Installing IBM Security Agents

This section provides step-by-step instructions for installing the IBM Security Agent on a computer and joining the computer to the Active Directory domain.

Selecting a Deployment Option

The agent must be installed on each computer you want to manage. You must also specify an Active Directory domain for the agent to join either during the installation process or after the agent files are installed.

You can install and manage agent packages independently by running an installation script, package management program, or software distribution tool locally or remotely on individual computers.

For more information, see Options for Deploying Agent Packages.

Installing and Using IBM Security Verify Privilege Server Suite Free

IBM Security Verify Privilege Server Suite Free provides a Windows-based MMC console and a self-contained database that stores information about the computers and accounts discovered on the network or in the cloud.

Minimum Hardware Requirements

You can install Verify Privilege Server Suite Free on a single Windows computer with a 64-bit operating system.

In general, IBM Security recommends the following minimum hardware configuration:

  • 2 GB RAM
  • 1 GB free disk space
  • 2 GHz processor

Network Connectivity Requirements

To download and deploy software, you must have network connectivity or an Internet connection between the Windows computer where Access Manager is installed and the computers where you want to deploy the agent. IBM Security recommends that you install Access Manager on a computer that allows outbound Internet connections and connectivity between the Windows computer and each computer you want to manage.

Account Credential Requirements

To install software on remote computers and join Active Directory domains, you must have access to an account with appropriate permissions:

  • To run privileged commands, you should have access to the root account, the local Administrator account, or an account that has been granted escalated privileges using su or sudo and settings in a sudoers configuration file.
  • To join a domain, you need an Active Directory account and password that has permission to add computers to the domain.

Depending on your organization, the Active Directory account might be required to be a member of the Domain Admins group. If you are not sure whether you have permission to add computers to the domain using your own Active Directory account, check with the Active Directory administrator for your site.

Download the Software and Run the Setup Program

If you have a computer that meets the requirements and the appropriate account information, you can download Verify Privilege Server Suite Free.

To download and install IBM Security Verify Privilege Server Suite Free:

  1. Go to the IBM Security website and register an account, if you have not previously registered
  2. Click the Download link.
  3. Open the downloaded file to start the setup program.
  4. Follow the prompts displayed to accept the license agreement and select a location for program files.
  5. Install the agents on the desired computers. For details, see "Options for Deploying Agent Packages".

Options for Deploying Agent Packages

You can download individual IBM Security Agent packages for the platforms you support and install the software in one of the following ways:

  • Run the installation script (install-express.sh) locally on any computer and respond to the prompts displayed.
  • Create a configuration file and run the installation script remotely on any computer in silent mode.
  • Use the install or update operations in the native package installer for your operating environment.

If you want to use one of these installation options and need more information, see the appropriate section.

Install Interactively on a Computer

You must install a platform-specific agent on each computer you want to manage through Active Directory.

The installation script automatically checks the operating system, disk space, DNS resolution, network connectivity, and other requirements on a target computer before installing. You can run this script interactively on any supported UNIX, Linux, or Mac computer and respond to the prompts displayed.

To install agent packages on a computer interactively:

  1. Go to the IBM Security website and download the IBM Security Verify Privilege Server Suite Free agent for the platform you want to support.

  2. Select the file you downloaded and unzip and extract the contents using the appropriate operating system commands. For example:

    gunzip -d centrify-package-platform-arch.tgz

    tar -xf centrify-package-platform-arch.tar

  3. Run the install-express.sh script to start the installation on the local computer. For example:

    ./install-express.sh

  4. Follow the prompts displayed to check the computer for potential issues, install the agent, and join a domain automatically at the conclusion of the installation.

    If the adcheck program finds potential issues, you might see warning or error messages. Depending on the issue reported, you might have to make changes to the computer before continuing or after installation.

    For most prompts, you can accept the default by pressing Enter. When prompted for the Active Directory domain, type the fully qualified name of the Active Directory domain to join.

    You must also type the user name and password for an Active Directory user with permission to add computers to the domain.

  5. After you have responded to all of the prompts displayed, review your selections, and then enter Y to continue with the installation and reboot the computer.

Using Other Programs to Install

If you want to manually install a software package using a native installation program instead of the installation script, use the installation commands and options that are appropriate for the local operating environment. For example, if your operating system supports a package installer, such as Red Hat Package Manager (rpm), SMIT, or YaST, you can use any of those programs to install the agent.

IBM Security recommends that you use the installation script to automatically check a computer for issues and join the computer to a domain.

To install an agent using a native installation program:

  1. Log on as or switch to the root user.

  2. If the software package is a compressed file, unzip and extract the contents. For example, on Red Hat Linux:

    gunzip -d centrify-*-rhel5-x86_64.tgz

    tar -xf centrify-*-rhel5-x86_64.tar

  3. Run the appropriate command for installing the package based on the local computer’s operating system or package manager you want to use. For example, on Red Hat Linux:

    rpm -Uvh centrifydc-*-rhel5-x86_64.rpm

  4. Disable licensed features by running the adlicense --express command:

    adlicense --express

    You must run the adlicense command to set the agent to run in Express mode. Express mode is used for the Verify Privilege Server Suite Free product.

  5. Join the domain by running the adjoin --workstation command, which connects you to Auto Zone:

    adjoin --workstation domainName

    If you do not specify the --workstation option, the join operation will fail because adjoin will attempt to connect you to a specific zone rather than Auto Zone.

Verifying the Installation

When a computer is joined to Active Directory, all Active Directory users and groups defined for the forest, as well as any users defined in a two-way trusted forest, are valid users or groups for the joined computer. Therefore, after running the agent and joining the computer to a domain, you can log on as any Active Directory user.

  1. Log on using an Active Directory user account.

    When a user logs in for the first time, the agent automatically creates a home directory for the new user.

  2. Run the adinfo command to see information about the Active Directory configuration for the local computer. You should see output similar to the following:

    Local host name: QA1
    Joined to domain: sales.acme.com
    Joined as: QA1.sales.acme.com
    Pre-win2K name: QA1
    Current DC: acme-dc1.sales.acme.com
    Preferred site: Default-First-Site
    Zone: Auto Zone
    Last password set: 2014-04-01 12:01:31 PST
    CentrifyDC mode: connected
    Licensed Features: Disabled

    Note that licensed features are disabled and that the zone is Auto Zone. Creating actual zones requires a licensed copy of IBM Security software.

Troubleshooting adcheck Errors

You can run adcheck before, during, or after installation to verify that your computer is configured properly. This utility performs three sets of checks that are controlled by the following options:

  • -t os checks the operating system, disk size, and Perl and Samba installations.
  • -t net checks DNS to verify that the local computer is configured correctly and that the DNS server is available and healthy.
  • -t ad includes the -t net checks and verifies that the domain has a valid domain controller.

Correcting Errors for the Operating System Check

The -t os option performs a series of checks that verify operating-system basics for the computer on which you are installing the agent. If your computer fails one of these checks, upgrade the computer with a new operating system version, required patch, a new Perl or Samba version, or free up sufficient disk space.

Correcting Warnings and Errors for the Network Check

The -t net option performs a series of checks that verify that DNS is correctly configured on your local computer and that the DNS server is running properly. There is also a check to verify that you are running a supported version of OpenSSH.

A supported version of OpenSSH is not automatically installed. You must choose to install it during a custom installation.

Because the agent uses DNS to locate the domain controllers for the Active Directory forest, the appropriate DNS nameservers need to be specified in the local /etc/resolv.conf file on each computer before the computer can join the domain. If you receive errors or warnings from these checks, you need to correct them before joining a domain. Each warning or error message provides some help to resolve the problem.

Correcting Errors for the Domain Controller Check

The -t ad option locates each domain controller in DNS and then does a port scan and DNS lookup of each. The checks for this option also verify the global catalog and verify clock and domain synchronization.

If you receive errors or warnings from these checks, you need to correct them before joining a domain. Each warning or error message provides some help to resolve the problem.
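The following script is an added example, not IBM's adcheck or any script shipped with the product. It reproduces the kind of pre-join checks the page attributes to adcheck -t net and -t ad (resolver entries in /etc/resolv.conf, locating domain controllers in DNS, port reachability, and clock skew) so that an administrator can see which of those conditions is failing before running adjoin. The SRV record name _ldap._tcp.dc._msdcs.<domain>, the Kerberos/LDAP/SMB ports 88, 389 and 445, and the 300-second Kerberos clock tolerance are standard Active Directory values assumed here, not taken from the page; sales.acme.com is the example domain the page uses, and the host and nc utilities are assumed to be installed.

```shell
#!/bin/sh
# Pre-join checks modelled on what the page says adcheck -t net and -t ad cover.
# Added example, not IBM's adcheck. Assumed (not from the page): the SRV record
# name, the DC ports and the 300-second Kerberos skew tolerance are standard
# Active Directory values.

AD_DOMAIN="${AD_DOMAIN:-sales.acme.com}"      # example domain used on the page
RESOLV_CONF="${RESOLV_CONF:-/etc/resolv.conf}"
MAX_SKEW_SECONDS=300                           # Kerberos default tolerance
DC_PORTS="88 389 445"                          # Kerberos, LDAP, SMB

# Print the nameserver addresses from a resolv.conf-style file, one per line.
resolv_nameservers() {
    sed -n 's/^[[:space:]]*nameserver[[:space:]]\{1,\}\([^[:space:]#]*\).*/\1/p' "$1"
}

# Does the name look fully qualified? (adjoin expects an FQDN, not a NetBIOS name)
is_fqdn() {
    case "$1" in
        ''|*' '*|.*|*.|*..*) return 1 ;;
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

# SRV record the agent resolves to find domain controllers for a domain.
dc_srv_record() {
    printf '_ldap._tcp.dc._msdcs.%s\n' "$1"
}

# Return 0 if two epoch timestamps are within the Kerberos tolerance.
clock_skew_ok() {
    skew=$(( $1 - $2 ))
    if [ "$skew" -lt 0 ]; then skew=$(( 0 - skew )); fi
    [ "$skew" -le "$MAX_SKEW_SECONDS" ]
}

# Domain controller host names from the SRV record (needs the host utility).
dc_hosts() {
    host -t SRV "$(dc_srv_record "$1")" 2>/dev/null \
        | awk '/has SRV record/ { sub(/\.$/, "", $NF); print $NF }'
}

# TCP reachability with a short timeout (needs nc).
port_open() {
    nc -z -w 3 "$1" "$2" >/dev/null 2>&1
}

run_checks() {
    status=0
    echo "== resolver ($RESOLV_CONF)"
    ns=$(resolv_nameservers "$RESOLV_CONF")
    if [ -z "$ns" ]; then echo "FAIL: no nameserver entries"; status=1; else echo "$ns"; fi

    echo "== domain name"
    if is_fqdn "$AD_DOMAIN"; then echo "ok: $AD_DOMAIN"; else echo "FAIL: '$AD_DOMAIN' is not fully qualified"; status=1; fi

    echo "== domain controllers ($(dc_srv_record "$AD_DOMAIN"))"
    dcs=$(dc_hosts "$AD_DOMAIN")
    if [ -z "$dcs" ]; then echo "FAIL: no SRV records found"; status=1; fi
    for dc in $dcs; do
        for port in $DC_PORTS; do
            if port_open "$dc" "$port"; then echo "ok   $dc:$port"; else echo "FAIL $dc:$port"; status=1; fi
        done
    done

    # DC_TIME_EPOCH: the controller's clock as an epoch value, if you have one to compare against.
    if [ -n "${DC_TIME_EPOCH:-}" ]; then
        if clock_skew_ok "$(date +%s)" "$DC_TIME_EPOCH"; then
            echo "ok   clock skew within ${MAX_SKEW_SECONDS}s"
        else
            echo "FAIL clock skew exceeds ${MAX_SKEW_SECONDS}s"; status=1
        fi
    fi
    return $status
}

# Run the live checks only when asked, so the file can also be sourced for its functions.
if [ "${1:-}" = "--run" ]; then
    run_checks
fi
```

Run it as AD_DOMAIN=sales.acme.com sh ad-preflight.sh --run before adjoin; a non-zero exit means at least one of the conditions adcheck would also report is not met, and the FAIL lines say which.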

Joining a Domain After Installation

When you install the agent using install-express.sh, you can automatically join that computer to an Active Directory domain. If you do not join the domain when you run the installation script, or if you leave a domain and want to rejoin, you can manually join a domain by using the adjoin command.

To manually join a domain, you must use the --workstation option to connect to Auto Zone.

To join an Active Directory domain manually on a Linux or UNIX computer:

  1. Log in as or switch to the root user.

  2. Run adjoin to join an existing Active Directory domain. You should join the domain using a fully-qualified domain name. You must specify the --workstation option.

    For example, to join the sales.acme.com domain with the user account dylan:

    adjoin --user dylan --workstation sales.acme.com

    The user account you specify must have permission to add computers to the specified domain. In some organizations, this account must be a member of the Domain Admins group. In other organizations, the account simply needs to be a valid domain user account. If you don’t specify a user with the --user option, the Administrator account is used by default.

  3. Type the password for the specified user account.

If the agent can connect to Active Directory and join the domain, a confirmation message is displayed. All Active Directory users and groups defined for the forest, as well as any users defined in a two-way trusted forest are valid users or groups for the joined computer.

Restarting Services

You may need to restart some services on computers where you have installed the agent so that those services will reread the name switch configuration file. For example, if you typically log on to the computer through a graphical desktop manager such as gdm, you need to either restart the gdm service or reboot the workstation to force the service to read the updated configuration before Active Directory users can log on.

The most common services that need to be restarted are sshd and gdm. If you are using these services, you should restart them. For example, to restart sshd:

    /etc/init.d/sshd restart

As an alternative to restarting individual services, you can reboot the system to restart all services.

Because the applications and services on different servers may vary, IBM Security recommends you reboot each computer to ensure all of the applications and services on the system read the configuration changes at your earliest convenience.
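The following script is an added example and not an IBM script. It restarts the two services the page names (sshd and gdm) where they are present, choosing systemctl on a systemd host and the /etc/init.d form shown above otherwise, and then confirms the point of the restart: that an Active Directory account now resolves through the name service switch (getent passwd consults nsswitch.conf). The systemd detection via /run/systemd/system and the use of getent as the post-restart check are assumptions of this example, not instructions from the page.

```shell
#!/bin/sh
# Restart the login services that cache the name service switch configuration
# and then confirm an AD user resolves through NSS. Added example, not an IBM
# script. Assumed: systemd hosts expose /run/systemd/system; other hosts use
# the /etc/init.d scripts the page shows.

SERVICES="sshd gdm"    # the services the page says most commonly need a restart

# Pick the init style for this host: "systemd" when systemctl is usable, else "sysv".
init_style() {
    if command -v systemctl >/dev/null 2>&1 && [ -d /run/systemd/system ]; then
        echo systemd
    else
        echo sysv
    fi
}

# Print the restart command for a service under the given init style.
restart_cmd() {
    case "$1" in
        systemd) printf 'systemctl restart %s\n' "$2" ;;
        sysv)    printf '/etc/init.d/%s restart\n' "$2" ;;
        *)       return 1 ;;
    esac
}

# Is the service installed here? (no gdm on a headless server is normal)
service_present() {
    [ -x "/etc/init.d/$1" ] \
        || systemctl list-unit-files "$1.service" 2>/dev/null | grep -q "^$1.service"
}

# Restart every listed service that exists; non-zero if any restart fails.
restart_login_services() {
    style=$(init_style)
    rc=0
    for svc in $SERVICES; do
        if service_present "$svc"; then
            cmd=$(restart_cmd "$style" "$svc")
            echo "restarting $svc: $cmd"
            $cmd || rc=1
        else
            echo "skipping $svc: not installed"
        fi
    done
    return $rc
}

# Does the agent answer an NSS lookup for the account? (getent follows nsswitch.conf)
ad_user_resolves() {
    getent passwd "$1" >/dev/null 2>&1
}

# Usage: sh restart-login-services.sh --run [aduser]
if [ "${1:-}" = "--run" ]; then
    restart_login_services
    if [ -n "${2:-}" ]; then
        if ad_user_resolves "$2"; then
            echo "ok: $2 resolves via NSS"
        else
            echo "FAIL: $2 not found; services may still hold the old configuration"
            exit 1
        fi
    fi
fi
```

Passing an Active Directory user name as the second argument turns the script into a check that the restart achieved what the page describes; if the lookup still fails, rebooting the computer, as the page recommends, restarts every service at once.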

Upgrading IBM Security Verify Privilege Server Suite Free

To take advantage of features that are part of Verify Privilege Server Suite, for example to define roles that control access rights and apply group policies to computers and users, you must upgrade from IBM Security Verify Privilege Server Suite Free to a licensed copy of Verify Privilege Server Suite. Upgrading to a licensed version of the product is a three-stage process that involves:

  • Installing and upgrading components on Windows.
  • Upgrading the agent to enable licensed features on managed UNIX and Linux computers.
  • Adding optional packages that are not included in IBM Security Verify Privilege Server Suite Free.

Upgrading Windows Components

If you are upgrading to a licensed version of Verify Privilege Server Suite, there are several additional components available for you to install depending on the services you want to deploy. For example, there are console extensions that enable you to edit group policies and manage NIS maps through Active Directory.

To install and upgrade licensed components on Windows:

  1. Obtain a license key and media for IBM Security Management Services.

    You can also download an evaluation copy directly from the IBM Security website, but you must have a license key to use the software for more than a limited period of time.

  2. On a Windows computer that is joined to the Active Directory domain, connect to the distribution media.

    If you received the software on a CD, the Getting Started page is displayed automatically or when you double-click the autorun.exe program.

  3. Click Authentication & Privilege to start the setup program for authentication and privilege elevation components.

  4. Follow the prompts displayed to accept the license agreement, select the components to install, and a location for files.

  5. When setup is complete for the selected packages, click Finish to close the setup program.

Upgrading Agents on Managed Computers

To upgrade agents to a licensed product, you must run a command line program to enable licensed features on each managed computer.

To enable licensed features on managed computers:

  1. Log on to the computer that is running an IBM Security Verify Privilege Server Suite Free agent.

  2. Run the following command to search the Active Directory forest for the license key and to enable licensed features.

    adlicense --licensed

  3. Run the following command to verify that licensing has been enabled:

    adinfo

    Local host name: qa1
    Joined to domain: acme.com
    Joined as: qa1.acme.com
    Pre-win2K name: qa1
    Current DC: acme-dc1.acme.com
    Preferred site: Default-First-Site
    Zone: Auto Zone
    Last password set: 2014-04-01 12:01:31 PST
    CentrifyDC mode: connected
    Licensed Features: Enabled

    After enabling licensed features, the computer is still connected to Auto Zone. If you are not using zones to migrate existing user populations or define role-based access controls, you can leave the computer in Auto Zone. If you want to take advantage of zones, you must:
    • Create at least one zone using Access Manager, adedit, or another tool.
    • Run adleave to leave the Active Directory domain and Auto Zone.
    • Run adjoin to rejoin the Active Directory domain and a specified zone.

For information about creating and managing zones, using group policies, and other features, see the Planning and Deployment Guide and the Administrator’s Guide for Windows.
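Both places where the page reads adinfo output, the post-install check in "Verifying the Installation" (expecting Licensed Features: Disabled and Zone: Auto Zone) and step 3 above (expecting Licensed Features: Enabled), call for the same comparison, so the following script, an added example and not IBM's adinfo or any IBM script, serves both. It parses the "Label: value" lines adinfo prints and fails loudly when the domain, zone, connection state or license state is not what the administrator expected, which is more useful than eyeballing the output on a fleet of machines. The sample output embedded in the script is constructed from the fields shown on the page.

```shell
#!/bin/sh
# Check adinfo output against the state this page says to expect after a join:
# the intended domain, Auto Zone, a connected agent, and licensed features
# Disabled (Free product) or Enabled (after adlicense --licensed).
# Added example; not IBM's adinfo. SAMPLE_ADINFO is constructed from the page.

SAMPLE_ADINFO='Local host name: QA1
Joined to domain: sales.acme.com
Joined as: QA1.sales.acme.com
Pre-win2K name: QA1
Current DC: acme-dc1.sales.acme.com
Preferred site: Default-First-Site
Zone: Auto Zone
Last password set: 2014-04-01 12:01:31 PST
CentrifyDC mode: connected
Licensed Features: Disabled'

# Print the value of one "Label: value" line from adinfo-style text on stdin.
adinfo_field() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" | head -n 1
}

# Compare one field and count a mismatch in the global failure counter.
check_field() {   # check_field <label> <expected> <actual>
    if [ "$2" = "$3" ]; then
        echo "ok    $1: $3"
    else
        echo "FAIL  $1: expected '$2', got '${3:-<missing>}'"
        failures=$((failures + 1))
    fi
}

# Verify adinfo text on stdin against an expected domain and license state.
# Returns the number of failed checks, so 0 means the join looks right.
verify_adinfo() {
    expected_domain=$1
    expected_license=$2            # Disabled or Enabled
    output=$(cat)
    failures=0
    field() { printf '%s\n' "$output" | adinfo_field "$1"; }
    check_field "Joined to domain"  "$expected_domain"  "$(field 'Joined to domain')"
    check_field "Zone"              "Auto Zone"         "$(field 'Zone')"
    check_field "CentrifyDC mode"   "connected"         "$(field 'CentrifyDC mode')"
    check_field "Licensed Features" "$expected_license" "$(field 'Licensed Features')"
    return $failures
}

# Usage: sh verify-join.sh <domain> [Disabled|Enabled]   or   sh verify-join.sh --demo
case "${1:-}" in
    --demo) printf '%s\n' "$SAMPLE_ADINFO" | verify_adinfo sales.acme.com Disabled ;;
    '')     ;;                                  # no arguments: only define the functions
    *)      adinfo | verify_adinfo "$1" "${2:-Disabled}" ;;
esac
```

After the Free install, run sh verify-join.sh sales.acme.com Disabled; after step 2 above, run sh verify-join.sh acme.com Enabled. A non-zero exit with a FAIL on Licensed Features after adlicense --licensed is the signal that the license key was not found in the forest, and a FAIL on Zone means the computer was joined to a specific zone rather than Auto Zone.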

Adding Optional Packages After Installation

Depending on the services you choose to deploy, there are several optional packages that might be available for you to use. To add these packages, you must rerun the installation script and select which packages to install.

To add optional packages on computers where the agent is installed:

  1. Change to the appropriate directory on the CD or to the directory where you have copied or downloaded the agent package.

  2. Run the standard installation script for the agent and follow the prompts displayed:

    ./install.sh

  3. When you are prompted whether to keep, erase, or reinstall the currently installed packages:

    • Accept the default (K, keep) for the currently installed packages.
    • Type Y (Y, yes) for each package you want to add.

  4. Follow the prompts displayed to set installation options, such as the option to run adcheck and reboot the computer after installation.

    The computer remains joined to the domain you previously joined, your existing /etc/centrifydc/centrifydc.conf file is backed up, and any modifications you have made to the file are migrated to the new version of the file.

  5. Restart running services, such as login, sshd, or gdm, or reboot the computer to ensure all services use the updated configuration.

Removing IBM Security Verify Privilege Server Suite Free

On most managed computers, you can remove the agent and related files by running the uninstall.sh script. The uninstall.sh script is installed by default in the /usr/share/centrifydc/bin directory on each managed computer.

To remove the agent on a managed computer:

  1. Log on to the computer where the agent is installed.

  2. Run the uninstall.sh script. For example:

    /bin/sh /usr/share/centrifydc/bin/uninstall.sh

    The uninstall.sh script will detect whether the agent is currently installed on the local computer and will ask you whether you want to uninstall your current installation.

  3. To uninstall, enter Y when prompted.

If you cannot locate or are unable to run the uninstall.sh script, you can use the appropriate command for the local package manager or operating environment to remove the agent and related files.