Privilege Management for Unix and Linux Shared Libraries

When configured with Kerberos, SSL, LDAP, or PAM, Privilege Management for Unix and Linux requires the appropriate third-party libraries. The installation provides Kerberos, SSL, LDAP, and PAM libraries that are designed to work with Privilege Management for Unix and Linux. We recommended you install these third-party libraries.

The shared libraries for the following operating systems are not currently supported:
  • NCR
  • IRIX
  • OSF
  • QNX
  • Mac OS X

Shared Libraries for Kerberos

These settings are related to the shared libraries that are needed for Kerberos in Privilege Management for Unix and Linux.

sharedlibkrb5dependencies

  • Version 5.0.4 and earlier: sharedlibkrb5dependencies setting not available.
  • Version 5.1.0 and later: sharedlibkrb5dependencies setting available.

The libraries are listed in the order they are loaded (dependencies first). This setting should be used in either of the following circumstances:

  • The kerberos setting is set to yes, the pam setting is set to yes, and PAM uses Kerberos
  • The ssl setting is set to yes and the SSL libraries that are listed in the sharedlibssldependencies setting are dependent on the Kerberos libraries

By default, the shared libraries that are listed for this setting are the ones that are shipped with Privilege Management for Unix and Linux. However, you can replace them with libraries that are used by the PAM or SSL services that are installed on the Privilege Management for Unix and Linux host computer.

sharedlibkrb5dependencies /usr/lib/symark/pb/libcom_err.so.3
	/usr/lib/symark/pb/libk5crypto.so.3 /usr/lib/symark/pb/libkrb5.so.3
	/usr/lib/symark/pb/libgssapi_krb5.so.2

No default value

  • Log hosts
  • Policy server hosts
  • Submit hosts
  • Run hosts

loadkrb5libs

  • Version 5.2 and earlier: loadkrb5libs setting not available.
  • Version 6.0 and later: loadkrb5libs setting available.

The loadkrb5libs setting determines whether the libraries that are listed in the sharedlibkrb5dependencies setting are loaded at runtime even if the value of the kerberos setting is no. This setting is ignored when kerberos is set to yes.This setting is useful in certain cases where the operating system is configured to use Kerberos and the Privilege Management for Unix and Linux submitconfirmuser() function returns false even when the correct Kerberos password is supplied.

loadkrb5libs yes 
loadkrb5libs no
  • Log hosts
  • Policy server hosts
  • Submit hosts
  • Run hosts

Shared Libraries for SSL

The following setting is related to the shared libraries needed for SSL use.

loadssllibs

  • Version 6.2.5 and earlier: loadssllibs setting not available.
  • Version 6.2.6 and later: loadssllibs setting available.

The loadssllibs setting determines whether the libraries that are listed in the sharedlibssldependencies setting are loaded at runtime even if the value of the ssl setting is no. This setting is ignored when ssl is set to yes.This setting is useful in certain cases where the operating system is configured to use SSL and we need to force Privilege Management for Unix and Linux to load the SSL libraries.

loadssllibs yes
loadssllibs no
  • Log hosts
  • Policy server hosts
  • Submit hosts
  • Run hosts

sharedlibssldependencies

  • Version 5.0.4 and earlier: sharedlibssldependencies setting not available.
  • Version 5.1.0 and later: sharedlibssldependencies setting available .

The libraries are listed in the order they are loaded (dependencies first). This setting should be used in either of the following circumstances:

  • The ssl setting is set to yes
  • LDAP is used in the policy or by PAM and the LDAP libraries that are listed in the sharedlibldapdependencies setting are dependent on the SSL libraries

By default, the shared libraries listed for this setting are shipped with Privilege Management for Unix and Linux. However, you can replace them with libraries that are used by the SSL service that is installed on the Privilege Management for Unix and Linux host computer.

sharedlibssldependencies  /usr/lib/symark/pb/libcrypto.so.0.9.7 /usr/lib/symark/pb/libssl.so.0.9.7

No default value

  • Log hosts
  • Policy server hosts
  • Submit hosts
  • Run hosts

Shared Libraries for LDAP

The following setting is related to the shared libraries that are needed for LDAP use.

loadldaplibs

  • Version 6.2.5 and earlier: loadldaplibs setting not available.
  • Version 6.2.6 and later: loadldaplibs setting available.

