IBM Tivoli Access Manager for Operating Systems 5.1 SA

Size: px

Start display at page:

Download "IBM Tivoli Access Manager for Operating Systems 5.1 SA"

Ralph Hensley
5 years ago
Views:

1 IBM Tivoli Access Manager for Operating Systems 5.1 SA

3 IBM Tivoli Access Manager for Operating Systems 5.1 SA

5 v v vi vi IBM Tivoli Access Manager for Operating Systems vii vii vii viii viii ix ix ix , msg kosserrs.log XML policy pdosexempt policy InstallShield Multiplatform InstallShield Multiplatform : Tivoli Access Manager : Tivoli Access Manager policy : Tivoli Access Manager policy : Tivoli Access Manager user_create : 1 pdosd : Tivoli Access Manager for Operating Systems 36 2: Tivoli Access Manager for Operating Systems SSL ldapcacert.b LDAP SSL CA LDAP SSL policy.. 43 pdosexempt SSL () AIX policy Copyright IBM Corp. 2001, 2003 iii

6 pdoslpmd policy init Kosseal not avail, rc PAM policyview policy : : policy Tivoli Access Manager for Operating Systems Tivoli Access Manager policy policy ACL policy surrogate-to-root policy Sudo policy : A. Tivoli Access Manager for Operating Systems B. IBM iv IBM Tivoli Access Manager for Operating Systems:

7 IBM Tivoli Access Manager for Operating Systems policy. : IBM Tivoli Access Manager for Operating Systems Tivoli SecureWay Policy Director for Operating Systems( 3.7) Tivoli Policy Director for Operating Systems( 3.8). Tivoli SecureWay Policy Director policy. IBM Tivoli Access Manager for Operating Systems IBM Tivoli Access Manager for Operating Systems.. v UNIX v (HTTP, TCP/IP, FTP, Telnet, SSL) v v v v LDAP(Lightweight Directory Access Protocol) v IBM Tivoli Access Manager Base. v IBM Tivoli Management Environment framework v IBM Tivoli Enterprise Console v IBM Tivoli Directory Server(LDAP) v IBM Tivoli User Administration Copyright IBM Corp. 2001, 2003 v

8 IBM Tivoli Access Manager for Operating Systems. v 1 1. v 3 2, Tivoli Access Manager for Operating Systems. v v 37 4 Tivoli Access Manager for Operating Systems. v 51 5 policy Policy. v v 81 7 IBM Customer Support. v 85 A Tivoli Access Manager for Operating Systems Tivoli Access Manager for Operating Systems. v 319 B IBM,. Tivoli Access Manager for Operating Systems. Tivoli, Tivoli Tivoli. vi IBM Tivoli Access Manager for Operating Systems:

9 IBM Tivoli Access Manager for Operating Systems IBM Tivoli Access Manager for Operating Systems, IBM Tivoli Access Manager. Tivoli Tivoli Tivoli. IBM Tivoli Access Manager for Operating Systems. v IBM Tivoli Access Manager for Operating Systems, SA Tivoli Access Manager for Operating Systems. Tivoli, IBM Tivoli Enterprise Console IBM Tivoli Risk Manager. v IBM Tivoli Access Manager for Operating Systems, SA Tivoli Access Manager for Operating Systems,,. v IBM Tivoli Access Manager for Operating Systems, SA ,,, Tivoli Access Manager for Operating Systems.. v IBM Tivoli Access Manager for Operating Systems, GA Tivoli Access Manager for Operating Systems. v IBM Tivoli Access Manager for Operating Systems Read Me First Card, GA Tivoli Access Manager for Operating Systems.. v IBM Tivoli Access Manager Base, SA v IBM Tivoli Access Manager Base Administration Guide, GC v IBM Tivoli Access Manager for e-business, GA v IBM Tivoli Access Manager for e-business Performance Tuning Guide, SC vii

10 IBM Tivoli Access Manager. v IBM Tivoli Access Manager for e-business Problem Determination Guide, SC Tivoli Access Manager. v IBM Tivoli Access Manager Error Message Reference, SC IBM Tivoli Access Manager, Tivoli Access Manager for Operating Systems Tivoli Access Manager. v IBM Tivoli Access Manager for e-business Command Message Reference, SC Tivoli Access Manager. v Tivoli Software Library,,, Tivoli. Tivoli Software Library. v Tivoli Glossary Tivoli. Tivoli Glossary. IBM Tivoli Access Manager for Operating Systems IBM Tivoli Access Manager for Operating Systems. PDF, HTML Tivoli Software Library. Product manuals., Tivoli Software Information Center. : PDF, Adobe Acrobat ( ). viii IBM Tivoli Access Manager for Operating Systems:

11 ... IBM Tivoli Access Manager for Operating Systems. IBM Tivoli Software Tivoli support IBM Tivoli Software. IBM Software. v v v...,,..,,.,,. [].. ix

12 ...,, Java, HTML XML. x IBM Tivoli Access Manager for Operating Systems:

13 1,. IBM Tivoli Access Manager for Operating Systems. Tivoli Access Manager for Operating Systems policy. policy.,,,.,,,. policy... v v v v. v v v policy v. Tivoli Access Manager for Operating Systems IBM Tivoli Access Manager for Operating Systems.. v v Copyright IBM Corp. 2001,

14 v v v v, v,.. v.. Tivoli Access Manager policy Tivoli Access Manager (LDAP) Tivoli Access Manager for Operating Systems, v Tivoli Access Manager for Operating Systems policy. v pdosbkup Tivoli Access Manager for Operating Systems. v. /var/pdos. ( : policy, )., MB.,. v /var/pdos, ( : ) 100MB. /var/pdos, Tivoli Access Manager for Operating Systems. v Tivoli Access Manager for Operating Systems... v IBM Tivoli Software. v Tivoli Access Manager for Operating Systems Tivoli Access Manager. 2 IBM Tivoli Access Manager for Operating Systems:

15 2, Tivoli Access Manager for Operating Systems,,. Tivoli Access Manager for Operating Systems /var/pdos/log... Tivoli Access Manager for Operating Systems /var/pdos/log. v msg pdosd.log: pdosd. v msg pdosauditd.log: pdosauditd. v msg pdoswdd.log: pdoswdd. v msg pdoslpmd.log: pdoslpmd. v msg pdoscfg.log: pdoscfg, pdosucfg, pdosteccfg pdostecucfg. v msg kosserrs.log:. v msg pdoslrd.log: pdoslrd. Tivoli Access Manager for Operating Systems /var/pdos/pdostecd. v msg pdostecd.log: pdostecd. ID. ID 85 A Tivoli Access Manager for Operating Systems. msg kosserrs.log. v (YYYY-MM-DD:hh:mm:ss.sss[+/-]GMT offset) v 16 v Copyright IBM Corp. 2001,

16 v (FATAL, ERROR, WARNING, NOTICE) v v v v 16 ID v ID v :49: :00I x35A53099 pdosd NOTICE osd pdosd main.c 529 0x AOSSD0153I AZN :49: :00I x35A62197 pdosd NOTICE oss daemon state.c 460 0x AOSSS0407I PDOSD ( ) :14: :00I x357E2003 pdosd WARNING ocs general cas.c x AOSCS0003W Tivoli Access Manager. ( ). FATAL... IBM Customer Support. ERROR... WARNING...,. NOTICE.. NOTICE VERBOSE NOTICE. 4 IBM Tivoli Access Manager for Operating Systems:

