pspasswd and non-default instances
The psunix local instance name, defined by the -inst option when running the install.sh script, is not connected to the main Bravura Security Fabric instance name. If specified, it designates a sub-target.
During install/setup, if the instance name is the default, the installer creates symbolic links from:
/usr/local/psunix/<instance>/psunix.d to /etc/psunix.d, and
/usr/local/psunix/<instance>/psunix.cfg to /etc/psunix.cfg
The pspasswd binary (only one copy can be installed in /usr/bin or /bin) always looks for /etc/psunix.cfg. It therefore runs with the default instance's configuration; the psunix.cfg of a non-default (sub-target) instance is not read by pspasswd unless /etc/psunix.cfg refers to it.
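To verify which instance pspasswd will actually read, the following shell script is an added example (not part of psunix or its documentation). It resolves /etc/psunix.cfg and /etc/psunix.d and checks that each refers to the same file or directory as the instance's own copy, whichever side holds the symlink. The ETC_DIR and INSTANCE_DIR parameters are there so the check can run against a staged copy of the tree; run it with an instance name to check the live system.

```shell
#!/bin/sh
# Added example, not part of the psunix distribution: check whether pspasswd,
# which is hard-wired to /etc/psunix.cfg, and the listener's /etc/psunix.d
# actually refer to a given psunix instance's files.
# ETC_DIR and INSTANCE_DIR are parameters so the check can run on a staged tree.

# resolve_link PATH: follow up to 16 symlink hops and print the final path.
# Avoids readlink -f, which not every Unix ships. Results are compared as
# strings, so a target written with ".." components may compare unequal.
resolve_link() {
    path=$1
    hops=0
    while [ -L "$path" ] && [ "$hops" -lt 16 ]; do
        target=$(readlink "$path")
        case $target in
            /*) path=$target ;;
            *)  path=$(dirname "$path")/$target ;;
        esac
        hops=$((hops + 1))
    done
    printf '%s\n' "$path"
}

# psunix_link_status ETC_PATH INSTANCE_PATH
# Prints and returns:
#   ok            (0)  both names resolve to the same file or directory
#   missing       (1)  ETC_PATH does not exist or is a dangling link
#   other:<path>  (2)  ETC_PATH exists but resolves somewhere else
psunix_link_status() {
    if [ ! -e "$1" ]; then
        echo missing
        return 1
    fi
    got=$(resolve_link "$1")
    want=$(resolve_link "$2")
    if [ "$got" = "$want" ]; then
        echo ok
        return 0
    fi
    echo "other:$got"
    return 2
}

# pspasswd_report INSTANCE_DIR ETC_DIR
# Reports, for psunix.cfg and psunix.d, whether ETC_DIR's copy is the
# instance's copy. Exit status 0 only when both match, i.e. pspasswd will
# run with this instance's configuration.
pspasswd_report() {
    rc=0
    for name in psunix.cfg psunix.d; do
        status=$(psunix_link_status "$2/$name" "$1/$name" || true)
        echo "$2/$name: $status"
        [ "$status" = ok ] || rc=1
    done
    return $rc
}

# Usage on the live system: sh pspasswd_cfg_check.sh <instance>
# With no arguments only the functions are defined (e.g. when sourced).
if [ "$#" -ge 1 ]; then
    pspasswd_report "/usr/local/psunix/$1" /etc
fi
```

A status of other:<path> for a sub-target instance is the expected result, not an error: it simply confirms that pspasswd is bound to whatever /etc/psunix.cfg points at, normally the default instance.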
See also
Unix Configuration Scripts includes a more general usage reference for the install.sh script.
Once the psunix files have been extracted, a pslang utility is available for further scripting on the Unix system. See Writing a PSLang script for more information.
Configuring the inetd.conf and xinetd.conf files
The install script automatically finds and updates the inetd.conf or xinetd.conf file and restarts the service.
The script updates the inetd.conf file with:
psunix-<instance> stream tcp nowait root /usr/local/psunix/<instance>/server.<os>.<cpu> server
A new file called psunix-<instance> is placed in the /etc/xinetd.d folder and contains the following:
service psunix-<instance>
{
    socket_type = stream
    protocol    = tcp
    flags       = IPv4
    port        = 905
    wait        = no
    user        = root
    server      = /usr/local/psunix/<instance>/server.<os>.<cpu>
    server_args =
    disable     = no
}
On some Unix systems, inetd (or inetutils-inetd) only listens on IPv6 sockets by default. In that case, if IPv4 operation is required, replace "tcp" with "tcp4" in the psunix line in inetd.conf.
Once changes are made, restart the inetd (or xinetd) process.
Determining the psunix instance
The psunix local instance name, defined by the -inst option when running the install.sh script, is not connected to the main Bravura Security Fabric instance name. If specified, it designates a sub-target.
All instances are configured to use the default database (/etc/passwd) but they can each be changed to match the logic needed for each sub-target.
It is recommended that you use port 905 and the default name to install the first local instance that targets the Unix server. You can then set up sub-targets with their own configuration (communication key (or Master Key), administration user, database, policies, scripts, and so on).
For example, you could use a PSLang script for psunix to target an application, such as a MySQL database, messaging server, or internal web-based application, while still retaining the default instance to manage the Unix users themselves separately.
In another example, when implementing privileged access management, regular users could be served by the default instance, which would be forbidden to touch administrators, and administrative users would be handled by a separate psunix instance with different credentials, which would be allowed to touch privileged users.
Editing the Unix Listener configuration file
A default configuration file, psunix.cfg, is created for you in the /etc directory during the Unix Listener installation. A default directory, /etc/psunix.d/, is also created and contains additional configuration files. You can edit these files to modify the values you entered during installation, or to set additional options.
You may also override the account operations built into the Unix Listener by adding a PSLang file specified by the pslang-override-path option in psunix.cfg. The conf directory of the psunix archive contains three samples:
pslang-override-sample – a generic sample framework
pslang-override-passwd – for calling passwd interactively, using the PSLang popen call
pslang-override-nis – for use with NIS servers
See:
Writing NIS server scripts for more information about creating and editing scripts for an NIS deployment.
Unix Configuration Scripts for details about editing Unix configuration files.
Relocating psunix
The default path for psunix is /usr/local/psunix. At times it might be necessary to change this location using the -bd option of the psunix installer, for example:
./install.sh -bd /usr/share/psunix
In addition, you need to add an LD_LIBRARY_PATH entry for mtcspi in the service account's .profile (by default, psadmin).
Modifying directory permissions for psunix
By default, /usr/local/psunix is owned by root (user and group). It may be necessary to change this to an alternate administrative account when root is not used for the services.
For example, when the Unix Listener is installed, check which user runs the xinetd or inetd service for the psunix listener: the user = line in the /etc/xinetd.d/psunix-<instance> file, or the fifth field of the psunix line in inetd.conf. Another example is when LDAP Transparent Synch is installed and a different administrative user runs the directory server service.
If any of these services do not run as root, change the ownership of the psunix installation, including its configuration files, to that administrative user, for example:
chown -R <user>:<usersgroup> /usr/local/psunix
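The listener entries written by install.sh (inetd.conf line or xinetd.d stanza, shown above) and the ownership check in this section can be audited together. The following shell script is an added example, not part of the psunix distribution: it extracts the service user, protocol and server path for a psunix-<instance> entry from either format, prints a tcp4 variant of the inetd.conf line for IPv6-only inetd hosts, and compares the service user with the owner of the instance directory. The file locations are parameters; /etc/inetd.conf and /etc/xinetd.d in the usage line are the conventional locations and are assumptions for your system.

```shell
#!/bin/sh
# Added example, not part of the psunix distribution: audit the (x)inetd entry
# that install.sh wrote for a psunix instance, extract the account the service
# runs as, and check that this account owns the instance directory (the case
# where "chown -R <user>:<group> /usr/local/psunix" is needed).
# File locations are parameters; /etc/inetd.conf and /etc/xinetd.d below are
# the conventional places, adjust for your Unix.

# inetd_entry INETD_CONF INSTANCE
# Prints "user protocol server" for the psunix-INSTANCE line, nothing if absent.
# inetd.conf fields: service socket protocol wait|nowait user server args...
inetd_entry() {
    awk -v svc="psunix-$2" '$1 == svc { print $5, $3, $6; exit }' "$1"
}

# xinetd_entry XINETD_D INSTANCE
# Prints "user protocol server" from XINETD_D/psunix-INSTANCE, nothing if absent.
xinetd_entry() {
    f=$1/psunix-$2
    [ -r "$f" ] || return 1
    awk -F= '
        NF == 2 { gsub(/^[ \t]+|[ \t]+$/, "", $1); gsub(/^[ \t]+|[ \t]+$/, "", $2) }
        $1 == "user"     { user = $2 }
        $1 == "protocol" { proto = $2 }
        $1 == "server"   { server = $2 }
        END { if (user != "") print user, proto, server }
    ' "$f"
}

# listener_entry INETD_CONF XINETD_D INSTANCE
# xinetd drop-in first, inetd.conf line as fallback.
listener_entry() {
    out=$(xinetd_entry "$2" "$3" 2>/dev/null || true)
    [ -n "$out" ] || out=$(inetd_entry "$1" "$3" 2>/dev/null || true)
    printf '%s\n' "$out"
}

# inetd_force_ipv4 INETD_CONF INSTANCE
# Prints INETD_CONF with the psunix-INSTANCE line switched from tcp to tcp4,
# for hosts whose inetd listens on IPv6 only. All other lines are untouched.
inetd_force_ipv4() {
    sed "/^psunix-$2[[:space:]]/ s/[[:space:]]tcp[[:space:]]/ tcp4 /" "$1"
}

# owner_of PATH: owning user name (GNU stat first, then BSD stat)
owner_of() {
    stat -c %U "$1" 2>/dev/null || stat -f %Su "$1"
}

# check_install_owner INSTALL_DIR SERVICE_USER
# "ok" when SERVICE_USER owns INSTALL_DIR, else "mismatch:<owner>" (status 1).
check_install_owner() {
    owner=$(owner_of "$1" 2>/dev/null) || { echo "unreadable:$1"; return 1; }
    if [ "$owner" = "$2" ]; then
        echo ok
        return 0
    fi
    echo "mismatch:$owner"
    return 1
}

# report INETD_CONF XINETD_D INSTANCE INSTALL_DIR
report() {
    entry=$(listener_entry "$1" "$2" "$3")
    if [ -z "$entry" ]; then
        echo "no listener entry for psunix-$3 in $1 or $2/"
        return 1
    fi
    svc_user=${entry%% *}
    rest=${entry#* }
    proto=${rest%% *}
    server=${rest#* }
    echo "psunix-$3: user=$svc_user protocol=$proto server=$server"
    case $server in
        "$4"/*) ;;
        *) echo "warning: server binary is not under $4" ;;
    esac
    if [ "$proto" = tcp ]; then
        echo "note: protocol is tcp; if inetd here binds IPv6 only, apply inetd_force_ipv4"
    fi
    check_install_owner "$4" "$svc_user" | sed "s|^|ownership of $4: |"
}

# Usage: sh psunix_listener_audit.sh /etc/inetd.conf /etc/xinetd.d default /usr/local/psunix/default
if [ "$#" -eq 4 ]; then
    report "$@"
fi
```

inetd_force_ipv4 only prints the rewritten file; review it with diff against the original before copying it over /etc/inetd.conf and restarting inetd. A mismatch result from the ownership check is the situation the chown command above addresses.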