Migrating Scripts from the CLI Toolkit
The Cloud Client replaces the CLI Toolkit, which was available in previous releases from Privileged Access Service and the Delinea Download Center. If you downloaded and installed the CLI Toolkit from a previous release and have scripts that used the commands included in previous package, you might need to modify the scripts to work with the Cloud Client.
Most of the commands included in the client package are the same as the commands included in the CLI Toolkit, but the options supported by each command might be different. In addition, the client package has two new commands —- cenroll
and cunenroll
—- that replace the cjoin
and cleave
commands in the CLI Toolkit. For details about the options supported for each command, see the man page for that command.
To migrate from the CLI Toolkit to Cloud Client for Linux
-
Run the
cleave
command to unregister the Linux computers where you have installed the CLI toolkit.You can upgrade the CLI toolkit to the client package without removing it from the computer.
-
Download and install the appropriate Cloud Client for Linux package as described in Installing the Cloud Client for Linux Package.
If there are errors, you can review the operation details logged in the
/var/log/centrifycc-install.log
file. -
Upload a publicly-signed certificate for the Linux computer or configure the Linux computer to trust the Privileged Access Service self-signed certificate.
The Cloud Client for Linux communicates with the Privileged Access Servicethrough HTTPS, which requires a trusted root certificate to be available. By default, Linux computers will not trust the Privileged Access Service self-signed certificate.
-
Configure optional client settings, such as a web server proxy using parameters in the
/etc/centrifycc/centrifycc.conf
file. -
Run the
cenroll
command to re-register the Linux computers in the Privileged Access Service after the upgrade by specifying user credentials or an registration code.You must specify either
all
oraapm
for the--feature
option during registration to usecgetaccount
,csetaccount
, andcdelaccount
commands.You can specify an existing system during registration by using the --system-name option to specify the existing system name you want to reuse. However, reusing a system name requires at least one user with sufficient permissions to take over the system. For details about reusing an existing system, see Taking Ownership of an Existing System.
-
Configure permissions after registration.
Setting Permissions for the Service User
After migrating to the Cloud Client for Linux the Active Directory computer account which was used by Delinea CLI Toolkit no longer represents the Linux computer in the Privileged Access Service. Instead, registration creates a new service user account —- such as rhel\$@centrifydemo.vms
—- to represent the Linux computer in the Privileged Access Service.
The permissions that you previously granted to the Active Directory computer account— such as the permission to check out passwords —- are no longer applicable after migrating to the Cloud Client for Linux. Instead, new permissions need to be granted to the service user. This is especially important for application to application password management scenario to ensure remote computers have the permission to check out service passwords.
Application to Application Password Checkout
To allow service accounts on the sles12 computer to check out an account password from the Privileged Access Service to access accounts on the centos-6 computer, the service user for the sles12 computer must have the Checkout permission for the centos-6 account stored in the Privileged Access Service. For example, the sles12\$@cpubs.net
account must be able to check out the password for the root user on the centos-6.cpubs.net computer. In addition, the sles12 computer must have an account in the Privileged Access Service that can run root-level commands locally on the sles12 computer to get the password for the remote account.
Grant Permissions
Users must have the Grant permission for a Privileged Access Service account to grant the Checkout permission to other users, groups, or roles. By default, members of the System Administrator role and the user or role who registered a computer are assigned the Grant permission.
Accounts might also be assigned the Grant permission in the following situations:
- If you add the account to the Privileged Access Service by running the Cloud Client
csetaccount
command, the service user account is assigned the Grant permission. - If you add the account to Privileged Access Service from within the Admin Portal, your logged in user account is assigned the Grant permission.
- If you added the account to Privileged Access Service by running the Delinea CLI toolkit
csetaccount
command, the Active Directory computer account is assigned the Grant permission.
Taking Ownership of an Existing System
As part of the migration from the CLI toolkit to the Cloud Client, you can reuse an existing system name if there is a user with sufficient permissions to take over the ownership of the system. You can migrate a system that was previously added to the Privileged Access Service if you meet one of the following requirements:
- The owner role specified when the registration code was generated or using the --owner option at the command-line has Grant, Edit, and Delete permissions for the system.
- The user credentials used to register at the command-line specify a user who has Grant, Edit, and Delete permissions for the system.
- The user credentials used to register at the command-line specify a user who is a member of the System Administrator role.
How the Linux Client is Different from the CLI Toolkit
The Cloud Client for Linux does not require a connector. However, at least one connector is required to manage the Linux systems and accounts using the Privileged Access Service. The connector also provides a built-in web server proxy to forward HTTPS connection requests to the Privileged Access Service.
The CLI toolkit required Linux computers to be joined to an Active Directory domain and have the adclient process running locally. The Cloud Client for Linux that replaces the CLI toolkit does not require the Linux computer to be joined to a domain or have the adclient process installed.