Agents Reference

Installing Agents on Computers to be Managed

This section describes the recommended steps for deploying Privilege Control software on the non-Windows computers that you want to add to Active Directory. It also describes the alternatives you can use to install agent packages on non-Windows computers, including using native Linux installers to install Privilege Control packages manually and automatically.

About the Deployment Process

There is no technical requirement that you only work with a subset of computers at a time, but in practice the process of checking computers for potential problems and resolving open issues is more manageable when applied to a subset of computers. It is also more practical to migrate user populations in stages rather than all at once. After you step through the process a few times, you'll be able to anticipate and resolve potential issues more quickly and move into a more rapid deployment model.

Select a Target Set of Computers

As a first step in preparing to install Privilege Control software, you should select a target set of computers on which to deploy. The target set can be based on any criteria you choose. In many organizations, new software must always be installed in the development environment first, then in the pre-production environment, before it can be deployed in the production environment. If your organization has this type of requirement, the first target set of computers would be the computers in the development environment.

Other possible candidates for the target set might be computers that:

  • Have been identified for changes by an audit finding

  • Are in the same physical location, such as a particular data center

  • Share common attributes, such as all Red Hat Linux computers or all of the servers in a Web farm

  • Are used by a particular department, project, or line of business

  • Have a common set of users who need access to the computer resources

After you have identified a target set of computers, you are ready to begin the deployment. You should notify the user community that you are planning to install software on the target set of computers. For example, you may want to notify users by sending out an email message similar to the sample provided in Preliminary software delivery notification email template.

You can use adcheck to check whether those computers have any issues that need to be resolved before you install new software on them. Checking the environment before you install helps to reduce change control issues.

Options for Deploying Privilege Control Agent Packages

You can:

  • Run the agent installation script locally on any computer and respond to the prompts displayed.

  • Create a configuration file and run the installation script remotely on any computer in silent mode.

  • Use the install or update operations in the native package installer for your operating environment.

  • Use a commercial or custom software distribution tool.

If you want to use one of these installation options and need more information, see the appropriate section.

Install Interactively on a Computer

The Privilege Control Agent installation script, install.sh, automatically checks the operating system, disk space, DNS resolution, network connectivity, and other requirements on a target computer before installing. You can run this script interactively on any supported UNIX or Linux computer and respond to the prompts displayed.

To install Privilege Control software packages on a computer interactively:

  1. Log on or switch to the root user if you are installing on a Linux or UNIX computer.

  2. Change to the appropriate directory that contains the Privilege Control Agent package you want to install.

    For example, to install an agent on a Linux computer from a downloaded Privilege Control ISO or ZIP file, change to the Agent_Linux directory:

    cd Agent_Linux

    Similarly, if you are installing on a Solaris, HP-UX, AIX or other UNIX computer, change to the Agent_Unix directory.

    If you downloaded individual agent packages from the Delinea Download Center, unzip and extract the contents. For example:

    gunzip -d os-arch.tgz
    tar -xf os-arch.tar

  3. Run the install.sh script to start the installation of the agent on the local computer's operating environment. For example:

    ./install.sh

  4. Follow the prompts displayed to select the services you want to install and the tasks you want to perform. For example, you can choose whether you want to:

  • Perform a default installation.

  • Perform a custom installation by selecting the specific packages to install.

  • Join a domain automatically at the conclusion of the installation.

Depending on your selections, you may need to provide additional information, such as the user name and password for joining the domain.

Install Silently Using a Configuration File

Installing without user interaction enables you to automate software delivery and the management of remote computers. If you want to install files without any user interaction, you can run the install.sh script silently by invoking it with the appropriate command-line arguments. You can also customize the packages installed and other options by creating a custom configuration file for the installer to use.

  • To see the install.sh silent mode and other command line options, enter install.sh -h

  • To install Authentication & Privilege default packages and configuration options silently, run: install.sh --std-suite

  • To install Authentication & Privilege and Audit & Monitoring default packages and configuration options, run:
    install.sh --ent-suite

  • To install a customized set of packages that all have the same version number, run:
    install.sh -n

About the Sample Configuration Files Available

You can customize the install.sh execution script. There are two sample configuration files for installing software packages silently. These sample configuration files are located in the same directory as the install.sh script:

centrify-suite.cfg

centrifydc-install.cfg

If you want to customize the packages installed or other configuration options, you can modify the sample centrify-suite.cfg or centrifydc-install.cfg file.

The centrify-suite.cfg file is used when you run install.sh with the --std-suite or --ent-suite options. If you run install.sh --std-suite or install.sh --ent-suite with a customized version of the centrify-suite.cfg file, you can selectively install compatible add-on packages that do not have the same version number as the core Privilege Control Agent.

Alternatively, you can run install.sh -n with a customized version of the centrifydc-install.cfg file to install the agent and add-on packages if they all have the same version number.

If you run the install.sh script silently and it cannot locate the centrify-suite.cfg or centrifydc-install.cfg file to use, default values defined directly in the script itself are used.

Setting the Parameters in a Custom Configuration File for the Installation Script

If you want to specify values for the install.sh script to use, you should edit the sample centrify-suite.cfg or centrifydc-install.cfg file in its default location before invoking the install.sh script in silent mode.

The parameters in the centrifydc-install.cfg or centrify-suite.cfg file are the same, except that the centrify-suite.cfg file is used when installing a set of services to allow packages with different version numbers to be installed together. Because you should not modify the compatibility defined in the centrify-suite.cfg file, those parameters are not included in the table.

To customize the installation using the centrifydc-install.cfg or centrify-suite.cfg file, you can set the following parameters:

Parameter Description
ADCHECK Indicate whether you want to run the adcheck program to check the configuration of a local computer and its connectivity to Active Directory. Note that the install.sh script calls adcheck twice. After the first call, adcheck performs several required pre-installation steps to make sure you can install the Centrify Agent on the host computer. These steps are mandatory and cannot be skipped. However, the second call to adcheck is used to perform post-installation steps to make sure the agent has been installed successfully. The second set of checks is optional and can be skipped. Set this parameter to Y if you want to run adcheck after installing. For non-interactive installations, the default is N.
ADLICENSE Indicate whether you want to install licensed features. Set this parameter to Y if you have purchased and installed license keys. If you downloaded and want to install unlicensed Centrify Express agents, set this parameter to N.
GLOBAL_ZONE_ONLY Specify whether you want to install the agent in a Solaris 10 global zone and no other zones. Set this parameter to Y only if you are running the install.sh script on a Solaris 10 computer and want to install the agent in the Solaris 10 global zone and none of your non-global zones. In most cases, you only set this parameter to Y if you use sparse root zones. The default setting for this parameter is N so that the agent is installed in all Solaris zones. If the script is not running on a Solaris 10 computer, this parameter is ignored.
ADJOIN Indicate whether you want to attempt to join an Active Directory domain in non-interactive mode. Set this parameter to Y to attempt to join the domain automatically. Set this parameter to N to manually join the domain after installation.
ADJ_FORCE Overwrite the information stored in Active Directory for an existing computer account. Set this parameter to Y to replace the information for a computer previously joined to the domain. If there is already a computer account with the same name stored in Active Directory, you must use this option if you want to replace the stored information. You should only use this option when you know it is safe to force information from the local computer to overwrite existing information.
ADJ_TRUST Set the Trust for delegation option in Active Directory for the computer account. Trusting an account for delegation allows the account to perform operations on behalf of other accounts on the network.
DOMAIN Specify the domain to join, if you set the ADJOIN parameter to Y. Set this parameter to the name of a valid Active Directory domain.
USERID Specify the Active Directory user name to use when connecting to Active Directory to join the domain. Set this parameter to a valid Active Directory user name.
PASSWD Specify the password for the Active Directory user name you are using to connect to Active Directory. Set this parameter to the password for the Active Directory user name specified for the USERID parameter.
COMPUTER Specify the computer name to use for the local host in Active Directory. Set this parameter to the computer name you want to use in Active Directory if you don't want to use the default host name for the computer.
CONTAINER Specify the distinguished name (DN) of the container or Organizational Unit in which you want to place this computer account. The DN you specify does not need to include the domain suffix. The domain suffix is appended programmatically to provide the complete distinguished name for the object. If you do not specify a container, the computer account is created in the domain's default Computers container. Note that the container you specify must already exist in Active Directory, and you must have permission to add entries to the specified container.
ZONE Specify the zone to which you want to add this computer.
SERVER Specify the name of the domain controller to which you prefer to connect. You can use this option to override the automatic selection of a domain controller based on the Active Directory site information.
DA_ENABLE Indicate whether you want to automatically enable the auditing service on the local computer. The valid settings are: Y if you want to enable auditing with the default auditing configuration. N if you don't want to enable auditing. K if you are upgrading and want to keep your current auditing configuration unchanged.
DA_X_ENABLE Indicate whether you want to automatically enable the Linux desktop auditing service on the local computer. The valid settings are: Y if you want to enable desktop auditing with the default auditing configuration. N if you don't want to enable desktop auditing. K if you are upgrading and want to keep your current auditing configuration unchanged.
DA_INST_NAME Specify the name of an auditing installation if you set the DA_ENABLE parameter to Y.
REBOOT Indicate whether you want to automatically restart the local computer after a successful installation. Set this parameter to Y if you want to automatically restart the local computer or to N if you don't want the computer restarted automatically.
INSTALL Specify the operation to perform. The valid settings are:
  • Y to install the Privilege Control Agent for *NIX and any other Privilege Control software packages if they are not already installed on the local computer.
  • U to update older versions of the Privilege Control Agent for *NIX and any other Privilege Control packages you have installed. The update option only updates software from one major release version to another. It does not update the software if the major release version is the same between packages.
  • R to reinstall or repair the Privilege Control Agent for *NIX and any other Privilege Control packages you have installed. You can reinstall packages that have the same major release version but a different build number, or repair packages by installing an older version of the package.
  • E to remove the software currently installed.
  • K to keep current software unchanged.
  Set this parameter to Y to install or to U to update the Privilege Control Agent for *NIX and other packages. If you want to install or update other packages, select the operation to perform for each package. For example, to update the Privilege Control Kerberos package and keep the current Privilege Control LDAP proxy service, you might specify the following:
    CentrifyDC_krb5="U"
    CentrifyDC_ldapproxy="K"
  Note that these additional packages may have dependencies or require a specific version of the Privilege Control Agent for *NIX to be installed. Before installing or updating additional packages silently, you should review the information in the Upgrade and Compatibility Guide.
UNINSTALL Specify whether you want to forcibly uninstall all installed packages.

For example, you can edit the centrifydc-install.cfg or centrify-suite.cfg file to silently install the Privilege Control Agent for *NIX, join the domain, and automatically reboot the computer at the completion of the installation process with a file similar to this:

    ADCHECK="N"
    ADLICENSE="Y"
    # Solaris 10 -G option, installation in global zone only
    GLOBAL_ZONE_ONLY="N"
    ADJOIN="Y"
    ADJ_FORCE="N"
    ADJ_TRUST="N"
    DOMAIN="sample.company.com"
    USERID=administrator
    PASSWD="securepassword123"
    # COMPUTER=my_host_name
    # CONTAINER="my_computers"
    ZONE="global_zone"
    # SERVER=server_name
    DA_ENABLE="N"
    DA_INST_NAME=""
    REBOOT="Y"
    # Install the core agent package
    INSTALL="Y"

    # Skip installation for other packages
    CentrifyDC_nis=
    CentrifyDC_krb5=
    CentrifyDC_ldapproxy=
    CentrifyDC_openssh=
    CentrifyDC_web=
    CentrifyDC_apache=
    CentrifyDC_idmap=
    CentrifyDA=

This sample configuration file does not install any of the Privilege Control add-on packages. You can also use the configuration file to silently install or update selected packages. For example, to update the LDAP proxy service and OpenSSH on a computer, you would modify the configuration file to indicate that you want to update those packages:

    CentrifyDC_ldapproxy="U"
    CentrifyDC_openssh="U"
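Before handing a customized centrifydc-install.cfg to install.sh -n, it is worth checking it for the inconsistencies the installer would otherwise hit part-way through a silent run. The following POSIX sh script is an added example, not part of the Privilege Control package: it checks that INSTALL and the add-on package parameters use Y/U/R/E/K, that ADJOIN=Y is accompanied by DOMAIN, USERID and PASSWD, that DA_ENABLE=Y is accompanied by DA_INST_NAME, and, because PASSWD sits in the file in clear text, that the file is readable only by its owner. The sample file it validates is constructed here, with a placeholder password.

```shell
#!/bin/sh
# Sanity-check a centrifydc-install.cfg before handing it to install.sh -n.
# Added example, not part of the Privilege Control distribution. It assumes the
# parameter names and the Y/U/R/E/K and Y/N/K values from the table above and
# runs against a constructed sample file whose password is a placeholder.

# cfg_get FILE KEY: print KEY's value (last assignment wins, quotes stripped).
# Commented-out lines such as "# SERVER=server_name" are ignored.
cfg_get() {
    sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"']*\)[\"']\{0,1\}[[:space:]]*$/\1/p" "$1" | tail -n 1
}

# check_value FILE KEY "A B C": succeed if KEY is unset/empty or one of A B C.
check_value() {
    v=$(cfg_get "$1" "$2")
    [ -z "$v" ] && return 0
    case " $3 " in *" $v "*) return 0 ;; esac
    echo "$2: '$v' is not one of: $3" >&2; return 1
}
# validate_cfg FILE: return 0 if the file is consistent, 1 otherwise.
validate_cfg() {
    f=$1; rc=0
    # The core agent and each add-on package take an operation code (empty = skip).
    for k in INSTALL CentrifyDC_nis CentrifyDC_krb5 CentrifyDC_ldapproxy CentrifyDC_openssh \
             CentrifyDC_web CentrifyDC_apache CentrifyDC_idmap CentrifyDA; do
        check_value "$f" "$k" "Y U R E K" || rc=1
    done
    for k in ADCHECK ADLICENSE GLOBAL_ZONE_ONLY ADJOIN ADJ_FORCE ADJ_TRUST REBOOT; do
        check_value "$f" "$k" "Y N" || rc=1
    done
    for k in DA_ENABLE DA_X_ENABLE; do check_value "$f" "$k" "Y N K" || rc=1; done
    # Joining in non-interactive mode needs a domain and credentials.
    if [ "$(cfg_get "$f" ADJOIN)" = Y ]; then
        for k in DOMAIN USERID PASSWD; do
            [ -n "$(cfg_get "$f" "$k")" ] || { echo "ADJOIN=Y but $k is empty" >&2; rc=1; }
        done
    fi
    # Enabling auditing needs the name of the auditing installation.
    if [ "$(cfg_get "$f" DA_ENABLE)" = Y ] && [ -z "$(cfg_get "$f" DA_INST_NAME)" ]; then
        echo "DA_ENABLE=Y but DA_INST_NAME is empty" >&2; rc=1
    fi
    # PASSWD is stored in clear text: the file must not be group- or world-readable.
    if [ -n "$(cfg_get "$f" PASSWD)" ] && [ "$(ls -ld "$f" | cut -c5-10)" != "------" ]; then
        echo "$f holds PASSWD but is readable by group/other (chmod 600 it)" >&2; rc=1
    fi
    return $rc
}

# Constructed sample in the style of the page's example (placeholder password).
demo=${TMPDIR:-/tmp}/cfg-check.$$; mkdir -p "$demo"
cat > "$demo/centrifydc-install.cfg" <<'EOF'
ADJOIN="Y"
DOMAIN="sample.company.com"
USERID=administrator
PASSWD="PLACEHOLDER_PASSWORD"
# SERVER=server_name
DA_ENABLE="N"
REBOOT="Y"
INSTALL="Y"
CentrifyDC_ldapproxy="U"
CentrifyDC_openssh=
EOF
chmod 600 "$demo/centrifydc-install.cfg"
validate_cfg "$demo/centrifydc-install.cfg" && echo "cfg OK: ready for install.sh -n"
```

Once the silent installation has completed, remove the configuration file, or at least its PASSWD line, so the join credentials do not stay on disk.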

Customizing the Return Codes for the Installation Script

Normally, when you run the install.sh script silently, the script returns an exit code of 0 if the operation is successful. If you want the script to return exit codes that indicate whether the operation performed was a successful new installation, a successful upgrade, a successful uninstall, or there were errors preventing installation, you can also use the custom_rc option. For example:

install.sh -n --custom_rc

When you specify this option, the following return codes that are defined in the install.sh script are used to provide more detailed information about the result:

Return Code Description
CODE_SIN=0 Successful installation
CODE_SUP=0 Successful upgrade
CODE_SUN=0 Successful uninstallation
CODE_NIN=24 Did nothing during installation
CODE_NUN=25 Did nothing during uninstallation
CODE_EIN=26 Error during installation
CODE_EUP=2 Error during upgrade
CODE_EUN=2 Error during uninstallation
CODE_ESU=29 Error encountered during setup, for example, the UID is not the root user UID, the operating environment is not supported or not recognized, or the script is executed with invalid arguments

Use Other Automated Software Distribution Utilities

You can also install Privilege Control software using virtually any automated software distribution framework. For example, you can use software delivery offerings from Chef, Puppet, Ansible, SaltStack, and similar tools to deliver Privilege Control software to remote computers. You can also use any custom software delivery tools you have developed specifically for your organization. If you use a commercial or custom software distribution mechanism, review the release notes text file included with the agent package for platform-specific installation details.

About the Files and Directories Installed on the Agent

When you complete the installation, the local computer will be updated with the following directories and files for the core Privilege Control Agent for *NIX:

This directory Contains
/etc/centrifydc The agent configuration file and the Kerberos configuration file.
/usr/share/centrifydc Kerberos-related files and service library files used by the Centrify Agent to enable group policy and authentication and authorization services.
/usr/sbin and /usr/bin Command line programs to perform Active Directory tasks, such as join the domain and change a user password.
/var/centrify Directories for temporary and common files that can be used by the agent.
/var/centrifydc Before joining the domain, the directory contains basic information about the environment, such as the IP address of the DNS server and whether you installed licensed or express agent features. After you join the domain, several files are added to this directory to record information about the Active Directory domain the computer is joined to, the Active Directory site the computer is part of, and other details.

Depending on the components you select during installation, additional files and directories might be installed or updated. For example, if you install Enterprise Edition, the computer is updated with additional files and directories for auditing.

Joining an Active Directory Domain at a Later Time

At this point, you have delivered the software to target computers, but not changed their configuration. Users still have exactly the same access as they did before installing Privilege Control software. The computer's configuration changes only happen when the computer joins an Active Directory domain, that is, joining the domain is what "activates" Privilege Control software.

You have the option to automatically join an Active Directory domain when you install Privilege Control Agents with the install.sh script. In most cases, however, you should not do so unless you have already planned your user migration and created your initial zones. Typically, it is best to analyze the user population and prepare for migration before joining the domain to ensure minimal disruption of user activity and ease the transition to new software. Over time, as you become more familiar with the migration process and refine your zone design, you can adapt the steps to suit your organization.

If you want to join the domain at the same time you deploy the Privilege Control software, you should do the following before you install files on the UNIX computers:

  1. Download the Privilege Control software for all platforms or the subset of platforms you intend to support.

  2. Analyze existing user and group accounts.

  3. Identify your zone requirements and create the initial zone design.

  4. Migrate users and groups into the appropriate zones and role assignments.

  5. Use the install.sh script or a custom script to install Privilege Control Agents and join the domain.

The additional steps are described in the next sections. You can also manually join a domain at any time after installation by using the adjoin command.

Upgrade the Linux Agent

  1. Log in to your Linux server as the root user.

  2. Create a folder (for example, delinea-agent) and extract the download package to the folder.

    # mkdir delinea-agent

    # tar -xzf rhel6-x86_64.tgz -C delinea-agent/

  3. Navigate to the folder that you created in the previous step:

    # cd delinea-agent/

  4. Upgrade the Linux Agent using agent_setup.sh:

    # ./agent_setup.sh --upgrade

There are several options you can specify if needed. To see the usage of agent_setup.sh, run:

    # ./agent_setup.sh --help

Uninstall a Linux Agent

To uninstall a Linux agent:

  1. Log in to your Linux server as root.

  2. Create a folder (for example, delinea-agent) and extract the download package to the folder.

    # mkdir delinea-agent

    # tar -xzf rhel6-x86_64.tgz -C delinea-agent/

  3. Navigate to the folder you created in the previous step:

    # cd delinea-agent/

  4. If the machine is currently joined to a domain, leave the domain.

    # adleave

    If the computer is joined to a domain and you do not leave it before running the uninstall command, a forced local leave is performed during the uninstall, but the computer account remains in Active Directory.

  5. Uninstall the Linux Agent:

    # ./agent_setup.sh --uninstall