17 msg kosserrs.log msg kosserrs.log.. msg kosserrs.log /opt/pdos/sbin/kosserrs kosserrs. STDOUT.. v (HH:MM:SS) v v kosserrs. # kosserrs Date: Mon Dec 17 11:03:59 CST 2001 (CST) 11:03:59 0x340B4004: lost contact with pdosd, err 19 11:04:12 0x340B4006: regained contact with pdosd 11:10:24 0x340B4004: lost contact with pdosd, err 19 11:11:28 0x340B4005: still can not contact pdosd, err 19 11:11:56 0x340B4006: regained contact with pdosd msg kosserrs.log.. pdosd pdosauditd /var/pdos/log /var/pdos/pdosd /var/pdos/pdosauditd.., HP-UX.. (.) debug message. Policy NFS AIX. msg kosserrs.log. 3EE64C93 0x340B4003: AOSOE0003E internal error 4 loc 40:466 Tivoli Access Manager for Operating Systems NFS. 2, 5

18 , Tivoli Access Manager for Operating Systems..,., msg pdosd.log msg pdosd.log.1 msg pdosd.log. msg pdosd.log msg pdosd.log.2.,. 2, msg pdosd.log msg pdosd.log.1.,,. 0 0,. pdoscfg. IBM Tivoli Access Manager for Operating Systems IBM Tivoli Access Manager for Operating Systems..,.... XML Tivoli Access Manager for Operating Systems Tivoli XML,.. v XMLFILE v XMLSTDOUT v XMLSTDERR XML UTF-8 TEXTFILE( TEXT), STDOUT STDERR. XML (ASCII HTML) 6 IBM Tivoli Access Manager for Operating Systems:

19 Tivoli XML., ID. XML Tivoli Access Manager for Operating Systems. XML. XML InstallShield Tivoli Access Manager CD Tivoli Access Manager for Operating Systems. (setup.jar) readme (readme.htm) xmllogviewer. Java, JVM Readme. XML readme. Tivoli Access Manager for Operating Systems....,. Tivoli Access Manager for Operating Systems (pdosd, pdosauditd, pdoswdd, pdoslpmd pdoslrd) pdosobjsig. /opt/pdos/etc/trace. /var/pdos/tracelogs.... component:subcomponent.debuglevel:destination:attributes. component 2, 7

20 subcomponent debuglevel destination.. attributes pdosd. 1. pdosd pdosd ocs cas pdosd ocs isolation policy / pdosd okm general policy pdosd omh authz Authz Msg Handler authz API pdosd owc - pdosd owc net Debuglevels 1-9. STDERR, STDOUT, FILE( TEXTFILE) DISCARD..,. 1.. omh:authz.3:file :/var/pdos/tracelogs/pdosd_%ld.trc 2. STDOUT omh:authz.3:stdout:- 8 IBM Tivoli Access Manager for Operating Systems:

21 (pdosd, pdosauditd, pdoswdd, pdoslpmd pdoslrd). pdosctl -t... pdosctl -t daemon:component:subcomponent.debuglevel:where:attribute. pdosctl -t pdosd:omh:authz.3 (, ): pdosctl -t "pdosd:owc:net.1:file:/tmp/owc.log;okm:useraudit.3:file:/tmp/ \ useraudit.log" pdosctl -t pdosd:omh:authz.0. v (YYYY-MM-DD:hh:mm:ss.sss[+/-]GMT offset) v v DEBUGN (N ) v v v v v ID v. /scratch/test (T[OSSEAL]D) :36: :00I----- pdosd DEBUG2 omh authz /project/oss510/build/oss510/src/oss/azn/mh/authz_fileaccess.c 154 0x e authz_fileaccess: got cred for ID 0, :36: :00I----- pdosd DEBUG2 omh authz /project/oss510/build/oss510/src/oss/azn/mh/authz_fileaccess.c 159 0x e creds = 0x17cc78, cred_flags = 0x10, userauditauthmap 0x4000 2, 9

22 :36: :00I----- pdosd DEBUG1 omh authz /project/oss510/build/oss510/src/oss/azn/mh/authz_api.c 156 0x e authz_callaznapi: calling AZN API with creds for user ID 0, protected object name /OSSEAL/gsosun9/File/scratch/test, operation [OSSEAL]D :36: :00I----- pdosd DEBUG1 omh authz /project/oss510/build/oss510/src/oss/azn/mh/authz_api.c 185 0x e authz_callaznapi: azn_st == AZN_S_COMPLETE, AZN_C_PERMITTED, decision: GRANTED :36: :00I----- pdosd DEBUG1 omh authz /project/oss510/build/oss510/src/oss/azn/mh/authz_api.c 306 0x e authz_callaznapi, authz_data_p->status= 0x0, decision 0x1D :36: :00I----- pdosd DEBUG2 omh authz /project/oss510/build/oss510/src/oss/azn/mh/authz_fileaccess.c 452 0x e authz_fileaccess, err_st = 0, decision :36: :00I----- pdosd DEBUG1 omh authz /project/oss510/build/oss510/src/oss/azn/mh/authz_api.c x e authz_finaldecision, authz_data_p->status = 0x0, decision 0x :36: :00I----- pdosd DEBUG1 omh authz /project/oss510/build/oss510/src/oss/azn/mh/authz_internal.c 421 0x e authz_sendr: AZN File Access MSG stats: queue length 1, queued time 0 secs, cred acq time 0 secs, processing time 0 secs..,.,. kazntrace.,.. kazntrace.. /opt/pdos/sbin kazntrace. STDOUT.,.. /opt/pdos/sbin/kazntrace > /tmp/pdostrace.out. kazntrace -A. kazntrace -D. kazntrace -z. kazntrace -s kwords.. 10 IBM Tivoli Access Manager for Operating Systems:

23 v hh:mm:ss:sss. hh, mm, ss, sss..,. v ID(PID) v. Date: Tue Jan 29 11:23: (CST) privcheck flags 0 procflags 0x1c1 effid 0 realid privcheck result 1 privuid kosseal_syscall rtn code 0, retval 0/0 cd /scratch/test. /opt/pdos/sbin/kazntrace -A -z -s 50 cd /scratch/test /opt/pdos/sbin/kazntrace > /tmp/pdostrace.out /opt/pdos/sbin/kazntrace -D -a main -s 12 -z policy policy ( 5 Policy ). syslog PAM(Pluggable Authentication Modules) syslog. syslog IBM Customer Support.. PAM (Solaris, HP-UX, Linux). 1. PAM. Solaris HP-UX /etc/pam.conf. Linux /etc/pam.d/service. pam_pdos., 0xffffffff., HP-UX auth, /etc/pam.conf login auth required/usr/lib/security/libpam_pdos.1. 2, 11

24 login auth required/usr/lib/security/libpam_pdos.1 0xffffffff 2. /etc/syslog.conf syslog., /var/pdos/lpm.dbg, /etc/syslog.conf. *.debug /var/pdos/lpm.dbg 3. syslog., /var/pdos/lpm.dbg. touch /var/pdos/lpm.dbg 4. HUP syslog syslog.conf., syslog ID 5212,. kill -HUP 5212 AIX 1. AIX policy PAM. PAM. /usr/lib/security/.pdos_debug.. PAM. 2. /etc/syslog.conf syslog. /var/pdos/lpm.dbg, /etc/syslog.conf. *.debug /var/pdos/lpm.dbg 3. syslog., /var/pdos/lpm.dbg. touch /var/pdos/lpm.dbg 4. HUP syslog syslog.conf., syslog ID 5212,. kill -HUP 5212, ( : ) IBM Tivoli Access Manager for Operating Systems:

