The psunix configuration directory
The psunix.d configuration directory contains several configuration files that hold the settings for the various psunix components. The configuration files are written using Key-Value (KVGroup) syntax.
| File | Description |
|---|---|
| `idarchive` | Settings for the Bravura Privilege Client Service. |
| `listener` | Settings for the Unix Listener Service. See Unix Listener service configuration. |
| `pam` | Settings for the password authentication module (PAM). See PAM and password policy configuration. |
| `psldap` | Settings for password policies. See passwd utility configuration. |
| `idapi` | Connection settings used for transparent synchronization with |
| `pushpass` | Settings for transparent synchronization with PAM. See Transparent synchronization configuration (PAM). |
Bravura Privilege Client Service configuration
The `idarchive` file is used to configure the options for the Bravura Privilege Client Service, if installed.
The options are as follows:
`cgipath`
Path used by the Bravura Privilege Client Service when connecting to a Bravura Privilege server via HTTP.
Example:
cgipath = "instance/psw.exe";
`defaultgroup`
The name of the managed system policy that the Bravura Privilege Client Service automatically adds to Bravura Privilege on the initial connection. This is typically the same managed system policy that produced the installation key.
Example:
defaultgroup = "PULL_SVC_GRP";
`serverlist`
A comma-separated list of Bravura Privilege servers used by the Bravura Privilege Client Service to obtain user information.
Example:
serverlist = "10.0.0.1, 192.168.1.1";
`port`
Port number used by the Bravura Privilege Client Service when connecting to a Bravura Privilege server via HTTP.
Example:
port = "80";
`polltime`
Interval (in seconds) between update requests to the Bravura Privilege servers. A small value is not recommended, since an update request can be a CPU- and time-intensive process. The default value is 3600 seconds.
Example:
polltime = "3600";
`HttpTimeout`
Timeout (in seconds) used when communicating with the Bravura Privilege HTTP service. The default value is 300 seconds.
Example:
HttpTimeout = "300";
`waittime`
Time (in seconds) to wait after establishing a connection to the Bravura Privilege Client Service. The default value is 60 seconds.
Example:
waittime = "60";
Unix Listener service configuration
The `listener` file is used for Unix Listener service configuration. The options are as follows:
`admin-user`
Administrative user, used for authentication in Bravura Security Fabric operations.
Example:
admin-user = "administrator";
`timeout`
The timeout (in seconds) used when communicating with the Unix Listener. The default value is 10 seconds.
Example:
timeout = "10";
PAM and password policy configuration
The `pam` file is used for configuring the password authentication module. The `psldap` file is used for configuring password policies. Both files currently have the same options. The options are as follows:
`strength-check-only`
If this option is set to true, the password reset operation will not occur. The default value is true.
Example:
strength-check-only = "true";
passwd utility configuration
The `pspasswd` file specifies the passwd utility used to perform an operation on a non-Bravura Security Fabric user's password. Usually, this option specifies the operating system's passwd command. The native password operation is executed if the user is contained in the [restricted-user-list] option, or is contained in the ignore list on the Bravura Security Fabric server. The options are as follows:
`passwd-cmd-reset`
A reset operation is less strict than a change operation, since it does not validate the user's old password first. Most native passwd commands do both change and reset operations depending on who is running the command and the arguments passed on the command line. Generally, running the passwd command as superuser is considered a password reset operation.
This option accepts psunix textual replacement strings, notably the "%u" keyword indicating the username.
Example:
passwd-cmd-reset = "/bin/passwd.bin %u";
`passwd-cmd-change`
A change operation is more strict than a reset operation, since it validates the user's old password first. Most native passwd commands do both change and reset operations depending on who is running the command and the arguments passed on the command line. Generally, running the passwd command as a non-privileged user is considered a password change operation.
This option accepts psunix textual replacement strings, notably the "%u" keyword indicating the username.
Example:
passwd-cmd-change = "/usr/bin/yppasswd %u";
Exit status codes
The following table outlines the `pspasswd` exit status codes:
| Exit code | Description |
|---|---|
| 0 | Success. |
| 1 | Syntax error in PSLang override script. |
| 2 | Failed to acquire password policy from remote |
| 3 | Failed to reset password using native command line tool. |
| 4 | Failed to reset password. |
Transparent synchronization configuration (passwd)
The `idapi` file is used to configure the connection to the API SOAP Service (`idapisoap`). The options are as follows:
`targetid`
If you are using aliasing, this option is used to specify the ID of the target.
Example:
targetid = "UNIXSERVER";
`url`
The URL that the API SOAP Service (`idapisoap`) is listening on.
Example:
url = "http://hipmserver/default/idapi";
`user`
The product administrator used to connect to the API SOAP Service.
Example:
user = "_API_USER";
`psw`
The product administrator password used to connect to the API SOAP Service. idaptool can be used to provide an encrypted form of the password.
Example:
psw = "{AES}xdWShI2f+fM7Bd0SRhIi9kHvdhM9Y0fVxvKjpIbHfp4T47X2IAjLakoNitoSfu4Z";
`libcurl`
In order to communicate with the API SOAP Service over SSL, libcurl is required. If the full path is specified, the library can be loaded when connecting over SSL. If no libcurl is available and plain HTTP is used, the value can be set to "0". If empty, the system default is used.
Example:
libcurl = "0";
`capath`
When communicating with the API SOAP Service over SSL, a certificate check is made unless ignore is set to "1". If the CA certificate is not installed in the system default paths, a path can be specified.
Example:
capath = "/etc/certs";
`cert`
When communicating with the API SOAP Service over SSL, a client-side certificate can be provided. If the certificate has a passphrase, it needs to be specified as well.
Example:
cert = "/etc/certs/hipmcert.pem:apassphrase";
`ignore`
When communicating with the API SOAP Service over SSL, the certificate check can be ignored. If 0, the check is not ignored. If 1, the check is ignored.
Example:
ignore = "1";
`language`
The language set in this value is used when fetching the password rules. By default it is en-us. The language packs must be installed in order to retrieve rules in other languages.
Example:
language = "fr-fr";
`fail-if-unavailable`
Specifies the action to take if the password operation fails and the Password Manager service (`idpm`) cannot be contacted. The default behavior is to fail the operation if the Password Manager service is unavailable.
Example:
fail-if-unavailable = "true";
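The idapi options above decide whether the connection that carries an administrator credential and password material is authenticated and encrypted: `url` with a plain `http://` scheme, `ignore = "1"`, or a `psw` value that is not the `{AES}` form produced by idaptool each weaken that. The following script is an added example, not part of psunix or its documentation. It parses the flat `key = "value";` statement form shown in this page's examples (the full KVGroup grammar is not described here, so treating one statement per line is an assumption) and then audits an idapi fragment for those weak settings. The two embedded fragments are constructed; the `{AES}` ciphertext in the hardened one is a placeholder, not real idaptool output.

```python
"""Parse psunix-style KVGroup fragments and audit idapi transport settings.

Added example; not psunix code. The parser accepts only the flat
    key = "value";
statement form seen in the documentation examples (assumption), one per line.
"""
import re
from typing import Dict, List

# key = "value";  -- value may contain escaped quotes; whitespace before ';' is tolerated
_KV_LINE = re.compile(r'^\s*([A-Za-z][\w-]*)\s*=\s*"((?:[^"\\]|\\.)*)"\s*;\s*$')


def parse_kvgroup(text: str) -> Dict[str, str]:
    """Return a dict of settings, rejecting malformed lines and duplicate keys."""
    settings: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # blank or comment (assumed comment syntax)
            continue
        match = _KV_LINE.match(line)
        if not match:
            raise ValueError(f'line {lineno}: not a key = "value"; statement: {raw!r}')
        key, value = match.group(1), match.group(2)
        if key in settings:
            raise ValueError(f"line {lineno}: duplicate key {key!r}")
        settings[key] = value.replace('\\"', '"')
    return settings


def audit_idapi(settings: Dict[str, str]) -> List[str]:
    """Flag idapi settings that weaken the link to the API SOAP Service."""
    findings: List[str] = []
    url = settings.get("url", "").lower()
    if url.startswith("http://"):
        findings.append("url uses plain HTTP: the administrator credential crosses the network unencrypted")
    if settings.get("ignore") == "1":
        findings.append("ignore=1 disables the server certificate check, so the peer is not authenticated")
    if url.startswith("https://") and settings.get("libcurl") == "0":
        findings.append("libcurl=0 with an https url: SSL connections cannot be made")
    psw = settings.get("psw", "")
    if psw and not psw.startswith("{AES}"):
        findings.append("psw is stored in clear text; use idaptool to produce the {AES} encrypted form")
    if settings.get("fail-if-unavailable", "true").lower() != "true":
        findings.append("fail-if-unavailable is not true: operations no longer fail when idpm is unreachable")
    return findings


# Constructed sample: the weak configuration a reviewer would push back on.
WEAK_IDAPI = '''
targetid = "UNIXSERVER";
url = "http://hipmserver/default/idapi";
user = "_API_USER";
psw = "cleartext-example-password";
ignore = "1";
'''

# Constructed sample: the corrected configuration. Ciphertext is a placeholder.
HARDENED_IDAPI = '''
targetid = "UNIXSERVER";
url = "https://hipmserver/default/idapi";
user = "_API_USER";
psw = "{AES}PLACEHOLDER-CIPHERTEXT-FROM-IDAPTOOL";
libcurl = "/usr/lib/libcurl.so";
capath = "/etc/certs";
ignore = "0";
fail-if-unavailable = "true";
'''


def audit_text(text: str) -> List[str]:
    """Convenience wrapper: parse a fragment and return its findings."""
    return audit_idapi(parse_kvgroup(text))


if __name__ == "__main__":
    for name, fragment in (("weak", WEAK_IDAPI), ("hardened", HARDENED_IDAPI)):
        print(f"[{name}]")
        for finding in audit_text(fragment) or ["no findings"]:
            print("  -", finding)
```

Run against the weak fragment the script reports three findings (plain HTTP, disabled certificate check, clear-text password); the hardened fragment reports none. The same parser can be pointed at any other file in psunix.d, since they share the statement form, while the audit rules are specific to the idapi options.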
Transparent synchronization configuration (PAM)
The `pushpass` file is used to configure the Password Manager service (`idpm`). The options are as follows:
`targetid`
If you are using aliasing, this option is used to specify the ID of the target.
Example:
targetid = "UNIXSERVER";
`hostname`
The hostname option is used to specify the location of the Password Manager service to be used by `pspasswd`. This can be either an IP address or a hostname.
Example:
hostname = "UNIXSERVER";
`port`
The port option is used to specify the port that the Password Manager service is running on. The default value for the Password Manager service is 3333.
Example:
port = "3333";
`timeout`
Specifies the timeout (in seconds) used when communicating with the Password Manager service. The default value is 10 seconds.
Example:
timeout = "10";
`fail-if-unavailable`
Specifies the action to take if the password operation fails and the Password Manager service cannot be contacted. The default behavior is to fail the operation if the Password Manager service is unavailable.
Example:
fail-if-unavailable = "true";