Installing Agents on Computers to be Managed

This chapter describes the recommended steps for deploying Verify Privilege Server Suite software on the non-Windows computers that you want to add to Active Directory. The chapter also describes the alternatives you can use to install agent packages on non-Windows computers, including using native Linux installers to install Verify Privilege Server Suite packages manually and automatically.

About the Deployment Process

The steps in this section, and in Preparing to migrate existing users and groups and Migrating existing users to hierarchical zones, are iterative in nature. In most cases, you will select a subset of computers for deployment, and repeat the steps for each target group until you have migrated all of the computers and users in the enterprise into Active Directory.

There is no technical requirement that you only work with a subset of computers at a time, but in practice the process of checking computers for potential problems and resolving open issues is more manageable when applied to a subset of computers. It is also more practical to migrate user populations in stages rather than all at once. After you step through the process a few times, you'll be able to anticipate and resolve potential issues more quickly and move into a more rapid deployment model.

Select a Target Set of Computers

As a first step in preparing to install Verify Privilege Server Suite software, you should select a target set of computers on which to deploy. The target set can be based on any criteria you choose. In many organizations, new software must always be installed in the development environment first, then in the pre-production environment, before it can be deployed in the production environment. If your organization has this type of requirement, the first target set of computers would be the computers in the development environment.

Other possible candidates for the target set might be computers that:

  • Have been identified for changes by an audit finding
  • Are in the same physical location, such as a particular data center
  • Share common attributes, such as all Red Hat Linux computers or all of the servers in a Web farm
  • Are used by a particular department, project, or line of business
  • Have a common set of users who need access to the computer resources

After you have identified a target set of computers, you are ready to begin the deployment. You should notify the user community that you are planning to install software on the target set of computers. For example, you may want to notify users by sending out an email message similar to the sample provided in Preliminary software delivery notification email template.

After you have identified a target set of computers to work with, you can use adcheck to check whether those computers have any issues that need to be resolved before you install new software on them. Checking the environment before you install helps to reduce change control issues.

Options for deploying Verify Privilege Server Suite Agent Packages

You can:

  • Run the agent installation script locally on any computer and respond to the prompts displayed.
  • Create a configuration file and run the installation script remotely on any computer in silent mode.
  • Use the install or update operations in the native package installer for your operating environment.
  • Use a commercial or custom software distribution tool.

If you want to use one of these installation options and need more information, see the appropriate section.

Install Interactively on a Computer

The Verify Privilege Server Suite Agent installation script, install.sh, automatically checks the operating system, disk space, DNS resolution, network connectivity, and other requirements on a target computer before installing. You can run this script interactively on any supported UNIX, Linux, or Mac OS X computer and respond to the prompts displayed.

To install Verify Privilege Server Suite software packages on a computer interactively

  1. Log on or switch to the root user if you are installing on a Linux or UNIX computer.

    If you are installing on Mac OS X, you can log on with any valid user account.

    On Mac OS X computers, you can install interactively using the graphical package installer or the install.sh script. For information about installing and joining an Active Directory domain using the Mac OS X package installer, see the Mac-specific instructions in the Administrator's Guide for Mac.
  2. Mount the cdrom device using the appropriate command for the local computer's operating environment, if necessary. On most platforms, the CD drive is automatically mounted.

    If you have downloaded the package from an FTP server or website, verify the location and go on to the next step.

    The instructions for mounting the CD drive are platform-specific. For example on Linux, you can use a command similar to the following:

    mount /mnt/cdrom

    To manually mount the CD drive on AIX, run a command similar to the following:

    mount -v cdrfs -o ro /dev/cd0 /cdrom

    To mount the CD drive on HP-UX, run a command similar to the following to display the long file names:

    mount -F cdfs -o rr /dev/dsk/c0t0d0 /mnt/cdrom

  3. Change to the appropriate directory that contains the Verify Privilege Server Suite Agent package you want to install.

    For example, to install an agent on a Linux computer from a downloaded Verify Privilege Server Suite ISO or ZIP file, change to the Agent_Linux directory:

    cd Agent_Linux

    Similarly, if you are installing on a Solaris, HP-UX, AIX or other UNIX computer, change to the Agent_Unix directory. If installing on a Mac OS X computer, change to the Agent_Mac directory.

    If you downloaded individual agent packages from the IBM Security Download Center, unzip and extract the contents. For example:

    gunzip -d centrify-infrastructure-services-VERSION-platform-arch.tgz

    tar -xf centrify-infrastructure-services-VERSION-platform-arch.tar

  4. Run the install.sh script to start the installation of the agent on the local computer's operating environment. For example:

    ./install.sh

  5. Follow the prompts displayed to select the services you want to install and the tasks you want to perform. For example, you can choose whether you want to:

    • Perform a default installation.

    • Perform a custom installation by selecting the specific packages to install.

    • Join a domain automatically at the conclusion of the installation.

      Depending on your selections, you may need to provide additional information, such as the user name and password for joining the domain.

Run the Bundle Installation from a Mounted Network Volume

You can install agents from a mounted network volume using the install-bundle.sh script. This script is available on the agent CD or ISO file that contains all of the supported agent platforms in compressed format. The bundle installation script automatically determines the platform required and extracts the contents of the appropriate TGZ file, then starts the normal installation process.

To use the install-bundle.sh script

  1. Copy the install-bundle.sh script onto a network file system share and mount the shared directory.

  2. Verify that the file is executable and that you have appropriate privileges to run it. For example:

    chmod +x install-bundle.sh

    chmod 755 install-bundle.sh

  3. Run the script without command line options to start the installation or add command line options to install the agent silently.

    For example, to start an interactive installation, type a command similar to this:

    sudo ./install-bundle.sh

    To install the agent silently, type a command similar to this:

    sudo ./install-bundle.sh --std-suite --adjoin_opt="sidebet.org --password pa\$swd --zone global --container sidebet.org/UNIX/Servers --server demo.sidebet.org"

    To see complete usage information for the install-bundle.sh script, type:

    ./install-bundle.sh --help

Install Silently Using a Configuration File

Installing without user interaction enables you to automate software delivery and the management of remote computers. If you want to install files without any user interaction, you can run the install.sh script silently by invoking the script with the appropriate command-line arguments. You can also customize the packages installed and other options by creating a custom configuration file for the installer to use.

  • To see the install.sh silent mode and other command line options, enter install.sh -h

  • To install Authentication & Privilege default packages and configuration options silently, run:

    install.sh --std-suite

  • To install Authentication & Privilege and Audit & Monitoring default packages and configuration options, run:

    install.sh --ent-suite

  • To install a customized set of packages that all have the same version number, run:

    install.sh -n

About the Sample Configuration Files Available

You can customize the behavior of the install.sh script with a configuration file. There are two sample configuration files for installing software packages silently. These sample configuration files are located in the same directory as the install.sh script:

centrify-suite.cfg

centrifydc-install.cfg

If you want to customize the packages installed or other configuration options, you can modify the sample centrify-suite.cfg or centrifydc-install.cfg file.

The centrify-suite.cfg file is used when you run install.sh with the --std-suite or --ent-suite options. If you run install.sh --std-suite or install.sh --ent-suite with a customized version of the centrify-suite.cfg file, you can selectively install compatible add-on packages that do not have the same version number as the core Verify Privilege Server Suite Agent.

Alternatively, you can run install.sh -n with a customized version of the centrifydc-install.cfg file to install the agent and add-on packages if they all have the same version number.

If you run the install.sh script silently and it cannot locate the centrify-suite.cfg or centrifydc-install.cfg file to use, default values defined directly in the script itself are used.

Setting the Parameters in a Custom Configuration File for the Installation Script

If you want to specify values for the install.sh script to use, you should edit the sample centrify-suite.cfg or centrifydc-install.cfg file in its default location before invoking the install.sh script in silent mode.

The parameters in the centrifydc-install.cfg or centrify-suite.cfg file are the same, except that the centrify-suite.cfg file is used when installing a set of services to allow packages with different version numbers to be installed together. Because you should not modify the compatibility defined in the centrify-suite.cfg file, those parameters are not included in the table.

To customize the installation using the centrifydc-install.cfg or centrify-suite.cfg file, you can set the following parameters:

Parameter Description
ADCHECK Indicate whether you want to run the adcheck program to check the configuration of a local computer and its connectivity to Active Directory. Note that the install.sh script calls adcheck twice. After the first call, adcheck performs several required pre-installation steps to make sure you can install the Centrify Agent on the host computer. These steps are mandatory and cannot be skipped. However, the second call to adcheck is used to perform post-installation steps to make sure the agent has been installed successfully. The second set of checks is optional and can be skipped. Set this parameter to Y if you want to run adcheck after installing. For non-interactive installations, the default is N.
ADLICENSE Indicate whether you want to install licensed features. Set this parameter to Y if you have purchased and installed license keys. If you downloaded and want to install unlicensed Verify Privilege Server Suite Express agents, set this parameter to N.
GLOBAL_ZONE_ONLY Specify whether you want to install the agent in a Solaris 10 global zone and no other zones. Set this parameter to Y only if you are running the install.sh script on a Solaris 10 computer and want to install the agent in the Solaris 10 global zone and none of your non-global zones. In most cases, you only set this parameter to Y if you use sparse root zones. The default setting for this parameter is N so that the agent is installed in all Solaris zones. If the script is not running on a Solaris 10 computer, this parameter is ignored.
ADJOIN Indicate whether you want to attempt to join an Active Directory domain in non-interactive mode. Set this parameter to Y to attempt to join the domain automatically. Set this parameter to N to manually join the domain after installation.
ADJ_FORCE Overwrite the information stored in Active Directory for an existing computer account. Set this parameter to Y to replace the information for a computer previously joined to the domain. If there is already a computer account with the same name stored in Active Directory, you must use this option if you want to replace the stored information. You should only use this option when you know it is safe to force information from the local computer to overwrite existing information.
ADJ_TRUST Set the Trust for delegation option in Active Directory for the computer account. Trusting an account for delegation allows the account to perform operations on behalf of other accounts on the network.
DOMAIN Specify the domain to join, if you set the ADJOIN parameter to Y. Set this parameter to the name of a valid Active Directory domain.
USERID Specify the Active Directory user name to use when connecting to Active Directory to join the domain. Set this parameter to a valid Active Directory user name.
PASSWD Specify the password for the Active Directory user name you are using to connect to Active Directory. Set this parameter to the password for the Active Directory user name specified for the USERID parameter.
COMPUTER Specify the computer name to use for the local host in Active Directory. Set this parameter to the computer name you want to use in Active Directory if you don't want to use the default host name for the computer.
CONTAINER Specify the distinguished name (DN) of the container or Organizational Unit in which you want to place this computer account. The DN you specify does not need to include the domain suffix. The domain suffix is appended programmatically to provide the complete distinguished name for the object. If you do not specify a container, the computer account is created in the domain's default Computers container. Note that the container you specify must already exist in Active Directory, and you must have permission to add entries to the specified container.
ZONE Specify the zone to which you want to add this computer.
SERVER Specify the name of the domain controller to which you prefer to connect. You can use this option to override the automatic selection of a domain controller based on the Active Directory site information.
DA_ENABLE Indicate whether you want to automatically enable the auditing service on the local computer. The valid settings are: Y if you want to enable auditing with the default auditing configuration. N if you don't want to enable auditing. K if you are upgrading and want to keep your current auditing configuration unchanged.
DA_X_ENABLE Indicate whether you want to automatically enable the Linux desktop auditing service on the local computer. The valid settings are: Y if you want to enable desktop auditing with the default auditing configuration. N if you don't want to enable desktop auditing. K if you are upgrading and want to keep your current auditing configuration unchanged.
DA_INST_NAME Specify the name of an auditing installation if you set the DA_ENABLE parameter to Y.
REBOOT Indicate whether you want to automatically restart the local computer after a successful installation. Set this parameter to Y if you want to automatically restart the local computer or to N if you don't want the computer restarted automatically.
INSTALL Specify the operation to perform. The valid settings are: Y to install the Verify Privilege Server Suite Agent for *NIX and any other Verify Privilege Server Suite software packages if they are not already installed on the local computer. U to update older versions of the Verify Privilege Server Suite Agent for *NIX and any other Verify Privilege Server Suite packages you have installed. The update option only updates software from one major release version to another. It does not update the software if the major release version is the same between packages. R to reinstall or repair the Verify Privilege Server Suite Agent for *NIX and any other Verify Privilege Server Suite packages you have installed. You can reinstall packages that have the same major release version but a different build number, or repair packages by installing an older version of the package. E to remove the software currently installed. K to keep current software unchanged. Set this parameter to Y to install or to U to update the Verify Privilege Server Suite Agent for *NIX and other packages. If you want to install or update other packages, select the operation to perform for each package. For example, to update the Verify Privilege Server Suite Kerberos package and keep the current Verify Privilege Server Suite LDAP proxy service, you might specify the following: CentrifyDC_krb5="U" CentrifyDC_ldapproxy="K" Note that these additional packages may have dependencies or require a specific version of the Verify Privilege Server Suite Agent for *NIX to be installed. Before installing or updating additional packages silently, you should review the information in the Upgrade and Compatibility Guide.
UNINSTALL Specify whether you want to forcibly uninstall all installed packages.

For example, you can edit the centrifydc-install.cfg or centrify-suite.cfg file to silently install the Verify Privilege Server Suite Agent for *NIX, join the domain, and automatically reboot the computer at the completion of the installation process with a file similar to this:
ADCHECK="N"
ADLICENSE="Y"
# Solaris 10 -G option, installation in global zone only
GLOBAL_ZONE_ONLY="N"
ADJOIN="Y"
ADJ_FORCE="N"
ADJ_TRUST="N"
DOMAIN="sample.company.com"
USERID=administrator
PASSWD="securepassword123"
# COMPUTER=my_host_name
# CONTAINER="my_computers"
ZONE="global_zone"
# SERVER=server_name
DA_ENABLE="N"
DA_INST_NAME=""
REBOOT="Y"
# Install the core agent package
INSTALL="Y"

# Skip installation for other packages
CentrifyDC_nis=
CentrifyDC_krb5=
CentrifyDC_ldapproxy=
CentrifyDC_openssh=
CentrifyDC_web=
CentrifyDC_apache=
CentrifyDC_idmap=
CentrifyDA=

This sample configuration file does not install any of the Verify Privilege Server Suite add-on packages. You can also use the configuration file to silently install or update selected packages. For example, to update the LDAP proxy service and OpenSSH on a computer, you would modify the configuration file to indicate that you want to update those packages:

CentrifyDC_ldapproxy="U"
CentrifyDC_openssh="U"

Customizing the Return Codes for the Installation Script

Normally, when you run the install.sh script silently, the script returns an exit code of 0 if the operation is successful. If you want the script to return exit codes that indicate whether the operation performed was a successful new installation, a successful upgrade, a successful uninstall, or there were errors preventing installation, you can also use the custom_rc option. For example:

install.sh -n --custom_rc

When you specify this option, the following return codes that are defined in the install.sh script are used to provide more detailed information about the result:

Return code Description
CODE_SIN=0 Successful installation
CODE_SUP=0 Successful upgrade
CODE_SUN=0 Successful uninstallation
CODE_NIN=24 Did nothing during installation
CODE_NUN=25 Did nothing during uninstallation
CODE_EIN=26 Error during installation
CODE_EUP=27 Error during upgrade
CODE_EUN=28 Error during uninstallation
CODE_ESU=29 Error encountered during setup, for example, the UID is not the root user UID, the operating environment is not supported or not recognized, or the script is executed with invalid arguments
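The following script is an added example that is not part of this guide or of the product: a pre-flight check for the silent, configuration-file installation described above, combined with a wrapper that interprets the --custom_rc exit codes in this table. It assumes a centrifydc-install.cfg in the layout shown earlier, and the helper names (cfg_get, check_cfg, rc_class, run_silent_install) and the reuse of 29 for a local pre-flight failure are this example's own choices; the parameter names, allowed values and exit codes are the ones from the tables.

```shell
# Pre-flight check for a centrifydc-install.cfg used with "install.sh -n --custom_rc".
# Constructed illustration: helper names are assumptions; parameter names, allowed
# values and exit codes come from the tables in this chapter.
OPS="Y U R E K"    # INSTALL and per-package operations
YN="Y N"           # plain yes/no switches
PKGS="CentrifyDC_nis CentrifyDC_krb5 CentrifyDC_ldapproxy CentrifyDC_openssh \
CentrifyDC_web CentrifyDC_apache CentrifyDC_idmap CentrifyDA"

in_list() {        # in_list WORD "A B C" -> 0 if WORD is one of them
    for w in $2; do [ "$1" = "$w" ] && return 0; done
    return 1
}

# Read KEY=value from the file without sourcing it (no code execution);
# the last assignment wins, double quotes and blanks are dropped.
cfg_get() {
    sed -n "s/^$2=\(.*\)$/\1/p" "$1" | tail -n 1 | tr -d '"[:blank:]'
}

# Print each problem found; return the number of problems (0 = usable).
check_cfg() {
    cfg=$1; n=0
    # PASSWD is stored in clear text, so the file must not be group/world readable.
    case $(ls -ld "$cfg") in
        ????------*) ;;
        *) echo "$cfg: must be mode 0600 (contains PASSWD)"; n=$((n+1)) ;;
    esac
    for k in ADCHECK ADLICENSE GLOBAL_ZONE_ONLY ADJOIN ADJ_FORCE ADJ_TRUST REBOOT; do
        v=$(cfg_get "$cfg" "$k")
        in_list "$v" "$YN" || { echo "$k: expected Y or N, got '$v'"; n=$((n+1)); }
    done
    v=$(cfg_get "$cfg" INSTALL)
    in_list "$v" "$OPS" || { echo "INSTALL: expected one of $OPS, got '$v'"; n=$((n+1)); }
    for k in $PKGS; do   # add-on packages may be left empty (skipped)
        v=$(cfg_get "$cfg" "$k")
        [ -z "$v" ] || in_list "$v" "$OPS" || { echo "$k: invalid operation '$v'"; n=$((n+1)); }
    done
    if [ "$(cfg_get "$cfg" ADJOIN)" = Y ]; then   # a join needs a domain and credentials
        for k in DOMAIN USERID PASSWD; do
            [ -n "$(cfg_get "$cfg" "$k")" ] || { echo "$k: required when ADJOIN=Y"; n=$((n+1)); }
        done
    fi
    v=$(cfg_get "$cfg" DA_ENABLE)
    in_list "$v" "Y N K" || { echo "DA_ENABLE: expected Y, N or K, got '$v'"; n=$((n+1)); }
    [ "$v" != Y ] || [ -n "$(cfg_get "$cfg" DA_INST_NAME)" ] ||
        { echo "DA_INST_NAME: required when DA_ENABLE=Y"; n=$((n+1)); }
    return $n
}

# Classify the --custom_rc exit codes so a distribution tool can tell "nothing to do" from a failure.
rc_class() {
    case $1 in
        0) echo ok ;;               # CODE_SIN, CODE_SUP, CODE_SUN
        24|25) echo noop ;;         # CODE_NIN, CODE_NUN
        26|27|28|29) echo error ;;  # CODE_EIN, CODE_EUP, CODE_EUN, CODE_ESU
        *) echo unknown ;;
    esac
}

run_silent_install() {   # refuse a bad file (29 reused here to mirror CODE_ESU), then run
    check_cfg "$1" || return 29
    ./install.sh -n --custom_rc; rc=$?
    echo "install.sh exited $rc ($(rc_class $rc))"; return $rc
}
```

Run run_silent_install against the edited file from the directory that holds install.sh; the printed class and the propagated exit code can drive the distribution tool's retry or alert logic.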

Use Other Automated Software Distribution Utilities

You can also install Verify Privilege Server Suite software using virtually any automated software distribution framework. For example, you can use software delivery offerings from HP OpsWare or IBM Tivoli, or features such as Apple Remote Desktop, or software distribution in the Casper Suite to deliver Verify Privilege Server Suite software to remote computers. You can also use any custom software delivery tools you have developed specifically for your organization. If you use a commercial or custom software distribution mechanism, review the release notes text file included with the agent package for platform-specific installation details.