25 .,.....,.. (pdosctl -a pdosctl -A).,.. 1. Policy(POP) policy. 4.., AuditAuth policy.. 1--/games Tivoli Access Manager for Operating Systems policy ACL, /games/solitaire.. /games policy: pdadmin> object create /OSSEAL/TEST/File/games "" 3 i yes pdadmin> acl create tight pdadmin> acl modify tight set any-other T pdadmin> acl attach modify tight set unauthenticated T pdadmin> acl attach /OSSEAL/TEST/File/games tight pdadmin> acl show tight ACL Name: tight Description: Entries: User sec_master TcmdbsvaBl Any-other T 2, 13

26 Unauthenticated T # pdosctl -a deny:on # /games/solitaire /games/solitaire : cannot execute # pdosctl -a all:off # pdosaudview -l -s now-5 Wed Jul 31 15:46:26 CDT policy. Policy Branch TEST File/games /games/solitaire ID /games/solitaire File/games policy. policy. ACL. 2--policy /tmp/notes, /bin/more. cat. /tmp/notes policy: pdadmin> object create /OSSEAL/TEST/File/tmp/notes "" 3 i yes pdadmin> acl create test pdadmin> acl modify test set any-other T[OSSEAL]rwx pdadmin> acl modify test set attribute Access-Restrictions any-other:r:/bin/more pdadmin> acl attach /OSSEAL/TEST/File/tmp/notes test # pdosctl -a deny:on # cat /tmp/notes cat: Cannot open /tmp/notes. # pdosctl -a all:off # pdosaudview -l -s now-5 Thu Aug 1 08:16:43 CDT IBM Tivoli Access Manager for Operating Systems:

27 policy Access-Restrictions. Policy Branch TEST File/tmp/notes /tmp/notes ID /usr/bin/cat 0 /tmp/notes File/tmp/notes policy. policy. 3--/sensitivedata admin policy.,., admin joe /usr/bin/vi /sensitivedata/file1. admin. policy pdadmin> object create /OSSEAL/Test/AuditAuth/Group/admin/all "" 3 i yes pdadmin> object create /OSSEAL/Test/File/sensitivedata "" 3 i yes pdadmin> acl create sdata pdadmin> acl modify sdata set group admin T[OSSEAL]DKNRUdloprwx pdadmin> acl attach /OSSEAL/Test/File/sensitivedata sdata #/usr/bin/vi sensitivedata/file1 # pdosaudview -l -s now-5 Mon Aug 1 11:51:25 CDT joe joe policy. 2, 15

28 Policy Branch Test File/sensitivedata /sensitivedata/file1 ID /usr/bin/vi 0 /sensitivedata/file1 File/sensitivedata policy.,. IBM Tivoli Access Manager for Operating Systems. pdosexempt pdosexempt policy. policy. policy.., Tivoli Access Manager for Operating Systems. pdosexempt., policy., Tivoli Access Manager for Operating Systems (,, ).,. pdosrevoke. 1. PID.,. #ps-f UID PID PPID C STIME TTY TIME CMD root :45:46 pts/2 0:00 ps -f, PID ps -f PID PID pdosexempt. # pdosexempt -i IBM Tivoli Access Manager for Operating Systems:

29 13478 Tivoli Access Manager for Operating Systems policy. 3. Tivoli Access Manager for Operating Systems,,,. 4., pdosrevoke. # pdosrevoke policy. : Tivoli Access Manager for Operating Systems /var/pdos/ffdc.,,.,. policy policy policy., policy. policy. policy. IBM Tivoli Access Manager for Operating Systems policy.. /opt/pdos/sbin/kossdump.sh,. kossdump.sh, Customer Support.. kossdump.sh [-d dump_image] [-k kernel] [-b] [-h] 2, 17

30 -d systemdump. -k, 2. -b. -h. Tivoli Access Manager for Operating Systems. kossdump.sh -b > /tmp/pdosinfo.out,. kossdump.sh > /tmp/pdosinfo.out,. kossdump.sh -d dump_path -k kernel_path > /tmp/pdosinfo.out, compress gzip. /opt/pdos/sbin ossdump.sh.. ossdump.sh [-g] [-l] [-s] [-V] [-R release/fix level]] [-k K] [-? -h].. -g Tivoli Access Manager for Operating Systems. -l. -s. -k. -K. -V Tivoli Access Manager for Operating Systems. -R Tivoli Access Manager for Operating Systems. -h. ossdump.sh. 18 IBM Tivoli Access Manager for Operating Systems:

31 v Tivoli Access Manager for Operating Systems 2 /var/pdos dir (ls -lisr) Host Lookaside v Tivoli Access Manager for Operating Systems v Uname (ps -elkf) (df) inittab v kossdump.sh -b. v kossdump.sh.. Tivoli Access Manager for Operating Systems, Tivoli Access Manager policy LDAP, /opt/pdos/sbin server_ping.sh. Tivoli Access Manager for Operating Systems.. v bassslcfg -ping Tivoli Access Manager for Operating Systems policy v SSL LDAP ldapsearch -h $LDAPHOST -b "" -s base -v objectclass=* 2, 19

32 v SSL LDAP ldapsearch -h $LDAPHOST -Z -K /var/pdos/certs/pdosd.kdb -b "" -s base -v objectclass=* 20 IBM Tivoli Access Manager for Operating Systems:

33 3. InstallShield Multiplatform InstallShield Multiplatform, Tivoli Access Manager for Operating Systems.,. /tmp/msg amosismp.log /tmp/cdwa.stdout /tmp/cdwa.stderr InstallShield Multiplatform Tivoli Access Manager for Operating Systems CD..,. IBM Tivoli Access Manager for Operating Systems. ISMP.. 23., ,. 2. HP swinstall /var/adm/sw/swinstall.log v v AIX installp smit stderr stdout ${HOME}/smit.log v v Copyright IBM Corp. 2001,

34 2. () Solaris pkgadd stderr stdout v v IBM LDAP v Linux rpm stderr stdout v v IBM LDAP v IBM Tivoli Access Manager for Operating Systems. LDAP. Solaris Sun ONE Directory Server, Sun LDAP Linux nss-ldap. /opt/pdos/ /var/pdos. IBM Tivoli Access Manager for Operating Systems. pdoscfg, pdosucfg, pdosteccfg pdostecucfg Tivoli Access Manager for Operating Systems. /var/pdos/log/msg pdoscfg.log..,. /var/pdos/log/msg pdoscfg.log.... v pdoscfg :09: :00I x357D5011 pdoscfg NOTICE ocf pdoscfg_util pdoscfg_main.c 393 0x pdoscfg. v pdosteccfg. 22 IBM Tivoli Access Manager for Operating Systems:

35 :12: :00I x357D5011 pdosteccfg NOTICE ocf pdoscfg_util pdosteccfg_main.c 318 0x pdosteccfg. v pdoscfg pdoscfg. pdoscfg :09: :00I x357D5012 pdoscfg NOTICE ocf pdoscfg_util pdoscfg_parse_cl.c 561 0x pdoscfg-ldap_ssl_cacert /certs/amosaix5/ldapcacert.b64 -branch test -suffix ou=tivoli,o=ibm,c=us v svrsslcfg :09: :00I x357D5178 pdoscfg NOTICE ocf pdoscfg_trace pdoscfg_common.c 197 0x /opt/policydirector/bin/svrsslcfg -f /opt/pdos/etc/pdosd.conf -config -d /var/pdos/certs -n pdosd -s local -P ******** -S ******** -r C /var/pdos/certs/ldapcacert.b64 -l yes. v pdoscfg. Tivoli Access Manager policy LDAP pdosd. pdosd policy Trusted Computing Base :10: :00I x357D5178 pdoscfg NOTICE ocf pdoscfg_trace pdoscfg_common.c 197 0x /opt/pdos/bin/pdosd -T. InstallShield Multiplatform InstallShield Multiplatform. v v v. InstallShield Java JVM. install_amos_platform. 3 23

