Skip to main content

AIX Server (SSH)

Bravura Security Fabric performs operations on AIX Servers using the agtaix_ng or agtaix connector.

agtaix_ng

Connector name

agtaix_ng

Connector type

Python script, agtaix.py and a scripted platform definition file, agtaix_ng.con, that associates the script with the Python connector (agtpython) to access AIX Server via SSH.

Type (UI field value)

Generic AIX Server (SSH)

Connector status / support

Customer-Verified

Clients may contact Bravura Security support for assistance with this connector. Troubleshooting and testing must be completed in the client's test environment as Bravura Security does not maintain internal test environments for the associated target system.

Installation / setup

The agtaix_ng connector for the Generic AIX Server (SSH) target type also has an agtaix_ng_requirements.txt file that is used to install the Python requirements for this connector. To install the Python packages required by the agtaix_ng connector, run the following command from a command prompt:

py -m pip install -r agtaix_ng_requirements.txt

Upgrade notes

The agtaix_ng connector was added for AIX Server NewGen (SSH) in Connector Pack 4.5.0. It was renamed Generic AIX Server (SSH) in 4.7.0. It makes use of more current technologies by using a Python script and agtpython.exe for the integration. This connector should be used instead of the older agtaix connector, which uses a PSLang script and agtssh.exe .

agtaix

Connector name

agtaix

Connector type

PSLang script, agtaix.psl and a scripted platform definition file, agtaix.con, that associates the script with the SSH connector (agtssh) to access AIX Server via SSH.

Type (UI field value)

AIX Server (SSH) (Legacy)

Connector status / support

Customer-Verified

Clients may contact Bravura Security support for assistance with this connector. Troubleshooting and testing must be completed in the client's test environment as Bravura Security does not maintain internal test environments for the associated target system.

Upgrade notes

The agtaix connector is deprecated in favor of agtaix_ng . In Connector Pack 4.5 the agtaix connector was listed in the UI as AIX Server (SSH).

Both AIX connectors can be used to discover SSH public and authorized keys for accounts on AIX servers. This connector can be used to manage temporary SSH trust relationships when granting privileged access to accounts on AIX servers.

The following Bravura Security Fabric operations are supported by this connector (depending on your product license and version):

  • expire password

  • check password expiry

  • administrator reset password

  • administrator reset+expire password

  • user verify password

  • verify+reset password

  • create account

  • delete account

  • disable account

  • enable account

  • expire account

  • create group

  • delete group

  • add user to group

  • delete user from group

  • check account enabled

  • check account expiry

  • unlock account

    Note

    The unlock account operation is only supported if the AIX server is using Trusted Computing Base (TCB) account database files.

  • lock account

  • check account lock

  • get server information

  • unexpire account

  • List:

    • accounts

    • attributes

    • groups

    • members

For a full list and explanation of each connector operation, see Connector operations.

See also

Targeting the AIX Server system

For each AIX Server system, add a target system in Bravura Security Fabric (Manage the system > Resources > Target systems):

  • Type is

    • Generic AIX Server (SSH) (known as AIX Server NewGen (SSH) in Connector Pack 4.5)

      Or

    • AIX Server (SSH) (Legacy) (known as AIX Server (SSH) in Connector Pack 4.5 or earlier).

  • Address uses options described in the table below.

The full list of target parameters is explained in Target system options .

Table 1. AIX Server (SSH) address configuration

Option

Description

Options marked with a redstar.png are required.

Script file redstar.png

Must be set to agtaix.py (Generic AIX Server (SSH) ) or agtaix.psl (AIX Server (SSH) (Legacy) )

(key: script)

Server redstar.png

The IP address/domain name of the AIX Server.

(key: server)

Enable SSH public and authorized key discovery

Default is false, select this option to list all SSH public and authorized keys on the server.

SSH key files must be in OpenSSH format and must be less than 100,000 KB (by default) in order to be listed. To change the file size limit, modify the maximum file size to parse in unix-sshkey.psl.

