Issuing a certificate for IdP
Run PowerShell as administrator on any of the PAM servers and run the command:
```powershell
New-SelfSignedCertificate -DnsName idp.domain.local -CertStoreLocation cert:\LocalMachine\My
```
Note: the DNS name idp.domain.local does not matter and can be anything.
Export certificate for IdP
- Run the MMC snap-in on the server where the certificate was issued and select Computer certificates
- Go to the Personal section, open the context menu of the idp.domain.local certificate and select All Tasks - Export. The export must be done both with the private key and without the private key
Import certificate for IdP
- Transfer the exported certificates to the second PAM server
- Open the context menu of the .pfx file and select Install PFX, install the certificate to Local Machine\Personal store
- Open the context menu of the .crt file and select Install Certificate, install the certificate to Local Machine\Trusted Root Certification Authorities store. This item must be done for the first PAM server as well.
Configuring a certificate for IdP
Configuration is performed on all PAM servers.
- Start the MMC snap-in, open the context menu of the idp.domain.local certificate (Personal store) and select All Tasks - Manage Private Keys
- Click Add in the Security section
- Click Locations and select local computer
- Enter the pool name IIS AppPool\Indeed.idp and click Check Names
- Save your changes
Indeed PAM IdP configuration
Configuration is performed on all PAM servers.
- Start the MMC snap-in, open the idp.domain.local certificate (Personal store), click the Details tab
- Find the Thumbprint item and copy its value
Warning: when copying, a non-printable character is always added to the beginning of the line; it must be removed!
- Edit the file C:\inetpub\wwwroot\pam\idp\appsettings.json and specify the thumbprint value for the SigningCertificate parameter
- Restart IIS.
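The two MMC procedures above (granting the IIS application pool access to the private key, and putting the thumbprint into appsettings.json) can also be scripted. This is an added example, not part of the Indeed PAM documentation; it assumes the certificate was issued with the New-SelfSignedCertificate command above (subject CN=idp.domain.local, key held by the default Microsoft Software Key Storage Provider under its default path) and that appsettings.json already contains a top-level SigningCertificate key.

```powershell
# Added example (not from the Indeed PAM docs). Run as administrator on each PAM server.
# Assumptions: certificate subject CN=idp.domain.local, key stored by the default CNG
# provider (New-SelfSignedCertificate default), SigningCertificate is a top-level key
# in appsettings.json.
$dnsName  = 'idp.domain.local'
$poolUser = 'IIS AppPool\Indeed.idp'
$settings = 'C:\inetpub\wwwroot\pam\idp\appsettings.json'

# 1. Find the IdP certificate in the Local Machine\Personal store (newest one if several).
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$dnsName" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with CN=$dnsName and a private key in LocalMachine\My" }

# 2. Grant the application pool identity Read on the private key file
#    (the equivalent of All Tasks - Manage Private Keys in MMC).
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\Keys\$($rsa.Key.UniqueName)"
} else {
    # Legacy CSP key container (certificates issued with a CryptoAPI provider)
    $keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$($rsa.CspKeyContainerInfo.UniqueKeyContainerName)"
}
$acl  = Get-Acl -Path $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($poolUser, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl

# 3. Normalise a thumbprint: drop the invisible character MMC prepends on copy and any
#    spaces, then require exactly 40 hex characters (SHA-1 thumbprint).
function Get-CleanThumbprint([string]$Raw) {
    $clean = ($Raw -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($clean.Length -ne 40) { throw "'$Raw' is not a 40-hex-character thumbprint after cleaning" }
    return $clean
}

# 4. Write the thumbprint into appsettings.json. Reading it from the certificate object
#    avoids the copy-paste problem entirely; the cleaning step still guards against it.
$json = Get-Content -Path $settings -Raw | ConvertFrom-Json
$json.SigningCertificate = Get-CleanThumbprint $cert.Thumbprint
$json | ConvertTo-Json -Depth 20 | Set-Content -Path $settings -Encoding UTF8

# 5. Restart IIS so the IdP picks up the new signing certificate.
iisreset
```

ConvertTo-Json rewrites the whole file, so any comments or hand formatting in appsettings.json are lost; back the file up first if that matters.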
Configuring Indeed PAM configuration files
It is necessary to change all URLs in Indeed PAM configuration files, except those intended for working with ILS. For example:
| Old URL | New URL |
|---|---|
| https://pam.domain.local/pam/core | https://haproxy.domain.local/pam/core |
| https://pam.domain.local/pam/idp | https://haproxy.domain.local/pam/idp |
| https://pam.domain.local/pam/mc | https://haproxy.domain.local/pam/mc |
| https://pam.domain.local/pam/uc | https://haproxy.domain.local/pam/uc |
To balance PAM Core, an Active-Passive scheme is recommended.
Additional servers with Indeed PAM Core installed are added to Component arrangement #2.
Let their names be pam2, pam3, etc. Each PAM Core is configured exactly like the first; in particular, the configuration file c:\inetpub\wwwroot\api\Web.config must be identical on all of them.
The balancer itself acts as the api endpoint, and all PAM Core instances sit behind it. The balancer address must be entered in the corresponding sections of the User Console, Management Console and Gateway configuration files:
Edit lines in files C:\inetpub\wwwroot\uc\assets\config\config.prod.json and C:\inetpub\wwwroot\mc\assets\config\config.prod.json:
```json
"apiServer": {
  "url": "https://haproxy.indeed-id.local/api"
},
```
Edit lines in file C:\Program Files\Indeed PAM\Gateway\ProxyApp\Pam.Proxy.App.exe:
```xml
<pamProxy ApiUrl="https://haproxy.indeed-id.local/api" IdpUrl="https://pam1.indeed-id.local/idp" ... FileCopyMinBytesToSave="1048576" />
```
HAProxy settings in the case of two servers (the first is active, the second is standby) are presented below:
```haproxy
global
    log /dev/haproxy/log local0          # see https://en.wikipedia.org/wiki/Syslog#Facility
    log /dev/haproxy/log local1 notice   # notice - error level. The whole list: emerg, alert, crit, err, warning, notice, info, debug
    chroot /var/lib/haproxy              # Change the execution directory to protect against attacks. The folder is empty and has no permissions.
    maxconn 256                          # Maximum number of simultaneous connections.
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    # HAProxy immutable settings
    user haproxy
    group haproxy
    daemon                               # Run the process in the background

defaults
    log global
    mode http
    option httplog
    option dontlognull
    # Timeouts
    timeout connect 5000ms
    timeout client 50000ms
    timeout server 50000ms
    retries 3                            # Retries before lowering server status
    # Statistics
    stats enable
    stats hide-version
    stats realm Haproxy\ Statistics
    stats uri /haproxy                   # Link to the statistics page
    stats auth stat:stat                 # Placeholder credentials for the statistics page; change them before deployment
    option httpchk HEAD / HTTP/1.0
    # Access settings
    option redispatch                    # Allows users to go to another server if the server their cookies refer to doesn't work
    balance roundrobin                   # Server selection algorithm (servers are used in turn)

frontend frontend_http
    bind *:443 ssl crt /etc/ssl/certs/haproxy.indeed-id.local.pem   # Frontend interface with the path to the certificate of this server
    option forwardfor                    # Pass the original client IP address to the server
    default_backend backend_http         # Indicate which backend processes requests

backend backend_http
    option prefer-last-server            # Attempt to reuse the same connection to the server
    option httpchk GET /api/isHealthy    # PAM Core application availability check
    stick-table type string len 35 size 1m expire 1d   # Required for communication between gateway and core, otherwise viewing the video stream will not work
    stick on path,word(2,/) if { path_beg /screencast/ }
    server pam2 192.168.10.122:443 ssl verify none check inter 5000ms          # Server names for HAProxy monitoring, availability check enabled, backend certificate not verified
    server pam1 192.168.10.121:443 backup ssl verify none check inter 5000ms   # Backup server is inactive while the main server is available for connections
```