36 JVM., JVM.. v v X11 Windows v JVM v Java v JVM JVM JVM.,. InstallShield Wizard Initializing InstallShield Wizard... Searching for Java(tm) Virtual Machine... Error writing file = There may not be enough temporary disk space. Try using -is:tempdir to use a temporary directory on a partition with more disk space., (/tmp /var/tmp),. install_amos_platform -is:tempdir path_to_directory X11 Windows, GUI. DISPLAY,. Can t connect to X11 window server using :0.0 as the value of the DISPLAY variable. DISPLAY X11. DISPLAY=machine.company.com:0 Tivoli Access Manager for Operating Systems InstallShield,. JVM JVM., JVM /opt/java1.3 /usr/java. JVM,. install_amos_platform -is:javahome path_to_jvm Java Java. install_amos_platform -is:javaconsole 24 IBM Tivoli Access Manager for Operating Systems:

37 JVM JVM,. install_amos_platform -is:log /tmp/log.out, Java. java -cp install_amos_setup.jar run...,. Java. "java -Dis.debug=1 -cp install_amos_setup.jar run is.debug InstallShield. InstallShield JVM. JVM, JVM., JVM. -Xmssize install_amos_platform.ja Java JVM., Tivoli Access Manager for Operating Systems.,. /tmp/msg amosismp.log /tmp/cdwa.stdout /tmp/cdwa.stderr,., ( ). install_amos_platform java -cp install_amos_setup.jar run Tivoli Access Manager for Operating Systems. 3 25

38 Tivoli Access Manager for Operating Systems.,. pdoscfg..., /var/pdos/log/msg pdoscfg.log. 1.. v. v Tivoli Access Manager. 2. Tivoli Access Manager policy. v policy. v (LDAP). v Tivoli Access Manager ID,. 3. policy. v SSL. (.arm,.b64) LDAP (.kdb). LDAP. PDMgr policy, PDMgr. 4. osseal policy. osseal policy. /opt/pdos/etc/osseal.once-only /opt/pdos/etc/osseal.per-policy /opt/pdos/etc/osseal.per-machine v LDAP. v LDAP LDAP. v / LDAP Tivoli Access Manager. LDAP. v policy 5. pdosd Trusted Computing Base. 26 IBM Tivoli Access Manager for Operating Systems:

39 v LDAP CA. v Tivoli Access Manager for Operating Systems Tivoli Access Manager. 1: Tivoli Access Manager # pdoscfg -branch Servers -suffix ou=abc,o=xyz,c=us -ldap_ssl_cacert ldapcacert.b64 AOSCF1362E Tivoli Access Manager Runtime. pd.conf. AOSCF0021E. /var/pdos/log/msg pdoscfg.log. Tivoli Access Manager. pdconfig Tivoli Access Manager, pdsocfg. 2: Tivoli Access Manager policy 1: Tivoli Access Manager policy. # pdoscfg -ldap_ssl_cacert /certs/amosaix5/ldapcacert.b64 -branch test -suffix ou=tivoli,o=ibm,c=us.... Security Master. IBM Tivoli Access Manager for Operating Systems. PDOSD. Tivoli Access Manager Policy Server. AOSCF1352E Tivoli Access Manager Policy Server. Tivoli Access Manager Policy Server. AOSCF0021E. /var/pdos/log/msg pdoscfg.log. AOSCF1352E pdoscfg Tivoli Access Manager policy. /var/pdos/log/msg pdoscfg.log ERROR ERROR.., :15: :00I x1354A41E pdoscfg ERROR ivc socket mtsclient.cpp x amosaix :15: :00I x357D5167 pdoscfg NOTICE ocf pdoscfg_trace pdoscfg_ivcommon.c 905 0x ivadmin_context_createdefault :15: :00I x357D5008 pdoscfg NOTICE ocf pdoscfg_util pdoscfg_ivcommon.c x Tivoli Access Manager, 3 27

40 1354a :15: :00I x357D5548 pdoscfg ERROR ocf pdoscfg pdoscfg_ivcommon.c 913 0x AOSCF1352E Tivoli Access Manager Policy Server. Tivoli Access Manager policy. Tivoli Access Manager policy., pdadmin policy., pdoscfg. 2: (LDAP). # pdoscfg -ldap_ssl_cacert /certs/amosaix5/ldapcacert.b64 -branch test -suffix ou=tivoli,o=ibm,c=us.... Security Master. IBM Tivoli Access Manager for Operating Systems. PDOSD. Tivoli Access Manager Policy Server. AOSCF1352E Tivoli Access Manager Policy Server. Tivoli Access Manager Policy Server. AOSCF0021E. /var/pdos/log/msg pdoscfg.log. AOSCF1352E pdoscfg Tivoli Access Manager policy. /var/pdos/log/msg pdoscfg.log ERROR ERROR., :54: :00I x357D5008 pdoscfg NOTICE ocf pdoscfg_util pdoscfg_ivcommon.c x Tivoli Access Manager, :54: :00I x357D5548 pdoscfg ERROR ocf pdoscfg pdoscfg_ivcommon.c 913 0x AOSCF1352E Tivoli Access Manager Policy. (LDAP). LDAP pdoscfg. 3:. # pdoscfg -ldap_ssl_cacert /certs/amosaix5/ldapcacert.b64 -branch test -suffix ou=tivoli,o=ibm,c=us 28 IBM Tivoli Access Manager for Operating Systems:

41 .... dom_admin s. IBM Tivoli Access Manager for Operating Systems. PDOSD. Tivoli Access Manager Policy Server. AOSCF1352E Tivoli Access Manager Policy Server. AOSCF1378E Security Master. Tivoli Access Manager Policy Server. AOSCF0021E. /var/pdos/log/msg pdoscfg.log. AOSCF1352E pdoscfg Tivoli Access Manager policy. AOSCF1378E. sec_master pdoscfg, pdoscfg -admin_name Tivoli Access Manager. pdosd. 3: Tivoli Access Manager policy 1: PDMgr. # pdoscfg -ldap_ssl_cacert /certs/amosaix6/ldapcacert.b64 -branch test -suffix ou=tivoli,o=ibm,c=us.... Security Master. IBM Tivoli Access Manager for Operating Systems. PDOSD. Tivoli Access Manager Policy Server. Tivoli Access Manager Policy Server..... AOSCF1304E 1 Tivoli Access Manager Policy Server. Tivoli Access Manager Policy Server.... Tivoli Access Manager Policy Server. AOSCF0021E. /var/pdos/log/msg pdoscfg.log., Tivoli Access Manager policy. /var/pdos/log/msg pdoscfg.log ERROR ERROR., :09: :00I x357D5151 pdoscfg NOTICE ocf pdoscfg_trace pdoscfg_config.c x Tivoli Access Manager Policy

