Versions Compared

Old Version 1

changes.mady.by.user Pavel Golubnichiy

Saved on

compared with

New Version Current

changes.mady.by.user Pavel Golubnichiy

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

IIS

  1. Run IIS and switch to Default Web Site\pam
  2. Open the Configuration Editor from Management section
  3. Open the Section: drop-down list and select system.webServer\security\requestFiltering item
  4. Open the requestLimits item, set maxQueryString to 8192
  5. Click Apply in Actions section
  6. Switch to Default Web Site\pam\core
  7. Open the
Tip
iconfalse

Indeed PAM Core can work as the part of an Active-Active failover cluster. Failover requires one or several additional Indeed PAM Core servers. Load balancing is performed using the HAProxy load balancer. To configure a fault-tolerant configuration, you must contact technical support support@indeed-id.com

IIS

  1. Run IIS and switch to Default Web Site
  2. Select the api application and open the Configuration Editor from Management section
  3. Open the Section: drop-down list and select system.webServer - serverRuntime \serverRuntime item
  4. Set the uploadReadAheadSize parameter to value of  to 1048576
  5. Click Apply in Actions section

Indeed PAM Core

Warning
iconfalse

All URLs are specified in lowercase.

The json format does not allow comments in the file, so you must delete lines beginning with the characters "//"

Switch to C:\inetpub\wwwroot\pam\apicore folder and edit webappsettings.configjson file:

<logServer … />

  • Url - API URL for the uniform event log
Code Block
<logServer Url="http://logserver.indeed-id.local/ils/api" CertificateThumbprint="" CertificateFilePath="" CertificateFilePassword="" />

<logServerClient … />:

  • EventCacheDirectory - a temporary folder for event writing
Code Block
languagexml
themeConfluence
<logServerClient AppId="pam" Component="server" EventCacheDirectory="C:\Temp\ILS\Core\EventCacheDirectory" LogServerTargetConfigFile="" EventCacheSendingIntervalSec="10"/>

<encryptionSettings ... />:

ConnectionStrings section

  • PamCore - IPAMCore database connection string
  • JobsQueue - IPAMTasks database connection string

Connection String parameters:

  • Server - DBMS server name or named instance
  • Database - Database name
  • User ID - account to use with Database

  • Password - account password

    Code Block
    languagejs
    "ConnectionStrings": {
  "PamCore": "Server=sql.domain.local;Database=IPAMCore;Integrated Security=False;User ID=IPAMSQLService;Password=password",
  "JobsQueue": "Server=sql.domain.local;Database=IPAMTasks;Integrated Security=False;User ID=IPAMSQLService;Password=password"
},


    Warning
    iconfalse

    If using a Named Instance of Microsoft SQL Server, the value of the Server parameter must be specified in the Server Name\\Named instance format.

    Code Block
    languagejs
    "PamCore": "Server=sql\\instance; ..."



Database section

Provider - DBMS provider

  • mssql - Microsoft SQL Server
  • pgsql - PostgreSQL, PostgreSQL Pro

Auth section

  • IdpUrls - Indeed PAM IdP URL address

  • ApiSecret - Secret for component authentication purposes



    Note
    iconfalse

    The secret for the ApiSecret parameter is generated by the console utility Pam.ConsoleApp.exe



  • PamGatewayIpAddresses - Indeed PAM Gateway or SSH PROXY IP Addresses

    Code Block
    languagejs
      "Auth": {
    "IdpUrls": [ "https://pam.domain.local/pam/idp" ],
	"ApiSecret": "aEB+UkZI3imDdp4xLHgHz/pxLZI9XEX4q6uI822/XfdPKaXJjfGrDVCH/u7SxVq3Os3GTFnfgkQc+AJBhmm4rQ==",
    "MediaDataUrlsSecret": "42C329CF-B932-46DE-83F5-0C302AE9E486",
    "PamGatewayIpAddresses": "192.168.48.155, 192.168.48.202",
    "GatewayCertificateValidation": {
      "Enabled": false,
      "Filter": ""
    }   
  },


Encryption section

  • Algorithm - encryption algorithm

  • Key - encryption

  • cryptoAlgName - is the name of encryption algorithm
    • cryptoKey - is encryption

  • key

    Note
    iconfalse

    The encryption key is generated by the IndeedPAM.KeyGen.exe utility, which is the part of the Indeed PAM distribution and is located in the /Misc directory.


