
PowerBroker Servers Management Console

User Guide


Revision/Update Information: May 2018
Software Version: PowerBroker Servers Management Console 6.1
Revision Number: 0

CORPORATE HEADQUARTERS

5090 N. 40th Street
Phoenix, AZ 85018
Phone: 1 818-575-4000

COPYRIGHT NOTICE
Copyright © 2018 BeyondTrust Software, Inc. All rights reserved. The information contained in this document is subject to change without notice.

No part of this document may be photocopied, reproduced or copied or translated in any manner to another language without the prior written consent of BeyondTrust Software.

BeyondTrust Software is not liable for errors contained herein or for any direct, indirect, special, incidental or consequential damages, including lost profit or lost data, whether based on warranty, contract, tort, or any other legal theory in connection with the furnishing, performance, or use of this material.

All brand names and product names used in this document are trademarks, registered trademarks, or trade names of their respective holders. BeyondTrust Software is not associated with any other vendors or products mentioned in this document.


Contents

Introduction 5
BeyondTrust Product Name Conventions 5
Contacting Support 5
Privileged Account Management Support 5
Vulnerability Management Support 5
All other Regions 5
Online 5
Overview 6
Core Features 6
Installing the Console 7
Requirements 7
Supported Operating Systems 7
Supported Browsers 7
Preparing for Installation 7
Installing on Linux 7
RHEL/CentOS 7
Debian/Ubuntu 8
Installing on Windows 8
Copying ISO files to the Console Server 9
PowerBroker for Unix & Linux 9
PowerBroker Identity Services 9
PowerBroker for Sudo 9
PowerBroker Solr 9
Uninstalling the Console 9
RHEL / CentOS 9
Debian/ Ubuntu 10
Windows 10
Configuring the Console 11
Running the Console 12
Setting up the Console Using the First-Run Wizard 12
Viewing the Dashboard 13
Summary Metrics 13
Charts 13
Discovering Hosts 14
Adding Hosts 14
Importing Hosts 15
Hosts 16

Contents

User Guide ii © 2018. BeyondTrust Software, Inc.


Using the Hosts Grid 16
Status Column 17
Install Status 17
PowerBroker Identity Services 17
PowerBroker for Unix & Linux 17
PowerBroker for Sudo 17
PowerBroker Solr 17
Running an Action on Hosts 18
Privilege Escalation 18
Profile 18
Managing PowerBroker for Unix & Linux Hosts 18
REST API Connectivity 19
Managing PowerBroker Identity Services Hosts 19
Managing PowerBroker for Sudo 20
Installing the PowerBroker for Sudo Policy Server 20
Installing the PowerBroker for Sudo Client 20
Upgrading the PowerBroker for Sudo Policy Server 21
Upgrading the PowerBroker for Sudo Client 21
Uninstalling the PowerBroker for Sudo Policy Server 21
Uninstalling the PowerBroker for Sudo Client 22
Assigning and Unassigning PowerBroker for Sudo Host Alias Groups 22
Managing PowerBroker Solr 22
Solr Connectivity 22
Installing PowerBroker Solr 23
Uninstalling PowerBroker Solr 23
Assigning a Log Server 23
Deploy Keyfile 23
Delete Host 24
Host Details 24
Managing SSH Keys 25
Settings 26
Managing Console Access 26
Adding a Console Account 26
Editing User Accounts 27
Deleting User Accounts 27
PowerBroker Password Safe Integration 27
Using Password Safe to Manage Credentials 27
Configuring Password Safe 27
Importing Password Safe Managed Accounts 28
Example 28
Configuring Active Directory 29
Configuring PowerBroker for Unix & Linux 29
Software 30
Policy Management 31


PBUL Policy Management Overview 31
Role Based vs. Script Based Policies 31
PowerBroker Servers Management Console Code Editor 31
Version Control 32
Change Management 33
Role Based Policy Management 33
Roles 33
Users and User Groups 35
Hosts 36
Commands 36
Schedules 37
Sudo Policy Management 37
File Integrity Monitoring Policy Management 37
Script Policy Management 39
Advanced Control and Audit (ACA) 39
Viewing PBUL Settings 40
Auditing 42
Event Logs 42
Session Replay 42
Recording a Session 42
Playing a Session 43
Managing Credentials 44
Adding Credentials 44
Deleting credentials 44
Editing Credentials 44
Tasks 45
Viewing Tasks 45
Task Details 45
Troubleshooting 47
Application logs 47
Common Problems and Solutions 47
Troubleshooting Password Safe 47
Certificates 47


Introduction
This guide shows system administrators and security administrators how to configure and use BeyondTrust PowerBroker Servers Management Console. It provides an overview of how the console works and instructions for configuration and use.

BeyondTrust Product Name Conventions
This User Guide uses the following naming conventions for BeyondTrust products:

PowerBroker Servers Management Console – PBSMC
PowerBroker Password Safe – Password Safe
PowerBroker for Unix & Linux – PBUL
PowerBroker Identity Services – PBIS
PowerBroker for Sudo – PBSudo
PowerBroker Solr – PBSolr
File Integrity Monitoring – FIM
Advanced Control and Audit – ACA

Contacting Support
For support, go to our Customer Portal, then follow the link to the product you need assistance with.

The Customer Portal contains information regarding contacting Technical Support by telephone and chat, along with product downloads, product installers, license management, account, latest product releases, product documentation, webcasts and product demos.

Telephone

Privileged Account Management Support
Within Continental United States: 800.234.9072
Outside Continental United States: 818.575.4040

Vulnerability Management Support
North/South America: 866.529.2201 | 949.333.1997 + enter access code

All other Regions
Standard Support: 949.333.1995 + enter access code
Platinum Support: 949.333.1996 + enter access code

Online
http://www.beyondtrust.com/Resources/Support/


Overview
PowerBroker Servers Management Console is a web-based tool that you can use to:

• Install, upgrade, and uninstall PowerBroker Identity Services, PowerBroker for Unix & Linux and PowerBroker for Sudo.

• Assess a remote host's readiness by running a profile. After a profile is complete, installs, uninstalls, domain joins, and other actions can be performed on the host.

• Manage PowerBroker for Unix & Linux licenses on Policy Servers.

• Manage PowerBroker for Unix & Linux Script, Sudo, File Integrity Monitoring (FIM) and Role-based Policies.

• Manage Sudo host groups and FIM Policy host assignment.

Core Features
• Hosts – The central page of the console. On the Hosts page, you can profile targets, install and uninstall PBUL, PBIS, PBSudo, and PBSolr. Additionally you can remove hosts, upgrade software, join hosts to domains, manage SSH fingerprints, and assign log servers to be indexed by PBSolr. This page also allows Sudo host group assignment and FIM policy assignment.

• Policy Management – Allows for management of PBUL FIM, Sudo, Role-Based and Script-Based policies on PBUL policy servers.

• Tasks – Provides details about results and status of any remote actions performed by the console.

• Discover – The first stage of adding any remote hosts to be managed by the console. Hosts reachable via SSH are added.

• Dashboard – Provides visual insight into host and software metrics.

• Credentials – Manage user credentials for remote assets (typically SSH credentials).

• Settings – Configuration settings available to the end user, including integration settings for products like Password Safe.

• Audit – View PBUL Event and I/O logs. I/O logs can be replayed as they occurred. Users can add comments on the logs.


Installing the Console
You can install the console on Windows or Linux operating systems.

Requirements
• System firewall configured to allow inbound access on port 4443 (default).

Supported Operating Systems
The following operating systems are supported by PBSMC:

• Windows 2012

• Windows 2012 R2

• RHEL/CentOS 5 or later

• Debian/Ubuntu 12.04 or later

Supported Browsers
The following browsers are supported:

• Safari 9 or later

• Chrome 52 or later

• Firefox 48 or later

• Edge

Preparing for Installation
• You must run the install using an account with root or administrator privileges.

• Copy the installers for Servers Management Console, PowerBroker for Unix & Linux, PowerBroker Identity Services and PowerBroker for Sudo packages to the server.

• If deploying to an HP-UX server, ensure gzip is in /usr/bin or /bin. Create a symlink if it is not:

ln -s /usr/contrib/bin/gzip /usr/bin/gzip

Installing on Linux

RHEL/CentOS

# install, where {version} is the current version
rpm -i pbsmc-{version}.rpm

# optional: verify software is running
service pbsmc status

# configure firewall using the OS version appropriate command:
# RedHat Enterprise Linux/CentOS 7 (the --permanent rule is not active until the reload):
firewall-cmd --zone=public --add-port=4443/tcp --permanent
firewall-cmd --reload

# or, RedHat Enterprise Linux/CentOS 6:
iptables -A INPUT -p tcp -m tcp --dport 4443 -j ACCEPT
service iptables save

Debian/Ubuntu

# install, where {version} is the current version
dpkg -i pbsmc-{version}.deb

# optional: verify software is running
service pbsmc status

# configure firewall using the OS version appropriate command:
# for Ubuntu 14+ (ufw):
ufw allow 4443/tcp

# or other versions:
iptables -A INPUT -p tcp -m tcp --dport 4443 -j ACCEPT

Debian and Ubuntu do not ship an iptables init script, so there is no "service iptables save" on these systems; the rule above is lost at reboot unless you persist it, for example with the iptables-persistent package (netfilter-persistent save) or your distribution's equivalent.

Installing on Windows
Run the MSI package and follow the install wizard.

After you go through the wizard, configure the firewall:

1. Open the Control Panel.
2. Open System and Security and then choose Windows Firewall.
3. Click Advanced Settings.
4. Click Inbound Rules.
5. Click New Rule in the Actions window.
6. Select a Rule Type of Port and click Next.
7. On the Protocol and Ports page, click TCP.
8. Select Specific Local Ports, type a value of 4443 and click Next.
9. On the Action page, click Allow the connection and click Next.
10. On the Profile page, select the appropriate options for your environment and click Next.
11. On the Name page, enter a name for the rule, for example PowerBroker Servers Management Console (TCP on port 4443). Click Finish.


Copying ISO files to the Console Server
You must copy and extract the ISO files for the PowerBroker for Unix & Linux, PowerBroker Identity Services and PowerBroker for Sudo installers.

Note: The installer path folder structures must not be modified.

PowerBroker for Unix & Linux
On Windows:
C:\Program Files (x86)\BeyondTrust\PBSMC\software\pbul

On Unix:
/usr/local/bin/software/pbul/

PowerBroker Identity Services
On Windows:
C:\Program Files (x86)\BeyondTrust\PBSMC\software\pbis

On Unix:
/usr/local/bin/software/pbis/

PowerBroker for Sudo
On Windows:
C:\Program Files (x86)\BeyondTrust\PBSMC\software\pbsudo

On Unix:
/usr/local/bin/software/pbsudo/

PowerBroker Solr
On Windows:
C:\Program Files (x86)\BeyondTrust\PBSMC\software\solr

On Unix:
/usr/local/bin/software/solr/

Uninstalling the Console

RHEL / CentOS
In an escalated shell session:

# remove
rpm -e pbsmc

# optional: remove config and db (this deletes all console data, including the sqlite database)
rm -rf /etc/pbsmc
rm -rf /usr/share/pbsmc/

Debian/Ubuntu
In an escalated shell session:

# remove
dpkg -r pbsmc

# optional: remove config and db (this deletes all console data, including the sqlite database)
rm -rf /etc/pbsmc
rm -rf /usr/share/pbsmc

Windows
1. Open the Control Panel.
2. Click Programs and Features (Add or Remove Programs).
3. Remove PowerBroker Servers Management Console.
4. Configuration and database files can be deleted manually from the %ProgramFiles%\PBSMC\ directory.


Configuring the Console
You can customize the console using the pbsmc.toml.default file located in:

• /etc/pbsmc on Linux

• the %ProgramFiles%\PBSMC directory on Windows

Create a copy of the file using the name pbsmc.toml. The copy needs to contain only the settings that you want to customize.

Be sure to include the section title in pbsmc.toml. For example, if you want to change the default port number, the text will look similar to the following:

[server]
port="4443"

Note: Restrict permissions on the .toml file. The file owner requires read and write; no other account should be able to read or modify it (on Linux, mode 0600, owned by the account the service runs as).

You can configure the following settings:

• SSL – The console supports encrypted HTTPS connections by default using automatically generated self-signed certificates. The console serves only HTTPS traffic on the configured port unless it is explicitly configured in pbsmc.toml to fall back to insecure plain HTTP. A custom certificate pair may also be provided and set in the configuration file. Because the generated certificate is self-signed, browsers will warn on every connection until you either install a certificate issued by a CA your clients trust or verify the self-signed certificate's fingerprint out of band.

• Port – By default, the console runs on port 4443. Stop the service before changing this value.

• Database – By default, the console creates a sqlite database in /etc/pbsmc/pbsmc.sqlite on Linux or in %ProgramFiles%\pbsmc on Windows. This can be changed to another location.

• Pool – Console tasks are run in a concurrent pool of processes. The default number of processes running at a time is 20. You can increase the pool size to allow jobs to complete faster; however, server performance might lag. Decreasing the pool size has the opposite effect.

Note: You must restart the service to apply changes.
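The note above asks for "proper security settings" on pbsmc.toml without saying what to check. The script below, added here as an example and not part of PBSMC or this guide, audits the configuration file and the sqlite database (both under /etc/pbsmc on Linux by default) for the properties that matter: owner read and write, nothing for group or other, a regular file rather than a symlink, and the expected owner. The paths are the guide's Linux defaults; that the service runs as root (uid 0) is an assumption, so change SERVICE_UID if your deployment uses a dedicated account.

```python
"""Check that pbsmc.toml and the console's sqlite database are private to the
account the service runs as. Added example, not part of PBSMC.

Paths are the Linux defaults from the guide. SERVICE_UID = 0 is an assumption
(the packages install under /etc and /usr/share, which suggests root)."""
import os
import stat
import tempfile

CONFIG_PATH = "/etc/pbsmc/pbsmc.toml"
DB_PATH = "/etc/pbsmc/pbsmc.sqlite"
SERVICE_UID = 0                               # assumption, see module docstring
OWNER_RW = stat.S_IRUSR | stat.S_IWUSR
GROUP_OTHER = stat.S_IRWXG | stat.S_IRWXO     # any of these bits is a finding


def audit_private_file(path, expected_uid=None):
    """Return a list of findings; an empty list means the file is acceptable:
    present, a regular file (not a symlink), owner read+write, no group or
    other bits, and owned by expected_uid when one is given."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return ["%s: missing" % path]
    findings = []
    if stat.S_ISLNK(st.st_mode):
        findings.append("%s: is a symlink" % path)
    elif not stat.S_ISREG(st.st_mode):
        findings.append("%s: not a regular file" % path)
    mode = stat.S_IMODE(st.st_mode)
    if mode & GROUP_OTHER:
        findings.append("%s: mode %04o is readable or writable by others; use 0600"
                        % (path, mode))
    if (mode & OWNER_RW) != OWNER_RW:
        findings.append("%s: owner lacks read+write (mode %04o)" % (path, mode))
    if expected_uid is not None and st.st_uid != expected_uid:
        findings.append("%s: owned by uid %d, expected uid %d"
                        % (path, st.st_uid, expected_uid))
    return findings


def audit_mode_demo(mode):
    """Create a throwaway file with the given mode, audit it as the current
    user, and remove it. Exercises the check without touching /etc/pbsmc."""
    fd, path = tempfile.mkstemp(prefix="pbsmc-audit-")
    os.close(fd)
    try:
        os.chmod(path, mode)
        return audit_private_file(path, expected_uid=os.getuid())
    finally:
        os.unlink(path)


if __name__ == "__main__":
    # Run as root on the console host after installation (and after any
    # change to the Database setting, pointing DB_PATH at the new location).
    for p in (CONFIG_PATH, DB_PATH):
        for line in audit_private_file(p, expected_uid=SERVICE_UID) or ["%s: ok" % p]:
            print(line)
```

The database is checked with the same rule as the configuration file because it holds the console's data, and the Credentials page stores the SSH and delegation credentials the console uses against managed hosts; a world-readable copy of it is worth as much to an attacker as the root password of every managed server.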


Running the Console
1. Log on to the console using a supported browser: https://localhost:4443

If this is the first time that you are logging on, the first-run wizard starts.

Note: If the wizard starts, and this is not the first time the console has been run, do not go through the wizard again. All data in the system will be lost! Contact BeyondTrust Technical Support.

Setting up the Console Using the First-Run Wizard
1. If this is the first time you are logging on to the console, go through the wizard to configure system settings, including:

– Administrator account – Create the account that you will use to log on to the console. Do not lose the password!

– Active Directory connection – Configure a connection to an Active Directory forest. Active Directory users and groups can be used in PowerBroker for Unix & Linux policy and can log on to the console.

– Settings – Configure default settings, including default policy type, authentication timeout values, and security level.

– Credentials – Create credentials for remote hosts. The credentials are used to connect to the remote hosts.

2. Review the settings and save. You can now log on to the console using the administrator account you created in the wizard.


Viewing the Dashboard
The Dashboard is the default launch page after your first profile is completed.

The Dashboard provides an easy to read visual summary of the console data metrics. If there are no profiled hosts, the Discover page is the default page and the Dashboard is not available.

Summary Metrics
The top section of the Dashboard displays the following details:

• Software Installations – Lists the products and the number of hosts where the product is installed.

• Discovered – The number of discovered and available hosts.

• Profiled – The number of successfully profiled hosts.

• Solr Assigned Log Servers – The number of log servers using Solr indexing.

• Domain Joins – The number of hosts joined to a domain.

Charts
The following statistics are provided:

• Operating Systems – Percentage of the most common operating systems discovered on the network.

• Domain Joins – Percentage of and what domains discovered hosts have been joined to.

• PBUL Roles – Percentage of PBUL roles discovered on hosts.


Discovering Hosts
On the Discover page, you can find hosts that are accessible via SSH. Discovered assets are stored as hosts and can be managed on the Hosts page.

This stage does not require a credential. It performs a port scan to test for an SSH connection.

Hosts are discovered in parallel batches to avoid saturating the network connection. The default batch size is 20. This can be configured by changing the pool settings option. For more information, see Configuring the Console.

Hosts can be discovered through two methods: providing the addresses directly or importing from a CSV file.

Adding Hosts
IP addresses can be added using one of the following formats:

• Single IP – To discover a single host, type the IP address. For example, 10.1.100.15.

• IP Range – Discover any hosts in the range. For example, 10.1.100.15-10.1.100.20.

• CIDR Notation – Discover hosts in a CIDR block. For example, 10.100.1.10/24 (the /24 that contains that address, 10.100.1.0 to 10.100.1.255).

To manually discover hosts:

1. Enter the IP addresses using one of the accepted formats.

2. Enter an SSH port. The value should be the SSH port of the hosts provided; if none is provided, the default, 22, is used. Note that each discovery scan uses a single port regardless of the number of machines.

3. When discovering a single host, you can enter an SSH fingerprint in SHA256 format. If the value matches the fingerprint received from the host, the host is automatically accepted.

4. Select the SSH fingerprints check box to accept all SSH keys for discovered hosts. If the host already exists in the system, the SSH key is ignored. Accepting every key is trust-on-first-use: a host impersonated at discovery time is accepted and its key stored for all later actions. Where you already know the hosts' keys (for example from a known_hosts file or ssh-keyscan output), supply the expected fingerprints instead, or review the stored keys afterwards under Managing SSH Keys.


Importing Hosts
To import hosts, create a comma separated value (CSV) file with one host address and port per line. Do not use a header row.

A valid file may look like the following:

10.100.3.6,22
10.100.3.7,22
10.100.3.8,22
10.100.3.9,22

Note that the CSV file can also contain fingerprints in SHA256 format. When the fingerprint matches the key presented by the host, the SSH key is accepted.

To import a CSV file:

1. On the Discover page, click Upload File in the Import Hosts panel. Alternatively, drag the file onto the targeted area.

2. Select the SSH check box to automatically accept discovered keys.

3. Find the file, and then click Open.
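The address formats under Adding Hosts and the CSV layout above are easy to get wrong by hand, and ticking the accept-all-keys box trusts whatever key answers at discovery time. The script below, an added example that is not part of PBSMC or this guide, expands the three address formats the Discover page accepts, computes SHA256 host-key fingerprints from known_hosts or ssh-keyscan output so that the console can match keys instead of blindly accepting them, and writes the header-less CSV. It assumes the fingerprint is an optional third column and uses OpenSSH's SHA256:<base64> spelling (what ssh-keygen -lf -E sha256 prints); neither is stated in the guide, so confirm both against the console before relying on them. The sample keyscan output is constructed, not a real host's key.

```python
"""Build an Import Hosts CSV for PBSMC with pre-computed SHA256 host-key
fingerprints, so discovery auto-accepts only hosts whose key matches.

Added example; not part of the PBSMC product or its documentation.
Assumptions the guide does not state: the fingerprint is an optional third
CSV column, spelled as OpenSSH does ("SHA256:<base64>", no '=' padding).
Set FINGERPRINT_PREFIX to "" if the console wants the bare digest."""
import base64
import csv
import hashlib
import io
import ipaddress
import re

FINGERPRINT_PREFIX = "SHA256:"   # assumption, see the module docstring

_RANGE_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})-(\d{1,3}(?:\.\d{1,3}){3})$")
_BRACKET_RE = re.compile(r"^\[(.+)\]:\d+$")   # known_hosts "[host]:port" form


def expand_targets(spec):
    """Expand one Discover-page address spec (single IP, "a-b" range, or CIDR
    block) into a list of IP strings. Raises ValueError on malformed input."""
    spec = spec.strip().replace("\u2013", "-")       # tolerate a pasted en-dash
    m = _RANGE_RE.match(spec)
    if m:
        start, end = (ipaddress.ip_address(s) for s in m.groups())
        if end < start:
            raise ValueError("range end precedes start: %s" % spec)
        return [str(ipaddress.ip_address(int(start) + i))
                for i in range(int(end) - int(start) + 1)]
    if "/" in spec:
        # strict=False: "10.100.1.10/24" means the /24 containing that host.
        # hosts() leaves out the network and broadcast addresses.
        return [str(h) for h in ipaddress.ip_network(spec, strict=False).hosts()]
    return [str(ipaddress.ip_address(spec))]


def ssh_fingerprint(pubkey_line):
    """SHA256 fingerprint of an OpenSSH public key line
    ("<type> <base64 blob> [comment]"): base64 of sha256(blob), no padding."""
    blob = base64.b64decode(pubkey_line.split()[1])
    digest = hashlib.sha256(blob).digest()
    return FINGERPRINT_PREFIX + base64.b64encode(digest).decode().rstrip("=")


def fingerprints_from_known_hosts(text):
    """Map host -> fingerprint from known_hosts or `ssh-keyscan` output.
    Comment, @marker and hashed (|1|...) lines are skipped; a hashed entry
    cannot be mapped back to a host name."""
    result = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0][0] in "#@|":
            continue
        for host in parts[0].split(","):
            m = _BRACKET_RE.match(host)
            result[m.group(1) if m else host] = ssh_fingerprint(" ".join(parts[1:3]))
    return result


def build_import_csv(targets, fingerprints=None):
    """targets: iterable of (spec, ssh_port). Returns the CSV text for the
    Import Hosts panel: one "address,port[,fingerprint]" row per host, no
    header. Hosts without a known fingerprint get a two-column row and are
    accepted only if the accept-discovered-keys box is ticked."""
    fingerprints = fingerprints or {}
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    for spec, port in targets:
        for ip in expand_targets(spec):
            row = [ip, port]
            if ip in fingerprints:
                row.append(fingerprints[ip])
            writer.writerow(row)
    return buf.getvalue()


def constructed_pubkey():
    """A constructed ssh-ed25519 public key (raw bytes 0x00..0x1f), wire-encoded
    the way OpenSSH does. Not a real host's key; it only exercises the code."""
    raw = bytes(range(32))
    blob = (len(b"ssh-ed25519").to_bytes(4, "big") + b"ssh-ed25519"
            + len(raw).to_bytes(4, "big") + raw)
    return "ssh-ed25519 " + base64.b64encode(blob).decode()


# Constructed stand-in for `ssh-keyscan -t ed25519 10.100.3.6` and
# `ssh-keyscan -p 2222 -t ed25519 10.100.3.7` output.
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# 10.100.3.6:22 SSH-2.0-OpenSSH_7.4",
    "10.100.3.6 " + constructed_pubkey(),
    "[10.100.3.7]:2222 " + constructed_pubkey(),
])

if __name__ == "__main__":
    known = fingerprints_from_known_hosts(SAMPLE_KNOWN_HOSTS)
    print(build_import_csv([("10.100.3.6", 22), ("10.100.3.7-10.100.3.9", 2222)], known))
```

In practice you would feed fingerprints_from_known_hosts the output of ssh-keyscan run from a trusted path (or a known_hosts file you already trust), then import the resulting file with the accept-discovered-keys box left clear, so that hosts whose key does not match are not silently added.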


Hosts
On the Hosts page, you can manage hosts and software deployments. A smart form assists in generating actions to run on one or many hosts. You are notified when actions are complete. For more information, see Tasks.

Most actions require that credentials be provided so that the console can authenticate with the selected host(s). Credentials are managed on the Credentials page. For more information, see Managing Credentials.

Using the Hosts Grid
The Hosts page displays all the assets found during a discovery (see Discovering Hosts for information on adding hosts).

Select the filter icon to refine the data displayed on the page. Click on a header to sort and refresh the grid. To quickly select all of the hosts in a grid, click the check box in the header row. To clear applied filters, select the Clear option. Click i on the host row to view more details about the host.

Columns can be added or removed using the Column Picker tool located at the top right of the grid.

Note that the IP, Up, and OS columns are hidden by default.

The available columns are:

• Hostname – The DNS name of the host.

• IP – The IP address of the host.

• Up – The availability status of a host. Available hosts are marked with a green circle. Unavailable hosts are marked with a gray 'unavailable' icon and are by default filtered from view.

• Profiled – A green circle indicates that the Profile action has been run on the host. A gray 'unavailable' icon denotes otherwise. Software cannot be managed on a host until a profile has been run.

• Install Status – The current known status of software deployments on the host. See Install Status.

• OS – The name of the host Operating System.

• OS Version – The version of the host Operating System.

• Updated – The last time data related to the host changed.


• Action – View details about a host or run an action on the selected host.

Status Column
Three status outcomes are possible:

Primary – Indicates Primary License servers.
Error – Indicates a critical issue with the host.
Warning – Indicates a problem with the host.

More information can be found in the Host Details section.

Install Status
The Install Status provides information on the components installed.

PowerBroker Identity Services
If PowerBroker Identity Services is installed, the column displays the software version number and:

• Agent: Indicates if the agent is installed.

• Joined: Domain join status, which will either be ‘not joined’ or the domain the host is joined to.

PowerBroker for Unix & Linux
If PowerBroker for Unix & Linux is installed, the Install Status column displays the version number and an icon for each feature / role the host has enabled:

• Policy: Policy server

• Log: Log server

• Client: Submit or run host

• FIM: FIM policy applied to the server

• License: License server

PowerBroker for Sudo
If PowerBroker for Sudo is installed, the Install Status column displays the version number and the feature / role the host has enabled:

• Policy: Sudo Policy Server

• Log: Log Server

• Client: Sudo Client

PowerBroker Solr
• Server: Solr Server

• Client: Client (indexed machine)


Running an Action on Hosts
On the Hosts page, the following actions are available. Additional configuration settings are displayed when an action is selected.

• Profile

• PowerBroker Identity Services

• PowerBroker for Unix & Linux

• PowerBroker for Sudo

• PowerBroker Solr

• Deploy Keyfile

• Delete Host

Privilege Escalation
Most actions require that a credential be supplied in the Servers Management Console. This is the account that the console authenticates as on the selected server(s). This account might not have sufficient privileges to execute the required commands, so the console lets you choose a Delegation Tool to escalate privileges. Selecting sudo su, su, or pbrun requires you to choose a second credential to delegate to. That second credential is stored by the console alongside the SSH credential, so prefer delegating to an account that holds only the rights these actions need over handing the console a shared root password.

Profile
Run a profile on a host to gather pre-install check information. This check ensures that a host is prepared for software installs.

Profiling requires a credential that is a valid SSH user for the selected host. This credential does not require superuser privileges, but it must have write permission on the host's /tmp folder.

Managing PowerBroker for Unix & Linux Hosts
Note: To access the hosts, a valid SSH credential with Administrative rights on the host is required.

1. Go to the Hosts page, and then select Perform an Action.
2. From the Perform an Action list, select PowerBroker for Unix & Linux.
3. From the Secondary Action list, select the action:

– Upgrade: Upgrade PowerBroker for Unix & Linux software to the version loaded in the console.

– Uninstall: Remove PowerBroker for Unix & Linux software.

– Install: Install PowerBroker for Unix & Linux software from the version loaded in the console. Further configuration is required:

– Role: This option sets which Roles this install will configure. The options are:

– Policy and Log Server Only: The host is configured as a Policy and Log server. Installs the policy server and log server.

– Submit and Run Host Only: The host is configured as a Submit and Run host.


– All Components: All four options above.

– Policy Server: The Policy Server this host should use. The Current Host option selects the host itself as the Policy Server.

– Log Server: The Log Server this host should use. The Current Host option selects the host itself as the Log Server.

– Primary License Server: Select the server to get licensing from. If Current Host is selected, this server will be a Primary License server.

Select the Install License Server check box to make this host a secondary license server when used with a selected primary.

– Host credential: Enter the valid SSH credential with Administrative rights on the host.

– Delegation: Select one of the following to run the action with escalated privileges: pbrun, sudo, su, sudo su. This may require choosing a second credential.

– Assign File Integrity Monitoring Policy: Assign a FIM policy to the selected hosts. From the drop-down menu, choose a FIM policy server that has the policy to be assigned. The host list is filtered to display hosts that connect to that policy server. Next, select the policy, then select hosts from the grid.

– Unassign File Integrity Monitoring Policy: Unassign a FIM policy from a host. Select Unassign File Integrity Monitoring Policies and select the Policy Server with the FIM policy. Lastly, choose the Hosts.

4. Click Go.

Software is installed with default configuration values. The installer generates network and REST encryption keys if none are detected during the install. All future PowerBroker for Unix & Linux installations will use these keys, which can be managed on the Settings page. Because every PBUL host installed from the console shares them, protect the console (including its database and any backups of it) with the same care as the keys themselves.

PowerBroker Servers Management Console does not integrate with BeyondInsight event logging.

REST API Connectivity
PBSMC automatically configures a REST connection to PowerBroker for Unix & Linux policy servers.

Note the following when using the REST API:

• REST API connections can only be made to a policy server running PowerBroker for Unix & Linux v9.4 or later.

• REST connectivity does not open any firewall ports. This must be done by the user.

• By default PBUL uses self-signed certificates, and PBSMC does not verify the policy server's certificate against a Certificate Authority. The connection is therefore encrypted, but the policy server is not authenticated by its certificate; keep the console-to-policy-server path on a network segment where the traffic cannot be intercepted.

To assist in sourcing errors and troubleshooting connections, a task displays on the Tasks page. Additionaltroubleshooting information may be available on the Host Details page.

Managing PowerBroker Identity Services Hosts
Note: To access the hosts, a valid SSH credential with Administrative rights on the host is required.

To manage PowerBroker Identity Services hosts:

1. Go to the Hosts page, and then select Perform an Action.
2. From the Primary Action list, select PowerBroker Identity Services.
3. From the Secondary Action list, select the action:

– Upgrade: Upgrade PowerBroker Identity Services software to the version loaded in the console.


– Uninstall: Remove PowerBroker Identity Services software.

– Install: Install PowerBroker Identity Services software.

– Domain Join: Join the selected hosts to a domain. Provide the following information:

– Domain Join Arguments: The CLI arguments to join the domain.

– AD Credential: The credential for the Active Directory domain.

– Host credential – Enter the valid SSH credential with Administrative rights on the host.

– Delegation – Select one of the following to run the action with escalated privileges: pbrun, sudo, su, sudo su. This may require choosing a second credential.

4. Click Go.

Managing PowerBroker for SudoTo manage PowerBroker for Sudo hosts:

1. Go to the Hosts page, and then select Perform an Action.2. From the Primary Action list, select PowerBroker for Sudo.3. Choose the action to perform and then follow the procedures in this section.

Note: For installation, a policy server must be provided. This policy server list is filtered to known policyservers with working REST credentials.

Installing the PowerBroker for Sudo Policy ServerTo install PowerBroker for Sudo policy server:

1. Go to the Hosts page, and then select Perform an Action.
2. From the Primary Action list, select PowerBroker for Sudo.
3. From the Secondary Action list, select Install.
4. Select Server from the Role menu.
5. Select a Policy server from the menu, or select Current Host to make this server the Policy server.
6. Select a Log server from the menu, or select Current Host to make this server the Log server.
7. Select the server to get licensing from. If the current host is selected, this server will be a Primary License server. Select the Install License Server check box to make this host a secondary license server when used with a selected primary.
8. Select a valid SSH credential with Administrative rights on the host from the host credential menu.
9. Select one of the following from the delegation tool menu to run the action with escalated privileges: pbrun, sudo, su, sudo su. This may require choosing a second credential.
10. Click GO.

Installing the PowerBroker for Sudo Client

To install PowerBroker for Sudo software on the client:

1. Go to the Hosts page, and then select Perform an Action.
2. From the Primary Action list, select PowerBroker for Sudo.
3. From the Secondary Action list, select Install.


4. Select Client from the Role menu.
5. Select a Policy server from the menu. This is the server from which the policies will be revised.
6. Select a Sudo Alias Group from the PowerBroker for Sudo Alias Group menu, or select Create New Alias or Use Self from the menu if desired.
7. Select a valid SSH credential with Administrative rights on the host from the host credential menu.
8. Select one of the following from the delegation tool menu to run the action with escalated privileges: pbrun, sudo, su, sudo su. This may require choosing a second credential.
9. Click GO.

Upgrading the PowerBroker for Sudo Policy Server

To upgrade the policy server to the version loaded in the console:

1. Go to the Hosts page, and then select Perform an Action.
2. From the Primary Action list, select PowerBroker for Sudo.
3. From the Secondary Action list, select Upgrade.
4. Select Server from the Role menu.
5. Select a valid SSH credential with Administrative rights on the host from the host credential menu.
6. Select one of the following from the delegation tool menu to run the action with escalated privileges: pbrun, sudo, su, sudo su. This may require choosing a second credential.
7. Click GO.

Upgrading the PowerBroker for Sudo Client

To upgrade the sudo client to the version loaded in the console:

1. Go to the Hosts page, and then select Perform an Action.
2. From the Primary Action list, select PowerBroker for Sudo.
3. From the Secondary Action list, select Upgrade.
4. Select Client from the Role menu.
5. Select a valid SSH credential with Administrative rights on the host from the host credential menu.
6. Select one of the following from the delegation tool menu to run the action with escalated privileges: pbrun, sudo, su, sudo su. This may require choosing a second credential.
7. Click GO.

Uninstalling the PowerBroker for Sudo Policy Server

To remove the policy server:

1. Go to the Hosts page, and then select Perform an Action.
2. From the Primary Action list, select PowerBroker for Sudo.
3. From the Secondary Action list, select Uninstall.
4. Select Server from the Role menu.
5. Select a valid SSH credential with Administrative rights on the host from the host credential menu.
6. Select one of the following from the delegation tool menu to run the action with escalated privileges: pbrun, sudo, su, sudo su. This may require choosing a second credential.
7. Click GO.


Uninstalling the PowerBroker for Sudo Client

To remove the sudo client:

1. Go to the Hosts page, and then select Perform an Action.
2. From the Primary Action list, select PowerBroker for Sudo.
3. From the Secondary Action list, select Uninstall.
4. Select Client from the Role menu.
5. Select a valid SSH credential with Administrative rights on the host from the host credential menu.
6. Select one of the following from the delegation tool menu to run the action with escalated privileges: pbrun, sudo, su, sudo su. This may require choosing a second credential.
7. Click GO.

Assigning and Unassigning PowerBroker for Sudo Host Alias Groups

PowerBroker for Sudo provides a Host Alias Group feature that allows multiple hosts to share a policy.

You can create a host alias group:

• During the installation of PowerBroker for Sudo clients

• When assigning hosts to an alias group using the Assign PowerBroker for Sudo Alias Groups action.

If a Host Alias Group is created and there is no policy file available, a default empty Sudo policy file will be created for the group.

To assign a Sudo host to an Alias group:

1. Go to the Hosts page, and then select Perform an Action.
2. From the Primary Action menu, select PowerBroker for Sudo.
3. From the Secondary Action menu, select Assign PowerBroker for Sudo Alias Groups.
4. Select a Policy server.
5. From the PowerBroker for Sudo Alias Group menu, select one of the following:

– Create New Alias

– Use Self

6. If you are creating an alias group, enter a name.
7. Click GO.

To unassign a Sudo host from an Alias group:

1. From the Perform an Action menu, select Unassign PowerBroker for Sudo Alias Groups.
2. Select a Policy server.
3. Click GO.

Managing PowerBroker Solr

Solr Connectivity

Certificates must be used to communicate between the Solr server and the log servers.

PBSMC is a certificate signing authority. The console can generate and distribute the required certificates.


Solr must be installed using the Servers Management Console; otherwise, there is no way to communicate with the Solr server.

Installing PowerBroker Solr

To install PowerBroker Solr:

1. Go to the Hosts page, and then select Perform an Action.
2. From the Primary Action list, select PowerBroker Solr.
3. From the Secondary Action list, select Install.
4. The Detect Java Home check box is selected by default. PBSolr will try to detect the location of the Java environment on the server. Otherwise, you can clear the check box and enter the Java Home details.
5. Select a valid SSH credential with Administrative rights on the host from the Host credential menu.
6. Select one of the following from the delegation tool menu to run the action with escalated privileges: pbrun, sudo, su, sudo su. This may require choosing a second credential.
7. Click GO.

Uninstalling PowerBroker Solr

To remove PowerBroker Solr:

1. Go to the Hosts page, and then select Perform an Action.
2. From the Primary Action menu, select PowerBroker Solr.
3. From the Secondary Action menu, select Uninstall.
4. Select a valid SSH credential with Administrative rights on the host from the host credential menu.
5. Select one of the following from the delegation tool menu to run the action with escalated privileges: pbrun, sudo, su, sudo su. This may require choosing a second credential.
6. Click GO.

Assigning a Log Server

The log servers that you select here will be indexed by the selected Solr server.

To assign a log server:

1. Go to the Hosts page, and then select Perform an Action.
2. From the Primary Action menu, select PowerBroker Solr.
3. From the Secondary Action menu, select Assign Log Server.
4. Select a Solr server from the list.
5. Select log servers from the list displayed.
6. Select a host credential and delegation tool from the lists.
7. Click Go.

Deploy Keyfile

The Deploy Keyfile action uses the network and encryption keys configured on the Settings page.

To deploy keyfiles:

1. Go to the Hosts page.
2. Choose Deploy Keyfile from the primary action list.
3. Select a valid SSH credential with Administrative rights on the host from the host credential menu.


4. Select one of the following from the delegation tool menu to run the action with escalated privileges: pbrun, sudo, su, sudo su. This may require choosing a second credential.

5. Click GO.

Delete Host

The Delete action can be selected from the primary action list on the Hosts page. It removes the selected hosts from the console database. No action is taken on the host nor on any credentials the console may have stored for it.

Host Details

You can view more information about host servers including errors and warnings for particular products deployed.

On the PBUL details pane, you can manage the following settings:

• Configure the PBUL Rest Time Skew (the acceptable time offset between PBSMC and the PBUL host in seconds).

• Apply licenses and view license details. For PBUL versions 9.4.5 (and earlier) the license is entered in a text box; in 10.0 (and later) the user can upload a license file.

To view more information about a host:

1. On the Hosts page, select the Details menu for a server.
2. Select General Details to view IP address, host name, OS, default gateway, and architecture.
3. Select a product name in the list to view details about the host collected by the Servers Management Console. Details on errors and warnings are included here.


Managing SSH Keys

You can accept or reject SSH keys. Keys are retrieved when PowerBroker Servers Management Console connects to a host. Communication is not established with the host until a key is accepted.

A key can be in one of the following states:

• Unknown - The key must be reviewed.

• Accepted - The key passed review.

• Rejected - The key was rejected and the host is not trusted.

To review SSH keys:

1. Select Hosts from the menu.
2. Click SSH Keys.
3. Click a key to open the details.
4. Click Allow to trust the key.
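The review gate described above, modelled as an added Python example (not code from this guide or from BeyondTrust): a small host-key store that tracks the Unknown, Accepted and Rejected states and refuses a connection until the key the host offers has been accepted. The host name, the key blobs and the rule that a changed key drops back to Unknown are constructed assumptions for illustration.

```python
import base64
import hashlib
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional


class KeyState(Enum):
    UNKNOWN = "Unknown"    # retrieved from the host, not yet reviewed
    ACCEPTED = "Accepted"  # passed review; the console may talk to the host
    REJECTED = "Rejected"  # failed review; the host is not trusted


def fingerprint(public_key: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint of a raw public-key blob."""
    digest = hashlib.sha256(public_key).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


@dataclass
class HostKeyEntry:
    fingerprint: str
    state: KeyState = KeyState.UNKNOWN


class HostKeyStore:
    """Review gate for SSH host keys: a host is reachable only while its current key is Accepted."""

    def __init__(self) -> None:
        self._entries: Dict[str, HostKeyEntry] = {}

    def retrieve(self, host: str, public_key: bytes) -> HostKeyEntry:
        """Record the key a host presented on contact as Unknown. A key that differs from
        the one on file replaces it and starts over as Unknown (assumed behaviour)."""
        fp = fingerprint(public_key)
        entry = self._entries.get(host)
        if entry is None or entry.fingerprint != fp:
            entry = HostKeyEntry(fp)
            self._entries[host] = entry
        return entry

    def allow(self, host: str) -> KeyState:
        self._entries[host].state = KeyState.ACCEPTED
        return self._entries[host].state

    def reject(self, host: str) -> KeyState:
        self._entries[host].state = KeyState.REJECTED
        return self._entries[host].state

    def state(self, host: str) -> Optional[KeyState]:
        entry = self._entries.get(host)
        return entry.state if entry else None

    def can_connect(self, host: str, public_key: bytes) -> bool:
        """True only when the key offered now is the reviewed-and-accepted one."""
        entry = self._entries.get(host)
        return (entry is not None
                and entry.state is KeyState.ACCEPTED
                and entry.fingerprint == fingerprint(public_key))


def review_demo() -> List[tuple]:
    """Walk one constructed host through the three states."""
    store = HostKeyStore()
    key_a = b"ssh-ed25519 constructed-key-A"   # constructed, not a real key
    key_b = b"ssh-ed25519 constructed-key-B"   # constructed, not a real key
    trace = []
    store.retrieve("web01", key_a)
    trace.append(("retrieved", store.state("web01"), store.can_connect("web01", key_a)))
    store.allow("web01")
    trace.append(("allowed", store.state("web01"), store.can_connect("web01", key_a)))
    store.retrieve("web01", key_b)               # host now presents a different key
    trace.append(("key changed", store.state("web01"), store.can_connect("web01", key_b)))
    store.reject("web01")
    trace.append(("rejected", store.state("web01"), store.can_connect("web01", key_b)))
    return trace


if __name__ == "__main__":
    for step in review_demo():
        print(step)
```

The point of the gate is that acceptance is bound to a specific fingerprint: a host that later presents a different key is not carried over as trusted but has to be reviewed again, which is what stops a substituted key from riding on an earlier approval.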


Settings

On the Settings page you can configure the following:

• Console access - Manage user accounts for PowerBroker Servers Management Console

• Integration - Set up Password Safe, Active Directory, and PowerBroker for Unix & Linux.

• View Currently Managed Software

• System Settings

Managing Console Access

Adding a Console Account

You can configure additional accounts in the console.

Note: The ‘admin’ account is created during installation and cannot be removed. It is recommended that you update the password after the initial login.

To add an account:

1. Select the Settings menu.
2. Click Console Access.
3. Click Add Users and Groups.
4. Select Local User or Active Directory.
5. For Active Directory accounts, search the forest and domain to find the user or group that you want to add.
6. Enter the following information if you select Local User:

– User Name – This will be used to authenticate the account in the console and must be unique in the system. Once the User Name has been saved, it cannot be changed.

– First name – The user first name.

– Last name – The user last name.

– Email – The user email address.

– Password – The user password. Used to authenticate the account in the console. Must be at least 8 characters.

– Confirm Password – Must match the password value.

7. Click Add Account.


Editing User Accounts

You can only change the account settings for a local user. You cannot change Active Directory account information.

To change account information:

1. Select the Settings menu.
2. Click Console Access.
3. Locate the account, and then click the menu and select Edit Account.
4. Change the information as needed, and then click Update Account.

Deleting User Accounts

You can delete local user accounts and Active Directory accounts.

To delete an account:

1. Select the Settings menu.
2. Click Console Access.
3. Locate the account, and then click the menu and select Delete Account.
4. Click OK to delete.

PowerBroker Password Safe Integration

Using Password Safe to Manage Credentials

You can use Password Safe to manage the credentials. Then, when you run actions on your hosts, passwords are retrieved at runtime from Password Safe (rather than storing the passwords locally).

This section provides Password Safe configuration information within the console. For more information on configuring Password Safe, refer to the Password Safe documentation.

Configuring Password Safe

Configure the settings for the Password Safe server.

To configure Password Safe integration:

1. In the console, select the Settings menu, and then click Integration.

2. Enter the following information:


– Password Safe Server – The location of the Password Safe server. This should not have a trailing slash, for example, https://pbps_server

– API key – The API key generated in BeyondInsight.

– RunAs User – The BeyondInsight account under which the requests will be made. This Password Safe user must be in a User Group with API access and with an Access Policy that has auto-approve enabled for Access.

– Description – Free text entry to provide any additional details; not required.

– Verify Certificate – Disabling this option will bypass certificate validation.

3. Click Update Settings.

Importing Password Safe Managed Accounts

A Password Safe managed account must be imported as a PowerBroker Servers Management Console credential.

Note: After you import a managed account, the Password Safe details cannot be changed in the console. The Managed Account password is never stored in the console system; it is retrieved at runtime as required.

To import a managed account:

1. In the console, go to Settings and click Integration.
2. Click the Show Accounts button.
3. Select the Managed Accounts from the list of results that the console can access and select Save Account.

You can now view the credentials (or managed account) on the Credentials page in the console.

Note that a status 200 might be displayed if the selected Managed Account already exists as a console credential.

Example

This example is intended to provide a high-level configuration and is provided only as an overview.

In this example the goal is to use an account called pbsmc_user on a host at 10.100.10.10 to perform a Profile action. BeyondInsight / Password Safe is running at https://my_pbps.

1. Enable pbsmc_user in the Password Safe API.

– In BeyondInsight, add the 10.100.10.10 asset if required, then choose the Add / Edit Password Safe option for 10.100.10.10 in the Assets grid.

– On the Local Accounts tab select Add then provide the details for pbsmc_user. Ensure that the Enable for API Access option is selected.

2. Get an API Key and whitelist PowerBroker Servers Management Console:

– In BeyondInsight, go to Configure / Password Safe / Application API Registration.

– Create a new registration.

– Add the PowerBroker Servers Management Console IP address to the source addresses list.

– Disable the certificate required option.

– An API key will be generated when the registration is saved. This key will be used in the console.

3. Configure an Access Policy in BeyondInsight:

– Go to Configure / Password Safe / Access Policies.


– Create a policy.

– In the Access section ensure that Approvers is set to auto-approve.

4. Configure an API User Group in BeyondInsight:

– Go to Configure / Accounts.

– Create a group. Ensure the Enable API Application option is selected and the application registered in step 2 is selected.

– In Smart Rules select the Roles option for the All Managed Accounts rule, choose Requestor under Password Safe and select the access policy created in step 3 as the access policy.

5. Create an API User in BeyondInsight:

– Go to Configure / Accounts and add an account. Ensure it belongs to the group created in step 4.

6. Configure Password Safe in PowerBroker Servers Management Console:

– Go to Settings and choose the Password Safe tab.

– Enter the details for the Password Safe server. The Key was obtained in step 2 and the RunAs user is the account created in step 5. The URL would be https://my_pbps.

7. Add pbsmc_user to PowerBroker Servers Management Console:

– Go to Settings and select the Password Safe tab.

– Select Show Accounts.

– In the list select pbsmc_user and choose Save Account.

8. Use the pbsmc_user in the console:

– Choose Profile then pbsmc_user (PBPS) from the Credential drop down. Select 10.100.10.10 from the Hosts list and run the action.

Configuring Active Directory

Create a connection to Active Directory. You can only create a connection to one Active Directory forest.

To create the connection:

1. In the console, select the Settings menu, and then click Integration.
2. Enter the domain name.
3. Enter a service account name and password. It is recommended to use an Enterprise Domain account.
4. Select the Use Secure Connection check box to secure communication using SSL.
5. Select the Verify certificate check box to validate the certificates with the CA. Clear the check box if you are using self-signed certificates.

Configuring PowerBroker for Unix & Linux

Upload key files to confirm the files on the host are synchronized with the keys used by the console.

Note that if no keyfiles are present then the console will create them during the next installation of PowerBroker for Unix & Linux 9.4.5 or later.

To configure PowerBroker for Unix & Linux:

1. In the console, select the Settings menu, and then click Integration.
2. Turn on Verify SSL to validate the certificate CA.


3. Upload network or REST key files to the console.

Software

The Software page lists the software managed by PowerBroker Servers Management Console, where it is located, and what version is currently installed if it is found. Select Refresh Software to update the list.


Policy Management

PBUL Policy Management Overview

The Policy Management section allows the user to manage creating, updating and deleting PowerBroker for Unix and Linux Policies for the following:

• Sudo

• FIM

• Script Policy

• Role-Based Policy

To manage policies the user must first choose the type of policy they wish to manage and then select the policy server on which the policy resides. The policy server list is made up of known policy servers with working REST connections. If a server is listed in grey, that server has an unsupported version of PowerBroker for Unix and Linux installed and should be upgraded to enable policy management.

For more information on policies, refer to the PowerBroker for Unix and Linux Administration and the PowerBroker for Unix and Linux Language Specification documentation.

Role Based vs. Script Based Policies

A PowerBroker for Unix and Linux Policy server is either in Role-Based or Script-Based policy mode. A server in Role-Based mode only uses Role-Based Policy and ignores all Script Policies. A server in Script Policy mode only uses Script Policies.

If the user chooses to manage a Script Policy on a server which is in Role-Based policy mode, they will be notified that the feature is disabled and given an option to switch the server mode. Users will also be notified when choosing to manage a Role-Based Policy on a server that is in Script Policy mode. When the server mode is switched, the server will ignore all policies associated with the disabled mode.

PowerBroker Servers Management Console Code Editor

The PowerBroker Servers Management Console provides an editor component with a number of features to assist with writing code:

• syntax highlighting

• line numbering

• font size control

• formatting

• find/replace tools

• soft wrapping

• diff tool

Different toolbar options may be available based on the type of script in the editor.


Most of the features are available in the toolbar, and keyboard shortcuts can also be used. The editor is used in the Policy Management section where applicable.

Using the Diff Tool

Use the diff tool to compare different versions of a policy. The policy must have change management turned on and versions of the policy must exist in the database.

To use the diff tool:

1. Select the policy and then click the Compare Versions toolbar button.
2. Select a version to compare.

The differences are calculated and highlighted.

3. Change the content in the current policy, if needed.
4. Click Close Diff.

Version Control

Some of the policy types support version control. Each time a policy is changed its version is incremented. The policy with the highest version is the one that is applied.

For policies that support version control, a version menu is available that allows the user to choose a specific version to edit.

Note: Saving a policy will make it the most recent version, which makes it the active policy. Care should be taken when saving older versions of the files.
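An added Python example (not the console's own code) of the version-control and diff behaviour described in the two sections above: every save produces a new, higher version; the highest version is the active one; saving an older version does not roll the history back but creates a new active version carrying the old content; and the standard difflib module produces the differences the diff tool would highlight between two versions. The policy name and the sudoers-style content are constructed.

```python
import difflib
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class PolicyVersion:
    version: int
    content: str


class VersionedPolicy:
    """A policy file whose every save creates a new, higher version; the highest version is active."""

    def __init__(self, name: str, content: str) -> None:
        self.name = name
        self.versions: List[PolicyVersion] = [PolicyVersion(1, content)]

    def save(self, content: str) -> int:
        """Store content as the next version and return its number."""
        new_version = self.versions[-1].version + 1
        self.versions.append(PolicyVersion(new_version, content))
        return new_version

    def get(self, version: int) -> str:
        for pv in self.versions:
            if pv.version == version:
                return pv.content
        raise KeyError(f"{self.name}: no version {version}")

    def active_version(self) -> int:
        return max(pv.version for pv in self.versions)

    def save_older_version(self, version: int) -> int:
        """Re-saving an older version is not a rollback of the history: it creates
        a new highest version carrying the old content, which then becomes active."""
        return self.save(self.get(version))

    def diff(self, old: int, new: int) -> List[str]:
        """Unified diff between two stored versions (what the console's diff tool highlights)."""
        return list(difflib.unified_diff(
            self.get(old).splitlines(), self.get(new).splitlines(),
            fromfile=f"{self.name} v{old}", tofile=f"{self.name} v{new}", lineterm=""))


def changed_lines(diff: List[str]) -> Tuple[List[str], List[str]]:
    """Split a unified diff into (added, removed) content lines, skipping the file headers."""
    added = [line[1:] for line in diff if line.startswith("+") and not line.startswith("+++")]
    removed = [line[1:] for line in diff if line.startswith("-") and not line.startswith("---")]
    return added, removed


# Constructed sudoers-style content; not a policy taken from the guide.
V1 = "Defaults env_reset\nops ALL=(root) /usr/bin/systemctl restart nginx\n"
V2 = V1 + "dev ALL=(root) /usr/bin/systemctl status nginx\n"


def demo() -> VersionedPolicy:
    policy = VersionedPolicy("web-sudoers", V1)
    policy.save(V2)                # v2 becomes active
    policy.save_older_version(1)   # creates v3 with v1's content: the dev line is gone again
    return policy


if __name__ == "__main__":
    p = demo()
    print("active version:", p.active_version())
    for line in p.diff(2, 3):
        print(line)
```

The third version in the demo is why the note above matters: opening version 1 from the version menu and saving it silently retires the additions made in version 2, so a reviewer comparing versions 2 and 3 sees the dev line as a removal.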


Change Management

The Servers Management Console allows users to enable Change Management in the console.

If Change Management is not enabled on the selected server, the option to enable Change Management is available in the console. Once it is enabled it cannot be turned off.

Role Based Policy Management

Note: Script Policy Management will be disabled on hosts configured to use Role-Based Policy. See "Role Based Policy Management".

A PBUL Role Based Policy defines Who (Users) can do What (Commands), Where (Hosts) and When (Schedule). These Role Entities are then associated to a Role. A User, Host, Command, and Schedule entity can be used in multiple Roles, allowing the user to create a single definition and share it. The Role Based Policy editor is divided into sections allowing for the management of Roles and each of the Role Entities.

Choose the PBUL Role Based Policy option and an appropriate policy server from the selection lists to load the Role Based Policy Management editor. To manage a particular entity type choose that type from the top navigation. Roles will be selected by default.

Roles

A list of available Roles will show the existing entities. This list is searchable and can be filtered by DISABLED, ENABLED, or ALL options. Selecting the + option will create a role. Choosing a role or creating a new one will open the Role Editor. Choosing the Save Changes button will update the Role properties and all of the Role Relationships; similarly, discard reverts the Role and its Relationships to their original state.

The following options are available:


• Role Name: This should be unique on the policy server.

• Enabled: Whether or not the role is active (default true).

• Action: Whether this should trigger an accept or reject action (default accept).

• Risk Level: The perceived risk level of the policy.

• Record Session Data: Whether to log session data (default no).

• Session Recording File Location: where to store session data, if enabled.

• Script: Whether to include a custom script (default disabled). If enabled, a Code Editor instance will become available to set the script content.

Managing Role to Entity Relationships

Each role can have zero to many relationships with each Entity Type. This is managed via the lists matching the appropriate entity.

• Who: defines which Users the policy applies to. This item is divided into two user types: Submit User(s) and Run User(s). These lists will contain the User and Users entities.

• What: defines which Commands the policy applies to. This list will contain the Command entities.

• Where: defines which Hosts the policy applies to. This item is divided into two host types: Submit Hosts and Run User Hosts. These lists will contain the Host entities.

• When: defines which Schedule the policy applies to. This list will contain the Schedule entities.


Role Ordering

The order in which Role-Based Policies are applied can be set by ordering the Roles in the list of available Roles. Choose the down arrow option to move a Role lower in the priority order and the up arrow to increase it. Changes to role order will be saved automatically.

Users and User Groups

There are three types of user and group:

• Secure – A user or group not associated with any system. The name and credential are added to the policy.

• System – The users and groups are retrieved from the selected host. System roles are only available with PowerBroker for Unix & Linux v. 9.4.4 or later.

• Active Directory – The users and groups are retrieved from Active Directory. Create a connection to Active Directory on the Settings page.

To add a user or user group:

1. Select Policy Management from the menu.
2. Select a policy server. Note that if script based policy is selected for that server then role based policy is not available.
3. Click Role Based Policy.
4. Click Add User and Groups.

Note: A list of available Users and User Groups is displayed on the Users and Groups page. This list is searchable and can be filtered by DISABLED, ENABLED, or ALL.

5. On the Add Users and Groups pane, select the type of user or group to add:

The settings vary depending on the type of user or group selected.

Note: If a wildcard character (*) is in the user name, the user will be treated as a group.

6. Enter the information as needed:

– Secure user – Enter a user name and password.

– Secure group – Enter a user group name and description. Add users.

– Active Directory – Select forest and domain properties. Enter search criteria to find the user or group.

7. Click Save Changes.


Hosts

The Host section allows you to manage host groups. A host group is a collection of Assets. To create a host group:

1. Select the addition icon or select an existing Host group. Delete by selecting the trash can icon on the selected Host Group.

2. When you create a host group you need to provide a Host Group Name, Description and then add the assets.
3. Select Save.

Commands

A Command Group is a list of acceptable commands. To create a command group:

1. Select the addition icon or select an existing Command group. Delete by selecting the trash can icon on the selected Command Group.

2. When you create a Command group you need to provide a Command Group Name, Description and then add the commands.

3. When adding a Command to the list, you must enter Command Submitted, which is the command a PBUL user types. Optionally, you can enter Command Executed, which will be executed in place of the Command Submitted.


4. Select Save.

Schedules

When adding a schedule there are two types of dates you can create in your schedule:

Date/Time Range - Choose a specific date range. If the end date is not specified, the range defaults to continuous. If the start date is not specified, the default will be to start immediately.

Recurring Schedule - Choose active blocks of time per day. Choose a range of 15 minute blocks per each day, for a full calendar week.
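The following added Python example (not PBUL or console code) models how the Role Based Policy pieces described from the Roles section through Schedules fit together: Who, What, Where and When entities attached to ordered roles; the first matching enabled role deciding accept or reject, so that role order matters; a user name containing * treated as a wildcard group; Command Submitted mapped to Command Executed; and a schedule built from an optional date/time range (no end means continuous, no start means immediate) plus recurring 15-minute blocks per weekday. The group names, role names, hosts, commands, the default reject when no role matches and the exact-match semantics for commands and hosts are constructed assumptions; the real policy engine runs on the policy server.

```python
from dataclasses import dataclass, field
from datetime import datetime
from fnmatch import fnmatch
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Schedule:
    """When: optional date/time range plus optional recurring 15-minute blocks."""
    start: Optional[datetime] = None  # None: starts immediately
    end: Optional[datetime] = None    # None: continuous
    blocks: Set[Tuple[int, int]] = field(default_factory=set)  # (weekday 0=Mon, block 0..95); empty: any time

    def active(self, at: datetime) -> bool:
        if self.start is not None and at < self.start:
            return False
        if self.end is not None and at > self.end:
            return False
        if self.blocks:
            return (at.weekday(), (at.hour * 60 + at.minute) // 15) in self.blocks
        return True


def daily_blocks(weekdays, start_hour: int, end_hour: int) -> Set[Tuple[int, int]]:
    """Recurring 15-minute blocks from start_hour to end_hour on each weekday given (0 = Monday)."""
    return {(d, b) for d in weekdays for b in range(start_hour * 4, end_hour * 4)}


def user_matches(entry: str, user: str, groups: Dict[str, Set[str]]) -> bool:
    """A name containing '*' is treated as a group and matched as a wildcard;
    otherwise it is a group name from `groups` or an exact user name."""
    if "*" in entry:
        return fnmatch(user, entry)
    if entry in groups:
        return user in groups[entry]
    return entry == user


@dataclass
class Role:
    name: str
    submit_users: List[str]             # Who: user names, group names or wildcards
    run_users: List[str]
    commands: Dict[str, Optional[str]]  # What: Command Submitted -> Command Executed (None: as submitted)
    submit_hosts: Set[str]              # Where
    run_hosts: Set[str]
    schedule: Schedule = field(default_factory=Schedule)  # When
    action: str = "accept"              # "accept" or "reject"
    enabled: bool = True


@dataclass
class Request:
    submit_user: str
    run_user: str
    command: str
    submit_host: str
    run_host: str
    at: datetime


def evaluate(roles: List[Role], req: Request,
             groups: Dict[str, Set[str]]) -> Tuple[str, Optional[str], Optional[str]]:
    """Check roles in list order (the role-ordering priority); the first enabled role whose
    Who, What, Where and When all match decides. No match: reject (assumed default)."""
    for role in roles:
        if not role.enabled:
            continue
        if not any(user_matches(e, req.submit_user, groups) for e in role.submit_users):
            continue
        if not any(user_matches(e, req.run_user, groups) for e in role.run_users):
            continue
        if req.command not in role.commands:
            continue
        if req.submit_host not in role.submit_hosts or req.run_host not in role.run_hosts:
            continue
        if not role.schedule.active(req.at):
            continue
        return role.action, role.commands[req.command] or req.command, role.name
    return "reject", None, None


# Constructed sample: an "ops" secure group, a reject role for a frozen user plus a contractor
# wildcard, and an accept role that rewrites the submitted command, valid Mon-Fri 09:00-17:00.
GROUPS = {"ops": {"alice", "bob"}}
FREEZE = Role("freeze", ["bob", "ctr*"], ["root"], {"systemctl restart nginx": None},
              {"bastion", "web01"}, {"web01"}, action="reject")
OPS = Role("ops-restart-nginx", ["ops"], ["root"],
           {"systemctl restart nginx": "/usr/bin/systemctl restart nginx"},
           {"bastion", "web01"}, {"web01"},
           schedule=Schedule(blocks=daily_blocks(range(0, 5), 9, 17)))
ROLES = [FREEZE, OPS]  # FREEZE is ordered first, so it wins for bob


def decide(user: str, when: str, roles: List[Role] = ROLES) -> Tuple[str, Optional[str], Optional[str]]:
    """Evaluate a nginx-restart request from `user` at ISO time `when`, e.g. "2024-03-05T10:30"."""
    req = Request(user, "root", "systemctl restart nginx", "bastion", "web01", datetime.fromisoformat(when))
    return evaluate(roles, req, GROUPS)
```

Reversing the list order to [OPS, FREEZE] lets bob through because the accept role is now evaluated first, which is the practical reason the Role Ordering section warns that order is part of the policy and is saved automatically.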

Sudo Policy Management

Sudo policy supports version control.

To manage Sudo policies:

1. Select the Sudo Policy option and a policy server from the selection lists to load the Sudo Policy editor. A list of available sudo policies is displayed.

2. Select a policy to open it for editing in the code editor window. Alternatively, click + to create a policy.

3. If you are creating a policy, enter a host name and file path. The File Path can be a relative or absolute path. If a relative path is provided, the path will be preceded by /etc/.

4. Click Save Changes to save the file to the policy server.

4. Click Save Changes to save the file to the policy server.

File Integrity Monitoring Policy Management

Create file integrity policy definitions to monitor for file changes. A policy definition includes a target that identifies the type of object that you want to monitor. Some of the target types include: directory, device, symbolic link, script, executable.

You can assign attributes to the target type. An attribute is an action that you want to monitor and includes the following examples: file moves, file ownership changes, date and time changes.

A policy definition can contain more than one target.

To manage FIM policies:


1. Select the File Integrity Monitoring option and a policy server from the selection lists to load the File Integrity Monitoring editor.

2. Click + and enter a name for the policy. Alternatively, select an existing policy and click the clone button.

3. Click + to create a policy definition.

4. Select a target type, and set the attributes that you want to monitor.

5. Optionally, assign a risk rating value. The accepted values are between 1 and 10. A risk rating weights the severity of the monitored actions configured for the targets. Click Add Target to add more targets to the definition.

After you create a policy definition, select the definition when defining the paths to include or exclude in the monitoring.

6. Enter a path and select a policy definition in the Include section. Optionally, select the check boxes: Monitor Sub Folders, Follow Symlinks, and Follow Off Device. The policy applies to all files in the path.

7. Enter paths that you do not want to monitor in the Exclude section.

8. Click Save Policy.
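The policy shape described above (Include paths with Monitor Sub Folders and Follow Symlinks, Exclude paths, and per-target attributes such as content, ownership, permissions and date/time) can be modelled as a baseline-and-compare script. The following is an added example and not code from the product or this guide: the function names, the temporary directory tree, and the sudoers-style file contents are constructed for illustration, and the move detection (pairing a removed path with an added path of identical content) is this example's own heuristic rather than the product's. It also ties back to the Sudo Policy section: the files it watches are the kind of sudo policy file the console writes under /etc/.

```python
import hashlib
import os
import stat
import tempfile

# Attribute -> event name; these mirror the kinds of change a policy definition can watch.
ATTRIBUTE_EVENTS = {"sha256": "content changed", "uid": "owner changed", "gid": "group changed",
                    "mode": "permissions changed", "mtime_ns": "date/time changed"}


def fingerprint(path, follow_symlinks=False):
    """Record one file's monitored attributes. With Follow Symlinks off, a link is
    recorded as a link (hash of its target string), not as the file it points to."""
    st = os.stat(path) if follow_symlinks else os.lstat(path)
    rec = {"uid": st.st_uid, "gid": st.st_gid,
           "mode": stat.S_IMODE(st.st_mode), "mtime_ns": st.st_mtime_ns}
    if stat.S_ISLNK(st.st_mode):
        rec["sha256"] = hashlib.sha256(os.readlink(path).encode()).hexdigest()
        return rec
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    rec["sha256"] = digest.hexdigest()
    return rec


def _excluded(path, exclude):
    return any(path == ex or path.startswith(ex.rstrip(os.sep) + os.sep) for ex in exclude)


def collect(include, exclude=(), sub_folders=True, follow_symlinks=False):
    """Snapshot every file under the Include directories, skipping the Exclude paths."""
    snapshot = {}
    for top in include:
        for dirpath, dirnames, filenames in os.walk(top, followlinks=follow_symlinks):
            if _excluded(dirpath, exclude):
                dirnames[:] = []          # prune: never descend into an excluded tree
                continue
            if not sub_folders:
                dirnames[:] = []          # Monitor Sub Folders off: top level only
            for name in filenames:
                full = os.path.join(dirpath, name)
                if _excluded(full, exclude):
                    continue
                try:
                    snapshot[full] = fingerprint(full, follow_symlinks)
                except OSError:
                    pass                  # dangling link or unreadable file: nothing to record
    return snapshot


def compare(baseline, current, attributes=tuple(ATTRIBUTE_EVENTS)):
    """Diff two snapshots into sorted (path, event) pairs. A file that vanishes at one
    path and reappears with identical content at another is reported as a move."""
    events = []
    added = {p for p in current if p not in baseline}
    by_hash = {}
    for p in sorted(added):
        by_hash.setdefault(current[p]["sha256"], []).append(p)
    for p in sorted(p for p in baseline if p not in current):
        candidates = by_hash.get(baseline[p]["sha256"], [])
        if candidates:
            new_path = candidates.pop(0)
            added.discard(new_path)
            events.append((p, "moved to " + new_path))
        else:
            events.append((p, "removed"))
    events.extend((p, "added") for p in added)
    for p in baseline.keys() & current.keys():
        events.extend((p, ATTRIBUTE_EVENTS[a]) for a in attributes
                      if baseline[p][a] != current[p][a])
    return sorted(events)


def demo():
    """Constructed sample: snapshot a throwaway tree, tamper with it, report the diff."""
    old = 1_000_000_000                   # fixed past mtime so timestamp diffs are deterministic
    with tempfile.TemporaryDirectory() as root:
        etc, scratch = os.path.join(root, "etc"), os.path.join(root, "tmp")
        os.makedirs(os.path.join(etc, "sudoers.d"))
        os.makedirs(scratch)
        files = {"sudoers": "root ALL=(ALL) ALL\n", "hosts": "127.0.0.1 localhost\n",
                 os.path.join("sudoers.d", "ops"): "%ops ALL=(ALL) /usr/bin/systemctl\n"}
        for name, text in files.items():
            path = os.path.join(etc, name)
            with open(path, "w") as fh:
                fh.write(text)
            os.chmod(path, 0o644)
            os.utime(path, (old, old))
        os.symlink(os.path.join(etc, "sudoers"), os.path.join(etc, "sudoers.link"))
        baseline = collect([etc, scratch], exclude=[scratch])

        with open(os.path.join(etc, "sudoers"), "a") as fh:     # content and mtime change
            fh.write("alice ALL=(ALL) NOPASSWD: ALL\n")
        os.chmod(os.path.join(etc, "hosts"), 0o600)               # permission change
        os.utime(os.path.join(etc, "hosts"), (old + 1, old + 1))  # and a timestamp change
        os.rename(os.path.join(etc, "sudoers.d", "ops"), os.path.join(etc, "ops.moved"))
        with open(os.path.join(scratch, "junk"), "w") as fh:      # excluded path: no event
            fh.write("x")
        events = compare(baseline, collect([etc, scratch], exclude=[scratch]))
        # Strip the temp-dir prefix so the report reads like real paths.
        return [(p.replace(root + os.sep, ""), e.replace(root + os.sep, "")) for p, e in events]


if __name__ == "__main__":
    for path, event in demo():
        print(path, event)
```

The excluded path is pruned before it is walked, so a file dropped there never enters the snapshot; the symlink is recorded by its target string rather than followed, which is what Follow Symlinks off means in the policy above.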


Script Policy Management

Note: Script Policy Management will be disabled on hosts configured to use Role-Based Policy. See "Script Policy Management".

To manage script policies:

1. Select Policy Management from the menu.

2. Select Script Based Policy.

3. Select a policy server from the list to display the list of script policies.

4. Select an existing policy to open it for editing in the code editor window, or click + to create an empty script policy.

5. After you edit the script, select Check Syntax from the toolbar. This verifies that the script syntax is correct. If an error is found, a notification displays in red stating that the file syntax is invalid. Note that only syntax is checked, not the actual policy definition, and that included policies, if any, are not checked.

Note: Script policies can reside either in the file system under the folder defined as the policydir in PBUL settings or as objects in the change management database. Files that are in the database support version control. Files that are not in the database can be added by choosing the check in option under the Script Editor.

The Script Policy editor uses the Code Editor to assist the user in managing the policy.

Discard reverts the document to its original state. Save writes the file changes, either to the file system or the database depending on the origin.

Advanced Control and Audit (ACA)

The ACA Editor allows users to configure an ACA Statement. It is available on the Code Editor Tool Bar.


1. Select the ACA button in the Script Editor. This opens the ACA Editor.

2. Define the following:

– Target - The target contains the files and folders that the ACA policy rules will apply to.

– Session History - If either Audit Command History or Continue On Error is enabled, Enable Session History is added to the ACA Statement.

– Default Log Level - Assign a number for the log level to use as a default.

– File System Operations - Select the check box for each file system operation that you want to audit. Selecting an operation allows you to then set whether the operation is allowed or blocked. Additionally, a log level can be configured for an operation. Operations that are not assigned a log level are automatically assigned the default log level.

Note: File operations that are not selected are not audited.

After configuring your ACA policy, select the Insert button under the ACA Policy preview to add the statement to the policy.

For more information on ACA please refer to the PowerBroker for Unix and Linux Language Guide.

Viewing PBUL Settings

The settings are read-only in the console; you cannot change them here.

1. Select Host Configuration > PBUL settings.

2. Select a policy server.


Auditing

On the Audit page, you can:

• View event logs

• View and replay IO logs

• Leave feedback on IO logs

Event Logs

You can view high level details of the log, search for a specific detail, and download the file.

To view event logs:

1. Select the Audit menu.

2. Click Event Log.

3. Select a log server and a date range.

By default, the log files created in the last 30 days are found.

4. Select a log file to display the event log details.

Note: Viewing log contents in the console requires PBUL 10.0. With earlier PBUL versions, download the log files instead.

5. Optionally, click the download icon to save the file to the computer.

Event logs can be searched using the query builder tool.

Session Replay

Using session replay, you can view and replay IO logs.

To use session replay:

• Solr must be deployed using Servers Management Console

• Log servers must be indexed by Solr

Recording a Session

To turn on session recording:

1. Select the Audit menu.

2. Click Session Replay.

3. Select the record button on the toolbar.

4. Select a location for the log file. Optionally, warning messages can be enabled and log file limits can be set.

5. Select the check boxes to choose the values that will generate the log file name.

6. Use the Insert option to add the log configuration to the policy.


Playing a Session

To play an IO log session:

1. Select the Audit menu.

2. Click Session Replay.

3. Select a Solr server if there is more than one server.

Logs indexed by Solr are displayed.

Use filters and search to find a log.

4. Click the information icon to display activity and user feedback.

5. Select the Play icon to start the log player.

6. On the Log Play Back page, select one of the following modes:

– File - File displays the contents of an IO log immediately.

– Playback - Playback replays the IO log in real time as the events occurred so an administrator can view what the user entered.

On the Log Play Back page, you can view the session in full screen mode, set the speed, select a font size, and stop, pause, or play the session.

If ACA policy is enabled and configured, a command history is displayed that allows you to navigate to specific events in an IO log.

7. Optionally, enter feedback on a log. For example, enter a comment or set a flag to warn of a problem or to approve the content.


Managing Credentials

On the Credentials page, you can manage remote host access credentials. A credential is locally persisted account information (local or domain account) that can be used to authenticate a remote session on a given host, usually in the form of Secure Shell (ssh) credentials. Console credentials and remote credentials are not synchronized: changes to credentials in the console are not propagated to hosts, so a password changed on the host must also be updated in the console. When an action runs, an error is displayed on the Tasks page when the console credentials and the credentials on the host do not match.

Types of credentials:

• Host credentials – Credentials that can access a host. Username and password are saved locally. Typically, ssh credentials.

• Password Safe credentials – You cannot change the Password Safe credentials on the Credentials page. Passwords are not saved in the console. For more information, see Importing Password Safe Managed Accounts.

Adding Credentials

On the Credentials page:

1. Select Add New Record.

2. Click Add New Credential.

3. Enter the following required information:

– Username

– Description

– Password

– Confirm Password

4. Click Save this Credential.

Deleting Credentials

On the Credentials page:

1. Locate the credential to be removed in the grid.

2. Select the trashcan icon.

3. Click OK to delete.

Editing Credentials

On the Credentials page:

1. Find the credential that you want to change.

2. Select the edit (pencil) icon.

3. After you change the information, click Edit Record.


Tasks

Actions on hosts are organized and grouped on the Tasks page.

Viewing Tasks

The task details grid includes the following:

• Type – The type of task that was run. Options include Profile, Discovery, Install, Remove and Upgrade for each of PowerBroker for Unix & Linux and PowerBroker Identity Services.

• Tasks – The number of hosts the operation was performed on.

• Pending – The number of tasks that have yet to be run.

• Succeeded – The number of tasks that completed successfully.

• Failed – The number of tasks that completed unsuccessfully.

• Updated – The most recent time the task entry has been updated.

• Key Retrieval – Keys retrieved by PowerBroker for Unix & Linux.

• Key Deployment – Keys deployed by PowerBroker for Unix & Linux.

To view task details:

1. In the console, select Tasks from the menu.

2. Select a task. A Task Summary is displayed.

3. Click the View Task Details button from the Task Summary.

Task Details

This page provides detailed output of individual tasks. Information is presented in an easy to read manner to help with troubleshooting.


Troubleshooting

Application logs

Application logs are available. The location differs based on the OS:

• On machines that use systemd, run journalctl -u pbsmc

• On SysV or Upstart machines the log is at /var/log/pbsmc.log

• On Windows machines the log is at Program Files (x86)\PBSMC\pbsmc.log

Common Problems and Solutions

Dashboard not available.

– Ensure that at least one host has been Discovered and Profiled.

Hosts section displays Credential error when selecting actions.

– If there are no Credentials stored in PBSMC and an action is chosen that requires authentication, an error is displayed.

‘Oops, No Products Found’ displayed on Hosts page.

– PBSMC cannot locate either the PBUL or the PBIS software to deploy. See Copying ISO Files to the Console Server.

Unable to install PBUL, PBIS or PBSudo.

– Check the Tasks page for more information.

Discover does not locate a host.

– Ensure that the host is available and reachable from the network and has SSH enabled on the port provided.

Unable to connect to PBUL via REST.

– Check the Tasks page for more information. Most commonly the port is not available. Check the REST port on the Host Details page and ensure your firewall accepts connections.

Troubleshooting Password Safe

Certificates

Password Safe is installed with a self-signed certificate. If this is not replaced with a certificate from a trusted issuer, then the self-signed certificate should be added to the PowerBroker Servers Management Console system's certificate store so that it is trusted. Confirm the certificate's fingerprint against the value on the Password Safe server before trusting it, so that you do not import a certificate substituted in transit. The following provides high-level steps on importing certificates.

1. Copy the public certificate from the Password Safe server to the PowerBroker Servers Management Console server. This should be a .crt file.

2. Install the .crt to the system key store. The process is different depending on the OS.

Mac OSX

1. Open Keychain Access and drag the .crt file into the System keychain.

2. Double-click the certificate to open it and expand the Trust section.

3. Select Always Trust.


Windows

1. Click Start and type MMC.

2. From the File menu, select Add/Remove Snap-In > Certificates > Add.

3. Select Computer Account, click Next, and then select Local Computer.

4. After the snap-in is added, expand Certificates and right-click Trusted Root Certification Authorities.

5. Select All Tasks > Import and add the .crt file.

CentOS / Red Hat Linux

1. If not available, install ca-certificates:

yum install ca-certificates

2. Enable dynamic configuration:

update-ca-trust force-enable

3. Copy the .crt:

cp <cert.crt> /etc/pki/ca-trust/source/anchors/

4. Update the trusted list:

update-ca-trust extract

Debian / Ubuntu

1. Copy the .crt file (the file must keep its .crt extension to be picked up):

cp <cert.crt> /usr/local/share/ca-certificates

2. Update the cert list:

sudo update-ca-certificates

3. Refresh the cert list:

sudo update-ca-certificates --fresh

For other systems or for more in-depth information refer to the appropriate system documentation.