42 :09: :00I x357D512E pdoscfg NOTICE ocf pdoscfg_trace pdoscfg_common.c 186 0x pdoscfg_popen :09: :00I x357D5178 pdoscfg NOTICE ocf pdoscfg_trace pdoscfg_common.c 197 0x /opt/policydirector/bin/svrsslcfg -f /opt/pdos/etc/pdosd.conf -config -d /var/pdos/certs -n pdosd -s local -P ******** -S ******** -r C /var/pdos/certs/ldapcacert.b64 -l yes :10: :00I x357D5179 pdoscfg NOTICE ocf pdoscfg_trace pdoscfg_common.c 235 0x /opt/policydirector/bin/svrsslcfg -f /opt/pdos/etc/pdosd.conf -config -d /var/pdos/certs -n pdosd -s local -P ******** -S ******** -r C /var/pdos/certs/ldapcacert.b64 -l yes :10: :00I x357D512E pdoscfg NOTICE ocf pdoscfg_trace pdoscfg_common.c 125 0x pdoscfg_cat_log :10: :00I x357D512E pdoscfg NOTICE ocf pdoscfg_trace pdoscfg_common.c 272 0x pdoscfg_open_file :10: :00I x357D512F pdoscfg NOTICE ocf pdoscfg_trace pdoscfg_common.c 285 0x pdoscfg_open_file sec_master.. pdosd.... PDMgr. PDMgr. SSL :10: :00I x357D512F pdoscfg NOTICE ocf pdoscfg_trace pdoscfg_common.c 144 0x pdoscfg_cat_log :10: :00I x357D512F pdoscfg NOTICE ocf pdoscfg_trace pdoscfg_common.c 240 0x pdoscfg_popen :10: :00I x357D5167 pdoscfg NOTICE ocf pdoscfg_trace pdoscfg_config.c x /opt/policydirector/bin/svrsslcfg :10: :00I x357D5518 pdoscfg ERROR ocf pdoscfg pdoscfg_config.c x Tivoli Access Manager Policy Server. PDMgr PDMgr. PDMgr Tivoli Access Manager policy. PDMgr Tivoli Access Manager /var/policydirector/log/msg pdmgrd_utf8.log. PDMgr.. 30 IBM Tivoli Access Manager for Operating Systems:

43 :02: :00I x14C0109C pdmgrd FATAL mgr general PDCertAthority.cpp 329 0x GSKKM_IssueCert() (0x ) :02: :00I x14C0109C pdmgrd FATAL mgr general config.pp 223 0x signcertificate() (0x14c0109). PDMgr stash PDMgr. policy (PDMgr)... Tivoli Access Manager policy,. 365., PDMgr... pdoscfg Tivoli Access Manager policy. 4: Tivoli Access Manager user_create 1:. # pdoscfg -ldap_ssl_cacert /certs/shade/ldapcacert.b64 -branch test -suffix ou=tiv,o=ibm,c=us.... Security Master. IBM Tivoli Access Manager for Operating Systems. PDOSD. Tivoli Access Manager Policy Server. Tivoli Access Manager Policy Server.. IBM Tivoli Access Manager for Operating Systems policy.... AOSCF1353E Tivoli Access Manager user_create. Tivoli Access Manager Policy Server

44 Tivoli Access Manager Policy Server. AOSCF0021E. /var/pdos/log/msg pdoscfg.log. AOSCF1353E policy pdoscfg. var/pdos/log/msg pdoscfg.log ERROR ERROR., :00: :00I x357D5132 pdoscfg NOTICE ocf pdoscfg_trace pdoscfg_ivcommon.c x API user_create :00: :00I x357D5133 pdoscfg NOTICE ocf pdoscfg_trace pdoscfg_ivcommon.c x API user_create :00: :00I x357D5008 pdoscfg NOTICE ocf pdoscfg_util pdoscfg_ivcommon.c x Tivoli Access Manager,. 14c012f :00: :00I x357D512F pdoscfg NOTICE ocf pdoscfg_trace pdoscfg_ivcommon.c 543 0x pdoscfg_execute_ivadmin_command :00: :00I x357D5549 pdoscfg ERROR ocf pdoscfg pdoscfg_ivcommon.c 803 0x AOSCF1353E Tivoli Access Manager user_create. pdoscfg policy. (0x14c012f2).. pdoscfg. 2: LDAP # pdoscfg -ldap_ssl_cacert /certs/shade/ldapcacert.b64 -branch test -suffix ou=test,o=ibm,c=us.... Security Master. IBM Tivoli Access Manager for Operating Systems. PDOSD. Tivoli Access Manager Policy Server. Tivoli Access Manager Policy Server.. IBM Tivoli Access Manager for Operating Systems policy... AOSCF1353E Tivoli Access Manager user_create. Tivoli Access Manager Policy Server.. Tivoli Access Manager Policy Server. AOSCF0021E. /var/pdos/log/msg pdoscfg.log. 32 IBM Tivoli Access Manager for Operating Systems:

45 AOSCF1353E policy pdoscfg. var/pdos/log/msg pdoscfg.log ERROR ERROR., :31: :00I x357D5132 pdoscfg NOTICE ocf pdoscfg_trace pdoscfg_ivcommon.c x API user_create :31: :00I x357D5133 pdoscfg NOTICE ocf pdoscfg_trace pdoscfg_ivcommon.c x API user_create :31: :00I x357D5008 pdoscfg NOTICE ocf pdoscfg_util pdoscfg_ivcommon.c x Tivoli Access Manager, LDAP. 14c :31: :00I x357D512F pdoscfg NOTICE ocf pdoscfg_trace pdoscfg_ivcommon.c 543 0x pdoscfg_execute_ivadmin_comma nd :31: :00I x357D5549 pdoscfg ERROR ocf pdoscfg pdoscfg_ivcommon.c 803 0x AOSCF1353E Tivoli Access Manager user_create. LDAP ACL.. v Tivoli Access Manager ACL. v Tivoli Access Manager, LDAP Tivoli Access Manager ACL. ACL LDAP. IBM Tivoli Access Manager. 3. LDAP LDAP cn=securitygroup,secauthority=default cn=securitygroup,secauthority=domain name, cn=subdomains,secauthority=default cn=ivacld-servers,cn=securitygroups,secauthority=default cn=ivacld-servers,cn=securitygroups,secauthority=domain name, cn=subdomains,secauthority=default v v v 3 33

46 3. LDAP () LDAP cn=remote-acl-users,cn=securitygroups,secauthority=default cn=remote-acl-users,cn=securitygroups,secauthority=domain name, cn=subdomains,secauthority=default v v v ACL pdoscfg. 5: 1 pdosd 1: LDAP SSL CA (ldapcert.b64) Tivoli Access Manager. # pdoscfg -ldap_ssl_cacert /certs/amosaix6/ldapcacert.b64 -branch test -suffix ou=tivoli,o=ibm,c=us.... Security Master. IBM Tivoli Access Manager for Operating Systems. PDOSD. Tivoli Access Manager Policy Server. Tivoli Access Manager Policy Server.. policy.... policy. PDOSD Trusted Computing Base. AOSCF1327E 1 PDOSD. Tivoli Access Manager Policy Server.... Tivoli Access Manager Policy Server. AOSCF0021E. /var/pdos/log/msg pdoscfg.log., pdosd -T. var/pdos/log/msg pdoscfg.log ERROR ERROR., :06: :00I x357D552F pdoscfg ERROR ocf pdoscfg pdoscfg_config.c x AOSCF1327E 1 PDOSD. /opt/pdos/bin/pdosd -T IBM Tivoli Access Manager for Operating Systems:

47 :06: :00I x357E2081 pdosd ERROR ocs cas cas_int.c x AOSCS0129E Tivoli Access Manager. rc = 0x :06: :00I x357E2081 pdosd ERROR ocs cas cas_int.c x AOSCS0129E Tivoli Access Manager. rc = 0x :06: :00I x357E2089 pdosd WARNING ocs cas cas_int.c x AOSCS0137W osseal-admin. 0x357e2003: AOSCS0003W Tivoli Access Manager ( ). (pd / ocs) :06: :00I x35A530B0 pdosd ERROR osd pdosd main.c 256 0x AOSSD0176E (0x357e2003). AOSCS0003W Tivoli Access Manager ( ). (pd / ocs) AOSCS0129E (LDAP). 85 A Tivoli Access Manager for Operating Systems AOSCS0129E. Tivoli Access Manager /var/pdos/certs.. LDAP.,. ldapcacert.b64 /var/pdos/certs. ldapcacert.b64 LDAP ldapcacert.b64.. ldapcacert.b64. ldapcacert.b64 pdoscfg.,.. LDAP SSL 43 LDAP SSL CA LDAP SSL. ldapcacert.b64. check_cert /var/pdos/certs/ldapcacert.b64 client1.abc.com LDAP /var/pdos/certs/ldapcacert.b64 client1.abc.com LDAP. 3 35

