORD_LIFE. The password information is modified in the Linux Managed System by updating the /etc/shadow file, in case a shadow file exists.
CTSDelUser
Description
CTSDelUser deletes a user's information in the Linux Managed System. This is performed as follows:
1. All the user's connections to groups are removed from the /etc/group file.
2. The user's record is removed from the /etc/shadow file, in case a shadow file exists.
3. The user's record is removed from the /etc/passwd file.
CTSGetUsers
Description
CTSGetUsers retrieves user details from the Linux Managed System, using system call getpwent() to get the details of all users (from the /etc/passwd file). In case a shadow file exists, system call getspnam() is used to retrieve each user's additional security attributes (from the /etc/shadow file).
Considerations
The users are returned in alphabetical order, sorted by user name. The Linux system calls return the users in no particular order.
If the shell is not defined for the user, the string <NO SHELL> is returned as the value. If the home is not defined for the user, the string <NO HOME> is returned as the value.
Wildcard retrieval is supported. When the mode is set to GET_WILD_USERS, details for user names starting with the specified prefix are retrieved.
User passwords are not retrieved since Enterprise SecurityStation does not store user passwords in its database.
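The retrieval rules above (unordered getpwent() results sorted by name, <NO SHELL> and <NO HOME> substitutions, prefix filtering for GET_WILD_USERS, no password field) are shown in the Python below. It is an added example, not BMC's code; pwd.getpwall() is Python's wrapper around getpwent(), and the shadow attributes are left out because getspnam() needs root. The records in SAMPLE are constructed so the example runs against any user database.

```python
"""Retrieve user details the way CTSGetUsers describes."""
import pwd
from collections import namedtuple

# Same attribute names as pwd.struct_passwd, so real and constructed records
# are handled alike.
PasswdEntry = namedtuple(
    "PasswdEntry", "pw_name pw_passwd pw_uid pw_gid pw_gecos pw_dir pw_shell")


def get_users(entries=None, prefix=None):
    """Return a name-sorted list of user dicts.

    entries defaults to the live passwd database (getpwent() order, which is
    unspecified); prefix implements the GET_WILD_USERS mode.
    """
    if entries is None:
        entries = pwd.getpwall()
    result = []
    for e in entries:
        if prefix is not None and not e.pw_name.startswith(prefix):
            continue
        result.append({
            "NAME": e.pw_name,
            "UID": e.pw_uid,
            "GID": e.pw_gid,
            "DESCRIPTION": e.pw_gecos,
            "HOME": e.pw_dir or "<NO HOME>",
            "SHELL": e.pw_shell or "<NO SHELL>",
            # pw_passwd is deliberately not returned: Enterprise SecurityStation
            # does not store user passwords.
        })
    result.sort(key=lambda u: u["NAME"])
    return result


# Constructed records in the arbitrary order getpwent() might return them.
SAMPLE = [
    PasswdEntry("zoe", "x", 1002, 100, "Zoe", "/home/zoe", "/bin/bash"),
    PasswdEntry("app-batch", "x", 2001, 2001, "batch job", "", ""),
    PasswdEntry("alice", "x", 1001, 100, "Alice", "/home/alice", "/bin/sh"),
    PasswdEntry("app-web", "x", 2002, 2002, "web service", "/srv/web", "/sbin/nologin"),
]

if __name__ == "__main__":
    for user in get_users(SAMPLE, prefix="app-"):
        print(user)
```

Running get_users() with no arguments lists the real accounts of the host; comparing that output with what Enterprise SecurityStation holds is the kind of check the Global Sync operation performs.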
Group functions
This section describes the following:
Group data translation tables.
Considerations and limitations for Group Provisioning Module calls.
Group Provisioning Module functions.
Table 10 Group fields: GID
General
All updates to the group information in the Linux Managed System are done with standard file I/O system calls. All group information retrieval is done by Linux system calls.
Parent Group
GID
In Linux, the GID is defined as a long integer whose expanded range is 0-4294967295.
CTSAddUG
Description
CTSAddUG creates a user group in the Managed System by adding a new record to the /etc/group file.
Considerations
If the group already exists in the Managed System, an error is returned.
If the GID specified for the group is already assigned to an existing group: a warning message is issued; if the flag ALLOW_DUP_GID is set to N in the MSCSPARM file, the group is not created and an error is returned.
No users are connected to the group when it is created.
If the GID field is blank, Services Manager attempts to calculate the next free GID that is outside the reserved range (0-20).
CTSUpdUG
Description
CTSUpdUG updates the group details by updating the group record in the /etc/group file.
Considerations
If the GID specified for the group is already assigned to an existing group: A warning message is issued. If the flag ALLOW_DUP_GID is set to N in the MSCSPARM file, the group is not created and an error is returned.
CTSDelUG
Description
CTSDelUG deletes the group from the Managed System by the following steps:
1. Get the list of group members. If the group has members, an error is returned and the group is not deleted.
2. Delete the group's record from the /etc/group file.
CTSGetUGs
Description
CTSGetUGs retrieves group details from the Managed System by first using system call getgrent() to get all the groups.
Considerations
The groups are returned in alphabetical order, sorted by group name. Wildcard retrieval is not supported.
Considerations and limitations for Account-Group connection Provisioning Module calls.
Account-Group connection Provisioning Module functions.
CTSAddUserToUG
Description
CTSAddUserToUG adds the user to the group member list. This is performed using the following steps:
1. Verify that the user exists in the Managed System.
2. Get the group's record from /etc/group using the system call getgrnam().
3. If the user is already in the member list, return an error.
4. Add the user to the member list.
5. Write the updated record to the /etc/group file.
CTSUpdUserToUG
Description
This function is not implemented in the Provisioning Module for Linux, since there are no attributes for this connection.
CTSDelUserFromUG
Description
CTSDelUserFromUG deletes the user from the group member list. This is performed using the following steps:
1. Get the group's record from /etc/group using system call getgrnam().
2. If the user is not in the member list, return an error.
3. Delete the user from the member list.
4. Write the updated record to the /etc/group file.
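The member-list edits performed by CTSAddUserToUG and CTSDelUserFromUG can be shown on the /etc/group record itself. The Python below is an added example, not BMC's code: it parses a group record of the form name:password:gid:member1,member2, applies the existence and membership checks listed in the two procedures, and returns the updated record. The group line and the set of existing users are constructed; on a live system the record would come from grp.getgrnam() and the existing users from the passwd database, and the write-back would use the copy-and-rename update steps described earlier in this chapter.

```python
"""Add and remove members of an /etc/group record (CTSAddUserToUG / CTSDelUserFromUG)."""


class GroupError(Exception):
    """Raised in the cases where the functions return an error."""


def parse_group_record(line):
    """Split 'name:password:gid:m1,m2' into its parts; members as a list."""
    name, password, gid, members = line.rstrip("\n").split(":", 3)
    return name, password, int(gid), [m for m in members.split(",") if m]


def format_group_record(name, password, gid, members):
    return f"{name}:{password}:{gid}:{','.join(members)}"


def add_user_to_group(line, user, existing_users):
    """Steps 1-4 of CTSAddUserToUG; step 5 (writing the file) is left to the caller."""
    if user not in existing_users:                      # step 1
        raise GroupError(f"user {user} does not exist")
    name, password, gid, members = parse_group_record(line)   # step 2
    if user in members:                                 # step 3
        raise GroupError(f"{user} is already a member of {name}")
    members.append(user)                                # step 4
    return format_group_record(name, password, gid, members)


def del_user_from_group(line, user):
    """Steps 1-3 of CTSDelUserFromUG."""
    name, password, gid, members = parse_group_record(line)
    if user not in members:
        raise GroupError(f"{user} is not a member of {name}")
    members.remove(user)
    return format_group_record(name, password, gid, members)


# Constructed sample: a record from /etc/group and the users known to the host.
GROUP_LINE = "wheel:x:10:root,alice"
KNOWN_USERS = {"root", "alice", "bob"}

if __name__ == "__main__":
    with_bob = add_user_to_group(GROUP_LINE, "bob", KNOWN_USERS)
    print(with_bob)                                  # wheel:x:10:root,alice,bob
    print(del_user_from_group(with_bob, "alice"))    # wheel:x:10:root,bob
```

The existence check in step 1 matters for audit quality as well as correctness: /etc/group accepts any string as a member name, and CTSGetConns (below) silently drops connections to non-existent users, so a typo would otherwise create a membership that neither the host nor Enterprise SecurityStation ever reports.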
CTSGetConns
Description
CTSGetConns obtains user to group connection details by invoking various system calls:
System call getgrnam() is used to retrieve all connections of one group.
System call getpwnam() is used to retrieve one user's default group.
System call getgrent() is used to retrieve all the groups.
System call getpwent() is used to retrieve all the users.
Depending on the specific mode, connections can be retrieved for some groups, some users, all groups, all users and specific pairs of users and groups. This is done by using various combinations of these system calls.
Considerations
The list is sorted by users and then by user groups. Connections between groups and non-existing users are not retrieved. Similarly, connections between users and non-existing groups are not retrieved.
Resource functions
This section describes the following:
Resource data translation tables.
Considerations for Resource Provisioning Module calls.
Resource Provisioning Module functions.
NOTE
Resource functions are only supported for a local Managed System.
Table 13 Resource fields
General
Resources are not part of the Linux Managed System; rather, they are part of the Linux file system. However, some resource information (owner and group) is retrieved from the Managed System.
Resource Name
Full pathname for the resource is required. Environment variable substitution and user name substitution (~user) are not available.
Resource Type
All resources that are not directories are regarded as files, including sockets, named pipes, etc. All file names are unique, regardless of their type.
RES_TYPE
All resource information is retrieved using system call stat(). The resource type is determined from the field st_mode in the stat structure returned by the stat() call. The following values are returned:
FILE for files
DIR for directories
In addition, the shell command file is invoked to get additional details about the file from its magic number. For more details, see the documentation for the file command and the contents of the file /etc/magic.
Owner and Group
The UID and GID as retrieved by system call stat() are translated to user name and group name, respectively. If the UID or GID does not belong to any user/group, a dummy value (# # UID or # # GID) is returned. If a resource is NFS-mounted (that is, the resource resides on the file system of a remote host), the translation of UID and GID to owner and group, respectively, may be incorrect since the translation is provided by the local Managed System and not by the Managed System of the remote host.
RES_ACCESSED and RES_CREATED
These fields are displayed in the format YYYYMMDDhhmmss where YYYY is the year, MM is the month (01-12), DD is the day (01-31), hh is the hour (00-23), mm is the minutes (00-59) and ss is the seconds (00-59).
In Linux, the RES_CREATED is derived from the field st_ctime in the stat structure. This field is defined as file last status change time, which is set when the file status information is changed (for example, when the owner is changed). Therefore, the creation date can be later than the access date.
Description
Considerations
The parameters required to create a new resource on the Linux file system are:
Resource name (absolute full path)
Resource type (file or directory)
Owner
Group
To create a file, the open() system call is used; to create a directory, the mkdir() system call is used. The owner and group are set by using the chown() and chgrp() system calls, respectively.
CTSDelRes
Description
Considerations
The parameters required to delete a resource from the Linux file system are:
Resource name (absolute full path)
Resource type (file or directory)
To delete a file, the unlink() system call is used. To delete a directory, the rmdir() system call is used. Reserved system directories (for example, /, /etc, /usr) are not deleted by this function.
CTSUpdRes
Description
Considerations
The only parameters that can be updated are the resource owner (a user name) and the resource group (a group name). Since owner and group information is kept in UID and GID format respectively, a translation must be performed between these two representations. Therefore, if the specified user or group does not exist on the system, an error message is issued and the operation is not performed.
CTSGetRes
Description
Get resource information from the Linux Managed System and file system.
System call stat() is used to retrieve the resource information. The Managed System translates resource UID and GID to user name and group name, respectively.
Considerations
When the specified resource is a directory, the directory information is retrieved. In addition, all files and sub-directories contained in the directory are retrieved and their information is returned. There is no further recursion beyond that level (that is the contents of the sub-directories are not retrieved).
Resource ACL functions
This section describes the following:
Resource ACL data translation tables.
Considerations for Resource ACL Provisioning Module calls.
Resource ACL Provisioning Module functions.
NOTE
Resource ACL functions are only supported for a local Managed System.
Table 15 Linux-specific Resource ACL fields (Linux parameter): Read permission, Write permission, Execute permission, ACE is a default (Linux only)
General
In the Linux file system, each resource always has at least three ACEs: for owner, group and world. These ACEs are permanent; they cannot be deleted and their user and group cannot be changed.
ACE Type
For the three permanent ACEs, the user ACE has the type USER, the group ACE has the type GROUP and the world ACE has the type WORLD.
ACE Attribute
For the three permanent ACEs, the attribute is PERMANENT. The MASK ACE is also PERMANENT. The attribute of all other ACEs is REGULAR.
Description
This function is currently not implemented in Linux since extended ACEs are not supported.
CTSDelACE
Description
This function is currently not implemented in Linux since extended ACEs are not supported.
CTSUpdACE
Description
The function locates the ACE specified by parameter old ACE in the resource ACL. If the old ACE is found, the ACE details are updated with information from parameter new ACE. The function uses the system call chmod() to update one of the three permanent ACEs.
Considerations
The old ACE must match an existing ACE in all details; that is, entity (user or group) and permissions. The only details that can be modified are the access permissions (read, write and execute). To change owner or group, function CTSUpdRes should be used.
If the user or group is specified as # # UID or # # GID, the function uses the UID or GID directly. Otherwise, the user or group name is translated to UID/GID via the Linux Managed System. This enables modification of ACEs that refer to UIDs and GIDs that are not defined in the Managed System.
CTSGetResACL
Description
Gets resource ACL information from the Linux Managed System and file system.
If system call acl() exists, it is used to retrieve the resource's ACL. If it does not exist or fails, stat() is used to retrieve the resource information. The Linux Managed System is used to translate the resource UID and GID to user name and group name, respectively.
Considerations
When the specified resource is a directory, its information is retrieved, but there is no recursion (that is, files contained in the directory are not retrieved).
For each ACE, the three permissions are retrieved. For example, if the resource owner is JohnDoe and his permissions are read and execute, the ACE contains:
USER = JohnDoe
GROUP = <empty>
ACE Type = USER
ACE Attribute = PERMANENT
The ACE also contains the following information:
READ_ACCESS = Y
WRITE_ACCESS = N
EXEC_ACCESS = Y
ACE_DEFAULT = N
Managed System functions
This section describes the following:
Managed System data translation tables.
Considerations for Managed System Provisioning Module calls.
Managed System Provisioning Module functions.
Table 17 Managed System fields
Some global parameters are mapped to keywords in the /etc/login.defs file. There are no system calls to access this file, so standard I/O system calls are used. Other global parameters are mapped to values set and retrieved by the useradd command.
CTSGetRSSParams
Description
Retrieves global Managed System parameters from the Linux Managed System.
Some values are retrieved from the files /etc/default/passwd and /etc/login.defs. Empty values are returned if the file cannot be accessed or if the required keyword is missing. Other values are retrieved from the useradd command by invoking the command with the -D parameter.
CTSSetRSSParams
Description
Some values are updated in the files /etc/default/passwd and /etc/login.defs. Other values are modified by invoking the useradd command with the -D parameter and the corresponding arguments.
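The two retrieval sources used by CTSGetRSSParams, keyword lines in /etc/login.defs read with plain file I/O and the KEY=VALUE lines printed by useradd -D, are parsed in the Python below. It is an added example, not BMC's code. The login.defs keywords it looks for (PASS_MAX_DAYS, PASS_MIN_DAYS, PASS_WARN_AGE, UID_MIN, UID_MAX) are the standard shadow-utils ones and are an assumption about which keywords the product maps; a missing keyword yields an empty value, as the description states. Both sample texts are constructed so the example runs on a host without useradd.

```python
"""Read global Managed System parameters from login.defs and `useradd -D`."""
import shutil
import subprocess

# Keywords assumed to be mapped to Managed System global parameters.
LOGIN_DEFS_KEYS = ("PASS_MAX_DAYS", "PASS_MIN_DAYS", "PASS_WARN_AGE",
                   "UID_MIN", "UID_MAX")


def parse_login_defs(text, keys=LOGIN_DEFS_KEYS):
    """Return {keyword: value}; keywords absent from the file map to ''."""
    found = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)        # "KEYWORD   value"
        if len(parts) == 2 and parts[0] in keys:
            found.setdefault(parts[0], parts[1].strip())
    return {k: found.get(k, "") for k in keys}


def read_login_defs(path="/etc/login.defs"):
    """File I/O only, since there is no system call for this file; unreadable
    or missing file yields empty values."""
    try:
        with open(path) as f:
            return parse_login_defs(f.read())
    except OSError:
        return parse_login_defs("")


def parse_useradd_defaults(text):
    """Parse the KEY=VALUE lines that `useradd -D` prints."""
    defaults = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep:
            defaults[key] = value
    return defaults


def read_useradd_defaults():
    """Run `useradd -D` when it is installed; otherwise return an empty dict."""
    if shutil.which("useradd") is None:
        return {}
    proc = subprocess.run(["useradd", "-D"], capture_output=True,
                          text=True, check=False)
    return parse_useradd_defaults(proc.stdout)


# Constructed samples of the two sources.
SAMPLE_LOGIN_DEFS = """\
# constructed sample of /etc/login.defs
PASS_MAX_DAYS   90
PASS_MIN_DAYS   1
PASS_WARN_AGE   7
UID_MIN         1000
"""

SAMPLE_USERADD_D = """\
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
CREATE_MAIL_SPOOL=no
"""

if __name__ == "__main__":
    print(parse_login_defs(SAMPLE_LOGIN_DEFS))
    print(parse_useradd_defaults(SAMPLE_USERADD_D))
```

The password-ageing keywords read here (PASS_MAX_DAYS and friends) only apply to accounts created after they are set; existing accounts keep the ageing values already recorded in /etc/shadow, which is why CTSUpdPassword sets the lifetime per account from PASSWORD_LIFE.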
Appendix A
Table 18 Column titles used in the field tables
Field
Name of the field. Names of subfields are indented in this column.
L
Whether or not the field accepts a list of values. A list consists of values separated by commas. Possible values in this column are:
L identifies a list field.
S identifies a subfield of a list field (names of subfields are indented in the Field column).
T
Type of input accepted in the field. Possible values in this column are:
C Character. All input is treated as characters even if all are digits.
F Flag. Input must be Y or N.
N Integer. Input must be numeric.
T Time. Input must be in the time format specified in the column Restrictions.
D Date/Time. Input must be in the format specified in the column Restrictions. This format generally requires that the value be specified as a string consisting of the date or date/time.
S Selection from a list of predefined values.
Len
Maximum number of characters in a character field. This field length only applies if the type (column T) is C. (Field length limitations for other data types are determined by information in columns L and Restrictions.)
Restrictions
Validation restrictions such as numeric ranges or a list of possible values. Underlined values (if any) are the default values.
The column titles for each type of entity differ slightly. Table 19 describes the meaning of the single-letter column titles used to indicate the type of function for which each Managed System-specific field is relevant. An X or M appearing in a column for a given field indicates that the field is relevant to that function.
Table 19 Function-type column titles
Account functions and Group functions: A U G D
Account-Group Connection functions: C U G D
Resource functions: A U G D
ACL/ACE functions: C U G D
Managed System Parameter functions: S G
Account functions
Table 20 Account fields: CREATE_HOME_DIR, DELETE_HOME_DIR, DESCRIPTION, EXPIRATION (D, DDMMYYYY), HOME (C, 256), INACTIVE (N, 10), MATURITY, PWD_ABS_EXPIRE, PWD_LASTCHG, PWD_WARN (N, 10), SHELL, UID (N, 10), LAST_LOGIN (C, 20)
Group functions
Table 21 Group fields: GID
Resource functions
Table 22 Resource fields: RES_ACCESSED, RES_CREATED (N, 12)
ACL/ACE functions
Table 23 ACL/ACE fields: ACE_DEFAULT, EXEC_ACCESS, READ_ACCESS, WRITE_ACCESS
Appendix B
Overview
The configuration of the Services Manager can be modified in many ways to suit the requirements of the enterprise in which it is implemented. A set of parameters referred to as MSCS parameters contains most of the parameters that determine the configuration of the Services Manager for each Managed System.
MSCS parameters can be viewed or modified using the BMC Provisioning Services Manager Administration Console, described in the BMC Provisioning Services Manager Administrator Guide for Linux. This appendix describes those MSCS parameters that are used specifically to manage a Linux Managed System. Many of these parameters can be modified to suit user requirements. For a full description of other configuration parameters, see the BMC Provisioning Services Manager Administrator Guide for Linux.
Description of parameters
Table 25 on page 104 contains descriptions of MSCS parameters that are specific to Linux Managed Systems. The table contains the following columns:
Parameter
Name of the MSCS parameter. The presence of the symbol * in this column indicates that if the parameter is assigned an invalid value, the Services Manager automatically assigns the parameter the default value specified.
Description
Values
NOTE
Many of the MSCS parameters in the tables are not automatically present in the Services Manager Administration Console after the Services Manager installation. If you wish to assign a value to a specific parameter, it may be necessary to add the parameter in the Console. The value labeled as Coded appearing in the Values column of the tables that follow indicates the value assigned if the parameter is not present in the Console or if the parameter is assigned an invalid value. To see the default value for parameters that are present in the Console, see the listing of the MSCSPARM file on page 111.
MSCS parameters
Table 25 MSCS parameters specific to Linux Managed Systems
ADMIN_CASE_SENS*
ADMIN_FILE_REQ*
Values: Y, N. Default: N
ADMIN_USER_REQ*
ALLOW_DUP_GID
ALLOW_DUP_UID
ADMIN_UID_CHECK
Whether a user defined as a Managed System administrator requires root privileges (native UNIX only). Values: Y, N. Default: N
API_LIB_DIR
The name of the executable path of the API library.
ATTACH_DLL
Provisioning Module DLL. This parameter cannot be modified under UNIX. Value: cts_api_Linux.so
CMDLINE_TIMEOUT
Time (in seconds) the Provisioning Module waits for a Command Line Interface (for example, useradd) to process on the remote Managed System host before stopping the transaction and returning an error. Default: 20
DEFAULT_ADMIN
Name of the Managed System Default administrator account, which is used for GET operations. Note: Applicable only when the value of the ADMIN_USER_REQ parameter is Y.
DEFAULT_CRYPT
    Values:
    2a - use Blowfish (2a) encryption
    md5 - use MD5 encryption
    des - use DES encryption (default value)
    If the DEFAULT_CRYPT parameter is not present in the MSCSPARM file, DES encryption is used. Note: The encryption method configured in the Services Manager and on the native Linux system must be the same. In Linux, the password encryption method is configured in the following file:
DELETE_HOME_DIR_NQA
    Whether users can delete a home directory of which they are not the owner.
DESCRIPTION
    MSCS description.
ENABLE_FAILLOG_LOCK
    An MSCS user who attempts to log in unsuccessfully a certain number of times is locked by the PAM authentication mechanism. This parameter determines whether the status of an MSCS user (locked or enabled) should be reported to ESS by the Standard Offline Interceptor or Global Sync operation. Note: This parameter should be manually added to the MSCSPARM file.
    Values: Y, N. Default: N
EXPECT_PASSPHRASE_COMM
    A regular expression that represents the string returned by the remote Managed System host when a Provisioning Module process attempts to open a login session. This string is used by the Provisioning Module platform to authenticate the remote Managed System host prior to sending the passphrase. Note: This parameter should only be modified at the request of Customer Support.
    Value: Passphrase for key .*$
EXPECT_PASSPHRASE_OPEN
    A regular expression that represents the string returned by the remote Managed System host when a Provisioning Module process attempts to open a login session. This string is used by the Provisioning Module platform to authenticate the remote Managed System host prior to sending the passphrase. Note: This parameter should only be modified at the request of Customer Support.
    Value: Enter Passphrase for key .*$
EXPECT_PASSPHRASE_TEC
    CLI prompt that is displayed when a command is executed via the SSH client (for Tectia SSH).
    Value: Passphrase for the private key: .*$
EXPECT_PASSWD_FIRST
    A regular expression that represents the string returned by the remote Managed System host when a user password is modified on the Provisioning Module platform (the passwd command is run). Note: This parameter should only be modified at the request of Customer Support.
    Default: New UNIX [pP]assword:.*
    Default values:
    - For Red Hat Enterprise Linux 5: New UNIX [pP]assword:.*
    - For SUSE Linux
EXPECT_PASSWD_SECOND
IS_REMOTE_RSS
    Whether the Managed System is a local Managed System or a remote Managed System.
LONG_CMDLINE_TIMEOUT
    Time the Provisioning Module waits for long commands to complete processing on the remote Managed System host before stopping the transaction and returning an error.
MS_WORK_DIR
    (For future use) Directory where the Standard Offline Interceptor database is located.
MS_TYPE
    Type of Managed System.
OFLI_INTERCEPT*
OFLI_INTERVAL*
    Minimum interval between consecutive activations of the Standard Offline Interceptor.
    Format: hhmmss. Default: 010000
ONLI_SEMAPHORE
    Name of the lock obtained during Standard Online Interceptor operation. Applicable only for Managed Systems that support the Standard Online Interceptor.
OFLI_TMP_DIR
    The name of the temporary directory for the Standard Offline Interceptor files. A separate directory is used for each Managed System. Mandatory if the Standard Offline Interceptor is used.
OFLI_SEMAPHORE
PASS_PASSWORD*
    Whether the password is passed to pre-scripts or post-scripts in update password transactions.
    Values: Y, N. Default: N
PAM_LOGIN_ACCESS_FILE
    Full path of the PAM configuration file that states the maximum failed login attempts allowed for any user. This file is accessed by PAM while monitoring the Revoke/Restore status of an MSCS user, for tracking multiple unsuccessful login attempts. Note: Only applicable if ENABLE_FAILLOG_LOCK is set to Y. Note: This parameter should be manually added to the MSCSPARM file.
    Default: /etc/pam.d/login
REMOTE_HOST_NAME
    IP address or host name of the remote Managed System host managed by the Provisioning Module.
SCRIPT_DIR
SCP_TIMEOUT
SCRIPTS_TMP_DIR
SM_ROOT_DIR
SSH_CONNECTION_TIMEOUT
    Time (in seconds) the Services Manager waits for a connection to the remote Managed System host before stopping the transaction and returning an error.
SSH_PORT
    The port used by the SSH server on the remotely managed Linux computer.
    Default: 22
SSH_REMOTE_USER
    This parameter determines how the Services Manager logs in to a remote Managed System computer to perform remote provisioning. By default, the Services Manager uses the root user for remote provisioning. You can use this parameter to configure the Services Manager to use a non-root or root-like user for remote provisioning. This user is created using the procedure Creating a root-like user on page 38.
    Default: root
SUPPORT_LONG_GNAME
    Whether to support long group names. Y: Support group names up to 31 characters long. N: Support group names up to 16 characters long.
    Default: N
SUPPORT_LONG_UNAME
    Y: Support user names up to 31 characters long. N: Support user names up to 8 characters long.
    Default: N
SUPPORT_LAST_LOGIN
SYNC_SEMAPHORE
    Name of the lock obtained while the Standard Offline Interceptor or Global Sync is running (in order to avoid concurrent execution).
TECSSH_CON_MSG
    Command Line Interface message that is displayed when the Provisioning Module executes the Tectia client (SSH), in case of auto authentication.
TECSCP_CON_MSG
    Command Line Interface message that is displayed when the Provisioning Module executes the Tectia client (SCP), in case of auto authentication.
UPDATED_ON
    Date of the last MSCS update.
Figure 5  Listing of the MSCSPARM file

loc_lnx1 CMDLINE_TIMEOUT 20
loc_lnx1 LONG_CMDLINE_TIMEOUT 600
loc_lnx1 EXPECT_PASSPHRASE_COMM Passphrase for key .*$
loc_lnx1 EXPECT_PASSPHRASE_OPEN Enter passphrase for key .*$
loc_lnx1 EXPECT_PASSPHRASE_TEC Passphrase for the private key: .*$
loc_lnx1 TECSSH_CON_MSG Authentication successful..*$
loc_lnx1 TECSCP_CON_MSG TOC: 00:00:00.*$
loc_lnx1 EXPECT_PASSWD_FIRST New [pP]assword:.*
loc_lnx1 EXPECT_PASSWD_SECOND new [pP]assword.*:.*
loc_lnx1 EXPECT_LOG_USER N
loc_lnx1 EXPECT_DEBUG N
loc_lnx1 OFLI_INTERCEPT Y
loc_lnx1 PASS_PASSWORD N
loc_lnx1 OFLI_INTERVAL 010000
loc_lnx1 ADMIN_FILE_REQ Y
loc_lnx1 ADMIN_USER_REQ Y
loc_lnx1 ADMIN_CASE_SENS Y
loc_lnx1 ADMIN_UID_CHECK N
loc_lnx1 DEFAULT_ADMIN tstpm4
loc_lnx1 API_LIB_DIR /local/home/tstpm4/bmc/idm/ServicesManager/PM/Linux/bin
loc_lnx1 MS_WORK_DIR /local/home/tstpm4/bmc/idm/ServicesManager/PM/Linux/work/loc_lnx1
loc_lnx1 SCRIPT_DIR /local/home/tstpm4/bmc/idm/ServicesManager/PM/Linux/scripts/loc_lnx1
loc_lnx1 SCRIPTS_TMP_DIR /local/home/tstpm4/bmc/idm/ServicesManager/PM/Linux/DATA/loc_lnx1/tmp
loc_lnx1 SM_ROOT_DIR /local/home/tstpm4/bmc/idm/ServicesManager
loc_lnx1 SYNC_SEMAPHORE Linux#loc_lnx1#SYNC_SEMAPHORE
loc_lnx1 OFLI_SEMAPHORE Linux#loc_lnx1#OFLI_SEMAPHORE
loc_lnx1 ONLI_SEMAPHORE Linux#loc_lnx1#ONLI_SEMAPHORE
loc_lnx1 UPDATED_ON
loc_lnx1 DEFAULT_CRYPT md5
loc_lnx1 OFLI_TMP_DIR /local/home/tstpm4/bmc/idm/ServicesManager/PM/Linux/DATA/loc_lnx1
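The listing above uses one line per parameter: the MSCS name, the parameter name and the value, which may contain spaces (the EXPECT_* regular expressions) or be empty (UPDATED_ON). The following Python is an added example and not BMC code: it parses a listing in that layout and applies the Table 25 rules, substituting the coded default for an invalid or absent value where the table lists one. The sample listing is constructed, the defaults dictionary is transcribed from Table 25, and the DES warning is the editor's addition.

```python
import re

# Allowed values and coded defaults as given in Table 25 of this appendix.
YN_FLAGS = {"ADMIN_CASE_SENS", "ADMIN_FILE_REQ", "ADMIN_USER_REQ", "ADMIN_UID_CHECK",
            "OFLI_INTERCEPT", "PASS_PASSWORD", "ENABLE_FAILLOG_LOCK",
            "SUPPORT_LONG_GNAME", "SUPPORT_LONG_UNAME"}
CODED_DEFAULTS = {"DEFAULT_CRYPT": "des", "OFLI_INTERVAL": "010000", "CMDLINE_TIMEOUT": "20",
                  "SSH_PORT": "22", "ADMIN_UID_CHECK": "N", "PASS_PASSWORD": "N",
                  "ENABLE_FAILLOG_LOCK": "N", "SUPPORT_LONG_GNAME": "N", "SUPPORT_LONG_UNAME": "N"}

# Constructed listing in the Figure 5 layout, with two deliberately invalid values.
SAMPLE = """\
loc_lnx1 EXPECT_PASSWD_FIRST New [pP]assword:.*
loc_lnx1 UPDATED_ON
loc_lnx1 OFLI_INTERVAL 017500
loc_lnx1 ADMIN_UID_CHECK maybe
"""

def parse_mscsparm(text):
    """Return {mscs_name: {PARAMETER: value}}; a value may contain spaces or be empty."""
    entries = {}
    for line in text.splitlines():
        parts = line.split(None, 2)          # mscs name, parameter, rest of line
        if len(parts) < 2:
            continue                         # blank or truncated line
        entries.setdefault(parts[0], {})[parts[1]] = parts[2] if len(parts) == 3 else ""
    return entries

def is_valid(param, value):
    """True if value is acceptable for param under the rules this appendix states."""
    if param in YN_FLAGS:
        return value in ("Y", "N")
    if param == "DEFAULT_CRYPT":
        return value in ("2a", "md5", "des")
    if param == "OFLI_INTERVAL":             # hhmmss
        m = re.fullmatch(r"(\d\d)(\d\d)(\d\d)", value)
        return bool(m) and int(m[1]) < 24 and int(m[2]) < 60 and int(m[3]) < 60
    if param.endswith("_TIMEOUT") or param == "SSH_PORT":
        return value.isdigit() and int(value) > 0
    return True                              # no rule on this page for other parameters

def check_mscs(params):
    """Return (effective values, findings); invalid or absent values take the coded default where listed."""
    effective, findings = dict(params), []
    for param in sorted(set(params) | set(CODED_DEFAULTS)):
        value = params.get(param)
        if value is None or not is_valid(param, value):
            fallback = CODED_DEFAULTS.get(param)
            state = "absent" if value is None else f"invalid {value!r}"
            findings.append(f"{param}: {state}, coded default {fallback!r}")
            if fallback is not None:
                effective[param] = fallback
    if effective.get("DEFAULT_CRYPT") == "des":
        findings.append("DEFAULT_CRYPT=des: weakest of the three crypt methods; prefer md5 or 2a")
    return effective, findings
```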
Appendix C

If you have installed the password interception support, the system files /etc/services and /etc/xinetd.conf are updated and lines are added to them. This section describes how to confirm that these system files have been updated correctly.

1. The files inetdcl and libpam_bmc.so.1 must be copied to the relevant configurable system directories (the Password Interceptor installer should prompt for this input).
2. The shared library libpam_bmc.so.1 must be copied to the /lib/security directory by default (if no other directory is specified at the time of Password Interceptor installation).
3. The executable file inetdcl must be copied to the /usr/sbin directory by default (if no other directory is specified at the time of Password Interceptor installation).
4. The system files /etc/pam.d/system-auth (for Red Hat Linux), /etc/pam.d/passwd (for SUSE Linux), /etc/services and /etc/xinetd.conf must be updated and the Password Interceptor entry must be added (if it is not specified at the time of Password Interceptor installation).
5. The system file /etc/pam.d/system-auth (for Red Hat Linux) or /etc/pam.d/passwd (for SUSE Linux) is updated and lines should be added to it (one for each PAM service). If the system service password is not present in the file, the corresponding Password Interceptor entry should not be added and password interception for that password service will not be active.

file; the corresponding Password Interceptor entry should be added after the system service entry. The Password Interceptor entry appears as follows:

    password required bmc_pam_lib_path_name

For example:

    password required /lib/security/libpam_bmc.so.1

6. The system file /etc/services must include a new entry that serves the Password Interceptor mechanism. A system service entry appears as follows:

    service_name service_port/tcp

where 7790 is the requested service port number.

7. The system file /etc/xinetd.conf must include a new entry that enables the Password Interceptor mechanism. A system service entry appears as follows:

    service newd_pwi
    {
        socket_type = stream
        protocol    = tcp
        wait        = yes/no
        user        = owner_of_inetd_client
        server      = inetd_client_path_name
        server_args = arguments_required_by_inetd_client
        env         = env_setting
        instances   = UNLIMITED
    }

For example:

    #pm_pwi_start Dont remove, used for installation and uninstallation purposes
    # PM Modules (newd_pwi)
    service newd_pwi
    {
        socket_type = stream
        protocol    = tcp
        wait        = no
        user        = root
        server      = /usr/sbin/inetdcl
        server_args = /local/home/linsp4/control-sa/ Linux lnx_mscs
        env         = SM_INSTALL_DIR=/local/home/linsp4/control-sa/
        instances   = UNLIMITED
    }
    #pm_pwi_end Dont remove, used for installation and uninstallation purposes

where newd_pwi is the name of the service that is used in the /etc/services file.
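As an added example that is not part of the BMC installer, the following Python performs the checks of steps 5 to 7 offline, one function per file: that the PAM entry for the interceptor library is present and follows a system password entry, that /etc/services registers the service port, and that /etc/xinetd.conf carries a stanza for the service with the expected settings. The file contents are constructed samples passed in as strings; the service name newd_pwi, the library path and the /usr/sbin/inetdcl path are taken from the entries shown above.

```python
import re

# Constructed sample inputs modelled on the entries this appendix describes.
PAM_SAMPLE = """\
password required   pam_cracklib.so retry=3
password sufficient pam_unix.so use_authtok md5 shadow
password required   /lib/security/libpam_bmc.so.1
"""
SERVICES_SAMPLE = "ssh      22/tcp\nnewd_pwi 7790/tcp  # Password Interceptor\n"
XINETD_SAMPLE = """\
service newd_pwi
{
    socket_type = stream
    protocol    = tcp
    wait        = no
    user        = root
    server      = /usr/sbin/inetdcl
}
"""

def pam_interceptor_ok(pam_text, lib="/lib/security/libpam_bmc.so.1"):
    """True if 'password required <lib>' is present and follows a system 'password' line."""
    seen_system = False
    for fields in (line.split() for line in pam_text.splitlines()):
        if len(fields) < 3 or fields[0] != "password":
            continue                                   # other PAM stacks or comments
        if fields[2] == lib:
            return fields[1] == "required" and seen_system
        seen_system = True                             # a system password entry came first
    return False

def services_port(services_text, name="newd_pwi"):
    """TCP port registered for the interceptor service in /etc/services, or None."""
    for line in services_text.splitlines():
        m = re.match(r"(\S+)\s+(\d+)/tcp\b", line.split("#", 1)[0])
        if m and m.group(1) == name:
            return int(m.group(2))
    return None

def xinetd_stanza(xinetd_text, name="newd_pwi"):
    """Settings of the 'service <name> { ... }' stanza in /etc/xinetd.conf, or None."""
    m = re.search(r"service\s+" + re.escape(name) + r"\s*\{(.*?)\}", xinetd_text, re.S)
    if not m:
        return None
    settings = {}
    for line in m.group(1).splitlines():
        key, sep, val = line.split("#", 1)[0].partition("=")
        if sep:
            settings[key.strip()] = val.strip()
    return settings
```

On a live host, read the three files and pass their contents in; a missing stanza, an unregistered port, or an interceptor line placed before the system entry is exactly what the verification steps above are meant to catch.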
Appendix D

Interactive uninstallation

To perform the interactive uninstallation of the Password Interceptor:

1 Log in to the Services Manager computer as user root.
2 Enter the following commands to create a temporary directory to which you will copy the Password Interceptor files:

    mkdir /tmp/DRLIS.5.0.00
    chmod 777 /tmp/DRLIS.5.0.00

7 At this point, stop and restart the Services Manager to completely uninstall the Password Interceptor.

Silent uninstallation

To perform the silent uninstallation of the Password Interceptor:

1 Log in to the Services Manager computer as user root.
2 Enter the following commands to create a temporary directory to which you will copy the Password Interceptor files:

    mkdir /tmp/DRLIS.5.0.00
    chmod 777 /tmp/DRLIS.5.0.00

7 At this point, stop and restart the Services Manager to completely uninstall the Password Interceptor.
Appendix E

For the Services Manager to communicate successfully with Enterprise SecurityStation, the Provisioning Module installation/environmental parameters listed in Table 26 must be coordinated with parameters specified in the Enterprise SecurityStation Console.

Table 26  Summary of required parameter coordination

ESS Console parameter   ESS Console window                   Services Manager computer
Managed System Name     Managed System Properties window     Managed System Name
TCP/IP Host             Platform Properties window           Host Name or Host IP Address
TCP/IP Port Number      Platform Properties window           TCP/IP Port Number
Encryption              Platform Properties window           Transmitted Data Encryption
Appendix F
Overview
This appendix describes the procedure for migrating from CONTROL-SA/Agent to BMC Provisioning Services Manager and BMC Provisioning Module. This release of BMC Provisioning Module for Linux does not provide a procedure for upgrading an earlier version of CONTROL-SA/Agent for Linux. However, you can migrate from CONTROL-SA/Agent for Linux version 3.1.02, to BMC Provisioning Module for Linux version 5.0.00.
Migration procedure
The following methods can be used to migrate from CONTROL-SA/Agent to BMC Provisioning Services Manager and BMC Provisioning Module:
- Interactive migration
- Automated migration

Interactive migration
1 To migrate to the Services Manager and the Provisioning Module, perform the migration procedure given in the appendix, Migrating from CONTROL-SA/Agent, in the BMC Provisioning Services Manager Installation Guide for Linux.
2 To complete the migration for the Provisioning Module, stop all the transactions and run the Offline Interceptor in Initial mode.
Automated migration
An automated migration procedure is now available to migrate an existing CONTROL-SA/Agent to BMC Provisioning Services Manager and BMC Provisioning Module. For more information, see the "Automated migration procedures" section in the BMC Provisioning Services Manager Installation Guide for Linux.
Index

A
ADMIN 69
ADMIN_FILE_REQ parameter 69
Administrator file, storing the passphrase in 65
authentication method required by Services Manager 38

B
BMC Software, contacting 2

C
configuration 103
configuring SSH: automatic procedure 42; pre-configuration checks 37; pre-configuration checks on the remote host 39
configuring SSH Secure Shell, overview 35
CONTROL 12
CONTROL-SA/Agent, old and new terminology 12
conventions, documentation 13
CTSPARM parameters, old and new parameters 12
customer support 3

D
DSK key pair, generating 53

F
functions of Provisioning Module 73

H
host key, described 57

I
implementation overview 23
implementation procedures 24
IS_REMOTE_RSS parameter 28

L
Linux hardware/software requirements 21
Local Managed System: advantages and disadvantages 16; described 16
login sessions, Services Manager SSH connections 37

M
Managed System, old and new terminology 12
Managed System administrators, about 22
Managed System Configuration Set, old and new terminology 12
Managing remote Managed System host, pre-install requirements 20
man-in-the-middle attack, protecting against 45
Minimum Password Length parameter, described 94
MSCS, old and new terminology 12
MSCS Configuration procedure, described 27
MSCS parameters: Managed System-specific parameters 103; old and new terminology 12
MSCSAPI file, old and new terminology 12

P
passphrase, defining 53
Password interception support for remote Managed Systems 20
Password Interceptor Client installation 30
Password Interceptor Messages, managing 69
Password length, how calculated 94
product support 3
Provisioning Module: deployment 15; function list 73; old and new terminology 12

R
Remote Managed System: advantages and disadvantages 16; described 16; PassPhraseADM administrator 22
remote Managed System host, described 16
RSS, old and new terminology 12
RSSAPI file, old and new terminology 12
RSSPARM parameters, old and new terminology 12

S
SA-Agent platform, old and new terminology 12
Secure 35
Services Manager computer, old and new terminology 12
Services Manager public key, defining 59
Services Manager SSH connections, login sessions 37
SSH authentication, described 36
SSH Communication, testing 50
SSH configuration, configuring more than one remote host 51, 66
SSH Secure Shell configuration, creating an identification file 55
SSH Secure Shell manual configuration 52: configuring the remote host 59; retrieving the remote host public key 57; setting up SSH configuration files 56; updating the Administrator file 65
ssh-keygen command 53
ssh-keygen2 command 53
support, customer 3
syntax statement conventions 14
system logger, password interceptor messages 69

T
technical support 3
The 71

U
Unattended administrator 23
USA-API, old and new terminology 12