Posted: 8/9/2013, Updated: 8/10/2015
Identity Finder Endpoint for Linux supports management via the Identity Finder Console. This management includes the application of policies, scheduling of tasks in user mode, and reporting of results and logs. Additionally, the client can be executed via the command line in a terminal window.
To configure Endpoint for Linux to communicate with the console, it is necessary to install configuration information on each client that includes the location of the console as well as the encryption information necessary to securely communicate with the console.
Before a search can be executed by the client, it is necessary for each client to have license information that is provided via a license file (identityfinder.lic) or created via the activation process.
It is also possible to customize the automated execution and/or user experience through the use of policies, configuration settings (xml) files, or via command line configuration files (xml).
To detail the above, this article contains information about:
- Client/Console Communication
- License Files
- Configuration Settings (XML) Files and Command Line Switches
- Endpoint Service, Tasks, and Policies
Finally, additional information about the operation of the client and the storage locations for logs is also included.
To support these features, it is necessary to create a custom installation package using Identity Finder supplied build scripts.
To configure communication between the client and the console, it is necessary, at a minimum, to configure the settings to point to the enterprise console, establish the encryption key used for communication, and enable communication. The easiest way to obtain these settings is to browse to http://consoleserver/Services, where consoleserver is the name or IP address of the enterprise console. On that page, there is a link entitled "Identity Finder for Linux." Clicking that link will provide an XML file containing the aforementioned settings. This file should be included in the custom package that is created for deployment to all Linux systems. Alternatively, this file can be distributed to those systems via any existing software distribution method; however, if a custom package is not created that deploys the endpoint service application and creates the launch agent, it will be necessary to manually transfer all relevant files at least once to establish the client/console communication.
The Linux client software supports a list of publicly trusted root certificate authorities, such as Verisign, Thawte, etc. If the Console server uses a private certification authority or a self-signed certificate, then it is necessary to take additional steps to enable encrypted (HTTPS) communication. Details are available here:
To use Identity Finder for Linux, a license file must be supplied. The file must be named identityfinder.lic and be located in the same system directory as the Identity Finder application. The license file should be included in the custom package.
System settings that are either manually copied or installed by the installation package are the primary source of local settings on Linux. Additional settings can be supplied to the client via the --configurationfile command line switch. The system settings are installed/located here:
When settings are present in an XML configuration file (whether the system settings or an additional XML file supplied on the command line), they are considered authoritative. Creating a configuration file from scratch is possible, but it is recommended that an existing file be modified with the desired information to ensure proper formatting.
More information is available in the article Enterprise Client Command Line Switches.
When Identity Finder for Linux is used, an endpoint service application (daemon) is used to communicate with the console to obtain tasks and policies. The endpoint service application must be deployed by the custom installation package. If the endpoint service binary does not exist in the specified location, as noted below, the client will be unable to communicate with the enterprise console. Communication with the console is conducted according to the specified polling interval.
The application binary is located here:
The supporting files for the endpoint service (including downloaded tasks and policies) are located here:
The endpoint service log files, named with the date and time as EPS_YYYY-MM-DD_HH-MM-SS.log, are located here:
By default, client logs are stored under the Application Support folder:
All Linux searches scheduled from the console are run as root. The log files are stored in a subdirectory for system searches:
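As an added example that is not part of this article or of the Identity Finder product, the following Python reads the EPS_YYYY-MM-DD_HH-MM-SS.log naming convention described above to find the newest endpoint service log and judge whether the service has fallen silent relative to the configured polling interval. It assumes a new EPS log is written each time the service runs, and takes the directory listing and the current time as inputs rather than naming the (unstated) log directory.

```python
import re
from datetime import datetime
from typing import Iterable, Optional

# Filename convention stated in the article: EPS_YYYY-MM-DD_HH-MM-SS.log
EPS_LOG_RE = re.compile(r"^EPS_(\d{4}-\d{2}-\d{2}_\d{2}-\d{2}-\d{2})\.log$")
EPS_TIME_FMT = "%Y-%m-%d_%H-%M-%S"


def parse_eps_log_time(filename: str) -> Optional[datetime]:
    """Return the timestamp embedded in an EPS log filename, or None when
    the name does not follow the convention (or encodes an impossible date)."""
    m = EPS_LOG_RE.match(filename)
    if not m:
        return None
    try:
        return datetime.strptime(m.group(1), EPS_TIME_FMT)
    except ValueError:  # right shape, impossible value (e.g. month 13)
        return None


def latest_eps_log(filenames: Iterable[str]) -> Optional[str]:
    """Pick the newest EPS log by its embedded timestamp rather than by
    mtime, which a copy or backup restore can silently change."""
    best = None
    for name in filenames:
        ts = parse_eps_log_time(name)
        if ts is not None and (best is None or ts > best[0]):
            best = (ts, name)
    return best[1] if best else None


def hours_since_last_log(filenames: Iterable[str], now_iso: str) -> Optional[float]:
    """Age of the newest EPS log in hours; None when no EPS log exists."""
    newest = latest_eps_log(filenames)
    if newest is None:
        return None
    age = datetime.fromisoformat(now_iso) - parse_eps_log_time(newest)
    return age.total_seconds() / 3600


def checkin_is_stale(filenames, polling_interval_hours: float, now_iso: str, grace: int = 2) -> bool:
    """True when the service has not written a log within `grace` polling
    intervals (assumption: one EPS log per service run), or never at all."""
    age = hours_since_last_log(filenames, now_iso)
    return age is None or age > grace * polling_interval_hours


# Constructed sample listing (not real output from any system)
SAMPLE_LISTING = [
    "EPS_2015-08-09_01-00-00.log",
    "EPS_2015-08-10_01-00-00.log",
    "EPS_2015-08-10_13-00-00.log",
    "notes.txt",                    # ignored: not an EPS log
    "EPS_2015-13-01_00-00-00.log",  # ignored: impossible month
]
```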