48 1: Tivoli Access Manager for Operating Systems 1. client.abc.com. 2. Tivoli Access Manager client.abc.com. 3. pdosucfg client.abc.com. 4. Tivoli Access Manager. 1. client.abc.com Tivoli Access Manager. 2.. svrsslcfg -unconfig -f /dev/null -n pdosd/client.abc.com -P admin password -A admin name -o domain 3. pdoslrd,. svrsslcfg -unconfig -f /dev/null -n pdoslrd/client.abc.com -P admin password -A admin name -o domain 2: Tivoli Access Manager for Operating Systems 1. client.abc.com Tivoli Access Manager for Operating Systems Tivoli Access Manager server.abc.com. 2. server.abc.com. 3. Tivoli Access Manager for Operating Systems.. pdosucfg_local / 36 IBM Tivoli Access Manager for Operating Systems:

49 4 Tivoli Access Manager for Operating Systems.. v Tivoli Access Manager for Operating Systems. Tivoli Access Manager for Operating Systems. Tivoli Access Manager for Operating Systems pdosctl -s.. pdosd. pdoswdd. pdoslpmd. pdoslrd. pdosauditd.,.,. - pdoslpmd pdoslrd, pdosctl -s.. -. /var/pdos/daemon_name. /var/pdos/log. - ps -ef grep pdos... v Tivoli Access Manager for Operating Systems, LDAP Tivoli Access Manager for Operating Systems. ping LDAP Tivoli Access Manager policy. /opt/pdos/sbin/server_ping.sh LDAP Tivoli Access Manager policy. Copyright IBM Corp. 2001,

50 , ps LDAP Tivoli Access Manager., LDAP SSL. Tivoli Access Manager. /opt/policydirector/etc/pd.conf master-host Tivoli Access Manager policy. /var/policydirector/log/msg pdmgrd_utf8.log Tivoli Access Manager policy. policy. pdadmin> server list, policy. v. df -k. -k KB. /,. /var/pdos. :, HP Solaris (Solaris) 90. hpfs ufs. Tivoli Access Manager for Operating Systems osseal. v Tivoli Access Manager policy, (LDAP) Tivoli Access Manager for Operating Systems (7 US ASCII). SSL Tivoli Access Manager for Operating Systems SSL(Secure Sockets Layer) Tivoli Access Manager policy LDAP. SSL. Tivoli Access Manager for Operating Systems SSL CA. 38 IBM Tivoli Access Manager for Operating Systems:

51 v Tivoli Access Manager policy CA (pdcacert.b64) Tivoli Access Manager (PDRTE). Tivoli Access Manager policy, policy. policy, Tivoli Access Manager. /var/policydirector/keytab/pdcacert.b64 policy. 20. v LDAP CA (ldapcacert.b64). Tivoli Access Manager for Operating Systems. LDAP LDAP SSL.kdb. LDAP. : Tivoli Access Manager for Operating Systems LDAP SSL. SSL LDAP IBM Tivoli Access Manager. Tivoli Access Manager for Operating Systems LDAP. policy Tivoli Access Manager for Operating Systems /var/pdos/certs/pdosd.kdb. Tivoli Access Manager for Operating Systems. /var/pdos/certs/pdosd.sth., Tivoli Access Manager for Operating Systems policy policy. policy policy. v Tivoli Access Manager for Operating Systems policy /var/pdos/certs/pdosd.kdb Tivoli Access Manager policy /var/pdos/certs/pdosd.sth. 4 39

52 ,,.. v LDAP. Tivoli Access Manager for Operating Systems.. v policy, IBM Tivoli Access Manager Tivoli Access Manager. policy.. Tivoli Access Manager policy SSL. v Tivoli Access Manager policy /var/policydirector/logs/msg pdmgrd_utf8.log /. Tivoli Access Manager policy. v Tivoli Access Manager for Operating Systems /var/pdos/log/msg pdosd.log.. v pdoscfg 31 4: Tivoli Access Manager user_create. LDAP SSL. v LDAP CA. v,. LDAP. LDAP. 40 IBM Tivoli Access Manager for Operating Systems:

53 Tivoli Access Manager for Operating Systems. rc.osseal stop pdoscfg -ldap_ssl_cacert new certificate name rc.osseal start LDAP CA v Tivoli Access Manager for Operating Systems LDAP CA LDAP. v LDAP CA FTP FTP Windows UNIX, FTP ASCII. v LDAP CA LDAP SSL. 43 LDAP SSL CA LDAP SSL. v LDAP pdoscfg 29 3: Tivoli Access Manager policy. Tivoli Access Manager for Operating Systems (pdosd pdoslrd) policy. 1. Tivoli Access Manager for Operating Systems (pdosd /var/pdos/log/msg pdosd.log, pdoslrd /var/pdos/log/ msg pdoslrd.log) ( ) policy.,. 2. policy (pdmgrd) Tivoli Access Manager for Operating Systems (pdosd pdoslrd). 3.. v pdosd svrsslcfg -chgpwd -f /opt/pdos/etc/pdosd.conf -e pwd_life v pdoslrd svrsslcfg -chgpwd -f /opt/pdos/etc/pdoslrd.conf -e pwd_life 4 41

54 : pwd_life 0,,, 183. ssl ssl-pwd-life. 4.. v pdosd svrsslcfg -chgcert -f /opt/pdos/etc/pdosd.conf -n pdosd -P Tivoli Access Manager admin password v pdoslrd svrsslcfg -chgcert -f /opt/pdos/etc/pdoslrd.conf -n pdoslrd -P Tivoli Access Manager admin password : ssl ssl-cert-life. ssl-cert-life ldapcacert.b64 gsk7cmd ikeyman IBM Tivoli Access Manager GSKit ikeyman. ldapcacert.b64. ldapcacert.b64. (.kdb).kdb.. #!/bin/sh # Usage: prog_name <cert file name> # Example: prog_name /var/pdos/certs/ldapcacert.b64 export JAVA_HOME=/usr/java131 gsk7cmd -keydb -create -db /tmp/temp.kdb -stash -pw temp -type cms -expire 365 gsk7cmd -cert -add -db /tmp/temp.kdb -pw temp -label temp -file $1 gsk7cmd -cert -details -db /tmp/temp.kdb -pw temp -label temp awk /^Valid/ {print; } rm /tmp/temp.kdb tmp/temp.sth /tmp/temp.crl /tmp/temp.rdb Valid From: Mon Feb 04 12:49:37 CST 2002 To: Mon Nov 01 12:49:37 CST IBM Tivoli Access Manager for Operating Systems:

