Installing Authentication & Privilege Services
This section provides instructions for installing all identity and privilege management components on Windows computers in your network. There are several Windows-based components that enable you to manage the deployment and ongoing operations of Verify Privilege Server Suite software. You should install all of the identity and privilege management components on at least one Windows computer. Depending on the division of responsibilities in your organization, you may want to install different components on more than one Windows computer.
When you install identity and privilege management components, the following features are installed:
- The Privileged Access Service, which enables MFA login, MDM, and other platform services.
- The Privilege Elevation Service and Authentication Service, which together enable computers where Verify Privilege Server Suite software is installed to use the Active Directory infrastructure located on the domain controller, and enable users and zone-joined computers to have elevated privileges. The services include ADUC extensions, GPOE extensions, PowerShell extensions, Verify Privilege Server Suite utilities, and Access Manager.
Access Manager is the administrative console that enables you to create zones and configure rights and roles for Active Directory users running applications on Windows computers.
You should always install the Windows components first before you install the Verify Privilege Server Suite Agent on the non-Windows computers you intend to manage.
About Verify Privilege Server Suite Authentication Service and Privilege Elevation Service
Authentication Service and Privilege Elevation Service, part of the product category IBM Security Verify Privilege Server Suite (previously called Centrify Infrastructure Services or Centrify Zero Trust Privilege Services), centralize authentication and privileged user access across disparate systems and applications by extending Active Directory-based authentication and enabling use of Windows Group Policy and single sign-on. With IBM Security Verify Privilege Server Suite, enterprises can easily migrate and manage complex UNIX, Linux, and Windows systems, rapidly consolidate identities into the directory, organize granular access, and simplify administration. IBM Security Authentication Service, through IBM Security's patented Zone technology, allows organizations to easily establish global UNIX identities, centrally manage exceptions on legacy systems, separate identity from access management, and delegate administration. IBM Security's non-intrusive and organized approach to identity and access management results in stronger security, improved compliance, and reduced operational costs.
The Upgrade Guide describes the correct order to perform updates such that all packages continue to perform correctly once upgraded.
Delinea software is protected by U.S. Patents 7,591,005; 8,024,360; 8,321,523; 9,015,103; 9,112,846; 9,197,670; 9,378,391 and 9,442,962. (Ref: CS-44575)
Preparing for Installation on Windows
Before installing Verify Privilege Server Suite management components on Windows, you should verify that the computers where you are planning to install meet all of the system requirements and prerequisites and that you have all of the information you need to install and configure the software packages.
At a minimum, you should install the following Verify Privilege Server Suite components on one or more Windows computers during the first stage of deployment:
- Access Manager console
- Zone Provisioning Agent
You can install these components together or independently using the setup program. Alternatively, you can install these components independently without running the setup program by using individual setup programs for each component.
Installing Verify Privilege Server Suite
Access Manager, which is installed when you install Verify Privilege Server Suite, is the primary management console for performing access control and privilege management operations. You typically install Access Manager directly on the computers used by one or more administrators. Alternatively, you can install it on a physical or virtual server accessed remotely by one or more administrators. The most important requirement is that the computer where you install Access Manager must be able to connect to the Active Directory domain and forest.
The Access Manager console can be installed from the setup program or from a standalone executable separate from the setup program. Before you install, you should verify your environment meets the system requirements to ensure a successful deployment.
Preparing Active Directory and DNS
All of the Verify Privilege Server Suite software components rely on critical pieces of Active Directory infrastructure. Before you install:
- Verify Active Directory is installed and you have access to at least one Windows computer acting as a domain controller for the Active Directory forest to which you want to add UNIX computers.
- Check the configuration of DNS and whether you are using a Windows computer as the primary DNS server.
- Verify the DNS server allows secure dynamic updates and your domain controllers are configured to publish updated service locator (SRV) records.
- Verify DNS resolution and network communication between the UNIX computers and the Active Directory domain controller. You can use the ping command to test communication between the domain controller and the UNIX computer.
Identifying the Windows Computer and Log On Credentials
Depending on how you plan to manage Verify Privilege Server Suite properties, you should identify an appropriate Windows computer and the user account credentials you should use. For example:
- Check whether the Windows computer has Active Directory Users and Computers installed.
If you want to manage Verify Privilege Server Suite properties using Active Directory Users and Computers, the Active Directory Users and Computers MMC snap-in must be available on the local computer.
- Check whether the Windows computer is a domain computer, such as a Windows XP workstation, or a domain controller.
If you install on a domain controller, you must use your own logon credential to connect to Active Directory. In most cases, you can install on any computer that has access to a domain controller.
- Verify that the Windows computer can connect to Active Directory.
- Verify that you have a Windows user account and password with sufficient rights to install software on the local computer and permission to update the Active Directory forest.
After installation, you must be able to create new container objects in the Active Directory forest. Alternatively, an Active Directory administrator can manually configure the environment or temporarily modify your account permissions to enable you to perform setup tasks. For information about the specific rights required to perform tasks in the Setup Wizard, see Permissions required to use the Setup Wizard.
Checking Operating System and Software Requirements
Before installing on Windows, check that you have a supported version of one of the Windows operating system product families. For example, you can use Windows 7 for any console components. Alternatively, you can install components on computers in the Windows Server product family—such as Windows Server 2008 or Windows Server 2012—so that your administrative computer can be configured with additional server roles.
For more detailed information about supported platforms for specific components, see the release notes.
You should also verify that you have the .NET Framework, version 4.5 or later, installed. If the .NET Framework is not installed, the setup program can install it for you. Alternatively, you can download the .NET Framework from the Microsoft Download Center, if needed.
Checking Disk and Memory Requirements
You should also check that the computer where you are installing the Access Manager console meets the following requirements:
| For this | You need this |
|---|---|
| CPU speed | Minimum 550 MHz |
| RAM | 25 MB |
| Disk space | 100 MB |
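The checks in the preceding sections (SRV records and connectivity to a domain controller, the .NET Framework version, and the hardware minimums in the table) can be run from one script before you start the setup program. The following PowerShell is an added example, not part of the product documentation. It assumes Windows 8 or Windows Server 2012 or later (for Resolve-DnsName, Test-NetConnection and Get-CimInstance), and $Domain defaults to the domain the computer is joined to; the TCP port checks replace the plain ping the text suggests because ICMP is often filtered while the directory ports are open.

```powershell
# Added example; not part of the product documentation. Pre-install checks for the
# Windows computer where Access Manager will be installed.
param(
    [string]$Domain = $env:USERDNSDOMAIN   # assumption: forest/domain the host is joined to
)

$results = New-Object System.Collections.Generic.List[object]
function Add-Result([string]$Check, [bool]$Pass, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
}

# 1. Service locator (SRV) records published by the domain controllers. Clients find
#    DCs through these records, so a missing record breaks joins and console logons.
$dcHosts = @()
foreach ($name in "_ldap._tcp.dc._msdcs.$Domain", "_kerberos._tcp.dc._msdcs.$Domain") {
    try {
        $srv = Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop | Where-Object Type -eq 'SRV'
        $dcHosts += $srv.NameTarget
        Add-Result "SRV $name" $true (($srv.NameTarget | Sort-Object -Unique) -join ', ')
    } catch {
        Add-Result "SRV $name" $false $_.Exception.Message
    }
}

# 2. Network path to a domain controller on Kerberos (88) and LDAP (389).
$dc = $dcHosts | Select-Object -First 1
if ($dc) {
    foreach ($port in 88, 389) {
        $ok = (Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
        Add-Result "TCP ${dc}:$port" $ok ''
    }
} else {
    Add-Result 'DC reachability' $false 'no domain controller found through SRV records'
}

# 3. .NET Framework 4.5 or later: the Release value under NDP\v4\Full is 378389 for
#    4.5 and higher for every later 4.x release.
$ndp = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -Name Release -ErrorAction SilentlyContinue
Add-Result '.NET Framework 4.5+' ([bool]$ndp -and $ndp.Release -ge 378389) "Release=$($ndp.Release)"

# 4. Hardware minimums from the table above (550 MHz CPU, 25 MB RAM, 100 MB disk).
$cpu   = Get-CimInstance Win32_Processor | Select-Object -First 1
$mem   = (Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory
$drive = Get-PSDrive -Name ($env:SystemDrive.TrimEnd(':'))
Add-Result 'CPU >= 550 MHz'      ($cpu.MaxClockSpeed -ge 550) "$($cpu.MaxClockSpeed) MHz"
Add-Result 'RAM >= 25 MB'        ($mem -ge 25MB)              ("{0:N1} GB" -f ($mem / 1GB))
Add-Result 'Free disk >= 100 MB' ($drive.Free -ge 100MB)      ("{0:N1} GB free" -f ($drive.Free / 1GB))

$results | Format-Table -AutoSize
"All checks passed: $(-not ($results | Where-Object { -not $_.Pass }))"
```

Run it in an elevated PowerShell session on each computer you intend to install on; a failed SRV or TCP row points at DNS or firewall configuration that should be fixed before the setup program is started.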
Running the Setup Program on a Windows Computer
You can install Verify Privilege Server Suite software using the setup program on the CD or included in the download package. The setup program copies the necessary files to the local Windows computer. There are no special permissions required to run the setup program other than permission to install files on the local computer. From the setup program, you can choose which components you want to install.
If you intend to install the Zone Provisioning Agent using the setup program, you should review the requirements and other information in Installing Zone Provisioning Agent before you proceed, but you can skip the standalone installation instructions in those sections. Use the individual setup programs for components if you want to install a specific component on a specific computer. For example, use the Centrify_Zpaversionwin64.exe program to selectively install Zone Provisioning Agent components on a computer where Access Manager is not installed.
To install Authentication & Privilege on Windows:
- Log on to the Windows computer and insert the CD or navigate to the directory where you downloaded Verify Privilege Server Suite files.
If the Getting Started page is not automatically displayed, double-click the autorun.exe program to start the installation of the Verify Privilege Server Suite software.
- On the Getting Started page, click Authentication & Privilege to start the setup program for identity and privilege management components.
If any programs must be updated before installing, the setup program displays the updates required and allows you to install them. For example, you might be prompted to install or update the Microsoft .NET Framework or Microsoft SQL Server Compact edition.
- At the Welcome page, click Next.
- Review the terms of the license agreement, click I agree to these terms, then click Next.
- Type your name and organization, then click Next.
- Expand and select the IBM Security Administration and IBM Security Utilities components you want to install, then click Next.
If you are managing access to Linux, UNIX, and Mac OS X computers, you should select the following Verify Privilege Server Suite Administration components for deployment:
- ADUC property page extensions if you want to include Verify Privilege Server Suite profiles when displaying properties in Active Directory Users and Computers.
- Access Manager if you want to use an administrative console to manage Verify Privilege Server Suite zones and roles.
- Group Policy Management Editor extension if you want to deploy Verify Privilege Server Suite group policies.
You should also select the following Verify Privilege Server Suite Utilities components for deployment:
- Zone Provisioning Agent if you want to automatically provision user and group profiles into zones.
If you want to skip the installation of any component on the local computer, click to deselect the item that you want to skip, then click Next. For example, if you want to skip installation of the Verify Privilege Server Suite Reporting Service and its Microsoft SQL Server database, deselect the Verify Privilege Server Suite Reporting Service option, then click Next.
- Accept the default location for installing components, or click Browse to select a different location, then click Next.
- Review the components you have selected, then click Next.
The setup program begins installing the selected components.
- When setup is complete for the selected packages, click Finish to close the setup program.
Depending on the components you selected, you might see options to configure the reporting service, the Zone Provisioning Agent, or both. You can deselect these options if you want to skip configuration or plan to install the components on a different computer. For details about configuring the Verify Privilege Server Suite reporting service, see the Report Administrator’s Guide. For details about configuring the Zone Provisioning Agent after installing it with the Verify Privilege Server Suite setup program, see Configuring the Zone Provisioning Agent.
Installing Zone Provisioning Agent
The Zone Provisioning Agent enables automated provisioning of user and group accounts into Verify Privilege Server Suite zones. You configure the Zone Provisioning Agent to monitor specific Active Directory groups that are linked to a zone. When you add or remove users or groups from the monitored groups, the Zone Provisioning Agent adds or removes corresponding users or groups in the zone.
You can install the Zone Provisioning Agent with the Verify Privilege Server Suite setup program or as a standalone service separate from the installation of other Verify Privilege Server Suite components. In most cases, it is installed on its own apart from the installation of other Verify Privilege Server Suite components. After the Zone Provisioning Agent is installed, you can configure the business rules for adding and removing groups and how the attributes associated with user or group profiles are automatically generated.
About Zone Provisioning Agent and its Requirements
The Zone Provisioning Agent is intended to run on an ongoing basis on a computer that is always available. It requires a Windows user account with the right to Log on as a service. If you have a single forest, you can install the Zone Provisioning Agent on one or two computers. If you install the Zone Provisioning Agent on two computers, you should only run one instance at a time. The Zone Provisioning Agent on the second computer is intended for standby operation. You should only start the Zone Provisioning Agent on the second computer if the first instance fails.
The business rules that control provisioning are stored in Active Directory. If only one computer has the Zone Provisioning Agent and that computer stops running, the automated provisioning of UNIX users and groups is interrupted until the computer and the Zone Provisioning Agent are restarted. Users with existing access to UNIX computers are not affected.
The Zone Provisioning Agent has the following components:
- Zone Property Page Extension must be installed on the same computer as the Access Manager console. This extension adds a tab to the Zone Properties for configuring provisioning rules.
- Provisioning Agent can be installed separately from the property page as a standalone service or on the same computer as Access Manager. The computer where you install the service should be available at all times. In most cases, this Windows service is not installed on the same computer as Access Manager.
- Command Line Utility can be installed separately or on the same computer as Access Manager. The command line utility allows you to write scripts for provisioning tasks or update zones on demand.
If you have more than one forest, you should install a Zone Provisioning Agent in each forest. If you have geographical domains within a single forest, you may want to install a Zone Provisioning Agent in each geographical domain. If you install a second instance of the Provisioning Agent for failover, be sure that only one instance of the Provisioning Agent runs in each forest.
Zone Provisioning Agent account permissions
| Account name (suggested) | Type of account | Required permissions | Notes |
|---|---|---|---|
| Cfy_SVC_ZPA | Active Directory account | Log on as a service | The Zone Provisioning Agent requires permission to create UNIX profiles, that is, the service connection points in each zone where it needs to perform provisioning operations. The service account that runs the Zone Provisioning Agent requires the Log on as a service right, set either as a local computer security policy or in the default domain policy. |
Create a service account for the Zone Provisioning Agent
The Zone Provisioning Agent must run using a valid Windows user account with the right to Log on as a service. In most cases, you should create a dedicated user account, called the service account, for the service to run as rather than use an existing user account.
To create a new service account for the Zone Provisioning Agent:
- Open Active Directory Users and Computers.
- Select the UNIX Service Account organizational unit.
- Right-click, then select New > User.
- Type a display name and logon name for the service account, then click Next.
- Type and retype a password for the service account and modify the account options as follows, then click Next:
- Uncheck User must change password at next logon
- Check User cannot change password
- Check Password never expires
- Click Finish to add the service account.
Configure the local or domain group policy to allow the account to log on as a service
After you have created the service account, you must edit either a local security policy or the default domain group policy to grant the service account the Log on as a service right.
If you edit the default domain policy, the Zone Provisioning Agent can run on any Windows computer. If you need to move the service from one computer to another, no additional configuration is required.
Alternatively, you can edit the local security policy specifically on the computers that run the Zone Provisioning Agent. If you use the local policy, however, you may need to investigate whether other group policies are applied to the computer running the Zone Provisioning Agent to see if inheritance disables your local policy setting.
To edit the default domain group policy:
- Open the Group Policy Object Editor and navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Log on as a service.
- Right-click Log on as a service, then select Properties.
- Select Define these policy settings, then click Add User or Group.
- Click Browse to search for the service account you created.
- Select the service account, then click OK to add the account and OK again to apply the policy.
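The two procedures above (creating the service account, then granting it the Log on as a service right) can also be scripted. The following PowerShell is an added example, not part of the product documentation. It uses the RSAT ActiveDirectory module to create the account with the same option flags as the wizard, then takes the local security policy route described above (rather than the default domain policy) by exporting the user rights assignments with secedit, adding the account's SID to SeServiceLogonRight, and importing them again. The account name Cfy_SVC_ZPA is the suggested name from the permissions table; the OU distinguished name is a placeholder for your own UNIX Service Account OU.

```powershell
# Added example; not part of the product documentation. Creates the ZPA service account
# and grants it "Log on as a service" (SeServiceLogonRight) on the local computer.
Import-Module ActiveDirectory

$AccountName = 'Cfy_SVC_ZPA'                                   # suggested name from the table above
$OuPath      = 'OU=UNIX Service Account,DC=example,DC=com'     # placeholder: your OU's distinguished name
$Password    = Read-Host -AsSecureString -Prompt "Password for $AccountName"

# 1. Create the account with the same option flags as the wizard steps:
#    no change required at next logon, user cannot change it, password never expires.
New-ADUser -Name $AccountName -SamAccountName $AccountName -Path $OuPath `
    -AccountPassword $Password -Enabled $true `
    -ChangePasswordAtLogon $false -CannotChangePassword $true -PasswordNeverExpires $true

# 2. Grant SeServiceLogonRight in the local security policy. secedit stores user rights
#    as SIDs prefixed with "*", so export the current assignments, add the SID, re-import.
$sid = (Get-ADUser -Identity $AccountName).SID.Value
$cfg = Join-Path $env:TEMP 'user-rights.inf'
$db  = Join-Path $env:TEMP 'user-rights.sdb'

secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$inf = Get-Content -Path $cfg

if ($inf -match '^SeServiceLogonRight') {
    if (-not ($inf -match [regex]::Escape("*$sid"))) {
        # Append to the existing line so accounts that already hold the right keep it.
        $inf = $inf -replace '^(SeServiceLogonRight\s*=.*)$', "`$1,*$sid"
    }
} else {
    # No assignment line yet: add one directly under the [Privilege Rights] section header.
    $inf = $inf -replace '^\[Privilege Rights\]$', "[Privilege Rights]`r`nSeServiceLogonRight = *$sid"
}

Set-Content -Path $cfg -Value $inf -Encoding Unicode
secedit /configure /db $db /cfg $cfg /areas USER_RIGHTS | Out-Null
Remove-Item -Path $cfg, $db -ErrorAction SilentlyContinue

# 3. Verify by exporting again and showing the resulting assignment line.
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
Get-Content -Path $cfg | Where-Object { $_ -match '^SeServiceLogonRight' }
Remove-Item -Path $cfg -ErrorAction SilentlyContinue
```

Run it elevated on the computer that will host the Zone Provisioning Agent service. As the text notes for the local policy route, a domain GPO that also defines Log on as a service will override this setting at the next policy refresh, so check the effective policy with the Group Policy Results tool after making the change.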
Installing the Zone Provisioning Agent on the Access Manager computer
You can install both the Zone Provisioning Agent service and the Zone Property Page Extension on the computer where Access Manager is installed. At a minimum, you should install the Zone Property Page Extension on the same computer as the Access Manager console. The Zone Property Page Extension enables you to configure the Active Directory groups to monitor and the business rules for how to derive each user and group attribute.
If you select the Zone Provisioning Agent when you install components using the Verify Privilege Server Suite setup program, all Zone Provisioning Agent components are installed. If you want to selectively install Zone Provisioning Agent components on a computer, you can install by running the Centrify_Zpaversionwin64.exe program.
To install the Zone Provisioning Agent on the Access Manager computer:
- Log on to the Windows computer where Access Manager is installed.
- Double-click the Centrify_Zpaversionwin64.exe file to start the Zone Provisioning Agent setup program.
- If a User Account Control message is displayed, click Yes.
If necessary, the setup program prompts you to install the IBM Security Common Components.
- On the Welcome screen, click Next.
- Accept the licensing agreement, then click Next.
- Select the features to install, then click Next.
The Zone Property Page Extension is only applicable on the computer where the Access Manager console is installed. Selecting this option adds the Provisioning tab to the Zone Properties for individual zones. You can install or uncheck the other features on the computer where the Access Manager console is installed.
- Click Next to accept the default location for the Zone Provisioning Agent files, or click Browse to select a different location, then click Next.
- Click Install to begin installation.
- Click Finish to complete the installation.
Installing the Zone Provisioning Agent on its own
You can install the Provisioning Agent as a standalone service on a computer with a relatively light load. The computer where you install the Provisioning Agent should be one that is online at all times. If the computer is shut down or suspended, the Provisioning Agent service will be suspended and no provisioning can occur. You can install a second instance of the Zone Provisioning Agent on another computer, and use your existing method of determining if a service has failed to monitor the availability of the first instance. For example, configure monitoring of the Windows Event log to notify you if the Zone Provisioning Agent service stops.
If you install the Provisioning Agent service as a standalone service, you should also install the Command Line Utility on the same computer.
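The availability monitoring suggested above (watching the Windows Event log for the Zone Provisioning Agent service stopping) can be implemented with the Service Control Manager's event 7036, which records every service state change with the display name and the new state. The following PowerShell is an added example, not part of the product documentation. It assumes the service's display name contains "Zone Provisioning Agent" (confirm with Get-Service on the agent host), that the ScheduledTasks module is available (Windows 8 or Windows Server 2012 or later), and the alert action, appending a line to a log file under a placeholder path, stands in for your own notification command.

```powershell
# Added example; not part of the product documentation. Reviews recent stops of the
# Zone Provisioning Agent service and registers an event-triggered alert task.
$NamePattern = '*Zone Provisioning Agent*'                # assumption: display name pattern
$AlertLog    = 'C:\ProgramData\ZpaMonitor\stops.log'     # placeholder alert destination

$svc = Get-Service | Where-Object { $_.DisplayName -like $NamePattern } | Select-Object -First 1
if (-not $svc) { throw "No service with a display name like '$NamePattern' on this computer" }
$display = $svc.DisplayName

# 1. Ad-hoc review: SCM event 7036 carries param1 (display name) and param2 (new state).
$stops = Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7036
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue | Where-Object {
    $_.Properties[0].Value -eq $display -and $_.Properties[1].Value -eq 'stopped'
}
"$display stop events in the last 7 days: $(@($stops).Count)"
$stops | Select-Object TimeCreated, Message | Format-Table -AutoSize -Wrap

# 2. Standing alert: the same filter as an XPath event subscription for Task Scheduler.
$xpath = "*[System[Provider[@Name='Service Control Manager'] and EventID=7036]] and " +
         "*[EventData[Data[@Name='param1']='$display' and Data[@Name='param2']='stopped']]"
$subscription = "<QueryList><Query Id='0' Path='System'><Select Path='System'>$xpath</Select></Query></QueryList>"

$triggerClass = Get-CimClass -ClassName MSFT_TaskEventTrigger -Namespace Root/Microsoft/Windows/TaskScheduler
$trigger = New-CimInstance -CimClass $triggerClass -ClientOnly
$trigger.Subscription = $subscription
$trigger.Enabled = $true

New-Item -ItemType Directory -Force -Path (Split-Path $AlertLog) | Out-Null
$action = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument (
    "-NoProfile -Command `"Add-Content -Path '$AlertLog' -Value ('$display stopped at ' + (Get-Date -Format o))`"")
$principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' -RunLevel Highest
Register-ScheduledTask -TaskName 'ZPA service stopped alert' -Trigger $trigger -Action $action -Principal $principal -Force | Out-Null
```

The event-triggered task fires within seconds of the stop rather than on a polling schedule, which is what you want when a second, standby instance has to be started by hand as the text describes. Replace the Add-Content action with whatever your operations team already uses for service alerts.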
To install the Zone Provisioning Agent as a standalone service:
- Log on to the Windows computer that has a light load and is rarely shut down or offline.
- Double-click the Centrify_Zpaversionwin64.exe file to start the Zone Provisioning Agent setup program.
- If a User Account Control message is displayed, click Yes.
If necessary, the setup program prompts you to install the IBM Security Common Components.
- On the Welcome screen, click Next.
- Accept the licensing agreement, then click Next.
- Select the Provisioning Agent and Command Line Utility features, then click Next.
- Click Next to accept the default location for the Zone Provisioning Agent files, or click Browse to select a different location, then click Next.
- Click Install to begin installation.
- (Optional) Uncheck the Configure and start Zone Provisioning Agent option, then click Finish.
If you leave Configure and start Zone Provisioning Agent selected, you are prompted to provide the service account name and password, then click Start to start the agent service. It is recommended that you configure the monitored containers, polling interval, and logging options, in addition to the service account name and password before starting the service. Therefore, you should open Access Manager to set up the Verify Privilege Server Suite organization structure in Active Directory. For more information about the initial configuration, see Running Access Manager for the first time.
Configuring the Zone Provisioning Agent
By default, the Zone Provisioning Agent monitors all domains in the entire forest. If you use the recommended Verify Privilege Server Suite organizational structure described in Creating recommended organizational units, it is recommended that you set the Zone Provisioning Agent to monitor only the top-level Verify Privilege Server Suite organizational unit or the Zones container. These objects are created in the Setup Wizard the first time you open Access Manager. After the initial configuration, you can perform the steps in this section to configure the Zone Provisioning Agent. For more information about the initial configuration, see Running Access Manager for the first time.
The most common reason for monitoring more than one organizational unit is if you have a regional or team-based OU structure in Active Directory, where each region or team is responsible for managing its own UNIX data. In this scenario, a provisioning staff member in Sydney, Australia, wouldn’t be responsible for account fulfillment of a UNIX user in Chicago. To ensure the appropriate separation of duties between the different regions or teams, you would have more than one Verify Privilege Server Suite organizational unit, and you would configure the Zone Provisioning Agent to search each of the regional organizational units.
To configure the Zone Provisioning Agent:
- Open the Zone Provisioning Agent Configuration Panel by clicking Start > All Programs > Verify Privilege Server Suite 2021.1 > Zone Provisioning Agent Configuration Panel.
- In the Monitored containers section, click Add.
- Navigate to select the Verify Privilege Server Suite organizational unit or the Zones container, then click OK.
- Select Entire Forest forest_name from the list of Monitored containers, then click Remove.
- Set the provisioning polling interval in minutes.
The polling interval controls how often the Zone Provisioning Agent checks monitored containers for changes and processes the business rules for provisioning users and groups into zones. The appropriate interval often depends on the expectations of the user population or on service level agreements that define the provisioning team’s commitments. In general, you should avoid polling more frequently than necessary to reduce the effect the Zone Provisioning Agent has on the performance of your domain controllers.
- If desired, specify which domain controller the Zone Provisioning Agent uses.
- To specify the domain controllers, click Advanced.
The Advanced Domain Controller Settings dialog box displays.
- Click Add to open a separate dialog box in which you can add a domain and pick from a list of domain controllers. Click OK to save your changes.
- Click Change if you want to change the specified domain controller, or click Remove if you need to remove the specified domain controller.
- Type the service account name or click Browse to locate the service account name, then type the password for the account.
- Click Apply.
- Click Start to start the Zone Provisioning Agent.
Whitelisting Domains for the Zone Provisioning Agent
You can configure the Zone Provisioning Agent so that it can connect to trusted domains (whitelisting) by setting the following registry key with a list of trusted domains and/or forests:
HKLM\SOFTWARE\Centrify ZPA\AllowedDomains
Configuring a list of domains this way can be particularly useful, and faster, when you have a large number of domains.
For example, to specify a single domain:
HKLM\SOFTWARE\Centrify ZPA\AllowedDomains: "acme.com"
For example, to specify multiple domains:
HKLM\SOFTWARE\Centrify ZPA\AllowedDomains: "acme.com", "foo.com"
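The registry setting above can be written from PowerShell; the following is an added example, not part of the product documentation. It assumes the value is stored as REG_MULTI_SZ with one domain per entry (an assumption drawn from the quoted, comma-separated list form shown above), uses the text's own sample domains, and validates each entry as a plain DNS name before writing so that a typo does not end up in a trust list.

```powershell
# Added example; not part of the product documentation. Writes the Zone Provisioning
# Agent AllowedDomains whitelist. REG_MULTI_SZ is an assumption about the value type.
$KeyPath = 'HKLM:\SOFTWARE\Centrify ZPA'
$Domains = @('acme.com', 'foo.com')     # sample values from the text; replace with your trusted domains/forests

# Reject anything that is not a DNS domain name before it lands in a trust list.
$dnsName = '^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$'
foreach ($d in $Domains) {
    if ($d -notmatch $dnsName) { throw "Not a valid DNS domain name: '$d'" }
}

if (-not (Test-Path -Path $KeyPath)) {
    New-Item -Path $KeyPath -Force | Out-Null
}
New-ItemProperty -Path $KeyPath -Name AllowedDomains -Value $Domains -PropertyType MultiString -Force | Out-Null

# Read the value back so the stored list is visible in the same session.
(Get-ItemProperty -Path $KeyPath -Name AllowedDomains).AllowedDomains
```

Run it elevated on the computer hosting the Zone Provisioning Agent service; writing under HKLM requires administrator rights.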
Running Access Manager for the First Time
The first time you start the Access Manager console, a Setup Wizard guides you through the initial configuration of the Active Directory forest. This initial setup creates the recommended or a custom deployment structure including the parent containers for Licenses and Zones and sets the permissions for modifying the objects within the containers. These steps are only performed once and can be done manually, if you choose.
Because the Setup Wizard creates container objects, you might need to use a domain administrator account. This requirement depends on the specific permissions your organization has configured for different classes of users. For example, if your organization only permits Domain Admins to create parent and child objects in Active Directory, you need to use an account with those permissions to run the Setup Wizard. For more information about the permissions required to perform specific configuration steps, see Permissions required to use the Setup Wizard.
Access Manager Account Permissions
| Account name (suggested) | Type of account | Required permissions | Notes |
|---|---|---|---|
| n/a | Domain administrator (when running Access Manager for the first time) | Domain Admin (in most cases) | Because the Setup Wizard creates container objects, you might need to use a domain administrator account. This requirement depends on the specific permissions your organization has configured for different classes of users. For example, if your organization only permits Domain Admins to create parent and child objects in Active Directory, you need to use an account with those permissions to run the Setup Wizard. |
To start the Setup Wizard and update the Active Directory forest:
- Open Access Manager from the desktop shortcut or Start menu.
- Verify the name of the domain controller displayed is a member of the Active Directory forest you want to update, or type the name of a different domain controller if you want to connect to a different forest, then click OK.
- If you want to connect to a different forest, type the name of a domain controller in that forest.
- If you want to connect to the forest with different credentials, select Connect as another user, then type a user name and password to connect as.
- At the Welcome page, click Next.
- Select Use currently connected user credentials to use your current log on account, or select Specify alternate user credentials and type a user name and password, then click Next.
- Select Generate the recommended deployment structure if you want to create all of the containers for the recommended deployment structure automatically.
If you select this option, select whether you want to generate the default deployment structure or generate a custom structure, then click Next.
- If you are generating the default structure, clicking Next enables you to select or create the location for the deployment structure in Active Directory. For example, if you want to create the top of the default deployment structure at the domain level, click Next, then click Browse to select the domain name. After you have selected a location, click OK, then click Next to create the deployment structure.
- If you are generating a custom structure, clicking Next enables you to export the script that creates the default structure or run a script you have previously written.
If you are generating a default or custom deployment structure, verify the successful execution of the script that creates the structure, then click Next to continue.
- Verify the parent container for licenses is in the top-level Verify Privilege Server Suite container if you are using the default deployment structure, or in the container of your choice, then click Next.
You can add other Licenses containers in other locations later using the Manage Licenses dialog box.
If you are not using the recommended deployment structure, the default container for license keys is domain_name/Program Data/Centrify/Licenses. To create the parent container in a different location, you can click Browse.
- Review the permission requirements for the container, then click Yes to continue.
If you don’t want to allow the permissions for the selected container, click No and select a different container to continue.
- Type or copy and paste the license key you received, then click Add.
If you received multiple license keys, add each key to the list of installed licenses, then click Next. If you received license keys in a text file, click Import to import the keys directly from the file instead of adding the keys individually, then click Next.
You can also add and remove license containers and keys after the initial configuration.
For details about licensing, including how to request new license keys after deployment, check license usage and compliance, and how license counts are determined, see the License Management Administrator’s Guide.
- Verify that the Create default zone container option is selected and the parent container for zones is in the top-level Verify Privilege Server Suite container or the container of your choice, then click Next.
If you are not using the recommended deployment structure, the default container for zones is domain_name/Program Data/Centrify/Zones. To create the parent container in a different location, you can click Browse.
You can skip creating the parent container in the forest or have more than one Zones parent container. For example, if you have a regional OU structure in Active Directory, where each region is responsible for its own set of zones, each region should have its own top-level organizational unit. If you have separate OU structures for Tucson, AZ, and Newark, NJ, for example, you would have separate deployment structures (SS-AZ and SS-NJ, for example) with a separate parent container for zones under each deployment structure. Users in each region can select the appropriate parent container when they create new zones.
Users must have permission to read and create container objects on the parent Zones container and all child objects. You should verify the appropriate users have the permissions required to create new zones.
- If you are using the recommended deployment structure, click Next to continue.
This option allows “self-service” join operations for computers in the Computers container. It is only applicable if you are not using the recommended deployment structure. If you want to support “self-service” join operations and are not using the recommended deployment structure, select Grant computer accounts in the Computers container permission to update their own account information, then click Next.
- If you plan to use Access Manager to manage information stored in Active Directory and maintain data integrity, click Next to continue.
You should select Register administrative notification handler for Microsoft Active Directory Users and Computers snap-in if you want to automatically maintain the integrity of the information in Verify Privilege Server Suite profiles.
This option prevents Verify Privilege Server Suite profile information from being left “orphaned” when changes are made to Active Directory objects such as users and groups. This option is not selected by default because it requires you to have Enterprise Admin or Domain Admin rights for the forest root domain.
- Select Activate Centrify profile property pages if you want to be able to display Verify Privilege Server Suite profiles in any Active Directory context, then click Next.
Setting this option ensures that displaying the properties for a user, group, or computer always displays the Centrify Profile tab regardless of how you navigate to the Properties dialog box.
- Review and confirm your configuration settings, click Next, then click Finish.