Editing psunix configuration files

Bravura Security Fabric add-ons that you install on a Unix-based server use a configuration file to define the interaction between the add-on, the Unix server, and the Bravura Security Fabric server. By default, this file is /etc/psunix.cfg; however, most add-ons allow you to specify an alternate file.

When you install a Bravura Security Fabric add-on on Unix using an installer script (for example, install.sh), the installer creates a psunix.cfg file and configures the required values. You can later edit this file to configure additional options or change your settings.

The psunix.d configuration directory contains several configuration files that contain the settings for the various psunix add-ons, including the pushpass file, which contains settings for transparent password synchronization.

See Unix Configuration Scripts for more information.

passwd utility configuration

The pspasswd file specifies the passwd utility used to perform an operation on the password of a user that is not managed by Bravura Security Fabric. Usually, this option specifies the operating system's passwd command. The native password operation is executed if the user is listed in the [restricted-user-list] option, or is contained in the ignore list on the Bravura Security Fabric server. The options are as follows:

  • passwd-cmd-reset A reset operation is less strict than a change operation since it does not validate the user's old password first. Most native passwd commands perform both change and reset operations depending on who is running the command and the arguments passed on the command line. Generally, running the passwd command as superuser is considered a password reset operation.

    This option accepts psunix textual replacement strings, notably the "%u" keyword indicating the username.

    Example:

    passwd-cmd-reset = "/bin/passwd.bin %u";
  • passwd-cmd-change A change operation is more strict than a reset operation since it validates the user's old password first. Most native passwd commands perform both change and reset operations depending on who is running the command and the arguments passed on the command line. Generally, running the passwd command as a non-privileged user is considered a password change operation.

    This option accepts psunix textual replacement strings, notably the "%u" keyword indicating the username.

    Example:

    passwd-cmd-change = "/usr/bin/yppasswd %u";

Exit status codes

The following table outlines the pspasswd exit status codes (0 indicates success; any non-zero value indicates a failure):

  Exit status   Description
  0             Success.
  1             Syntax error in PSLang override script.
  2             Failed to acquire password policy from the remote idpm/pushpass service (using legacy protocol).
  3             Failed to reset password using the native command line tool.
  4             Failed to reset password.

API SOAP Service configuration

The idapi file is used to configure the connection to API SOAP Service (idapisoap). The options are as follows:

  • targetid If you are using aliasing, this option is used to specify the ID of the target.

    Example:

    targetid = "UNIXSERVER";
  • url The url that API SOAP Service is listening on.

    Example:

    url = "http://hipmserver/default/idapi";
  • user The product administrator used to connect to the API SOAP Service.

    Example:

    user = "_API_USER";
  • psw The product administrator password used to connect to the API SOAP Service. idaptool can be used to provide an encrypted form of the password, which is preferable to storing it in clear text in this file.

    Example:

    psw = "{AES}xdWShI2f+fM7Bd0SRhIi9kHvdhM9Y0fVxvKjpIbHfp4T47X2IAjLakoNitoSfu4Z";
  • libcurl In order to communicate with the API SOAP Service over SSL, libcurl is required. If the full path is specified, the library is loaded when connecting over SSL. If no libcurl is available and plain HTTP is used, the value can be set to '0'. If empty, the system default is used.

    Example:

    libcurl = "0";
  • capath When communicating to the API SOAP Service over SSL, a certificate check will be made unless ignore is set to "1". If the CA certificate is not installed on the system default paths, a path can be specified.

    Example:

    capath = "/etc/certs";
  • cert When communicating with the API SOAP Service over SSL, a client-side certificate can be provided. If the certificate is protected by a passphrase, the passphrase must be specified as well, separated from the path by a colon. The passphrase is stored in clear text in this file, so restrict the file's permissions accordingly.

    Example:

    cert = "/etc/certs/hipmcert.pem:apassphrase";
  • ignore When communicating with the API SOAP Service over SSL, the server certificate check can be ignored. If 0, the check is performed. If 1, the check is skipped. Skipping the check removes the protection SSL gives the user and psw credentials against a man-in-the-middle, so it should only be used for troubleshooting; install the CA certificate (or set capath) instead.

    Example:

    ignore = "1";
  • language The language set in this value is used when fetching the password rules. The default is en-us. The corresponding language packs must be installed in order to retrieve rules in other languages.

    Example:

    language = "fr-fr";
  • fail-if-unavailable Specifies the action to take if the password operation fails and the API SOAP Service cannot be contacted. The default behavior is to fail the operation if the service is unavailable.

    Example:

    fail-if-unavailable = "true";

Password Manager Service configuration (idpm)

The pushpass file is used to configure the Password Manager service (idpm). The options are as follows:

  • targetid If you are using aliasing, this option is used to specify the ID of the target.

    Example:

    targetid = "UNIXSERVER";
  • hostname The hostname option is used to specify the location of the Password Manager service used by pspasswd. This can be either an IP address or a hostname.

    Example:

    hostname = "UNIXSERVER";
  • port The port option is used to specify the port that the Password Manager service is running on. The default value for the Password Manager service is 3333.

    Example:

    port = "3333";
  • timeout Specifies the timeout (in seconds) that should be used when communicating with the Password Manager service. The default value is 10 seconds.

    Example:

    timeout = "10";
  • fail-if-unavailable Specifies the action to take if the password operation fails and the Password Manager service cannot be contacted. The default behavior is to fail the operation if the Password Manager service is unavailable.

    Example:

    fail-if-unavailable = "true";
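The idapi and pushpass files above both use the same `key = "value";` line syntax, and the idapi options in particular (url, ignore, libcurl, psw) decide whether the product administrator credential crosses the network protected. The following Python script is an added example, not code from Bravura Security Fabric or the psunix add-ons: it parses a constructed weak idapi file and a hardened one, plus a pushpass file, and reports settings a security engineer would flag. It assumes that a `#` starts a comment, that `fail-if-unavailable` accepts "false" as well as "true", and that the libcurl path shown is where the library lives on the host; the actual psunix parser may differ on these points.

```python
"""Audit psunix.d/idapi and psunix.d/pushpass for weak settings.

Added example; not part of the psunix add-ons. Assumes the key = "value";
syntax from the documentation and that '#' begins a comment.
"""
import re
from urllib.parse import urlparse

# key = "value";  (whitespace around '=' and before ';' is tolerated,
# matching the spacing variants that appear in the documentation)
_LINE = re.compile(r'^\s*([A-Za-z0-9_-]+)\s*=\s*"([^"]*)"\s*;?\s*$')


def parse_psunix(text):
    """Return {key: value} for every well-formed line; other lines are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # assumption: '#' starts a comment
        if not line:
            continue
        m = _LINE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def audit_idapi(cfg):
    """Findings for an idapi (API SOAP Service) configuration."""
    findings = []
    scheme = urlparse(cfg.get("url", "")).scheme.lower()
    if scheme != "https":
        findings.append("url: not https; user/psw cross the network unprotected")
    if cfg.get("ignore", "0") == "1":
        findings.append("ignore=1: certificate check disabled (man-in-the-middle)")
    if scheme == "https" and cfg.get("libcurl") == "0":
        findings.append("libcurl=0 with an https url: SSL connection cannot be made")
    psw = cfg.get("psw", "")
    if psw and not psw.startswith("{AES}"):
        findings.append("psw: clear text; use idaptool to produce the {AES} form")
    if cfg.get("fail-if-unavailable", "true").lower() != "true":
        findings.append("fail-if-unavailable=false: operation proceeds without the service")
    return findings


def audit_pushpass(cfg):
    """Findings for a pushpass (Password Manager service, idpm) configuration."""
    findings = []
    if not cfg.get("hostname"):
        findings.append("hostname: missing")
    try:
        port = int(cfg.get("port", "3333"))
        timeout = int(cfg.get("timeout", "10"))
    except ValueError:
        return findings + ["port/timeout: must be integers"]
    if not 1 <= port <= 65535:
        findings.append("port: outside 1-65535")
    if timeout <= 0:
        findings.append("timeout: must be a positive number of seconds")
    if cfg.get("fail-if-unavailable", "true").lower() != "true":
        findings.append("fail-if-unavailable=false: operation proceeds without the service")
    return findings


# Constructed sample files (not taken from a real deployment).
WEAK_IDAPI = """
targetid = "UNIXSERVER";
url = "http://hipmserver/default/idapi";
user = "_API_USER";
psw = "Secret123";            # clear-text password
libcurl = "0";
ignore = "1";
fail-if-unavailable = "true";
"""

HARDENED_IDAPI = """
targetid = "UNIXSERVER";
url = "https://hipmserver/default/idapi";
user = "_API_USER";
psw = "{AES}constructedCipherTextFromIdaptool==";   # constructed value
libcurl = "/usr/lib64/libcurl.so.4";                 # assumed library path
capath = "/etc/certs";
ignore = "0";
fail-if-unavailable = "true";
"""

PUSHPASS_SAMPLE = """
targetid = "UNIXSERVER";
hostname = "hipmserver";
port = "3333";
timeout = "10" ;
fail-if-unavailable = "true";
"""

if __name__ == "__main__":
    for name, text, audit in (("weak idapi", WEAK_IDAPI, audit_idapi),
                              ("hardened idapi", HARDENED_IDAPI, audit_idapi),
                              ("pushpass", PUSHPASS_SAMPLE, audit_pushpass)):
        print(name, "->", audit(parse_psunix(text)) or ["no findings"])
```

Run it against the real files with `parse_psunix(open("/etc/psunix.d/idapi").read())` after adjusting the comment assumption if your files use a different convention; the weak sample produces three findings (plain http, ignore=1, clear-text psw) and the hardened sample none.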