(key: discoverkeys)

Privilege escalation type

Select:

Use ’sudo’ as privileged escalation When this option is selected, the credentials of the target administrator will be used to run the sudo command. Ensure that this user is defined in the /etc/sudoers file.

If the sudo password is configured to be different than the log-in password, add another set of credentials for sudo and select the System password option. The Administrator ID can be arbitrary. This is the default setting.

Use ’su’ as privileged escalation When this option is selected, along with the credentials of the target administrator, you must also specify another set of credentials for the built-in "root" account and select the System password option for this account. This will be used to run the su command.

Use ’dzdo’ as privileged escalation You can use this escalation type if a dzdo package exists for your target operating system and this package has been installed. When this option is selected for a Centrify system, the credentials of the target administrator will be used to run the ’dzdo’ command in a similar manner as the ’sudo’ command. Ensure that this user has role-based access rights for zones stored in Active Directory.

No privileged escalation Operations will be done without elevated privileges.

(key: privEscType)

Advanced

Port

TCP Port number. Default is 22.

(key: port)

Compression

Select to enable data compression for SSH connections. Default is false.

(key: compression)

Action for host keys

Select AllowAppend (default) or DenyUnmatch. For new targets, AllowAppend is recommended.

AllowAppend connects to SSH hosts whose public host keys have been previously recorded and have not been changed, and to SSH hosts whose keys have not been previously recorded. It will reject SSH hosts whose keys were previously recorded but have changed.

DenyUnmatch only connects to SSH hosts whose public host keys have been previously recorded and have not been changed. It will reject SSH hosts whose keys have not been previously recorded or were previously recorded but have changed.

(key: hostkeys)

Host keys file

Specify the name of the public host key file. It must be located in the \<instance>\script\ directory.

The file consists of a KVGroup with an entry that contains the host information as the key and the hostkey as the value. This information can be extracted from the PuTTY registry entries (HKEY_CURRENT_USER \Software\SimonTatham\PuTTY\SshHostKeys) where "Name" corresponds to the key and "Data" corresponds to the value.

(key: file)

Authentication key file

This attribute can be assigned to the administrator’s private key. This key must have a passphrase assigned which will be entered into the credential password field. Managing of this passphrase is not supported.

(key: authkey)

Timeout for connection

Amount of time the connector will wait for a response.

(key: timeout)

Enable SSH v1?

To enable SSH connection via SSH protocol version 1.

(key: enable_ssh_1)

Enter the filenames (comma delimited) to get the public keys from. Must be in the user’s /.ssh directory

The public key files to list from the server. Default is "id_rsa.pub,id_dsa.pub".

(key: pubkeyfiles)

Delete all matching keys upon access revocation

Default is true, deselect this option to remove only one copy of the specified public key upon access revocation.

(key: delallkeys)

Calculate SHA1 hashes of discovered public and authorized keys

Default is true, deselect this option to turn off calculation of hashes for public and authorized keys.

(key: makekeyhashes)

Unprivileged and password management operations only

The passwdAccessOnly option is useful for Bravura Pass and Bravura Privilege implementations where only passwords on Unix systems need to be managed.

When configuring for passwdAccessOnly with sudo escalation, the sudoer file can be secured down to one command: /usr/bin/passwd. With this authorization, the AIX connectors will gain access to list the accounts and administratively reset the user account.

Modification of the sudoer file would look something like the following example for the psadmin user (one line):

psadmin ALL=(ALL) /usr/bin/passwd,/usr/bin/pwdadm,/usr/sbin/lsuser

(key: passwdAccessOnly)

Max read timeout

The maximum time the connector will read data. Default is 6 seconds.

(key: maxReadTimeout)

Max write timeout

The maximum time the connector will write data. Default is 20 seconds.

(key: maxWriteTimeout)

Max read size

The maximum data read size. Default is 16384 characters.

