Warning

All URLs are specified in lowercase.

The JSON format does not allow comments in the file, so you must delete every line beginning with the characters "//".

Note

URL example: https://pam.domain.local/pam/core
pam.domain.local - the fully qualified DNS name of the management server


Warning

You need to recycle the Indeed.Idp application pool after every change to the configuration file. You can do this in the IIS Manager snap-in or with the PowerShell command:
Restart-WebAppPool Indeed.Idp


Note

URL example: https://pam.domain.local/pam/idp
pam.domain.local - the fully qualified DNS name of the management server


Go to the C:\inetpub\wwwroot\pam\idp folder and edit the appsettings.json file:

ConnectionStrings

  • DefaultConnection - connection string for the IPAMIdP database

Connection String parameters:

  • Server - the name of the Microsoft SQL Server or its named instance
  • Database - the name of the database (IPAMIdP)
  • User ID - the service account to use with Indeed PAM databases
  • Password - the password for that service account

Code Block
  "ConnectionStrings": {
    "DefaultConnection": "Server=sql.domain.local; Database=IPAMIdP; Integrated Security=False; User ID=IPAMSQLServiceOps; Password=password"
  }, 


Warning

If using a Named Instance of Microsoft SQL Server, the value of the Server parameter must be specified in the Server Name\\Named instance format.

Code Block
"DefaultConnection": "Server=sql\\instance; ..."



Database

In the Provider section, select the DBMS connection provider:

  • mssql - for MS SQL Server
  • pgsql - for PostgreSQL Pro

IdentitySettings

  • AdminSids - SID of the user who gets access to the administrator console and Roles management. If there are several, separate the SIDs with commas
  • IdpUrls - Indeed PAM IdP URLs
  • Lang - the user interface language of the component; set it to "en"
  • GatewaySecret - hash for client keys for additional authentication of Indeed PAM Gateway
  • ConsoleAppClientSecret - hash for client keys for additional authentication of the Console App utility
  • SshProxyClientSecret - hash for client keys for additional authentication of Indeed PAM SSH Proxy
  • CoreApiSecret - hash for client keys for additional authentication of PAM Core
  • IdpApiSecret - secret for the client key of PAM IdP

  • Enable2FaCacheForClients - list of client IDs for which second-factor caching is enabled
  • SecondFaCacheLifetimeSeconds - second-factor caching time in seconds

    List of available client IDs for Enable2FaCacheForClients:

    • "console-app"
    • "ssh-proxy-app"
    • "pam-management-console"
    • "pam-user-console"
    • "pam-gateway"
    • "pam-remote-client"


Code Block
"IdentitySettings": {
    "AdminSids": [
        "S-1-5-21-1487179672-2651565253-5257550508-0000",
        "S-1-5-21-1487179672-2651565253-5257550508-0001"
    ],
    "IdpUrls": [ "https://pam.domain.local/pam/idp" ],
    "Lang": "en",
    "SigningCertificate": "",
    "GatewaySecret": "N2u7dSLd5f8BmLHe5BImaOg7HWb9gCeKdTGCIC0iy9o=",
    "ConsoleAppClientSecret": "",
    "SshProxyClientSecret": "pgJSv8V5+mWMEecN3e6Lvp/pWBlbOOdiAuaU4nYvtv4=",
    "CoreApiSecret": "m2Ux/xH/uifL5xuILdkChgwyyZDDY8DacwHMUgURs7k=",
    "IdpApiSecret": "yGJHfNmHT0EX5GidmZ0GxChcqWLPx8HxXAyefo8eUWb6azPnBZIhQ5J1twyA3S+fomKeJpYbxHgQqyRilGadWg==",
    "RemoteInstallerClientSecret": "",
    "Enable2FaCacheForClients": [ "pam-management-console" ],
    "SecondFaCacheLifetimeSeconds": 60
},

Encryption

  • Algorithm - data encryption algorithm in the IDP database
  • Key - data encryption key in the IDP database

    Code Block
      "Encryption": {
        "Algorithm": "AES",
        "Key": "3227cff10b834ee60ad285588c6510ea1b4ded5b24704cf644a51d2a9db3b7e5"
      },


    Note

    The encryption key is generated by the IndeedPAM.KeyGen.exe utility, which is included in the Indeed PAM distribution kit and is located in the /Misc directory.


PamSettings

  • ManagementConsoleUrls - URL of Indeed PAM Management Console
  • UserConsoleUrls - URL of Indeed PAM User Console
  • CoreUrls - URL of Indeed PAM Core
  • SessionLifetime - maximum duration of a user session in seconds

    Code Block
      "PamSettings": {
        "ManagementConsoleUrls": [ "https://pam.domain.local/pam/mc" ],
        "UserConsoleUrls": [ "https://pam.domain.local/pam/uc" ],
        "CoreUrls": [ "https://pam.domain.local/pam/core" ],
        "SessionLifetime": 43200
      },


UserCatalog

This section is required to search for users and add them to Roles. It is filled in the same way as the corresponding section in the PAM Core settings.
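
The rules stated on this page (no "//" lines, lowercase URLs, doubled backslash for a named instance, known client IDs for 2nd factor caching) can be checked before the application pool is recycled. The script below is an added example, not part of the Indeed PAM distribution or its documentation; the function name Test-IdpSettings and the sample JSON are assumptions made for illustration.

```powershell
# Hypothetical helper (not part of Indeed PAM): emits one string per rule violation.
function Test-IdpSettings {
    param([Parameter(Mandatory)][string]$Json)
    $lines = $Json -split "`r?`n"
    # Rule: delete lines beginning with "//". Checked on the raw text because
    # ConvertFrom-Json in PowerShell 6+ accepts comments without complaint.
    for ($i = 0; $i -lt $lines.Count; $i++) {
        if ($lines[$i] -match '^\s*//') { "line $($i + 1): comment line must be deleted" }
    }
    # Rule: a named instance needs the doubled backslash (Server=sql\\instance).
    if ($Json -match 'Server=[^;"\\]*\\(?!\\)') { 'Server: write "\\" before the instance name' }

    $clean = ($lines | Where-Object { $_ -notmatch '^\s*//' }) -join "`n"
    try { $cfg = $clean | ConvertFrom-Json -ErrorAction Stop }
    catch { "invalid JSON: $($_.Exception.Message)"; return }

    # Rule: all URLs are specified in lowercase.
    $urls = @($cfg.IdentitySettings.IdpUrls) + @($cfg.PamSettings.ManagementConsoleUrls) +
            @($cfg.PamSettings.UserConsoleUrls) + @($cfg.PamSettings.CoreUrls)
    foreach ($u in $urls) {
        if ($u -and $u -cne $u.ToLowerInvariant()) { "URL not lowercase: $u" }
    }
    # Rule: Enable2FaCacheForClients accepts only the client IDs listed on this page.
    $known = 'console-app', 'ssh-proxy-app', 'pam-management-console',
             'pam-user-console', 'pam-gateway', 'pam-remote-client'
    foreach ($id in @($cfg.IdentitySettings.Enable2FaCacheForClients)) {
        if ($id -and $known -cnotcontains $id) { "unknown 2FA cache client id: $id" }
    }
}

# Constructed sample with three deliberate faults.
$sample = @'
{
  // identity provider
  "IdentitySettings": {
    "IdpUrls": [ "https://PAM.domain.local/pam/idp" ],
    "Enable2FaCacheForClients": [ "pam-management-console", "web-portal" ]
  },
  "PamSettings": { "CoreUrls": [ "https://pam.domain.local/pam/core" ] }
}
'@
$problems = @(Test-IdpSettings -Json $sample)
$problems | ForEach-Object { Write-Warning $_ }
# Against the real file, recycle the pool only when nothing is reported:
#   $problems = @(Test-IdpSettings -Json (Get-Content -Raw C:\inetpub\wwwroot\pam\idp\appsettings.json))
#   if ($problems.Count -eq 0) { Restart-WebAppPool Indeed.Idp }
```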