    Code Block
<encryptionSettings cryptoAlgName="DES" cryptoKey="ea06v76ht457t2l8" />

<adUserCatalogProvider ... >:

  • serverName - is the DNS name of Domain Controller that performs Global Catalog function
  • containerPath - is the LDAP path to container or unit to be used as Active Directory user directory
  • userName - service account for working with Active Directory user directory
  • Password - service account password
Code Block
languagexml
themeConfluence
<adUserCatalogProvider id="ad" serverName="dc.indeed-id.local" containerPath="OU=organization unit,DC=indeed-id,DC=local" userName="IPAMManager" password="password">
<connectionStrings> ... </connectionStrings>:
  1. <add name="DBConnection" ... />:
    • Data Source - Microsoft SQL Server Name or Instance Name
    • Initial Catalog - database Name (IPAMCore)
    • User ID - service account to use with Indeed PAM databases
    • Password - service account password
  2. <add name="JobsQueueConnectionString" ... />:
    • Data Source - Microsoft SQL Server Name or Instance Name
    • Initial Catalog - database Name (IPAMTasks)
    • User ID - service account to use with Indeed PAM databases
    • Password - service account password

An example of connecting to a Microsoft SQL Server database

Code Block
languagexml
themeConfluence
<connectionStrings>
	<add name="DBConnection" connectionString="Data Source=MSSQLServer;Initial Catalog=IPAMCore;Integrated Security=False;User ID=IPAMSQLService;Password=password" providerName="System.Data.SqlClient" />
	<add name="JobsQueueConnectionString" connectionString="Data Source=MSSQLServer;Initial Catalog=IPAMTasks;Integrated Security=False;User ID=IPAMSQLService;Password=password" providerName="System.Data.SqlClient" />
</connectionStrings>

An example of connecting to a PostgreSQL Pro database

Warning
iconfalse

In the connection string, you need to replace the providerName=''System.Data.SqlClient' with the providerName=''Npgsql'

Code Block
languagexml
<connectionStrings>
	<add name="DBConnection" connectionString="Data Source=PostgreSQLProServer;Initial Catalog=IPAMCore;Integrated Security=False;User ID=IPAMSQLService;Password=password" providerName="Npgsql" />
	<add name="JobsQueueConnectionString" connectionString="Data Source=PostgreSQLProServer;Initial Catalog=IPAMTasks;Integrated Security=False;User ID=IPAMSQLService;Password=password" providerName="Npgsql" />
</connectionStrings>

For PostgreSQL Pro, in the <appSettings> ... </appSettings> section, add the line

Code Block
languagexml
<appSettings>
	...
	<add key="DBMS" value="PostgreSQL" /> 
</appSettings>
Warning
iconfalse

If using a Named Instance of Microsoft SQL Server, the value of the Data Source parameter must be specified in the <Server Name>\<Named instance> format.

Code Block
<connectionStrings>
	<add name="DBConnection" connectionString="Data Source=MSSQLServer\Named instance; ... "/>
	<add name="JobsQueueConnectionString" connectionString="Data Source=MSSQLServer\Named instance; ... "/>
</connectionStrings>

<add key="IdpUrl" ... />:

  • value - URL Indeed PAM IdP
Code Block
languagexml
themeConfluence
<add key="IdpUrl" value="https://pam.indeed-id.local/idp"/>

<add key="PamProxyIpAddresses" … />:

  • value - Indeed PAM Gateway server IP address
Code Block
languagexml
themeConfluence
<add key="PamProxyIpAddresses" value="192.168.0.100" />
  • languagejs
    "Encryption": {
  "Algorithm": "AES",
  "Key": "4258egk74n834rr93bf458813l7618wq7f1jei9a58915pk511z63n5j0svt1m1o8",
  "MediaFiles": {
    "Algorithm": "AES"
  }
},


Features section

  • AllowRevealAccountName - option for reveal the Account in the user console. If false, the Account names will not be revealed in the user console.
  • AllowRevealCredentials - option for reveal the Password in the user console. If false, the password from Accounts will not be revealed in the user console..

LogServer section

  • Directory - temporary folder for recording events

  • Url - Indeed Log Server API URL address

    Code Block
    languagejs
      "LogServer": {
    "AppId": "pam",
    "Component": "server",
    "EventCache": {   
    	"Directory": "C:\\ILS\\Core",
    	"SendingIntervalSec": 10
	},
    "Server": {
      "Url": "https://pam.domain.local/ls/api",
      "Certificate": {
        "Thumbprint": "",
        "FilePath": "",
        "FilePassword": ""
      }
    }
  },


UserCatalog section

  • ServerNameis the DNS name of Domain Controller that performs Global Catalog function
  • ContainerPathis the Distinguished name of Container or OU to be used as Active Directory user directory
  • UserName - service account for working with Active Directory user directory

  • Password - service account password

    Code Block
    languagejs
    "UserCatalog": {
    "RootProvider": "ad",
    "Providers": {
      "ActiveDirectory": [
        {
          "Id": "ad",
          "ServerName": "domain.local",
          "ContainerPath": "DC=domain,DC=local",
          "UserName": "IPAMManager",
          "Password": "password",
          "UserMapRules": {
            "Settings": [
              {
                "Category": "person",
                "Class": "user"
              }
            ]
          }
        }
      ]
    }
  }


Backtotop
Delay0
Distance250


Divbox
classrightFloat

Table of Contents
printablefalse