(key: maxReadSize)

Max read lines

The maximum number of lines to read. Default is 50000 lines.

(key: maxReadLines)

Trace Logging

Provides detailed multiline logging for connectors. Default is None. Other options include Low, Medium, and High.

(key: trace)



Note

The EnableOnUnlock option is not available for AIX Server target systems because reset and unlock are separate operations on AIX systems. EnableOnReset is not available because reset does not affect the status of AIX accounts as it does on other UNIX systems. As a result, password reset will always maintain the account status (enabled/disabled).

Trace logging

The Trace Logging option provides detailed multi-line logging for the connectors and exposes a way to engage trace logging to a file. Trace logging are things that are generally multi-line such as input/output kvg options, http request/response data, and generally verbose data for diagnosing and troubleshooting issues. It provide a simple mechanism to redirect multi-lined information to an output file.

A trace log file is created within the <Program Files path>\Bravura Security\Bravura Security Fabric\Logs\<instance> directory and has a format of trc-<connector-name>-<unix-time>-<process-id>.log.

The Trace Logging option can be found in the advanced section when modifying the target system address configuration page for individual target systems. It can be set to the following values:

None

Default value. Log no trace information and no trace log file is created.

Low

Contains kvgroup data for the Input KVG and for the Output KVG.

Medium

Telemetry data for Http Post/Get request/response data.

High

Not yet used, to be implemented in a future release.

(key: trace)

Managing administrative credentials

To allow Bravura Privilege to manage the administrative credentials on AIX 6.1 systems, you must activate SecPolicy roles for the user. On the command line:

  1. Change the user’s role and default role to SecPolicy:

    chuser roles=SecPolicy default_roles=SecPolicy pamadmin

  2. Confirm the role has been changed for the user:

    rolelist -u pamadmin

  3. Add the user to security group:

    usermod -G security pamadmin

  4. Switch to this user:

    su - pamadmin

  5. List effective active role authorizations:

    rolelist -ea

  6. Make sure there is "aix.security.passwd" authorization.

Creating a template account

Bravura Security Fabric uses template accounts as models or "blueprints" for creating new accounts on AIX Server.

Consult the documentation included with your specific application to learn how to create an account to use as a template in Bravura Identity . You can then add account attributes to determine how new accounts should be created based on the template account’s parameters.

Note

Bravura Security Fabric still requires a template account, even though attributes may or may not be copied from the template account, for example, if the configured action for all account attributes is Set.

Handling account attributes

You can view the complete list of attributes that Bravura Security Fabric can manage, including native and pseudo-attributes, using the Manage the system (PSA) module. To do this, select Generic AIX Server (SSH) or AIX Server (SSH) (Legacy) from the Manage the system > Resources > Account attributes > Target system type menu.

This section describes the pseudo-attributes that Bravura Security Fabric uses to compose values, set flags, or control behavior on an AIX Server.

_skeldir This pseudo-attribute is used for specifying the source directory when creating the home directory for a new account. By default, this pseudo-attribute is ignored on account creation and Bravura Security Fabric uses the system’s skeleton directory as the source.

To specify a different source directory, configure skeldir and set the value to either:

  • TEMPLATE - to copy the structure and contents of the template account’s home directory

  • A valid path to a directory - to copy the structure and contents of an existing directory on the target

_deleteHomeDir There are three possible options for deleting the user’s home directory when the account is deleted off the system:

  • always - delete the home directory when the account is deleted.

  • whensafe - only delete the home directory if it matches the user name and no other accounts use it.

  • never - keep the home directory when the account is deleted.

Bravura Security Fabric will not delete the home directory if the account is not the owner. If no action is defined for _deleteHomeDir , the default action is never.

_archiveHomeDir Specifies a valid path on the target where the account’s home directory will be archived when the account is deleted.

If an invalid path was specified or no action is defined for _archiveHomeDir , the account’s home directory will not be archived.

In this section: