Replace the native password program
To intercept every password change made with the regular Unix password program (/usr/bin/passwd), install the replacement password program and a matching configuration file (psunix.cfg) on every Unix server where users might change their local or NIS/NIS+ passwords. See the notes about synchronization in an NIS / NIS+ environment.
The Bravura Security password replacement program (pspasswd) applies the password strength rules defined on the Bravura Pass server to every new password selection. It invokes the old, renamed password program to make the change locally on the Unix server, and then forwards a synchronization request to the Bravura Pass server.
Install pspasswd on the Unix trigger system
Before you install the Bravura Security password replacement program:

1. Note the communication key (or Master Key). The CommKey value is stored encrypted in Bravura Security Fabric. If you did not record the key in a secure location, copy the idmsetup.inf file from <instance>\psconfig\ on the Bravura Security Fabric server to the same location as the installer; the installer extracts the Communication Key value from that file.
2. Note the product administrator user name and password used to connect to the API SOAP Service.
3. Note the URL of the API SOAP Service.
4. If you did not select the Unix Installation Packages when you installed the Connector Pack, install the psunix installation package.
5. Run the installation shell script, either interactively or non-interactively, as described in the following sections.
Install pspasswd interactively
Installing interactively takes less preparation and lets you specify settings during installation. You can use the idmsetup.inf configuration file to supply some of the information as defaults.
To interactively install pspasswd on the Unix system:

1. Run the shell script install.sh from the root of the installation package:

   sudo sh install.sh [ -inf <path>/idmsetup.inf ] [ -inst <instancename> ]

   where:

   -inf    Specifies the path to the idmsetup.inf file. If omitted, you must enter the communication key (or Master Key) and other information when prompted.
   -inst   Specifies the instance name used to locate the psunix files. If omitted, files are copied to the /usr/local/psunix/default instance.
2. Follow the instructions displayed by the installer script. During installation:
   - Allow system files to be backed up.
   - Select the "Passwd Transparent Synch" installation option.
   - If you want to use the configuration options that already exist in /etc/psunix.cfg, type Y when asked. If you want to change the values, type n. See Unix Configuration Scripts for more information about the Unix listener.
   - Enter the target ID of the target that represents this system.
   - Enter the URL of the API SOAP Service.
   - Enter a proxy URL if you are using a proxy. Press Enter if you are not using a proxy.
   - Enter the proxy user name if you are using a proxy. Press Enter if you are not using a proxy.
   - Enter the proxy user's password if you are using a proxy. Press Enter if you are not using a proxy.
   - If you are using SSL, enter the path holding the CA certificate(s). Press Enter if you are not using SSL.
   - If you are using SSL, enter the certificate details. Press Enter if you are not using SSL.
   - Define the [libcurl] path, or press Enter to use the system default libcurl library.
   - Define the [ignore] value, or press Enter to use the default value.
   - Define the user name for login to the IDAPI service.
   - Define the password for the IDAPI user.
The installer renames the old password program to <program name>.bin and replaces it with pspasswd.
Install pspasswd non-interactively
The installer's non-interactive mode performs unattended installations, which is useful when you want to install on many systems over SSH, for example. This mode requires you to write a response file, which the installer reads when it is run with the non-interactive command-line option.
To install pspasswd non-interactively:

1. Edit the following sections of psunix-responsefile.cfg in the root of the installation package:

   ######################################################################
   ## general options
   # Prior to installing PSUNIX, the installer allows the option to
   # backup files affected by the installation process.
   pre-backup = "Y";
   # By default, if pre-existing configuration file(s) contains all the
   # required options, do not replace them.
   use-preexisting-cfg = "Y";

2. Edit <psunix-root>/conf/psunix.cfg to define the communication key (or Master Key) that matches the one set during installation on the Bravura Security Fabric server; for example:

   commkey = "<encrypted commkey value>";

   Optionally, pre-configure other options in this file if you want behavior that differs from the default. See Unix Configuration Scripts for details.

3. Run the shell script install.sh from the root of the installation package:

   sh install.sh -c 2 -ni [ -inst <instancename> ]

   where -inst specifies the instance name used to locate the psunix files. If omitted, files are copied to the /usr/local/psunix/default instance.
pspasswd and non-default instances
The psunix local instance name, defined by the -inst option when running the install.sh script, is not connected to the main Bravura Security Fabric instance name. If specified, it designates a sub-target.
During install/setup, if the instance name is the default, the installer creates symbolic links from:
/usr/local/psunix/<instance>/psunix.d to /etc/psunix.d, and
/usr/local/psunix/<instance>/psunix.cfg to /etc/psunix.cfg
The pspasswd binary always looks for /etc/psunix.cfg, because only one version of it can be installed in /usr/bin or /bin. If you want pspasswd to run in a non-default instance, you must create the symbolic links to /etc/psunix.d and /etc/psunix.cfg manually.
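The manual symlink step for a non-default instance, and the checks a practitioner would run once the installer has renamed the native program, as an added shell example that is not part of the psunix package or of this documentation. It assumes that /etc/psunix.cfg and /etc/psunix.d are the links and /usr/local/psunix/<instance>/ holds the real files, that the renamed original sits beside the replacement as <program>.bin as described above, and it uses a ROOT prefix (empty on a live host) so the checks can be exercised against a staging tree. The function names link_instance, instance_linked and verify_passwd_replacement are this example's own.

```shell
#!/bin/sh
# Added example (not from the psunix package or the Bravura Security docs):
# manual instance linking plus post-install checks for a pspasswd deployment.
# Assumption: /etc/psunix.cfg and /etc/psunix.d are symlinks into
# /usr/local/psunix/<instance>/. ROOT is a prefix for running the checks
# against a staging tree; leave it empty on a live host.
set -u

ROOT="${ROOT:-}"
PSUNIX_BASE="/usr/local/psunix"

# Point /etc/psunix.cfg and /etc/psunix.d at a named instance. A regular file
# or directory already present at the /etc path (for example a config written
# by an earlier default-instance install) is moved aside rather than
# overwritten, so a wrong instance name cannot silently discard a working
# configuration.
link_instance() {
    inst="$1"
    src_dir="$ROOT$PSUNIX_BASE/$inst"
    if [ ! -f "$src_dir/psunix.cfg" ] || [ ! -d "$src_dir/psunix.d" ]; then
        echo "instance '$inst' is not installed under $src_dir" >&2
        return 1
    fi
    for name in psunix.cfg psunix.d; do
        target="$ROOT/etc/$name"
        if [ -e "$target" ] && [ ! -L "$target" ]; then
            mv "$target" "$target.pre-$inst"
        fi
        ln -sfn "$src_dir/$name" "$target"
    done
}

# Succeed only if /etc/psunix.cfg is a symlink into the given instance.
instance_linked() {
    link="$ROOT/etc/psunix.cfg"
    [ -L "$link" ] && [ "$(readlink "$link")" = "$ROOT$PSUNIX_BASE/$1/psunix.cfg" ]
}

# Succeed if neither the group nor the world write bit is set on a path.
# Parsed from ls -ldL (follows symlinks), which works on Linux and BSD.
not_writable_by_others() {
    perm=$(ls -ldL "$1" | cut -c1-10)
    [ "$(printf '%s' "$perm" | cut -c6)" != w ] &&
    [ "$(printf '%s' "$perm" | cut -c9)" != w ]
}

# Check that the native password program was really replaced: the renamed
# original (<program>.bin) must still exist next to the replacement, the two
# must not be byte-identical (otherwise only a copy was made and nothing is
# intercepted), both must have the same owner (root on a live host) and must
# not be writable by anyone else, and the config pspasswd reads must resolve.
verify_passwd_replacement() {
    prog="$1"
    path="$ROOT$prog"
    orig="$path.bin"
    [ -x "$path" ] || { echo "no replacement program at $path" >&2; return 1; }
    [ -x "$orig" ] || { echo "renamed original $orig is missing" >&2; return 1; }
    if cmp -s "$path" "$orig"; then
        echo "$path is identical to $orig: the replacement was not installed" >&2
        return 1
    fi
    owner=$(ls -ldL "$path" | awk '{print $3}')
    orig_owner=$(ls -ldL "$orig" | awk '{print $3}')
    [ "$owner" = "$orig_owner" ] || { echo "owner mismatch: $owner vs $orig_owner" >&2; return 1; }
    if [ -z "$ROOT" ] && [ "$owner" != root ]; then
        echo "$path is owned by $owner, expected root" >&2
        return 1
    fi
    for f in "$path" "$orig"; do
        not_writable_by_others "$f" || { echo "$f is group- or world-writable" >&2; return 1; }
    done
    [ -f "$ROOT/etc/psunix.cfg" ] || { echo "/etc/psunix.cfg does not resolve to a file" >&2; return 1; }
    not_writable_by_others "$ROOT/etc/psunix.cfg" || { echo "psunix.cfg is writable by others" >&2; return 1; }
}

# Usage:  sh pspasswd-check.sh link <instance>
#         sh pspasswd-check.sh check [/usr/bin/passwd]
case "${1:-}" in
    link)  link_instance "${2:?instance name required}" ;;
    check) verify_passwd_replacement "${2:-/usr/bin/passwd}" && echo "pspasswd deployment looks consistent" ;;
esac
```

Run the check immediately after install.sh finishes and again from configuration management on every host: a byte-identical passwd and passwd.bin, or a config that /etc/psunix.cfg no longer resolves to, are exactly the conditions under which password changes stop being intercepted without any error being reported to the user.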