Enrolling and Managing Computers Using the Cloud Client for Linux

The Cloud Client for Linux is a software package you install on Linux computers to provide agent-based authentication for Privileged Access Service users and application-to-application password management (AAPM), so that accounts stored in the Privileged Access Service can authenticate to one another without shared, static passwords.

By installing the Cloud Client for Linux, computer accounts can be used to run services and to check out account passwords that are stored in the Privileged Access Service. This capability enables you to store and rotate managed passwords for application to application authentication without user intervention and eliminates the need for shared administrative passwords to run services.

Additionally, on registered computers with agent-based authentication enabled, visible roles become UNIX groups. Each role has a unique name and GID, so a command such as getent group <rolename> run on a registered computer returns a valid result. If a cloud user is a member of a visible role, for example visiblerole, commands such as groups <cloudusername> or id <cloudusername> list visiblerole among the user's groups.

A role does not need to have any members associated with it to be visible on registered computers.

See also Enabling Client-Based Login and Adding a Role for Client-Based Login.

The Cloud Client for Linux is only available for a limited set of supported platforms. If you are managing computers where the client is supported, you can download the client from the Admin Portal, from the Delinea Download Center, or from the Delinea YUM or APT repository.

To download the Cloud Client for Linux

  1. Click Downloads and review the available features and supported distributions.
  2. Click the appropriate link to download the appropriate software package for a supported platform.

The sections that follow describe how to verify, install, and use the Cloud Client for Linux package.

Verifying a Signed Package

These native packages are signed with a GNU Privacy Guard (GPG) key. If the key is not already installed on the local computer, import it before installing the package so that the package's authenticity can be verified. You can download the RPM-GPG-KEY-centrify file from the Download Center where agent packages are listed. After you download the file, run a command similar to the following to import the key:

rpm --import RPM-GPG-KEY-centrify

After you import the key, run the appropriate package manager command to install the package. Importing the key does not by itself stop a bad package from being installed: rpm -Uvh prints only a NOKEY warning for a package whose signing key is not in the rpm keyring and installs it anyway, and an unsigned package installs with no warning at all. Check the signature explicitly with rpm --checksig <package> before installing, or install through yum or dnf with gpgcheck enabled so that the package manager refuses a package it cannot verify.


Setting Profile Attributes for Clients

The Cloud Client for Linux is a software package you can install on Linux computers to support password management and authentication services for Privileged Access Service users. To support these features, the client has a service user account. The service user requires some additional settings to have a valid profile on the Linux computer where services run or where you are authorizing client-based authentication for access.

To set profile attributes for the client service user:

  1. In the Admin Portal, click Settings > Enrollment to display the settings available for the Privileged Access Service.
  2. Click Linux Settings.
  3. Select a default shell from the list of available shells to use for the client service user.
  4. Specify the template to use for the home directory for the client service user.
  5. Click Save.

Installing the Cloud Client for Linux Package

After you download a Cloud Client for Linux, you can use a native package manager to install the commands, man pages, and sample scripts included in the package. For example, if you downloaded the package that supports Red Hat, CentOS, and Oracle distributions of Linux, you would run a command similar to the following on the Linux computer:

rpm -Uvh CentrifyCC-rhel6.x86_64.rpm

After you install the package using a native package manager, you can find the command line programs and sample scripts in the /usr/bin and /usr/sbin directories. For examples of how you can use the command-line programs in scripts to manage passwords for local or privileged accounts, see the sample scripts included in the /opt/centrify/samples directory.

Perl is required to install the Cloud Client for Linux on Oracle Linux but is not installed there by default. As of Oracle Linux 7.6, install it separately with sudo yum install -y perl.
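The two preceding sections, Verifying a Signed Package and Installing the Cloud Client for Linux Package, leave the actual signature check to the reader. The script below is an added example, not part of the client package or this page: it imports the key, runs rpm --checksig, and refuses to install unless the output shows that a signature (not just the digests) was verified. The key file and package names are the ones used on this page; the function names and the wrapper logic are this example's own. The output strings it matches are the ones rpm prints, "digests signatures OK" on rpm 4.14 and later and forms such as "rsa sha1 (md5) pgp md5 OK" on older releases.

```shell
#!/bin/sh
# Added example (not from the Cloud Client package): verify the GPG signature of
# the downloaded RPM before installing it.
#
# Why the extra check: "rpm -Uvh pkg.rpm" only prints a NOKEY warning for a
# package whose signing key was never imported and still installs it, and
# "rpm --checksig unsigned.rpm" exits 0 with "digests OK" because there is no
# signature to fail. So the output must show that a signature was verified.

# signature_line_ok LINE -> 0 if the rpm --checksig output reports a verified
# signature, 1 otherwise.
signature_line_ok() {
    line=$1
    case "$line" in
        *"NOT OK"*) return 1 ;;        # bad signature, bad digest, or MISSING KEYS
    esac
    case "$line" in
        *OK) ;;                        # must end with OK
        *) return 1 ;;
    esac
    # rpm >= 4.14 prints "digests signatures OK"; older releases print e.g.
    # "rsa sha1 (md5) pgp md5 OK". An unsigned package prints neither word.
    case "$line" in
        *signatures*|*pgp*|*gpg*) return 0 ;;
        *) return 1 ;;
    esac
}

# verify_rpm FILE -> 0 only when FILE carries a signature that rpm verified
# against a key already in the rpm keyring.
verify_rpm() {
    pkg=$1
    out=$(rpm --checksig "$pkg" 2>&1) || { printf '%s\n' "$out" >&2; return 1; }
    if signature_line_ok "$out"; then
        printf 'signature verified: %s\n' "$out"
        return 0
    fi
    printf 'refusing to install, no verified signature: %s\n' "$out" >&2
    return 1
}

# install_client KEYFILE PACKAGE: import the key, verify, then install.
install_client() {
    rpm --import "$1" || return 1
    verify_rpm "$2" || return 1
    rpm -Uvh "$2"
}

# Usage (as root):
#   sh verify_and_install.sh RPM-GPG-KEY-centrify CentrifyCC-rhel6.x86_64.rpm
if [ $# -eq 2 ]; then
    install_client "$1" "$2"
fi
```

Before importing the key file, compare its fingerprint (gpg --show-keys RPM-GPG-KEY-centrify on GnuPG 2.2 or later) with the fingerprint the vendor publishes; rpm --import trusts whatever key it is handed. On hosts that install from the YUM repository instead, the same protection comes from gpgcheck=1 in the repository definition.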

The sections that follow describe the sample scripts and the enrollment process.

Exploring the Sample Scripts

After you install the client package using a native package manager, you can find the command-line programs and sample scripts in the /usr/bin, /usr/sbin, and /opt/centrify/samples directories. The sample scripts in the /opt/centrify/samples directory illustrate some common use-cases for the commands in the client package. For example, there are sample scripts that illustrate how to use the commands in the client package to perform the following tasks:

  • Automate the deployment and registration of virtual machines in an Amazon Web Services (AWS) environment (aws_userdata.sh in the /opt/centrify/samples/orchestration directory).
  • Write a script to access privileged account passwords stored in the Privileged Access Service (mysql.sh and scp.sh in the /opt/centrify/samples/apppassword directory).
  • Write a notification script to automatically add randomly-generated passwords for new local user accounts to the Privileged Access Service (handle_local_accts.cc.sh in the /opt/centrify/samples/localacctmgmt directory).

For more information about copying and modifying the sample scripts, see the README and script file comments in the /opt/centrify/samples directory.

Enrolling a Computer

There are two ways you can register a computer in the Privileged Access Service:

  • By using the credentials for a specific user account.
  • By using a registration code.

In both cases, you run the cenroll command either interactively or in a script to specify registration options, such as the customer-specific URL to use for enrollment, the system-specific policies you want to set, and the features you want to support after registration.

The sections that follow describe registering with user credentials, registering with an enrollment code, and automating registration, including examples of the most common registration options.

Note that you can register a computer without specifying a network address by DNS name or IP address. However, you must specify the DNS name or IP address to add local accounts for the system or open secure shell sessions on the system after registration.

For complete information about all of the command-line options available, see the cenroll man page.

Enrolling with User Credentials

If you want to register a computer using a specific user name and password, you can run the cenroll command using the --user option. The --user you specify should be an identity service user in a role with the Linux System Enrollment administrative right. For information about adding roles, members, and administrative rights, see the following topics:

  • Creating roles that can create and manage customer's Privileged Access Service
  • Admin Portal administrative rights

After you have configured at least one role for registration, you can run a command similar to the following to register a local computer in the Privileged Access Service:

sudo cenroll --tenant abc0123.my.centrify.net \
  --username=joe.user@acme.com --features all --owner "Enrollment Admins"

The --owner option specifies the role with the registration administrative right.

For more information about using enrollment and other commands, see Using Cloud Client Commands.

Using Enrollment Codes

If you want to register a computer using an enrollment code instead of a user name and password, you should verify the following:

  • You must be a member of the System Administrator role.

  • You must have at least one role with the Linux System Enrollment administrative right.

  • You must generate one or more enrollment codes with the appropriate criteria—such as an expiration date, maximum number of computers that can be registered, or the IP address ranges allowed, if applicable—to be used for registration.

    If you specify IP address restrictions and are connecting to the Privileged Access Service instance through a web proxy server, be sure the IP address for the web proxy server is included in the range allowed.

If you satisfy these prerequisites, you can run the cenroll command using the --code option. To use an enrollment code, you can run a command similar to the following to register a computer in the Privileged Access Service:

sudo cenroll --tenant abc0123.my.centrify.net --code A1BC2345-D6E7-89F0-G123-HIJK4LM5N67P --features all

Enrollment Confirmation

If the cenroll command connects to the Privileged Access Service successfully, you might see confirmation similar to the following in standard output (stdout) or recorded in a log file.

cenroll -t abc1234.my.centrify.net -c A1BC2345-D6E7-89F0-G123-HIJK4LM5N67P -f --features=all

Enrolling in https://abc1234.my.centrify.net/ ...
Cloud client started.
Enabled features: AgentAuth, AAPM, DMC
Enrollment complete.

Automating Registration

You can use the commands included in the client package together with registration codes to automate the deployment and removal of virtual machine instances, such as EC2 instances launched from Amazon Machine Images (AMIs) in an Amazon Web Services (AWS) cloud environment.

Sample scripts in the client package illustrate how to perform the following tasks when starting a new instance:

  • Access the Delinea repository.
  • Download and install the client package.
  • Run the cenroll program with a registration code and a public IP, private IP, or host name for the network address.
  • Configure the secure shell server sshd process.
  • Create a shell script for unregistering to be executed when an instance is shut down.

You must modify some configuration details in the sample script (for example, your customer-specific URL, registration code, features to enable, and network address type) and run the script as "user data" to register the instance in the Privileged Access Service. After the script runs with the appropriate information, the instance is registered as a system and Delinea identity users can log on to it. Because user data is readable from inside the instance through the metadata service and by anyone permitted to describe the instance's attributes, constrain any enrollment code you embed there with an expiration date, a maximum number of computers, and an allowed IP address range.

For more information, see the README file in the /usr/share/centrifycc/samples directory, the README file in the /usr/share/centrifycc/samples/orchestration directory, and the comments in the aws_userdata.sh sample script.
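The list above describes what the aws_userdata.sh sample does without showing its shape. The script below is an added example, not the sample shipped in the package, of a user-data skeleton that enrolls an EC2 instance with an enrollment code, selects the network address by type, and arranges for the instance to unenroll itself at shutdown. It assumes things this page does not state: that cenroll accepts --name and --address and that cunenroll exists with a --delete option (check both against the man pages before relying on them), that the code arrives in the CENROLL_CODE environment variable rather than being hard-coded, that IMDSv2 is enabled, and that the host runs systemd. The tenant value is the one used in this page's examples.

```shell
#!/bin/sh
# Added example (not the aws_userdata.sh shipped in the package): skeleton of a
# user-data script that enrolls an EC2 instance with an enrollment code and
# arranges for cunenroll to run at shutdown.
# Assumptions, not taken from this page: cenroll accepts --name and --address,
# cunenroll --delete exists, the code is supplied in CENROLL_CODE, IMDSv2 is
# enabled, and the host uses systemd.
set -eu

TENANT=${TENANT:-abc0123.my.centrify.net}   # customer-specific URL (value from this page)
ADDRESS_TYPE=${ADDRESS_TYPE:-private}      # public | private | hostname
IMDS=http://169.254.169.254/latest

# imds PATH -> value of an instance-metadata path, using a session token (IMDSv2).
imds() {
    tok=$(curl -sSf -X PUT "$IMDS/api/token" -H 'X-aws-ec2-metadata-token-ttl-seconds: 60')
    curl -sSf -H "X-aws-ec2-metadata-token: $tok" "$IMDS/meta-data/$1"
}

# pick_address TYPE PUBLIC_IP PRIVATE_IP HOSTNAME -> the address to register.
# Fails closed: an unknown type must not silently fall back to a public IP.
pick_address() {
    case "$1" in
        public)   printf '%s\n' "$2" ;;
        private)  printf '%s\n' "$3" ;;
        hostname) printf '%s\n' "$4" ;;
        *) echo "unknown address type: $1" >&2; return 1 ;;
    esac
}

# cenroll_args TENANT NAME ADDRESS -> the non-secret cenroll options. The code
# is added only at the call site so that this string can be logged safely.
cenroll_args() {
    printf '%s\n' "--tenant $1 --name $2 --address $3 --features all"
}

# install_unenroll_hook: a oneshot unit whose ExecStop runs at shutdown, so the
# system record is removed when the instance terminates.
install_unenroll_hook() {
    cat > /usr/local/sbin/unenroll-on-shutdown.sh <<'EOF'
#!/bin/sh
exec cunenroll --delete
EOF
    chmod 0755 /usr/local/sbin/unenroll-on-shutdown.sh
    cat > /etc/systemd/system/unenroll-on-shutdown.service <<'EOF'
[Unit]
Description=Unenroll this instance from the Privileged Access Service at shutdown
After=network-online.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/bin/true
ExecStop=/usr/local/sbin/unenroll-on-shutdown.sh

[Install]
WantedBy=multi-user.target
EOF
    systemctl daemon-reload
    systemctl enable --now unenroll-on-shutdown.service
}

main() {
    code=${CENROLL_CODE:?enrollment code not supplied}
    name=$(imds instance-id)
    pub=$(imds public-ipv4) || pub=''          # absent on instances without a public IP
    addr=$(pick_address "$ADDRESS_TYPE" "$pub" "$(imds local-ipv4)" "$(imds hostname)")
    # shellcheck disable=SC2046
    cenroll --code "$code" $(cenroll_args "$TENANT" "$name" "$addr")
    install_unenroll_hook
}

if [ "${1:-}" = run ]; then
    main
fi
```

Two caveats when adapting this. The code is passed on the cenroll command line, so it is visible in the process list for the duration of the enrollment; a short-lived, count-limited, IP-restricted code (as the Using Enrollment Codes section recommends) bounds what an attacker could do with it. And the shutdown hook only fires on an orderly shutdown; instances that are terminated abruptly still leave a system record behind, which is why the sample script's approach should be paired with a periodic cleanup of stale systems in the Admin Portal.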

Verifying Registration

A successful registration updates the Privileged Access Service with new information in several places. After registration, you can verify the new information associated with the computer.

Depending on the features you enable, registration might include all or a subset of the following tasks:

  • Add the computer to the Systems tab in the Admin Portal.

  • Update the system-specific settings with default values or the settings you specify.

  • Update the system-specific policies with default values or the policies you specify.

  • Add the service user account for the computer to the Delinea Agent Computers read-only role.

    This role automatically grants the service user the Agent Management (Manage Clients) administrative right to perform agent operations, such as unenroll a computer or set an account password.

  • Set system-specific permissions for the service user account for the computer.

Authorizing Access for the Service User

A service user is a user account associated with a Cloud Client on a managed Linux computer. The credentials associated with this account are used to authenticate the service when it attempts to perform an operation on a server. Therefore registering a computer and authorizing a service user to access registered computers are key to enabling application-to-application password management.

A connector is not required to register a computer as an account in the Privileged Access Service. However, you must have a connector installed to support:

  • Remote access to computers using secure shell sessions or remote desktop connections.
  • The ability to change local account passwords for application-to-application password management (AAPM).

Therefore, if you want to support remote access or enable application-to-application password management, you must have at least one connector installed.

By default, the service user is assigned the Grant, Edit, and Delete permissions on its registered computer and can be used to set passwords for accounts on that computer. For the service user to get passwords for local accounts or for accounts on another computer, however, you must grant the service user Checkout permission. This additional step is required to support application-to-application password management. For more information about setting and retrieving passwords for application-to-application password management, see Managing Passwords For Services.
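The paragraph above describes the Checkout permission that application-to-application password management depends on, and the Exploring the Sample Scripts section names mysql.sh as a script that retrieves such a password. The script below is an added example, not one of the package's sample scripts, of what a consumer of a checked-out password should look like: a short checkout lifetime, a hard failure when the checkout is refused (which is what happens when the service user lacks Checkout permission), and the password handed to the client through its environment rather than its command line, where any local user could read it from the process list. It assumes, beyond what this page states, that cgetaccount prints only the password with -s and takes the checkout lifetime in minutes with -t, and that accounts are referenced as user@system; check both against the cgetaccount man page.

```shell
#!/bin/sh
# Added example (not one of the package's sample scripts): check out a managed
# account password from the Privileged Access Service and use it without
# putting it on a command line.
# Assumptions, not from this page: cgetaccount -s prints the password and -t
# takes the checkout lifetime in minutes; the account is referenced as
# user@system; mysql is the consumer.

# run_with_secret_env NAME VALUE CMD [ARGS...]: hand the secret to one child
# through its environment. Unlike argv, a process's environment is readable
# only by its own user and root, and nothing is left in the caller's shell.
run_with_secret_env() {
    name=$1; value=$2; shift 2
    env "$name=$value" "$@"
}

# checkout_password ACCOUNT MINUTES -> the password, or failure when the
# service user lacks the Checkout permission described above.
checkout_password() {
    cgetaccount -s -t "$2" "$1"
}

# account_ref_ok REF -> 0 if REF has the user@system form, 1 otherwise.
account_ref_ok() {
    case "$1" in
        ?*@?*) case "$1" in *@*@*) return 1 ;; esac; return 0 ;;
        *) return 1 ;;
    esac
}

# run_query ACCOUNT SQL: one-minute checkout, password passed via MYSQL_PWD.
run_query() {
    ref=$1; sql=$2
    account_ref_ok "$ref" || { echo "bad account reference: $ref" >&2; return 1; }
    user=${ref%@*}
    host=${ref#*@}
    pw=$(checkout_password "$ref" 1) || { echo "checkout refused for $ref" >&2; return 1; }
    run_with_secret_env MYSQL_PWD "$pw" mysql -h "$host" -u "$user" -e "$sql"
    status=$?
    unset pw
    return $status
}

# Usage: sh aapm_query.sh dbuser@db01.example.com 'SELECT 1'
if [ $# -eq 2 ]; then
    run_query "$1" "$2"
fi
```

The same pattern applies to the scp.sh case: retrieve the password, hand it to the client through the environment or an askpass helper, and never interpolate it into a command string that ends up in argv or in shell history.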

Setting Options For Registered Computers

You can set a global profile for registered computers and the service accounts associated with Cloud Client for Linux computers. For example, the service account user defined for a registered computer requires some additional settings to have a valid profile on the Linux computer where services run or where you are authorizing client-based authentication for access.

For information about defining the profile attributes to use for a service account, see Setting Profile Attributes for Clients.