Tivoli® Policy Director for Operating Systems Installation Guide, Version 3.8, GC32-0796-00

Tivoli Policy Director for Operating Systemspublib.boulder.ibm.com/tividd/td/ITAMOS/GC32-0796-00/en...Chapter 2, “Planning to Install” on page 9 Provides planning and prerequisite



Tivoli Policy Director for Operating Systems Installation Guide

Copyright Notice

© Copyright IBM Corporation 2000, 2001. All rights reserved. May only be used pursuant to a Tivoli Systems Software License Agreement, an IBM Software License Agreement, or Addendum for Tivoli Products to IBM Customer or License Agreement. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any computer language, in any form or by any means, electronic, mechanical, magnetic, optical, chemical, manual, or otherwise, without prior written permission of IBM Corporation. IBM Corporation grants you limited permission to make hardcopy or other reproductions of any machine-readable documentation for your own use, provided that each such reproduction shall carry the IBM Corporation copyright notice. No other rights under copyright are granted without prior written permission of IBM Corporation. The document is not intended for production and is furnished “as is” without warranty of any kind. All warranties on this document are hereby disclaimed, including the warranties of merchantability and fitness for a particular purpose.

U.S. Government Users Restricted Rights: Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corporation.

Trademarks

AIX, IBM, RS/6000, SecureWay, Tivoli, Tivoli Enterprise Console, and the Tivoli logo are trademarks or registered trademarks of International Business Machines Corporation or Tivoli Systems Inc. in the United States, other countries, or both.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Other company, product, and service names may be trademarks or service marks of others.

Notices

References in this publication to Tivoli Systems or IBM products, programs, or services do not imply that they will be available in all countries in which Tivoli Systems or IBM operates. Any reference to these products, programs, or services is not intended to imply that only Tivoli Systems or IBM products, programs, or services can be used. Subject to valid intellectual property or other legally protectable right of Tivoli Systems or IBM, any functionally equivalent product, program, or service can be used instead of the referenced product, program, or service. The evaluation and verification of operation in conjunction with other products, except those expressly designated by Tivoli Systems or IBM, are the responsibility of the user. Tivoli Systems or IBM may have patents or pending patent applications covering subject matter in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to the IBM Director of Licensing, IBM Corporation, North Castle Drive, Armonk, New York 10504-1785, U.S.A.


Contents

Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii

Who Should Read This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii

What This Guide Contains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii

Publications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . viii

Tivoli Policy Director for Operating Systems Library . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . viii

Prerequisite Publications. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . viii

Accessing Publications Online . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ix

Ordering Publications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ix

Providing Feedback about Publications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ix

Contacting Customer Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ix

Conventions Used in This Book . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ix

Typeface Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x

Operating System-dependent Variables and Paths . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x

Platform-specific Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x

Chapter 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

What Is Tivoli Policy Director for Operating Systems? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

What Are Its Features? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

How Does It Work? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

What Does the Package Contain? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

Native Installation Package CD Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Tivoli Installation Package CD Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

Language Support (Native Installation Package) CD Contents . . . . . . . . . . . . . . . . . . . . . . . . . . 5

Language Support (Tivoli Installation Package) CD Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

Enabling Language Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

For More Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Chapter 2. Planning to Install . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Migrating from Tivoli Access Control Facility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Hardware and Software Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Installation Decisions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

Type of Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

Policy Branch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

Before You Install . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

Directories Used . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11


Users and Groups Used . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

Upgrade Considerations Before Installing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

Chapter 3. Installing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

Types of Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

Installing On All Platforms Using Easy Install . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

Installing on AIX Using Native Install . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Installing on AIX Using SMIT. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Installing on AIX From the Command Line . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

Installing on HP-UX Using Native Install . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

Installing on HP-UX Using swinstall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

Installing on HP-UX From the Command Line . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

Installing on Solaris Using Native Install . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

Installing on Solaris Using Admintool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

Installing on Solaris From the Command Line . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

Installing on Linux Using Native Install. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

Installing on Linux From the Command Line. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

Installing Using the Tivoli Desktop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

Installing Tivoli Policy Director for Operating Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

Installing the Tivoli Policy Director for Operating Systems Management Tasks. . . . . . . . . . . . . 35

Installing the Tivoli Policy Director for Operating Systems Enterprise Console Integration . . . . 36

Upgrade Considerations After Installing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

Chapter 4. Configuring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

Planning to Configure Tivoli Policy Director for Operating Systems. . . . . . . . . . . . . . . . . . . . . . . . . 39

Usage of Configuration Command Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

Configuration Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

Configuring from the Command Line . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

Configuring Using a Response File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

Creating a Response File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

Using a Response File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

Mapping Command Line Options to Attributes in Response File . . . . . . . . . . . . . . . . . . . . . . . 46

Chapter 5. Configuring the PDOSTECD Daemon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

Planning to Configure the PDOSTECD Daemon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

Configuring from the Command Line . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

Chapter 6. Starting and Stopping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51

Starting Tivoli Policy Director for Operating Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51


Command Line . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51

Autostart . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51

Protection Against Errors During Initialization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51

Confirming Tivoli Policy Director for Operating Systems Is Running . . . . . . . . . . . . . . . . . . . . . . . . 52

Stopping Tivoli Policy Director for Operating Systems. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52

Starting and Stopping the PDOSTECD Daemon. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52

Chapter 7. Unconfiguring the PDOSTECD Daemon . . . . . . . . . . . . . . . . . . . . . . 53

Planning to Unconfigure the PDOSTECD Daemon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53

Unconfiguring from the Command Line. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53

Chapter 8. Unconfiguring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55

Planning to Unconfigure Tivoli Policy Director for Operating Systems . . . . . . . . . . . . . . . . . . . . . . . 55

Usage of the Unconfiguration Command Options. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55

Unconfiguration Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56

Using a Response File for Unconfiguration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

Creating a Response File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

Using a Response File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

Mapping Command Line Options to Attributes in Response File . . . . . . . . . . . . . . . . . . . . . . . 57

Unconfiguring Associated Products . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

Chapter 9. Uninstalling. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

Uninstalling on AIX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

Uninstalling on AIX Using SMIT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

Uninstalling on AIX Using the Command Line . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60

Uninstalling on HP-UX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60

Uninstalling on HP-UX Using swremove . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60

Uninstalling on HP-UX Using the Command Line . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61

Uninstalling on Solaris . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61

Uninstalling on Solaris Using ADMINTOOL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61

Uninstalling on Solaris Using the Command Line . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62

Uninstalling on Linux . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62

Uninstalling on Linux Using the Command Line . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62

Uninstalling Associated Products . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63

AIX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63

HP-UX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64

Solaris. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64

Linux . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64


Appendix A. Configuration Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65

Appendix B. Unconfiguration Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69

Appendix C. Migrating from Tivoli Access Control Facility . . . . . . . . . . . . . . 71

Overview of the Migration Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71

Planning to Migrate to Tivoli Policy Director for Operating Systems . . . . . . . . . . . . . . . . . . . . . . . . 72

Inherited and Noninherited ACL Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72

Centralized and Distributed Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73

Migration Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74

Pre-migration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74

Migration Steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74

se2pdos Translation Utility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

Usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78

ACL Permissions and Namespace . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79

Script Mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85


Preface

The Tivoli Policy Director for Operating Systems Installation Guide provides information on planning, installing, and configuring Tivoli Policy Director for Operating Systems.

Who Should Read This Guide

The book is intended for system administrators who have some knowledge of these topics:

¶ UNIX® operating system

¶ Internet protocols, including HTTP, TCP/IP, FTP, TELNET, SSL

¶ Security management

¶ Directory services

¶ Authentication

¶ Authorization

¶ Tivoli Policy Director

Supplementary information that system administrators may find useful includes knowledge of the following topics:

¶ Tivoli Management Environment Framework

¶ Tivoli Distributed Monitoring

¶ Tivoli Enterprise Console®

¶ Tivoli Risk Manager

¶ Tivoli Security Manager

¶ Tivoli User Administration

What This Guide Contains

The Tivoli Policy Director for Operating Systems Installation Guide contains the following sections:

¶ Chapter 1, “Introduction” on page 1

Provides an overview of Tivoli Policy Director for Operating Systems, its functions, and the contents of the Tivoli Policy Director for Operating Systems package.

¶ Chapter 2, “Planning to Install” on page 9

Provides planning and prerequisite information needed for installing Tivoli Policy Director for Operating Systems.

¶ Chapter 3, “Installing” on page 13

Describes installing Tivoli Policy Director for Operating Systems using easy install, native install, or the Tivoli desktop.

¶ Chapter 4, “Configuring” on page 39

Describes planning to configure Tivoli Policy Director for Operating Systems, configuration options, and configuration from the command line and from a response file.


¶ Chapter 5, “Configuring the PDOSTECD Daemon” on page 49

Describes configuring the PDOSTECD daemon.

¶ Chapter 6, “Starting and Stopping” on page 51

Explains how to start and stop Tivoli Policy Director for Operating Systems, and how to determine if Tivoli Policy Director for Operating Systems is running.

¶ Chapter 7, “Unconfiguring the PDOSTECD Daemon” on page 53

Describes unconfiguring the PDOSTECD daemon.

¶ Chapter 8, “Unconfiguring” on page 55

Describes planning to unconfigure Tivoli Policy Director for Operating Systems, unconfiguration options, and unconfiguration from the command line and from a response file.

¶ Chapter 9, “Uninstalling” on page 59

Describes uninstalling Tivoli Policy Director for Operating Systems using the native uninstallation utility and using the command line.

¶ Appendix A, “Configuration Options” on page 65

Defines the configuration options and gives their minimum, maximum, and default values.

¶ Appendix B, “Unconfiguration Options” on page 69

Defines the unconfiguration options and gives their minimum, maximum, and default values.

¶ Appendix C, “Migrating from Tivoli Access Control Facility” on page 71

Describes the information needed to migrate from the Tivoli Access Control Facility to Tivoli Policy Director for Operating Systems.

Publications

This section lists publications in the Tivoli Policy Director for Operating Systems library and any other related documents. It also describes how to access Tivoli publications online, how to order Tivoli publications, and how to make comments on Tivoli publications.

Tivoli Policy Director for Operating Systems Library

The following documents are available in the Tivoli Policy Director for Operating Systems library:

¶ Tivoli Policy Director for Operating Systems Installation Guide

Provides information about installing Tivoli Policy Director for Operating Systems.

¶ Tivoli Policy Director for Operating Systems Administration Guide

Provides information on using Tivoli Policy Director for Operating Systems and includes a reference of the commands available.

¶ Tivoli Policy Director for Operating Systems Release Notes

Provides late-breaking information about Tivoli Policy Director for Operating Systems.

Prerequisite Publications

To be able to use the information in this guide effectively, you must have some prerequisite knowledge, which you can get from the following books:


¶ Tivoli SecureWay® Policy Director Base Administration Guide, Version 3.8

¶ Tivoli SecureWay Policy Director Base Installation Guide, Version 3.8

¶ Tivoli SecureWay Policy Director Release Notes, Version 3.8

Accessing Publications Online

You can access many Tivoli publications online at the Tivoli Customer Support Web site:

http://www.tivoli.com/support/documents/

These publications are available in PDF or HTML format, or both. Translated documents are also available for some products.

Ordering Publications

You can order many Tivoli publications online at the following Web site:

http://www.ibm.com/shop/publications/order

You can also order by telephone by calling one of these numbers:

¶ In the United States: 800-879-2755

¶ In Canada: 800-426-4968

¶ In other countries, for a list of telephone numbers, see the following Web site:

http://www.tivoli.com/inside/store/lit_order.html

Providing Feedback about Publications

We are very interested in hearing about your experience with Tivoli products and documentation, and we welcome your suggestions for improvements. If you have comments or suggestions about our products and documentation, contact us in one of the following ways:

¶ Send an e-mail to [email protected].

¶ Complete our customer feedback survey at the following Web site:

http://www.tivoli.com/support/survey/

Contacting Customer Support

If you have a problem with any Tivoli product, you can contact Tivoli Customer Support. See the Tivoli Customer Support Handbook at the following Web site:

http://www.tivoli.com/support/handbook/

The handbook provides information about how to contact Tivoli Customer Support, depending on the severity of your problem, and the following information:

¶ Registration and eligibility

¶ Telephone numbers and e-mail addresses, depending on the country you are in

¶ What information you should gather before contacting support

Conventions Used in This Book

This book uses several conventions for special terms and actions, operating system-dependent commands and paths, and margin graphics.


Typeface Conventions

The following typeface conventions are used in this book:

Bold: Lowercase and mixed-case commands, command options, and flags that appear within text appear like this, in bold type. Graphical user interface elements (except for titles of windows and dialogs) and names of keys also appear like this, in bold type.

Italic: Variables, values you must provide, new terms, and words and phrases that are emphasized appear like this, in italic type.

Monospace: Commands, command options, and flags that appear on a separate line, code examples, output, and message text appear like this, in monospace type. Names of files and directories, text strings you must type, when they appear within text, names of Java methods and classes, and HTML and XML tags also appear like this, in monospace type.

Operating System-dependent Variables and Paths

This book uses the UNIX convention for specifying environment variables and for directory notation.

When using the Windows command line, replace $variable with %variable% for environment variables and replace each forward slash (/) with a backslash (\) in directory paths.

Note: If you are using the bash shell on a Windows system, you can use the UNIX conventions.

Platform-specific Information

Information on the supported platforms can be found in the Tivoli Policy Director for Operating Systems Release Notes.

Chapter 1. Introduction

This chapter provides a brief overview of Tivoli Policy Director for Operating Systems, including information about the following topics:

¶ What is Tivoli Policy Director for Operating Systems?

¶ What are its features?

¶ How does it work?

¶ What does the Tivoli Policy Director for Operating Systems package contain?

This chapter also contains sources to consult for additional information.

Before you install Tivoli Policy Director for Operating Systems, it is suggested that you read this book and the Tivoli Policy Director for Operating Systems Administration Guide, Version 3.8.

What Is Tivoli Policy Director for Operating Systems?

Tivoli Policy Director for Operating Systems provides a layer of authorization policy enforcement in addition to that provided by the native operating system. An administrator defines additional authorization policy by applying fine-grained access controls that restrict or permit access to key system resources. Controls are based on user identity, group membership, the type of operation, the time of day or the day of the week, and the accessing application. An administrator can control access to specific file resources, login and network services, and changes of identity. These controls can also be used to manage the execution of administrative procedures and to limit administrative capabilities on a per-user basis. In addition to authorization policy enforcement, Tivoli Policy Director for Operating Systems provides mechanisms to verify defined policy and audit authorization decisions.

What Are Its Features?

Tivoli Policy Director for Operating Systems enhances UNIX security by using Tivoli Policy Director core function in the following ways:

¶ Provides fine-grained access control to network services

¶ Provides fine-grained access control to files and commands

¶ Provides fine-grained control of login services

¶ Can limit the privileges of the root user

¶ Is uniform across platforms

¶ Provides for centralized management of authorization policy


How Does It Work?

Tivoli Policy Director for Operating Systems is invoked immediately after the UNIX-based operating system has completed its initialization and places hooks in system services that need to be protected. These hooks pass control to Tivoli Policy Director for Operating Systems before the service being requested is performed. When a user requests a system service for an object that is being protected, Tivoli Policy Director for Operating Systems accesses the policy information associated with the object to determine whether the user is permitted to perform the requested operation. The decision to allow or deny access is based on the access rules and policies that are defined in the Tivoli Policy Director database by the system administrator.

Figure 1 shows a graphical representation of the interaction between Tivoli Policy Director for Operating Systems, Tivoli Policy Director, and the IBM SecureWay Directory Server (the LDAP Server in the diagram) when a user request is made.

What Does the Package Contain?

The Tivoli Policy Director for Operating Systems package consists of the following CDs.

¶ Tivoli Policy Director for Operating Systems (128-BIT), Version 3.8 (Native Installation Package)

¶ Tivoli Policy Director for Operating Systems (128-BIT), Version 3.8 (Tivoli Installation Package)

Figure 1. Tivoli Policy Director for Operating Systems Architecture (diagram; labels recovered from the figure: User Request; Policy Director Server; LDAP Server; Replicated Policy Director DB; User Registry; Policy Director DB; Credential Cache; PDOS Processes; PDOS Kernel Interception; Native OS Services; User Mode; Kernel Mode)

¶ Tivoli Policy Director for Operating Systems, Version 3.8, Language Support (Native Installation Package)

¶ Tivoli Policy Director for Operating Systems, Version 3.8, Language Support (Tivoli Installation Package)

¶ Tivoli Policy Director for Operating Systems, Version 3.8, Documentation

¶ Tivoli SecureWay Policy Director Base for AIX and Linux (128-BIT), Version 3.8

¶ Tivoli SecureWay Policy Director Base for Windows (128-BIT), Version 3.8

¶ Tivoli SecureWay Policy Director Base for Solaris and HP-UX (128-BIT), Version 3.8

¶ Tivoli SecureWay Policy Director Web Portal Manager (128-BIT), Version 3.8

Native Installation Package CD Contents

The contents of the Tivoli Policy Director for Operating Systems (Native Installation Package) CD are as follows.

Table 1. Contents of Native Installation CD

Platform (Directory) | Component | Package
AIX (/usr/sys/inst.images) | IBM Global Security Toolkit 4.0.3.197 | gskit.rte
 | IBM SecureWay Directory 3.2.1 Client with efix4 applied | ldap.client
 | IBM SecureWay Directory 3.2.1 Max Crypto Client | ldap.max_crypto_client
 | IBM SecureWay Directory 3.1.1.5 Client (used on AIX 4.3.1 and AIX 4.3.2) | ldap3115.client
 | IBM SecureWay Directory 3.1.1.5 Max Crypto Client (used on AIX 4.3.1 and AIX 4.3.2) | ldap3115.max_crypto_client
 | Tivoli Policy Director 3.8.0 Runtime Environment with Fix Pack 2 (3.8-POL-0002) applied | PD.RTE
 | Tivoli Policy Director for Operating Systems 3.8.0 Runtime Environment | PDOS.rte
HP-UX (/hp) | IBM Global Security Toolkit 4.0.3.168 | gsk4bas
 | IBM SecureWay Directory 3.2.1 Client | LDAP
 | Tivoli Policy Director 3.8.0 Runtime Environment with Fix Pack 2 (3.8-POL-0002) applied | PDRTE
 | Tivoli Policy Director for Operating Systems 3.8.0 Runtime Environment | PDOSrte
Solaris (/solaris) | IBM Global Security Toolkit 4.0.3.197 | gsk4bas
 | IBM SecureWay Directory 3.2.1 Client with efix4 applied | IBMldapc
 | Tivoli Policy Director 3.8.0 Runtime Environment with Fix Pack 2 (3.8-POL-0002) applied | PDRTE
 | Tivoli Policy Director for Operating Systems 3.8.0 Runtime Environment | PDOSrte


Table 1. Contents of Native Installation CD (continued)

Platform (Directory) | Component | Package
Linux (/linux) | IBM Global Security Toolkit 4.0.3.197 | gsk4bas-4.0-3.197.i386.rpm
 | IBM SecureWay Directory 3.2.2 Client | ldap-clientd-3.2-2.i386.rpm
 | Tivoli Policy Director 3.8.0 Runtime Environment with Fix Pack 2 (3.8-POL-0002) applied | PDRTE-PD-3.8.0-2.i386.rpm
 | Tivoli Policy Director for Operating Systems 3.8.0 Runtime Environment | PDOSrte-PDOSruntime-3.8.0-0.i386.rpm
All Platforms (/doc) | Tivoli Policy Director for Operating Systems Installation Guide Version 3.8.0 (PDF) | pdos38_install.pdf
 | Tivoli Policy Director for Operating Systems Administration Guide Version 3.8.0 (PDF) | pdos38_admin.pdf
 | Tivoli Policy Director for Operating Systems Release Notes Version 3.8.0 (PDF) | pdos38_relnotes.pdf

Tivoli Installation Package CD Contents

The Tivoli Policy Director for Operating Systems (Tivoli Installation Package) CD contains all the prerequisite products provided on the Native Installation Package CD, packaged for the Tivoli installation tools, plus the additional components listed in Table 2.

Table 2. Additional Contents of Tivoli Installation CD

Directory | Component | Package
PDOS.cdrom | Tivoli Policy Director for Operating Systems, Version 3.8 | PDOS.IND
 | Tivoli Policy Director for Operating Systems Management Tasks, Version 3.8 | PDOSTASK.IND
 | Tivoli Policy Director for Operating Systems Enterprise Console Integration, Version 3.8 | PDOSTEC.IND
 | Tivoli Security Manager Endpoint Installation Tool, Version 3.8 | SECCLNT.IND
PDOSU.cdrom | Tivoli Policy Director for Operating Systems, Upgrade from Version 3.7 to Version 3.8 | PDOS38.IND
 | Tivoli Policy Director for Operating Systems Management Tasks, Upgrade from Version 3.7 to Version 3.8 | PTASK38.IND
 | Tivoli Policy Director for Operating Systems Enterprise Console Integration, Upgrade from Version 3.7.1 to Version 3.8 | PDTEC38.IND
doc | Tivoli Policy Director for Operating Systems Installation Guide Version 3.8.0 (PDF) | pdos38_install.pdf
 | Tivoli Policy Director for Operating Systems Administration Guide Version 3.8.0 (PDF) | pdos38_admin.pdf
 | Tivoli Policy Director for Operating Systems Release Notes Version 3.8.0 (PDF) | pdos38_relnotes.pdf


Language Support (Native Installation Package) CD Contents

The Tivoli Policy Director for Operating Systems Version 3.8 Language Support (Native Installation Package) CD contains the following packages.

Table 3. Contents of Language Support (Native Installation Package) CD

Platform (Directory) | Component | Package
AIX (/usr/sys/) | IBM SecureWay Directory 3.2.1 Messages | ldap.msg.xx_XX
 | Tivoli Policy Director for Operating Systems 3.8.0 Messages | PDOS.msg.xx_XX
HP-UX (/hp) | Tivoli Policy Director for Operating Systems 3.8.0 Messages | PDOSmsg.xx_XX
Solaris (/solaris) | Tivoli Policy Director for Operating Systems 3.8.0 Messages | PDOSxxXX
Linux (/linux) | Tivoli Policy Director for Operating Systems 3.8.0 Messages | PDOSmsg-xx-XX-3.8.0-0.i386.rpm

Substitute the appropriate locale for xx_XX or xxXX in the package name using the information found in the tables in “Enabling Language Support” on page 6.

For example, the Tivoli Policy Director for Operating Systems Version 3.8 Messages package for US English for each supported platform would be:

AIX      PDOS.msg.en_US
HP-UX    PDOSmsg.en_US
Solaris  PDOSenUS
Linux    PDOSmsg-en_US-3.8.0-0.i386.rpm

Note: Unlike Tivoli Policy Director for Operating Systems, the other products packaged on the installation media might not have a separately installable US English language package. In these cases, the US English language support is provided by default in the base installation package.

Language Support (Tivoli Installation Package) CD Contents

The Tivoli Policy Director for Operating Systems Version 3.8 Language Support (Tivoli Installation Package) CD contains the following packages.

Table 4. Contents of Language Support (Tivoli Installation Package) CD

Directory | Component | Package
PDOSNLS.cdrom | Tivoli Policy Director for Operating Systems Message Catalogs, Version 3.8 | PDOSMSG.IND
 | Tivoli Policy Director for Operating Systems Message Catalogs, Upgrade, Version 3.7 to Version 3.8 | PDMSG38.IND


Table 4. Contents of Language Support (Tivoli Installation Package) CD (continued)

Directory | Component | Package
TIVTASK.cdrom | Tivoli Policy Director for Operating Systems Management Task, Version 3.8 [de] German language | PDOS_DE.IND
 | Tivoli Policy Director for Operating Systems Management Task, Version 3.8 [es] Spanish language | PDOS_ES.IND
 | Tivoli Policy Director for Operating Systems Management Task, Version 3.8 [fr] French language | PDOS_FR.IND
 | Tivoli Policy Director for Operating Systems Management Task, Version 3.8 [it] Italian language | PDOS_IT.IND
 | Tivoli Policy Director for Operating Systems Management Task, Version 3.8 [ja] Japanese language | PDOS_JA.IND
 | Tivoli Policy Director for Operating Systems Management Task, Version 3.8 [ko] Korean language | PDOS_KO.IND
 | Tivoli Policy Director for Operating Systems Management Task, Version 3.8 [pt_BR] Brazilian Portuguese language | PDOS_PTB.IND
 | Tivoli Policy Director for Operating Systems Management Task, Version 3.8 [zh_CN] Simplified Chinese language | PDOS_ZHC.IND
 | Tivoli Policy Director for Operating Systems Management Task, Version 3.8 [zh_TW] Traditional Chinese language | PDOS_ZHT.IND

Enabling Language Support

Tivoli Policy Director for Operating Systems is translated into the following languages, where available:

¶ Brazilian Portuguese

¶ Chinese (simplified)

¶ Chinese (traditional)

¶ U.S. English

¶ French

¶ German

¶ Italian

¶ Japanese

¶ Korean

¶ Spanish

To enable these languages, install the appropriate language support package. Be sure to set your locale based on your operating system procedures. You can also install multiple language support packages for a single product.

The following tables show the package name for the Tivoli Policy Director for Operating Systems message package as it relates to code page and language for each operating system platform.


Table 5. AIX Language Support

Language | Package Name
Brazilian Portuguese | PDOS.msg.pt_BR
Simplified Chinese (EUC) | PDOS.msg.zh_CN
Simplified Chinese (GBK) | PDOS.msg.Zh_CN
Traditional Chinese | PDOS.msg.zh_TW
T-Chinese (big5) | PDOS.msg.Zh_TW
U.S. English | PDOS.msg.en_US
French | PDOS.msg.fr_FR
French (IBM-850) | PDOS.msg.Fr_FR
German | PDOS.msg.de_DE
German (IBM-850) | PDOS.msg.De_DE
Italian | PDOS.msg.it_IT
Italian (IBM-850) | PDOS.msg.It_IT
Japanese (IBM-eucJP) | PDOS.msg.ja_JP
Japanese | PDOS.msg.Ja_JP
Korean | PDOS.msg.ko_KR
Spanish | PDOS.msg.es_ES
Spanish (IBM-850) | PDOS.msg.Es_ES

Table 6. HP-UX Language Support

Language | Package Name
Simplified Chinese (EUC) | PDOSmsg.zh_CN
Traditional Chinese | PDOSmsg.zh_TW
T-Chinese (big5) | PDOSmsg.Zh_TW
U.S. English | PDOSmsg.en_US
French | PDOSmsg.fr_FR
German | PDOSmsg.de_DE
Italian | PDOSmsg.it_IT
Japanese (IBM-eucJP) | PDOSmsg.ja_JP
Japanese | PDOSmsg.Ja_JP
Korean | PDOSmsg.ko_KR
Spanish | PDOSmsg.es_ES

Table 7. Solaris Language Support

Language | Package Name
Brazilian Portuguese | PDOSptBR
Simplified Chinese (EUC) | PDOSzhCN
Traditional Chinese | PDOSzhTW
T-Chinese (big5) | PDOSZhTW
U.S. English | PDOSenUS
French | PDOSfrFR


Table 7. Solaris Language Support (continued)

Language | Package Name
German | PDOSdeDE
Italian | PDOSitIT
Japanese (IBM-eucJP) | PDOSjaJP
Japanese | PDOSJaJP
Korean | PDOSkoKR
Spanish | PDOSesES

Table 8. Linux Language Support

Language | Package Name
Brazilian Portuguese | PDOSmsg-pt_BR-3.8.0-0.i386.rpm
Traditional Chinese (see Note) | PDOSmsg-Zh_TW-3.8.0-0.i386.rpm
U.S. English | PDOSmsg-en_US-3.8.0-0.i386.rpm
French | PDOSmsg-fr_FR-3.8.0-0.i386.rpm
German | PDOSmsg-de_DE-3.8.0-0.i386.rpm
Italian | PDOSmsg-it_IT-3.8.0-0.i386.rpm
Japanese (eucjp) | PDOSmsg-ja_JP-3.8.0-0.i386.rpm
Spanish | PDOSmsg-es_ES-3.8.0-0.i386.rpm

Note: Traditional Chinese is not available on Red Hat Linux Version 6.2.

For More Information

For general information about Tivoli Policy Director for Operating Systems, customer support (including a discussion forum), product news, and education, visit this Web site:

http://www.tivoli.com/products/index/


Planning to Install

This chapter discusses planning and prerequisites needed to install Tivoli Policy Director for Operating Systems.

Migrating from Tivoli Access Control Facility

If you are currently using Tivoli Access Control Facility for enforcing policy, whether in a Tivoli Security Manager environment or not, you should read the information in Appendix C, “Migrating from Tivoli Access Control Facility” on page 71 in addition to the information in this chapter.

Hardware and Software Requirements

The hardware and software requirements for Tivoli Policy Director for Operating Systems can be found in the Tivoli Policy Director for Operating Systems Release Notes. Ensure that you are running a supported version of your operating system and that you have installed the proper patches before proceeding.

Prerequisites

Before you install and configure Tivoli Policy Director for Operating Systems, you need to know some information about your environment, and your environment needs to be in a certain state:

1. The Tivoli Policy Director management server, Version 3.8, should be installed and configured to use the LDAP User Registry.

2. Both the Tivoli Policy Director management server and the LDAP server should be running.

3. You should have your base64 encoded LDAP SSL CA certificate file from the LDAP server machine.

Note: If you used the ezinstall_ldap_server script to install and configure your LDAP server and you chose to use the default LDAP SSL CA certificate file provided by Tivoli Policy Director, you must obtain the /etc/gsk/pd_ldapcert.arm file from the LDAP server and use that file during Tivoli Policy Director for Operating Systems install and configuration.

4. You should know your LDAP User Registry suffix.

5. You should know the name of the policy branch under which you are configuring.

6. You should know the Tivoli Policy Director security master password.


Information on installing and configuring the Tivoli Policy Director management server and the LDAP User Registry, as well as creating an SSL certificate file, can be found in the Tivoli SecureWay Policy Director Base Installation Guide, Version 3.8. If you create a self-signed certificate for SSL communications, be sure to set a suitable lifetime, such as 3650 days, to ensure that the certificate does not expire prematurely. The default certificate lifetime is only 365 days.

Installation Decisions

There are a few basic installation decisions that you should make to assist you in your planning and deployment.

Type of Installation

Tivoli Policy Director for Operating Systems can be installed in one of the following three ways.

Easy Install
Easy Install is the recommended way to initially install or to upgrade an existing system with Tivoli Policy Director for Operating Systems installed. The Easy Install procedure involves running a single script which installs and configures Tivoli Policy Director for Operating Systems and also installs or upgrades all the prerequisite software residing on the system.

Tivoli Desktop Install
Tivoli Desktop Install provides a set of packages that can be installed and configured using the Tivoli desktop. The prerequisite software needed by Tivoli Policy Director for Operating Systems is also installed or upgraded as needed. This method assumes familiarity with the Tivoli desktop and prior experience with installing Tivoli software.

Native Install
Native Install not only provides the most flexibility in choosing how to install or upgrade Tivoli Policy Director for Operating Systems but also requires the greatest amount of technical expertise. You are responsible for installing or upgrading the prerequisite software on the system and applying the necessary patches. Native installation utilities are used to install the desired software packages on the system. After installing all the necessary software, you must manually configure Tivoli Policy Director for Operating Systems before starting it.

Choose the installation type that best matches your environment and expectations. The installation and upgrade instructions are dependent on the type of installation chosen. See “Types of Installation” on page 13 and “Upgrade Considerations Before Installing” on page 12 for more details.

Policy Branch

Your environment probably has several systems that are used for the same or similar purposes and that require the same or similar authorization policy. Tivoli Policy Director for Operating Systems enables you to group systems together by placing them within a policy branch. Systems in the same policy branch are subject to the same authorization policy.

The policy branch is defined on the Tivoli Policy Director management server in the /OSSEAL/policy-branch namespace, where policy-branch is your user-defined policy branch name. For instance, if you wanted to group your systems based on whether they are servers, graphics workstations, or development workstations, you might choose to call your policy branches:


/OSSEAL/Servers
/OSSEAL/Graphics
/OSSEAL/ProdDev

If your Tivoli Policy Director management server does not yet have an /OSSEAL branch, and therefore no Tivoli Policy Director for Operating Systems systems configured, you must configure the first system by itself, which also configures the management server database. When you subsequently create a new policy branch, such as the /OSSEAL/Servers one used in the previous example, you must configure the first system in that policy branch by itself as well.

After one system has been configured within a policy branch, other systems can be configured in parallel under that branch.

Before You Install

To install Tivoli Policy Director for Operating Systems you must:

¶ Have root permission

¶ Ensure that sufficient space is available in the /opt and /var filesystems.

The files associated with the product are installed in the following directories:

/opt/pdos
/var/pdos

Do not change the target installation directory.

¶ Uninstall any other LDAP clients installed on the system. This includes the Netscape iPlanet Directory client, the Sun LDAP client, which is commonly installed on Solaris systems, and nss_ldap, which is commonly installed on Red Hat Linux 7.1 systems.

¶ Verify that you have installed the necessary operating system patches. This information can be found in the Tivoli Policy Director for Operating Systems Release Notes.

¶ If you are upgrading from a previous version of Tivoli Policy Director for Operating Systems, see “Upgrade Considerations Before Installing” on page 12 before installing.

Directories Used

Tivoli Policy Director for Operating Systems stores authorization policy information, audit logs, and error logs in the various directories under /var/pdos. It is strongly recommended that /var/pdos be created as a separate file system in order to ensure that user activity that may cause /var to become full does not impact the ability to enforce authorization policy. It is also advisable to make /var/pdos/log and /var/pdos/audit separate file systems as well.

You should carefully monitor the space usage of the /var/pdos, /var/pdos/log, and /var/pdos/audit directories and take the appropriate action if available free space is limited.

Users and Groups Used

Tivoli Policy Director for Operating Systems relies on the existence of an osseal user ID and the osseal and ossaudit groups. If an osseal or ossaudit group entry does not exist at the time Tivoli Policy Director for Operating Systems is installed, the groups are created. Similarly, if an osseal user ID does not exist, one is created during installation. The osseal user ID created has a primary group of osseal.


In NIS environments, the osseal user ID and the osseal and ossaudit groups must be created locally and not reside in NIS. However, when installing on a system configured to use NIS, the user creation mechanisms used by Tivoli Policy Director for Operating Systems can result in these groups and user ID being created after the + entry in the /etc/passwd and /etc/group files. You must reorder the entries in these files to ensure that the users and groups created by Tivoli Policy Director for Operating Systems appear before the + in these files. Otherwise, the osseal user ID and the osseal and ossaudit groups are not usable if the NIS server is unavailable and Tivoli Policy Director for Operating Systems does not start.
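The ordering requirement above can be verified before the product is started. The script below is an added example, not a script shipped with Tivoli Policy Director for Operating Systems; the function names (entry_before_plus, check_pdos_local_entries, make_sample_files) are hypothetical, and the sample passwd and group contents, including the UID and GID values, are constructed.

```shell
#!/bin/sh
# Added example (not part of the IBM guide): check that the local osseal user
# and the osseal and ossaudit groups appear BEFORE the "+" NIS entry in
# /etc/passwd and /etc/group. If they come after it, they are unusable when
# the NIS server is unavailable and the product does not start.

# entry_before_plus FILE NAME
# Returns 0 when NAME (first colon-separated field) occurs in FILE before the
# first line beginning with "+" (plain "+", "+::::::" or "+@netgroup"), or
# anywhere in FILE when FILE has no "+" line at all; returns 1 otherwise.
entry_before_plus() {
    file=$1
    name=$2
    while IFS=: read -r first _rest; do
        case $first in
            \#*|'') continue ;;   # skip comment and blank lines
            +*) return 1 ;;       # reached the NIS marker first: too late
        esac
        if [ "$first" = "$name" ]; then
            return 0
        fi
    done < "$file"
    return 1                      # not present at all
}

# check_pdos_local_entries [PASSWD_FILE] [GROUP_FILE]
# Applies entry_before_plus to the user and groups the guide names. Defaults
# to the live /etc/passwd and /etc/group; prints one line per problem and
# returns 1 if any entry must be created locally or moved above the "+".
check_pdos_local_entries() {
    passwd_file=${1:-/etc/passwd}
    group_file=${2:-/etc/group}
    rc=0
    if ! entry_before_plus "$passwd_file" osseal; then
        echo "user osseal: missing from $passwd_file or placed after the + entry" >&2
        rc=1
    fi
    for g in osseal ossaudit; do
        if ! entry_before_plus "$group_file" "$g"; then
            echo "group $g: missing from $group_file or placed after the + entry" >&2
            rc=1
        fi
    done
    return $rc
}

# make_sample_files
# Writes constructed passwd/group files into a temporary directory and prints
# its path. "good" has the local entries before "+"; "bad" reproduces the
# layout the guide warns about (entries appended after "+"). UIDs/GIDs and
# the home directory are made up for the example.
make_sample_files() {
    dir=$(mktemp -d)
    printf '%s\n' 'root:x:0:0:root:/:/bin/sh' \
                  'osseal:x:201:201:PDOS user:/home/osseal:/bin/false' \
                  '+::::::' > "$dir/passwd.good"
    printf '%s\n' 'root:x:0:' 'osseal:x:201:' 'ossaudit:x:202:' '+:::' \
        > "$dir/group.good"
    printf '%s\n' 'root:x:0:0:root:/:/bin/sh' '+::::::' \
                  'osseal:x:201:201:PDOS user:/home/osseal:/bin/false' \
        > "$dir/passwd.bad"
    printf '%s\n' 'root:x:0:' '+:::' 'osseal:x:201:' 'ossaudit:x:202:' \
        > "$dir/group.bad"
    echo "$dir"
}

# Demonstration on the constructed files. On a real system run
# check_pdos_local_entries with no arguments, as root, before rc.osseal start.
sample_dir=$(make_sample_files)
if check_pdos_local_entries "$sample_dir/passwd.good" "$sample_dir/group.good"; then
    echo "sample good layout: local entries precede the NIS + entry"
fi
if ! check_pdos_local_entries "$sample_dir/passwd.bad" "$sample_dir/group.bad"; then
    echo "sample bad layout: reorder the entries before starting the product"
fi
rm -rf "$sample_dir"
```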

Upgrade Considerations Before Installing

If you are upgrading from a previous version of Tivoli Policy Director for Operating Systems, please do the following before installing this new version.

1. Verify that you have installed the necessary operating system patches and have sufficient space to install the product. This information can be found in the Tivoli Policy Director for Operating Systems Release Notes.

2. Configure Tivoli Policy Director for Operating Systems so that the daemons do not autostart on reboot by logging in as root and entering the following command:

pdoscfg -autostart off

3. If you have applied patch 3.7.1-SEC-0003 or later to your Tivoli Policy Director for Operating Systems system and have configured your system to send events to the Tivoli Enterprise Console, you must stop the PDOSTECD daemon and prevent it from autostarting as well by entering the following commands:

pdosteccfg -autostart off
rc.pdostecd stop

4. Stop Tivoli Policy Director for Operating Systems by entering the following command:

rc.osseal stop

5. Shut down and reboot the system. Verify that Tivoli Policy Director for Operating Systems is not active by entering the following command:

pdosctl -s

Note: If Tivoli Policy Director for Operating Systems has been active at any time since the last reboot, the system must be rebooted before installing and starting this new version. Rebooting ensures that the Tivoli Policy Director for Operating Systems components that run in the user level application space and those that run in the UNIX kernel are at the same level. After this new version is installed, if a previous version of the kernel components is still loaded, attempts to start Tivoli Policy Director for Operating Systems will fail until the system is rebooted.

6. Ensure that the Tivoli Policy Director management server used in your environment is at version 3.8 with Fix Pack 2 (3.8-POL-0002), or later, applied.

7. Install Tivoli Policy Director for Operating Systems following the procedure described in Chapter 3, “Installing” on page 13. If you are installing using Native Install, ensure that you are upgrading or applying the appropriate patches to the prerequisite software on the system.

After installing, see “Upgrade Considerations After Installing” on page 37.


Installing

This chapter explains how to install Tivoli Policy Director for Operating Systems on AIX, HP-UX, Solaris, and Linux.

Types of Installation

Tivoli Policy Director for Operating Systems can be installed on a system in one of the following three ways:

Easy Install
Using the Tivoli Policy Director for Operating Systems (128-BIT), Version 3.8 (Native Installation Package) CD, you run the ezinstall_pdosrte script to install and initially configure Tivoli Policy Director for Operating Systems and all the prerequisite software residing on this system. If a previous version of Tivoli Policy Director for Operating Systems and its prerequisites are configured, the script automatically updates your installation to the new version. See “Installing On All Platforms Using Easy Install” on page 14 for details.

Easy Install also performs the initial configuration of Tivoli Policy Director for Operating Systems using the policy defaults provided with the product.

Native Install
Using the Tivoli Policy Director for Operating Systems (128-BIT), Version 3.8 (Native Installation Package) CD, you use the native software installation utility provided with your operating system to install Tivoli Policy Director for Operating Systems. This method assumes you are familiar with the native installation utility and have used it to install software in the past.

The Tivoli Policy Director runtime environment must be installed and configured on the same machine on which Tivoli Policy Director for Operating Systems is installed.

You also must install the necessary prerequisites for Tivoli Policy Director for Operating Systems, including upgrading to the appropriate levels and installing the necessary patches, before performing a native install. These prerequisites, as well as an overview of the installation process itself, are provided in the following sections, based on your operating system platform:

¶ “Installing on AIX Using Native Install” on page 15

¶ “Installing on HP-UX Using Native Install” on page 17

¶ “Installing on Solaris Using Native Install” on page 19

¶ “Installing on Linux Using Native Install” on page 22


After installing Tivoli Policy Director for Operating Systems, you must configure it before use. See Chapter 4, “Configuring” on page 39 for details.

Tivoli Desktop Install
Using the Tivoli Policy Director for Operating Systems (128-BIT), Version 3.8 (Tivoli Installation Package) CD, you use the Tivoli desktop to install and initially configure Tivoli Policy Director for Operating Systems. Installation using this method is described in “Installing Using the Tivoli Desktop” on page 23.

If a previous version of Tivoli Policy Director for Operating Systems and its prerequisites are configured, Tivoli desktop install automatically updates your installation and the prerequisite software residing on this system to the new version. See “Installing Using the Tivoli Desktop” on page 23 for details. Tivoli Desktop Install also performs the initial configuration of Tivoli Policy Director for Operating Systems using the policy defaults provided with the product.

Note: Care must be taken if you are planning to install Tivoli Policy Director for Operating Systems on the same system as the Tivoli Policy Director management server or the IBM SecureWay Directory server. If you intend to install Tivoli Policy Director for Operating Systems in this environment using either Easy Install or Tivoli Desktop Install, you must first upgrade the Tivoli Policy Director management server and the IBM SecureWay Directory server to the level supported by Tivoli Policy Director for Operating Systems. You may then install using Easy Install or Tivoli Desktop Install.

If you have a previous version of Tivoli Policy Director for Operating Systems installed, you must have performed the steps outlined in “Upgrade Considerations Before Installing” on page 12 before continuing. After upgrading Tivoli Policy Director for Operating Systems on your system, see “Upgrade Considerations After Installing” on page 37 for additional tasks that need to be performed.

Installing On All Platforms Using Easy Install

The ezinstall_pdosrte script is provided to install and initially configure Tivoli Policy Director for Operating Systems with a minimum amount of effort. The script identifies the components that are already installed, locates the components that need to be installed on the installation media, and then installs and configures them.

To install using Easy Install, do the following.

1. Insert the Tivoli Policy Director for Operating Systems (128-BIT), Version 3.8 (Native Installation Package) CD into the CD-ROM drive.

2. Log in as root.

3. Mount the CD-ROM drive based on the mounting procedure for your operating system platform.

Note: On HP-UX, remember that the pfs_mount command requires the pfs_mountd and pfsd daemons to already be running.

4. Change to the CD-ROM directory.

5. Run the script by entering the appropriate command on the command line, based on your operating system platform:

Linux
./ezinstall_pdosrte.linux

All other platforms
./ezinstall_pdosrte

Easy Install prompts you for the information it needs as it runs. After the script completes, Tivoli Policy Director for Operating Systems, as well as the prerequisite software residing on the same machine, have been installed and configured.

Note: Easy Install does not upgrade the language packages installed on the system. You must install the necessary language support using the procedures outlined in either the Native Install or Tivoli Desktop Install sections.

Installing on AIX Using Native Install

Tivoli Policy Director for Operating Systems can be installed on AIX using SMIT, or it can be installed from the command line.

The following prerequisite products, located on the Native Installation CD, must be installed and configured before installing Tivoli Policy Director for Operating Systems:

¶ IBM Global Security Toolkit

¶ IBM SecureWay Directory Client

¶ IBM SecureWay Directory Max Crypto Client

¶ Tivoli Policy Director runtime environment

Refer to Table 1 on page 3 for package names, version numbers, and patch levels. Documentation for installing these products can be found in the /doc directory on the Tivoli Policy Director Base for AIX and Linux (128-BIT), Version 3.8 CD. Information on applying the efix4 patch to the IBM SecureWay Directory Client can be found on the Tivoli Policy Director for Operating Systems (128-BIT) Version 3.8 (Native Installation Package) CD in the /usr/sys/inst.images/patches/ldap_efix4/Readme file, and information on applying Fix Pack 2 (3.8-POL-0002) to Tivoli Policy Director Version 3.8 can be found in the /doc/3.8-POL-0002.README file on the same CD.

Depending on your system settings, prerequisite products might be pulled in as part of the Tivoli Policy Director for Operating Systems installation process.

Installing on AIX Using SMIT

Use these steps to install Tivoli Policy Director for Operating Systems on AIX using SMIT:

1. Insert the Tivoli Policy Director for Operating Systems (128-BIT), Version 3.8 (Native Installation Package) CD into the CD-ROM drive.

2. Log in as root.

3. Enter the following command at the command line:

   smit

The System Management Interface Tool window is displayed.

4. From the System Management menu, click Software Installation and Maintenance.

5. From the Software Installation and Maintenance menu, click Install and UpdateSoftware.

6. From the Install and Update Software menu, click Install and Update from LATESTAvailable Software. The Install and Update LATEST Available Software pop-uppanel is displayed.


7. Specify the INPUT device / directory for the software by entering the name of thedirectory where the Tivoli Policy Director for Operating Systems package is located:/dev/cd0. Click OK.

8. The Install and Update from LATEST Available Software pop-up panel is displayed.

9. By the SOFTWARE to install selection, click List. The Multi-select List pop-up panelis displayed. Highlight 3.8.0.0 Tivoli Policy Director for Operating Systems Runtime.Click OK.

10. The Install and Update from LATEST Available Software window is redisplayed.Click OK.

11. You are asked to confirm your installation choices. Click OK.

12. During installation, the Install and Update from LATEST Available Softwarewindow displays a split screen that shows the install command and the output log forthe installation.

13. When installation is complete, click Done.

14. Close the Install and Update from LATEST Available Software pop-up panel. TheSystem Management Interface Tool window is displayed.

15. Eject the CD from the CD-ROM drive.

16. Insert the Tivoli Policy Director for Operating Systems, Version 3.8 Language Support(Native Installation Package) CD into the CD-ROM drive.

17. From the System Management menu, click Software Installation and Maintenance.

18. From the Software Installation and Maintenance menu, click Install and UpdateSoftware.

19. From the Install and Update Software menu, click Install and Update from ALLAvailable Software. The Install and Update ALL Available Software pop-up panel isdisplayed.

20. Specify the INPUT device / directory for the software by entering the name of thedirectory where the Tivoli Policy Director for Operating Systems language supportpackage is located: /dev/cd0. Click OK.

21. The Install and Update from ALL Available Software pop-up panel is displayed.

22. By the SOFTWARE to install selection, click List. The Multi-select List pop-up panelis displayed. Highlight 3.8.0.0 Tivoli Policy Director for Operating Systems MessageCatalog for the desired locale and language. Information on the different languagepackages available can be found in Table 5 on page 7. Click OK.

23. The Install and Update from ALL Available Software window is redisplayed. ClickOK.

24. You are asked to confirm your installation choices. Click OK.

25. During installation, the Install and Update from ALL Available Software windowdisplays a split screen that shows the install command and the output log for theinstallation.

26. When installation is complete, click Done.

27. Close the Install and Update from ALL Available Software pop-up panel. TheSystem Management Interface Tool window is displayed.


28. Close the System Management Interface Tool window.

After installing Tivoli Policy Director for Operating Systems, you must configure it beforeuse. See Chapter 4, “Configuring” on page 39 for details.

Installing on AIX From the Command Line

To install Tivoli Policy Director for Operating Systems on AIX from the command line, use these steps:

1. Insert the Tivoli Policy Director for Operating Systems (128-BIT), Version 3.8 (NativeInstallation Package) CD.

2. Log on as root.

3. Enter the following command on the command line, replacing /dev/cd0 with the device or mount point of the CD-ROM drive, to install the Tivoli Policy Director for Operating Systems runtime:

   installp -c -a -g -X -d /dev/cd0 PDOS.rte

   The options apply and commit the fileset (-a -c), install any requisite filesets found on the same media automatically (-g), and expand file systems if needed (-X).

4. Eject the CD from the CD-ROM drive.

5. Insert the Tivoli Policy Director for Operating Systems , Version 3.8 Language Support(Native Installation Package) CD.

6. Enter the following command on the command line, replacing language with the appropriate locale and language being installed and /dev/cd0 with the device or mount point of the CD-ROM drive:

   installp -c -a -g -X -d /dev/cd0 PDOS.msg.language

   Information on the different language packages available can be found in Table 5 on page 7.

   For example, the command to install the US English messages is:

   installp -c -a -g -X -d /dev/cd0 PDOS.msg.en_US

After installing Tivoli Policy Director for Operating Systems, you must configure it beforeuse. See Chapter 4, “Configuring” on page 39 for details.

Installing on HP-UX Using Native Install

Tivoli Policy Director for Operating Systems can be installed on HP-UX using swinstall or from the command line. The files must be installed in the /opt/pdos and /var/pdos directories. Do not change the target from /.

The following prerequisite products, located on the Native Installation CD, must be installedand configured before installing Tivoli Policy Director for Operating Systems:

¶ IBM Global Security Toolkit

¶ IBM SecureWay Directory Client

¶ Tivoli Policy Director runtime environment

Refer to Table 1 on page 3 for package names, version numbers, and patch levels. Documentation for installing these products can be found in the /doc directory on the Tivoli Policy Director Base for Solaris and HP-UX (128-BIT), Version 3.8 CD. Information on applying Fix Pack 2 (3.8-POL-0002) to Tivoli Policy Director Version 3.8 can be found on the Tivoli Policy Director for Operating Systems (128-BIT) Version 3.8 (Native Installation Package) CD in the /doc/3.8-POL-0002.README file.


Installing on HP-UX Using swinstall

To install Tivoli Policy Director for Operating Systems on HP-UX using swinstall, complete the following steps:

1. Insert the Tivoli Policy Director for Operating Systems (128-BIT), Version 3.8 (NativeInstallation Package) CD.

2. Log on as root.

3. Start pfs_mountd and then pfsd, if they are not running. Mount the CD with the pfs_mount command. For example, enter the following command at the command line:

   pfs_mount /dev/dsk/c0t0d0 /cd-rom

where /dev/dsk/c0t0d0 is the CD-ROM device and /cd-rom is the mount point.

4. At the command line, type

   swinstall

   and press Enter. The SD Install - Software Selection window and the Specify Source pop-up panel are displayed. Select Local CDROM from the Source Depot Type list. For the Source Depot path, enter /cd-rom/hp, where /cd-rom is the mount point for the CD. Click OK. The SD Install - Software Selection window is displayed.

5. From the SD Install – Software Selection window, mark the software you want toinstall by selecting the Tivoli Policy Director for Operating Systems package PDOSrte.Click the Actions menu and select Mark for Install.

6. Click Actions menu and select Install (analysis). The Install Analysis pop-up panel isdisplayed. When status is Ready, click OK. The Confirmation pop-up window isdisplayed. Click Yes.

7. The Install Window pop-up panel displays the status of the installation process. Whenstatus is Completed, click Done.

8. Close the SD Install – Software Selection window.

9. Unmount and then eject the CD from the CD-ROM drive.

10. Insert the Tivoli Policy Director for Operating Systems, Version 3.8 Language Support(Native Installation Package) CD.

11. Mount the CD with the pfs_mount command. For example, enter the following command at the command line:

   pfs_mount /dev/dsk/c0t0d0 /cd-rom

where /dev/dsk/c0t0d0 is the CD-ROM device and /cd-rom is the mount point.

12. At the command line, type

   swinstall

   and press Enter. The SD Install - Software Selection window and the Specify Source pop-up panel are displayed. Select Local CDROM from the Source Depot Type list. For the Source Depot path, enter /cd-rom/hp, where /cd-rom is the mount point for the CD. Click OK. The SD Install - Software Selection window is displayed.

13. From the SD Install – Software Selection window, mark the software you want toinstall by selecting the Tivoli Policy Director for Operating Systems packagePDOSmsg.language, where language is the language you want to install. Click theActions menu and select Mark for Install.


14. Click Actions menu and select Install (analysis). The Install Analysis pop-up panel isdisplayed. When status is Ready, click OK. The Confirmation pop-up window isdisplayed. Click Yes.

15. The Install Window pop-up panel displays the status of the installation process. Whenstatus is Completed, click Done.

16. Close the SD Install – Software Selection window.

After installing Tivoli Policy Director for Operating Systems, you must configure it beforeuse. See Chapter 4, “Configuring” on page 39 for details.

Installing on HP-UX From the Command Line

To install Tivoli Policy Director for Operating Systems on HP-UX from the command line, use these steps:

1. Insert the Tivoli Policy Director for Operating Systems (128-BIT), Version 3.8 (NativeInstallation Package) CD.

2. Log on as root.

3. Start pfs_mountd and then pfsd, if they are not running. Mount the CD with the pfs_mount command. For example, at the command line type:

   pfs_mount /dev/dsk/c0t0d0 /cd-rom

where /dev/dsk/c0t0d0 is the CD-ROM device and /cd-rom is the mount point. PressEnter.

4. Enter the following command at the command line:

   swinstall -s /cd-rom/hp PDOSrte

   where /cd-rom/hp is the depot directory on the mounted CD.

5. Unmount and then eject the CD from the CD-ROM drive.

6. Insert the Tivoli Policy Director for Operating Systems , Version 3.8 Language Support(Native Installation Package) CD.

7. Mount the CD with the pfs_mount command. For example:

   pfs_mount /dev/dsk/c0t0d0 /cd-rom

where /dev/dsk/c0t0d0 is the CD-ROM device and /cd-rom is the mount point. PressEnter.

8. Enter the following command at the command line:

   swinstall -s /cd-rom/hp PDOSmsg.language

   where language is the locale and language being installed and /cd-rom/hp is the depot directory on the mounted CD. Information on the different language packages available can be found in Table 6 on page 7.

   For example, the command to install the US English messages is:

   swinstall -s /cd-rom/hp PDOSmsg.en_US

After installing Tivoli Policy Director for Operating Systems, you must configure it beforeuse. See Chapter 4, “Configuring” on page 39 for details.

Installing on Solaris Using Native Install

Tivoli Policy Director for Operating Systems can be installed on Solaris using Admintool or from the command line.


The following prerequisite products, located on the Native Installation CD, must be installedand configured before installing Tivoli Policy Director for Operating Systems:

¶ IBM Global Security Toolkit

¶ IBM SecureWay Directory Client

¶ Tivoli Policy Director runtime environment

Refer to Table 1 on page 3 for package names, version numbers, and patch levels. Documentation for installing these products can be found in the /doc directory on the Tivoli Policy Director Base for Solaris and HP-UX (128-BIT), Version 3.8 CD. Information on applying the efix4 patch to the IBM SecureWay Directory Client can be found on the Tivoli Policy Director for Operating Systems (128-BIT) Version 3.8 (Native Installation Package) CD in the /solaris/patches/ldap_efix4/Readme file, and information on applying Fix Pack 2 (3.8-POL-0002) to Tivoli Policy Director Version 3.8 can be found in the /doc/3.8-POL-0002.README file on the same CD.

Installing on Solaris Using Admintool

Use these steps to install Tivoli Policy Director for Operating Systems on Solaris using Admintool:

1. Insert the Tivoli Policy Director for Operating Systems (128-BIT), Version 3.8 (NativeInstallation Package) CD.

2. Log on as root.

3. Enter the following command at the command line:

   admintool

The Admintool: Users window is displayed.

4. In Admintool: Users Browse menu, select Software. The Admintool: Softwarewindow is displayed.

5. Click Edit and select Add. The Admintool: Set Source Media window is displayed.

6. Select CD with Volume Management from the Software Location list and type/cdrom/cdrom0/solaris in the CD Path field. Click OK. The Admintool: AddSoftware window is displayed.

7. From the Admintool: Add Software window, select Tivoli Policy Director forOperating Systems runtime. Click Add.

8. Confirmation messages are displayed before packages are installed. The order that theyare displayed depends on the order that the packages are installed. The confirmationmessage, ″Do you want to install this package?″ is displayed for each package. TypeYes when it is displayed. Press Return.

9. A confirmation message is displayed after one of the packages has been installed: ″Doyou want to continue with installation?″ Type Yes when it is displayed. Press Return.

10. A confirmation message is displayed after one of the packages has been installed andyou have indicated that you want to continue with installation: ″Do you want to installthese conflicting files?″ Type Yes when it is displayed. Press Return.

11. A confirmation message and other information is displayed for the runtime package,″The following files are being installed with setuid and/or setgid permissions,″ a list offiles, and the question ″Do you want to install these as setuid/setgid files?″ Type Yes.Press Return.


12. Another confirmation message is displayed for the runtime packages ″This packagecontains scripts which will be executed with super-user permission during the processof installing this package. Do you want to continue with installation of package name?″Type Yes. Press Return.

13. After installation is complete, press Return. The Admintool: Software window isdisplayed.

14. Eject the CD from the CD-ROM drive.

15. Insert the Tivoli Policy Director for Operating Systems, Version 3.8 Language Support(Native Installation Package) CD

16. On the Admintool: Software window, click Edit and select Add. The Admintool: SetSource Media window is displayed.

17. Select CD with Volume Management from the Software Location list and type/cdrom/cdrom0/solaris in the CD Path field. Click OK. The Admintool: AddSoftware window is displayed.

18. From the Admintool: Add Software window, select the appropriate language packagefor Tivoli Policy Director for Operating Systems. Information on the different languagepackages available can be found in Table 7 on page 7. Click Add.

19. Confirmation messages are displayed before packages are installed. The order that theyare displayed depends on the order that the packages are installed. The confirmationmessage, ″Do you want to install this package?″ is displayed for each package. TypeYes when it is displayed. Press Return.

20. A confirmation message is displayed after one of the packages has been installed: ″Doyou want to continue with installation?″ Type Yes when it is displayed. Press Return.

21. A confirmation message is displayed after one of the packages has been installed andyou have indicated that you want to continue with installation: ″Do you want to installthese conflicting files?″ Type Yes when it is displayed. Press Return.

22. Another confirmation message is displayed for the language package: ″This packagecontains scripts which will be executed with super-user permission during the processof installing this package. Do you want to continue with installation of package name?″Type Yes. Press Return.

23. After installation is complete, press Return. The Admintool: Software window isdisplayed. Close this window.

After installing Tivoli Policy Director for Operating Systems, you must configure it beforeuse. See Chapter 4, “Configuring” on page 39 for details.
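Step 11 above is the one moment in the Admintool procedure where the installer shows you which files are being installed with setuid or setgid permissions; the command-line paths (installp, swinstall, rpm, and pkgadd when an administration file answers the question for you) do not pause on it. As an added example that is not part of the IBM guide, the following POSIX shell script records the setuid/setgid files under an install root right after installation and re-checks them later, so that a binary which gains the setuid bit, or a new one that appears, is reported. The install root is assumed to be /opt/pdos (the location the HP-UX section names; the Solaris package layout may differ), and the directory tree and file names in demo_audit are constructed for the example.

```shell
#!/bin/sh
# Added example, not IBM code: record which files under an install root are
# setuid or setgid and re-check later for drift. The Solaris Admintool
# procedure shows this list once, in a prompt; the command-line installs
# (installp, swinstall, pkgadd with an administration file, rpm) do not.

# list_setuid_files DIR: print "MODE OWNER GROUP PATH" for every regular
# file under DIR with the setuid or setgid bit set, sorted by path. Parses
# the nine-field "ls -ld" layout in the C locale (mode, links, owner,
# group, size, month, day, time-or-year, path); paths may contain spaces.
list_setuid_files() {
    LC_ALL=C find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} \; |
        awk '{ path = $9; for (i = 10; i <= NF; i++) path = path " " $i
               print $1, $3, $4, path }' | sort -k4
}

# record_baseline DIR FILE: save the current list to FILE. Do this right
# after installation and keep FILE where the installed software cannot
# write to it.
record_baseline() {
    list_setuid_files "$1" > "$2"
}

# check_against_baseline DIR FILE: print "+ entry" for setuid/setgid files
# that are not in the baseline and "- entry" for baseline entries that are
# gone or whose mode/owner changed; succeed (0) only if nothing differs.
check_against_baseline() {
    dir=$1 base=$2 rc=0
    cur=$(mktemp) || return 2
    list_setuid_files "$dir" | sort > "$cur"
    sort "$base" > "$cur.base"
    added=$(comm -13 "$cur.base" "$cur")
    removed=$(comm -23 "$cur.base" "$cur")
    if [ -n "$added" ]; then
        printf '%s\n' "$added" | sed 's/^/+ /'
        rc=1
    fi
    if [ -n "$removed" ]; then
        printf '%s\n' "$removed" | sed 's/^/- /'
        rc=1
    fi
    rm -f "$cur" "$cur.base"
    return $rc
}

# demo_audit: build a constructed tree standing in for an install root
# (/opt/pdos is the location the HP-UX section names; the subdirectories
# and file names here are invented), take a baseline, then plant an extra
# setuid file and re-check. Prints "<baseline entries> <drift entries>".
demo_audit() {
    root=$(mktemp -d) || return 2
    mkdir -p "$root/opt/pdos/bin" "$root/opt/pdos/lib"
    : > "$root/opt/pdos/bin/setuid_tool"; chmod 4755 "$root/opt/pdos/bin/setuid_tool"
    : > "$root/opt/pdos/bin/setgid_tool"; chmod 2755 "$root/opt/pdos/bin/setgid_tool"
    : > "$root/opt/pdos/lib/plain.so";    chmod 0755 "$root/opt/pdos/lib/plain.so"
    record_baseline "$root/opt/pdos" "$root/baseline"
    n_base=$(wc -l < "$root/baseline" | tr -d ' ')
    # Later: something drops another setuid binary into the tree.
    : > "$root/opt/pdos/lib/late_arrival"; chmod 4755 "$root/opt/pdos/lib/late_arrival"
    drift=$(check_against_baseline "$root/opt/pdos" "$root/baseline" || :)
    n_drift=$(printf '%s\n' "$drift" | grep -c '^[+-] ' || :)
    rm -rf "$root"
    echo "$n_base $n_drift"
}

# Stand-alone run of the constructed scenario: prints "2 1".
demo_audit
```

On a real system, run record_baseline against the install root immediately after step 13 and before configuring, store the baseline file outside the tree the installed software owns, and run check_against_baseline before each change window or from cron. Every + line is a privileged binary that someone has to account for; a - line whose path still exists means the mode or owner changed.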

Installing on Solaris From the Command Line

To install Tivoli Policy Director for Operating Systems on Solaris from the command line, use these steps:

1. Insert the Tivoli Policy Director for Operating Systems (128-BIT), Version 3.8 (NativeInstallation Package) CD.

2. Log on as root.

3. Enter the following command at the command line:

   pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pdosdefault PDOSrte


   where /cdrom/cdrom0/solaris is the directory containing the package and /cdrom/cdrom0/solaris/pdosdefault is the pkgadd administration file (-a) shipped in the same directory. The administration file pre-answers the questions pkgadd would otherwise ask interactively, such as the conflicting-file, setuid/setgid and super-user script confirmations shown in the Admintool procedure; review its contents before relying on it.

4. Eject the CD from the CD-ROM drive by entering the following at the command line:

   eject

5. Insert the Tivoli Policy Director for Operating Systems, Version 3.8 Language Support(Native Installation Package) CD.

6. Enter the following command at the command line:

   pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pdosdefault PDOSlanguage

   where language is the locale and language being installed, /cdrom/cdrom0/solaris is the directory containing the package, and /cdrom/cdrom0/solaris/pdosdefault is the pkgadd administration file in that directory. Information on the different language packages available can be found in Table 7 on page 7.

   For example, the command to install the US English messages is:

   pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pdosdefault PDOSenUS

7. When the installation process is complete for each package, this message is displayed:″Installation of package successful.″

After installing Tivoli Policy Director for Operating Systems, you must configure it beforeuse. See Chapter 4, “Configuring” on page 39 for details.

Installing on Linux Using Native Install

Tivoli Policy Director for Operating Systems can be installed on Linux from the command line.

The following prerequisite products, located on the Native Installation CD, must be installedand configured before installing Tivoli Policy Director for Operating Systems:

¶ IBM Global Security Toolkit

¶ IBM SecureWay Directory Client

¶ Tivoli Policy Director runtime environment

Refer to Table 1 on page 3 for package names, version numbers, and patch levels. Documentation for installing these products can be found in the /doc directory on the Tivoli Policy Director Base for AIX and Linux (128-BIT), Version 3.8 CD. Information on applying the efix4 patch to the IBM SecureWay Directory Client can be found on the Tivoli Policy Director for Operating Systems (128-BIT) Version 3.8 (Native Installation Package) CD in the /linux/patches/ldap_efix4/Readme file, and information on applying Fix Pack 2 (3.8-POL-0002) to Tivoli Policy Director Version 3.8 can be found in the /doc/3.8-POL-0002.README file on the same CD.

Installing on Linux From the Command Line

To install Tivoli Policy Director for Operating Systems on Linux from the command line, use these steps:

1. Insert the Tivoli Policy Director for Operating Systems (128-BIT), Version 3.8 (NativeInstallation Package) CD.

2. Log on as root.

3. Mount the CD-ROM drive from the command line using a command such as:


mount /mnt/cdrom

4. Enter the following command at the command line:

   rpm -i /mnt/cdrom/PDOSrte-PDOSruntime-3.8.0-0.i386.rpm

5. Eject the CD from the CD-ROM drive by entering the following at the command line:

   eject

6. Insert the Tivoli Policy Director for Operating Systems, Version 3.8 Language Support(Native Installation Package) CD.

7. Mount the CD-ROM drive from the command line using a command such as:

   mount /mnt/cdrom

8. Enter the following command at the command line:

   rpm -i /mnt/cdrom/PDOSmsg-xx_XX-3.8.0-0.i386.rpm

substituting the appropriate language for xx_XX using the information from Table 8 onpage 8.

   For example, the command to install the US English messages is:

   rpm -i /mnt/cdrom/PDOSmsg-en_US-3.8.0-0.i386.rpm

9. Eject the CD from the CD-ROM drive by entering the following at the command line:

   eject

The installation utility only provides messages if an error condition is encountered.

After installing Tivoli Policy Director for Operating Systems, you must configure it beforeuse. See Chapter 4, “Configuring” on page 39 for details.

Installing Using the Tivoli Desktop

Tivoli Policy Director for Operating Systems can be installed and initially configured using the Tivoli desktop and subsequently managed by Tivoli Security Manager, if desired. To install it this way, the following components are required:

Tivoli Security Manager Endpoint Installation Tool, Version 3.8
   This product must be installed on the Tivoli management region server. It is used to install Tivoli Policy Director for Operating Systems on UNIX endpoints.

Tivoli Policy Director for Operating Systems, Version 3.8
   This product must be installed on all UNIX managed nodes and endpoints to enforce security policy.

Tivoli Policy Director for Operating Systems Message Catalog, Version 3.8
   This product must be installed on the same set of machines as the Tivoli Policy Director for Operating Systems, Version 3.8 component.

If you intend to manage Tivoli Policy Director for Operating Systems from the Tivolidesktop, you must install:

Tivoli Policy Director for Operating Systems Management Tasks, Version 3.8
   This product must be installed on the Tivoli management region server. This component provides the PDOS Tasks task library, which enables you to manage the Tivoli Policy Director for Operating Systems runtime on UNIX endpoints and managed nodes from the Tivoli desktop.

If you intend to use Tivoli Enterprise Console or Tivoli Risk Manager with Tivoli PolicyDirector for Operating Systems, you must install:


Tivoli Policy Director for Operating Systems Enterprise Console Integration, Version 3.8
   This product must be installed on the Tivoli management region server, the Tivoli Enterprise Console server, and on gateways managing Tivoli Policy Director for Operating Systems endpoints. Install this component after Tivoli Enterprise Console has been installed. It uses the Tivoli Enterprise Console logfile adapter to send security events that are critical to security administrators; the adapter formats and forwards events to Tivoli Enterprise Console or to Tivoli Risk Manager. A set of rules and associated actions is provided, where appropriate, for the supported events.

After installing the necessary components through the Tivoli desktop, Tivoli Policy Directorfor Operating Systems, as well as the prerequisite software residing on the same machine,have been installed and configured.

Installing Tivoli Policy Director for Operating Systems

You can install the Tivoli components necessary for Tivoli Policy Director for Operating Systems from either the Tivoli desktop or the command line.

Desktop

Use the following steps to install the necessary Tivoli components from the Tivoli desktop:

1. Select the Install -> Install Product... option from the Desktop menu to display theInstall Product dialog.


2. Click the Select Media... button to display the File Browser dialog.

The File Browser dialog enables you to identify or specify the path to the installationmedia.

If you already know the path to the CD image:

a. Enter the full path in the Path Name field.

b. Click the Set Path button to change to the specified directory.

   c. Click the Set Media & Close button to save the new media path and return to the Install Product dialog. The dialog now lists the products that are available for installation.

If you do not know the exact path to the CD image:

a. From the Hosts scrolling list, choose the host on which the install media is mounted.Choosing a host updates the Directories scrolling list.

b. From the Directories scrolling list, choose the directory containing the install media.

   c. Click the Set Media & Close button to save the new media path and return to the Install Product dialog. The dialog now lists the products that are available for installation.

3. From the Select Product to Install scrolling list, select one of the following:

   Tivoli Policy Director for Operating Systems Management Tasks, Version 3.8
      Must be installed on the Tivoli management region servers to enable them to perform remote Tivoli Policy Director for Operating Systems management tasks.

   Tivoli Security Manager Endpoint Installation Tool, Version 3.8
      Must be installed on the Tivoli management region servers so you can install Tivoli Policy Director for Operating Systems on UNIX endpoints.

   Tivoli Policy Director for Operating Systems, Version 3.8
      Must be installed on all UNIX managed nodes and endpoints that you want to manage. You can use the Tivoli Security Manager Endpoint Installation Tool or Tivoli Software Installation Service to install this module on endpoints.


   Tivoli Policy Director for Operating Systems Message Catalog, Version 3.8
      Must be installed on the same set of machines as the Tivoli Policy Director for Operating Systems, Version 3.8 component.

   Tivoli Policy Director for Operating Systems Enterprise Console Integration, Version 3.8
      Must be installed on the Tivoli Policy Director management server, the Tivoli Enterprise Console event server and on gateways managing Tivoli Policy Director for Operating Systems endpoints.

4. To specify the Tivoli management region servers or gateways on which you want toinstall the selected component, use the arrow keys to move the machine names betweenthe Clients to Install On scrolling list and the Available Clients scrolling list.

5. Click the Install button to begin the component installation.

The installation process prompts you with a Product Install dialog. This dialog providesthe list of operations that will take place during the installation process. It also warnsyou of any problems that you may want to correct before you install the component.

6. Click the Continue Install button to begin the installation process and display theProduct Install status dialog. The Product Install status dialog presents statusinformation as the installation proceeds.

When the installation is complete, the Product Install dialog will return a completionmessage.

7. Click the Close button to close the dialog.

8. Repeat steps 3 through 7 until you have installed the Tivoli components on all themachines where you have to install them.

Command Line

The following example command installs the Tivoli components needed for Tivoli Policy Director for Operating Systems. See the Tivoli Framework Reference Manual for more information about the winstall command.

   winstall -c cdrom_dir -i comp_name node1 node2

where:

-c cdrom_dir
   Specifies the path to the CD-ROM image.

-i comp_name
   Specifies the index (.IND) file from which the component is installed. The comp_name argument can be any of the following:

   PDOSTASK.IND
      Installs the Tivoli Policy Director for Operating Systems Management Tasks, Version 3.8 component.

   SECCLNT.IND
      Installs the Tivoli Security Manager Endpoint Installation Tool, Version 3.8 component.

   PDOS.IND
      Installs the Tivoli Policy Director for Operating Systems, Version 3.8 component.

   PDOSMSG.IND
      Installs the Tivoli Policy Director for Operating Systems Message Catalog, Version 3.8 component.


   PDOSTEC.IND
      Installs the Tivoli Policy Director for Operating Systems Enterprise Console Integration, Version 3.8 component.

node1 node2
   Specifies the names of the Tivoli management region servers or gateways to install the component on. If no machine is specified, the installation runs on all the clients of the current region.

Installing on UNIX Managed Nodes and Endpoints

The Tivoli Policy Director for Operating Systems module must be installed on each UNIX managed node and endpoint that you want to secure.

Note: The following precautions must be followed when installing Tivoli Policy Directorfor Operating Systems to endpoints or managed nodes: If your Tivoli Policy Directormanagement server does not yet have a /OSSEAL branch, and therefore no TivoliPolicy Director for Operating Systems endpoints, then you must configure the firstmachine by itself, which also configures the Tivoli Policy Director managementserver database. After that, you can perform parallel configurations. If you arecreating a new /OSSEAL branch, such as /OSSEAL/testlab, you must configure thefirst machine by itself. Then, the other machines can be configured in parallel underthat branch.

Perform the following tasks to protect UNIX managed nodes and endpoints:

1. Install the Tivoli Security Manager Endpoint Installation Tool module on the Tivolimanagement region server to enable you to install Tivoli Policy Director for OperatingSystems on UNIX endpoints.

2. Install Tivoli Policy Director for Operating Systems on UNIX managed nodes.

3. Install Tivoli Policy Director for Operating Systems on the UNIX endpoints that youwant to secure.

Note: You must install the Tivoli Security Manager Endpoint Installation Tool module priorto installing the Tivoli Policy Director for Operating Systems module on UNIXendpoints.

Installing on Managed Nodes

You can install Tivoli Policy Director for Operating Systems on UNIX managed nodes from either the Tivoli desktop or the command line. The process is similar to installing other Tivoli modules. To install Tivoli Policy Director for Operating Systems on UNIX endpoints, refer to “Installing on UNIX Endpoints” on page 33.

DesktopThe following steps will install Tivoli Policy Director for Operating Systems on managednodes from the Tivoli desktop. You can also install Tivoli Policy Director for OperatingSystems from the command line using the winstall command. For more information aboutthe winstall command, see the Tivoli Management Framework Reference Manual.

Installing Using the Tivoli Desktop

27 Tivoli® Policy Director for Operating Systems Installation Guide


1. Select the Install –> Install Product... option from the Desktop menu to display the Install Product dialog.

If Tivoli Policy Director for Operating Systems, Version 3.8 is not listed in the Select Product to Install scrolling list, proceed to step 2. If Tivoli Policy Director for Operating Systems, Version 3.8 is listed, skip to step 3.

2. Click the Select Media... button to display the File Browser dialog.

The File Browser dialog enables you to identify or specify the path to the installation media.

3. If you already know the path to the CD image, do the following:

a. Enter the full path in the Path Name field.

b. Click the Set Path button to change to the specified directory.


c. Click the Set Media & Close button to save the new media path and return to the Install Product dialog. The dialog now contains a list of modules that are available for installation.

4. If you do not know the exact path to the CD image, do the following:

a. From the Hosts scrolling list, choose the host on which the installation media is mounted. Choosing a host updates the Directories scrolling list to display the directories of the selected host.

b. From the Directories scrolling list, choose the directory that contains the installation media.

c. Click the Set Media & Close button to save the new media path and return to the Install Product dialog. The dialog now contains a list of modules that are available for installation.

5. Select Tivoli Policy Director for Operating Systems, Version 3.8 from the Select Product to Install scrolling list. If this is the first time Tivoli Policy Director for Operating Systems has been installed, the Install Options dialog is displayed automatically. If this is not the first time Tivoli Policy Director for Operating Systems has been installed, you can click the Install Options... button to display the Install Options dialog.

The Install Options dialog sets characteristics of Tivoli Policy Director for Operating Systems and its components. Use the following steps to set these characteristics:

a. LDAP server hostname (LDAP_NAME) This option is used to specify the name of the LDAP server. It is used during the configuration of the Tivoli Policy Director Runtime Environment. It accepts input in the form of <hostname>[+<port_num>]. The default port number is 389. The following is an example for specifying a different port number:
hostname+9999


b. LDAP Suffix for user registry (LDAP_SUFFIX) This option is used to specify the LDAP suffix that is used for the Tivoli Policy Director User Registry. It is used by the Tivoli Policy Director for Operating Systems configuration program.

c. PD Server hostname (PDOS_PD_SERVER_NAME) This option is used to specify the name of the Tivoli Policy Director management server that will be controlling the endpoint. It is used by the Tivoli Policy Director Runtime Environment configuration program. It accepts input in the form of <hostname>[+<port_num>]. The default port number is 7135. The following is an example for specifying a different port number:
hostname+9999

d. Policy Director Policy Name (POLICY_NAME) This option is used to specify the name of the branch under which the endpoint will reside in the Tivoli Policy Director database. It is used by the Tivoli Policy Director for Operating Systems configuration program.

e. PD Security Master Password (PD_PWD) This option is used to specify the security master password. It is used by the Tivoli Policy Director for Operating Systems configuration program.

f. PDOS SSL Listening Port (SSL_P) This option is used to specify the port that Tivoli Policy Director for Operating Systems will use to listen for updates from the Tivoli Policy Director Server.

g. Comma separated list of User login name(s) of PDOS Administrators (P_A) This option is used to specify additional logins that can administer the Tivoli Policy Director for Operating Systems runtime. Do not put spaces between the commas. If this field is left blank, only the root and osseal user IDs are allowed to administer the Tivoli Policy Director for Operating Systems runtime.

h. PD Server certificate (PDOS_PDRTE_CERT_LOC) This option is used to specify the location of the Tivoli Policy Director Runtime digital certificate that was generated during the install of your initial Tivoli Policy Director Runtime environment. It is used by the PDRTE configuration program. This field can be left blank if the Tivoli Policy Director Server has been configured to allow auto-download of the certificate.

i. LDAP Server SSL Certificate name (PDOS_LDAP_CERT_LOC) This option is used to specify the location of the LDAP SSL digital certificate that is being used by your LDAP server for SSL communications. It is used by the Tivoli Policy Director for Operating Systems configuration program.

j. PDOS Installation Images Temp Directory (PDOSBIN) This option specifies a location for copying the native installation package used during the installation and configuration of an endpoint. The packages and digital certificates are removed from the endpoint if the installation and configuration is successful.

6. By default, all servers and managed nodes in the current Tivoli management region are listed in the Clients to Install On scrolling list. Install the Tivoli Policy Director for Operating Systems module on those UNIX nodes that you want to protect. To move a managed node to the Available Clients scrolling list, double-click the name. The selected machine is moved from the Clients to Install On scrolling list to the Available Clients scrolling list.

7. Click the Install button to begin the module installation. The installation process prompts you with a Product Install dialog.


This dialog provides the list of operations that take place during the installation process. It also warns you of any problems that you should correct before you install the module.

8. Click the Continue Install button to continue the installation process and display the Product Install status dialog. The Product Install status dialog presents status information as the installation proceeds.

When the installation is complete, the Product Install dialog displays a completion message.

9. Click the Close button to close the dialog.

10. Ensure that the Framework oserv daemon process has been started with a full path. If it has not, shut down the Framework and restart it. This starts the oserv with a full path. Restarting the Framework is not necessary for any machines on which you upgraded and restarted the Framework.

You can use the UNIX ps command to determine if oserv has been started with a full path. If a full path name is shown (for example, /opt/Tivoli/bin/hpux10/bin/oserv rather than just oserv), oserv was started correctly. If the full path was not specified, run the following commands from the Tivoli management region server to restart the Framework on all the machines in the Tivoli management region:
odadmin shutdown all
/etc/Tivoli/oserv.rc start
odadmin start all
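The check in step 10 can be scripted so that it is not skipped. The following shell script is an added example and is not part of Tivoli Policy Director for Operating Systems or the Tivoli Management Framework. It reads ps -ef output, accepts an oserv command field only if it begins with a slash, and prints the restart sequence from step 10 when it does not. The two ps listings embedded in it are constructed for illustration, not captured from a real system, and the ps -ef column layout (command name in the eighth field) is an assumption of the example.

```shell
#!/bin/sh
# Added example (not part of the Tivoli product): decide from ps -ef output
# whether every oserv was started with a full path name, as step 10 requires.

# oserv_started_with_full_path: reads ps -ef style output on stdin.
# Exit 0 if every oserv command field is an absolute path, 1 if at least one
# oserv was started as a bare "oserv", 2 if no oserv process is listed.
oserv_started_with_full_path() {
    awk '
        # Assumed ps -ef layout: UID PID PPID C STIME TTY TIME CMD; CMD is $8.
        # Match "oserv" or ".../oserv" as the command itself, not "grep oserv".
        $8 ~ /(^|\/)oserv$/ {
            found++
            if ($8 !~ /^\//) bad++
        }
        END {
            if (found == 0) exit 2
            if (bad > 0) exit 1
            exit 0
        }'
}

# check_live_oserv: run the check against the running system and, on
# failure, print the Framework restart sequence from step 10.
check_live_oserv() {
    ps -ef | oserv_started_with_full_path
    case $? in
        0) echo "oserv was started with a full path"; return 0 ;;
        2) echo "no oserv process found; is the Framework running?" >&2; return 2 ;;
        *) echo "oserv was started without a full path; restart the Framework from the TMR server:" >&2
           echo "  odadmin shutdown all" >&2
           echo "  /etc/Tivoli/oserv.rc start" >&2
           echo "  odadmin start all" >&2
           return 1 ;;
    esac
}

# Constructed sample listings (not captured from a real system).
PS_FULL_PATH='UID PID PPID C STIME TTY TIME CMD
root 1 0 0 Jan05 ? 00:00:03 /sbin/init
root 1412 1 0 Jan05 ? 00:01:10 /opt/Tivoli/bin/hpux10/bin/oserv -k /opt/Tivoli/db/cookie.db
root 1899 1412 0 09:12 pts/0 00:00:00 grep oserv'
PS_BARE='UID PID PPID C STIME TTY TIME CMD
root 1 0 0 Jan05 ? 00:00:03 /sbin/init
root 1412 1 0 Jan05 ? 00:01:10 oserv -k /opt/Tivoli/db/cookie.db'

# Run against the live system only when asked: ./check_oserv.sh --live
if [ "${1-}" = "--live" ]; then
    check_live_oserv
fi
```

The awk filter looks only at the command field, so a grep for oserv or an argument such as /opt/Tivoli/db/cookie.db does not produce a false match; a bare oserv in that field is exactly the condition step 10 tells you to correct.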

Command Line

The following example command installs Tivoli Policy Director for Operating Systems onto specified UNIX managed nodes, and specifies the names of the LDAP and Tivoli Policy Director servers.
winstall –c /cdrom –i PDOS.IND \
LDAP_NAME=ldaphostname \
LDAP_SUFFIX="o=Tivoli,c=US" \
PDOS_PD_SERVER_NAME=pdoshostname POLICY_NAME=TSSM \
PD_PWD=password PDOS_PDRTE_CERT_LOC=/tmp/pdrte_cert.b64 \
PDOS_LDAP_CERT_LOC=/tmp/ldap_cert.b64 \
PDOSBIN=/opt/inst.images muffin cookie

where:

–c /cdrom Specifies the path to the installation media.

–i PDOS.IND Specifies the index file from which to install this module.

LDAP_NAME=... This option is used to specify the name of the LDAP server. It is used during the configuration of the Tivoli Policy Director Runtime Environment. It accepts input in the form of <hostname>[+<port_num>]. The default port number is 389. The following is an example for specifying a different port number:
hostname+9999

LDAP_SUFFIX=... This option is used to specify the LDAP suffix that is used for the Tivoli Policy Director User Registry. It is used by the Tivoli Policy Director for Operating Systems configuration program.


PDOS_PD_SERVER_NAME=... This option is used to specify the name of the Tivoli Policy Director Management Server that will be controlling the endpoint. It is used by the Tivoli Policy Director Runtime Environment configuration program. It accepts input in the form of <hostname>[+<port_num>]. The default port number is 7135. The following is an example for specifying a different port number:
hostname+9999

POLICY_NAME=... This option is used to specify the name of the branch under which the endpoint will reside in the Tivoli Policy Director database. It is used by the Tivoli Policy Director for Operating Systems configuration program.

PD_PWD=... This option is used to specify the Security Master password. It is used by the Tivoli Policy Director for Operating Systems configuration program.

SSL_P=... This option is used to specify the port that Tivoli Policy Director for Operating Systems will use to listen for updates from the Tivoli Policy Director Server.

P_A=... This option is used to specify additional logins that can administer the Tivoli Policy Director for Operating Systems runtime. Do not put spaces between the commas. If this field is left blank, only the root and osseal user IDs are allowed to administer the Tivoli Policy Director for Operating Systems runtime.

PDOS_PDRTE_CERT_LOC=... This option is used to specify the location of the Tivoli Policy Director Runtime digital certificate that was generated during the install of your initial Tivoli Policy Director Runtime environment. It is used by the PDRTE configuration program. This field can be left blank if the Tivoli Policy Director Server has been configured to allow auto-download of the certificate.

PDOS_LDAP_CERT_LOC=... This option is used to specify the location of the LDAP SSL digital certificate that is being used by your LDAP server for SSL communications. It is used by the Tivoli Policy Director for Operating Systems configuration program.

PDOSBIN=... This option specifies a location for copying the native installation package used during the installation and configuration of an endpoint. The packages are removed from the endpoint if the installation and configuration is successful.

muffin cookie Specifies the names of the UNIX managed nodes on which to install Tivoli Policy Director for Operating Systems. In this example, the names are muffin and cookie. As an alternative, rather than specifying individual names, you can use the –n argument with the winstall command to install the module on all managed nodes on which the module is not currently installed.
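The option descriptions above spell out formats that are easy to get wrong on a long winstall command line: the <hostname>[+<port_num>] form with its two different default ports, a comma separated P_A list with no spaces, and certificate file paths that must exist and hold base64 data. The following shell script is an added example, not part of the Tivoli product, that checks the KEY=value arguments on the Tivoli management region server before winstall is run, so that a bad port or a missing certificate is caught before an endpoint install fails halfway through. The format rules come from the descriptions above. Two things are this example's own assumptions: that the .b64 and .arm certificate files carry a PEM-style -----BEGIN CERTIFICATE----- header, and the decision to only warn about PD_PWD (a password supplied on the command line is readable by other local users in the process listing while winstall runs).

```shell
#!/bin/sh
# Added example (not part of the Tivoli product): pre-flight checks for the
# KEY=value options given to winstall/winstpdos, run before the install.

# split_host_port VALUE DEFAULT_PORT -> prints "host port" for the
# <hostname>[+<port_num>] form; returns 1 for a malformed value.
split_host_port() {
    value=$1 default=$2
    case $value in
        '' | +* | *+ | *+*+*) return 1 ;;               # no host, no port, or two '+'
        *+*) host=${value%+*} port=${value##*+} ;;
        *)   host=$value      port=$default ;;
    esac
    case $port in *[!0-9]*) return 1 ;; esac            # port must be numeric
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    printf '%s %s\n' "$host" "$port"
}

# check_suffix VALUE -> LDAP_SUFFIX must be a DN of attr=value pairs, e.g. o=Tivoli,c=US
check_suffix() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z][A-Za-z0-9-]*=[^,=]+(,[A-Za-z][A-Za-z0-9-]*=[^,=]+)*$'
}

# check_admin_list VALUE -> P_A is comma separated, no spaces, no empty entries
# (an empty P_A is allowed: only root and osseal may then administer the runtime)
check_admin_list() {
    case $1 in *' '* | *,,* | ,* | *,) return 1 ;; esac
}

# check_b64_cert FILE -> the *_CERT_LOC files must be readable and hold a
# base64 (PEM-style) certificate. The header format is an assumption here.
check_b64_cert() {
    [ -r "$1" ] && grep -q '^-----BEGIN CERTIFICATE-----' "$1" \
                && grep -q '^-----END CERTIFICATE-----' "$1"
}

# preflight KEY=value ... -> prints one line per problem; returns the count.
preflight() {
    problems=0
    fail() { echo "$1"; problems=$((problems + 1)); }
    for kv in "$@"; do
        key=${kv%%=*} val=${kv#*=}
        case $key in
            LDAP_NAME)           split_host_port "$val" 389  >/dev/null || fail "$key: '$val' is not <hostname>[+<port_num>]" ;;
            PDOS_PD_SERVER_NAME) split_host_port "$val" 7135 >/dev/null || fail "$key: '$val' is not <hostname>[+<port_num>]" ;;
            SSL_P)               case $val in '' | *[!0-9]*) fail "$key: '$val' is not a port number" ;; esac ;;
            LDAP_SUFFIX)         check_suffix "$val" || fail "$key: '$val' does not look like an LDAP suffix" ;;
            POLICY_NAME)         [ -n "$val" ] || fail "$key: branch name is empty" ;;
            P_A)                 check_admin_list "$val" || fail "$key: '$val' must be comma separated with no spaces" ;;
            PDOS_PDRTE_CERT_LOC) [ -z "$val" ] || check_b64_cert "$val" || fail "$key: '$val' is not a readable base64 certificate" ;;
            PDOS_LDAP_CERT_LOC)  check_b64_cert "$val" || fail "$key: '$val' is not a readable base64 certificate" ;;
            PD_PWD)              echo "note: $key on the command line is visible to other users in ps output while winstall runs" ;;
        esac
    done
    return "$problems"
}

# Usage: sh preflight.sh LDAP_NAME=ldaphostname+9999 LDAP_SUFFIX="o=Tivoli,c=US" ...
# then run winstall with the same arguments only when the exit status is 0.
if [ $# -gt 0 ]; then
    preflight "$@"
fi
```

PDOS_PDRTE_CERT_LOC may be blank because the server can be configured to allow auto-download of the certificate, so the checker accepts an empty value there but not for PDOS_LDAP_CERT_LOC. The same host+port, suffix and certificate values are needed again by pdoscfg in the next chapter, so the checks apply equally before a native configuration.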


Installing on UNIX Endpoints

Ensure that the Tivoli Security Manager Endpoint Installation Tool has already been installed before you attempt to install Tivoli Policy Director for Operating Systems on UNIX endpoints. See “Installing on Managed Nodes” on page 27 for more information.

Install Tivoli Policy Director for Operating Systems on all UNIX endpoints you want to protect. You can install Tivoli Policy Director for Operating Systems on UNIX endpoints from either the Tivoli desktop or the command line using the winstpdos command.

Desktop

Use the following steps to install Tivoli Policy Director for Operating Systems on UNIX endpoints from the Tivoli desktop. The starting point for this procedure is the Tivoli desktop on which the policy region icons for your site are displayed.

1. Double-click the Security Install Region icon on the Tivoli desktop.

2. Double-click the Installation icon to display the Install Product dialog.

Continue with the steps for installing Tivoli Policy Director for Operating Systems onto managed nodes, with the following exception: select the names of UNIX endpoints on which to install Tivoli Policy Director for Operating Systems, rather than the names of UNIX managed nodes (see “Installing on Managed Nodes” on page 27).

Command Line

The following example command installs Tivoli Policy Director for Operating Systems onto specified UNIX endpoints, and specifies the names of the LDAP and Tivoli Policy Director servers.
winstpdos –c /cdrom –i PDOS.IND \
LDAP_NAME=ldaphostname \
LDAP_SUFFIX="o=Tivoli,c=US" \
PDOS_PD_SERVER_NAME=pdoshostname POLICY_NAME=TSSM \
PD_PWD=password PDOS_PDRTE_CERT_LOC=/tmp/pdrte_cert.b64 \
PDOS_LDAP_CERT_LOC=/tmp/ldap_cert.b64 \
PDOSBIN=/opt/inst.images ruby diamond

where:


–c /cdrom Specifies the path to the installation media.

–i PDOS.IND Specifies the index file from which to install this module.

LDAP_NAME=... This option is used to specify the name of the LDAP server. It is used during the configuration of the Tivoli Policy Director Runtime Environment. It accepts input in the form of <hostname>[+<port_num>]. The default port number is 389. The following is an example for specifying a different port number:
hostname+9999

LDAP_SUFFIX=... This option is used to specify the LDAP suffix that is used for the Tivoli Policy Director User Registry. It is used by the Tivoli Policy Director for Operating Systems configuration program.

PDOS_PD_SERVER_NAME=... This option is used to specify the name of the Tivoli Policy Director Management Server that will be controlling the endpoint. It is used by the Tivoli Policy Director Runtime Environment configuration program. It accepts input in the form of <hostname>[+<port_num>]. The default port number is 7135. The following is an example for specifying a different port number:
hostname+9999

POLICY_NAME=... This option is used to specify the name of the branch under which the endpoint will reside in the Tivoli Policy Director database. It is used by the Tivoli Policy Director for Operating Systems configuration program.

PD_PWD=... This option is used to specify the Security Master password. It is used by the Tivoli Policy Director for Operating Systems configuration program.

SSL_P=... This option is used to specify the port that Tivoli Policy Director for Operating Systems will use to listen for updates from the Tivoli Policy Director Server.

P_A=... This option is used to specify additional logins that can administer the Tivoli Policy Director for Operating Systems runtime. Do not put spaces between the commas. If this field is left blank, only the root and osseal user IDs are allowed to administer the Tivoli Policy Director for Operating Systems runtime.

PDOS_PDRTE_CERT_LOC=... This option is used to specify the location of the Tivoli Policy Director Runtime digital certificate that was generated during the install of your initial Tivoli Policy Director Runtime environment. It is used by the PDRTE configuration program. This field can be left blank if the Tivoli Policy Director Server has been configured to allow auto-download of the certificate.

PDOS_LDAP_CERT_LOC=... This option is used to specify the location of the LDAP SSL digital certificate that is being used by your LDAP server for SSL communications. It is used by the Tivoli Policy Director for Operating Systems configuration program.


PDOSBIN=... This option specifies a location for copying the native installation package used during the installation and configuration of an endpoint. The packages are removed from the endpoint if the installation and configuration is successful.

ruby diamond Specifies the names of the UNIX endpoints on which to install Tivoli Policy Director for Operating Systems. In this example, the names are ruby and diamond.
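The note under “Installing on UNIX Managed Nodes and Endpoints” requires the first machine of a new /OSSEAL branch to be configured by itself, with the remaining machines configured in parallel only after it has succeeded. The following shell script is an added example, not part of the Tivoli product, that enforces that order around the winstpdos command above: one invocation for the first endpoint, then a single invocation naming all remaining endpoints, and no second phase at all if the first fails. INSTALL_CMD and INSTALL_ARGS are this example's own variables; INSTALL_ARGS is where the –c, –i and KEY=value options shown in the example command belong, and INSTALL_CMD can be set to winstall to apply the same sequencing to managed nodes.

```shell
#!/bin/sh
# Added example (not part of the Tivoli product): run the install in the
# order the note requires: the first machine alone, so that it creates the
# policy branch and the management server database entries, then all the
# remaining machines together once the first has succeeded.

INSTALL_CMD=${INSTALL_CMD:-winstpdos}
# Append the KEY=value options from the example command to INSTALL_ARGS.
INSTALL_ARGS=${INSTALL_ARGS:-"-c /cdrom -i PDOS.IND"}

# run_install NODE... -> one installer invocation covering the given machines.
run_install() {
    # shellcheck disable=SC2086  # INSTALL_ARGS is intentionally word-split
    $INSTALL_CMD $INSTALL_ARGS "$@"
}

# staged_install FIRST [OTHER...]
# Phase 1 installs FIRST by itself; phase 2 installs all OTHERs together.
# Returns 1 if phase 1 fails (phase 2 is skipped, because a half-created
# branch must not be configured in parallel), 2 if phase 2 fails, 3 on a
# usage error (no machine given, or the same machine listed twice).
staged_install() {
    [ $# -ge 1 ] || { echo "usage: staged_install first [others...]" >&2; return 3; }
    dups=$(printf '%s\n' "$@" | sort | uniq -d)
    [ -z "$dups" ] || { echo "machine(s) listed more than once: $dups" >&2; return 3; }
    first=$1; shift
    echo "phase 1: configuring $first by itself"
    run_install "$first" || { echo "phase 1 failed on $first; not starting phase 2" >&2; return 1; }
    [ $# -gt 0 ] || return 0
    echo "phase 2: configuring $* in parallel under the branch created by $first"
    run_install "$@" || { echo "phase 2 failed" >&2; return 2; }
}

# Usage: INSTALL_ARGS='-c /cdrom -i PDOS.IND LDAP_NAME=ldaphostname ...' \
#        sh staged_install.sh ruby diamond emerald
if [ $# -gt 0 ]; then
    staged_install "$@"
fi
```

Only the first invocation has to run alone; once it has returned successfully the branch exists and the Framework can be given the rest of the list in one command, which is what the note means by configuring the other machines in parallel.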

Installing the Tivoli Policy Director for Operating Systems Management Tasks

To maintain the Tivoli Policy Director for Operating Systems environment from the Tivoli desktop, you should install the PDOS Management Tasks on the Tivoli management region server.

Desktop

To install the PDOS Management Tasks, perform the following steps:

1. Select the Install –> Install Product... option from the Desktop menu to display the Install Product dialog.

2. Select Tivoli Policy Director for Operating Systems Management Tasks, Version 3.8 from the Select Product to Install scrolling list.

3. Select the managed nodes and servers on which to install the module. This should include the Tivoli management region server. The target machines are displayed in the Clients to Install On scrolling list.

4. Click the Install button to begin installing the module. The installation process prompts you with a Product Install dialog.

This dialog provides the list of operations that take place during the installation process. It also warns you of any problems that you should correct before you install the module.

5. Click the Continue Install button to continue the installation process and display the Product Install status dialog. The Product Install status dialog presents status information as the installation proceeds.

When the installation is complete, the Product Install dialog displays a completion message.

6. Click the Close button to close the dialog.

Command Line

The following example command installs the PDOS Management Tasks. See the Tivoli Management Framework Reference Manual for more information about the winstall command.
winstall –c /cdrom –s colby –i PDOSTASK.IND

where:

–c /cdrom Specifies the path to the installation media.

–s colby Specifies the managed node in the Tivoli region to use as the module’s installation server. Normally, the module’s server is the Tivoli management region server, and that is the default setting. In this example, the server name is colby.


–i PDOSTASK.IND Specifies the index file from which this module is installed.

Installing the Tivoli Policy Director for Operating Systems Enterprise Console Integration

The Tivoli Policy Director for Operating Systems Enterprise Console Integration, Version 3.8 component provides a logfile event adapter that allows Tivoli Policy Director for Operating Systems events to be sent to the Tivoli Enterprise Console.

Note: Refer to the Tivoli Enterprise Console documentation to determine the operating system requirements that must be met to run Tivoli Enterprise Console. The Tivoli Policy Director for Operating Systems Enterprise Console Integration component can be installed on any supported Tivoli Enterprise Console system.

To take advantage of this component, you need to install Tivoli Enterprise Console before installing Tivoli Policy Director for Operating Systems Enterprise Console Integration. If you install Tivoli Enterprise Console after you have installed Tivoli Policy Director for Operating Systems Enterprise Console Integration, you must reinstall Tivoli Policy Director for Operating Systems Enterprise Console Integration.

The Tivoli Policy Director for Operating Systems Enterprise Console Integration package must be installed on the Tivoli management region server and the Tivoli Enterprise Console event server, as well as on any managed node that is a gateway to a Tivoli Policy Director for Operating Systems endpoint.

On the Tivoli management region server, tasks are installed to allow you to install the logfile adapter on the endpoint. On the managed nodes, files for distribution to the Tivoli Policy Director for Operating Systems endpoints are installed.

On the Tivoli Enterprise Console server, the appropriate configuration files are installed to allow the Tivoli Enterprise Console to recognize and process Tivoli Policy Director for Operating Systems events. An adapter configuration profile name, PDOS-ACPROF or PDOS-RISKMGR-ACPROF, is created in the profile manager and a tecad_logfile_pdos or tecad_logfile_pdos_riskmgr record is added to that profile to configure the logfile adapter on the endpoint. More information on installing a Tivoli Enterprise Console event server and using the adapter configuration facility can be found in the Tivoli Enterprise Console User’s Guide.

Note: You must configure the Tivoli Enterprise Console logfile adapter before using it. Refer to the Tivoli Policy Director for Operating Systems Administration Guide for details.

Desktop

To install Tivoli Policy Director for Operating Systems Enterprise Console Integration, Version 3.8, perform the following steps on the Tivoli management region server, the Tivoli Enterprise Console event server, and any managed node that acts as a gateway for a Tivoli Policy Director for Operating Systems endpoint.

1. Select the Install –> Install Product... option from the Desktop menu to display the Install Product dialog.

2. Select Tivoli Policy Director for Operating Systems Enterprise Console Integration, Version 3.8 from the Select Product to Install scrolling list.

3. Select the managed nodes and servers on which to install the module. This list should include the Tivoli management region server, the Tivoli Enterprise Console event server, and any managed node that acts as a gateway for a Tivoli Policy Director for Operating Systems endpoint. The target machines are displayed in the Clients to Install On scrolling list.

4. Click the Install button to begin installing the module. The installation process prompts you with a Product Install dialog.

This dialog provides the list of operations that take place during the installation process. It also warns you of any problems that you should correct before you install the module.

5. Click the Continue Install button to continue the installation process and display the Product Install status dialog. The Product Install status dialog presents status information as the installation proceeds.

When the installation is complete, the Product Install dialog displays a completion message.

6. Click the Close button to close the dialog.

Command Line

The following example command installs the Tivoli Policy Director for Operating Systems Enterprise Console Integration, Version 3.8.
winstall –c /cdrom –s monterey –i PDOSTEC.IND

where:

–c /cdrom Specifies the path to the installation media.

–s monterey Specifies the managed node in the Tivoli region to use as the module’s installation server. Normally, the module’s server is the Tivoli management region server, and that is the default setting. In this example, the node name is monterey.

–i PDOSTEC.IND Specifies the index file from which this module is installed.

Upgrade Considerations After Installing

If you have just upgraded a previous version of Tivoli Policy Director for Operating Systems to this version, do the following:

1. If you disabled autostart of the Tivoli Policy Director for Operating Systems daemons before upgrading, re-enable it by logging in as root and entering the following command:
pdoscfg -autostart on

2. If you were using the PDOSTECD daemon to send events to Tivoli Enterprise Console and had the daemon enabled for autostart before upgrading, re-enable it by entering the following command:
pdosteccfg -autostart on

Changes were made to the initial Tivoli Policy Director for Operating Systems policy. This is the policy that is defined by default when the first Tivoli Policy Director for Operating Systems system is initially configured and when the first system of each new policy branch is configured.

The changes made in this version help establish more distinct roles for Tivoli Policy Director for Operating Systems runtime administrators and auditors. These changes also make it possible to establish native non-root users as Tivoli Policy Director for Operating Systems runtime administrators and auditors and to remove the native root user from being a Tivoli Policy Director for Operating Systems runtime administrator or auditor.


These changes were not automatically applied during your upgrade of Tivoli Policy Director for Operating Systems. You should review the changes and then apply them to your existing environment.

There are two files provided that contain the policy updates. They each contain a set of Tivoli Policy Director pdadmin commands that make the necessary changes to upgrade the policy. The files are:

osseal.once-only.u3800 Contains the policy changes that need to be applied once to each Tivoli Policy Director management server domain.

osseal.per-policy.u3800 Contains the policy changes that need to be applied to each policy branch.

3. Review the osseal.once-only.u3800 and osseal.per-policy.u3800 files in the /opt/pdos/etc directory to understand the nature of the changes being made. The default policy established by Tivoli Policy Director for Operating Systems ensures that the system functions properly and maintains a secure environment. The existing default policy should not be modified.

Note: If you use Tivoli Security Manager to manage the Tivoli Policy Director for Operating Systems security policy and you have changed any of the policy initially defined when Tivoli Policy Director for Operating Systems, Version 3.7 was installed and configured, you should review these policy upgrades and incorporate them into your security profiles as appropriate.

4. Apply the changes to your existing policy that affect the Tivoli Policy Director management server region by running the pdos_defpolicy_update script on any system that has Tivoli Policy Director for Operating Systems Version 3.8 installed and configured:
pdos_defpolicy_update -f /opt/pdos/etc/osseal.once-only.u3800

You are prompted for the Tivoli Policy Director security master password.

5. Apply the changes to your existing policy that affect each policy branch by running the pdos_defpolicy_update script:
pdos_defpolicy_update -f /opt/pdos/etc/osseal.per-policy.u3800 -branch branch-name

where branch-name is the name of the policy branch. If you run the script on a system that is configured to use the policy branch, you do not need to specify the -branch option. You are prompted for the Tivoli Policy Director security master password.

6. After updating the default policy in each Tivoli Policy Director management server region and in every policy branch, restart Tivoli Policy Director for Operating Systems by entering the following command:
rc.osseal start

Note: If Tivoli Policy Director for Operating Systems has been active at any time since the last reboot, the system must be rebooted before starting this new version. Rebooting ensures that the Tivoli Policy Director for Operating Systems components that run in user-level application space and those that run in the UNIX kernel are at the same level. After this new version is installed, if a previous version of the kernel components is still loaded, attempts to start Tivoli Policy Director for Operating Systems fail until the system is rebooted.


Configuring

This chapter explains how to configure Tivoli Policy Director for Operating Systems on AIX, HP-UX, Solaris, and Linux.

If you installed using native install, you must configure Tivoli Policy Director for Operating Systems as described in this chapter before using it. If you installed using either Easy Install or Tivoli Desktop Install, Tivoli Policy Director for Operating Systems has been initially configured for you, but you might want to review that initial configuration and make changes to suit your environment.

The configuration command is pdoscfg. Some configuration options are required; others are optional. This command can also be used to reconfigure certain configuration options without first unconfiguring Tivoli Policy Director for Operating Systems on a system.

The following sections include information about:

¶ Planning to configure Tivoli Policy Director for Operating Systems

¶ Usage of Tivoli Policy Director for Operating Systems configuration command options

¶ Configuration options

¶ Configuring from the command line

¶ Configuring using a response file

Planning to Configure Tivoli Policy Director for Operating Systems

Before you configure and run Tivoli Policy Director for Operating Systems on a system, you should carefully consider how the authorization policy will be set up and which policy branch name this machine will be configured to use. To ensure that the authorization policy is correctly enforced, careful consideration should be given to how the local user name space maps to the Tivoli Policy Director User Registry name space. For more information, see the Tivoli Policy Director for Operating Systems Administration Guide.

Before you configure Tivoli Policy Director for Operating Systems, your environment needs to be in a certain state and you need to know some information about your system:

1. The Tivoli Policy Director management server, Version 3.8, should be configured to use the LDAP User Registry.

2. The Tivoli Policy Director management server and LDAP User Registry should be running.

3. The Tivoli Policy Director Runtime Environment must be installed and configured on the same machine on which Tivoli Policy Director for Operating Systems is installed.


4. You should have your base64 encoded LDAP SSL CA certificate file from the LDAP server machine.

Note: If you used the ezinstall_ldap_server script to install and configure your LDAP server and you chose to use the default LDAP SSL CA certificate file provided by Tivoli Policy Director, you must obtain the /etc/gsk/pd_ldapcert.arm file from the LDAP server and use that file during Tivoli Policy Director for Operating Systems configuration.

5. You should know your LDAP User Registry suffix.

6. You should know the name of the policy branch under which you are configuring.

7. You should know the Tivoli Policy Director security master password.

Additionally, you should review the options that can be used with the configuration command to determine which ones you might want to customize to your particular situation.

Certain options must be specified on initial configuration. These mandatory configuration options are:

¶ branch

¶ suffix

¶ ldap_ssl_cacert

If you do not supply the Tivoli Policy Director security master password, you will be prompted for it. After you configure Tivoli Policy Director for Operating Systems, you must start it. See Chapter 6, “Starting and Stopping” on page 51 for information on doing this.

Usage of Configuration Command Options

Tivoli Policy Director for Operating Systems configuration command options are used with the configuration command pdoscfg. Options that are not required are in square brackets; options without square brackets are required when initially configuring Tivoli Policy Director for Operating Systems.

If you want to reconfigure the -branch and -suffix options, you must first unconfigure Tivoli Policy Director for Operating Systems and then run the configuration command again. If you want to reconfigure the -ssl_listening_port and -ldap_ssl_cacert options, you must stop Tivoli Policy Director for Operating Systems before running the configuration command.


Configuration Options

Options for the configuration command are described in this section. The definition and default, if applicable, for each option is given. Information about minimum and maximum values is given in Appendix A, “Configuration Options” on page 65.

-admin_cred_refresh
    Refresh interval of administrator’s credentials in minutes.

    Default: 360

-audit_level
    A comma-separated list of audit levels. The levels are all, none, permit, deny, loginpermit, logindeny, admin, verbose, info, trace_exec, and trace_file.

    Default: none

-audit_log_entries
    Number of PDOSAUDITD log entries before rolling over to a new log. The default 0 means never roll over to a new log.

    Default: 0

    pdoscfg [-admin_cred_refresh number_of_minutes]
            [-audit_level (all | none | permit | deny | loginpermit | logindeny | admin | verbose | info | trace_exec | trace_file)]
            [-audit_log_entries number_of_log_entries]
            [-audit_logflush number_of_seconds]
            [-audit_logs number_of_logs]
            [-audit_log_size number_of_bytes]
            [-autostart (on | off)]
            -branch policy_branch_name
            [-cred_hold number_of_minutes]
            [-delete (comma_delimited_list_of_options)]
            [-dns (on | off)]
            [-help]
            [-kmsg_hnd_threads number_of_threads]
            -ldap_ssl_cacert ldap_certificate_file_name
            [-login_policy (on | off)]
            [-operations]
            [-pdosd_log_entries number_of_log_entries]
            [-pdosd_logs number_of_logs]
            [-pdoswdd_log_entries number_of_log_entries]
            [-pdoswdd_logs number_of_logs]
            [-refresh_interval number_of_minutes]
            [-rspfile file_name]
            [-sec_master_pwd security_master_password]
            [-ssl_listening_port port_to_listen_for_notification]
            -suffix policy_director_suffix
            [-tcb_ignore_ctime (on | off)]
            [-tcb_interval number_of_minutes]
            [-tcb_max_file_size number_of_megabytes]
            [-tcb_monitor_threads number_of_threads]
            [-tcb_nocrc_on_exec (on | off)]
            [-uid (on | off)]
            [-usage]
            [-user_cred_refresh number_of_minutes]
            [-version]
            [-warning (on | off)]
            [-?]

Figure 2. pdoscfg Command


-audit_logflush
    Interval in seconds to flush the audit log buffers.

    Default: 5

-audit_logs
    Number of PDOSAUDITD log files to use before recycling log files. A value of 0 indicates that log files should never be recycled. Setting logs to a nonzero value has an effect only if audit_log_entries is nonzero.

    Default: 0

-audit_log_size
    Maximum size in bytes of a log file before the log rolls over to a new log.

    Default: 1000000

-autostart
    Automatically start Tivoli Policy Director for Operating Systems when the system starts.

    Default: on

-branch
    Name of the policy branch to which this machine subscribes.

-cred_hold
    Maximum amount of time in minutes that a nonadministrator credential is cached without being accessed. This value must be greater than or equal to the admin_cred_refresh value and the user_cred_refresh value.

    Default: 10080

-delete
    Comma-separated list of options to remove from the configuration files. Supported options are admin_cred_refresh, audit_level, audit_log_entries, audit_logflush, audit_logs, audit_log_size, cred_hold, dns, kmsg_hnd_threads, pdosd_log_entries, pdosd_logs, pdoswdd_log_entries, pdoswdd_logs, refresh_interval, tcb_interval, tcb_max_file_size, tcb_monitor_threads, uid, user_cred_refresh, and warning.

-dns
    Enables Tivoli Policy Director for Operating Systems to cache the IP address to host name mapping information.

    Default: on

-help
    Displays help for all of the options. To display help for one option, type -help -option, where -option is the name of that option.

-kmsg_hnd_threads
    Number of threads used to handle authorization requests. Must be a positive integer.

    Increasing this value on multi-processor systems with more than 8 processors can reduce the time authorization requests take and improve performance. On systems with more than 8 processors, specify a value equal to the number of processors in the system; otherwise leave the default value. The maximum recommended number of threads at this time is 24.

    Default: 8

-ldap_ssl_cacert
    The CA certificate of the LDAP server that contains the Tivoli Policy Director User Registry. This certificate is required for the mutual authentication that occurs between Tivoli Policy Director for Operating Systems and the LDAP server.

    If you used the ezinstall_ldap_server script to install and configure your LDAP server and you chose to use the default LDAP SSL CA certificate file provided by Tivoli Policy Director, you must obtain the /etc/gsk/pd_ldapcert.arm file from the LDAP server and use that file during Tivoli Policy Director for Operating Systems configuration.

-login_policy
    Enable system login and password restrictions.

    After enabling login policy, any graphical login methods, such as dtlogin, that are running must be restarted if login activity policy is to be active for logins using those methods. When the graphical login program is restarted, the login activity policy is read and made active.

    Default: on

-operations
    Lists the supported options.

-pdosd_log_entries
    Number of PDOSD log entries to use before rolling over to a new log. The default 0 means never roll over to a new log.

    Default: 0

-pdosd_logs
    Number of PDOSD log files to use before recycling log files. A value of 0 indicates that log files should never be recycled. Setting logs to a nonzero value has an effect only if pdosd_log_entries is nonzero.

    Default: 0

-pdoswdd_log_entries
    Number of PDOSWDD log entries to use before rolling over to a new log. The default 0 means never roll over to a new log.

    Default: 0

-pdoswdd_logs
    Number of PDOSWDD log files to use before recycling log files. A value of 0 indicates that log files should never be recycled. Setting logs to a nonzero value has an effect only if pdoswdd_log_entries is nonzero.

    Default: 0

-refresh_interval
    Interval in minutes at which the Tivoli Policy Director management server is polled for policy updates, if none have been received during the interval. A value of zero indicates that policy database updates are not received by polling. Compare -ssl_listening_port: if both are zero, this machine receives no policy updates at all.

    Default: 0

-rspfile
    Name of the file containing option values for the configuration.

-sec_master_pwd
    Tivoli Policy Director security master password.


-ssl_listening_port
    Port to listen on for policy database update notifications. A value of zero indicates that policy database updates will not be received by notification. Compare -refresh_interval.

    Default: 7134

-suffix
    The LDAP suffix under which the Tivoli Policy Director users and groups associated with Tivoli Policy Director for Operating Systems should be created during configuration.

-tcb_ignore_ctime
    Causes ctime to be ignored when performing Trusted Computing Base (TCB) signature comparisons. When this option is enabled, a change in ctime does not cause the TCB resource to become untrusted.

    Default: off

-tcb_interval
    Interval in seconds during which all TCB files are checked for signature changes. The workload is distributed approximately uniformly over this interval.

    Default: 1800

-tcb_max_file_size
    Maximum number of megabytes of a file considered significant for calculating a checksum. The bytes checked are distributed throughout the file.

    Default: 10

-tcb_monitor_threads
    Number of threads used to monitor TCB files for changes. Setting this value above one is useful only on multi-processor machines. Must be a positive integer.

    Default: 1

-tcb_nocrc_on_exec
    Causes the CRC check that normally occurs as part of the authorization check associated with running an executable file to be skipped. Enabling this option avoids performing the CRC check on large binary files. Note that a modified executable is then no longer detected at the moment it is run; it is detected only by the periodic TCB check governed by -tcb_interval.

    Default: off

-uid
    Enables caching of the UID/GID to user/group name mapping information.

    Default: off

-usage
    Displays help on the command’s usage.

-user_cred_refresh
    Refresh interval of user’s credentials in minutes.

    Default: 720

-version
    Displays the version of the pdoscfg utility.

-warning
    Enables global authorization warning mode.

    Default: off

-?
    Displays help on the command’s usage.

Configuring from the Command Line

For initial configuration of Tivoli Policy Director for Operating Systems from the command line, use this example:

    pdoscfg -ldap_ssl_cacert /tmp/ldapcacert.b64 \
        -branch policy_branch_name \
        -suffix o=tivoli

You are prompted for the Tivoli Policy Director security master password.

Configuring Using a Response File

Tivoli Policy Director for Operating Systems can be configured using a response file. A response file contains the information that you would normally specify on the command line. Using a response file enables you to automate your configuration process by eliminating the need to enter the information at the command line. If you prefer to automate only part of the process, you can create a partial response file that contains information for only one option or a few options. You can then specify the remaining options on the command line. Options specified on the command line override the values provided in the response file.

Each line in a response file contains an attribute and an associated value. The value is used by the configuration program as if it were input on the command line.

Creating a Response File

The response file format is the same as the configuration file format. The response file contains stanzas of attribute=value pairs. A stanza starts with a line containing the stanza name in brackets and ends either when another line begins with another stanza name in brackets or when the end of the file is reached. Each stanza contains zero or more attribute=value pairs. A stanza name cannot be repeated in a response file. Comments can be added to a response file by using the character # before the comment.

A response file looks like the following example:

    [policy]
    #Information about the policy.
    branch=policy_name
    [ldap]
    ssl-certificate=/tmp/ldapcacert.b64
    [credentials]
    admin-cred-refresh=30
    [pdoscfg]
    sec-master-pwd=cGo0sutbnielr
    suffix=o=tivoli
    [ssl]
    ssl-listening-port=888

In the example, the stanza name lines are [policy], [ldap], [credentials], [pdoscfg], and [ssl]. The policy stanza contains the attribute=value pair branch=policy_name. The ldap stanza contains the attribute=value pair ssl-certificate=/tmp/ldapcacert.b64. The credentials stanza contains the attribute=value pair admin-cred-refresh=30. The pdoscfg stanza contains the attribute=value pairs sec-master-pwd=cGo0sutbnielr and suffix=o=tivoli. The ssl stanza contains the attribute=value pair ssl-listening-port=888. The example response file has one comment: ″#Information about the policy.″

Note that sec-master-pwd is stored in the response file in clear text. A response file that contains it should be readable only by root and should be removed once configuration is complete; if you would rather not write the password to disk at all, leave sec-master-pwd out of the file and let pdoscfg prompt for it.


A response file can also be created by concatenating the configuration files into one file. The configuration files that you use are in the /opt/pdos/etc directory and include osseal.conf, pdosd.conf, pdosauditd.conf, and pdoswdd.conf.

Using a Response File

To use a response file to configure Tivoli Policy Director for Operating Systems, type the response file name on the command line after the pdoscfg command with the -rspfile option. For example:

    pdoscfg -rspfile /opt/pdos/etc/config.rsp

If you want to override items in the response file or to provide additional items to the response file, type the response file name on the command line after the pdoscfg command with the -rspfile option and the option for each of the items that you want to override or to add to the configuration. For example:

    pdoscfg -rspfile /opt/pdos/etc/config.rsp \
        -uid off \
        -audit_level all

Mapping Command Line Options to Attributes in Response File

The response file has stanzas that contain sets of attribute=value pairs. Stanzas and attributes map to the command line options as shown in the following table.

Table 9. Attribute Equivalents of pdoscfg Options

    Stanza           Attribute                 Option
    [audit]          level                     -audit_level
    [authorization]  warning                   -warning
    [cache]          dns                       -dns
                     uid                       -uid
    [credentials]    admin-cred-refresh        -admin_cred_refresh
                     cred-hold                 -cred_hold
                     user-cred-refresh         -user_cred_refresh
    [ldap]           ssl-certificate           -ldap_ssl_cacert
    [pdosauditd]     log-entries               -audit_log_entries
                     audit-logflush            -audit_logflush
                     logs                      -audit_logs
                     audit-logsize             -audit_log_size
    [pdoscfg]        sec-master-pwd            -sec_master_pwd
                     delete                    -delete
                     suffix                    -suffix
                     autostart                 -autostart
                     login-policy              -login_policy
    [pdosd]          kmsg-handler-threads      -kmsg_hnd_threads
                     log-entries               -pdosd_log_entries
                     logs                      -pdosd_logs
    [pdoswdd]        log-entries               -pdoswdd_log_entries
                     logs                      -pdoswdd_logs
    [policy]         branch                    -branch
                     refresh-interval          -refresh_interval
    [ssl]            ssl-listening-port        -ssl_listening_port
    [tcb]            ignore-ctime              -tcb_ignore_ctime
                     interval                  -tcb_interval
                     max-checksum-file-size    -tcb_max_file_size
                     monitor-threads           -tcb_monitor_threads
                     nocrc-on-exec             -tcb_nocrc_on_exec
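Several of the rules stated in “Configuration Options” and “Creating a Response File” can be checked before pdoscfg is ever run: the three mandatory options, the requirement that cred-hold be at least as large as the two refresh intervals, the fact that a nonzero logs value does nothing while log-entries is 0, the case where refresh-interval and ssl-listening-port are both 0 so no policy updates are ever received, the rule that a stanza name may not repeat, and the clear-text sec-master-pwd. The script below is an added example written for this page; it is not part of the product or of the manual. It parses a response file in the stanza format described above, looks attributes up by their Table 9 names, and reports findings. The sample response file it writes is constructed from the manual’s own example (plus a [pdosauditd] stanza); pdoscfg itself is never invoked.

```shell
#!/bin/sh
# Added example for this page, not part of the IBM product or manual: sanity-check a
# pdoscfg response file before running "pdoscfg -rspfile FILE". Stanza and attribute
# names are the Table 9 names; the numeric rules and defaults are those stated in the
# option descriptions above. pdoscfg itself is never invoked here.

# Emit "stanza.attribute=value" for each pair, skipping blank lines and # comments.
rsp_pairs() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^\[/ { stanza = $0; sub(/^\[/, "", stanza); sub(/\].*$/, "", stanza); next }
        index($0, "=") > 0 {
            eq = index($0, "=")
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            print stanza "." key "=" val
        }' "$1"
}

# Value of attribute $3 in stanza $2 of file $1, or "" if unset. Only the first "=" splits,
# so "suffix=o=tivoli" yields "o=tivoli".
rsp_get() {
    rsp_pairs "$1" | awk -v k="$2.$3=" 'index($0, k) == 1 { print substr($0, length(k) + 1); exit }'
}

# Apply the manual's rules to file $1. Prints one ERROR:/WARN: line per finding and
# returns 1 if anything was an ERROR.
rsp_check() {
    rf=$1; rc=0

    # A stanza name may appear only once in a response file.
    dups=$(grep -E '^\[[^]]*\]' "$rf" | sort | uniq -d)
    if [ -n "$dups" ]; then echo "ERROR: repeated stanza: $dups"; rc=1; fi

    # branch, suffix and the LDAP CA certificate are mandatory on initial configuration;
    # if they are not in the file they must be given on the command line.
    for spec in policy/branch pdoscfg/suffix ldap/ssl-certificate; do
        if [ -z "$(rsp_get "$rf" "${spec%/*}" "${spec#*/}")" ]; then
            echo "WARN: [${spec%/*}] ${spec#*/} not set; supply it on the pdoscfg command line"
        fi
    done

    # cred-hold must be >= admin-cred-refresh and user-cred-refresh (defaults 10080, 360, 720).
    hold=$(rsp_get "$rf" credentials cred-hold);         hold=${hold:-10080}
    adm=$(rsp_get "$rf" credentials admin-cred-refresh); adm=${adm:-360}
    usr=$(rsp_get "$rf" credentials user-cred-refresh);  usr=${usr:-720}
    if [ "$hold" -lt "$adm" ] || [ "$hold" -lt "$usr" ]; then
        echo "ERROR: cred-hold $hold is below admin-cred-refresh $adm or user-cred-refresh $usr"
        rc=1
    fi

    # [pdosauditd] logs only takes effect when log-entries is nonzero.
    logs=$(rsp_get "$rf" pdosauditd logs); entries=$(rsp_get "$rf" pdosauditd log-entries)
    if [ "${logs:-0}" -ne 0 ] && [ "${entries:-0}" -eq 0 ]; then
        echo "WARN: [pdosauditd] logs=$logs has no effect while log-entries is 0"
    fi

    # refresh-interval 0 (the default) together with ssl-listening-port 0 means policy
    # updates arrive neither by polling nor by notification.
    ri=$(rsp_get "$rf" policy refresh-interval); port=$(rsp_get "$rf" ssl ssl-listening-port)
    if [ "${ri:-0}" -eq 0 ] && [ "${port:-7134}" -eq 0 ]; then
        echo "WARN: refresh-interval 0 and ssl-listening-port 0: policy updates are never received"
    fi

    # sec-master-pwd is stored in clear text; the file must be readable by its owner only.
    if [ -n "$(rsp_get "$rf" pdoscfg sec-master-pwd)" ]; then
        mode=$(ls -ld "$rf" | cut -c1-10)
        if [ "$mode" != "-rw-------" ]; then
            echo "ERROR: $rf holds sec-master-pwd but has mode $mode (expected -rw-------)"; rc=1
        fi
    fi
    return $rc
}

# Constructed sample: the manual's example response file plus a [pdosauditd] stanza,
# written to a mode-600 temporary file. Prints the file name.
rsp_sample() {
    sf=$(mktemp); chmod 600 "$sf"
    cat > "$sf" <<'EOF'
[policy]
#Information about the policy.
branch=policy_name
[ldap]
ssl-certificate=/tmp/ldapcacert.b64
[credentials]
admin-cred-refresh=30
[pdoscfg]
sec-master-pwd=cGo0sutbnielr
suffix=o=tivoli
[ssl]
ssl-listening-port=888
[pdosauditd]
logs=5
EOF
    echo "$sf"
}

sample=$(rsp_sample)
if rsp_check "$sample"; then echo "OK: pdoscfg -rspfile $sample"; fi
rm -f "$sample"
```

On the sample file the only finding is the warning about logs=5 without log-entries, so the check passes; a file with a repeated [credentials] stanza, a cred-hold below the refresh intervals, or a clear-text password in a world-readable file is rejected before pdoscfg sees it. Run the check as the same user that will run pdoscfg, since the permission test looks at the file as it sits on disk.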


Configuring the PDOSTECD Daemon

This chapter briefly describes how to configure the PDOSTECD daemon on AIX, HP-UX, Solaris, and Linux. The PDOSTECD daemon only needs to be configured if you intend to use the Tivoli Policy Director for Operating Systems Enterprise Console Integration component.

You must configure the PDOSTECD daemon before using it unless both of the following statements are true:

¶ You installed the Tivoli Policy Director for Operating Systems Enterprise Console Integration component from the Tivoli desktop, and

¶ This is the first time you have installed Tivoli Policy Director for Operating Systems on this system, or this is an upgrade of an existing system that had patch 3.7-SEC-0003 or later already applied.

The PDOSTECD daemon configuration command is pdosteccfg.

Information on the PDOSTECD daemon, the pdosteccfg command, and details on integrating Tivoli Policy Director for Operating Systems with Tivoli Enterprise Console and Tivoli Risk Manager can be found in the Tivoli Policy Director for Operating Systems Administration Guide.

Planning to Configure the PDOSTECD Daemon

The initial configuration of the PDOSTECD daemon defines authorization policy in the Tivoli Policy Director ACL database that is used later when the integration with Tivoli Enterprise Console or Tivoli Risk Manager is done.

You need to know the Tivoli Policy Director security master password in order to set the PDOSTECD daemon so that it does not start automatically. The initial configuration of the daemon should be done with autostart set to off.

Configuring from the Command Line

To set the PDOSTECD daemon so that it does not start automatically, log on as root and enter the following command:

    pdosteccfg -autostart off

You are prompted for the Tivoli Policy Director security master password.


Starting and Stopping

This chapter explains how to start and stop Tivoli Policy Director for Operating Systems.

Note: The operations outlined in this chapter can be done only by a Tivoli Policy Director for Operating Systems runtime administrator.

Starting Tivoli Policy Director for Operating Systems

You can start Tivoli Policy Director for Operating Systems manually from the command line or you can use autostart.

Command Line

To start Tivoli Policy Director for Operating Systems, enter the following command on the command line:

    rc.osseal start

Note: If this is the first time that Tivoli Policy Director for Operating Systems is being started after a system reboot, the command must be performed as root.

Autostart

If you did not disable autostart at initial configuration, Tivoli Policy Director for Operating Systems defaults to autostart at system reboot.

To stop Tivoli Policy Director for Operating Systems from starting automatically at system restart, type the following command on the command line and press Enter. When the system reboots, Tivoli Policy Director for Operating Systems will not be started automatically.

    pdoscfg -autostart off

If you have autostart disabled, or you have recently enabled autostart but do not want to reboot the system at this time, you can immediately start Tivoli Policy Director for Operating Systems by logging in as root and entering the following command on the command line and pressing Enter.

    rc.osseal start

Protection Against Errors During Initialization

Tivoli Policy Director for Operating Systems attempts to identify common environmental errors during initialization and prevents its daemons from starting if these conditions exist.

Kernel Extension Must Be Loaded

The kernel extension needed by Tivoli Policy Director for Operating Systems must be successfully installed before the daemons are started. To help ensure that the kernel extension is installed, Tivoli Policy Director for Operating Systems creates a temporary file called /opt/pdos/etc/kosseal_starting___load. (There are 3 underscore characters between the last two words in the file name.) This file is removed after the kernel extension is successfully loaded.

The presence of this temporary file prevents the Tivoli Policy Director for Operating Systems daemons from starting. This protects your system against repeated failures when Tivoli Policy Director for Operating Systems is configured to start automatically but the loading of the kernel extension has been unsuccessful.

After saving diagnostic data about this error and reporting the problem to Tivoli Customer Support, you can delete this temporary file and attempt to start Tivoli Policy Director for Operating Systems again.

Users and Groups Must Be Present

Tivoli Policy Director for Operating Systems relies on the osseal user ID, the osseal group, and the ossaudit group being available. If these are not available, Tivoli Policy Director for Operating Systems does not start.

If you are running in an NIS environment, ensure that the osseal user ID and the osseal and ossaudit groups are defined locally and not in NIS. Otherwise, the user ID and groups are not usable when the NIS server is unavailable.

Confirming Tivoli Policy Director for Operating Systems Is Running

To confirm that Tivoli Policy Director for Operating Systems is running, enter the following command on the command line:

    pdosctl -s
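The two startup preconditions just described (no leftover kosseal_starting___load sentinel, and the osseal user plus the osseal and ossaudit groups defined in the local files rather than only in NIS) can be verified before rc.osseal start is attempted. The shell functions below are an added example written for this page, not part of the product or the manual. They take the sentinel directory and the passwd and group files as parameters so that they can be exercised against copies; the passwd and group records used in the usage note are constructed, and the UIDs and GIDs in them are arbitrary.

```shell
#!/bin/sh
# Added example for this page, not part of the IBM product or manual: check the two
# startup preconditions described above before running "rc.osseal start". The sentinel
# directory and the passwd/group files are parameters so the checks can be run against
# copies; with no arguments the real /opt/pdos/etc, /etc/passwd and /etc/group are used.

PDOS_ETC=${PDOS_ETC:-/opt/pdos/etc}
SENTINEL=kosseal_starting___load    # three underscores, as the manual spells it

# 0 if no sentinel is left over from a failed kernel-extension load in directory $1, else 1.
check_sentinel() {
    dir=${1:-$PDOS_ETC}
    if [ -e "$dir/$SENTINEL" ]; then
        echo "FAIL: $dir/$SENTINEL exists: the kernel extension did not load on the last start."
        echo "      Save diagnostics and report the problem before removing the file and retrying."
        return 1
    fi
    return 0
}

# 0 if name $2 appears in field 1 of passwd/group-format file $1, else 1. The file is read
# directly instead of calling getent or id so that NIS-served entries do not count: the
# manual requires these accounts to exist locally.
local_entry_exists() {
    awk -F: -v n="$2" '$1 == n { found = 1 } END { exit !found }' "$1"
}

# Verify the osseal user and the osseal and ossaudit groups in passwd file $1 and group
# file $2. Returns the number of missing entries (0 = all present).
check_accounts() {
    pw=${1:-/etc/passwd}; gr=${2:-/etc/group}; missing=0
    if ! local_entry_exists "$pw" osseal; then
        echo "FAIL: user osseal is not defined locally in $pw"; missing=$((missing + 1))
    fi
    for g in osseal ossaudit; do
        if ! local_entry_exists "$gr" "$g"; then
            echo "FAIL: group $g is not defined locally in $gr"; missing=$((missing + 1))
        fi
    done
    return $missing
}

# Both preconditions; arguments as for check_sentinel ($1) and check_accounts ($2, $3).
preflight() {
    check_sentinel "$1" && check_accounts "$2" "$3"
}

if preflight "$@"; then
    echo "preflight passed; start with: rc.osseal start, then confirm with: pdosctl -s"
fi
```

Against constructed files such as a passwd containing `osseal:x:201:201:PDOS:/opt/pdos:/bin/false` and a group file containing `osseal:x:201:` and `ossaudit:x:202:`, preflight succeeds; drop the ossaudit line or create the sentinel file and it reports the exact condition that will stop the daemons, which is faster than reading the failure out of the logs after rc.osseal start.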

Stopping Tivoli Policy Director for Operating Systems

To stop Tivoli Policy Director for Operating Systems, type the following command on the command line and press Enter:

    rc.osseal stop

Starting and Stopping the PDOSTECD Daemon

The starting of the PDOSTECD daemon is handled as part of setting up the integration of Tivoli Policy Director for Operating Systems with Tivoli Enterprise Console or Tivoli Risk Manager. This procedure is described in the Tivoli Policy Director for Operating Systems Administration Guide and not included in this document.

To stop the PDOSTECD daemon, type the following command on the command line and press Enter:

    rc.pdostecd stop


Unconfiguring the PDOSTECD Daemon

This chapter explains how to unconfigure the PDOSTECD daemon on AIX, HP-UX, Solaris, and Linux.

The PDOSTECD daemon unconfiguration command is pdostecucfg. You must unconfigure the PDOSTECD daemon before unconfiguring Tivoli Policy Director for Operating Systems.

For detailed information about the pdostecucfg command, the PDOSTECD daemon itself, and the integration of Tivoli Policy Director for Operating Systems with Tivoli Enterprise Console and Tivoli Risk Manager, see the Tivoli Policy Director for Operating Systems Administration Guide.

Planning to Unconfigure the PDOSTECD Daemon

If you are unconfiguring the PDOSTECD daemon on the last machine that it is running on in your environment, you should remove the PDOSTECD daemon specific authorization policy from Tivoli Policy Director for Operating Systems as well. Updating the authorization policy requires the Tivoli Policy Director security master password.

Unconfiguring from the Command Line

To unconfigure the PDOSTECD daemon on this machine, but make no change to the authorization policy for the PDOSTECD daemon, enter the following command:

    pdostecucfg

To unconfigure the PDOSTECD daemon on this machine and remove the specific authorization policy about the PDOSTECD daemon defined in the Tivoli Policy Director ACL database, enter the following command:

    pdostecucfg -remove_per_policy on

You are prompted for the Tivoli Policy Director security master password before the Tivoli Policy Director ACL database is updated.


Unconfiguring

This chapter explains how to unconfigure Tivoli Policy Director for Operating Systems on AIX, HP-UX, Solaris, and Linux.

The Tivoli Policy Director for Operating Systems unconfiguration command is pdosucfg. This command removes the Tivoli Policy Director for Operating Systems configuration files, disables autostart of the daemons and the kernel extension, and unregisters Tivoli Policy Director for Operating Systems with Tivoli Policy Director.

The following sections include information about:

¶ Planning to unconfigure Tivoli Policy Director for Operating Systems

¶ Usage of the unconfiguration command options

¶ Unconfiguration options

¶ Using a response file for unconfiguration

¶ Unconfiguring associated products installed by Easy Install or Tivoli Desktop Install

Planning to Unconfigure Tivoli Policy Director for Operating Systems

Before you unconfigure Tivoli Policy Director for Operating Systems, your environment needs to be in a certain state and you need to know some information about your system:

1. The Tivoli Policy Director management server and the LDAP Server should be running.

2. The Tivoli Policy Director Runtime Environment should be installed and configured on the same machine that Tivoli Policy Director for Operating Systems is installed on.

3. You should know the Tivoli Policy Director security master password.

4. Unconfigure the PDOSTECD daemon, if it was configured. See Chapter 7, “Unconfiguring the PDOSTECD Daemon” on page 53.

5. Stop Tivoli Policy Director for Operating Systems. See Chapter 6, “Starting and Stopping” on page 51 for information on how to stop Tivoli Policy Director for Operating Systems.

Usage of the Unconfiguration Command Options

Tivoli Policy Director for Operating Systems unconfiguration options are used with the unconfiguration command pdosucfg.


Unconfiguration Options

Options for the unconfiguration command are described in this section. The definition and default, if applicable, for each option is given. Additional information about acceptable values for the options is given in Appendix B, “Unconfiguration Options” on page 69.

-help
    Displays help for all of the options. To display help for one option, type -help -option, where -option is the name of that option.

-operations
    Lists the supported options.

-remove_once_only
    Unregisters the Tivoli Policy Director for Operating Systems product policy. Do not specify this option if other Tivoli Policy Director for Operating Systems machines are configured to this Tivoli Policy Director management server, because it would make the other machines inoperable. If additional policy has been added, you may need to remove it manually.

    Default: off

-remove_per_policy
    Unregisters the Tivoli Policy Director for Operating Systems information specific to the policy branch that this machine is configured to use. Do not specify this option if other Tivoli Policy Director for Operating Systems machines are configured under that policy branch, because it would make the other machines inoperable. If additional policy has been added under that policy branch, you might need to remove it manually.

    Default: off

-rspfile
    File containing option values for the unconfiguration.

-sec_master_pwd
    Tivoli Policy Director security master password.

-usage
    Displays help on the command’s usage.

-version
    Displays the version.

-?
    Displays help on the command’s usage.

    pdosucfg [-help]
             [-operations]
             [-remove_once_only (on | off)]
             [-remove_per_policy (on | off)]
             [-rspfile file_name]
             [-sec_master_pwd security_master_password]
             [-usage]
             [-version]
             [-?]

Figure 3. pdosucfg Command


Using a Response File for UnconfigurationTivoli Policy Director for Operating Systems may be unconfigured using a response file.

Creating a Response FileThe format of the unconfiguration response file is the same as the format for a configurationresponse file.

The contents of a response file for unconfiguring Tivoli Policy Director for OperatingSystems looks like the following example:[pdoscfg]sec-master-pwd=cGo0sutbnielr

where[pdoscfg]

is the stanza name andsec-master-pwd=cGo0sutbnielr

is the attribute=value pair.

Using a Response FileTo use a response file to unconfigure Tivoli Policy Director for Operating Systems, type theresponse file name on the command line after the pdosucfg command with the –rspfileoption. For example:pdosucfg -rspfile /opt/pdos/etc/unconfig.rsp

where/opt/pdos/etc/unconfig.rsp

is the response file name.

If you want to override items in the response file or to provide additional items to theunconfiguration command, type the response file name on the command line after thepdosucfg command with the –rspfile option and the option for each of the items that youwant to override or to add to the unconfiguration. For example:pdosucfg -rspfile /opt/pdos/etc/unconfig.rsp –remove_per_policy off

Mapping Command Line Options to Attributes in Response File
The response file has stanzas that contain sets of attribute=value pairs. Stanzas and attributes map to the command line options as shown in the following table.

Table 10. Attribute Equivalents of pdosucfg Options

Stanza      Attribute            Option
[pdoscfg]   remove-once-only     –remove_once_only
            remove-per-policy    –remove_per_policy
            sec-master-pwd       –sec_master_pwd
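The response file layout and the override rule described above can be checked mechanically before pdosucfg is run. The following Python is an added example, not code from the guide or from the product: it reads the [pdoscfg] stanza, translates attribute names to pdosucfg options using Table 10, lets a command-line option override the value taken from the file, and rejects a response file whose mode makes it readable by group or other, because the file carries the security master password in clear text. The mode check is this example's own policy, and the sample response file with its EXAMPLE-PASSWORD value is constructed.

```python
"""Merge a pdosucfg response file with command-line overrides.

Added example; not part of the Tivoli guide or product. Assumes the
INI-style layout shown in the guide ([pdoscfg] stanza, attribute=value
pairs) and the attribute/option mapping of Table 10.
"""
import configparser
import os
import stat
from typing import Dict, List, Optional

# Table 10: response-file attribute -> pdosucfg command-line option
ATTR_TO_OPTION: Dict[str, str] = {
    "remove-once-only": "-remove_once_only",
    "remove-per-policy": "-remove_per_policy",
    "sec-master-pwd": "-sec_master_pwd",
}

# Constructed sample response file (the password value is a placeholder)
SAMPLE_RSP = """\
[pdoscfg]
sec-master-pwd=EXAMPLE-PASSWORD
remove-per-policy=on
"""


def parse_response_file(text: str) -> Dict[str, str]:
    """Return the attribute=value pairs of the [pdoscfg] stanza."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep attribute names exactly as written
    parser.read_string(text)
    if "pdoscfg" not in parser:
        raise ValueError("response file has no [pdoscfg] stanza")
    return dict(parser["pdoscfg"])


def unknown_attributes(attrs: Dict[str, str]) -> List[str]:
    """Attributes that Table 10 does not map to any pdosucfg option."""
    return [a for a in attrs if a not in ATTR_TO_OPTION]


def merge_options(rsp_attrs: Dict[str, str],
                  overrides: Dict[str, str]) -> Dict[str, str]:
    """Translate file attributes to options; an option given on the
    command line replaces the value read from the file, which is the
    override behaviour the guide describes for
    'pdosucfg -rspfile ... -remove_per_policy off'."""
    bad = unknown_attributes(rsp_attrs)
    if bad:
        raise ValueError(f"unknown attribute(s) in [pdoscfg]: {bad}")
    merged = {ATTR_TO_OPTION[a]: v for a, v in rsp_attrs.items()}
    merged.update(overrides)
    return merged


def build_command(options: Dict[str, str]) -> List[str]:
    """Render the merged option set as a pdosucfg argument vector."""
    argv = ["pdosucfg"]
    for opt in sorted(options):
        argv += [opt, options[opt]]
    return argv


def mode_is_private(mode: int) -> bool:
    """True when no group/other permission bit is set (0600 or tighter)."""
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def check_file_mode(path: str) -> Optional[str]:
    """Return a finding if the response file is readable beyond its owner.
    The file holds the security master password, so this example treats
    any group/other access as a misconfiguration (example policy)."""
    st = os.stat(path)
    if not mode_is_private(st.st_mode):
        return f"{path}: accessible by group/other ({stat.filemode(st.st_mode)})"
    return None


if __name__ == "__main__":
    attrs = parse_response_file(SAMPLE_RSP)
    print(build_command(merge_options(attrs, {"-remove_per_policy": "off"})))
```

Keeping the password in a root-owned, mode 0600 response file rather than on the pdosucfg command line also keeps it out of the process list, where command-line arguments are visible to other users.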

Unconfiguring Associated Products
If you installed using Easy Install or Tivoli Desktop Install, the following products might have been installed with Tivoli Policy Director for Operating Systems:

¶ IBM Global Security Toolkit

¶ IBM SecureWay Directory Client


¶ Tivoli Policy Director runtime environment.

The only one of these products that needs to be unconfigured is the Tivoli Policy Director runtime environment.

Note: Do not unconfigure the Tivoli Policy Director runtime environment if other products on the system are using it.

The steps to unconfigure the Tivoli Policy Director runtime environment are as follows:

1. Log on as root.

2. Enter the following command on the command line and press Enter:

   pdconfig

3. Choose option 2 to unconfigure Tivoli Policy Director.

4. A list of configured components is displayed. Starting at the first one listed, unconfigure each one, in order, until you have unconfigured the Tivoli Policy Director runtime component. Typically, only the Tivoli Policy Director runtime is listed; however, if other components have been installed and configured, they need to be removed prior to removing the runtime.


Uninstalling

This chapter explains how to uninstall Tivoli Policy Director for Operating Systems on AIX, HP-UX, Solaris, and Linux. You should be familiar with the native installation and uninstallation utility for the platform where you have installed Tivoli Policy Director for Operating Systems.

You might also have to uninstall one or more associated products that were installed along with Tivoli Policy Director for Operating Systems by Easy Install or Tivoli Desktop Install.

To uninstall Tivoli Policy Director for Operating Systems you must:

¶ Have root permission.

¶ Unconfigure the PDOSTECD daemon, if it was configured, as described in Chapter 7, “Unconfiguring the PDOSTECD Daemon” on page 53.

¶ Unconfigure Tivoli Policy Director for Operating Systems, as described in Chapter 8, “Unconfiguring” on page 55.

¶ Uninstall Tivoli Policy Director for Operating Systems following the procedures outlined in this chapter.

¶ Reboot your system after uninstalling Tivoli Policy Director for Operating Systems to remove the kernel extension.

¶ If you installed using Easy Install, unconfigure and uninstall the other products installed with Tivoli Policy Director for Operating Systems. The steps required to do this can be found in “Uninstalling Associated Products” on page 63.

If the osseal group entry, the ossaudit group entry, or the osseal user ID were created during installation, they are deleted when Tivoli Policy Director for Operating Systems is uninstalled.

Uninstalling on AIX
Tivoli Policy Director for Operating Systems can be uninstalled on AIX using SMIT, or it can be uninstalled from the command line.

Uninstalling on AIX Using SMIT
Use these steps to uninstall PDOS on AIX using SMIT:

1. Log on as root.

2. Enter the following command at the command line:

   smit

   The System Management Interface Tool window is displayed.


3. From the System Management window, click Software Installation and Maintenance.

4. From the Software Installation and Maintenance menu, click Software Maintenance and Utilities.

5. From the Software Maintenance and Utilities menu, click Remove Installed Software. The Remove Installed Software pop-up panel is displayed.

6. Click the entry field for Software Name and type PDOS.rte and PDOS.msg.language, where language is the locale and language version being uninstalled. For example, for US English, you would use:

   PDOS.msg.en_US

7. Before uninstalling the selected software, SMIT determines if it is possible to uninstall. PREVIEW only should be set to yes. Click OK. Click OK on the confirmation window.

8. During the Preview, a split screen shows the uninstall command and the output log for the preview of the uninstallation.

9. When the preview is complete, click Done.

10. The Remove Installed Software window is displayed. Specify no in PREVIEW only. Click OK.

11. Click OK on the confirmation window.

12. During the uninstallation, a split screen shows the uninstall command and the output log for the uninstallation.

13. When the uninstallation is complete, the Remove Installed Software window is displayed. Click Done.

14. Close the Remove Installed Software window.

15. Close the Software Maintenance Interface Tool window.

16. Reboot when uninstallation is complete.

Uninstalling on AIX Using the Command Line
To uninstall PDOS on AIX from the command line, use these steps:

1. Log on as root.

2. Enter the following command on the command line:

   installp -u -g PDOS.rte PDOS.msg.language

   where language is the locale and language version being uninstalled. For example, the command to uninstall the runtime and the associated US English messages is:

   installp -u -g PDOS.rte PDOS.msg.en_US

3. Reboot when uninstallation is complete.

Uninstalling on HP-UX
Tivoli Policy Director for Operating Systems can be uninstalled on HP-UX using swremove, or it can be uninstalled from the command line.

Uninstalling on HP-UX Using swremove
Use these steps to uninstall Tivoli Policy Director for Operating Systems on HP-UX using swremove:


1. Log on as root.

2. Enter the following command at the command line:

   swremove

   The SD Remove-Software Selection window is displayed.

3. Select all Tivoli Policy Director for Operating Systems packages to uninstall.

4. In the Action menu, select Mark for Remove.

5. In the Action menu, select Remove (analysis). The Remove (analysis) pop-up panel is displayed. When status is Ready, click OK.

6. In the confirmation pop-up panel, click Yes. The Remove window is displayed.

7. When status is Completed, click Done.

8. Close the SD Remove-Software Selection window.

9. Reboot when uninstallation is complete.

Uninstalling on HP-UX Using the Command Line
To uninstall Tivoli Policy Director for Operating Systems on HP-UX from the command line, use these steps:

1. Log on as root.

2. Enter the following command on the command line:

   swremove PDOSrte PDOSmsg.language

   where language is the locale and language version being uninstalled. For example, the command to uninstall the runtime along with the US English messages is:

   swremove PDOSrte PDOSmsg.en_US

3. Reboot when uninstallation is complete.

Uninstalling on Solaris
Tivoli Policy Director for Operating Systems can be uninstalled on Solaris using Admintool, or it can be uninstalled from the command line.

Uninstalling on Solaris Using Admintool
Use these steps to uninstall Tivoli Policy Director for Operating Systems on Solaris using Admintool:

1. Log on as root.

2. At the command line, type:

   admintool

   Press Return. The Admintool: Users window is displayed.

3. In the Admintool: Users Browse menu, highlight Software. The Admintool: Software window is displayed.

4. In the scrollable window in the Admintool: Software window, locate and highlight the packages to uninstall: Tivoli Policy Director for Operating Systems Runtime and Tivoli Policy Director for Operating Systems Messages - language, where language is the locale and language version being uninstalled. For example, the language version for US English is:


Tivoli Policy Director for Operating Systems Messages - U.S. English (en_US)

5. From the Edit menu, select Delete.

6. The Admintool: Warning window is displayed. Click Delete. The Admintool: Delete Software window is displayed.

7. Confirmation messages are displayed before packages are removed. The order in which they are displayed depends on the order in which the packages are removed. The confirmation message ″Do you want to remove this package?″ is displayed for each package. Type Yes when it is displayed. Press Return.

8. An additional confirmation message is displayed for the runtime package: ″This package contains scripts which will be executed with super-user permission during the process of removing this package. Do you want to continue with removal of this package?″ Type Yes. Press Return.

9. Press Return when complete.

10. Close the Admintool: Software window.

11. Reboot when uninstallation is complete.

Uninstalling on Solaris Using the Command Line
To uninstall Tivoli Policy Director for Operating Systems on Solaris from the command line, use these steps:

1. Log on as root.

2. Enter the following command on the command line:

   pkgrm PDOSrte PDOSlanguage

   where language is the locale and language version being uninstalled. For example, the command to uninstall the runtime and the associated US English messages is:

   pkgrm PDOSrte PDOSenUS

3. Confirmation messages are displayed before packages are removed. The order in which they are displayed depends on the order in which the packages are removed. The confirmation message ″Do you want to remove this package?″ is displayed for each package. Type Yes when it is displayed. Press Return.

4. An additional confirmation message is displayed for the runtime package: ″This package contains scripts which will be executed with super-user permission during the process of removing this package. Do you want to continue with removal of this package?″ Type Yes. Press Return.

5. When the uninstallation process is complete for each package, this message is displayed: ″Removal of package was successful.″

6. Reboot when uninstallation is complete.

Uninstalling on Linux
Tivoli Policy Director for Operating Systems can be uninstalled on Linux from the command line.

Uninstalling on Linux Using the Command Line
To uninstall Tivoli Policy Director for Operating Systems on Linux from the command line, use these steps:


1. Log on as root.

2. Enter the following command on the command line:

   rpm -e PDOSrte-PDOSruntime PDOSmsg-xx_XX

   where xx_XX is the language pack identifier.

3. Reboot when uninstallation is complete.

No messages are shown during uninstallation unless an unexpected error occurs.

Uninstalling Associated Products
If you installed Tivoli Policy Director for Operating Systems using Easy Install or Tivoli Desktop Install, you must uninstall the other products that might also have been installed. These products include:

¶ Tivoli Policy Director runtime

¶ IBM SecureWay Directory Client

¶ IBM Global Security Toolkit

To uninstall these associated products, follow the procedure outlined for your operating system platform.

Note: Ensure no other products on the system are using these products before uninstalling them.

AIX
To uninstall these associated products on AIX, do the following:

1. Log on as root.

2. Enter the following command on the command line:

   smitty maint

3. Choose the Remove Installed Software option.

4. At the SOFTWARE Name prompt, press F4 to display a list of packages. Remove the following packages by highlighting the entry and pressing F7:

¶ PD.RTE

¶ ldap.client.adt

¶ ldap.client.rte

¶ ldap.max_crypto_client.adt

¶ ldap.max_crypto_client.rte

¶ gskit.rte

After you have selected all the packages, press ENTER.

5. At the PREVIEW Only (remove operation will NOT occur) prompt, change the value to No by pressing the Tab key.

6. Press Enter to remove the selected components.

You also can use the installp command:


installp -u -g PD.RTE ldap.client.adt ldap.client.rte \
   ldap.max_crypto_client.adt ldap.max_crypto_client.rte \
   gskit.rte

HP-UX
To uninstall the Tivoli Policy Director runtime environment, the IBM Global Security Toolkit, and the IBM SecureWay Directory Client on HP-UX, do the following:

1. Log on as root.

2. Enter the following command on the command line and press Enter:

   swremove PDRTE LDAP GSK4BAS

Solaris
To uninstall the associated products on Solaris, do the following:

1. Log on as root.

2. Enter the following command on the command line and press Enter:

   pkgrm PDRTE IBMldapc gsk4bas

3. The pkgrm command might prompt you several times. Press Y each time.

Linux
To uninstall the associated products on Linux, do the following:

1. Log on as root.

2. Remove the components by issuing the following command:

   rpm -e PDRTE-PD ldap-clientd gsk4bas


Configuration Options
Options available for the Tivoli Policy Director for Operating Systems configuration command, pdoscfg, include:

Table 11. Configuration Options

–admin_cred_refresh
   Refresh interval of administrator’s credentials in minutes.
   Values: Minimum: 1; Maximum: maxint; Default: 360 (6 hours)

–audit_level
   A comma-separated list of values for global audit level.
   Values: all, none, permit, deny, loginpermit, logindeny, admin, verbose, info, trace_exec, trace_file

–audit_log_entries
   Number of PDOSAUDITD log entries before rolling over to a new log. The default 0 means never roll over to a new log.
   Values: Minimum: 0; Maximum: maxint; Default: 0

–audit_logflush
   Interval in seconds to flush the audit log buffers.
   Values: Minimum: 5; Maximum: 9999; Default: 5

–audit_logs
   Number of PDOSAUDITD files to use before recycling log files. A value of 0 indicates that log files should never be recycled. Setting logs to a nonzero value has an effect only if audit_log_entries is nonzero.
   Values: Minimum: 0; Maximum: maxint; Default: 0

–audit_log_size
   Maximum size in bytes of log file before the log rolls over to a new log.
   Values: Minimum: 1000000; Maximum: 100000000; Default: 1000000

–autostart
   Automatically start Tivoli Policy Director for Operating Systems when the system starts.
   Values: on | off; Default: on

–branch
   Name of the policy branch to which this machine subscribes.

–cred_hold
   Maximum amount of time in minutes that a nonadministrator credential is cached without being accessed. This value must be greater than or equal to the admin_cred_refresh value and the user_cred_refresh value.
   Values: Minimum: 1; Maximum: maxint; Default: 10080 (one week)


Table 11. Configuration Options (continued)

–delete
   Comma-separated list of options to remove from configuration files.
   Values: admin_cred_refresh, audit_level, audit_log_entries, audit_logflush, audit_logs, audit_log_size, cred_hold, dns, kmsg_hnd_threads, pdosd_log_entries, pdosd_logs, pdoswdd_log_entries, pdoswdd_logs, refresh_interval, tcb_interval, tcb_max_file_size, tcb_monitor_threads, uid, user_cred_refresh, warning

–dns
   Enables Tivoli Policy Director for Operating Systems to store the IP address to host name mapping information.
   Values: on | off; Default: on

–help
   Displays help for all of the options. To display help for one option, type –help –<option>.

–kmsg_hnd_threads
   Number of threads used to handle authorization requests from the kernel. Must be a positive integer.
   Increasing this value on multi-processor systems with more than 8 processors can reduce the time authorization requests take and improve performance. On systems with more than 8 processors, specify a value equal to the number of processors in the system; otherwise use the default value. The maximum recommended number of threads at this time is 24.
   Values: Minimum: 1; Maximum: maxint; Default: 8

–ldap_ssl_cacert
   The CA certificate of the LDAP Server that contains the Tivoli Policy Director User Registry. This certificate is required for the mutual authentication that occurs between Tivoli Policy Director for Operating Systems and the LDAP Server.
   If you used the ezinstall_ldap_server script to install and configure your LDAP server and you chose to use the default LDAP SSL CA certificate file provided by Tivoli Policy Director, you must obtain the /etc/gsk/pd_ldapcert.arm file from the LDAP server and use that file during Tivoli Policy Director for Operating Systems configuration.
   Values: The file must be provided.

–login_policy
   Enable systems login and password restrictions.
   Values: on | off; Default: on


Table 11. Configuration Options (continued)

–operations
   Lists the supported options.

–pdosd_log_entries
   Number of PDOSD log entries to use before rolling over to a new log. The default 0 means never roll over to a new log.
   Values: Minimum: 0; Maximum: maxint; Default: 0

–pdosd_logs
   Number of PDOSD log files to use before recycling log files. A value of 0 indicates that log files should never be recycled. Setting logs to a nonzero value has an effect only if pdosd_log_entries is nonzero.
   Values: Minimum: 0; Maximum: maxint; Default: 0

–pdoswdd_log_entries
   Number of PDOSWDD log entries to use before rolling over to a new log. The default 0 means never roll over to a new log.
   Values: Minimum: 0; Maximum: maxint; Default: 0

–pdoswdd_logs
   Number of PDOSWDD log files to use before recycling log files. A value of 0 indicates that log files should never be recycled. Setting logs to a nonzero value has an effect only if pdoswdd_log_entries is nonzero.
   Values: Minimum: 0; Maximum: maxint; Default: 0

–refresh_interval
   Interval in minutes that the Tivoli Policy Director management server is polled for policy updates, if it has not received any during the interval. A value of zero indicates that policy database updates are not received by polling. Compare –ssl_listening_port.
   Values: Minimum: 0; Maximum: maxint/60; Default: 0

–rspfile
   Name of file containing option values for the configuration.
   Values: The file must be provided.

–sec_master_pwd
   Tivoli Policy Director security master password.

–ssl_listening_port
   Port to listen for policy database update notifications. A value of zero indicates that policy database updates will not be received by notification. Compare –refresh_interval.
   Values: Minimum: 0; Maximum: 65535; Default: 7134

–suffix
   The LDAP suffix under which the Tivoli Policy Director for Operating Systems users and groups should be created during configuration.

–tcb_ignore_ctime
   Causes ctime to be ignored when performing Trusted Computing Base (TCB) signature comparisons. When this option is enabled, a change in ctime does not cause the TCB resource to become untrusted.
   Values: on | off; Default: off

–tcb_interval
   Interval in seconds during which all TCB files are checked for signature changes. The workload is approximately distributed uniformly over this interval.
   Values: Minimum: 1; Maximum: maxint; Default: 1800

–tcb_max_file_size
   Maximum number of megabytes of a file considered significant for calculating a checksum. The bytes checked are distributed throughout the file.
   Values: Minimum: 1; Maximum: (2^44) − 1; Default: 10


Table 11. Configuration Options (continued)

–tcb_monitor_threads
   Number of threads used to monitor TCB files for changes. Setting this value above one is useful only on multi-processor machines. Must be a positive integer.
   Values: Minimum: 1; Maximum: maxint; Default: 1

–tcb_nocrc_on_exec
   Causes the CRC check that normally occurs as part of the authorization check associated with running an executable file to be skipped. Enabling this option avoids performing the CRC check on large binary files.
   Values: on | off; Default: off

–uid
   Enables caching of the UID/GID to user/group name mapping information.
   Values: on | off; Default: off

–usage
   Displays help on the command’s usage.

–user_cred_refresh
   Refresh interval of user’s credentials in minutes.
   Values: Minimum: 1; Maximum: maxint; Default: 720

–version
   Displays the version of the pdoscfg utility.

–warning
   Enables global authorization warning mode.
   Values: on | off; Default: on

–?
   Displays help on the command’s usage.
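Table 11 states ranges and defaults for each option and two rules that span options: –cred_hold must not be below –admin_cred_refresh or –user_cred_refresh, and the *_logs options do nothing while the matching *_log_entries option is 0. The following Python is an added example, not code from the guide or from the product, that checks a proposed option set against those rules before the values are handed to pdoscfg. It assumes maxint is the 32-bit signed maximum, which the guide does not define; the MAXINT constant, the function names and the "both update paths disabled" warning (drawn from the –refresh_interval and –ssl_listening_port rows) are this example's own.

```python
"""Validate pdoscfg option values against Table 11.

Added example; not part of the Tivoli guide or product. Limits come
from the table; MAXINT is an assumption (the guide says only "maxint").
"""
from typing import Dict, List, Tuple, Union

MAXINT = 2**31 - 1  # assumption: 32-bit signed maximum

# integer options: option -> (minimum, maximum, default)
INT_OPTIONS: Dict[str, Tuple[int, int, int]] = {
    "admin_cred_refresh": (1, MAXINT, 360),
    "audit_log_entries": (0, MAXINT, 0),
    "audit_logflush": (5, 9999, 5),
    "audit_logs": (0, MAXINT, 0),
    "audit_log_size": (1_000_000, 100_000_000, 1_000_000),
    "cred_hold": (1, MAXINT, 10080),
    "kmsg_hnd_threads": (1, MAXINT, 8),
    "pdosd_log_entries": (0, MAXINT, 0),
    "pdosd_logs": (0, MAXINT, 0),
    "pdoswdd_log_entries": (0, MAXINT, 0),
    "pdoswdd_logs": (0, MAXINT, 0),
    "refresh_interval": (0, MAXINT // 60, 0),
    "ssl_listening_port": (0, 65535, 7134),
    "tcb_interval": (1, MAXINT, 1800),
    "tcb_max_file_size": (1, 2**44 - 1, 10),
    "tcb_monitor_threads": (1, MAXINT, 1),
    "user_cred_refresh": (1, MAXINT, 720),
}

# on|off options with their defaults
SWITCH_OPTIONS: Dict[str, str] = {
    "autostart": "on", "dns": "on", "login_policy": "on",
    "tcb_ignore_ctime": "off", "tcb_nocrc_on_exec": "off",
    "uid": "off", "warning": "on",
}

AUDIT_LEVELS = {"all", "none", "permit", "deny", "loginpermit", "logindeny",
                "admin", "verbose", "info", "trace_exec", "trace_file"}

# options the table lists without a value range (free text, file names)
FREE_OPTIONS = {"branch", "delete", "ldap_ssl_cacert", "rspfile",
                "sec_master_pwd", "suffix"}

# *_logs option -> *_log_entries option it depends on
LOG_DEPENDENCIES = (("audit_logs", "audit_log_entries"),
                    ("pdosd_logs", "pdosd_log_entries"),
                    ("pdoswdd_logs", "pdoswdd_log_entries"))


def effective(values: Dict[str, str]) -> Dict[str, Union[int, str]]:
    """Fill in the table defaults for every option not given explicitly."""
    eff: Dict[str, Union[int, str]] = {k: d for k, (_, _, d) in INT_OPTIONS.items()}
    eff.update(SWITCH_OPTIONS)
    for k, v in values.items():
        eff[k] = int(v) if k in INT_OPTIONS else v
    return eff


def validate(values: Dict[str, str]) -> List[str]:
    """Return findings; an empty list means the option set is acceptable.
    Range and syntax problems are 'error:'; the rest are 'warning:'."""
    problems: List[str] = []
    for k, v in values.items():
        if k in INT_OPTIONS:
            lo, hi, _ = INT_OPTIONS[k]
            if not v.lstrip("-").isdigit():
                problems.append(f"error: {k}={v!r} is not an integer")
            elif not lo <= int(v) <= hi:
                problems.append(f"error: {k}={int(v)} outside [{lo}, {hi}]")
        elif k in SWITCH_OPTIONS:
            if v not in ("on", "off"):
                problems.append(f"error: {k}={v!r} must be on or off")
        elif k == "audit_level":
            bad = [x.strip() for x in v.split(",") if x.strip() not in AUDIT_LEVELS]
            if bad:
                problems.append(f"error: audit_level has unknown values {bad}")
        elif k not in FREE_OPTIONS:
            problems.append(f"error: unknown option {k}")
    if problems:
        return problems
    eff = effective(values)
    # cross-option rule from the cred_hold row
    if eff["cred_hold"] < max(eff["admin_cred_refresh"], eff["user_cred_refresh"]):
        problems.append("error: cred_hold must be >= admin_cred_refresh and user_cred_refresh")
    # the *_logs rows: recycling only takes effect with a nonzero entry count
    for logs, entries in LOG_DEPENDENCIES:
        if eff[logs] != 0 and eff[entries] == 0:
            problems.append(f"warning: {logs} has no effect while {entries} is 0")
    # refresh_interval=0 disables polling, ssl_listening_port=0 disables notification
    if eff["refresh_interval"] == 0 and eff["ssl_listening_port"] == 0:
        problems.append("warning: refresh_interval and ssl_listening_port are both 0; "
                        "policy updates arrive neither by polling nor by notification")
    return problems


if __name__ == "__main__":
    for finding in validate({"admin_cred_refresh": "60", "cred_hold": "30"}):
        print(finding)
```

The same check is worth running on the configuration response file before pdoscfg -rspfile is used, since a rejected value on a busy system otherwise only shows up when the command fails.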


Unconfiguration Options
Options available for the Tivoli Policy Director for Operating Systems unconfiguration command, pdosucfg, include:

Table 12. Unconfiguration Options

–help
   Displays help for all of the options. To display help for one option, type –help –<option>.

–operations
   Lists the supported options.

–remove_once_only
   Unregister the Tivoli Policy Director for Operating Systems product policy. Do not specify this option if other Tivoli Policy Director for Operating Systems machines are configured to this Tivoli Policy Director Management Server, because it would make the other machines inoperable. If additional policy has been added, you may need to remove it manually.
   Values: on | off; Default: off

–remove_per_policy
   Unregister the policy-branch-specific Tivoli Policy Director for Operating Systems information that this machine is configured to use. Do not specify this option if other Tivoli Policy Director for Operating Systems machines are configured under that policy branch, because it would make the other machines inoperable. If additional policy has been added under that policy branch, you might need to remove it manually.
   Values: on | off; Default: off

–rspfile file_name
   Contains values that are used in the unconfiguration process.
   Values: The file must be provided.

–sec_master_pwd password
   The security master password used to unregister with Tivoli Policy Director.

–usage
   Displays help on the command’s usage.

–version
   Displays the version of the pdosucfg utility.

–?
   Displays help on the command’s usage.


Migrating from Tivoli Access Control Facility

This section describes how you can transfer existing resource protection from an existing Tivoli Access Control Facility environment to a Tivoli Policy Director for Operating Systems environment. If you do not have an existing Tivoli Access Control Facility environment, the information in this section is not applicable to you.

Note: If you have been managing Tivoli Access Control Facility using Tivoli Security Manager, refer to the migration section of the Tivoli Security Manager User’s Guide in addition to the information provided in this chapter.

This chapter includes information about:

¶ Overview of the migration process

¶ Planning to migrate to Tivoli Policy Director for Operating Systems

¶ Migration process

¶ Translation utility

¶ ACL permissions and namespace

¶ Script mapping

Overview of the Migration Process
The migration process occurs after Tivoli Policy Director for Operating Systems has been installed and configured, but before Tivoli Policy Director for Operating Systems is started. The focus of the migration process is defining users from a Tivoli Access Control Facility database as Tivoli Policy Director users and then redefining Tivoli Access Control Facility protection in terms of Tivoli Policy Director for Operating Systems namespace entries, access control lists (ACLs), and protected object policies (POPs). The migration process involves translating Tivoli Access Control Facility scripts to Tivoli Policy Director pdadmin scripts by translating Tivoli Access Control Facility commands to Tivoli Policy Director for Operating Systems commands. See Figure 4 on page 72.


Figure 4. Initial Population of PDOS Data

Planning to Migrate to Tivoli Policy Director for Operating Systems

Considerations as you plan to migrate to Tivoli Policy Director for Operating Systems include:

¶ The differences between the Tivoli Access Control Facility noninheritance ACL model and the Tivoli Policy Director inheritance ACL model

¶ The differences between distributed policy and centralized policy

Inherited and Noninherited ACL Models
Tivoli Access Control Facility uses a noninherited ACL model, and Tivoli Policy Director for Operating Systems uses an inherited ACL model. Before migrating to Tivoli Policy Director for Operating Systems, carefully consider and plan the effects of migrating to an inherited model. Review your current Tivoli Access Control Facility protection scheme in terms of an inherited model implementation. After review, make updates before translating the protection to Tivoli Policy Director for Operating Systems.

Because Tivoli Access Control Facility uses a noninherited ACL model, an ACL placed on a directory does not apply to any contained files or subdirectories. Tivoli Access Control Facility administrators might be familiar with implementing a protection scheme that simulates inheritance. For example, an administrator can place restrictive default access on top-level directories such as /proj and then grant specific access to files for users and groups:

editres FILE ("/proj") defaccess(READ CHDIR)

editres FILE ("/proj/*") defaccess(READ CHDIR)

editres FILE ("/proj/projA/designs/projahld") comment (’Projecta Design’) defaccess (READ) owner (’projalead’)

authorize FILE ("/proj/projA/designs/projahld") access(READ WRITE CREATE DELETE...) gid(’engineers’)


Tivoli Policy Director for Operating Systems uses the Tivoli Policy Director ACL inheritance model. In the example, the ACL on ″/proj/*″ becomes redundant because an ACL containing READ and CHDIR permissions on ″/proj″ is sufficient. A similar Tivoli Policy Director for Operating Systems policy for /projects and /proj/proja/designs/projahld can be constructed with the following Tivoli Policy Director pdadmin commands:

object create "/OSSEAL/mypolicy/File/proj" "" 0 ispolicyattachable yes

acl create proj_acl

acl attach "/OSSEAL/mypolicy/File/proj" proj_acl

acl modify proj_acl set any-other "T[OSSEAL]rlD"

acl modify proj_acl set unauthenticated "T[OSSEAL]rlD"

object create "/OSSEAL/mypolicy/File/proj/projA/designs/projahld" "" 0 ispolicyattachable yes

object modify "/OSSEAL/mypolicy/File/proj/projA/designs/projahld" set description "Projecta Design"

acl create projA_projahld_acl

acl attach "/OSSEAL/mypolicy/File/proj/projA/designs/projahld" projA_projahld_acl

acl modify projA_projahld_acl set user "projalead" "T[OSSEAL]cabvm"

acl modify projA_projahld_acl set any-other "T[OSSEAL]rl"

acl modify projA_projahld_acl set unauthenticated "T[OSSEAL]rl"

acl modify projA_projahld_acl set group "engineers" "T[OSSEAL]drlwN...

In the Tivoli Access Control Facility representation, note that if the resource for ″/proj/*″ is not specified, the directory /proj/projA/designs/ would not have an associated ACL. In the Tivoli Policy Director for Operating Systems representation, /proj/projA/designs/ and all of its subdirectories have an effective ACL of T[OSSEAL]rlD for the Tivoli Policy Director users ″any-other″ and ″unauthenticated.″
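The difference between the two models can be seen by computing the effective access for a path under each. The following Python is an added example, not from the guide or the product: it models the /proj example above, with Tivoli Access Control Facility resources looked up without inheritance (only an exact FILE resource or a matching wildcard such as /proj/* applies) and Tivoli Policy Director for Operating Systems objects inheriting the nearest attached ACL. The permission strings are the ones shown on the page, the sample resource and ACL tables are constructed from the commands above, and the /OSSEAL/mypolicy/File object-space prefix is assumed. The redundant_wildcards helper is this example's own way of flagging the /proj/* entry the text calls redundant.

```python
"""Effective access under noninherited (ACF) and inherited (PDOS) models.

Added example; not part of the Tivoli guide or product. Samples are
constructed from the /proj example in the guide.
"""
import fnmatch
from typing import Dict, List, Optional

POLICY_ROOT = "/OSSEAL/mypolicy/File"  # assumed object-space prefix

# Constructed sample: default access of the editres FILE resources above
ACF_RESOURCES: Dict[str, str] = {
    "/proj": "READ CHDIR",
    "/proj/*": "READ CHDIR",
    "/proj/projA/designs/projahld": "READ",
}

# Constructed sample: any-other entries of the ACLs attached by pdadmin above
PD_ACLS: Dict[str, str] = {
    POLICY_ROOT + "/proj": "T[OSSEAL]rlD",
    POLICY_ROOT + "/proj/projA/designs/projahld": "T[OSSEAL]rl",
}


def acf_effective(path: str, resources: Dict[str, str]) -> Optional[str]:
    """Noninherited model: an exact resource wins; otherwise a wildcard
    resource that matches the path itself applies. Parent directories
    never contribute, so an unmatched path has no ACL at all (None)."""
    path = path.rstrip("/") or "/"
    if path in resources:
        return resources[path]
    for pattern, access in resources.items():
        if "*" in pattern and fnmatch.fnmatchcase(path, pattern):
            return access
    return None


def pd_effective(path: str, attached: Dict[str, str]) -> Optional[str]:
    """Inherited model: start at the object for the path and walk up the
    object space to the policy root, using the nearest attached ACL."""
    obj = POLICY_ROOT + path.rstrip("/")
    while True:
        if obj in attached:
            return attached[obj]
        if obj == POLICY_ROOT:
            return None
        obj = obj.rsplit("/", 1)[0]


def redundant_wildcards(resources: Dict[str, str]) -> List[str]:
    """Wildcard resources whose access equals that of the enclosing
    directory: under the inherited model the directory ACL already
    covers everything below it, so these entries carry nothing over."""
    redundant = []
    for pattern in resources:
        if pattern.endswith("/*"):
            parent = pattern[:-2]
            if resources.get(parent) == resources[pattern]:
                redundant.append(pattern)
    return redundant


if __name__ == "__main__":
    for p in ("/proj/projA/designs/", "/proj/projA/designs/projahld", "/etc/passwd"):
        print(p, "ACF:", acf_effective(p, ACF_RESOURCES), "PDOS:", pd_effective(p, PD_ACLS))
    print("redundant under inheritance:", redundant_wildcards(ACF_RESOURCES))
```

Running the lookup for every path in the existing database, once with and once without each wildcard resource, is a quick way to find the places where dropping a simulated-inheritance entry would widen or narrow access after the migration.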

Centralized and Distributed Policy
A multi-Tivoli Access Control Facility system environment is an instance of a distributed policy model. Tivoli Policy Director for Operating Systems is an instance of a centralized policy model.

In a multi-Tivoli Access Control Facility system environment, each Tivoli Access Control Facility system is self-contained. Each system maintains its own user and group registry and its own protection policy. Without the use of a centralized management tool such as Tivoli Security Manager, consistency across the environment cannot be guaranteed. For example, one system might grant READ and WRITE permissions to a file for a given user name, while another system might grant READ, WRITE, and DELETE permissions to the same file for the same user name. Further complications and inconsistencies can exist if the user name does not actually refer to the same person.

Tivoli Policy Director for Operating Systems provides a centralized policy model. User, group, and policy information (Tivoli Policy Director Users, Group, Objects, ACLs, and POPs) is held in centralized databases for multiple systems. ACLs are defined and attached to a protected object. An ACL that protects the /etc/passwd file is defined once and then interpreted by all subscribing Tivoli Policy Director for Operating Systems clients. ACLs apply to only those Tivoli Policy Director for Operating Systems clients that subscribe to the policy branch containing the protected object.

Before migrating to a centralized environment, review the systems in the domain for any collisions and inconsistencies. When these issues have been resolved, target a single system as the ″model,″ and then use this system to populate the Tivoli Policy Director databases. Note, however, that if a centralized management scheme is used, there is a high collision factor because all Tivoli Access Control Facility systems define the same resources with similar protection. For example, all Tivoli Access Control Facility systems can contain a FILE resource for /etc/passwd in the Tivoli Access Control Facility database. Because a centralized management tool is used, the inconsistencies for these resources across the domain are minimal. In this case, any machine in the domain can be selected as the ″model.″

Migration Process

Migration to Tivoli Policy Director for Operating Systems involves several pre-migration tasks and then the actual migration.

Pre-migration Tasks

Before migrating workstations from Tivoli Access Control Facility to Tivoli Policy Director for Operating Systems, complete these tasks:

¶ Install and configure Tivoli Policy Director Server. Make the server available to Tivoli Policy Director for Operating Systems clients.

¶ If Tivoli Policy Director for Operating Systems is to be managed with Tivoli Security Manager:

v Install Tivoli Security Manager and determine the Tivoli Policy Director policy branch name configuration.

v Ensure that the Tivoli Policy Director for Operating Systems client and prerequisites are installed. Do not start Tivoli Policy Director for Operating Systems.

Note: Policy branch name configuration information is used during the Tivoli Policy Director for Operating Systems configuration step.

¶ Resolve effects of migrating to an inheritance ACL model. Determine the Tivoli Access Control Facility "model" system for migrating to a centralized policy system.

Migration Steps

Use these steps to migrate from Tivoli Access Control Facility to Tivoli Policy Director for Operating Systems:

1. Select a Tivoli Access Control Facility "model" machine.

2. Disable Tivoli Access Control Facility autostart on bootup.

AIX: Remove any Tivoli Access Control Facility entries from /etc/inittab:
seos:2:once:/usr/seos/rc/SeOS.base
selogrd:2:respawn:/usr/seos/bin/selogrd >/dev/console 2>&1
selogrcd:2:respawn:/usr/seos/bin/selogrcd >/dev/console 2>&1

HP-UX: Remove any SeOS startup files from the /etc/rc*.d directories.

Solaris: Remove any SeOS startup files from the /etc/rc2.d directory.

3. Create the Tivoli Access Control Facility database source script. Run the Tivoli Access Control Facility sedb2scr utility to save the Tivoli Access Control Facility database to a script format:
# /usr/seos/bin/sedb2scr -r > /outdirectory/sedb2scr.out

If Tivoli Access Control Facility has been stopped, sedb2scr can be run in a local mode:
# cd /usr/seos/seosdb
# /usr/seos/bin/sedb2scr -1 > /outdirectory/sedb2scr.out

where /outdirectory is a directory that is large enough to contain the output file. The size of the output file depends on the number of Tivoli Access Control Facility database entries. For some systems, such as Solaris, the /tmp directory should not be used because it could be automatically purged when the system is rebooted.

4. Save the Tivoli Access Control Facility *.ini file. Tivoli Access Control Facility login and password policy information is located in the /var/TACF_install-dir/seos.ini file.
# cp /var/TACF_install-dir/seos.ini /outdirectory

5. Stop the Tivoli Access Control Facility daemons and reboot the system:
# secons -s

AIX:
# shutdown -Fr

HP-UX:
# shutdown -r -y 10

Solaris:
# /usr/sbin/shutdown -y -g 10 -i6

6. Install and configure Tivoli Policy Director for Operating Systems. Do not start Tivoli Policy Director for Operating Systems.

a. If you are installing using Tivoli Security Manager, refer to "Installing Using the Tivoli Desktop" on page 23.

b. If the Tivoli Policy Director for Operating Systems client is to be configured as part of a Tivoli Security Manager-managed environment, use the appropriate policy branch name defined during Tivoli Security Manager installation for the Tivoli Policy Director for Operating Systems policy branch name. For example:
pdoscfg -branch policy-branch

Otherwise, see Chapter 2, "Planning to Install" on page 9 for determining policy branch name and LDAP suffix information.

7. Populate the Tivoli Policy Director user registry with the Tivoli Access Control Facility user registry.

¶ Use the Tivoli Policy Director for Operating Systems se2pdos utility to translate Tivoli Access Control Facility users and groups to Tivoli Policy Director users and groups. See Chapter 2, "Planning to Install" on page 9 for determining policy branch name and LDAP suffix information.

¶ Create a Tivoli Policy Director script that will create Tivoli Policy Director users and groups:
# cd /outdirectory
# se2pdos -i -u "suffix" -p policy-branch -nr < sedb2scr.out > pdosusers.pd

¶ Use a text editor to verify the output of the result:
# vi pdosusers.pd

¶ Input the PDOS user and group information to Tivoli Policy Director using the pdadmin utility:
# pdadmin -a sec_master -p sec_master_password < pdosusers.pd

8. Populate the Tivoli Policy Director security policy.

Note: This step is for non-Tivoli Security Manager environments. If you are using a Tivoli Security Manager-managed environment, populate the policy using the Tivoli Security Manager profile distributions.

# cd /outdirectory
# se2pdos -i -p policy-branch -na < sedb2scr.out > pdospolicy.pd

a. Use a text editor to verify the output of the result:
# vi pdospolicy.pd

b. Input the Tivoli Policy Director for Operating Systems policy to Tivoli Policy Director using the pdadmin utility:
# pdadmin -a sec_master -p sec_master_password < pdospolicy.pd

c. Input login and password policy to Tivoli Policy Director using the pdadmin utility. Use this table to match Tivoli Policy Director extended attribute names with the appropriate value from the [server] stanza in the /outdirectory/seos.ini file.

Table 13. Tivoli Policy Director Extended Attribute Names and TACF Values

Tivoli Policy Director Extended Attribute Name    TACF /var/TACF/seos.ini Value
Login-LockMinutes                                 def_disable_time
Login-MaxFailedLogins                             def_fail_count
Login-LoginMinutes                                def_diff_time
Login-MaxGraceLogins                              def_fail_count

Set each attribute with the value taken from seos.ini in place of the "0" shown here:

# pdadmin -a sec_master -p sec_master_password
pdadmin> object modify /OSSEAL/policy-branch/Login \
set attribute "Login-MinPasswordDays" "0"
pdadmin> object modify /OSSEAL/policy-branch/Login \
set attribute "Login-MaxPasswordDays" "0"
pdadmin> object modify /OSSEAL/policy-branch/Login \
set attribute "Login-MaxInactiveDays" "0"
pdadmin> object modify /OSSEAL/policy-branch/Login \
set attribute "Login-MaxFailedLogins" "0"
pdadmin> object modify /OSSEAL/policy-branch/Login \
set attribute "Login-MaxGraceLogins" "0"
pdadmin> object modify /OSSEAL/policy-branch/Login \
set attribute "Login-LockMinutes" "0"
pdadmin> object modify /OSSEAL/policy-branch/Login \
set attribute "Login-LoginMinutes" "0"

9. Restore the system, start Tivoli Policy Director for Operating Systems, and verify the migration.

a. HP-UX only:

1) Verify that the Tivoli Access Control Facility drivers are not configured using this command:
kminstall -d SEOS

2) Verify that SEOS is not present using this command:
kmadmin -s SEOS

No information should appear for SEOS.

b. Restore autostart:
# pdoscfg -autostart on

c. Start Tivoli Policy Director for Operating Systems:
# rc.osseal start

d. After policy migration is completed, verify the resulting policy behavior with the Tivoli Policy Director for Operating Systems audit and warning mode capabilities before placing the policy into production.

10. Uninstall Tivoli Access Control Facility.

If you are in a Tivoli Security Manager endpoint environment, not a managed node, use the wuninstalltacf utility to remove Tivoli Access Control Facility. Information on wuninstalltacf can be found in the Tivoli SecureWay Security Manager User's Guide and Tivoli SecureWay Security Manager Release Notes. Alternately, you can also remove the contents of the Tivoli Access Control Facility product directory:
# rm -fr /var/TACF

se2pdos Translation Utility

This section describes the translation utility se2pdos. Most command line parameters are optional. If you are translating users or groups, the suffix must be specified. If no input file is specified, stdin is assumed.

Usage

se2pdos [-f input_file] [-o output_file] [-e error_file] [-na] [-nc] [-nr] [-s] [-w {0|1|2}] [-i] [-1] [-p branch] [-g "suffix"] [-u "suffix"] [-?] [-h] [-V]

Options

Table 14. se2pdos Translation Utility Options

Option          Description                                                                 Default
-f input_file   Input file                                                                  stdin
-o output_file  Output file                                                                 stdout
-e error_file   Error/warning log                                                           Comments in translation output
-nc             Do not create objects and templates for resources created with editres      Create objects and templates for editres or editfile
                or editfile commands
-nr             Do not translate resource commands                                          Process resource commands
-na             Do not translate registry commands (accessors)                              Process registry commands
-p branch       Tivoli Policy Director for Operating Systems policy branch name             Value in osseal.conf; "default" if not set
-s              Separate registry items from resource items                                 Do not separate items (ignored for either -na or -nr)
-w #            Warning level:                                                              Warning level 1
                0 = Suppress all warnings
                1 = Report possible semantic differences
                2 = Report nonapplicable items
-i              Interlace original script                                                   Do not interlace
-1              Translate each line independently                                           Translate after entire script has been read
-g suffix       Suffix for groups (required unless -na or -u is specified)                  -u value (if specified; otherwise, no default)
-u suffix       Suffix for users (required unless -na or -g is specified)                   -g value (if specified; otherwise, no default)
-?              Usage                                                                       n/a
-V              Version                                                                     n/a

Examples

This section contains some examples of how to use the translation utility. In the examples, the output of the Tivoli Access Control Facility command is a file named sedb2scr.out. The LDAP suffixes that are referenced have been created.

Populate a Tivoli Policy Director Registry

To generate a series of commands that will initially populate a Tivoli Policy Director registry with Tivoli Access Control Facility users and groups, type the following commands at the command line:
se2pdos -nr -s -u "ou=users, o=IBM, c=US" -g "ou=groups, o=IBM, c=US" \
-f sedb2scr.out -o se2pdos.out
pdadmin -a sec_master -p password < se2pdos.out

The -s option is used to ensure that the user commands are generated before the group commands.

If the group suffix is not specified or is the same as the user suffix, then the group DN is appended with "group." For example, given
editgrp ("mygroup") name('My group') owner('root')

then
se2pdos -u "o=IBM,c=US" -f mygroup.se

will yield
group create mygroup "cn=mygroup group, o=IBM,c=US" "mygroup"
group modify mygroup description "My group"

The group DN is modified to prevent name collisions between similarly named users and groups.

Populate Tivoli Policy Director Policy Information

To generate a series of commands that will populate Tivoli Policy Director policy information, type the following commands at the command line:
se2pdos -na -i -f sedb2scr.out -o se2pdos.out
pdadmin -a sec_master -p password < se2pdos.out

Using the -i option with the se2pdos command interlaces the Tivoli Access Control Facility commands with the Tivoli Policy Director for Operating Systems commands so that the result can be inspected and modified, if needed, before applying it to pdadmin.

Migrating Tivoli Access Control Facility Shell Scripts

To generate the Tivoli Policy Director for Operating Systems equivalent of a Tivoli Access Control Facility shell script named kevinc.se, type the following at the command line:
se2pdos -1 -f kevinc.se -o kevinc.pdos -u "ou=users, o=IBM, c=us"

where the kevinc.se script is used to create a user and define policy for that user on a file named /home/kevinc/filea. The -1 option is recommended when translating shell scripts. The kevinc.se script might consist of the following:
editusr ("kevinc") restrictions (days(AnyDay) time(AnyTime)) name('Kevin Cee') \
grace(1) audit(FAILURE LOGINFAILURE)
chusr ("kevinc") owner('root')
join ("kevinc") group('staff')
newres FILE ("/home/kevinc/filea") audit(FAILURE) defaccess(NONE) uid('kevinc')
authorize FILE ("/home/kevinc/filea") audit(FAILURE) access(ALL) uid('kevinc')
authorize FILE ("/home/kevinc/filea") audit(FAILURE) access(ALL) uid('root')

ACL Permissions and Namespace

Tivoli Access Control Facility classes and permissions map to Tivoli Policy Director for Operating Systems policy and permissions.

Permissions for the Tivoli Access Control Facility _default resource are mapped to the Tivoli Policy Director for Operating Systems namespace root. For example, newres class("_default") defaccess(READ) results in an entry of a T[OSSEAL]r permission for any-other and unauthenticated for the /OSSEAL/policy-branch/class root. The Tivoli Policy Director base permission T (traverse) is added to all permission translations.

Because the permissions for the File class root are not inherited, there is no translation for the Tivoli Access Control Facility FILE _default resource.

Table 15. CONNECT Resource and Permission Equivalents
TSSM/TACF Resource/Class: CONNECT

TACF Permission    PDOS Resource Namespace    PDOS Permission
all/read           NetOutgoing                C
none               NetOutgoing                None

Table 16. FILE Resource and Permission Equivalents
TSSM/TACF Resource/Class: FILE

TACF Permission                                                          PDOS Resource Namespace    PDOS Permission
all (r, w, x, create, del, chown, chmod, utime, sec, rename, chdir)      File                       r, l, w, x, N, d, p, o, u, c, R, D
alter (r, w, x, create, del, chown, chmod, utime, sec, rename, chdir)    File                       r, l, w, x, N, d, p, o, u, c, R, D
chdir                                                                    File                       D
chmod                                                                    File                       p
chown                                                                    File                       o
control                                                                  File                       r, l, w, x, o, p, u, c, D
create                                                                   File                       N
delete                                                                   File                       d
none                                                                     File                       None
read                                                                     File                       l, r
rename                                                                   File                       R
sec (Change ACL in TSSM)                                                 File                       p
update (r, w, x)                                                         File                       l, r, w, x
utime                                                                    File                       u
write                                                                    File                       w
execute                                                                  File                       x

Table 17. GRPSURROGATE = SURROGATE PDOS Resource and Permission Equivalents
TSSM/TACF Resource/Class: GRPSURROGATE = SURROGATE ("GROUP.groupname")

TACF Permission    PDOS Resource Namespace    PDOS Permission
all/read           Surrogate/Group            G
none               Surrogate/Group            None

Table 18. HOLIDAY Resource and Permission Equivalents
TSSM/TACF Resource/Class: HOLIDAY

TACF Permission    PDOS Resource Namespace    PDOS Permission
all/read           Login/Holidays             L
none               Login/Holidays             None

Table 19. PROCESS PDOS Resource and Permission Equivalents
TSSM/TACF Resource/Class: PROCESS

TACF Permission    PDOS Resource Namespace    PDOS Permission
all/read           File                       K
none               File                       None

Table 20. PROGRAM PDOS Resource and Permission Equivalents
TSSM/TACF Resource/Class: PROGRAM

TACF Permission     PDOS Resource Namespace    PDOS Permission
read                File                       r
none                File                       None
Trusted resource    TCB/Secure-Programs        namespace entry only

Table 21. SECFILE PDOS Resource and Permission Equivalents
TSSM/TACF Resource/Class: SECFILE

TACF Permission        PDOS Resource Namespace    PDOS Permission
Trusted resource       TCB/Secure-Files           namespace entry only
SE FILE permissions    File                       PDOS File class permissions

Table 22. SUDO PDOS Resource and Permission Equivalents
TSSM/TACF Resource/Class: SUDO

TACF Permission    PDOS Resource Namespace                                                               PDOS Permission
all/execute        Sudo/sudo-command, Sudo/sudo-command/Permitted, Sudo/sudo-command/Prohibited         x
none               Sudo/sudo-command                                                                     None

Table 23. SURROGATE PDOS Resource and Permission Equivalents
TSSM/TACF Resource/Class: SURROGATE ("USER.username")

TACF Permission    PDOS Resource Namespace    PDOS Permission
all/read           Surrogate/User             G
none               Surrogate/User             None

Table 24. TCP PDOS Resource and Permission Equivalents
TSSM/TACF Resource/Class: TCP

TACF Permission      PDOS Resource Namespace    PDOS Permission
all, read, write     NetIncoming                C
none                 NetIncoming                None

Table 25. TERMINAL PDOS Resource and Permission Equivalents
TSSM/TACF Resource/Class: TERMINAL

TACF Permission      PDOS Resource Namespace                                                                     PDOS Permission
all, read, write     Login/Terminal/Local/Default/<terminal> or Login/Terminal/Remote/Default/<terminal>         L
none                 Login/Terminal/Local/Default/<terminal> or Login/Terminal/Remote/Default/<terminal>         None

Table 26. GTERMINAL PDOS Resource and Permission Equivalents
TSSM/TACF Resource/Class: GTERMINAL

TACF Permission      PDOS Resource Namespace                                                                               PDOS Permission
all, read, write     Login/Terminal/Local/<group name>/<terminal> or Login/Terminal/Remote/<group name>/<terminal>         L
none                 Login/Terminal/Local/<group name>/<terminal> or Login/Terminal/Remote/<group name>/<terminal>         None

Script Mapping

Tivoli Access Control Facility is a resource authorization-based model. Resources and accessors are defined separately and are then joined with a set of permissions. Tivoli Policy Director for Operating Systems protection is achieved by binding collections (ACL templates) of accessors (registry objects with permissions) to one or more system resources.

Many Tivoli Access Control Facility selang commands have equivalents in Tivoli Policy Director for Operating Systems pdadmin commands. For some selang commands, there are no pdadmin equivalents. The following table gives the commands with equivalents.

Table 27. TACF and PDOS Equivalent Commands

selang Command                  pdadmin Translation
authorize/authorize-            acl modify
    access()                        attach
    uid()                           set user
    gid()                           set group
    via(pgm())                      acl modify set attribute Access-Restrictions "accessor:actions:filespec1,...filespecn"
newfile/chfile/editfile         object create; acl create
    defaccess()                     acl modify any-other; acl modify unauthenticated
    comment()                       object modify description
    audit()                         pop create; pop modify set audit-level all | none | {permit, deny, admin}; pop attach
    warning                         pop create; pop modify set warning on | off; pop attach
    restrictions()                  pop create; pop modify set tod-access on | off; pop attach
newgrp/chgrp/editgrp            group create
    comment()                       group modify description
    restrictions                    pop create; pop modify set tod-access on | off; pop attach
newres/chres/editres            acl create
    defaccess()                     acl modify any-other; acl modify unauthenticated
    comment()                       object modify description
    comment() (SUDO only)           object modify set attribute Sudo-Command; object modify set attribute Sudo-Target-User; object modify set attribute Sudo-Password; object modify set attribute Sudo-Arguments
    audit()                         pop create; pop modify set audit-level all | none | {permit, deny, admin}; pop attach
    warning                         pop create; pop modify set warning on | off; pop attach
    restrictions()                  pop create; pop modify set tod-access on | off; pop attach
    dates() (HOLIDAY only)          object create; object modify set attribute Holiday-Dates
    targuid                         object create; object modify set attribute Sudo-Target-User user
    trust                           object create TCB entry
newusr/chusr/editusr            user create
    password()                      user modify password
    comment()                       user modify description
    restrictions()                  policy set tod-access -user
join                            group modify add
join-                           group modify remove
rmfile                          acl delete; object delete
rmgroup                         group delete
rmres                           acl delete; object delete
rmusr                           user delete
setoptions inactive()           object modify /OSSEAL/policy-branch/Login set attribute Login-MaxInactiveDays
showfile                        acl show; object show
showgrp                         group show
showres                         object show
showusr                         user show

Tivoli Access Control Facility commands that have no Tivoli Policy Director for Operating Systems equivalent include:
allow/allow-
chlogin/editlogin
newappl/chappl/editappl
environment
find
help
history
hosts
newlogin
rmappl
rmlogin
ruler
setoptions
showappl
source

The Tivoli Access Control Facility commands alias, unalias, and source are supported by the se2pdos utility.
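To make the FILE rows of Table 16 and the newres/authorize rows of Table 27 concrete, here is an added example that performs that part of the translation on the kevinc.se script shown under "Migrating Tivoli Access Control Facility Shell Scripts". It is not the se2pdos utility and its output is not se2pdos output: it maps each TACF FILE permission to the PDOS File permission characters of Table 16, prepends the T (traverse) base permission as the page states, maps defaccess() to any-other and unauthenticated, and emits pdadmin commands in the shape of Table 27. The user and group commands of the script are outside its scope. The "mig-" ACL naming, the object description and the argument order of the object create command are assumptions made for this example.

```python
"""Illustrative selang-to-pdadmin translation for FILE rules (added example;
not se2pdos, and not se2pdos output)."""
import re

# Table 16: TACF FILE permission -> PDOS File permission characters.
FILE_PERMS = {
    "all": "rlwxNdpoucRD", "alter": "rlwxNdpoucRD",
    "control": "rlwxopucD", "update": "lrwx", "read": "lr",
    "write": "w", "execute": "x", "create": "N", "delete": "d",
    "chdir": "D", "chmod": "p", "chown": "o", "rename": "R",
    "utime": "u", "sec": "p", "none": "",
}
ORDER = "rlwxNdpoucRD"   # canonical order for the emitted action string

# The kevinc.se script from the page, embedded as this example's input.
KEVINC_SE = """\
editusr ("kevinc") restrictions (days(AnyDay) time(AnyTime)) name('Kevin Cee') \\
grace(1) audit(FAILURE LOGINFAILURE)
chusr ("kevinc") owner('root')
join ("kevinc") group('staff')
newres FILE ("/home/kevinc/filea") audit(FAILURE) defaccess(NONE) uid('kevinc')
authorize FILE ("/home/kevinc/filea") audit(FAILURE) access(ALL) uid('kevinc')
authorize FILE ("/home/kevinc/filea") audit(FAILURE) access(ALL) uid('root')
"""

NEWRES_RE = re.compile(r'^newres\s+FILE\s*\("(?P<res>[^"]+)"\)(?P<rest>.*)$', re.M)
AUTH_RE = re.compile(
    r'^authorize\s+FILE\s*\("(?P<res>[^"]+)"\).*?access\((?P<acc>[^)]*)\)'
    r".*?(?P<kind>uid|gid)\('(?P<name>[^']+)'\)", re.M)


def to_pdos_perms(access):
    """Translate a TACF access() list such as 'READ,WRITE' into a PDOS action
    string.  T is always present; an unknown permission raises rather than
    being silently dropped, so a bad rule never becomes a weaker one."""
    chars = set()
    for token in access.split(","):
        token = token.strip().lower()
        if token not in FILE_PERMS:
            raise ValueError(f"unknown TACF FILE permission: {token}")
        chars.update(FILE_PERMS[token])
    actions = "".join(c for c in ORDER if c in chars)
    return "T" + (f"[OSSEAL]{actions}" if actions else "")


def translate(script, branch="default"):
    """Return the pdadmin commands for the FILE rules in a selang script."""
    cmds, acls = [], {}
    for m in NEWRES_RE.finditer(script):
        res = m["res"]
        acl = "mig-" + res.strip("/").replace("/", "-")   # assumed ACL naming
        acls[res] = acl
        cmds.append(f"acl create {acl}")
        default = re.search(r"defaccess\(([^)]*)\)", m["rest"])
        if default:   # Table 27: defaccess() -> any-other and unauthenticated
            perms = to_pdos_perms(default.group(1))
            cmds.append(f"acl modify {acl} set any-other {perms}")
            cmds.append(f"acl modify {acl} set unauthenticated {perms}")
        obj = f"/OSSEAL/{branch}/File{res}"
        # object create argument order is assumed for the example
        cmds.append(f'object create {obj} "migrated from TACF" 0 ispolicyattachable yes')
        cmds.append(f"acl attach {obj} {acl}")
    for m in AUTH_RE.finditer(script):
        if m["res"] not in acls:
            raise ValueError(f"authorize for a resource with no newres: {m['res']}")
        who = "user" if m["kind"] == "uid" else "group"
        cmds.append(f"acl modify {acls[m['res']]} set {who} {m['name']} "
                    f"{to_pdos_perms(m['acc'])}")
    return cmds


if __name__ == "__main__":
    print("\n".join(translate(KEVINC_SE, branch="policy-branch")))
```

For the kevinc.se input the script produces one acl create, the two defaccess(NONE) entries carrying only T, the object create and acl attach for /OSSEAL/policy-branch/File/home/kevinc/filea, and the two access(ALL) entries as T[OSSEAL]rlwxNdpoucRD. As with se2pdos output, read the generated commands before feeding them to pdadmin.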


Index

Special Characters
/OSSEAL 10

A
ACL permissions, migration 79
Admintool, installing on Solaris 20
AIX
    installing 15
    installing from command line 17
    language support 6
    prerequisites 9
    uninstalling 59
    uninstalling from command line 60
attributes
    response file for configuration 46
    response file for unconfiguration 57
autostarting, PDOS 51

B
books
    feedback viii
    online viii
    ordering viii

C
centralized policy, migration 73
command
    pdoscfg 39
    pdosteccfg 49
    pdostecucfg 53
    pdosucfg 55
configuration
    creating a response file 45
    options 41, 65
    using a response file 46
configuration on command line, PDOS 45
configuration options, PDOS 41, 65
configuration using response file, PDOS 45
configuring, PDOS 39
creating a response file
    configuration 45
    unconfiguration 57
Customer Support ix

D
directory names, notation x
distributed policy, migration 73

E
e-mail contact ix
Easy Install, installing 14
environment variables, notation x
examples, translation utility 78

F
features, PDOS 1
feedback about publications ix

H
hardware requirements 9
HP-UX
    installing 17
    installing from command line 19
    language support 7
    prerequisites 9
    uninstalling 60
    uninstalling from command line 61

I
inherited ACL model, migration 72
installing
    AIX 15
    HP-UX 17
    Linux 22
    Solaris 19
    tasks in Tivoli Security Manager 35
    Tivoli Enterprise Console Integration 36
    using Easy Install 14
    using Tivoli Security Manager 23
installing from command line
    AIX 17
    HP-UX 19
    Linux 22
    Solaris 21
installing on AIX, SMIT 15
installing on HP-UX, swinstall 18
installing on Solaris, Admintool 20

L
language support
    AIX 6
    HP-UX 7
    Linux 8
    Solaris 7
Linux
    installing 22
    installing from command line 22
    language support 8
    prerequisites 9
    uninstalling 62
    uninstalling from command line 62

M
manuals
    feedback viii
    online viii
    ordering viii
mapping command line options to attributes
    response file for configuration 46
    response file for unconfiguration 57
migration
    ACL permissions 79
    centralized policy 73
    distributed policy 73
    inherited ACL model 72
    migration steps 74
    namespace 79
    noninherited ACL model 72
    overview 71
    PDOS 9, 12, 37, 71
    planning 72
    pre-migration tasks 74
    process 74
    script mapping 82
    se2pdos 77
    translation utility 77

N
namespace, migration 79
noninherited ACL model, migration 72
notation
    environment variables x
    path names x
    typeface x

O
online publications ix
options
    configuration 41, 65
    se2pdos 77
    translation utility 77
    unconfiguration 56, 69
ordering publications ix

P
path names, notation x
PDOS
    autostarting 51
    configuration on command line 45
    configuration options 41, 65
    configuration using response file 45
    configuring 39
    features 1
    how it works 2
    migration 9, 71
    package contents 2
    planning configuration 39
    planning to install 9
    planning to unconfigure 55
    running 52
    starting 51
    starting from command line 51
    stopping 52
    unconfiguration 55
    unconfiguration options 56, 69
    uninstalling 59
    upgrading 12, 37
    usage of configuration command options 40
    usage of unconfiguration command options 55
pdoscfg command 39
pdosteccfg command 49
PDOSTECD daemon
    configuring 49
    starting 52
    stopping 52
    unconfiguring 53
pdostecucfg command 53
pdosucfg command 55
planning migration 72
policy branch 10
pre-migration tasks 74
prerequisites
    AIX 9
    hardware 9
    HP-UX 9
    Linux 9
    Solaris 9
publications
    feedback viii
    online viii
    ordering viii

R
response file
    creating a response file 45, 57
    using a response file 46, 57
response file for configuration
    attributes 46
    mapping command line options to attributes 46
response file for unconfiguration
    attributes 57
    mapping command line options to attributes 57
running, PDOS 52

S
script mapping, migration 82
se2pdos
    migration 77
    options 77
SMIT
    installing on AIX 15
    uninstalling on AIX 59
software requirements 9
Solaris
    installing 19
    installing from command line 21
    language support 7
    prerequisites 9
    uninstalling 61
    uninstalling from command line 62
starting
    PDOS 51
    Policy Director for Operating Systems 51
starting from command line
    PDOS 51
    Policy Director for Operating Systems 51
stopping, PDOS 52
swinstall, installing on HP-UX 18
syntax, translation utility 77

T
Tivoli Access Control Facility 71
Tivoli Customer Support ix
translation utility
    examples 78
    migration 77
    options 77
    syntax 77
    usage 77

U
unconfiguration
    creating a response file 57
    options 56, 69
    PDOS 55
    using a response file 57
unconfiguration options, PDOS 56, 69
uninstalling
    AIX 59
    HP-UX 60
    Linux 62
    Solaris 61
uninstalling from command line
    AIX 60
    HP-UX 61
    Linux 62
    Solaris 62
uninstalling on AIX, SMIT 59
upgrading, PDOS 12, 37
usage
    configuration command options 40
    translation utility 77
usage of unconfiguration command options, PDOS 55
using a response file
    configuration 46
    response file 46, 57
    unconfiguration 57

V
variables, notation for x

Printed in the United States of America on recycled paper containing 10% recovered post-consumer fiber.

GC32-0796-00