Eval Guide


Centrify Suite 2012

Evaluation Guide, November 2011

Centrify Corporation

Legal notice

    This document and the software described in this document are furnished under and are subject to the terms of a license agreement or a non-disclosure agreement. Except as expressly set forth in such license agreement or non-disclosure agreement, Centrify Corporation provides this document and the software described in this document as is without warranty of any kind, either express or implied, including, but not limited to, the implied warranties of merchantability or fitness for a particular purpose. Some states do not allow disclaimers of express or implied warranties in certain transactions; therefore, this statement may not apply to you.

    This document and the software described in this document may not be lent, sold, or given away without the prior written permission of Centrify Corporation, except as otherwise permitted by law. Except as expressly set forth in such license agreement or non-disclosure agreement, no part of this document or the software described in this document may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, or otherwise, without the prior written consent of Centrify Corporation. Some companies, names, and data in this document are used for illustration purposes and may not represent real companies, individuals, or data.

    This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein. These changes may be incorporated in new editions of this document. Centrify Corporation may make improvements in or changes to the software described in this document at any time.

© 2004-2011 Centrify Corporation. All rights reserved. Portions of Centrify DirectControl are derived from third party or open source software. Copyright and legal notices for these sources are listed separately in the Acknowledgements.txt file included with the software.

U.S. Government Restricted Rights: If the software and documentation are being acquired by or on behalf of the U.S. Government or by a U.S. Government prime contractor or subcontractor (at any tier), in accordance with 48 C.F.R. 227.7202-4 (for Department of Defense (DOD) acquisitions) and 48 C.F.R. 2.101 and 12.212 (for non-DOD acquisitions), the government's rights in the software and documentation, including its rights to use, modify, reproduce, release, perform, display or disclose the software or documentation, will be subject in all respects to the commercial license rights and restrictions provided in the license agreement.

    Centrify, DirectAudit, DirectControl and DirectSecure are registered trademarks and DirectAuthorize and DirectManage are trademarks of Centrify Corporation in the United States and other countries. Microsoft, Active Directory, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and other countries.

    Centrify Suite is protected by U.S. Patents 8,024,360 and 7,591,005.

    The names of any other companies and products mentioned in this document may be the trademarks or registered trademarks of their respective owners. Unless otherwise noted, all of the names used as examples of companies, organizations, domain names, people and events herein are fictitious. No association with any real company, organization, domain name, person, or event is intended or should be inferred.

Contents

About this guide . . . 5
    Intended audience . . . 5
    Conventions used in this guide . . . 6
    Using this guide . . . 6
    Where to go for more information . . . 8
    Contacting Centrify . . . 9

Chapter 1 Start Here . . . 11
    What is Centrify Suite? . . . 11
    How Centrify Suite Works . . . 20
    How to deploy Centrify Suite . . . 26
    Next Steps . . . 26

Chapter 2 Setting up the evaluation environment . . . 29
    Windows requirements . . . 30
    UNIX requirements . . . 30
    Site Preparation . . . 31
    Software installation overview . . . 33
    Stage 1: Windows system software installation . . . 35
    Stage 2: UNIX system(s) software installation . . . 38
    Reboot UNIX computer(s) . . . 54

Chapter 3 A&A: Basic Authentication and Authorization . . . 55
    Create and delegate OU for UNIX . . . 56
    First time setup with the Administrator Console . . . 57
    Add UNIX users and create Zones . . . 61
    Create groups, add users, assign role . . . 69
    Join UNIX computer to a Zone . . . 73
    Log in to the UNIX computer . . . 77
    Make machine-level adjustments . . . 79
    Show Users . . . 80
    Summary . . . 81

Chapter 4 A&A: Just in time provisioning . . . 83
    Create admin groups and add users . . . 83
    Create new privileges, roles and assignments . . . 84
    Create computer role and assign group . . . 88
    Delegating Control . . . 92
    Making Changes . . . 94
    Where to next . . . 95

Chapter 5 A&A: Administrator Console reports . . . 97
    Understanding DirectControl Administrator Console reporting . . . 97
    Running DirectControl Administrator Console reports . . . 98
    Creating and modifying report definitions . . . 100

Chapter 6 A&A: DirectManage UNIX adtools . . . 103
    Centrify Suite UNIX adtools . . . 103
    ADEdit overview . . . 104
    Script Example . . . 107
    Inside the script . . . 111

Chapter 7 A&A: Active Directory Group Policy Controls . . . 113
    Using AD group policies for UNIX users and computers . . . 113
    Understanding Group Policy . . . 113
    Adding Centrify Suite group policies for UNIX . . . 114
    Group Policy Examples . . . 116

Chapter 8 Audit: Set up the evaluation environment . . . 123
    Evaluation System Configuration . . . 123
    Installing the DirectAudit components . . . 124
    Replay example . . . 130

Chapter 9 Audit: Session replay and management . . . 133
    Enable audit on the UNIX systems . . . 133
    Auditor Console . . . 134
    Queries . . . 137
    Direct Audit UNIX Utilities . . . 139
    Windows Start-menu utilities . . . 141
    Administrator Console . . . 141
    Close sessions . . . 142
    Where to next . . . 143

Chapter 10 Completing the evaluation . . . 145
    Using the evaluation checklist . . . 145

Appendix A Using Centrify Suite with SSH . . . 151
    Configuring SSH . . . 152
    Testing SSH . . . 152

Appendix B DirectControl Network Information Service . . . 155
    Creating and importing NIS maps in the default zone . . . 155
    Starting the adnisd daemon . . . 156
    Testing adnisd . . . 157

Appendix C Remove Centrify Suite components . . . 159
    Remove agents, NIS and OpenSSH from UNIX computer(s) . . . 159
    Remove DirectAudit from Windows systems . . . 161
    Remove DirectManage components . . . 162

Index . . . 165

About this guide

The Centrify Suite 2012 enables centralized, secure management of a heterogeneous network through Microsoft Active Directory. The software extends the Active Directory authentication, authorization, directory service, and Group Policy capabilities to enable a single identity store for managing authentication and authorization to:

• UNIX, Linux, and Mac OS X computer resources
• Web applications and application servers, such as Apache, Tomcat, JBoss, and WebLogic
• databases such as DB2, and
• enterprise applications such as SAP.

Centrify Suite is composed of an integrated set of software components you install on a Windows workstation and on each UNIX/Mac OS/Linux/AIX/HP UX/... computer. The services and tools automatically route login attempts to the UNIX computers through the Active Directory domain controller and give administrators the ability to create escalated privileges, define roles and provision rights to the UNIX systems. The Centrify Suite provisioning model uses a simple, natural method that simplifies the on-going administration and maintenance and assures highly granular delegated administration.

The broad business benefits include:

• One management framework: Centralizes the administration of complex environments into a well-organized management framework built on Active Directory.
• Simplified day-to-day access and privilege administration: Natural integration of the UNIX systems into existing support processes and work flows.
• Fine security granularity: Enforces a Least Access policy, granting limited access based on business requirements only, to protect sensitive systems and information.
• Separation of duties: Granular delegation based on Active Directory access control policies and security boundaries.
• Rapid deployment/integration: Integrated tools that automate UNIX system discovery and analysis, software installation and joining to the Active Directory domain.

Intended audience

This book is intended for system and network administrators tasked with assessing the suitability of the Centrify Suite to their environment.

The guide assumes you have a working knowledge of Windows Server and Active Directory and are familiar with Active Directory features, functionality, and terminology. This guide also assumes you are familiar with your UNIX-based systems and how to perform common administrative tasks.

Conventions used in this guide

The following conventions are used in this guide:

• UNIX is used as a generic term to refer to all variants of UNIX. Centrify supports a wide variety of UNIX platforms including Mac OS X, AIX, HP UX, and many Linux implementations.

• Fixed-width font is used for sample code, program names, program output, file names, and commands that you type at the command line. When italicized, the fixed-width font is used to indicate variables. In addition, in command line reference information, square brackets ([ ]) indicate optional arguments.

• Bold text is used to emphasize commands, buttons, or user interface text.

• The variable release is used in place of the specific release number in the file names for individual Centrify Suite software packages. For example, centrifydc-release-sol8-sparc-local.tgz in this guide refers to the specific release of the Centrify Suite Agent for Solaris on SPARC available on the Centrify Suite CD or in the Centrify Suite download package. On the CD or in the download package, the file name indicates the Centrify Suite version number. For example, for a 3.0.0 package, the file is centrifydc-3.0.0-sol8-sparc-local.tgz.

Using this guide

The purpose of this book is to give you a hands-on experience with Centrify Suite. The exercises highlight the features designed to simplify the integration of your UNIX systems and user identities into Active Directory, centralize access and privilege management and provide full user session auditing.

The chapters cover the complete installation and configuration of the software either in a physical or virtual environment. Step-by-step exercises follow that introduce the key features of the DirectControl, DirectAuthorize and DirectAudit products.

This book does NOT take you through every option, nuance and feature. However, by the end, you will have a configuration in place and sufficient understanding to try out scenarios that would more closely mimic your own needs.

The chapters are organized as follows:

• Chapter 1, Start Here: Start with this section to learn about the components and the Centrify model for managing UNIX machines and users in an Active Directory environment.

• Chapter 2, Setting up the evaluation environment: Continue with this chapter to install the Centrify Suite software on your Windows workstation and UNIX computer(s).

• Chapter 3, A&A: Basic Authentication and Authorization: This chapter begins the configuration of the evaluation system. In this chapter, the instructions guide you through several exercises that end with users logging on to the UNIX computer(s) in your network using Active Directory accounts.

• Chapter 4, A&A: Just in time provisioning: This chapter continues the configuration. The exercises in this chapter demonstrate how to use Active Directory groups and Centrify Suite tools and features to generalize user and group rights and roles where you can and apply them with fine, granular precision where you need to.

• Chapter 5, A&A: Administrator Console reports: This chapter describes the Administrator Console reports available to display and generate hardcopy on your system configuration.

• Chapter 6, A&A: DirectManage UNIX adtools: Thus far, the exercises used the Windows workstation's Active Directory and Centrify Suite console interfaces. This chapter describes the UNIX tools, including a powerful command-line interface utility, included in the suite.

• Chapter 7, A&A: Active Directory Group Policy Controls: Centrify Suite supports the use of Active Directory Group Policy objects for the UNIX computers. This chapter shows how to use the Microsoft Management Console Group Policy Object Editor to enable several Centrify Suite policies.

• Chapter 8, Audit: Set up the evaluation environment: The Centrify Suite Enterprise Edition includes the DirectAudit auditing tool. This chapter introduces the DirectAudit architecture and features and describes how to install the software on the Windows and UNIX nodes you want to monitor.

• Chapter 9, Audit: Session replay and management: This chapter describes the DirectAudit console's interfaces and session management tools.

• Chapter 10, Completing the evaluation: There's a lot to consider for your evaluation and a lot is offered in Centrify Suite. This chapter helps you approach the analysis systematically.

• Appendix A, Using Centrify Suite with SSH: Although many UNIX systems have an sshd server installed, many are older implementations that do not support Kerberos. Centrify Suite includes a compiled version of the latest OpenSSH distribution with Kerberos support. This appendix explains how to use it.

• Appendix B, DirectControl Network Information Service: For computers and applications that submit lookup requests directly to a NIS server listening on the NIS port, Centrify Suite includes its own DirectControl Network Information Service. This appendix tells you how to install and test it.

• Appendix C, Remove Centrify Suite components: This appendix describes how to remove the Centrify Suite components from the Windows and UNIX computers.

Where to go for more information

All the information you need to set up the evaluation system is provided in this book. We expect, though, that some of the exercises will spark your curiosity about specific tools and services. The following books provide the full description of the Centrify Suite software components. Go to the Documentation directory in the DirectManage package for the latest version of these books.

• Centrify Suite Planning and Deployment Guide (DeploymentGuide.pdf): Provides guidelines, strategies, and best practices to help you plan for and deploy Centrify Suite 2012 in a production environment. This guide covers issues you should consider in planning a Centrify Suite deployment project.

• Centrify Suite Administrator's Guide (AdminGuide.pdf): Provides information on how to perform administrative tasks using the Centrify Suite Administrator Console and UNIX command line programs. The Administrator's Guide focuses on managing your environment after deployment.

• Centrify Suite ADEdit Programmer's Guide (ADEditGuide.pdf): This Evaluation Guide introduces the adedit UNIX command-line tool. Scan through this book to learn about all of adedit's features and functions.

• Centrify DirectAudit Administrator Guide (DA_AdminGuide.pdf): DirectAudit helps you comply with regulatory requirements by collecting detailed audit and log records of user activity on UNIX and Windows systems. This book explains in detail how to install, configure and use DirectAudit.

For more information about DirectAudit, you should also visit the Centrify DirectAudit web page: www.Centrify.com/DirectAudit

We also recommend the following books in the Centrify Suite if you have questions or need a more comprehensive view:

• Centrify Suite Group Policy Guide (GroupPolicy.pdf): Contains instructions on the use of the Centrify Suite group policies to customize user-based and computer-based configuration settings.

• Centrify Suite Configuration Parameters Reference Guide (ConfigParameters.pdf): Provides the reference information about the Centrify DirectControl configuration parameters that enable you to customize your environment. Many of these settings can also be controlled through group policies.

• DirectControl for Web Applications Authentication Guide for Apache (Web_Apache.pdf): Describes how to use the Centrify Suite with Apache Web servers and applications to provide single sign on authentication and authorization services through Active Directory.

• DirectControl for Web Applications Authentication Guide for Java Applications (Web_Java.pdf): Describes how to use Centrify Suite with J2EE applications to provide single sign on authentication and authorization services through Active Directory. If you are using Centrify Suite with Java servlets, such as Tomcat, JBoss, WebLogic, or WebSphere, you should refer to this supplemental documentation for details about how to configure your applications to use Centrify Suite and Active Directory.

A number of other manuals are also provided in the Documentation directory, including release notes and the documentation for the Centrify versions of the Samba and PuTTY programs and Network Information Service (NIS). The UNIX utilities also include comprehensive man pages.

In addition, check out the Centrify Resource Center at http://www.centrify.com/resources/overview.asp for helpful technical videos, application notes, white papers and other materials to help you become more familiar with the Centrify Suite solutions.

Contacting Centrify

If you have a problem during Centrify Suite software installation or configuration, need help with Active Directory configuration, or want clarification on best practices, contact your Centrify System Engineer or Technical Support. Go to www.centrify.com/support and log in for the Technical Support contact information.


Chapter 1 Start Here

This chapter introduces the Centrify Suite components and methods for managing the UNIX users, tools and machines via Active Directory.

The following topics are covered:

• What is Centrify Suite?
• How Centrify Suite Works
• How to deploy Centrify Suite
• Next Steps

What is Centrify Suite?

Centrify Suite enables Enterprise IT organizations to centralize the identity, access and privilege management of UNIX, Linux and Mac systems leveraging Active Directory. All of the unique aspects of UNIX users, authentication protocols and access privileges, including UIDs and GIDs, escalated privileges and limited roles, are implemented within the standard Active Directory object classes and attributes.

The following figure illustrates the scope of control provided by the Centrify Suite components. UNIX user and group administration is centralized entirely within Active Directory.

This enables you to use existing Active Directory management tools or more sophisticated identity management solutions leveraging your existing Active Directory investment.

Centrify Suite includes a Windows-based Administrator Console to create UNIX user, group and computer privileges and roles. UNIX command line tools are also included so that you can create and manage the UNIX users and groups in Active Directory entirely from a UNIX terminal.

Centrify Suite uses standard Active Directory objects and their attributes to store UNIX user and group profile data; there are no supplementary ID repositories on any Windows systems or UNIX computers. In addition, Centrify Suite includes comprehensive policy templates that let you use the Microsoft Management Console to set up Group Policy Objects with policies for the UNIX computers.

Centrify Suite software is available for a wide variety of platforms and supports Active Directory authentication via PAM for userID and password as well as GSSAPI for Kerberos. In addition, it offers options that support single sign on for Web applications, Java and popular databases and access to file shares on a UNIX server using Samba for native Windows SMB protocol support.

The Centrify Suite also pays particular attention to managing the administration complexities that accrete over time on UNIX systems. For example, many of our customers have users with a different user ID on each UNIX computer. It is also common for some users, for example a dba, to have escalated privileges because it was inconvenient to define just the rights required to do the job.

Once in place, the Centrify Suite provides the following benefits:

• Simplicity: You have one ID repository for Windows and UNIX users. Using Active Directory for everyone has several big advantages:
    • UNIX users can have a single, globally unique user ID.
    • You adjust UNIX user and group attributes centrally.
    • You use the same everyday tools and user and group objects to manage the UNIX and Windows users, groups and machines.

• Security: The Centrify Suite approach to UNIX user privileges supports granularity, delegation and inheritance so that you can assign access rights broadly as appropriate and finely to enforce a least access policy.

• Flexibility: The Centrify Suite hierarchical approach to users, computers, groups and roles lets you construct a security model that aligns with your current practices. You will find that your model is easily updated as users change roles, servers are added or repurposed, and re-organizations shift people into new departments and roles.

• Protection and compliance: The Centrify Suite DirectAudit option captures and stores UNIX user sessions and GUI activity from Windows sessions. Auditors and network administrators can view or replay session activities to spot suspicious behaviors or troubleshoot problems.

    Centrify Suite Components

    This section introduces the Centrify Suite components and how they work. The Centrify Suite components are installed on a Windows workstation and each UNIX computer in the domain. Broadly, the software on the Windows workstation is used for administration, and the agent on the UNIX computers redirects the login requests to the Active Directory domain controller.

The Centrify Suite of solutions helps you improve IT efficiency, strengthen regulatory compliance initiatives, and centrally secure your heterogeneous computing environment. The Centrify Suite is composed of the following products:

DirectControl: Centralized authentication and access control

Centrify DirectControl delivers secure access control and centralized identity management by seamlessly integrating your UNIX and Mac systems and applications with Microsoft Active Directory. In addition, DirectControl enables you to secure those systems using the same authentication and Group Policy services you use for your Windows systems.

    DirectAuthorize: Role-based authorization and privilege management

Centrify DirectAuthorize provides centralized, role-based privilege management features that help you manage and enforce fine-grained control over user access and privileges on UNIX and Linux systems. In many organizations, UNIX systems inherently lack a scalable and simple model for administrative delegation. As a result, administrators tend to give too many users root permission, run unnecessary security risks, and invariably fail audits. By controlling how users access systems and what they can do, DirectAuthorize enables you to lock down sensitive systems and eliminate uncontrolled use of root accounts and passwords.

    DirectManage: Centralized management

Centrify DirectManage is an integrated set of tools that centralize the discovery, management and user administration of UNIX and Mac systems through integration into Active Directory-based tools and processes. The tools address both sets of global tasks for managing UNIX users in Active Directory:

• Migrating identities into Active Directory, managing policies, and generating reports.
• Deploying, configuring and managing the Centrify Suite solutions.

The DirectManage tools also include several utilities you can run from a UNIX computer for querying status and managing Active Directory accounts directly.

    DirectAudit: Detailed auditing of user activity

    Centrify DirectAudit helps you comply with regulatory requirements, perform in-depth troubleshooting, and protect against insider threats. DirectAudit's detailed logging strengthens your compliance reporting and helps you spot suspicious activity by showing which users accessed what systems, what commands they executed, and what changes they made to key files and data. With DirectAudit you can also perform immediate, in-depth troubleshooting by replaying and reporting on user activity that may have contributed to system failures, and its real-time monitoring of user sessions lets you act on suspicious activity as it happens. See User session auditing on page 17 for an introduction to DirectAudit.

    DirectSecure: Secure sensitive information

    Centrify DirectSecure is a policy-based software solution that secures sensitive information by dynamically isolating and protecting cross-platform systems and enabling optional end-to-end encryption of data in motion. DirectSecure leverages your existing Active Directory infrastructure and native IPsec support to block untrusted systems from communicating with trusted systems, without changing the network or applications.

    In this book you install the DirectControl, DirectAuthorize, DirectManage and DirectAudit products. For more information about DirectSecure contact your sales representative.

    The following figure illustrates where and how the Centrify Suite components fit in your enterprise network.

    On the UNIX computers, the DirectControl Agent redirects login attempts for validation against Active Directory accounts. The DirectManage UNIX tools enable a UNIX user with the appropriate permissions to query the status of, and make changes to, Active Directory user accounts, Centrify Zones, access rights, roles, and so on. The DirectAudit Agent gathers comprehensive user session activity.

    On the Windows system, administrators use the Active Directory tools to manage users and groups on a day-to-day basis. When they need to update the configuration, they use:

    - the Administrator Console to manage users' UNIX properties, Centrify Zones, access rights, user roles and user/group assignments, and to generate reports;

    - Deployment Manager to manage Centrify Suite software;

    - the DirectManage group policy tools to modify group policies.

    As needed, auditors use DirectAudit to replay Windows or UNIX user sessions, monitor sessions, troubleshoot, and extract sessions that meet certain criteria.

    DirectManage Components

    The DirectManage tools for Windows centralize the discovery, management and user administration of the UNIX systems. Once the configuration is complete, however, you perform your day-to-day user and group administrative tasks using Active Directory Users and Computers and the MMC for account and group policy management.

    The DirectManage tools for Windows include the following:

    Administrator Console: Use to create the Centrify global and child zones and computer roles, and the individual rights and logical roles (for example, backup operator, application developer, QA tester) you assign to Active Directory users and groups. You also use the Administrator Console to configure a user's UNIX profile and manage computer properties. You make extensive use of the Administrator Console in Chapter 3, A&A: Basic Authentication and Authorization and Chapter 4, A&A: Just in time provisioning.

    Note The Administrator Console is the Windows interface to the services provided by DirectControl and DirectAuthorize.

    Deployment Manager: Use to discover the UNIX systems on the network, and to download and deploy the Centrify Suite packages. You can also use Deployment Manager to join computers to the Active Directory domain and to manage local accounts and groups. You use the Deployment Manager in Chapter 2, Setting up the evaluation environment.

    Zone Provisioning Agent: Use to automatically provision users with their Zone privileges. The Zone Provisioning Agent is a service you install on the Windows system that allows you to set up Active Directory groups corresponding to the sets of access rights you want users to have within a Centrify Zone. When you add a user to one of those Active Directory groups, the Zone Provisioning Agent automatically provisions that user's rights. You use the Zone Provisioning Agent in Chapter 3, A&A: Basic Authentication and Authorization.

    Audit Center: Use to replay, review and query user sessions. The DirectAudit Agent collects detailed logs of user activities on UNIX and Windows systems. The Audit Center provides an interface for auditors to replay individual sessions, catalog sessions for review and analysis, develop queries to filter sessions, etc. The Audit Center also provides an administrator interface for delegating auditor privileges and turning audit sessions on and off. You use the Auditor interface to replay and manage sessions in Chapter 9, Audit: Session replay and management.

    Group Policy Object Editor: Adds policies you can enable in Group Policy objects to manage UNIX users and computers. DirectManage also lets you create your own policies through standard administrative templates for policy definition and Perl scripts. You add the DirectManage group policies and enable several of them in Chapter 7, A&A: Active Directory Group Policy Controls.

    Report Center: Use to generate pre-defined reports that answer the most common questions asked by compliance auditors, and to create custom reports. The Report Center is implemented inside the Administrator Console. It provides detailed, global visibility into access rights, privileges, and security policies. You use the Report Center in Chapter 5, A&A: Administrator Console reports.

    UNIX command-line tools: A set of tools UNIX administrators can use to view status, join the computer to an Active Directory domain, query Active Directory for UNIX user and group attributes and update records, and make changes to Active Directory accounts. See Chapter 6, A&A: DirectManage UNIX adtools, for the description of the command line tools.

    Centrify-enabled PuTTY: A popular, open-source SSH client for Windows systems that provides access to remote UNIX machines. Centrify has added robust Kerberos authentication support to PuTTY in order to provide single sign-on to UNIX and Linux systems even in complex environments where fully qualified DNS host names may not match the Active Directory computer name. Additionally, Centrify enables GSSAPI key exchange, which authenticates the server through Kerberos rather than through an SSH host key and so eliminates the need to distribute and verify host keys across your server population. PuTTY use is demonstrated in Chapter 3, A&A: Basic Authentication and Authorization.

    User session auditing

    DirectAudit captures privileged user session activity, including a full-motion recording of the user's activity and all of the events that occurred: applications launched, text entered and displayed results. The recorded user sessions can be searched to discover policy violations and user errors and to monitor third-party access to systems. User sessions of interest can be replayed in high fidelity to discover detailed activity that may have led to a service degradation or outage.

    The information is collected in real time and then digested and stored in a SQL Server database for query and playback. The data indicates what systems were accessed, what commands were executed, what processes were launched, and what changes were made to key files and data. On UNIX computers you can set up sessions that:

    - capture input from all shells on a node, or from selected shells;

    - filter for the use of specific commands; or

    - capture the activity of a single user.

    On Windows servers, the DirectAudit Agent captures all user input, activity and output, including the resulting GUI display updates and changes.

    The following figure illustrates the DirectAudit components you would find in a medium-sized installation.

    DirectAudit Components

    Audited systems: Any UNIX platform supported by Centrify Suite, or Windows-based system, that has the DirectAudit Agent installed. All audited systems must be joined to an Active Directory domain in the same forest or in a trusted forest.

    Collectors: Intermediate services that receive, compress and index the data in real time. Multiple collectors per audit store are supported, providing redundancy so that a single collector outage does not interrupt session capture. If all collectors are down, data is cached on the audited system until a collector is back online.

    Audit Store: Repository for the compressed and indexed session data. Designed to provide massive scalability and efficient use of network resources, Audit Stores help scale session databases to multiple instances on separate hosts.

    Audit Server: Service that provides central management and enforcement of Audit Roles and execution of distributed queries across the Audit Stores. Audit Servers also centrally control, monitor and report on audit stores, audit collectors and audited systems.

    DirectAudit Console: User interface for searching and replaying captured user sessions and generating reports. Users access the data in the Audit Stores indirectly through the Audit Server. There are two DirectAudit consoles:

    Auditor: Enables auditors to search and replay user sessions, retrieve data from captured sessions and generate reports. The administrator can create different auditor roles to limit any one auditor's access rights and privileges.

    Administrator: Enables administrators to view and administer the configuration of the audited systems, collectors, and audit stores, and to assign audit roles.

    Both consoles (which can be on the same or separate machines) connect to the other installation components through an audit server.

    Chapter 8, Audit: Set up the evaluation environment describes how to install and configure the DirectAudit Agent. Go to Chapter 9, Audit: Session replay and management to see what you can do once the system is in place.

    Centrify Suite Packaging

    Centrify Suite components are available in several packages. The following table lists the options:

    Package Options

    Component          Express  Standard  Enterprise  Platinum
    DirectManage       X*       X         X           X
    DirectControl      X*       X         X           X
    DirectAuthorize             X         X           X
    DirectAudit                           X           X
    DirectSecure                                      X

    DirectManage: centralized management and administration.
    DirectControl: centralized authentication and access control.
    DirectAuthorize: role-based authorization and privilege management.
    DirectAudit: detailed auditing of user activity.
    DirectSecure: server isolation and protection of data in motion.

    * The Express versions of DirectManage and DirectControl do not support centralized management, Zones, or group policy. Contact your sales representative for more information.

    How Centrify Suite Works

    The Centrify Suite standards-based architecture extends your existing Active Directory infrastructure without disrupting existing systems. The DirectManage tools install on a Windows workstation and let you administer all aspects of the UNIX computers' user access controls through a single interface. The DirectControl Agent integrates with the UNIX authentication processes through its PAM and NSS modules to redirect login requests to an Active Directory domain controller.

    Administration on Windows and UNIX

    The DirectManage Administrator Console is the user interface system administrators use to create and manage the UNIX computers, user identities, and escalated privileges. The graphical interface combines the entire hierarchy of parent and child zones, their UNIX data (user and group identities) and their authorizations (right and role definitions and assignments) into a familiar tree-structured view.

    This view, for example, shows the UNIX user identities in the global Zone. In each Zone's tree you can also see the computers joined to it and, under Authorization, the rights, roles and assignments that control user access.

    You use the same window to create Zones, define custom rights, build new roles based on the rights you have created and assign those roles to groups or individual users.

    Alternatively, Centrify Suite also provides a comprehensive set of UNIX command-line tools designed to enable administrators to manage Active Directory accounts and groups. These command-line tools have also been carefully crafted to support different output options so that they can be integrated with in-house automation or provisioning scripts. For example, you can run the ADEdit Active Directory editing tool from a UNIX computer in the network. ADEdit is designed for administrators who have traditionally administered their systems from UNIX scripts or the UNIX command line, and includes a scripting language so administrators can build their own sets of commands.

    UNIX Agent

    The DirectControl Agent package is composed of a daemon, a library of dynamically-loaded code modules, and Kerberos services. After the computer is joined to the domain, the Agent handles the following tasks:

    - Communicates with Active Directory to authenticate users logging on to the UNIX computer, and caches credentials for offline access.

    - Enforces Active Directory authentication and password policies.

    - Enforces Active Directory Group Policy to manage UNIX system configuration and security settings.

    - Provides a Kerberos environment so that existing Kerberos applications work transparently with Active Directory.

    - Maintains time synchronization with Active Directory.

    - Supports single sign-on through the Active Directory account for Java- and Web-based applications.

    Note The Agent package also includes DirectManage tools you run from a UNIX console. See Chapter 6, A&A: DirectManage UNIX adtools for the description.

    DirectAuthorize is tightly integrated into DirectControl and Active Directory; no additional servers or infrastructure are required. DirectAuthorize stores its right and role data in Active Directory using the rights-based logical model and data storage schema of Authorization Manager, which is available in Windows Server 2003 and later. The Active Directory property extensions are displayed in a separate tab when you select user and group properties. No Active Directory schema extensions are made when you install and use DirectAuthorize.

    DirectAuthorize meets compliance-driven requirements for "least access" management by allowing organizations to centrally define logical roles (backup operator, DBA, web developer, application administrator, etc.) that carry with them a specific set of rights. You use DirectAuthorize to create the rights, define roles and define the rights available for each role.

    Rights describe both the access method and the privileges, specifically:

    - PAM (Pluggable Authentication Module) rights identify the specific PAM-enabled interfaces and applications the user can access, such as FTP, Telnet, SSH, or Informix.

    - Privileged command rights identify the specific commands the user can run and whether those commands run under the user's own account or as another user account.

    - Restricted environment rights provide strictly controlled access to a defined subset of commands in a DirectAuthorize shell (dzsh). In effect, this grants users access to whitelisted applications only, and automatically grants privileged execution where authorized.

    Active Directory users or groups can be assigned to one or more roles. A role assignment can apply to all computers in a Centrify Zone or to just a specific computer. For example, in the Engineering Zone the user Chris could be assigned the system administrator role for all computers, and also be assigned a DBA role for a single database server. Thus, roles are a flexible and scalable method for defining users' access methods and privileges for a specific set of systems.

    Administrator Console Elements

    This section describes the DirectManage Administrator Console tree structure and explains how you use its elements to manage Active Directory users' UNIX identities and control their access to the UNIX computers.

    Hierarchical Zones

    Zones enable migration and management of the most complex UNIX environments into a centralized directory. For example, consolidating the multiple UNIX identities that a user may have across an environment of many UNIX and Linux systems into a common directory is one of the most pressing problems facing organizations. Centrify's hierarchical Zones, with their support for inheritance, simplify the migration process and enable you to set up a sustainable identity and access management framework within Active Directory that supports different user identities, rights and roles on the UNIX computers.

    This approach enables an enterprise to:

    - Define a new, rationalized identity namespace for new hires and new systems in a global Zone.

    - Integrate and centrally manage existing systems supporting legacy, disjointed namespaces through Zone- or computer-level attribute overrides.

    - Delegate administration with finer granularity, leveraging native Active Directory object and group ACLs.

    - Enforce a least-access rights model in which a role assignment via DirectAuthorize is required to grant access or privileges.

    Zone inheritance lets you define a set of user rights once and make them available for role assignment in the parent and all child Zones. Separately, you assemble different sets of rights into logical roles (for example, DBA, backup operator, or system administrator) that are inherited down the Zone structure: roles defined higher in the tree can be used within the child Zones.

    Users and groups do not get access until a role assignment is made. As above, assignments made in the parent give the users the access privileges on all the computers in the parent and child Zones.

    The following figure illustrates a Zone tree structure in the Administrator Console. The Zone hierarchy is composed of a single global [Parent] Zone and two child Zones: FIN [Finance department] and MKTG [Marketing department].

    Each Zone has its own set of branches for Computers, UNIX Data (Users, Groups, and NIS maps) and Authorization (Role Assignments, Computer Roles, Role Definitions, and Right Definitions). The right-hand pane in this figure also shows some Commands (right definitions) that have been created. These rights are only available within the FIN Zone.

    Computers

    The Computers branch shows all the computers joined to that Zone. The Zone's UNIX data and authorizations apply only to the computers listed here. For example, users in the MKTG Zone do not have access to the redhat computer. If you wanted users in both the FIN and MKTG Zones to have access to redhat, you would join it to the global Zone instead.

    UNIX Data

    This branch shows all of the users and groups in the Zone. Each user has a full UNIX identity: UID, GID, home directory, GECOS, and default shell. Similarly, the groups have a unique GID.

    Note For practical purposes, users are seldom members of a child Zone. Instead, all users are placed in the global Zone. This makes it easier to view and manage all of the UNIX users. The exercises in the next section illustrate this best practice.

    The UNIX Data branch also includes NIS maps. See Appendix B, DirectControl Network Information Service for more information.

    Authorization: Right and Role Definitions and Role Assignments

    In this branch you define the granular access rights, the user roles, the role assignments and the computer roles, which give you another level of precision for assigning rights.

    You use a right definition to specify an escalated privilege in much the same way you define rights in a sudoers file on a UNIX computer. This feature lets you centralize escalated rights and limit their application to a specific set of computers. For example, rights defined in the FIN Zone are not available in the MKTG Zone.

    You use roles to assemble a set of rights that supports a group's specific access requirements. For example, the figure above shows four roles:

    - FinDSA, a role created just for the Finance Zone's department system administrators

    - FinWSA, a role created just for the Finance Zone's Web system administrators

    - listed, a default role present in all Zones that grants no privileges but keeps the user's UNIX identity resolvable on the system, for example after the user's access has been terminated

    - login, a default role that provides the login privilege

    You make the role assignment at the level to which it applies, to grant rights with very granular precision. The following figure illustrates how role assignments limit the users' rights.

    Users do not get access to a computer in the Zone until they have their rights assigned. This can be done individually; however, the most common practice is to assign a role to a group.

    The exercises in the next chapters show you how to define the rights, create roles and assign roles to groups.

    Computer Roles

    Often, administrators want the ability to create a set of computers within a Zone for which they can define a unique set of access rights. For example, consider a department running an Oracle database: the system administrator wants to grant the Oracle DBAs escalated privileges on just those computers, but does not want to grant them the same privileges on other computers in the Zone.

    Computer roles let you assign user and group rights to just the computers in a defined role. You define the computer role, put the member machines in the computer role, and then assign user roles to users and groups within that computer role.

    For example, in the following figure the FIN child Zone has the FinApache computer role defined. In that computer role, only members of the FinWeb@Demo group can use the rights defined in the FinWSA role.

    How to define rights and roles and assign them in zones and computer roles is described in Chapter 4, A&A: Just in time provisioning.

    Machine Zone

    A Machine Zone is a set of user, group and role assignments for a specific computer. The main reason behind Machine Zones is the frequent management problem in organizations that have multiple legacy UNIX computers on which the same user has different UNIX properties (UID, GID, shell, home directory, GECOS) on each computer. Less often, you may have a computer or small set of computers that you cannot assemble into a Computer Role but on which you need a unique set of rights and roles.

    You use a machine zone to set user attributes and apply access rights at the machine level. For example, in Make machine-level adjustments on page 79 the instructions show you how to define a new UID for a user that applies to a specific computer; on all other computers the user has the UID assigned at the global level.
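    To make the scoping rules from the Hierarchical Zones, Computer Roles and Machine Zone sections above, and from the DirectAuthorize description earlier in this chapter, concrete, here is an added worked example in Python. It is not Centrify code and does not talk to Active Directory or the agent; it is a toy model of the rules the text states: rights are visible in the Zone where they are defined and in its children, roles bundle visible rights and are inherited down the tree, nothing is granted without a role assignment, a parent-Zone assignment covers the computers of child Zones, a computer-role assignment covers only the member computers, and a machine-level override replaces a user's global UID on one computer. The Zone, role and computer-role names (Global, FIN, MKTG, FinWSA, FinDSA, FinApache, FinWeb@Demo, listed, login) are taken from the guide's figures; the host names, the user chris, the group FinAdmins@Demo, the command paths and the UIDs are hypothetical.

```python
# Added example, not code from the Centrify guide or product: a toy model of
# the zone / right / role / role-assignment rules described in this chapter.
# Zone, role and computer-role names follow the guide's figures; the hosts,
# the user "chris", the group FinAdmins@Demo, command paths and UIDs are
# hypothetical values for the demonstration.
from dataclasses import dataclass, field

@dataclass
class Zone:
    name: str
    parent: "Zone | None" = None
    rights: set = field(default_factory=set)            # right definitions
    roles: dict = field(default_factory=dict)           # role -> set of rights
    computers: set = field(default_factory=set)         # hosts joined here
    computer_roles: dict = field(default_factory=dict)  # name -> member hosts
    assignments: list = field(default_factory=list)     # (principal, role, scope)
    profiles: dict = field(default_factory=dict)        # user -> UNIX attributes
    overrides: dict = field(default_factory=dict)       # host -> user -> attrs

    def chain(self):  # this zone, then its ancestors up to the global zone
        z = self
        while z is not None:
            yield z
            z = z.parent

    def visible_rights(self):  # rights defined here or above (inherited down)
        return set().union(*(z.rights for z in self.chain()))

    def visible_roles(self):  # roles defined here or above; a child may shadow
        roles = {}
        for z in reversed(list(self.chain())):
            roles.update(z.roles)
        return roles

def define_role(zone, name, rights):
    """A role may only bundle rights visible in its zone, so a right created
    in FIN cannot be used by a role defined in MKTG."""
    missing = set(rights) - zone.visible_rights()
    if missing:
        raise ValueError(f"{zone.name}: rights not visible here: {sorted(missing)}")
    zone.roles[name] = set(rights)

def zone_of(zones, host):  # a host is joined to one zone; unjoined -> None
    return next((z for z in zones if host in z.computers), None)

def effective_rights(zones, user, groups, host):
    """Rights `user` (member of `groups`) holds on `host`: none without a role
    assignment; a parent-zone assignment covers every computer in its child
    zones; computer-role and single-computer scopes cover only member hosts."""
    zone = zone_of(zones, host)
    if zone is None:
        return set()
    principals, granted = {user, *groups}, set()
    for z in zone.chain():                      # host's zone, then ancestors
        roles = z.visible_roles()
        for principal, role, scope in z.assignments:
            if principal not in principals or role not in roles:
                continue
            if scope == "zone":
                applies = True
            elif scope[0] == "crole":           # ("crole", computer role name)
                applies = host in z.computer_roles.get(scope[1], ())
            else:                               # ("host", computer name)
                applies = host == scope[1]
            if applies:
                granted |= roles[role]
    return granted

def unix_profile(zones, user, host):
    """UNIX identity of `user` on `host`: child-zone attributes override the
    parent's; a machine-level (Machine Zone) override wins on that host."""
    zone = zone_of(zones, host)
    if zone is None:
        return None
    profile = {}
    for z in reversed(list(zone.chain())):
        profile.update(z.profiles.get(user, {}))
    profile.update(zone.overrides.get(host, {}).get(user, {}))
    return profile or None

def build_demo():
    """Global -> FIN, MKTG as in the guide's figure; hosts are hypothetical."""
    glob = Zone("Global")
    glob.rights |= {"pam:login", "cmd:/sbin/shutdown"}
    define_role(glob, "login", {"pam:login"})
    define_role(glob, "listed", set())        # identity visible, no access
    fin, mktg = Zone("FIN", glob), Zone("MKTG", glob)
    fin.rights |= {"cmd:/usr/sbin/apachectl"}  # usable only within FIN
    define_role(fin, "FinWSA", {"pam:login", "cmd:/usr/sbin/apachectl"})
    define_role(fin, "FinDSA", {"pam:login", "cmd:/sbin/shutdown"})
    fin.computers |= {"finweb1", "finweb2", "findb1"}
    mktg.computers |= {"redhat"}
    fin.computer_roles["FinApache"] = {"finweb1", "finweb2"}
    fin.assignments += [("FinWeb@Demo", "FinWSA", ("crole", "FinApache")),
                        ("FinAdmins@Demo", "FinDSA", "zone")]
    glob.assignments += [("chris", "listed", "zone")]
    glob.profiles["chris"] = {"uid": "10001", "gid": "10001", "shell": "/bin/bash"}
    fin.overrides["findb1"] = {"chris": {"uid": "501"}}  # machine-level UID
    return [glob, fin, mktg]

if __name__ == "__main__":
    zones = build_demo()
    for host in ("finweb1", "findb1", "redhat"):
        print(host, sorted(effective_rights(zones, "chris", ["FinWeb@Demo"], host)))
```

    Running it shows chris, as a member of FinWeb@Demo, holding the FinWSA rights on finweb1 but nothing on findb1 (not in the FinApache computer role) or on redhat (joined to MKTG, where the FIN assignment does not apply); the listed role on its own yields an empty right set, and defining a role in MKTG from the FIN-only apachectl right is rejected. Replace the demo data with your own Zone tree to reason about an assignment before you make it in the Administrator Console.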

    How to deploy Centrify Suite

    Software deployment is simple and straightforward; you conduct the entire deployment from a single Windows system.

    First, you install the DirectManage tools on a Windows system. To get started, go to Stage 1: Windows system software installation on page 35.

    Second, you install the DirectControl Agent on the UNIX computers. The DirectManage package includes the Deployment Manager to automate and manage Agent deployment across your entire network. This tool is useful for deploying the agent in complex environments with many UNIX computers running multiple operating systems. Go to page 38 to use Deployment Manager. For simple environments with just a few UNIX computers, all running the same operating system, many experienced UNIX administrators find it more convenient to download the Agent package and install it using UNIX commands. Go to page 51 to install the Agent manually.

    After the DirectManage and Agent software are installed, deployment is complete. You can then begin creating Zones, adding UNIX user identities and centralizing the UNIX users' access control in Active Directory.

    The remainder of this section expands on the Centrify Suite component descriptions and introduces DirectAudit. If you are eager to get started, confirm that your physical or virtual systems meet the configuration requirements (see page 30) and proceed to the pages shown above.

    Next Steps

    The purpose of this book is to install the Centrify Suite software in your evaluation environment and guide you through a series of configuration steps that demonstrate its major features and advantages.

    There are two parts to this book:

    Authentication and authorization: The chapter titles in this part are preceded by A&A. These chapters cover the following topics:

    - Software installation on your evaluation system

    - Adding accounts, groups and UNIX computers to Active Directory, and basic authentication

    - Creating rights and roles and assigning roles to groups

    - Generating configuration queries and reports

    - Centrify Suite command-line tools and scripting language

    - Centrify Suite group policy templates and creating Group Policy Objects

    Audit: The chapter titles in this part are preceded by Audit. There are two chapters in this part:

    - Software installation on your evaluation system and component configuration

    - Replaying and managing sessions

    Proceed to the next chapter to install the Centrify Suite software on your Windows systems and UNIX computers.

    Chapter 2: Setting up the evaluation environment

    In this chapter you install the Centrify Suite software on the computers in your evaluation environment. The following figure illustrates the minimum components required for the evaluation and the location of the Centrify Suite software.

    The following platforms were used to create the screen captures that illustrate the exercises:

    - Windows computer: Windows 7 and Windows XP

    - Windows Server: Windows Server 2008

    - UNIX computer: Red Hat Enterprise Linux

    The chapter is organized as follows:

    - Windows requirements

    - UNIX requirements

    - Site Preparation

    - Software installation overview

    - Stage 1: Windows system software installation

    - Stage 2: UNIX system(s) software installation

    Windows requirements

    Before installing Centrify Suite in the Windows environment, check the following basic requirements for your Windows workstation and Active Directory server:

    For this                            You need this
    Windows Server (Active Directory    Windows Server 2003 R2 or later, or Windows Server 2008. Active Directory
    domain controller)                  must support IETF RFC 2307; this support was introduced in Windows Server
                                        2003 R2. Separate versions of the Centrify Suite software are provided for
                                        32- and 64-bit systems.
    Windows system (workstation)        Windows XP Professional, Windows Vista or Windows 7. Separate versions of
                                        the Centrify Suite software are provided for 32- and 64-bit systems. The
                                        .NET Framework must be installed on the workstation; if it is not, the
                                        Centrify Suite setup program installs it for you.

    The Windows workstation should have the following minimum configuration:

    For this        You need this
    CPU speed       Minimum 550 MHz
    RAM             25 MB
    Disk space      1.5 GB

    UNIX requirements

    The Centrify Suite DirectControl Agent needs to be installed on each UNIX computer you want to manage through Active Directory. Centrify Suite is supported on a wide variety of platforms, including the following:

    - AIX

    - Debian (Intel architecture, 32- and 64-bit)

    - HP-UX (Itanium)

    - Mac OS

    - Red Hat Enterprise Linux (Intel architecture, 32- and 64-bit, and PowerPC)

    - Solaris (SPARC, and Intel architecture 32-bit)

    - SuSE (Intel architecture, 32- and 64-bit, and PowerPC)

    - Ubuntu (Intel architecture, 32- and 64-bit)

    For the full list, go to the Centrify Download Center and click the Choose System link at the bottom of the Centrify Suite 2012 options.

    Note You must have an account and password to access the Centrify Download Center. If you do not already have an account, talk to your support representative to get one. The Download Center also has the most up-to-date Agent packages available for immediate download and an Evaluation Center to help with installation and assessment.

    Site Preparation

    Are you going to install the Centrify Suite software in a physical lab or a virtual environment? For the purpose of site preparation, it doesn't matter: the requirements for the virtual machines are the same as for physical machines. However, there are some additional considerations for virtual environments. In addition to the following site preparation instructions, see Using a virtual environment to evaluate Centrify Suite on page 32.

    To prepare for the evaluation, you need the following:

    - A Windows Server computer that is an Active Directory domain controller and has been assigned the DNS Server role.

    - At least one Windows workstation that is already joined to the Active Directory domain. The workstation must also have the following console snap-ins:

      Active Directory Users and Computers (dsa.msc): You use this to add the UNIX users to, and create the UNIX groups in, Active Directory. If dsa.msc is not already installed, it is available free from Microsoft. Download and install it at this time.

      Microsoft Management Console (mmc): You use this to add the Group Policy Object Editor snap-in, add and remove Centrify Settings, and enable group policies.

    - A target domain whose functional level is at least Windows Server 2003. To determine a domain's functional level, launch dsa.msc, select the domain and, in the Action menu, click Raise domain functional level...; the dialog shows the current level. Only raise the level if the domain is a dedicated test domain: raising a functional level is irreversible, and doing it to a shared domain has consequences well beyond this evaluation.

    - An Administrator account and password for the Active Directory forest root domain.

    Note The forest root Administrator account is the account created when you installed the first Windows server in a new Active Directory forest. If you are setting up a separate Active Directory environment for testing purposes, you should have this account information. If you are using an existing Active Directory forest that was not expressly created for this evaluation, identify the forest root domain and ensure you have an account on the Windows workstation that is a member of the Domain Admins group, so that you have all the permissions you need to perform the tests in this evaluation. Because the exercises install software and change policy with these credentials, prefer a dedicated evaluation forest over a production forest wherever possible.

    - At least one UNIX or Linux computer connected to the same network as the domain controller.

    All of the computers must be able to ping each other.

    Checking the DNS environment

    Centrify Suite is designed to perform the same set of DNS lookups that a typical Windows workstation performs in order to find the nearest domain controller for the local site. Like a Windows computer, the DirectControl Agent on the UNIX computer looks for service locator (SRV) records in the DNS server to find the appropriate domain controller for the domain it has joined.

    In most cases, when you configure the DNS Server role on a Windows computer, you configure it to allow dynamic updates for Active Directory services. This ensures that the SRV records published when a domain controller comes online are available in DNS. If your DNS Server is configured to prevent dynamic updates, however, or if you are not using the Window computer as the DNS server, the DirectControl Agent may not be able to locate the domain controller.

    Do the following to ensure the UNIX computer can look up the SRV records in the DNS server for the evaluation environment:

    • Configure the DNS Server role on the Windows computer to Allow secure dynamic updates.

    • Make sure that each UNIX or Linux computer you are testing with includes the Windows DNS server as a nameserver in the /etc/resolv.conf file.

    When you configure the DNS Server, you should configure it to perform both forward and reverse lookups and to allow secure dynamic updates.
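    A scripted version of the two checks above, plus the "all computers must ping each other" requirement from the site preparation list, as an added example that is not part of the Centrify guide. It assumes the Active Directory domain name and the Windows DNS server address are given on the command line, that `dig` (bind-utils) is installed on the UNIX computer for the live lookup, and that the three SRV names it queries are the standard Active Directory locator records a Windows client resolves (general knowledge, not taken from this page); the resolv.conf content in the self-test is constructed.

```shell
#!/bin/sh
# Added example (not from the Centrify guide): pre-install DNS and
# connectivity check for the evaluation UNIX computer. Domain, DNS server
# address and extra hosts are assumptions passed on the command line.

# resolv_has_nameserver FILE IP
# Succeeds if FILE has an active "nameserver IP" line. Comments are ignored
# because their first field is "#", so a commented-out entry does not count.
resolv_has_nameserver() {
    awk -v want="$2" '
        $1 == "nameserver" && $2 == want { found = 1 }
        END { if (found) exit 0; exit 1 }
    ' "$1"
}

# srv_names DOMAIN
# Prints the SRV names a Windows client (and the DirectControl Agent) queries
# to locate a domain controller and a Kerberos KDC for DOMAIN.
srv_names() {
    printf '%s\n' \
        "_ldap._tcp.dc._msdcs.$1" \
        "_kerberos._tcp.$1" \
        "_ldap._tcp.$1"
}

# check_srv DOMAIN DNS_SERVER
# Asks DNS_SERVER directly for each SRV name; fails if any answer is empty,
# which is what you see when dynamic updates were blocked on the Windows side.
check_srv() {
    rc=0
    for name in $(srv_names "$1"); do
        if dig +short @"$2" SRV "$name" 2>/dev/null | grep -q .; then
            echo "OK    SRV $name"
        else
            echo "FAIL  SRV $name not answered by $2"
            rc=1
        fi
    done
    return $rc
}

# check_ping HOST...
# One ICMP echo per host (Linux ping options assumed).
check_ping() {
    rc=0
    for h in "$@"; do
        if ping -c 1 -W 2 "$h" >/dev/null 2>&1; then
            echo "OK    ping $h"
        else
            echo "FAIL  ping $h"
            rc=1
        fi
    done
    return $rc
}

# check_environment DOMAIN DNS_SERVER [OTHER_HOST...]
# Runs the three checks in order; stops early if the resolver is wrong,
# since the SRV lookup would then be answered by the wrong server anyway.
check_environment() {
    domain=$1; server=$2; shift 2
    if resolv_has_nameserver /etc/resolv.conf "$server"; then
        echo "OK    /etc/resolv.conf lists nameserver $server"
    else
        echo "FAIL  /etc/resolv.conf does not list nameserver $server"
        return 1
    fi
    check_ping "$server" "$@" && check_srv "$domain" "$server"
}

# Offline self-test of the resolv.conf parser on constructed content
# (the addresses are placeholders, not a real site).
selftest() {
    tmp=$(mktemp) || return 1
    printf 'search eval.local\n# nameserver 10.0.0.1\nnameserver 192.168.10.5\n' > "$tmp"
    if resolv_has_nameserver "$tmp" 192.168.10.5 &&
       ! resolv_has_nameserver "$tmp" 10.0.0.1; then
        rc=0
    else
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# Usage: sh dnscheck.sh eval.local 192.168.10.5 [other-host ...]
if [ "$#" -ge 2 ]; then
    check_environment "$@"
fi
```

    Run it on each UNIX computer as `sh dnscheck.sh <domain> <dns-server-ip> <other hosts...>` (placeholder values); any FAIL line names the item to fix before you join the computer, and an empty SRV answer from the Windows server points at the dynamic-update setting described above rather than at the UNIX computer.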

    Using a virtual environment to evaluate Centrify Suite

    To simplify the hardware requirements for testing the Centrify DirectControl Suite, you may find it useful to set up your own evaluation environment using either Microsoft Virtual PC or VMware Workstation. By using Virtual PC or VMware, you can create a virtual environment to simulate three physical computers running different operating systems.

    To set up a virtual environment for evaluating Centrify Suite, you need a computer with enough CPU, RAM, and available disk space to run three virtual machines simultaneously. Centrify recommends the following minimum configuration:

    • CPU: at least 1.70 GHz

    • RAM: at least 4 GB

    • Available disk space: 15 GB

    The virtual environment should also be configured to run as an isolated evaluation environment using Local/Host-only or Shared/NAT networking.

    Evaluation Guide 32

    For example, this book was tested using the following virtual environment; this would be a good minimum configuration:

    • One Windows Server 2008 (or Windows Server 2003) virtual machine image with 256-384 MB RAM, a 4 GB disk image, and using a network address translation (NAT) network connection.

    • One Windows 7 virtual machine with 1 GB RAM, a 60 GB disk image, and using a network address translation (NAT) network connection.

    • One Red Hat Enterprise Linux virtual machine image with 256-384 MB RAM, a 4 GB disk image, and using a network address translation (NAT) network connection.

    In addition, because the virtual environment runs as an isolated network, each virtual machine should be manually assigned its own static TCP/IP address and host name.

    After you create the Windows Server virtual machine, you need to configure the server roles for the computer. To evaluate Centrify Suite, the Windows Server virtual machine needs to be configured as:

    • An Active Directory Domain Controller

    • A DNS master server

    When you configure the DNS Server role for the Windows Server virtual machine, you should configure it to perform both forward and reverse lookups and to allow secure dynamic updates.

    Software installation overview

    You run the installation process from the Windows workstation. Installation is conducted in two stages:

    • Windows system software installation: In this stage, you install the DirectManage components on the Windows system.

    • UNIX system(s) software installation: You can use the Deployment Manager to automatically select the appropriate Agent package and install it on your UNIX computer(s), or you can download the Agent package from the Centrify Customer Download Center, extract the package yourself, and run the install.sh script from the UNIX console. Both methods are described below.

    Note This chapter describes installing the DirectManage components only. The DirectAudit installation steps are done separately in Chapter 8, Audit: Set up the evaluation environment.

    The process begins from the Centrify Suite DVD or iso image. If you do not have the Centrify DVD, go to the Centrify Customer Download Center.

    You reach the Customer Download Center from the Centrify home page: click the Support tab and select the Customer Support Portal.

    You are immediately prompted to enter the email address and password for your account. After your credentials are validated, you reach the portal page. Select the Customer Download Center link.

    The following figure illustrates the Customer Download Center page.

    Two areas on this page are for people building an evaluation system:

    • Evaluating Centrify Solutions: This page offers step-by-step download and installation instructions that parallel this book. (Use one or the other, do not try to use both.)

      If you need to download the Centrify Suite DirectManage package, start here. Go to Step 2. Download Centrify Suite 2012 and select the iso or zip file for your 32- or 64-bit Windows platform.

      This page does not, however, offer the Agent packages you install on your UNIX computer(s).

    • Centrify Suite 2012: This page offers for download the same Centrify Suite DirectManage packages available from the Evaluating Centrify Solutions page. For the evaluation system be sure to download the DirectManage Enterprise Edition, rather than the Standard Edition. As above, click on the link corresponding to your Windows platform processor architecture.

      In addition, use the links at the bottom of the box to get the Agent package. Choose Agents Disk to download a zip file/iso image that contains all of the Agent packages. Alternatively, click Choose System to just download the package for a single UNIX platform. You will need to install the package manually on each UNIX computer if you choose this option.

    Notes

    If you are installing on a Windows workstation running in a virtual machine, it is handy to download the iso image file and then use it as a virtual CD/DVD drive. For example, in VMware go to the Virtual Machine Settings. In the Hardware tab select the CD/DVD (IDE) device and select the Use ISO image file radio button and browse for the iso file you downloaded. Be sure to check the Device status boxes too.

    During the installation, you are prompted to enter your license key. A 30-day license option is available free as a part of the installation program. Alternatively, a Centrify representative may have emailed a license key separately. When prompted, cut and paste the license key from the email into the form.

    Stage 1: Windows system software installation

    In this step you install the DirectManage software on the Windows system from the DVD or the file you downloaded from the Centrify Customer Download Center. The file name is one of the following:

    • Centrify-Suite-2012-mgmt-ent-win32

    • Centrify-Suite-2012-mgmt-ent-win64

    If you have not already done so, extract the files from the .zip version, burn a DVD from the iso image, or mount the iso image file as a virtual disk on your virtual machine.

    1 To begin, launch autorun from the DVD/iso.

    2 Click the Centrify DirectManage (nn-bit) icon.

    3 Centrify DirectManage: Click Next to proceed.

    4 Review License Agreement: Click the I agree to these terms radio button and Next to accept the licensing terms.

    5 User Registration: Enter your User Name (note that it defaults to the current account name) and Company Name and click Next.

    6 Select Components: For the evaluation configuration select all of the components. Click Next.

    7 Choose Destination Folder: For the evaluation system, use the default. Click Next.

    8 Disable Publisher Evidence Verification: For convenience, leave the default setting (disable verification). Click Next.

    9 Confirm Installation Settings: Click Next.

    10 Click Finish to end the setup.

    The installation takes a couple of minutes and adds two icons to your desktop:

    • Centrify DirectControl: The DirectManage Administrator Console

    • Deployment Manager: The program you use to manage the Centrify Suite software on the UNIX systems on the network.

    11 Click Exit to close DirectManage installation. You will install the DirectAudit software in Chapter 8, Audit: Set up the evaluation environment.

    This completes the Windows system DirectManage components installation stage. Do not start up the Administrator Console right now. Instead, proceed to Stage 2.

    Stage 2: UNIX system(s) software installation

    In this section, you install the Centrify Suite DirectControl Agent, DirectAudit Agent and DirectManage UNIX tools on the UNIX computer(s). There are two alternative paths to complete this stage:

    • Use the Deployment Manager to automatically find your UNIX computers on the network, determine which Agent to install, download the software and install the Agents and tools. The instructions follow immediately below.

    • Manually, download the Agent package from the Centrify Customer Download Center, copy the file to your UNIX computer(s) and run the install.sh script. Go to page 51 for the instructions.

    If you are installing the Agent software on a single UNIX computer, the manual method can be more expeditious, especially for UNIX administrators. The result is the same for both procedures.

    Deployment Manager path

    The just-installed Deployment Manager does the complete installation, from identifying the UNIX computers on the network and the platform and processor in each one to installing the appropriate Agent. Deployment Manager can also join each computer to the Active Directory domain; however, you should skip that step at this time.

    Before you run Deployment Manager, confirm that all of the UNIX computers you want to use in the evaluation can be pinged. In addition, if you are running the installation from the Internet (rather than a DVD), be sure your computer is online.

    This stage is composed of several phases, all performed by Deployment Manager:

    • Build computer list: During this step you specify upon which computers to load the software. You can either specify the computers directly or let Deployment Manager discover and build a list of prospective targets. From that list, you then select which UNIX computers to use in the evaluation.

    • Download Centrify Software: In this step you either download the platform packages from the Internet or specify the DVD source to your system.

    • Analyze Your Environment: In this step, Deployment Manager analyzes your target computer environment(s) to confirm that they are Centrify Suite-ready and determine which package to use.

    • Deploy Centrify Software: In this step, Deployment Manager installs the Centrify Suite package on your selected platforms.

    To load Deployment Manager, double-click its desktop icon.

    The Deployment Manager Welcome window displays the four deployment phases.

    Note The Deployment Manager is designed as a production system tool to help administrators with the ongoing maintenance and update of their Centrify-enabled UNIX systems. This eliminates the complexity for large scale systems but adds a few more steps to the evaluation system deployment process.

    Step 1. Build computer list

    In this phase, you select the target UNIX computers.

    1 In Build Computer List, click the Add Computers ... button.

    2 The program asks you to specify a list or have Deployment Manager find them for you.

    Click the Discover computers from the network radio button and Next to have DirectManage identify all of the prospective UNIX computers in your environment.

    Alternatively, click the Add a single computer radio button to enter each computer individually.

    3 The next screen lets you define the scope of the search.

    By default, the program selects the subnet based on the Windows workstation's IP address for the search. Click the other radio buttons to use different criteria.

    4 It takes a couple of minutes (depending upon the size of your network) to discover the computers. The program lists the UNIX computers it found (those it could ping) with the range of addresses you selected. (In my case, I have just one.)

    Check the box for each UNIX computer upon which you want to install the Centrify Suite software.

    5 The next window lists any other computers it found in the subnet. Scan the list to see if there were any other UNIX computers found. (Disregard any Windows computers it found; the sole purpose of the Deployment Manager is to identify and service the UNIX computers.) If other UNIX computers were found and you want to include them in the evaluation system, check the corresponding box.

    This window also lists all of the IP addresses in the subnet. If you know of any UNIX computers in the subnet that were not found (most often the cause is the machine is offline or turned off) AND you want to install the Centrify Suite package, check the corresponding IP address box to register each one in Deployment Manager. Deployment Manager only services the registered UNIX computers.

    Note You can run Deployment Manager at any time to find UNIX computers and deploy the Centrify Suite package. You do not need to install them all at this time.

    Click Next to proceed.

    6 The program prompts you to specify the name of an account on the target computer(s) that has sufficient privilege to make system changes. If that account does not have root privileges, check the box to specify a privilege command (see figure for an example), select su from the drop down menu, and enter the root password.

    In the next window, enter the password for the user name you specified. Click Next to finish each window.

    If you specify multiple computers, Deployment Manager prompts you for the user name, privilege command, root password and user password separately for each computer.

    Deployment Manager then finishes its interrogation of the machine and updates the home page with the list of computers found. It takes a couple of minutes to finish. During the operation, Deployment Manager covers the affected icon with an hourglass; this is your indication that the procedure has not finished. For example, in this instance the hourglass is imposed upon the Computer icon (see the following figure). Deployment Manager uses the same icon during the other phases.

    Click Finish when prompted.

    Deployment Manager updates the Computer Statistics pane with an icon representing each UNIX computer and its operating system. Double-click on the icon to get the full information found.

    Deployment Manager also updates the All Computers branch with the host name (Redhat in my case). If you have more than one UNIX computer, double-click All Computers for the full list along with their information.

    Deployment Manager also looks in Active Directory for the users and groups in the computer and other UNIX properties. There are none at this point, but as you go through the exercises, open Deployment Manager to see how the tree is filled out. In a production system, Deployment Manager is a convenient tool to get a configuration summary from a variety of perspectives.

    This concludes the Build Computer List phase.

    Step 2. Download Centrify software

    In this phase, you load the following Centrify Suite components into Deployment Manager.

    • The DirectControl Agent: There is a separate Agent package for each combination of platform (for example, Red Hat Enterprise Linux, AIX, HP-UX, etc.) and processor architecture (x86 32-bit, x86 64-bit, PPC, SPARC, etc.).

    • The Analysis Tool (adcheck): You use adcheck from a UNIX console to perform operating system, network, and Active Directory tests to verify that a machine is ready to join the specified Active Directory domain. The output from adcheck includes notes, warnings, and fatal errors, along with suggestions on how to fix them.

    Note This book does not illustrate use of adcheck. See the Administrator's Guide for the description or just try it out after you have installed the software on the UNIX computer.

    The Agent packages are not included in the Centrify-Suite-2012-mgmt-ent-Win... file you installed earlier. They are provided separately. The Deployment Manager gives you two options for loading the packages:

    • Customer Download Center: The Deployment Manager prompts you to enter your account and password. Then it looks at the UNIX computers found in Step 1 and automatically downloads the corresponding Agent and Analysis Tool. If you plan to use this option go right to step 1 on the next page.

    • Agents DVD: Deployment Manager prompts you to enter the location (directory or drive) that has the full catalog of the Agent and Analysis Tool packages for every combination of UNIX platform and processor.

    If you plan to use the Agents DVD option AND you do not have the physical disk, download the iso image or a zip file from the Centrify Customer Download Center before you begin Step 2. Use the following procedure to download the file and import the catalog.

    a Go to the Customer Download Center (from the Centrify home page click on the Support tab, select Customer Support Portal and then click the Customer Download Center link) and select AgentsDisk.

    b Click the blue download button to select either the zip or iso package.

    c Copy the zip file to the Windows system on which you are running Deployment Manager and extract the files or map the iso file to a logical disk accessible by the Deployment Manager.

    d Import the catalog of files into Deployment Manager. In the Deployment Manager window, right-click the Centrify Deployment Manager node in the left hand pane and select Import Centrify Product Catalog ... from the menu.

    Change directories to the drive (logical or physical) or directory that has the unzipped files or virtual drive with the iso file, select the file centrify-product-catalog-offline and click Open. The import process begins immediately. It takes several minutes. When it is complete, a window pops up indicating Centrify Product Catalog imported. Click OK.

    Use the following instructions to load the Agent package(s) and Analysis Tool(s) into Deployment Manager.

    1 In the Deployment Manager home screen, click the Step 2: Download Software ... button.

    2 The first window gives you the following options:

    • Download from the Centrify Download Center: To use this option, enter the email address and password for your support center account. Then click Next>. The rest is automatic. Deployment Manager downloads just the Agent package and Analysis Tool corresponding to your UNIX computer(s) platform and processor.

    • Copy from network or local drive: To use this option click the radio button and browse to the DVD drive (physical or logical) or directory with the unzipped files and click Next. The next window displays all the files that will be copied. Click Finish. Deployment Manager loads the Analysis Tools and Centrify Suite software for all of the options in the catalog onto your Windows system and updates the Download Centrify Software pane to show the software downloaded and platforms supported.

    This concludes software download. You can see a list of the files downloaded by expanding the Software node in the left hand pane.

    Step 3: Analyze your environment

    In this phase, Deployment Manager analyzes the selected UNIX computers to ensure it has the privileges to install software and determine if there is already any Centrify software installed.

    The following figure illustrates the state of my machine at this point. My Redhat computer is listed in Computers Not Analyzed. Unless you have Centrify software already installed (for example, you are upgrading from a previous version), your UNIX computers should be listed in this category.

    Note Recall that Deployment Manager is a system administrator tool. In a production environment, the categories, fields and messages become quite useful for understanding and managing the state of systems.

    Click the Analyze ... button to proceed.

    Enter the Active Directory domain name and click OK. (You can ignore the Number of domain controllers to analyze setting when setting up the evaluation system; it will not affect performance.)

    This takes a minute or two. The hourglasses covering the All Computers and RedHat icons in the Computers branch tell you that Deployment Manager is analyzing.

    When Deployment Manager is done it updates the home page with the results of the analysis. Your results should look similar to the following figure, except that your computers are more likely listed under Ready to Install rather than Ready to Install with Warnings.

    Note You can continue to install the software on computers that are Ready to Install with Warnings. If you are curious about the warnings, click the chevron to list the candidate computer's warning issue(s) and double-click the issues to find out what's wrong.

    If the Analysis does NOT update the display, click on the History node in the tree for a list of the analysis sessions and right click on the most recent. Click the Trace tab for the details.

    This completes the Analysis phase.

    Step 4: Deploy Centrify Software

    In this phase, Deployment Manager deploys the Centrify Suite packages to the selected UNIX computers and installs the DirectControl Agent.

    1 Check the UNIX computers listed under Ready to Install you want to use in the evaluation system.

    2 Deployment Manager displays a series of windows to refine which software to deploy. In the first window, select the Centrify Suite Enterprise Edition. Take the defaults in the next two. HOWEVER, when prompted to Join Computer to Zone After Install UNCHECK the box. You join the UNIX computers in another exercise.

    3 Click Next to proceed through the Select Edition and Select Suite windows.

    4 In the Select Components window, you want Centrify DirectControl and Centrify DirectAudit checked. The other boxes are optional:

    • OpenSSH: The package includes a compiled version of the latest OpenSSH distribution to make it easy for you to install and use SSH with Centrify Suite for secured authentication to Active Directory using Kerberos. This option is selected by default. It is, however, optional. If you do select it, the installation process configures the computer to use the Centrify OpenSSH in place of any existing OpenSSH already installed on the computer. See Appendix A, Using Centrify Suite with SSH for the configuration and testing instructions. If you do NOT want to install the Centrify OpenSSH, uncheck the box.

    • Centrify NIS: The DirectControl Network Information Service is an optional addition to the DirectControl Agent. Once installed and running, it functions just like a standard NIS server, however it responds to NIS client lookup requests using the information stored in Active Directory. This option is NOT checked by default. If you want to evaluate the NIS support, check this box and see the instructions in Appendix B, DirectControl Network Information Service.

    Click Next after you have made your selections to proceed.

    5 In the Join Computer to Zone After Install window UNCHECK the Add the computers into Active Directory after install. You add the computer(s) late