55 , ( :,.) LDAP SSL CA LDAP SSL gsk7cmd ikeyman IBM Tivoli Access Manager GSKit ikeyman. LDAP LDAP ldapsearch SSL LDAP. TEST SSL Connection to LDAP server using LDAP SSL CA certificate #!/bin/ksh # Usage: check_cert cert_file ldap hostname /dev/null 2>/dev/null #For Example: # check_cert /var/pdos/certs/ldapcacert.b64 machine.abc.com export JAVA_HOME=/usr/jdk_base CERT_FILE=$1 LDAP_Host=$2 #Creates a Key Database File echo "Creating a temporary key database file" gsk7cmd -keydb -create -db /tmp/temp.kdb -stash -pw temp -type cms -expire 365 #Add the certificate to the Key Datbase File echo "Adding the certificate to the key database file" gsk7cmd -cert -add -db /tmp/temp.kdb -pw temp -label temp -file $CERT_FILE #Do a ldapsearch using the key database file echo "Connect to the LDAP server using the created key database file" ldapsearch -h $LDAP_HOST -Z -K /tmp/temp.kdb -b "" -s base -v objectclass=* 1>/dev/null/ 2>/dev/null case $? in 0) echo "OK" ;; *) echo "FAILED" ;; esac rm /tmp/temp.kdb /tmp/temp.sth /tmp/temp.crl /tmp/temp.rdb policy policy policy pdmgrd SSL pdosd. policy, pdosd pdmgrd., SSL 90. ssl-io-inactivity-timeout pdmgrd pdosd.,. policy ivmgrd.conf 4 43

56 ssl ssl-io-inactivity-timeout. 0.. policy 120 msg pdosd.log :15: :00I x pdosd NOTICE idb download db_replicated_client.cpp 420 0x HPDDB1057I Received update notification :15: :00I x pdosd NOTICE idb download dalocalpolicy.cpp 483 0x HPDDB1056I Rebuilding local database replica :17: :00I x3591C002 pdosd NOTICE okm general kpcmgr.c 705 0x AOSKM0002I Finished updating policy (version number = ) :17: :00I x pdosd NOTICE idb download db_replicated_client.cpp 448 0x HPDDB1058I Handled update notification :17: :00I x106520F9 pdosd FATAL bas mts mtssecuresocket.cpp 319 0x HPDBA0249E A GSKIT API failed. gsk_secure_soc_write() return (406). policy ivmgrd.conf ssl-io-inactivity-timeout 120 policy. /opt/policydirector/etc/ivmgrd.conf [ssl] ssl-io-inactivity-timeout = 120 pdosexempt pdosexempt policy. policy. 1:., Tivoli Access Manager for Operating Systems. pdosexempt., policy., Tivoli Access Manager for Operating Systems (,, ).,. pdosrevoke. 1. PID.,. #ps-f UID PID PPID C STIME TTY TIME CMD root :45:46 pts/2 0:00 ps -f 44 IBM Tivoli Access Manager for Operating Systems:

57 , PID ps -f PID PID pdosexempt. # pdosexempt -i Tivoli Access Manager for Operating Systems policy. 3. Tivoli Access Manager for Operating Systems ( : ),,. 4., pdosrevoke. # pdosrevoke policy. : Tivoli Access Manager for Operating Systems (,, (Tivoli Access Manager, pdacld)).. pdoslrd. Tivoli Access Manager for Operating Systems ( ),, (, ).. /opt/pdos/etc/pdoslrd.xml. pdoslrd. Tivoli Access Manager for Operating Systems pdacld. pdoscollview. : Tivoli Access Manager for Operating Systems Tivoli Access Manager pdacld pdoscollview.,. 4 45

58 pdoslrd IBM Tivoli Access Manager for Operating Systems 4. pdacld IBM Tivoli Access Manager. pdoslrd. /opt/pdos/etc/pdoslrd.xml (on)., (off). UTF-8. UTF-8.,. en_us, ASCII. pdoslradm., AOSLR :31: :00I x A pdoslrd ERROR olr general mflr_config.cpp x AOSLR0058E Control file error: parse error at line 9 and column 5. /var/pdos/tracelogs/trace pdoslrd.log., :31: :00I----- pdoslrd DEBUG1 olr general /data/oss510/src/oss/mflr/common/mflr_config.cpp x [MFLR_Config::Read] ERROR: An error occurred while parsing the file /opt/pdos/etc/pdoslrd.xml at line 9 and column 5 Unterminated start tag, Channel SSL pdacld Tivoli Access Manager for Operating Systems, /var/pdos/certs/pdoslrd.kdb. Tivoli Access Manager for Operating Systems. /var/pdos/certs/ pdoslrd.sth., IBM Tivoli Access Manager for Operating Systems:

59 pdacld. Tivoli Access Manager for Operating Systems policy /var/pdos/certs/pdoslrd.kdb pdacld /var/pdos/certs/pdoslrd.sth.,,. 40. IBM Tivoli Access Manager Tivoli Access Manager., /var/pdos/log/ msg pdoslrd.log HPDBA022E.. pdacld :20: :00I x106520E pdoslrd FATAL bas mts mtsclient.cpp x d HPDBA0222E The TCP/IP host information could not be determined from the server hostname. Ensure that the server hostname is correct. pdoslrd pdacld Tivoli Access Manager policy pdoslrd pdacld Tivoli Access Manager., pdacld... pdoslrd pdacld, pdoslrd /opt/pdos/etc/pdoslrd.conf ssl-local-domain, pdacld /opt/policydirector/etc/ivacld.conf [ssl] ssl-local-domain., pdoslrd. ( pdoslrd.) 4 47

60 v pdoslrd. -lrd_admin pdoslrd Tivoli Access Manager. # pdoscfg -lrd_config off -lrd_admin_name admin_name -lrd_admin_ admin_pwd v pdoslrd. -lrd_admin Tivoli Access Manager. # pdoscfg -lrd_config on -lrd_admin_name admin_name -lrd_admin_pwd \ admin_pwd -lrd_local_domain domain_name : pdosd pdoslrd Tivoli Access Manager,.. LRD_NetOutput pdoslrd LRD_NetOutput /opt/policydirector/etc/ ivacld.conf [aznapi-configuration] logcfg=remote.channel....,..,., /var/pdos/log/msg pdoslrd.log.. AOSLR0081E :25: :00I x pdoslrd ERROR olr general mflr_writer_ .cpp 139 0x AOSLR0081E Unable to connect to the mail server. :,. LRD_ Output LRD_FileOutput IBM Tivoli Access Manager for Operating Systems:

61 ,.. LRD_ Output (on).. Tivoli Access Manager, Tivoli Access Manager LDAP IBM Tivoli Access Manager Performance Tuning Guide. () TCP/IP pdoscfg. -net_acl_limited policy IBM Tivoli Access Manager for Operating Systems 4. in-kernel (NetIncoming NetOutgoing) policy. policy.,,. Tivoli Access Manager Base. Tivoli Access Manager for Operating Systems, ACL R.,. ACL R. 1. Tivoli Access Manager for Operating Systems policy. /opt/pdos/sbin/policyview -o /tmp/extract -p admin_password 2. ACL policy. grep "acl modify" /tmp/extract.cmd grep -v "attribute" > /tmp/acl_mod.cmd 3. policy R. awk {print $0 "[primary]r"} /tmp/acl_mod.cmd > /tmp/extract.cmd 4 49

62 4. /tmp/extract.cmd. ACL R, /tmp/extract.cmd. acl modify example set any-other TR[OSSEAL]rwx[primary]R 5. Policy. pdadmin -a admin_name -p admin_password -d domain /tmp/extract.cmd AIX AIX SMP Tivoli Access Manager for Operating Systems (, policy, ), pdosd. * AIXTHREAD_SCOPE=S. v Tivoli Access Manager for Operating Systems,.,. export AIXTHREAD_SCOPE=S rc.osseal start unset AIXTHREAD_SCOPE v rc.osseal start.,. AIXTHREAD_SCOPE=S rc.osseal start v AIX SMP /opt/pdos/bin/rc.osseal Start(). export AIXTHREAD_SCOPE=S PDOSD. 50 IBM Tivoli Access Manager for Operating Systems:

