
Preparation

The sections that follow describe how to prepare a Unix target system before adding it to Bravura Security Fabric, including:

  • Configuring a target system administrator.

  • Creating at least one template account.

  • Installing the Unix Listener.

  • Writing server scripts for NIS systems.

    Note

    Bravura Security Fabric does not support plus (+) or minus (-) entries in UNIX local passwd and group files to incorporate NIS. Instead, you can use /etc/nsswitch.conf to incorporate NIS.

Configuring a target system administrator

Bravura Security Fabric requires a designated account (for example, psadmin) on the Unix target system in order to perform operations. Bravura Security Fabric uses the account’s credentials to verify that it is the authorized Bravura Security Fabric server on the network. It is only used for authentication purposes to allow the operations to run on the Bravura Security Fabric server.

Set up the designated account on the Unix system with no privileges. Set the account’s shell to /bin/false and the home directory to /tmp.

Ensure that you set and note the account’s password. You will be required to enter the login ID and password when you add the target system to Bravura Security Fabric.
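The following check is an added example (not part of the Bravura Security Fabric documentation or the psunix package). It reads a passwd-format file and confirms that the designated Listener account looks the way the text above describes: present, not UID 0, shell /bin/false, home directory /tmp. The account name and the passwd file path are parameters; the passwd content at the bottom is constructed so the script runs offline, and "psadmin" is only the example name used on this page.

```shell
#!/bin/sh
# Added example: audit the Unix Listener's designated (authentication-only)
# account against the guidance above. Not the vendor's code.
#
# On Linux systems with shadow-utils the account could be created with
#   useradd -M -d /tmp -s /bin/false psadmin && passwd psadmin
# (other Unix flavours differ; see the platform's own documentation).

# Print the passwd entry for a user from a passwd-format file (empty if absent).
# Usage: passwd_entry <user> <passwd-file>
passwd_entry() {
    awk -F: -v u="$1" '$1 == u { print; exit }' "$2"
}

# Return 0 if the account matches the guide (non-root, /bin/false, /tmp),
# 1 otherwise, printing each deviation to stderr.
# Usage: check_listener_account <user> [passwd-file]   (default /etc/passwd)
check_listener_account() {
    user=$1
    file=${2:-/etc/passwd}
    entry=$(passwd_entry "$user" "$file")
    if [ -z "$entry" ]; then
        echo "$user: no passwd entry in $file" >&2
        return 1
    fi
    uid=$(printf '%s\n' "$entry" | cut -d: -f3)
    home=$(printf '%s\n' "$entry" | cut -d: -f6)
    shell=$(printf '%s\n' "$entry" | cut -d: -f7)
    rc=0
    [ "$uid" -ne 0 ] || { echo "$user: must not be UID 0" >&2; rc=1; }
    [ "$shell" = "/bin/false" ] || { echo "$user: shell is $shell, expected /bin/false" >&2; rc=1; }
    [ "$home" = "/tmp" ] || { echo "$user: home is $home, expected /tmp" >&2; rc=1; }
    return $rc
}

# Constructed sample passwd content for an offline demonstration.
SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/sh
psadmin:x:1050:1050:Listener auth account:/tmp:/bin/false
badadmin:x:1051:1051:Interactive account:/home/badadmin:/bin/bash
EOF

check_listener_account psadmin "$SAMPLE_PASSWD" && echo "psadmin: OK"
check_listener_account badadmin "$SAMPLE_PASSWD" || echo "badadmin: not acceptable as the Listener account"
rm -f "$SAMPLE_PASSWD"
```

Run it against the real file with `check_listener_account psadmin /etc/passwd` after creating the account; a non-zero exit means the account still has a login shell, a real home directory, or UID 0, none of which the Listener needs.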

Creating a template account

Bravura Security Fabric uses template accounts as models or "blueprints" for creating new Unix accounts. The following is an overview of a typical procedure for creating a (template) Unix account:

  1. Add the account to the system.

  2. Add the groups.

    It is recommended that you do not add template accounts to Bravura Security Fabric managed groups. Managed group memberships should be handled by including them in roles.

  3. Create the account’s home directory.

The detailed procedure for adding an account to your system varies depending on your specific Unix implementation.

Some systems include command-line utilities to help you create new accounts. For example, Debian Linux includes the useradd program. Other systems may require you to edit the passwd file and shadow file and set the password directly.

Note

It is recommended that you use the proper administrative tools to add or delete users. If the /etc/passwd and /etc/shadow files do not have corresponding entries, agtunix will only allow listing and deleting of the faulty records.

See your Unix documentation or man pages for more information.

Setting up the Unix Listener

You must install the Unix Listener on each Unix system where Bravura Security Fabric performs operations. To do this:

  1. Determine the requirements.

  2. If you did not select the Unix Installation Packages when you installed the Connector Pack, install the psunix installation package.

  3. Run the installation shell script in:

Requirements

Before you begin:

  • Ensure that the xinetd or inetd service is configured.

    The Unix Listener requires an Internet services daemon for operation, and the installer checks for xinetd/inetd configuration prior to installation. If either service is installed but not configured, the installer will configure the service. If neither service is installed, the installer will inform you that the Unix Listener requires either xinetd or inetd for operation. The xinetd server is the preferred server and is chosen by default if both inetd and xinetd are available.

    Bravura Security Fabric supports xinetd versions 2.3.4 and newer.

  • Have the following information available:

    • The local administrative account that will be used to authenticate the Unix Listener

      This is the same account that you use as credentials when adding the target in Bravura Security Fabric.

    • The port the Unix Listener will be listening on; the default is 905.

    • The encrypted communication key (COMMKEY), or a copy of the idmsetup.inf configuration file.

      The idmsetup.inf configuration file is located in the <instance>\psconfig\ directory.

    Tip

    After copying idmsetup.inf, the best practice is to remove all data that is not required from the copy before using it.

    You will be prompted to enter these values during the Unix Listener installation.

Installing the Unix Listener interactively

Installing interactively takes less preparation and allows you to specify settings during installation. You can use the idmsetup.inf configuration file to supply some of the information as defaults.

Ensure that you have met the requirements.

To interactively install the Unix Listener on the Unix system:

  1. Run the shell script install.sh from the root of the installation package:

    sudo sh install.sh [ -inf <path>/idmsetup.inf ] [ -inst <instancename> ]

    where:

    Option   Description

    -inf     Specifies the path to the idmsetup.inf file. If omitted, you must enter the communication key (or Master Key) and other information when prompted.

    -inst    Specifies the instance name for the location of the psunix files. If omitted, files are copied to the /usr/local/psunix/default instance. See Determining the psunix instance for more information about the instance location.

  2. Follow the instructions displayed by the installer script.

    In the installation process:

    • Allow system files to be backed up.

    • Select the Listener Service.

    • Submit the Communication Key.

    • Submit the local administrative account. This is the same account that you use as credentials when adding the target in Bravura Security Fabric.

    • Note the port number that was assigned to Bravura Security Fabric by the installation shell script. It is normally 905, but may be different on your system.

      You need this port number when adding the Unix target system to Bravura Security Fabric, as described in Targeting a Unix system.

      On systems where /etc/services defines port 905/tcp to be reserved, the installer will consider that port as unavailable. To make it available, first make sure it is not in use, then comment out the 905/tcp line in /etc/services. This can be done while the installer is waiting for a new port number to be input.
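The port check below is an added example, not the installer's own logic. It reproduces the two conditions the paragraph above describes: a port counts as reserved when /etc/services has an uncommented <port>/tcp entry, and as unavailable when a socket already listens on it. The services file path is a parameter so the reservation check can run against a constructed file; the listening-socket check assumes Linux ss(8) or netstat output (fourth column is the local address) and needs a live system.

```shell
#!/bin/sh
# Added example: decide whether a Listener port is usable before running
# install.sh, mirroring the installer's /etc/services check. Not vendor code.

# Return 0 if <port>/tcp appears as an active (uncommented) entry in the
# services file, 1 otherwise.
# Usage: port_reserved_in_services <port> [services-file]   (default /etc/services)
port_reserved_in_services() {
    port=$1
    file=${2:-/etc/services}
    # Drop comments, then look for a second field equal to "<port>/tcp".
    sed 's/#.*//' "$file" | awk -v p="$port/tcp" '$2 == p { found = 1 } END { exit found ? 0 : 1 }'
}

# Return 0 if something is already listening on <port>/tcp on this host.
# Assumes Linux ss(8) or netstat column layout; prints nothing offline.
# Usage: port_in_use <port>
port_in_use() {
    port=$1
    if command -v ss >/dev/null 2>&1; then
        ss -ltn 2>/dev/null
    else
        netstat -ltn 2>/dev/null
    fi | awk -v p=":$port" '{ n = split($4, a, ":"); if ((":" a[n]) == p) f = 1 } END { exit f ? 0 : 1 }'
}

# Print the first port at or above <start> that is neither reserved in the
# services file nor in use, as a candidate to type in when the installer
# asks for a new port number.
# Usage: first_free_port <start> [services-file]
first_free_port() {
    p=$1
    file=${2:-/etc/services}
    while [ "$p" -le 65535 ]; do
        if ! port_reserved_in_services "$p" "$file" && ! port_in_use "$p"; then
            echo "$p"
            return 0
        fi
        p=$((p + 1))
    done
    return 1
}

# Constructed services file for an offline demonstration: 905/tcp reserved.
SAMPLE_SERVICES=$(mktemp)
cat > "$SAMPLE_SERVICES" <<'EOF'
ssh        22/tcp
someapp    905/tcp        # constructed entry that blocks the default port
someapp    905/udp
EOF

if port_reserved_in_services 905 "$SAMPLE_SERVICES"; then
    echo "905/tcp is reserved in $SAMPLE_SERVICES; next candidate: $(first_free_port 905 "$SAMPLE_SERVICES")"
fi
rm -f "$SAMPLE_SERVICES"
```

With no second argument the functions read the real /etc/services, so `port_reserved_in_services 905 && port_in_use 905` tells you whether the 905/tcp line can safely be commented out (reserved but idle) or whether another service actually owns the port.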

Installing the Unix Listener non-interactively

The installer’s non-interactive mode allows you to perform unattended installations. This would be advantageous where you want to install on many systems over SSH, for example. This mode requires you to write a response file that is used with a command line option.

Ensure that you have met the requirements.

To install the Unix Listener non-interactively:

  1. Edit the following sections of the psunix-responsefile.cfg in the root of the installation package:

    ###################################################################### 
    ## general options 
    
    # Prior to installing PSUNIX, the installer allows the option to 
    # backup files affected by the installation process. 
    
      pre-backup = "Y"; 
    
    # By default, if pre-existing configuration file(s) contains all the 
    # required options, do not replace them. 
    
      use-preexisting-cfg = "Y"; 
    
    ###################################################################### 
    ## listener options 
    
    # The port that the PSUNIX listener binds to and listens on.  The 
    # default is port "905". 
    
      listener-port = "905";

  2. Edit the <psunix-root>/conf/psunix.d/listener configuration file to specify the administrative user that the Listener will authenticate against.

  3. Edit <psunix-root>/conf/psunix.cfg to define the communication key (or Master Key) that matches the one set during installation on the Bravura Security Fabric server; for example:

    commkey = "<encrypted commkey value>";

    Optionally, you can pre-configure other options in this file if you want different behavior from the default. See Unix Configuration Scripts for details.

  4. Run the shell script install.sh from the root of the installation package:

    sh install.sh -c 1 -ni [ -inst <instancename> ]

    where:

    Option   Description

    -inst    Specifies the instance name for the location of the psunix files. If omitted, files are copied to the /usr/local/psunix/default instance. See Determining the psunix instance for more information about the instance location.

pspasswd and non-default instances

The psunix local instance name, defined by the -inst option when running the install.sh script, is not connected to the main Bravura Security Fabric instance name. If specified, it designates a sub-target.

During install/setup, if the instance name is the default, the installer creates a symbolic link from:

  • /usr/local/psunix/<instance>/psunix.d to /etc/psunix.d, and

  • /usr/local/psunix/<instance>/psunix.cfg to /etc/psunix.cfg

Because only one version of the pspasswd binary can be installed in /usr/bin or /bin, pspasswd always looks for /etc/psunix.cfg; it is therefore tied to the default instance.

Configuring the inetd.conf and xinetd.conf files

The install script automatically finds and updates the inetd.conf or xinetd.conf file and restarts the service.

The script updates the inetd.conf file with:

psunix-<instance> stream tcp nowait root /usr/local/psunix/<instance>/server.<os>.<cpu> server

A new file called psunix-<instance> is placed in the /etc/xinetd.d folder and contains the following:

service psunix-<instance>
{
    socket_type     = stream
    protocol        = tcp
    flags           = IPv4
    port            = 905
    wait            = no
    user            = root
    server          = /usr/local/psunix/<instance>/server.<os>.<cpu>
    server_args     =
    disable         = no
}

On some Unix systems, inetd (or inetutils-inetd) only listens on IPv6 sockets by default. In that case, if IPv4 operation is required, replace "tcp" with "tcp4" in the psunix line in inetd.conf.

Once changes are made, restart the inetd process.

Determining the psunix instance

The psunix local instance name, defined by the -inst option when running the install.sh script, is not connected to the main Bravura Security Fabric instance name. If specified, it designates a sub-target.

All instances are configured to use the default database (/etc/passwd), but each can be changed to match the logic needed for its sub-target.

It is recommended that you use port 905 and the default name to install the first local instance that targets the Unix server. You can then set up sub-targets with their own configuration (communication key (or Master Key), administration user, database, policies, scripts, and so on).

For example, you could use a PSLang script for psunix to target an application, such as a MySQL database, messaging server, or internal web-based application, while still retaining the default instance to manage the Unix users themselves separately.

In another example, when implementing privileged access management, regular users could be served by the default instance, which would be forbidden to touch administrators, while administrative users would be handled by a separate psunix instance with different credentials that is allowed to touch privileged users.

Editing the Unix Listener configuration file

A default configuration file, psunix.cfg, is created for you in the etc directory during the Unix Listener installation. A default directory, /etc/psunix.d/, is also created and contains additional configuration files. You can edit these files to modify the values you entered during installation, or to set additional options.

You may also override the account operations built into the Unix Listener by adding a PSLang file specified by the pslang-override-path option in psunix.cfg. The conf directory of the psunix archive contains three samples:

  • pslang-override-sample – a generic sample framework

  • pslang-override-passwd – for calling passwd interactively, using the PSLang popen call

  • pslang-override-nis – for use with NIS servers

Relocating psunix

The default path for psunix is /usr/local/psunix. At times it might be necessary to change this location in the psunix installer using the -bd option, for example:

 ./install.sh -bd /usr/share/psunix

In addition to this, you need to add an LD_LIBRARY_PATH entry for mtcspi in the service account’s .profile (by default, psadmin).

Modifying directory permissions for psunix

By default, the user and group ownership of /usr/local/psunix is set to root. It may be necessary at times to change this to an alternate administrative account when root is not used for the services.

For example, when the Unix Listener is installed, check which user runs the xinetd or inetd service for the psunix listener. Another example is when LDAP Transparent Synch is installed and a different administrative user runs the directory server service.

If any of these services does not run as root, you need to change the ownership of the psunix files to this alternate administrative user, for example:

 chown -R <user>:<usersgroup> /usr/local/psunix
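The audit script below is an added example, not part of the psunix package, and covers both the xinetd entry described under "Configuring the inetd.conf and xinetd.conf files" and the ownership requirement above. It parses an /etc/xinetd.d service file for its user, server and disable values, confirms the service is enabled and the server binary is executable, and then checks that the binary and the psunix directory are owned by the service user and not writable by group or others (a binary that inetd runs as root must not be modifiable by anyone else). The service file path is a parameter; the layout at the bottom is constructed in a temporary directory with the current user standing in for root, and "server.linux.x86_64" is a placeholder for the real server.<os>.<cpu> name.

```shell
#!/bin/sh
# Added example: audit the Listener's xinetd entry and the ownership of the
# psunix tree. Not vendor code; uses only ls(1), awk(1) and test(1).

# Print the value of a "<key> = <value>" line from an xinetd service file.
# Usage: xinetd_value <key> <service-file>
xinetd_value() {
    awk -v k="$1" '$1 == k && $2 == "=" { print $3; exit }' "$2"
}

# Return 0 if <path> is owned by <user>.
owned_by() {
    [ "$(ls -ld "$1" | awk '{ print $3 }')" = "$2" ]
}

# Return 0 if <path> has neither the group-write nor the other-write bit.
# ls mode string: position 6 is group write, position 9 is other write.
not_writable_by_others() {
    mode=$(ls -ld "$1" | awk '{ print $1 }')
    case "$mode" in
        ?????w*|????????w*) return 1 ;;
    esac
    return 0
}

# Run every check on one service file. Returns 0 only if all pass.
# Usage: audit_listener_entry <service-file> [psunix-dir]
#        (psunix-dir defaults to the directory holding the server binary)
audit_listener_entry() {
    f=$1
    user=$(xinetd_value user "$f")
    server=$(xinetd_value server "$f")
    disabled=$(xinetd_value disable "$f")
    base=${2:-$(dirname "$server")}
    rc=0
    [ "$disabled" = "no" ] || { echo "$f: service is disabled" >&2; rc=1; }
    [ -n "$user" ] || { echo "$f: no user line" >&2; rc=1; }
    [ -x "$server" ] || { echo "$f: server $server missing or not executable" >&2; rc=1; }
    if [ -n "$user" ] && [ -x "$server" ]; then
        owned_by "$server" "$user" || { echo "$server: not owned by $user" >&2; rc=1; }
        owned_by "$base" "$user" || { echo "$base: not owned by $user" >&2; rc=1; }
        not_writable_by_others "$server" || { echo "$server: writable by group/others" >&2; rc=1; }
        not_writable_by_others "$base" || { echo "$base: writable by group/others" >&2; rc=1; }
    fi
    return $rc
}

# Constructed demonstration layout (current user plays the service user).
me=$(id -un)
tmp=$(mktemp -d)
mkdir -p "$tmp/psunix/default"
printf '#!/bin/sh\nexit 0\n' > "$tmp/psunix/default/server.linux.x86_64"
chmod 0755 "$tmp/psunix/default" "$tmp/psunix/default/server.linux.x86_64"
cat > "$tmp/psunix-default" <<EOF
service psunix-default
{
    socket_type     = stream
    protocol        = tcp
    port            = 905
    wait            = no
    user            = $me
    server          = $tmp/psunix/default/server.linux.x86_64
    server_args     =
    disable         = no
}
EOF
audit_listener_entry "$tmp/psunix-default" && echo "listener entry OK"
rm -rf "$tmp"
```

On a real host run `audit_listener_entry /etc/xinetd.d/psunix-default` (or the name of your instance); if the service user is not root, the ownership findings are exactly what the chown command above is meant to fix.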

Writing NIS server scripts

In order to target an NIS system, you must create or modify the following script files:

Configuring the psunix.cfg file

An NIS server derives its password database NIS maps from NIS source files. You must configure psunix so that it can locate and update the NIS source files.

In the psunix.cfg configuration file, configure passwd-path, group-path, shadow-path, and grpshadow-path to point to the NIS source files. A typical NIS instance does not use a shadow or gshadow file; this section may be commented out. The following is a sample excerpt from the psunix.cfg file for an NIS target system:

 database = {
   user = {
     # Specifies an alternate path to the password database file where all
     # user information is stored.  If it is not specified (default
     # behavior), the location is /etc/passwd.
     #
     passwd-path = "/var/yp/maps/passwd";
   };

   group = {
     # Specifies an alternate path to the group database file where all
     # group information is stored.  If it is not specified (default
     # behavior), the location is /etc/group.
     #
     group-path = "/var/yp/maps/group";
   };
 };

For transparent synchronization (pspasswd), the configuration is taken from the system (nsswitch.conf): because pspasswd uses system calls to get user credentials and set passwords, it does not use the database paths specified in psunix.cfg.

Adding the PSLang override option

Copy the provided pslang-override-nis.psl file located inside the conf directory in the psunix archive, into /usr/local/psunix/<instance>/. Edit the file to suit your requirements.

In the psunix.cfg file, add a pslang-override-path option that points to the PSLang override file:

# This option allows users to script pslang code that either:
# 1) overrides builtin psunix operations, or
# 2) adds pre/post operations that augment the builtin operations.
#
# Please refer to the psunix conf/pslang-override-sample.psl for a
# general example.
#
# Please refer to the psunix conf/pslang-override-nis.psl for a
# NIS example.
#
      pslang-override-path = "/usr/local/psunix/<instance>/pslang-override-nis.psl";

Adding a script to build the NIS maps

An NIS server builds the NIS maps using the make utility. Copy the following script into /usr/local/psunix/<instance>/make-nis.sh and edit accordingly. Ensure that the script includes the "hashbang" (#!) line with the full path to the interpreter program.

#!/bin/sh
# This script runs make to build the NIS maps.

# Change NISDIR to the path of the NIS makefile.
NISDIR=/var/yp/maps/

# Change NISTARGET to the make target(s) of interest (space-separated).
NISTARGET=passwd

# Stop if the directory cannot be entered, so make never runs elsewhere.
cd "$NISDIR" || exit 1
/usr/bin/make $NISTARGET

Ensure that the script has execution rights:

chmod u+x /usr/local/psunix/<instance>/make-nis.sh

Test the script to ensure it works.
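The following check is an added example (not part of the psunix package) that ties the three NIS steps above together before you test the Listener against the NIS target: it reads passwd-path and group-path from psunix.cfg, confirms the NIS source files exist, and verifies that make-nis.sh starts with a #! line, is executable by its owner, and points its NISDIR at a directory containing a Makefile. The configuration and script paths are parameters; the layout at the bottom is constructed in a temporary directory so the script runs offline.

```shell
#!/bin/sh
# Added example: sanity-check an NIS target's psunix.cfg paths and the
# make-nis.sh build script. Not vendor code.

# Print the quoted value of a '<key> = "...";' option from psunix.cfg,
# skipping commented-out lines. Prints nothing if the key is not set.
# Usage: cfg_value <key> <psunix.cfg>
cfg_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$2" | head -n 1
}

# Print the NISDIR assignment from a make-nis.sh script.
# Usage: script_nisdir <make-nis.sh>
script_nisdir() {
    sed -n 's/^NISDIR=//p' "$1" | head -n 1
}

# Return 0 if the NIS configuration and build script look usable.
# Usage: check_nis_setup <psunix.cfg> <make-nis.sh>
check_nis_setup() {
    cfg=$1
    script=$2
    rc=0
    for key in passwd-path group-path; do
        path=$(cfg_value "$key" "$cfg")
        if [ -z "$path" ]; then
            echo "$key is not set in $cfg" >&2; rc=1
        elif [ ! -f "$path" ]; then
            echo "$key points to a missing file: $path" >&2; rc=1
        fi
    done
    # The Listener invokes the script directly, so it needs an interpreter line.
    IFS= read -r first < "$script"
    case "$first" in
        '#!'*) ;;
        *) echo "$script: first line is not a #! interpreter line" >&2; rc=1 ;;
    esac
    [ -x "$script" ] || { echo "$script: not executable" >&2; rc=1; }
    nisdir=$(script_nisdir "$script")
    [ -n "$nisdir" ] && [ -f "$nisdir/Makefile" ] || { echo "$script: no Makefile in NISDIR=$nisdir" >&2; rc=1; }
    return $rc
}

# Constructed demonstration layout: NIS source files, Makefile, cfg, script.
tmp=$(mktemp -d)
mkdir -p "$tmp/maps" "$tmp/inst"
: > "$tmp/maps/passwd"; : > "$tmp/maps/group"; : > "$tmp/maps/Makefile"
cat > "$tmp/inst/psunix.cfg" <<EOF
 database = {
   user = {
     # passwd-path = "/etc/passwd";   (commented out, must be ignored)
     passwd-path = "$tmp/maps/passwd";
   };
   group = {
     group-path = "$tmp/maps/group";
   };
 };
EOF
cat > "$tmp/inst/make-nis.sh" <<EOF
#!/bin/sh
NISDIR=$tmp/maps/
NISTARGET=passwd
cd "\$NISDIR" || exit 1
/usr/bin/make \$NISTARGET
EOF
chmod u+x "$tmp/inst/make-nis.sh"
check_nis_setup "$tmp/inst/psunix.cfg" "$tmp/inst/make-nis.sh" && echo "NIS setup OK"
rm -rf "$tmp"
```

On the target, `check_nis_setup /etc/psunix.cfg /usr/local/psunix/<instance>/make-nis.sh` (substituting your instance) reports the misconfigurations that otherwise surface only as a failed password operation from the Listener.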