The Privileged Appliance and Modules (TPAM) 2.5 Client Setup Guide

Copyright© 2015 Dell Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. Dell™, SonicWALL and the Dell logo are trademarks of Dell Inc. in the United States and/or other jurisdictions. MAC OS, OS X are trademarks of Apple, Inc., registered in the U.S. and other countries. Check Point is a registered trademark of Check Point Software Technologies Ltd. or its affiliates. Cisco is a registered trademark of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries. ForeScout and CounterACT are trademarks of ForeScout Technologies, Inc. Fortinet is a registered trademark of the Fortinet Corporation in the United States and/or other countries. FreeBSD is a registered trademark of the FreeBSD foundation. H3C is a trademark of Hangzhou H3C Technologies, Co. Ltd. Google and Chrome are trademarks of Google, Inc., used with permission. HP, OPENVMS and Tru64 are registered trademarks of Hewlett-Packard Development Company. AS/400, IBM and AIX are registered trademarks of International Business Machines Corporation, registered in many jurisdictions worldwide. Juniper, JUNOS and NetScreen are registered trademarks of Juniper Networks, Inc. in the United States and other countries. Linux® is a registered trademark of Linus Torvalds in the United States, other countries, or both. MariaDB is a registered trademark of MariaDB Corporation. Microsoft, Active Directory, Internet Explorer, and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Mozilla and Firefox are registered trademarks of the Mozilla Foundation. NetApp is a registered trademark of NetApp, Inc., registered in the U.S. and other countries. Nokia is a registered trademark of Nokia Corporation. Novell is a registered trademark of Novell, Inc. in the United States and/or other countries.

Oracle, Java, MySQL, and Solaris are trademarks of Oracle and/or its affiliates. PAN-OS is a registered trademark of Palo Alto Networks, Inc. PowerPassword is a registered trademark of BeyondTrust Software, Inc. PROXYSG is a trademark of Blue Coat Systems, Inc., registered in the United States and other countries. Stratus is a registered trademark of Stratus Technologies Bermuda Ltd. Teradata is a registered trademark of Teradata Corporation or its affiliates in the United States or other countries. UNIX and UNIXWARE are registered trademarks of The Open Group in the United States and other countries. VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. Other trademarks and trade names may be used in this document to refer to either the entities claiming the marks and names or their products. Dell disclaims any proprietary interest in the marks and names of others.

Legend

CAUTION: A CAUTION icon indicates potential damage to hardware or loss of data if instructions are not followed.
WARNING: A WARNING icon indicates a potential for property damage, personal injury, or death.
IMPORTANT NOTE, NOTE, TIP, MOBILE, or VIDEO: An information icon indicates supporting information.

TPAM Client Setup Guide
Updated - November 2015
Software Version - 2.5

Contents

AS/400 (iSeries) ... 8
    Add the Functional Account ... 8
    Add System to TPAM ... 8
    Testing System/Checking Password ... 9
    Changing Password ... 9
Cisco Devices ... 10
    Cisco Router (SSH) ... 10
    Cisco Router (TEL) ... 11
    Cisco PIX ... 12
Dell Remote Access Client (DRAC) Systems ... 13
    Introduction ... 13
    Configure the DRAC ... 13
    Log on to the Dell Remote Access Web Interface ... 15
    Create the Functional Account ... 16
    Add System to TPAM ... 17
FreeBSD ... 20
    Introduction ... 20
    Add the Functional Account ... 20
    Using sudo ... 20
    SSH Daemon ... 21
    Add System to TPAM ... 21
    Create and Modify DSS Key ... 22
    Allow Domain Account PSM Access ... 22
HP iLO2 ... 23
    Introduction ... 23
    Add the Functional Account ... 23
    Add System to TPAM ... 24
    Create and Modify DSS Key ... 25
HP-UX Trusted and Untrusted ... 26
    Add System to TPAM ... 26
    Unlock Locked Accounts ... 27
    Allow Domain Account PSM Access ... 27
IBM Hardware Management Console (HMC) ... 28
    Introduction ... 28
    Add the Functional Account ... 28
    Add System to TPAM ... 28
    Allow Domain Account PSM Access ... 29
Juniper Junos ... 30
    Introduction ... 30
    Add the Functional Account ... 30
    Management Access Configuration ... 30
    Add System to TPAM ... 30
LDAP and LDAPS ... 32
    Add System to TPAM ... 32
Mac OS® X (10.4-10.8) ... 33
    Introduction ... 33
    Enable SSH Daemon ... 33
    Add the Functional Account ... 34
    Add System to TPAM ... 36
    Create and Modify the DSS Key ... 36
    Allow Domain Account PSM Access ... 37
Mainframe ... 38
    Mainframe (RACF) ... 38
        Create the Functional Account ... 38
        Add System to TPAM ... 38
        Password Check ... 38
        Password Change ... 38
    Mainframe LDAP (RACF/TopSecret) ... 38
        Add System to TPAM ... 38
        Account Name Setup ... 39
    Mainframe (ACF2) ... 40
        Add the Functional Account ... 40
        Add the System to TPAM ... 40
        Password Check ... 41
        Password Change ... 41
MS SQL Server (2000 & 2005) ... 42
    Authentication and Encryption ... 42
    TPAM Commands for Managing MS SQL Server ... 42
    Encryption Recommendation ... 43
    Add the Functional Account ... 43
    Add System to TPAM ... 43
    SQL Server Named Instances ... 45
Nokia IPSO ... 46
    Introduction ... 46
    Add the Functional Account ... 46
    Add System to TPAM ... 47
    Allow Domain Account PSM Access ... 47
Novell NDS ... 48
    Add System to TPAM ... 48
OpenVMS ... 49
    Add System to TPAM ... 49
Oracle (9i,10g,11g) ... 50
    Authentication and Encryption ... 50
    TPAM Commands for Oracle ... 50
    Encryption Recommendation ... 50
    Add the Functional Account ... 50
    Add System to TPAM ... 51
POS 4690 ... 53
    Add Functional Account ... 53
    Add a Password Rule ... 57
    Add System to TPAM ... 58
ProxySG ... 59
    Introduction ... 59
    Add Functional Account ... 59
    Add Functional Account via the CLI ... 61
    Add System to TPAM ... 61
PSM Web Access ... 63
    Introduction ... 63
    Web access proxy profiles ... 63
    Set the default web access proxy profile ... 63
    Add a web access proxy profile ... 64
    Assign a web access proxy profile to a DPA ... 64
    Delete a web access proxy profile ... 64
    Add web access system to TPAM ... 65
SAP ... 66
    Add System to TPAM ... 66
    Add Permissions to Functional Account in SAP ... 67
SonicWALL ... 69
    Introduction ... 69
    Add the Functional Account ... 69
    Add System to TPAM ... 70
Sybase Adaptive Server Enterprise (ASE) ... 72
    Authentication and Encryption ... 72
    TPAM Commands for Sybase ... 72
    Encryption Recommendation ... 72
    Add the Functional Account ... 73
    Add System to TPAM ... 73
HP NonStop Tandem ... 75
    Introduction ... 75
    Server Setup ... 75
    Add the Functional Account ... 75
    TPAM Client Setup ... 76
    Test Connectivity ... 76
Teradata ... 77
    Introduction ... 77
    Define a Data Source ... 77
    Add the Functional Account ... 78
    Add System to TPAM ... 78
Tru64 Enhanced Security ... 80
    Introduction ... 80
    Add the Functional Account ... 80
    Using sudo ... 80
    SSH2 Daemon ... 80
    Add System to TPAM ... 81
    Create and Modify DSS Key ... 81
    Allow Domain Account PSM Access ... 82
Linux® and UNIX® Systems ... 83
    Introduction ... 83
    Add the Functional Account ... 83
    Create and Modify the Public Key ... 84
    Add System to TPAM ... 84
    Allow Domain Account PSM Access ... 85
VMware vSphere 4 ... 86
    Introduction ... 86
    Add the Functional Account ... 86
    Add System to TPAM ... 87
Windows Active Directory ... 89
    Introduction ... 89
    Add System to TPAM ... 89
Windows Systems ... 91
    Introduction ... 91
    Add the Functional Account ... 91
    Add System to TPAM ... 92
    Test System ... 93
    Troubleshoot System Connectivity ... 94
    Add Windows Domain Member System to TPAM ... 94
Test and Troubleshoot ... 96
    Test System ... 96
    Troubleshoot System Connectivity ... 96
About Dell ... 97
    Contacting Dell ... 97
    Technical Support Resources ... 97

1 AS/400 (iSeries)

• Add the Functional Account
• Add System to TPAM

Add the Functional Account

Create a new functional account on the AS/400 and assign it a password. Grant the functional account the privileges required to use the chgusrprf command on other profiles.
Add System to TPAM

From the TPAM menu, select Systems, Accounts, & Collections | Systems | Add System. Provide the name for the system and the Network Address (either the IP address or the DNS name) of the AS/400. If automatic password management is desired, check the option box and configure the change settings according to your deployment plan. Select AS400 as the platform. Click the Connection tab to configure the details for the functional account and other communication options.

Specify the functional account used on the AS400 and enter the password for the account. Note the option to specify an Alternate Port. If the default Telnet port of 23 is not used (check with the AS400 administrator), enter in this field the port on which the device listens for connections.

Testing System/Checking Password:

• Telnet access to the AS/400 with a 3270 or 5250 emulator.
• No special characters need to be pressed other than carriage return on login. Pressing Enter after the initial login is acceptable.
• SYSTEM: is present on the screen following a successful login. (This is usually in the upper right-hand corner; see the illustration below.)

Changing Password:

• The functional account has the required privileges to use chgusrprf from the command prompt.
• The result message for a successful change displays at least the following on screen:
  USER PROFILE <managed_account> CHANGE

2 Cisco Devices

• Cisco Router (SSH)
• Cisco Router (TEL)
• Cisco PIX

Cisco Router (SSH)

The SSH v2 protocol is used to connect to the Cisco® device. Connections use username and password authentication, managed locally on the Cisco device. Cisco switches use the same platform type in TPAM.

From the TPAM menu, select Systems, Accounts, & Collections | Systems | Add System. Provide the name for the system and the Network Address (either the IP address or the DNS name) of the Cisco appliance. If automatic password management is desired, check the option box and configure the change settings according to your deployment plan. Select Cisco Router (SSH) as the platform. Click the Connection tab to configure the details for the functional account and other communication options.

Specify the functional account used on the Cisco appliance and enter the password for the account. Windows® Domain functional accounts may also be used as the functional accounts for Cisco platforms; the connection will use the designated domain account to manage the platform. Note the option to specify an Alternate Port. If the default SSH port of 22 is not used (check with the network administrator), enter in this field the port on which the device listens for connections.

Cisco Router (TEL)

The Telnet protocol is used for the connection to the Cisco device. This method uses the line password authentication method and the enable authentication method for management.

From the TPAM menu, select Systems, Accounts, & Collections | Systems | Add System. Provide the name for the system and the Network Address (either the IP address or the DNS name) of the Cisco appliance. If automatic password management is desired, check the option box and configure the change settings according to your deployment plan. Select Cisco Router (TEL) as the platform. Click the Connection tab to configure the details for the functional account and other communication options.

Specify the functional account used on the Cisco appliance and enter the password for the account or the line definition, whichever method is used for authentication to the appliance. Windows Domain functional accounts may also be used as the functional accounts for Cisco platforms; the connection will use the designated domain account to manage the platform. Note the option to specify an Alternate Port. If the default Telnet port of 23 is not used (check with the network administrator), enter in this field the port on which the device listens for connections.

Cisco PIX

From the TPAM menu, select Systems, Accounts, & Collections | Systems | Add System. Provide the name for the system and the Network Address (either the IP address or the DNS name) of the Cisco appliance. If automatic password management is desired, check the option box and configure the change settings according to your deployment plan. Select Cisco PIX as the platform. Click the Connection tab to configure the details for the functional account and other communication options.

Specify the functional account used on the Cisco appliance and enter the password for the account. Windows Domain functional accounts may also be used as the functional accounts for Cisco platforms; the connection will use the designated domain account to manage the platform. Note the option to specify an Alternate Port. If the default port of 22 is not used (check with the network administrator), enter in this field the port on which the device listens for connections.

3 Dell Remote Access Client (DRAC) Systems

• Introduction
• Configure the DRAC
• Log on to the Dell Remote Access Web Interface
• Create the Functional Account
• Add System to TPAM

Introduction

This chapter provides step-by-step instructions for configuring Dell™ Remote Access Client systems to be managed by TPAM. The steps involved are functional account creation and modification, as well as SSH key installation and configuration if necessary. Administrative knowledge of Dell Remote Access is assumed.

Configure the DRAC

To set the network configuration options:

1 Connect a monitor and USB keyboard to the front of the server.
2 Connect an Ethernet cable to the Dell Remote Access NIC on the back of the server.
3 Start the server and wait for the BOOT screen to display the option for Remote Access Setup. Access the interface by pressing the Ctrl+E keys within 5 seconds of the option appearing on the screen.
4 On the main screen, scroll down to select Lan Parameters and press the ENTER key.
5 Scroll down the list to locate the IPv4 settings and set the required information (IP address, Subnet mask, and Gateway). Once the required information is entered, press the ESC key to exit the screen.
6 Scroll down the main menu to select Lan User Configuration and press the ENTER key.
7 Enter the Account User Name, then enter and confirm a password.
8 Press the ESC key.
9 Select Save Changes and Exit and press the ENTER key.
10 From the main screen, press the ESC key to exit; the system will continue to start.

Log on to the Dell Remote Access Web Interface

To log on to the Dell Remote Access Web interface:

1 Launch a DRAC-supported web browser and browse to https://<DRACipaddress>.
2 Log on to the DRAC using the username and password configured during the initial set up.
3 Select Remote Access | Network Security from the menu.
4 Click on the Services tab. Make sure the Enabled check box is selected for the SSH service.
5 Click the Apply button.

Create the Functional Account

In this example the functional account will be named root.

To create the functional account:

1 Click on iDRAC Settings on the left-hand menu.
2 Click on the Network/Security tab.
3 Click on the Users tab.
4 Click on the User ID number for the root account.
5 Select Configure User.
6 Click the Next button.
7 Under the General section:
   • Select the Enable User check box
   • Enter root for the User Name
   • Select the Change Password check box
   • Enter and confirm a password
8 In the IPMI User Privileges section:
   • Select Operator for the Maximum LAN User Privilege Granted
   • Select None for Maximum Serial Port User Privilege Granted
   • Leave the Enable Serial Over LAN check box clear
9 In the iDRAC User Privileges section:
   • Select Operator from the Roles list
   • Select the Login to iDRAC check box
   • Select the Configure Users check box. The rest of the check boxes in this section should be clear.
10 Click the Apply button.
11 Log out.

Add System to TPAM

From the TPAM menu, select Systems, Accounts, & Collections | Systems | Add System. Provide the name for the system and the Network Address (either the IP address or the DNS name). Select Dell Remote Access as the platform. If automatic password management is desired, check the option box and configure the change settings according to your deployment plan.

Click the Connection tab to configure the functional account properties for the system. Enter root for the Account Name. Note that the option exists to specify a TCP port other than port 22 (the default SSH port). If the system to be managed is configured to communicate on a port other than 22 for SSH, specify the port in the Alternate Port field. For more detailed information regarding these and other options for configuring the managed systems, please consult the TPAM Administrator Guide.

Select an authentication method from one of the following:

• Select the Password option button and enter the same password used in the iDRAC functional account set up.
-- OR --
• Select the DSS option button. Select the Avail System Std. Keys or Use System Specific Key option. In this example we will choose the default system standard key id_dsa.pub. Click the Get Open SSH button to download the key to your local system.

Select the Allow Functional Account to be Requested for password release check box.

Click the Save Changes button.

If authenticating using a DSS key, from the iDRAC browser, select Remote Access | Network/Security | Users. Locate the SSH Key Configurations menu, select Upload SSH Key(s) and then Next. Upload the key that was downloaded from TPAM.

4 FreeBSD

• Introduction
• Add the Functional Account
• Using sudo
• SSH Daemon
• Add System to TPAM
• Create and Modify DSS Key
• Allow Domain Account PSM Access

Introduction

This section provides step-by-step instructions for configuring OpenSSH on FreeBSD® systems to be managed by TPAM. The steps involved are verification that the ssh daemon is enabled and configured, creation and modification of the functional account, and, if necessary, SSH key installation and configuration. Administrative knowledge of FreeBSD and familiarity with the vi editor are assumed.

Add the Functional Account

Log on to the FreeBSD system as root (or a root-equivalent account) and create the functional account on the FreeBSD system. In our examples, the functional account is named funcacct.

Using sudo

Instead of using a root-equivalent account to manage the accounts on the FreeBSD system, the functional account can leverage sudo. Log into the FreeBSD system as root (or a root-equivalent account), use visudo to edit /usr/local/etc/sudoers, and add the following lines under the “User privilege specifications” section of the file:

    funcacct ALL=(root) NOPASSWD: /bin/grep
    funcacct ALL=(root) NOPASSWD: /usr/bin/passwd

You will also need to add the following line so that sudo does not require a tty for the functional account:

    Defaults:funcacct !requiretty

SSH Daemon

Account management of FreeBSD systems is performed using the SSH protocol. In order for our appliance to communicate properly with a FreeBSD system, its ssh daemon must be enabled and properly configured. Log on to the FreeBSD system as a root account and navigate to the /etc/ssh directory.
Make a backup of the sshd_config file using the cp command and then open sshd_config using vi. Verify that the following settings are not commented out and are set to the values shown:

    PermitUserEnvironment yes
    PasswordAuthentication yes
    UsePAM no
    X11Forwarding yes
    X11DisplayOffset 10
    X11UseLocalhost yes

If any of these settings would conflict with other ssh dependent applications, you can override settings on a per user basis using “Match User”:

    Match User funcacct
        PermitUserEnvironment yes
        PasswordAuthentication yes
        UsePAM no
        X11Forwarding yes
        X11DisplayOffset 10
        X11UseLocalhost yes
        PubkeyAuthentication yes
        AuthorizedKeysFile .ssh/authorized_keys

Add System to TPAM

From the TPAM menu, select Systems, Accounts, & Collections | Systems | Add System. Provide the name for the system and Network Address (this can be either IP address or DNS name). If automatic password management is desired, check the option box to do so, and configure the change settings according to your deployment plan. In order to manage the accounts, the functional account can leverage sudo. Enter sudo as the Delegation Prefix.

Click the Connection tab to configure the functional account properties for the system.

Note that the option exists to specify a TCP port other than port 22 (the default SSH port). If the system to be managed is configured to communicate on a port other than 22 for SSH, specify the port in the Alternate Port field.

If password authentication will be used for the functional account, select the Password option and provide the current valid password for the account. To use the key that has been imported from the preceding steps, select the DSS option and follow the steps outlined in Create and Modify DSS Key.

Create and Modify DSS Key

Under Account Credentials select DSS and then under DSS Key Details select either one of the Avail. System Std. Keys or Use System Specific Key. In this example we will choose the default system standard key id_dsa.
Click the Get Open SSH button to download the key to your local system. Using an ssh/scp client, upload the key to the FreeBSD system, authenticating as the functional account. Once the file has been uploaded, log in to the FreeBSD system.

Create the .ssh directory for the functional account and then change directory to the newly created directory:

    mkdir .ssh
    cd .ssh

Copy the id_dsa.pub file that you downloaded into the .ssh directory as the file authorized_keys:

    cp /Users/funcacct/id_dsa.pub authorized_keys

Edit the sshd_config file on the managed FreeBSD system (/etc/ssh/sshd_config) to include the following in the “Authentication” section:

    PubkeyAuthentication yes
    AuthorizedKeysFile .ssh/authorized_keys

Allow Domain Account PSM Access

A placeholder account can be created on a FreeBSD system to allow a domain account PSM access. Add the account with None selected for password management. On the PSM Session Details tab select SSH - Automatic Login Using Password as the proxy type. On the PSM Details Session Authentication tab select the domain account from the Use Windows Domain Account list.

5 HP iLO2

• Introduction
• Add the Functional Account
• Add System to TPAM
• Create and Modify DSS Key

Introduction

This section provides step by step instructions for configuring HP iLO2 systems to be managed by TPAM. The steps involved are functional account creation and modification, and SSH key installation and configuration. Administrative knowledge of HP iLO2 is assumed.

Add the Functional Account

Following the steps below, create the functional account on the HP iLO2 system and modify its properties (the account “funcacct” is used in this example).

Log on to the web interface of the HP iLO2 with an administrator account, select the Administration tab, then User Administration, and then click the New button. Provide the user name and login name of the functional account (in this instance “funcacct”).
IMPORTANT: In order for TPAM to function properly, the User Name and Login Name fields must be identical for the functional account as well as any managed accounts.

In order for the functional account to manage other accounts on the HP iLO2, it ONLY needs Allowed selected for Administer User Accounts. The option Remote Console Access refers to access to the server the HP iLO2 is paired with, not SSH access to the HP iLO2 itself.

Add System to TPAM

From the TPAM menu, select Systems, Accounts, & Collections | Systems | Add System. Provide the name for the system and Network Address (this can be either IP address or DNS name). If automatic password management is desired, check the option box to do so, and configure the change settings according to your deployment plan.

Click the Connection tab to configure the functional account properties for the system.

Note that the option exists to specify a TCP port other than port 22 (the default SSH port). If the system to be managed is configured to communicate on a port other than 22 for SSH, specify the port in the Alternate Port field.

If password authentication will be used for the functional account, select the Password option and provide the current valid password for the account. To use the key that has been imported from the preceding steps, select the DSS option and follow the steps outlined in Create and Modify DSS Key.

Create and Modify DSS Key

Under Account Credentials select DSS and then under DSS Key Details select either one of the Avail. System Std. Keys or Use System Specific Key. In this example we will choose the default system standard key id_dsa. Click the Get Open SSH button to download the key to your local system.

In order for this file to be properly imported into the HP iLO2, the name of the functional account will need to be appended at the end of the DSS key line.
Using a text editor, open id_dsa.pub and go to the end of the line the DSS key is on, add a space, and then type the HP iLO2 user name of the functional account, in this case “funcacct”. Once that has been added, save your changes and close the file.

Log on to the web interface of the HP iLO2 with an administrator account and go to Settings | Security. Browse to the location of the modified id_dsa.pub file and then click the Authorize Key button. Upon successful authorization, the key file will be listed as the functional account’s user name.

6 HP-UX Trusted and Untrusted

• Add System to TPAM
• Unlock Locked Accounts
• Allow Domain Account PSM Access

Add System to TPAM

From the TPAM menu, select Systems, Accounts, & Collections | Systems | Add System. Provide the name for the system and Network Address (this can be either IP address or DNS name). If automatic password management is desired, check the option box to do so, and configure the change settings according to your deployment plan.

There is a Delegation Prefix field available so that you can preface the commands that TPAM uses to manage passwords. The delegation prefix can also be used to specify an absolute path to the command that TPAM uses to manage passwords for the system.

Click the Connection tab to configure the details for the functional account and other communication options. Specify the functional account used on the HP-UX system, and enter the password for the account.

IMPORTANT: Make sure you assign a password rule for the system/account with a maximum length of 8 characters. Passwords longer than 8 characters will not work.

Note the option to specify an Alternate Port. If the default port of 22 is not used (check with the HP-UX administrator), enter in this field the port on which the device will be listening for connections.
Unlock Locked Accounts

For the HP-UX (trusted) platform, locked accounts will be unlocked by TPAM when making a password change. To unlock an HP-UX account (during a password reset), TPAM has the functional account issue the command /usr/lbin/modprpw. If using a delegation prefix, the functional account must have permission to execute the command, otherwise the password reset will fail.

Allow Domain Account PSM Access

A placeholder account can be created on an HP-UX system to allow a domain account PSM access. Add the account with None selected for password management. On the PSM Session Details tab select SSH - Automatic Login Using Password as the proxy type. On the PSM Details Session Authentication tab select the domain account from the Use Windows Domain Account list.

7 IBM Hardware Management Console (HMC)

• Introduction
• Add the Functional Account
• Add System to TPAM
• Allow Domain Account PSM Access

Introduction

This document will guide you through configuring your IBM® Hardware Management Console (HMC) for TPAM password management. This guide is intended for an IBM HMC administrator or a SME (Subject-Matter Expert) who is familiar with your IBM HMC configuration and custom configurations. Your HMC administrator or SME may wish to assign permissions more granularly.

Add the Functional Account

TPAM connects to the IBM HMC appliance using SSH. The functional account is used to issue commands for changing account passwords, including its own (if applicable). The functional account requires hmcsuperadmin or similar permissions to reset users’ passwords.

Add System to TPAM

From the TPAM menu, select Systems, Accounts, & Collections | Systems | Add System. Provide the name for the system and Network Address (this can be either IP address or DNS name) of the server on which the database resides. If automatic password management is desired, check the option box to do so, and configure the change settings according to your deployment plan.
Select “IBM HMC” as the platform.

Click the Connection tab to configure the functional account properties for the system. If password authentication will be used for the functional account, select the Password option and provide the current valid password for the account.

NOTE: The option exists to specify a TCP port other than port 22 (the default SSH port). If the system to be managed is configured to communicate on a port other than 22 for SSH, specify the port in the Alternate Port field.

Click the Save Changes button.

Click the Accounts button to configure the managed account(s) as required for the system. Select the account on the Listing tab and click the Details tab.

Allow Domain Account PSM Access

A placeholder account can be created on an HMC system to allow a domain account PSM access. Add the account with None selected for password management. On the PSM Session Details tab select SSH - Automatic Login Using Password as the proxy type. On the PSM Details Session Authentication tab select the domain account from the Use Windows Domain Account list.

8 Juniper Junos

• Introduction
• Add the Functional Account
• Management Access Configuration
• Add System to TPAM

Introduction

This section provides instructions for configuring Junos® devices to be managed by TPAM. The steps involved are verification that the SSH service for management access is enabled and configured, verification of the functional account, and, if necessary, SSH key installation and configuration. Administrative knowledge of Junos and familiarity with its CLI configuration are assumed.

NOTE: The TPAM Junos platform does not support the Juniper high availability cluster environment. To support this, the customer must utilize the TPAM custom platform functionality found in TPAM v2.5.911+.

Add the Functional Account

For Junos the functional account must be the device’s root account.
TPAM can be configured to authenticate to the Junos device using plain-text password or DSS key authentication.

Management Access Configuration

TPAM manages the device over SSH using the Junos CLI. Please consult the Junos documentation of your device for the appropriate configuration steps to allow secure access to the SSH service.

Add System to TPAM

From the TPAM menu, select Systems, Accounts, & Collections | Systems | Add System. Provide the name for the system and Network Address (this can be either IP address or DNS name). Select Juniper(JunOS) as the platform.

Select the appropriate password rule that matches your Junos device’s configuration. Junos supports the following five character classes for plain text passwords:

• Lowercase letters
• Uppercase letters
• Numbers
• Punctuation
• Special Characters: !@#$%^&*,+<>:;

Control characters are not recommended.

If automatic password management is desired, check the option box to do so, and configure the change settings according to your deployment plan.

Click the Connection tab to configure the functional account properties for the system.

Note that the option exists to specify a TCP port other than port 22 (the default SSH port). If the system to be managed is configured to communicate on a port other than 22 for SSH, specify the port in the Alternate Port field.

If password authentication will be used for the functional account, select the Password option and provide the current valid password for the account.

If DSS key authentication will be used, select the DSS option and select either one of the Avail. System Std. Keys or Use System Specific Key. In this example we will choose the default system standard key id_dsa. Click the Get Open SSH button to download the key to your downloads folder. Please consult the Junos documentation of your device on how to configure DSS authentication and install the key on your device.
9 LDAP and LDAPS

• Add System to TPAM

Add System to TPAM

From the TPAM menu, select Systems, Accounts, & Collections | Systems | Add System. Provide the name for the system and Network Address (this can be either IP address or DNS name). If automatic password management is desired, check the option box to do so, and configure the change settings according to your deployment plan.

Click the Connection tab to configure the details for the functional account, distinguished name, and other communication options.

Note that the option exists to specify a TCP port other than port 389 (the default LDAP port) or 636 for LDAPS. If the system to be managed is configured to communicate on a port other than 389 for LDAP, specify the port in the Alternate Port field.

10 Mac OS® X (10.4-10.8)

• Introduction
• Enable SSH Daemon
• Add the Functional Account
• Add System to TPAM
• Create and Modify the DSS Key
• Allow Domain Account PSM Access

Introduction

This section provides step by step instructions for configuring OpenSSH for Mac OS® X systems to be managed by TPAM. The steps involved are verification that the ssh daemon is enabled and configured, creation and modification of the functional account, and, if necessary, SSH key installation and configuration. Administrative knowledge of Mac OS® X and familiarity with the vi editor are assumed.

Enable SSH Daemon

Account management of Mac OS® X systems is performed using the SSH protocol. In order for the TPAM appliance to communicate properly with a Mac OS® X system, its ssh daemon must be enabled and configured.

Log on to the Mac OS® X system with an administrator account and open System Preferences. Click on Sharing.

Please verify that the Remote Login check box is selected and that Allow access will be granted for the functional account.
If the functional account is not a member of the Administrators group, remote login access for that account will need to be specifically allowed here.

Once you have verified that Remote Login access via ssh has been enabled and properly configured within System Preferences, you will need to verify that the sshd_config file is properly configured as well. Using Terminal, navigate to the /private/etc folder, make a backup of the sshd_config file using the cp command, and then open sshd_config using vi. Verify that the following settings are not commented out and are set to the values shown:

    PermitUserEnvironment yes
    PasswordAuthentication yes
    UsePAM no

If any of these settings would conflict with other ssh dependent applications, you can override settings on a per user basis using “Match User”:

    Match User funcacct
        PermitUserEnvironment yes
        PasswordAuthentication yes
        UsePAM no
        PubkeyAuthentication yes
        AuthorizedKeysFile .ssh/authorized_keys

Add the Functional Account

Following the steps below, create the functional account on a Mac OS® X system and modify its properties (the account “funcacct” is used in this example).

Log in to the Mac OS® X system with an administrator account and open System Preferences. Click on Accounts. You may have to click the lock icon to make changes. You’ll be prompted to provide the administrator account’s password.

Click the + button to add the functional account. Select Administrator from the New Account list, then provide a full name, account name, and password, and retype the password to verify it. Then click the Create Account button.

Add System to TPAM

From the TPAM menu, select Systems, Accounts, & Collections | Systems | Add System. Provide the name for the system and Network Address (this can be either IP address or DNS name). If adding a Mac OS® X 10.8 system, select MacOSX 10.7 as the platform.
If automatic password management is desired, check the option box to do so, and configure the change settings according to your deployment plan.

Click the Connection tab to configure the functional account properties for the system.

Note that the option exists to specify a TCP port other than port 22 (the default SSH port). If the system to be managed is configured to communicate on a port other than 22 for SSH, specify the port in the Alternate Port field.

If password authentication will be used for the functional account, select the Password option and provide the current valid password for the account. To use the key that has been imported from the preceding steps, select the DSS option and follow the steps outlined in Create and Modify the DSS Key.

Create and Modify the DSS Key

Log on to the Mac OS® X system as the functional account. From the TPAM menu, select Systems, Accounts, & Collections | Systems | Add System. From there, locate and select the system you have defined for this Mac® and then click the Connection tab.

Under Account Credentials select DSS and then under DSS Key Details select either one of the Avail. System Std. Keys or Use System Specific Key. In this example we will choose the default system standard key id_dsa. Click the Get Open SSH button to download the key to your downloads folder.

Next you will need to open the Terminal application to perform the following steps.
Create the .ssh directory for the functional account and then change directory to the newly created directory:

    mkdir .ssh
    cd .ssh

Copy the id_dsa.pub file that you downloaded into the .ssh directory as the file authorized_keys:

    cp /Users/funcacct/Downloads/id_dsa.pub authorized_keys

Edit the sshd_config file on the managed Mac® system (/private/etc/ssh/sshd_config) to include the following in the “Authentication” section:

    PubkeyAuthentication yes
    AuthorizedKeysFile .ssh/authorized_keys

Allow Domain Account PSM Access

A placeholder account can be created on a Mac OS® system to allow a domain account PSM access. Add the account with None selected for password management. On the PSM Session Details tab select SSH - Automatic Login Using Password as the proxy type. On the PSM Details Session Authentication tab select the domain account from the Use Windows Domain Account list.

11 Mainframe

• Mainframe (RACF)
• Mainframe LDAP (RACF/TopSecret)
• Mainframe (ACF2)

Mainframe (RACF)

Create the Functional Account

The functional account is used to issue the alu command for changing account passwords, including its own. The functional account requires system special permission.

Add System to TPAM

Configure the new system in TPAM as would be done for any system, selecting Mainframe as the platform. Specify the functional account used and the password assigned.

Password Check

TPAM connects via 3270 and waits for an input prompt. TPAM enters the username and waits for the password prompt. The password is entered and TPAM waits for an input prompt. Logoff is entered and the session is evaluated to determine success.

Password Change

The above procedure is followed except that the alu password command is entered before the Logoff command is sent.

Mainframe LDAP (RACF/TopSecret)

Add System to TPAM

From the TPAM menu, select Systems, Accounts, & Collections | Systems | Add System.
Provide the name for the system and Network Address (this can be either IP address or DNS name). If automatic password management is desired, check the option box to do so, and configure the change settings according to your deployment plan.

Click the Connection tab to configure the functional account properties for the system.

Note that the option exists to specify a TCP port other than port 389 (the default LDAP port) or 636 for LDAPS. If the system to be managed is configured to communicate on a port other than 389 for LDAP, specify the port in the Alternate Port field. Select the Use SSL check box if LDAPS is to be used.

Enter the name of the functional account that has been created on the mainframe and its password. Follow the procedure for adding accounts to modify the functional account to include the DN of this account in the Description field.

The Custom Command field is where you place the LDAP attributes in a space delimited format. For RACF®, there are two attributes that need to be present. The following string represents a valid Custom Command field for RACF:

    racfPassword racfattributes:noexpired

TopSecret requires 3 attributes; an example is below:

    userPassword userPassword-Interval:0XX userPassword-Expire:

In all cases, the first attribute must be the password attribute.

Account Name Setup

When setting up accounts for Mainframe LDAP managed systems, the Account Name field is not where the actual account name will be listed. For example, the name you enter in the Functional Account field on the Connection tab is just a placeholder.

The Description field on the Account Details Information tab is where you must enter the account name for all accounts on LDAP/LDAPS managed systems. All communication between TPAM and the managed LDAP/LDAPS system on the back end will use the account name in the Description field.
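The following is an added example, not TPAM's own code, showing how a Custom Command string of the kind shown above, together with the account DN from the Description field, maps onto the LDAP modify operation it describes, rendered as LDIF. It assumes (the guide does not spell this out) that tokens after the password attribute are attribute:value pairs and that a bare "attribute:" sets an empty value; the DNs and password in it are constructed sample values.

```python
import base64
from typing import List, Tuple

Mod = Tuple[str, str]  # (attribute, value) to be replaced on the entry


def parse_custom_command(custom_command: str) -> Tuple[str, List[Mod]]:
    """Split a TPAM Mainframe LDAP Custom Command field.

    Format from the guide: space delimited attributes, first token is the
    password attribute. Tokens after the first are read here as
    "attribute:value" (assumption); a bare "attribute:" means an empty value.
    """
    tokens = custom_command.split()
    if not tokens:
        raise ValueError("Custom Command is empty")
    password_attr = tokens[0]
    if ":" in password_attr:
        raise ValueError("the first attribute is the password attribute and takes no value")
    extras: List[Mod] = []
    for tok in tokens[1:]:
        if ":" not in tok:
            raise ValueError(f"expected attribute:value, got {tok!r}")
        attr, _, value = tok.partition(":")
        if not attr:
            raise ValueError(f"missing attribute name in {tok!r}")
        extras.append((attr, value))
    return password_attr, extras


def build_modify(custom_command: str, new_password: str) -> List[Mod]:
    """Replace operations for one password change: the password attribute
    receives the new password, then the fixed attributes follow in order."""
    password_attr, extras = parse_custom_command(custom_command)
    return [(password_attr, new_password)] + extras


def _ldif_value(attr: str, value: str) -> str:
    """Render one LDIF attribute line; values LDIF cannot carry literally
    (leading space, ':' or '<', non-ASCII, NUL or line breaks) are base64."""
    if value == "":
        return f"{attr}:"
    unsafe_start = value[0] in " :<"
    unsafe_body = any(ord(c) > 126 or c in "\r\n\0" for c in value)
    if unsafe_start or unsafe_body:
        return f"{attr}:: {base64.b64encode(value.encode()).decode()}"
    return f"{attr}: {value}"


def to_ldif(dn: str, mods: List[Mod]) -> str:
    """Render the change as an LDIF 'changetype: modify' record."""
    lines = [f"dn: {dn}", "changetype: modify"]
    for attr, value in mods:
        lines += [f"replace: {attr}", _ldif_value(attr, value), "-"]
    return "\n".join(lines) + "\n"


# The two Custom Command strings given in the guide.
RACF_COMMAND = "racfPassword racfattributes:noexpired"
TOPSECRET_COMMAND = "userPassword userPassword-Interval:0XX userPassword-Expire:"

if __name__ == "__main__":
    # Constructed sample DN, as it would be entered in the account's Description field.
    dn = "racfid=FUNCACCT,profiletype=USER,cn=RACF"
    print(to_ldif(dn, build_modify(RACF_COMMAND, "Constructed-Pw1")))
```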
Mainframe (ACF2)

Add the Functional Account

The functional account is used to issue the acf command for changing account passwords, including its own. The functional account requires operator security permissions. The TPAM functional account requires the following permissions:

• Ability to connect to the Mainframe ACF2 using 3270.
• Appropriate permissions to change/modify the password for all TPAM managed accounts.
• Appropriate permissions to modify the ACF2 pswd-exp flag.
• Access to log on to TSO.

Add the System to TPAM

From the TPAM menu, select Systems, Accounts, & Collections | Systems | Add System. Provide the name for the system and Network Address (this can be either IP address or DNS name). If automatic password management is desired, check the option box to do so, and configure the change settings according to your deployment plan.

Click the Connection tab to configure the functional account properties for the system. If applicable in your custom patch, TPAM will use the configured Custom Command.

Password Check

To check passwords, TPAM connects via 3270 and waits for an input prompt. TPAM enters the username and waits for the password prompt. The password is entered and TPAM waits for an input prompt. Logoff is entered and the session is evaluated to determine success.

Password Change

To change a password, the above procedure is followed except that the acf password command is entered before the Logoff command is sent.

12 MS SQL Server (2000 & 2005)

• Authentication and Encryption
• TPAM Commands for Managing MS SQL Server
• Encryption Recommendation
• Add the Functional Account
• Add System to TPAM
• SQL Server Named Instances

Authentication and Encryption

The authentication to Microsoft® SQL Server® never sends the password in clear text. Once connected, however, all SQL commands issued and their results are sent in clear text unless either the client or the server requests protocol encryption.
TPAM, as the client, does not attempt to force the encryption because 1) it would fail to connect to any server that does not meet the requirements for SSL encryption, and 2) it would require that the certificate installed at the server is in the certificate trust list on TPAM. TPAM only includes the default Trusted Root Certificates supplied with the operating system and occasionally updated through OS patches. If the database server mandates encryption via the Force Protocol Encryption setting in the Server Network Configuration, TPAM can and will adhere to that mandate.

TPAM Commands for Managing MS SQL Server

• Test System - TPAM opens a connection to the database server using the username/password of the functional account. If the connection can be established, the test is successful; otherwise, it is considered a failure.
• Check Password - TPAM opens a connection to the database server using the username/password of the account being checked. If the connection can be established, the test is successful. If not, TPAM then connects to the database using the functional account and queries master..syslogins for the existence of the account. If the account exists, a password mismatch is reported; if it does not, the error indicates that the account does not exist; and if this connection cannot be established, an “unable to connect” message is returned.
• Change Password - TPAM connects to the database using the username/password of the functional account and executes the sp_password system stored procedure for the account. The authentication is encrypted, but the text of the SQL to execute the stored procedure is sent in clear text by default. This means that the password that is being set for the account can be sniffed from the wire. If protocol encryption is mandated from the database server, nothing is sent in clear text.
Encryption Recommendation

It is recommended to use protocol encryption with Microsoft SQL Server databases. It is included with the product (free), easy to set up, and has only a slight performance impact. It is likely that passwords are not the only sensitive information being stored in or retrieved from the database.

The following links provide information on setting up protocol encryption on SQL Server 2000 database servers:

http://support.microsoft.com/kb/276553
http://support.microsoft.com/kb/316898

For SQL Server 2005, the following link provides detailed instructions:

http://technet.microsoft.com/en-us/library/ms189067.aspx

There is no additional setup required at TPAM to utilize secure connections to Microsoft SQL Server. If it is specified at the DBMS, it will be used by TPAM.

Add the Functional Account

Create a new account on the SQL Server to be the TPAM functional account (the name questtpam is used in these examples). Give the account a password. Configure this account to use SQL Server Authentication, not integrated authentication. Example:

    exec sp_addlogin 'questtpam', 'password'

Add the questtpam functional account to the System Administrators server role. Example:

    sp_addsrvrolemember @loginame = 'questtpam', @rolename = 'sysadmin'

Add System to TPAM

From the TPAM menu, select Systems, Accounts, & Collections | Systems | Add System. Provide the name for the system and Network Address (this can be either IP address or DNS name) of the server on which the database resides. If automatic password management is desired, check the option box to do so, and configure the change settings according to your deployment plan. Select “MS SQL Server” as the platform.

The general format of the extra database connection strings is parm=value;parm=value;...
The commands allowed in the Extra DB Connection string are:

• encrypt=yes|true|no|false
• initial catalog=databaseName (same as database=databaseName)
• database=databaseName
• trustservercertificate=yes|true|no|false
• encryptpassword=yes|true|no|false
• min pool size=#
• max pool size=#

NOTE: When using a "local computer account" as the functional account, the extra DB connection string is ignored for purposes of Check System, Check Password, and Change Password. Account discovery still uses it in this case.

Click the Connection tab to specify the details for the functional account. Specify the functional account used on the SQL Server (i.e. ‘questtpam’), and enter the password for the account.

If the MS SQL Server supports Windows Authentication in addition to SQL authentication, you can leverage a Domain Account or Local Computer Account as the functional account. The corresponding Windows Active Directory® or Windows system/account should be created beforehand, so that you can choose this account on the Connection tab of the MS SQL Server system.

Notice the Tunnel DB Connection through SSH check box. Database tunneling through SSH provides the ability to securely connect to a remote database. For DBMS accounts, SSH tunneling only uses public key authentication, not manual passwords, for establishing the SSH connections.

TIP: Make sure that the default of AllowTcpForwarding is set to yes in the SSH configuration file of the managed system.

SQL Server Named Instances

TPAM supports dynamic ports by using the network address\namedinstance value in the network address field on the Systems Detail tab in TPAM. If TPAM detects a named instance value in this field, it will not use the Port listed on the Connection tab or the default port of 1433 to connect to the MS SQL Server system. Instead TPAM will query for the dynamic port.
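The Extra DB Connection string rules and the network address\namedinstance convention above, put into code as an added example (not TPAM's own code): a strict parser for the connection string, the named-instance versus port decision, and a check that flags the settings the Authentication and Encryption section warns about. Host names and values are constructed; rejecting unknown or duplicate keys is this example's choice, since the guide does not say how TPAM treats them.

```python
import re
from typing import Dict, List, Optional, Union

Value = Union[bool, int, str]

# Keys the guide lists for the Extra DB Connection string.
BOOL_KEYS = {"encrypt", "trustservercertificate", "encryptpassword"}
INT_KEYS = {"min pool size", "max pool size"}
STR_KEYS = {"database"}
ALIASES = {"initial catalog": "database"}  # "same as database=databaseName"
DEFAULT_PORT = 1433


def _parse_bool(key: str, raw: str) -> bool:
    v = raw.strip().lower()
    if v in ("yes", "true"):
        return True
    if v in ("no", "false"):
        return False
    raise ValueError(f"{key}: expected yes|true|no|false, got {raw!r}")


def parse_extra_db_connection(extra: str) -> Dict[str, Value]:
    """Parse 'parm=value;parm=value;...' into typed options.

    Unknown keys and malformed segments raise ValueError, so a typo such as
    'encrpyt=yes' is rejected rather than silently leaving encryption off
    (this strictness is an assumption of the example, not documented TPAM
    behaviour).
    """
    opts: Dict[str, Value] = {}
    for seg in extra.split(";"):
        if not seg.strip():
            continue  # tolerate a trailing ';'
        if "=" not in seg:
            raise ValueError(f"segment {seg!r} is not parm=value")
        key, _, raw = seg.partition("=")
        key = re.sub(r"\s+", " ", key.strip().lower())
        key = ALIASES.get(key, key)
        if key in opts:
            raise ValueError(f"{key} given more than once")
        if key in BOOL_KEYS:
            opts[key] = _parse_bool(key, raw)
        elif key in INT_KEYS:
            if not raw.strip().isdigit():
                raise ValueError(f"{key}: expected a number, got {raw!r}")
            opts[key] = int(raw)
        elif key in STR_KEYS:
            if not raw.strip():
                raise ValueError(f"{key}: empty database name")
            opts[key] = raw.strip()
        else:
            raise ValueError(f"{key!r} is not an allowed Extra DB Connection parameter")
    if "min pool size" in opts and "max pool size" in opts:
        if opts["min pool size"] > opts["max pool size"]:
            raise ValueError("min pool size exceeds max pool size")
    return opts


def resolve_endpoint(network_address: str,
                     alternate_port: Optional[int] = None) -> Dict[str, Optional[Union[str, int]]]:
    """Apply the named-instance rule: host\\instance means the Port field and
    the 1433 default are ignored and the dynamic port is looked up instead;
    a bare host uses the Alternate Port if given, otherwise 1433."""
    host, sep, instance = network_address.strip().partition("\\")
    if not host:
        raise ValueError("empty network address")
    if sep:
        if not instance:
            raise ValueError("backslash present but no instance name")
        return {"host": host, "instance": instance, "port": None}
    return {"host": host, "instance": None, "port": alternate_port or DEFAULT_PORT}


def encryption_findings(opts: Dict[str, Value]) -> List[str]:
    """Settings that leave the sp_password text readable on the wire or skip
    certificate validation, per the Authentication and Encryption section."""
    findings: List[str] = []
    if not opts.get("encrypt", False):
        findings.append("encrypt not requested: SQL text, including new passwords, "
                        "is clear text unless the server forces protocol encryption")
    if opts.get("trustservercertificate", False):
        findings.append("trustservercertificate=yes: the server certificate is not "
                        "checked against TPAM's trust list")
    return findings


if __name__ == "__main__":
    # Constructed sample input, as an operator might enter it in TPAM.
    options = parse_extra_db_connection("encrypt=yes;initial catalog=master;max pool size=5")
    print(options, resolve_endpoint("sql01.example.test\\PAYROLL"))
    for f in encryption_findings(options):
        print("finding:", f)
```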
If using named instances with static ports, the instance name should not be included in the network address field, and the static port number should be indicated on the Connection tab.

13 Nokia IPSO

• Introduction
• Add the Functional Account
• Add System to TPAM
• Allow Domain Account PSM Access

Introduction

This section provides step by step instructions for configuring Nokia® IPSO systems to be managed by TPAM. The steps involved are creation and modification of the functional account, and adding the system to TPAM.

Add the Functional Account

Log on to the Nokia IPSO system URL (Nokia Network Voyager) - http://IPADDRESS/ as admin and create the functional account. In our examples, the functional account is named “funcacct”.

From the Top Menu, click Config. From the Configuration Menu, under Security and Access Configuration, click Users. Locate Add new user:

Enter funcacct (user names must be 1-8 characters long) for Username.
Enter 0 (zero) for Uid.
Enter /var/funcacct for Home Directory.
Click the Apply button.
Click the Save button.

Set the “funcacct” account password:

Enter New Password:
Enter New Password (verify):
Click the Apply button.

Add System to TPAM

From the TPAM menu, select Systems, Accounts, & Collections | Systems | Add System. Provide the name for the system and Network Address (this can be either IP address or DNS name). If automatic password management is desired, check the option box to do so, and configure the change settings according to your deployment plan.

Click the Connection tab to configure the functional account properties for the system.

Note that the option exists to specify a TCP port other than port 22 (the default SSH port). If the system to be managed is configured to communicate on a port other than 22 for SSH, specify the port in the Alternate Port field.
Nokia IPSO uses password authentication for the functional account; select the Password option and provide the current valid password for the account.
Enter Alternate Port: (if applicable)
Enter Connection Timeout: Default [20] seconds.
Enter Functional Account to be used: [funcacct]
Select Password. Enter the password. It must match the password supplied in the Add the Functional Account section.
Click the Save Changes button. Click the Test System button.
Allow Domain Account PSM Access
A placeholder account can be created on a Nokia IPSO system to allow a domain account PSM access. Add the account with None selected for password management. On the PSM Session Details tab, select SSH - Automatic Login Using Password as the proxy type. On the PSM Details Session Authentication tab, select the domain account from the Use Windows Domain Account list.
14 Novell NDS
• Add System to TPAM
Add System to TPAM
From the TPAM menu, select Systems, Accounts, & Collections | Systems | Add System. Provide the name for the system and Network Address (this can be either IP address or DNS name). If automatic password management is desired, check the option box to do so, and configure the change settings according to your deployment plan.
Click the Connection tab to configure the details for the functional account, distinguished name and other communication options. Note that the option exists to specify a port other than port 636 (the default Novell® port). If the system to be managed is configured to communicate on a port other than 636 for Novell, specify the port in the Alternate Port field.
15 OpenVMS
• Add System to TPAM
Add System to TPAM
From the TPAM menu, select Systems, Accounts, & Collections | Systems | Add System. Provide the name for the system and Network Address (this can be either IP address or DNS name).
If automatic password management is desired, check the option box to do so, and configure the change settings according to your deployment plan.
Select the Connection tab to configure the details for the functional account and other communication options. Note the option to specify an Alternate Port. If the default port of 22 is not used, enter the port in this field.
Enter the name of the functional account that has been created on the OpenVMS system and its password, or select the DSS Key option. The functional account must have SECURITY as an authorized privilege, must have RW access to SYSUAF.DAT, and SYSUAF.DAT must be in the functional account's default directory (i.e., the default of SYS$SYSTEM).
16 Oracle (9i, 10g, 11g)
• Authentication and Encryption
• TPAM Commands for Oracle
• Encryption Recommendation
• Add the Functional Account
• Add System to TPAM
Authentication and Encryption
By default, the connection that TPAM establishes to the Oracle® database server utilizes a secure authentication protocol. Like all of the other DBMS, however, all data sent between the client and the database server after authentication is unencrypted. This means that when changing the password for an account, the new password being set for the account is sent in clear text.
Oracle has an optional feature that can be installed called Oracle Advanced Security Option. This is available for both 9i and 10g, and can be used to provide encryption of data in transit between the client and the server (in addition to many other security enhancements it provides). This option allows the DBA to configure a listener for an instance to require a secure channel via SSL. Like Sybase®, it is possible to set up both secure and unsecured listeners for the same instance.
TPAM Commands for Oracle
• Test System - TPAM opens a connection to the database server using the username/password of the functional account. If the connection can be established, the test is successful; otherwise, it is considered a failure.
• Check Password - TPAM opens a connection to the database server using the username/password of the account being checked. If the connection can be established, the test is successful. If not, TPAM then connects to the database using the functional account. If that connection is successful, TPAM assumes a password mismatch for the account. Otherwise, an "Unable to connect" result is returned.
• Change Password - TPAM connects to the database using the username/password of the functional account and executes "alter user xxx identified by yyy" to change the account's password. The authentication is encrypted, but the text of the SQL is sent in clear text.
Encryption Recommendation
It is recommended to configure a secure listener on all Oracle instances for use with TPAM. Consult your Oracle documentation or DBA to set up the secure listener for the data server.
Add the Functional Account
Create a user ID that uses password authentication. Example:
create user "questtpam" identified by "password" default tablespace "USERS";
Grant the "create session" and "alter user" privileges to the account. Example:
grant create session to "questtpam";
grant alter user to "questtpam";
Add System to TPAM
From the TPAM menu, select Systems, Accounts, & Collections | Systems | Add System. Provide the name for the system and Network Address (this can be either IP address or DNS name) of the server on which the database resides. If automatic password management is desired, check the option box to do so, and configure the change settings according to your deployment plan.
Select "Oracle" as the platform.
NOTE: If you do not want to use the two-part password change method for the system, select Oracle (Legacy) as the platform. Oracle (Legacy) does not support AutoDiscovery.
The general format of the Extra DB Connection string is parm=value;parm=value;...
The commands allowed in the Extra DB Connection string are:
• dba privilege=SYSDBA|SYSOPER
• pooling=true|false
• min pool size=#
• max pool size=#
• incr pool size=#
• decr pool size=#
• connection lifetime=#
• connection timeout=#
Click on the Connection tab. Specify the functional account used on the Oracle database (i.e. 'questtpam'), and enter the password for the account.
NOTE: If the functional account is sys, this account needs to have the sysdba role in order for TPAM to successfully connect.
Notice the Tunnel DB Connection through SSH check box. Database tunneling through SSH provides the ability to securely connect to a remote database. For DBMS accounts, SSH tunneling only uses public key and not manual passwords for establishing the SSH connections.
TIP: Make sure that the default of AllowTcpForwarding is set to Yes in the SSH configuration file of the managed system.
17 POS 4690
• Add Functional Account
• Add a Password Rule
• Add System to TPAM
Add Functional Account
To create the functional account:
1 Log on to the POS 4690 system.
2 Enter 1 and press the ENTER key.
3 Enter 5 and press the ENTER key.
4 Enter 3 and press the ENTER key.
5 Enter 2 and press the ENTER key.
6 Enter your Operator ID and press the ENTER key.
7 Enter the ID for the Manager model.
8 Enter a Password for the ID.
9 Enter Y and press the ENTER key.
10 Enter Y and press the ENTER key.
11 Enter Y and press the ENTER key.
12 Enter N and press the ENTER key.
13 Enter Y and press the ENTER key.
14 Enter Y and press the ENTER key.
Add a Password Rule
The System Administrator will need to configure a password rule for the 4690 systems in the admin interface as shown below.
POS 4690 systems only allow numeric characters for the password.
Add System to TPAM
From the TPAM menu, select Systems, Accounts, & Collections | Systems | Add System. Provide the name for the system and Network Address (this can be either IP address or DNS name). If automatic password management is desired, check the option box to do so, and configure the change settings according to your deployment plan. Select the password rule that was created for the POS 4690 systems from the Password Rule list.
Click the Connection tab to configure the functional account properties for the system. Make sure that the Functional Account name matches the Operator ID that you configured on the POS 4690 system.
18 ProxySG
• Introduction
• Add Functional Account
• Add Functional Account via the CLI
• Add System to TPAM
Introduction
TPAM has the ability to manage two accounts on Blue Coat®'s ProxySG® systems: the Enable account and the Funcacct (console) account.
Add Functional Account
The functional account for the ProxySG is the console access account. This account is also used for CLI access to the ProxySG. The name of the account is determined by the Administrator. This account can be altered through the Blue Coat Web Console or through the CLI console. If these are not configured, please refer to the ProxySg_InstallGuide document.
To create the functional account:
1 Access the Blue Coat console at https://<Blue Coat IP or DNS name>:8082
2 Click on Authentication | Console Access.
3 Enter a new user name in the User Name field.
4 After entering the new user name you will be prompted to re-authenticate. Enter the user name and password and click the OK button.
5 Click the Change Password button.
6 Enter and confirm the new password. Click the OK button.
7 After entering the new password you will be prompted to re-authenticate. Enter the user name and password and click the OK button.
This account information will be used to configure the Connection tab for the system in the TPAM web interface.
Add Functional Account via the CLI
The functional account can also be configured via the CLI. Please refer to your Blue Coat documentation to obtain the correct commands. Example:
user create funcacct
user edit "funcacct" hashed-password $1$vCk8O4tH$N9aII2A8duj4l41NDGZmS/
Add System to TPAM
From the TPAM menu, select Systems, Accounts, & Collections | Systems | Add System. Provide the name for the system and Network Address (this can be either IP address or DNS name). If automatic password management is desired, check the option box to do so, and configure the change settings according to your deployment plan.
Click the Connection tab to configure the functional account properties for the system. If a port other than 22 is being used, enter the Alternate Port. Enter the Functional Account name and password. Enter the Enable Password for the ProxySG system. Click the Save Changes button. This will create the two managed accounts that can be managed by the system: the enable and funcacct accounts. To view these accounts, click the Accounts button. Attempts to create any other accounts will result in an error message.
The SSH protocol version used is determined by how the ProxySG system is configured. It is assumed that only v1 or v2 may be enabled at any given time on the ProxySG.
19 PSM Web Access
• Introduction
• Web access proxy profiles
• Set the default web access proxy profile
• Add a web access proxy profile
• Assign a web access proxy profile to a DPA
• Delete a web access proxy profile
• Add web access system to TPAM
Introduction
If your company has a web based application and you want to manage access to this application, you can set up a system with a platform of PSM Web Access.
NOTE: A DPA is required to use the PSM Web Access platform.
Web access proxy profiles
A web access proxy profile allows you to set the proxy configuration that is used for PSM Web Access systems. Once added, the default web access proxy profile will automatically be assigned to any DPAs in the cluster and be used by the WebAccessAccount when starting a PSM session. If another web access proxy profile is added in addition to the default, it must be manually assigned to the DPA on the DPA Management page.
Set the default web access proxy profile
To set the default web access proxy profile:
1 Select Management | Profile Management from the menu.
2 Select Web Access Proxy from the Profile Type list.
3 Make sure the Default profile is highlighted in the list box on the left.
4 Enter the HTTP Proxy and/or HTTPS Proxy and Port to be used.
5 Click the Save Changes button.
Now all DPAs will be assigned this proxy profile unless it is manually changed on the DPA Management page.
Add a web access proxy profile
To add a web access proxy profile:
1 Select Management | Profile Management from the menu.
2 Select Web Access Proxy from the Profile Type list.
3 Click the New Profile button.
4 Enter a unique name for the profile.
5 Enter the HTTP Proxy and/or HTTPS Proxy and Port to be used.
6 Click the Save Changes button.
Assign a web access proxy profile to a DPA
To assign a web access proxy profile to a DPA:
1 Select Management | DPAs from the menu.
2 Select the DPA from the server list. Click the Details tab.
3 Select the web access proxy profile from the list.
4 Click the Save Changes button.
Delete a web access proxy profile
To delete a web access proxy profile:
1 Select Management | Profile Management from the menu.
2 Select Web Access Proxy as the profile type.
3 Select the profile to be deleted from the list.
4 Click the Delete Profile button.
5 Click the OK button on the confirmation window.
NOTE: A web access proxy profile can only be deleted if it is not assigned to any DPAs.
Add web access system to TPAM
From the TPAM menu, select Systems, Accounts, & Collections | Systems | Add System. Provide the name for the system. Enter the URL that you want the sessions to be limited to in the Restricted URL field. Click the Save Changes button.
If you want the ability to navigate away from the restricted URL that is entered, preface the restricted URL with "ALLOWNAV;". This is not case-sensitive. For example, to start at www.dell.com and allow navigation away from there, ALLOWNAV;www.dell.com would be typed in the Restricted URL box.
Click on the Affinity tab. Select the PSM DPA Server that you want to use to manage these sessions. Use the Ticket System tab to set any ticket validation requirements for session requests. Assign permissions to this system using the Collections and Permissions tabs. Click the Save Changes button. Saving the system will create a default WebAccessAccount which can then be requested by authorized users.
20 SAP
• Add System to TPAM
• Add Permissions to Functional Account in SAP
Add System to TPAM
To add an SAP system to TPAM:
1 From the TPAM menu, select Systems, Accounts, & Collections | Systems | Add System.
2 Enter the system name.
3 In the Network Address field, enter the SAP host name and system number in this format: "hostname:sysnr". For example, a host name of n4shost.corp.company-software.lab with an instance number of 42 would be entered as follows: n4shost.corp.company-software.lab:42
4 If automatic password management is desired, check the option box to do so, and configure the change settings according to your deployment plan.
5 Enter the SAP client in the Client ID field.
6 Click the Connection tab to configure the details for the functional account and other communication options.
7 Enter the name of the functional account that has been created in SAP and its password.
8 Click on the remaining tabs to complete configuration of the system. See the TPAM Administrator Guide for more details on adding a system.
9 Click the Save Changes button.
Add Permissions to Functional Account in SAP
Within SAP, the functional account used to communicate with TPAM must have the S_USER_GRP authorization granted (or any authorization set that contains this authorization, e.g. SAP_ALL) in order to manage other users' accounts.
To configure the functional account to work with TPAM:
1 Enter the functional account name in the User field.
2 Click the create icon.
3 Enter information on the Address tab.
4 Click the Save icon.
5 Click the Roles tab.
6 Enter the administrative role name.
7 Click the Save icon.
SAP passwords will remain in a "productive" state for all user types, and TPAM will not reset passwords that have been deactivated.
21 SonicWALL
• Introduction
• Add the Functional Account
• Add System to TPAM
Introduction
This section provides step by step instructions for configuring Dell SonicWALL™ Network Security Appliances (NSA) to be managed by TPAM. The steps involved are creation and modification of the functional account, and adding the system to TPAM.
NOTE: The Dell SonicWALL NSA must be running a SonicOS firmware revision of 5.9 or later. Also, while TPAM can change passwords for both the Admin account and all Local Users, it can only check passwords for the "Admin" account and Local Users who are members of the SonicWALL Administrators group.
Add the Functional Account
Log on to the Dell SonicWALL NSA web management interface using the admin account, or a local account with full administrative privileges. Create a new local user; in this case we are using funcacct. Enter a password that conforms to any policy you have configured on the firewall. From the Group tab, add the account to the SonicWALL Administrators group.
Click the OK button to save the changes.
Add System to TPAM
From the TPAM menu, select Systems, Accounts, & Collections | Systems | Add System. Provide the name for the system and Network Address (this can be either IP address or DNS name). If automatic password management is desired, check the option box to do so, and configure the change settings according to your deployment plan.
Click the Connection tab to configure the functional account properties for the system. Note that the option exists to specify a TCP port other than port 22 (the default SSH port). If the system to be managed is configured to communicate on a port other than 22 for SSH, specify the port in the Alternate Port field. Dell SonicWALL Network Security Appliances use password authentication for the functional account. Select the Password option and provide the current valid password for the account. Click the Save Changes button. Click the Test button.
22 Sybase Adaptive Server Enterprise (ASE)
• Authentication and Encryption
• TPAM Commands for Sybase
• Encryption Recommendation
• Add the Functional Account
• Add System to TPAM
Authentication and Encryption
By default, an ODBC connection to ASE does not secure the login packet, meaning the clear text password is sent across the network. TPAM specifies password encryption for the connection, so the password is never sent in clear text during authentication. After authentication, however, all information sent between the client and server is unencrypted. As a result, the change password issued from TPAM (or any other application) sends not only the password of the account being changed in clear text, but also the password of the TPAM functional account, because the sp_password system stored procedure in ASE requires the caller's (sso_role) password as a parameter in order to execute.
Sybase does provide a mechanism to enable SSL encryption of the data stream, and this can be set up to listen on a selected port only, allowing some connections to be encrypted while others use the default, unencrypted port. TPAM can be configured to communicate with this encrypted port, ensuring that no clear text passes between TPAM and the Sybase data server.
TPAM Commands for Sybase
• Test System - TPAM opens a connection to the database server using the username/password of the functional account. If the connection can be established, the test is successful; otherwise, it is considered a failure.
• Check Password - TPAM opens a connection to the database server using the username/password of the account being checked. If the connection can be established, the test is successful. If not, TPAM then connects to the database using the functional account and queries master..syslogins for the existence of the account. If the account exists, a password mismatch is reported; if it does not, the error indicates that the account does not exist; and if the functional account connection cannot be established, an "unable to connect" message is returned.
• Change Password - TPAM connects to the database using the username/password of the functional account and executes the sp_password system stored procedure for the account. The authentication is encrypted, but the text of the SQL to execute the stored procedure is sent in clear text by default. This means that the password being set for the account and the TPAM functional account's password can be sniffed from the wire.
Encryption Recommendation
It is recommended to configure a secure port on all Sybase instances for use with TPAM. Consult your Sybase documentation or DBA to set up the secure listening port at the data server.
Instructions for setting up the secure listening port can be found in "Secure Sockets Layer (SSL) in Adaptive Server", under Security Administration in the System Administrator's Guide of the Sybase documentation.
Add the Functional Account
Create a login ID on Sybase that uses database authentication (not integrated), and assign the ID a password. Example:
exec sp_addlogin 'questtpam', 'password'
Grant Security Officer privileges to the account. Example:
grant role sso_role to questtpam
Add System to TPAM
From the TPAM menu, select Systems, Accounts, & Collections | Systems | Add System. Provide the name for the system and Network Address (this can be either IP address or DNS name) of the server on which the database resides. If automatic password management is desired, check the option box to do so, and configure the change settings according to your deployment plan. Select "Sybase" as the platform.
The general format of the Extra DB Connection string is parm=value;parm=value;...
The commands NOT allowed in the Extra DB Connection string are:
• password
• pwd
• uid
• host
• port
• sslcafile
• data source
• encryption
• trustedfile
• dsurl
Select the Connection tab to configure the details for the functional account and other communication options. Specify the functional account used on the SQL Server (i.e. 'questtpam'), and enter the password for the account. If you plan on checking the Use SSL option, you must get your System Administrator to install the Trusted Root Certificate first through the config interface.
The Tunnel DB Connection through SSH option provides the ability to securely connect to a remote database. Enter the Account Name that you will use to connect to the remote system. If SSH is not listening on port 22, please provide the correct port you want the connection forwarded to. For DBMS accounts, SSH tunneling only uses public key and not manual passwords for establishing the SSH connections.
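A validator for the parm=value;parm=value;... Extra DB Connection string, added here as an example (not TPAM's code) covering the three lists in this guide: the MS SQL Server and Oracle allowed parameters with their value forms, and the Sybase parameters that are not allowed. Matching names case-insensitively with whitespace collapsed, and treating initial catalog and database as one setting, are assumptions of this example rather than documented TPAM behaviour.

```python
"""Added example (not part of the TPAM guide): validate an Extra DB Connection
string against the per-platform parameter lists for MS SQL Server, Oracle and
Sybase. Name normalisation (case, whitespace) is an assumption."""
import re

_BOOL_YN = re.compile(r"^(yes|true|no|false)$", re.I)   # MS SQL yes|true|no|false
_BOOL_TF = re.compile(r"^(true|false)$", re.I)          # Oracle true|false
_INT = re.compile(r"^\d+$")                             # the '#' entries
_ANY = re.compile(r"^.+$")                              # databaseName
_DBA = re.compile(r"^(SYSDBA|SYSOPER)$", re.I)

ALLOWED = {
    "mssql": {
        "encrypt": _BOOL_YN, "initial catalog": _ANY, "database": _ANY,
        "trustservercertificate": _BOOL_YN, "encryptpassword": _BOOL_YN,
        "min pool size": _INT, "max pool size": _INT,
    },
    "oracle": {
        "dba privilege": _DBA, "pooling": _BOOL_TF, "min pool size": _INT,
        "max pool size": _INT, "incr pool size": _INT, "decr pool size": _INT,
        "connection lifetime": _INT, "connection timeout": _INT,
    },
}
DENIED = {
    "sybase": {"password", "pwd", "uid", "host", "port", "sslcafile",
               "data source", "encryption", "trustedfile", "dsurl"},
}


def _norm(name: str) -> str:
    """Assumed normalisation: collapse whitespace, lower-case the parameter name."""
    return " ".join(name.split()).lower()


def parse_extra_db_connection_string(text: str) -> dict:
    """Split parm=value;parm=value;... into a dict keyed by normalised name."""
    params = {}
    for chunk in text.split(";"):
        if not chunk.strip():
            continue  # tolerate a trailing ';'
        if "=" not in chunk:
            raise ValueError(f"expected parm=value, got {chunk!r}")
        name, value = chunk.split("=", 1)
        key = _norm(name)
        if not key:
            raise ValueError(f"empty parameter name in {chunk!r}")
        if key in params:
            raise ValueError(f"duplicate parameter {key!r}")
        params[key] = value.strip()
    return params


def validate_extra_db_connection_string(platform: str, text: str) -> dict:
    """Return the parsed parameters if valid for the platform, else raise ValueError."""
    params = parse_extra_db_connection_string(text)
    if platform in ALLOWED:
        rules = ALLOWED[platform]
        for key, value in params.items():
            if key not in rules:
                raise ValueError(f"{key!r} is not allowed for {platform}")
            if not rules[key].match(value):
                raise ValueError(f"bad value {value!r} for {key!r}")
        if "initial catalog" in params and "database" in params:
            # Assumption: the guide says these are the same setting, so giving
            # both is treated as ambiguous rather than silently picking one.
            raise ValueError("initial catalog and database are the same setting; give one")
    elif platform in DENIED:
        bad = sorted(set(params) & DENIED[platform])
        if bad:
            raise ValueError(f"{', '.join(bad)} not allowed for {platform}")
    else:
        raise ValueError(f"unknown platform {platform!r}")
    if {"min pool size", "max pool size"} <= set(params):
        if int(params["min pool size"]) > int(params["max pool size"]):
            raise ValueError("min pool size exceeds max pool size")
    return params


if __name__ == "__main__":
    print(validate_extra_db_connection_string(
        "mssql", "Encrypt=yes;TrustServerCertificate=no;Min Pool Size=1;Max Pool Size=10"))
    print(validate_extra_db_connection_string("oracle", "dba privilege=SYSDBA;pooling=false"))
    print(validate_extra_db_connection_string("sybase", "charset=utf8;"))
```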
TIP: Make sure that the default of AllowTcpForwarding is set to Yes in the SSH configuration file of the managed system.
23 HP NonStop Tandem
• Introduction
• Server Setup
• Add the Functional Account
• TPAM Client Setup
• Test Connectivity
Introduction
TPAM uses a functional account created on the managed host with administrative privileges to manage privileged accounts. There is no agent to be configured on the managed server.
Server Setup
To make sure the TPAM server can communicate with the HP NonStop Tandem server, please do the following:
• Obtain the Telnet package from HP, install it, and configure it to run on the default port of 23, or any other desired port.
• Make sure any intervening firewalls will allow Telnet traffic between the TPAM appliance and the HP NonStop Tandem server.
• Set up the functional account. See Add the Functional Account.
Add the Functional Account
Create a new account on the HP NonStop Tandem server (the name funcacct is used in this example). The Tandem elevated account, super, which has group ID 255 and user ID 255, i.e. (255,255), or a group manager ID with group ID 255, can use the TACL ADDUSER command as in the example below:
ADDUSER SUPER.FUNCACCT,255,n
n is an integer from 0 to 255 that uniquely identifies the user funcacct within the group.
If using the Safeguard command interpreter Safecom, then the super ID can use the ADD USER command as in the example below:
ADD USER super.funcacct,255,n
n is an integer from 0 to 255 that uniquely identifies the user funcacct within the super user group.
TPAM Client Setup
To add an HP NonStop Tandem system to TPAM:
1 Select Systems, Accounts, & Collections | Systems | Add System.
2 Enter the System Name and Network Address (this can be either IP or DNS name).
3 Select HP Non-Stop from the platform list.
4 Leave the Enable Automatic Password check box selected to manage passwords for this system.
5 Enter tacl in the Initial Command field. TPAM will use this to access the logon command.
6 Click the Connection tab.
7 If the default port of 23 is not used, enter an alternate port number.
8 Enter the name and password of the functional account that has been created on the HP NonStop Tandem server. This account must have the administrative privileges required to manage other accounts.
9 Click the Save Changes button.
Test Connectivity
Telnet access may be checked from a machine with Telnet client software installed, provided any intervening firewalls allow the traffic through. A test from a Windows command prompt can check this by running the following command, replacing <NonStop IP> with the HP NonStop server IP address:
telnet <NonStop IP> 23
A test can also be run from the TPAM client /parconfig interface:
/parconfig> Net Tools > TelnetTest
Network Address to test: <NonStop IP>
Port: 23 (default) or designated alternative port
Timeout: 20s (default)
24 Teradata
• Introduction
• Define a Data Source
• Add the Functional Account
• Add System to TPAM
Introduction
This section highlights instructions for configuring Teradata® systems to be managed by TPAM. The steps involved are:
• Create/define datastore connection(s)
• Create Teradata user account(s)
• Configure the functional account and test it
• Create the managed system on TPAM
• Create managed account(s) and test them
Define a Data Source
To define a data source via the Teradata Administrator utility program:
1 From the main window, click File | Define Data Source. The ODBC Data Source Administrator dialog box appears and displays the User DSN tab by default.
2 Click the Drivers tab, and ensure the required ODBC driver is installed on your system.
3 Click the System DSN tab or User DSN tab.
4 Click the Add button. The Create New Data Source dialog box appears.
5 Select the Teradata ODBC driver, and then click Finish.
6 The ODBC Driver Setup for Teradata Database dialog box appears.
Enter the following fields:
NOTE: For in-depth information refer to the ODBC Driver for Teradata User Guide.
• Name - Name for the data source. Type a unique description such as Payroll or Accounts Payable.
• [Optional] Description - Descriptive text about this data source.
• Name(s) and IP address(es) - Name or IP address of the server of your Teradata Database to connect to.
• Do not resolve alias name to IP address - Select to not resolve alias names during setup. Clear this check box to allow aliases to be resolved whenever connecting to a database.
• Use Integrated Security - Select to connect to the database through Single Sign On (SSO). The Mechanism, Parameter, Username and Password boxes are unavailable and your logon information is authenticated by network security when logging on to your computer.
• [Optional] Mechanism - If a security mechanism is in place, select the authentication mechanism.
• [Optional] Parameter - If a mechanism is selected, enter the applicable authentication string.
• [Optional] Username - User name to use to log on to the Teradata Database.
• [Optional] Password - Password for the user name.
• [Optional] Default Database - Database to work in by default. Use unqualified object names only in this database; qualify all other objects using the database name. If this field is left blank, the default database is your username.
• [Optional] Account String - Account string associated with the user name.
• Session Character Set - Specify the default character set for the session. To use a different character set, select from the pull-down menu. The default is ASCII.
7 Click OK twice.
IMPORTANT: When connecting to Teradata Database V2R6.2.x or earlier, do not use UTF8 or UTF16 session character sets if the system contains Kanji object names. If any Kanji Database or User names exist on the system, the initial loading of the database tree fails.
IMPORTANT: When connecting to Teradata Database 12.0 or later, do not choose ASCII if any Kanji Database or User names exist on the system. Choose the UTF8 or UTF16 session character set so the information displays correctly on the page.
Add the Functional Account
To create or modify a user account:
1 Choose one of the following options:
• To create a new user with no shared specifications from an existing one, click Tools | Create | User.
• To create a new user either identical or closely related to an existing one, highlight the user to be cloned in the main window, and then click Tools | Clone User.
• To modify an existing user, first highlight the user to be modified in the main window, and then click Tools | Modify User.
2 Define the attributes and options as indicated in the Create User and Modify User Dialog Box Description section of the Teradata Administrator Manual.
3 Click Create or Modify.
Add System to TPAM
From the TPAM menu, select Systems, Accounts, & Collections | Systems | Add System. Provide the name for the system and Network Address (this can be either IP address or DNS name). If automatic password management is desired, check the option box to do so, and configure the change settings according to your deployment plan.
Click the Connection tab to configure the functional account properties for the system. Note that the option exists to specify a TCP port other than port 1025 (the default port for Teradata). If the system to be managed is configured to communicate on a port other than 1025, specify the port in the Alternate Port field. Teradata uses password authentication for the functional account; select the Password option and provide the current valid password for the account.
Enter the following fields:
• Alternate Port: (if applicable)
• Connection Timeout: Default [20] seconds.
• Functional Account to be used: [administrator level account required]
• Password: (must match the password supplied in the Add the Functional Account section)
Click the Save Changes button.
25 Tru64 Enhanced Security
• Introduction
• Add the Functional Account
• Using sudo
• SSH2 Daemon
• Add System to TPAM
• Create and Modify DSS Key
• Allow Domain Account PSM Access
Introduction
This section provides step by step instructions for configuring the Secure Shell daemon (sshd2) on Tru64 systems to be managed by TPAM. The steps involved are verification that the sshd2 daemon is enabled and configured, creation and modification of the functional account, and, if necessary, Secure Shell key installation and configuration. Administrative knowledge of Tru64 and familiarity with the vi editor are assumed.
Add the Functional Account
Log on to the Tru64 system as root (or a root equivalent account) and create the functional account. In our examples, the functional account is named funcacct.
Using sudo
Instead of using a root equivalent account to manage the accounts on the Tru64 system, the functional account can leverage sudo. Log into the Tru64 system as root (or a root equivalent account) and use visudo to edit the sudoers file, adding the following lines under the "User privilege specification" section of the file:
funcacct ALL=(root) NOPASSWD: /bin/grep
funcacct ALL=(root) NOPASSWD: /bin/passwd
You will also need to add the following line so that sudo does not require a tty for the functional account:
Defaults:funcacct !requiretty

SSH2 Daemon

Verify that the Tru64 system is configured to run the Secure Shell daemon (sshd2) and, if necessary, edit the sshd2 configuration file (/etc/ssh2/sshd2_config) to ensure that both password and public key authentication are permitted:

AllowedAuthentications publickey,password

If changes are made to the sshd2_config file, restart sshd to re-read the configuration:

/etc/init.d/sshd restart

Add System to TPAM

From the TPAM menu, select Systems, Accounts, & Collections | Systems | Add System. Provide the name for the system and the network address (this can be either an IP address or a DNS name). Run the "rcmgr get SECURITY" command on the Tru64 system to determine the security configuration and set the Platform type accordingly: Tru64 Untrusted for BASE security, or Tru64 Enhanced Sec. for ENHANCED security. If automatic password management is desired, check the option box to do so, and configure the change settings according to your deployment plan. In order to manage the accounts, the functional account can leverage sudo. This is done by entering sudo as the Delegation Prefix.

Click the Connection tab to configure the functional account properties for the system. Note that the option exists to specify a TCP port other than port 22 (the default SSH port). If the system to be managed is configured to communicate on a port other than 22 for SSH, specify the port in the Alternate Port field. If password authentication will be used for the functional account, select the Password option and provide the current valid password for the account. To use public key authentication, select the DSS option and click the Get Sec SSH button to download the TPAM Sec SSH Key. Follow the steps outlined in the next section to complete the public key authentication configuration on the Tru64 system.
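As an added example that is not part of the TPAM guide, the following POSIX shell functions check a Tru64 host's sshd2_config and sudoers against the two requirements of the sections above: an AllowedAuthentications line listing both publickey and password, and the funcacct sudoers lines including the requiretty exemption. It runs offline against constructed sample files; the account name funcacct and the /bin/grep and /bin/passwd paths are the guide's own.

```shell
#!/bin/sh
# Added example, not from the TPAM guide. Verifies a Tru64 host's sshd2 and
# sudoers settings against the guide's requirements before the system is
# pointed at TPAM. All sample files below are constructed for the demo.

# Emit the sudoers lines the guide specifies for the functional account,
# including the Defaults line that exempts it from requiretty.
sudoers_fragment() {
    acct="$1"
    printf '%s ALL=(root) NOPASSWD: /bin/grep\n' "$acct"
    printf '%s ALL=(root) NOPASSWD: /bin/passwd\n' "$acct"
    printf 'Defaults:%s !requiretty\n' "$acct"
}

# Return 0 if the sshd2_config at $1 has an effective AllowedAuthentications
# line (comments ignored, last occurrence wins) listing both publickey and
# password; a missing keyword is treated as not permitted.
sshd2_allows_pubkey_and_password() {
    cfg="$1"
    value=$(sed -n 's/^[[:space:]]*AllowedAuthentications[[:space:]]\{1,\}//p' "$cfg" \
        | tail -n 1 | tr -d '[:space:]')
    [ -n "$value" ] || return 1
    echo ",$value," | grep -q ',publickey,' || return 1
    echo ",$value," | grep -q ',password,'  || return 1
}

# Return 0 if the sudoers file at $1 already carries every line of the
# fragment for account $2 (exact whole-line matches).
sudoers_has_fragment() {
    sudoers="$1"; acct="$2"
    sudoers_fragment "$acct" | while IFS= read -r line; do
        grep -qxF "$line" "$sudoers" || exit 1
    done
}

# Build constructed sample files in a scratch directory and echo its path:
# a misconfigured pair and a corrected pair for each of the two checks.
make_samples() {
    tmp=$(mktemp -d) || return 1
    # Constructed sshd2_config: the permissive line is commented out and the
    # effective line only allows password, so TPAM's DSS option would fail.
    cat > "$tmp/sshd2_config" <<'EOF'
# AllowedAuthentications publickey,password
AllowedAuthentications   password
Port 22
EOF
    cat > "$tmp/sshd2_config.fixed" <<'EOF'
AllowedAuthentications publickey,password
Port 22
EOF
    # Constructed sudoers: only the grep line present, no requiretty exemption.
    printf 'funcacct ALL=(root) NOPASSWD: /bin/grep\n' > "$tmp/sudoers"
    # Corrected copy: original lines plus the full fragment, deduplicated.
    { cat "$tmp/sudoers"; sudoers_fragment funcacct; } | sort -u > "$tmp/sudoers.fixed"
    echo "$tmp"
}
```

On a real host, point the two check functions at /etc/ssh2/sshd2_config and the sudoers file instead of the sample directory.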
Create and Modify DSS Key

Log into the Tru64 system as the funcacct user and create a .ssh2 directory under the user's home directory:

mkdir .ssh2

Copy the TPAM Sec SSH Key (e.g. id_dsa.export) to the .ssh2 directory created above (see the instructions in the previous section to download the TPAM Sec SSH key). Once the key is on the Tru64 system, convert it to a UNIX® compatible text file:

cd .ssh2
/usr/bin/mtools/dos2unix id_dsa.export

Authorize the TPAM SSH key by creating a Key entry in the .ssh2/authorization file:

echo Key id_dsa.export >> authorization

Allow Domain Account PSM Access

A placeholder account can be created on a Tru64 system to allow a domain account PSM access. Add the account with None selected for password management. On the PSM Session Details tab, select SSH - Automatic Login Using Password as the proxy type. On the Session Authentication sub-tab of the PSM Details tab, select the domain account from the Use Windows Domain Account list.

26 Linux® and UNIX® Systems

• Introduction
• Add the Functional Account
• Create and Modify the Public Key
• Add System to TPAM
• Allow Domain Account PSM Access

Introduction

This section provides step by step instructions for configuring OpenSSH for Linux®/UNIX® systems to be managed by TPAM. The steps involved are functional account creation and modification, and SSH key installation and configuration. Administrative knowledge of Linux®/UNIX® and familiarity with the vi editor are assumed.

CAUTION: Modification of the /etc/passwd file can result in irreparable damage to the system. Only experienced system administrators should perform this function, after taking proper backup precautions.

Add the Functional Account

Create a new account on the Linux® server and modify its properties (the account name funcacct is used in this example).
To create the functional account:

1 Create the account:

useradd -c "Functional Account" -m funcacct

2 Use visudo to edit the sudoers file and add the following lines:

• Linux® and most UNIX® systems:

funcacct ALL=(root) NOPASSWD: /bin/grep
funcacct ALL=(root) NOPASSWD: /usr/bin/passwd

• AIX® systems:

funcacct ALL=(root) NOPASSWD: /bin/sed
funcacct ALL=(root) NOPASSWD: /usr/bin/passwd
funcacct ALL=(root) NOPASSWD: /usr/bin/pwdadm

TIP: Different versions of Linux® and UNIX® may have these commands placed in different locations, so the paths may vary. Please consult a Linux®/UNIX® system administrator for assistance.

3 Press the Esc key, then type :wq! to save the file and exit visudo.

Create and Modify the Public Key

Create the .ssh directory for the funcacct account:

cd ~funcacct
mkdir .ssh

Copy the public key (id_dsa.pub) from TPAM to the .ssh directory created above, as the file authorized_keys. To obtain the key, log on to the admin interface via HTTPS and select Keys | Manage SSH Keys from the menu. One method of accomplishing the transfer is to download the key to a workstation and then copy it to the remote host via secure FTP or a similar method.

Change ownership of the .ssh directory to the functional account:

chown -R funcacct ~funcacct

Edit the sshd configuration file on the client system (/etc/ssh/sshd_config) to include the following in the "Authentication" section:

PasswordAuthentication yes
PermitRootLogin yes
PermitUserEnvironment yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

NOTE: Different versions of Linux® and UNIX® may require slightly different parameters for SSH configuration. Consult a Linux®/UNIX® system administrator for assistance.

Restart the sshd daemon:

Linux®:
service sshd restart

-OR-

UNIX®:
kill -HUP [pid]

Add System to TPAM

To add a system to TPAM:

1 Log onto the admin interface of TPAM.
2 Select Systems, Accounts, & Collections | Systems | Add System from the menu.
3 Enter the system name and network address (this can be either an IP address or a DNS name).
4 Select the Enable Automatic Password Management? check box if desired.
5 On the Management tab, set the change settings according to your deployment plan.
6 A Delegation Prefix field is available on the Information tab so that you can preface the commands that TPAM uses to manage passwords. In order to manage the accounts, the functional account can leverage sudo. Enter sudo as the Delegation Prefix.
7 Click on the Connection tab.
8 Note that the option exists to specify a TCP port other than port 22 (the default SSH port). If the system to be managed is configured to communicate on a port other than 22 for SSH, specify the port in the Alternate Port field.
9 To use the key that has been imported in the preceding steps, select the DSS option. If password authentication will be used for the functional account, select the Password option and provide the current valid password for the account.

For more detailed information regarding these and other options for configuring the managed systems, please consult the Administrator Guide.

Allow Domain Account PSM Access

A placeholder account can be created on a *nix system to allow a domain account PSM access. Add the account with None selected for password management. On the PSM Session Details tab, select SSH - Automatic Login Using Password as the proxy type. On the Session Authentication sub-tab of the PSM Details tab, select the domain account from the Use Windows Domain Account list.

27 VMware vSphere 4

• Introduction
• Add the Functional Account
• Add System to TPAM

Introduction

This section provides step by step instructions for configuring a VMware® vSphere® 4 server to be managed by TPAM. The steps involved are creation and modification of the functional account. Administrative knowledge of VMware vSphere 4 is assumed.
Add the Functional Account

Following the steps below, create the functional account on the vSphere 4 server and modify its properties (the account "funcacct" is used in this example).

Log on to the vSphere server using the vSphere Client. Once authenticated to the server, from the vSphere Client menu select View | Administration | Roles. Click Add Role.

You will then need to provide a name for the new role; in this example we'll use "FuncRole". The ONLY privilege the functional account will need is "Manage user groups", which is found under Host | Local operations.

In order to create the functional account on the vSphere server you will need to switch to the Inventory View. From the vSphere Client menu select View | Inventory. From there, click on the Users & Groups tab. Right-click in the area listing the users and select Add. Provide the Login "funcacct" and the User Name "Functional Account", type the password, retype it to confirm, and make the user a member of the users group. Click the OK button.

Next, click on the Permissions tab. Right-click in the area listing the users and select Add Permission. Under Users and Groups, add "funcacct", and under Assigned Role, select the "FuncRole" that you created earlier from the list. Click the OK button.

You have successfully created the functional account on the vSphere server and assigned it a role which will allow it to manage the passwords of other users on the server.

Add System to TPAM

From the TPAM menu, select Systems, Accounts, & Collections | Systems | Add System. Provide the name for the system and the Network Address (this can be either an IP address or a DNS name). If automatic password management is desired, check the option box to do so, and configure the change settings according to your deployment plan.

Click the Connection tab to configure the functional account properties for the system.
Note that the option exists to specify a TCP port other than port 443 (the default SSH port). If the system to be managed is configured to communicate on a port other than 443 for SSH, specify the port in the Alternate Port field.

28 Windows Active Directory

• Introduction
• Add System to TPAM

Introduction

The concepts for managing domain level accounts, or local system accounts with a domain account, are essentially the same as for standalone systems. The difference is the scope of authority for the functional account used by TPAM, and some of the underlying mechanisms.

Add System to TPAM

The first step is to create a system in TPAM to represent the domain. This is done in the same manner as for any managed system, by selecting Systems, Accounts, & Collections | Systems | Add System from the menu. TPAM will query DNS for the SRV records of the domain controllers associated with the DNS name of the Active Directory domain entered in the network address box.

Click the Connection tab to configure the details for the domain, the functional account, and other communication options:

• Enter the fully qualified domain name (e.g. saturn.planets.network.net). This cannot be a 'substitute' name, but must be the real DNS name for the domain. (Required) This is not the Domain Controller, but only the Domain Name.
• Enter the NetBIOS name for the domain. (Required)
• Specify the functional account created in the domain that TPAM will use to manage system accounts. This account must belong to the Domain Administrators group. Provide the initial password for the functional account.
• If the Non-Privileged Functional Account check box is selected, then any password changes for accounts on this system will use the account's current password to log in and make the password change, instead of using the functional account password.
If you do not select the Allow Functional Account to be Requested for password release check box, the password will only be accessible to an ISA.

The special permissions on the functional account can be either:

• Read all properties
• Write all properties
• Read permissions
• Reset password

OR

• Reset password
• Account restrictions (read/write)
• LockoutTime (read/write)

NOTE: If the Windows Net Logon service is not running, a password check will be reported as "host unreachable". A password checked through the DPA with invalid functional account credentials can be successful, but if checked through TPAM it will result in "host unreachable".

29 Windows Systems

• Introduction
• Add the Functional Account
• Add System to TPAM
• Test System
• Troubleshoot System Connectivity
• Add Windows Domain Member System to TPAM

Introduction

This section provides step by step instructions for configuring Windows 2000/2003 or domain systems. The steps involved are functional account creation and modification, and system creation on TPAM.

Add the Functional Account

On the Windows system, create a new user account to be the functional account for TPAM. This account must be added to the Administrators group. It is highly recommended that this account be given a strong password and immediately placed under TPAM management. If the account being created is in an Active Directory, the same steps apply, with the additional scope of Domain Administrator privilege.

TIP: The account name does not have to be called "questtpam", as long as the managed system and TPAM both use the same account name for the system being managed. Using a standard account name is simply a way to reduce management complexity.

It is recommended that the Password Never Expires check box is selected. Once configured in TPAM, this account can be auto-managed to keep the password secure.
Add System to TPAM

To add a system to TPAM:

1 Log onto the admin interface of TPAM.
2 Select Systems, Accounts, & Collections | Systems | Add System from the menu.
3 Enter the system name and network address (this can be either an IP address or a DNS name).
4 Select the Enable Automatic Password Management? check box if desired.
5 On the Management tab, set the change settings according to your deployment plan.
6 The Computer Name box on the Information tab is required for password management and is also used by TPAM's auto logon feature. If this field is not populated, TPAM will attempt to determine the system's computer name when the system is tested and update the field.

TIP: PSM customers have the option to have TPAM log the user into the remote system using the Computer Name\USERID format. This will prevent any incorrect logon if the default domain is saved as the DOMAIN name versus the Local Workstation. If Use Windows Domain Account is selected on the Session Authentication sub-tab of the PSM Details tab, the user credentials will be passed as DOMAIN\USERID. You will notice with both options that the DOMAIN field is grayed out at login.

TIP: PSM sessions to Windows machines using an RDP proxy connection type can be configured on the Windows machine to use SSL/TLS security for RDP connections. Note that the computer name set in TPAM for the system may need to be uppercase for the connections to succeed.

7 Click on the Connection tab to set the properties of the functional account that was created on the Windows system in the steps above.
8 Enter the name of the functional account and its initial password. For Windows systems, DSS authentication is not available, as it is not natively supported by the OS.

IMPORTANT: Managed accounts on Windows systems need to be given the user right Access this computer from the network, which can be defined via a Windows policy.
When the appliance checks a managed account's password, it connects to the managed Windows system as the managed account to verify the validity of the stored password. If an authentication error is reported, the appliance views it as a password mismatch. In most cases this error is caused by the managed account not having the right to "access this computer from the network".

NOTE: If the Windows Net Logon service is not running, a password check will be reported as "host unreachable". A password checked through the DPA with invalid functional account credentials can be successful, but if checked through TPAM it will result in "host unreachable".

Test System

To test the system connectivity to TPAM:

1 Select Systems, Accounts, & Collections | Systems | Manage Systems from the menu.
2 Enter the system name on the Filter tab.
3 Click on the Listing tab.
4 Select the system in the listing.
5 Click the Test System button.

A successful test result indicates that the remote system is now ready to be managed by TPAM.

Troubleshoot System Connectivity

The most common causes of failure are connectivity with the system, or a problem with the functional account. It is recommended that any errors at this level be fixed before proceeding to add managed accounts, etc.

Connectivity:
• Are there security rules on the network (firewalls, routers, etc.) that might be preventing this traffic?
• Is traffic from TPAM routable to the network address of the system to be managed?
• Are there any problems with cables, hubs or switches, etc.?

Functional Account:
• Is the functional account properly authorized to access the system? In a common setup, sudo is used to elevate the functional account's privileges on the system.
• Has the functional account been locked out or disabled?
• Is the functional account configured to allow remote logon?
A good troubleshooting method for failed tests is to try to access the system to be managed remotely from another system (not TPAM), using the same functional account. Problems with the configuration of the functional account on the remote system should exhibit the same symptoms from alternate access points.

Add Windows Domain Member System to TPAM

Creating Windows systems that are members of an Active Directory domain is only slightly different from creating a standalone system. The difference is in selecting the functional account used to manage the system.

• Enter the system name, address, etc. as with any new system.
• Select Windows as the platform.
• Enter the Computer Name.

Click on the Connection tab to configure the functional account and other communication options.

• To use an existing domain level functional account (rather than a local functional account), select the Use Domain Account check box.
• Select the domain/account from the list of available choices. All configured domain accounts will appear in the list, so there may be several. The Domain Account field will be populated with the selected information. No further configuration of the functional account is required.

IMPORTANT: The functional account is a member of the Administrators group, but there are some privileges that belong only to the single Administrator account. If the password policy on the Windows system has specific length and character requirements, then the password rule in TPAM must meet those requirements. If this is not done, password change failures can occur. This is because accounts in the Administrators group (such as the TPAM functional account) cannot override password policy. Only the Administrator account can override this password policy when setting a password.
30 Test and Troubleshoot

• Test System
• Troubleshoot System Connectivity

Test System

To test the system connectivity to TPAM:

1 Select Systems, Accounts, & Collections | Systems | Manage Systems from the menu.
2 Enter the system name on the Filter tab.
3 Click on the Listing tab.
4 Select the system in the listing.
5 Click the Test System button.

A successful test result indicates that the remote system is now ready to be managed by TPAM.

Troubleshoot System Connectivity

The most common causes of failure are connectivity with the system, or a problem with the functional account. It is recommended that any errors at this level be fixed before proceeding to add managed accounts, etc.

Connectivity:
• Are there security rules on the network (firewalls, routers, etc.) that might be preventing this traffic?
• Is traffic from TPAM routable to the network address of the system to be managed?
• Are there any problems with cables, hubs or switches, etc.?

Functional Account:
• Is the functional account properly authorized to access the system? In a common setup, sudo is used to elevate the functional account's privileges on the system.
• Has the functional account been locked out or disabled?
• Is the functional account configured to allow remote logon?

A good troubleshooting method for failed tests is to try to access the system to be managed remotely from another system (not TPAM), using the same functional account. Problems with the configuration of the functional account on the remote system should exhibit the same symptoms from alternate access points.

About Dell

Dell listens to customers and delivers worldwide innovative technology, business solutions and services they trust and value. For more information, visit www.software.dell.com.
Contacting Dell

Technical Support: Online Support
Product Questions and Sales: (800) 306-9329
Email: [email protected]

Technical Support Resources

Technical support is available to customers who have purchased Dell software with a valid maintenance contract and to customers who have trial versions. To access the Support Portal, go to https://software.dell.com/support/.

The Support Portal provides self-help tools you can use to solve problems quickly and independently, 24 hours a day, 365 days a year. In addition, the portal provides direct access to product support engineers through an online Service Request system. The site enables you to:

• Create, update, and manage Service Requests (cases)
• View Knowledge Base articles
• Engage in community discussions
• Chat with a support engineer