63 5 policy policy,,. policy Tivoli Access Manager for Operating Systems ( pdoslpmd ).. PAM(Pluggable Authentication Module) Solaris, HP-UX Linux PAM. Solaris HP-UX, PAM /etc/pam.conf. Linux, PAM PAM /etc/pam.d/service. PAM,. Tivoli Access Manager for Operating Systems. (pam_sm_authenticate). (pam_sm_acct_mgmt). (pam_sm_open_session). (pam_sm_chauthtok). Solaris HP-UX pam.conf. service_name module_type control_flag module_path options service_name PAM (rlogin login). module_type,,. ( ),. Copyright IBM Corp. 2001,

64 Linux PAM Solaris HP-UX pam.conf, service_name. service_name. PAM, pdoscfg service_name/module_type PAM. Tivoli Access Manager for Operating Systems.. v Solaris pam_pdos.so.1, /usr/lib/security. v HP-UX libpam_pdos.1, /usr/lib/security. v Linux pam_pdos.so.1, /lib/security. PAM syslog. 11 policy. AIX AIX Tivoli Access Manager for Operating Systems (PDOS, PDOS2 PDOSPW). policy. v PDOS( ). policy. policy. v PDOS2( ) /.. Tivoli Access Manager for Operating Systems policy (,, ) v PDOSPW( ).. pdoscfg /etc/security/user /usr/lib/security/ methods.cfg. /etc/security/user SYSTEM "PDOS and" "and PDOS2"., SYSTEM = "compat" 52 IBM Tivoli Access Manager for Operating Systems:

65 . SYSTEM = "PDOS and compat and PDOS2" PDOSPW. pwdchecks = /usr/lib/security/pdospw /usr/lib/security/methods.cfg PDOS PDOS2. v PDOS: program = /usr/lib/security/pdos v PDOS2: program = /usr/lib/security/pdos2 AIX syslog. 11 policy. pdoslpmd pdoslpmd policy. pdoslpmd policy. pdoslpmd /opt/pdos/bin. pdoslpmd. pdosctl -t pdoslpmd:olp:*.9 11 policy. policy Tivoli Access Manager for Operating Systems policy policy..,. 1. Tivoli Access Manager for Operating Systems? v policy pdosd pdoslpmd. v pdosd. pdosctl -s pdosd v pdoslpmd. pdosctl -s pdoslpmd v pdosd pdoslpmd. 5 policy 53

66 rc.osseal start 2.? /opt/pdos/etc/lpm. conf policy. lpm.conf,. v pdosd policy policy. /var/pdos/log/msg pdosd.log. v Tivoli Access Manager for Operating Systems policy. v /var/pdos/log/msg pdosd.log policy. (3 ). 3. Tivoli Access Manager policy? v policy / policy., /opt/pdos/etc/lpm.conf. v, Tivoli Access Manager Password- Login-., MaxFailedLogins lpm.conf, Tivoli Access Manager policy Login-MaxFailedLogins. v Tivoli Access Manager policy,.,.,. 4.? v policy,. policy. policy policy. /OSSEAL/branch/Login/UserExceptions/username policy policy. /OSSEAL/branch/Password/UserExceptions/username 54 IBM Tivoli Access Manager for Operating Systems:

67 Tivoli Access Manager for Operating Systems policy., pdoslpadm -r -f userid. pdoslpadm. pdoslpadm IBM Tivoli Access Manager for Operating Systems. Tivoli Access Manager for Operating Systems pdosctl -a deny:on -a logindeny:on 2.. pdosaudview -w deny -l -g Login 3.. pdosaudview -w deny -l -g Password policy Tivoli Access Manager for Operating Systems, Tivoli Access Manager for Operating Systems., IBM Tivoli Access Manager for Operating Systems 4,. policy Tivoli Access Manager for Operating Systems, Tivoli Access Manager for Operating Systems.., AIX /usr/lib/security/methods.cfg,. PAM(Pluggable Authentication Module) UNIX PAM, policy., Tivoli Access Manager for Operating Systems., policy Tivoli Access Manager for Operating Systems. 5 policy 55

68 1. policy. pdoscfg -login_policy off 2. policy. pdoscfg -login_policy on AIX., Tivoli Access Manager for Operating Systems policy Tivoli Access Manager for Operating Systems. 1. CD /usr/lib/security/methods.cfg PDOS PDOS2. 4. /etc/security/user PDOS, PDOS2 PDOSPW. v Change: SYSTEM = "PDOS and compat and PDOS2" To: SYSTEM = "compat" v Change: pwdchecks = /usr/lib/security/pdospw To: pwdchecks = AMOS policy. pdoscfg -login_policy off 7. AMOS policy. pdoscfg -login_policy on init Kosseal not avail, rc Tivoli Access Manager for Operating Systems policy Kosseal. login_policy on autostart off,. init Kosseal not avail, rc Kosseal policy. Tivoli Access Manager for Operating Systems. syslog. Syslog, /etc/syslog.conf 56 IBM Tivoli Access Manager for Operating Systems:

69 ., Solaris auth.notice /etc/syslog.conf change: auth.notice /dev/sysmsg. to: auth.notice /var/log/authlog PAM Tivoli Access Manager for Operating Systems PAM. PAM. v Tivoli Access Manager for Operating Systems PAM required. requisite sufficient, Tivoli Access Manager for Operating Systems policy. v Tivoli Access Manager for Operating Systems PAM_AUTHTOK PAM_OLDAUTHTOK PAM. policy Tivoli Access Manager for Operating Systems. v pdoscfg policy, PAM filename.pdos.sav. policy. policy,., filename.pdos.sav., Tivoli Access Manager for Operating Systems filename.pdos.sav. 5 policy 57

70 58 IBM Tivoli Access Manager for Operating Systems:

71 6 policy. policy.. policy., Tivoli Access Manager for Operating Systems Tivoli Access Manager for Operating Systems , policy.. v.,.,. v. pdoswhoami -l.. v. pdoswhois -l pid ID. v policy. Tivoli Access Manager policy policy. pdadmin /opt/pdos/sbin/policyview ACL ( policy). policy. v policy. /var/pdos/log/msg pdosd.log policy. policy. Copyright IBM Corp. 2001,

72 policy, policy Tivoli Access Manager policy. policy (/var/policydirector/db/master_authzn.db) (/var/pdos/azn/authzn_replica.db ). ( : cksum). Tivoli Access Manager for Operating Systems /opt/policydirector/sbin/pdacld_dump policy /var/pdos/azn/authzn_replica.db /var/pdos/log/msg pdosd.log. pdacld_dump policy. /opt/policydirector/sbin/pdacld_dump -f master_authzn.db -s. Summary for master_authzn.db Dumped 4620 of 4620 objects. DB Sequence number :33121 DB SSL Sequence number :1062 FrequenceCount vs ObjectType vs BasePrefix summary 971:1281:/auth/pobject-map invalid objects were encountered. /var/policydirector/db/ /var/pdos/log/msg pdosd.log policy :01: :00I x3591C002 pdosd NOTICE okm general kpcmgr.c 617 0x AOSKM0002I policy ( = 33121) policy policy, policy. pdadmin> server replicate -server pdosd-hostname, policy. /var/policydirector/log/msg pdmgrd_utf8.log Tivoli Access Manager policy. policy. pdadmin> server list, policy. 60 IBM Tivoli Access Manager for Operating Systems:

IBM Tivoli Access Manager for Operating Systems 5.1 SA

IBM Tivoli Access Manager for Operating Systems 5.1 SA30-1840-01 IBM Tivoli Access Manager for Operating Systems 5.1 SA30-1840-01 ! 353 E. (2003 11 ), IBM Tivoli Access Manager for Operating Systems 5,