The loadldaplibs setting determines whether the libraries that are listed in the sharedlibldapdependencies setting are loaded at runtime even if policy LDAP functions are not used. This setting is useful in certain cases where the operating system is configured to use LDAP and we need to force Privilege Management for Unix and Linux to load the LDAP libraries.

loadldaplibs yes
loadldaplibs no
  • Log hosts
  • Policy server hosts
  • Submit hosts
  • Run hosts

sharedlibldapdependencies

  • Version 5.0.4 and earlier: sharedlibldapdependencies setting not available.
  • Version 5.1.0 and later: sharedlibldapdependencies setting available .

The libraries are listed in the order they are loaded (dependencies first). This setting should be used in either of the following circumstances:

  • LDAP is used in the Privilege Management for Unix and Linux policy
  • The pam setting is set to yes and PAM is using LDAP

By default, the shared libraries that are listed for this setting are shipped with Privilege Management for Unix and Linux. However, you can replace them with libraries that are used by the LDAP service that is installed on the Privilege Management for Unix and Linux host computer.

sharedlibldapdependencies  /usr/lib/symark/pb/liblber-2.3.so.0 /usr/lib/symark/pb/libldap-2.3.so.0

No default value

  • Log hosts
  • Policy server hosts
  • Submit hosts
  • Run hosts

Shared Library Directory Location for AIX and HP (PA RISC)

For AIX and HP (PA-RISC), the directory for installing third-party libraries must be in one of the following locations:

  • /usr/lib/symark/pb
  • /usr/lib
  • /lib
  • /usr/local/lib

If any other directory is specified, then it is rejected with an error message stating that you must use one of these four directory locations.

Shared Library File Name for AIX

The notation that is used on AIX to specify some libraries (Kerberos and LDAP) is different from other platforms. On AIX for third-party libraries that are archives, you also need to specify the shared object that is a member of the archive and add it to the file name.

If libcom_err.a.3.0 is an archive and shr.0.3.0 is the actual shared object, then the file specification for the member of the archive is:
libcom_err.a.3.0(shr.0.3.0)

For SSL, because the library is not an archive, it is not necessary to alter the file name.

Shared Libraries for PAM

The following are the shared libraries needed for PAM use.

libpam

  • Version 5.2 and earlier: libpam setting not available.
  • Version 6.0 and later: libpam setting available.

libpam is a user-defined PAM library that Privilege Management for Unix and Linux uses as a first option in case the system does not use the standard default PAM libraries. The notation used for AIX to specify the OS-provided PAM library is the following:

/usr/lib/libpam.a(shr.o)
libpam /lib/libpam.so.1

No default value

  • Policy server hosts
  • Submit hosts
  • Run hosts
  • Policy server hosts
  • Submit hosts
  • Run hosts

Hardware Security Module (HSM)

Privilege Management for Unix and Linux, through its integration with the SafeNet Luna SA Hardware Security Module (HSM), provides the first privileged user management solution to use FIPS 140-2 Security Level 2-validated key storage services to achieve compliance with the most strict key storage requirements and standards. Privilege Management for Unix and Linux supports the configuration of an SSL engine. An SSL engine is a plug-in mechanism for third parties to add extra cryptographic capabilities to SSL. The SSL engine must be properly configured according to the engine provider’s instructions.The SSL library that is shipped with Privilege Management for Unix and Linux does not support the use of SSL engines. Therefore, to use an SSL engine, you must build your own set of SSL libraries to support the SSL engine. If you use Kerberos or LDAP, then you must also build your own set of those libraries.The file name of the SSL engine shared object should be appended to the sharedlibssldependencies setting, and the engine ID should be specified using the sslengine keyword.

sslengine

  • Version 5.0.4 and earlier: sslengine setting not available.
  • Version 5.1.0 and later: sslengine setting available.

The sslengine setting specifies the SSL engine ID to be used with the HSM. The value is case-sensitive.

The following is an example pb.settings configuration when using the SafeNet Luna SA Hardware Security Module:
sharedlibkrb5dependencies none
	sharedlibldapdependencies none
	sharedlibssldependencies /usr/local/lunassl/lib/libcrypto.so.0.9.8
	/usr/local/lunassl/lib/libssl.so.0.9.8
	/usr/local/lunassl/lib/engines/liblunaca3.so
			
	ssl yes
	sslservercertfile /etc/pb/CERTS/safenet.crt
	sslserverkeyfile /etc/pb/CERTS/safenet.key

	sslengine LunaCA3

New SSL libraries with engine support are built and installed in the /usr/local/lunassl directory. Kerberos and LDAP are not in use. The engine ID is LunaCA3. The key file value is a name that is interpreted by the engine to access the private key on the HSM.

No default value

  • Policy server hosts
  • Log hosts