Versions Compared

Old Version 1

changes.mady.by.user Pavel Golubnichiy

Saved on

compared with

New Version Current

changes.mady.by.user Pavel Golubnichiy

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Issuing a certificate for IdP

  • Run PowerShell as administrator on any of the PAM servers and run the command:

    Code Block
    languagepowershell
    New-SelfSignedCertificate -DnsName idp.domain.local -CertStoreLocation cert:\LocalMachine\My


    Note
    iconfalse
    The DNS name idp.domain.local does not matter and can be anything.


Export certificate for IdP

  • Run the MMC snap-in on the server where the certificate was issued and select Computer certificates
  • Go to the Personal section, open the context menu of the idp.domain.local certificate and select All Tasks - Export. The export must be done both with the private key and without the private key

Import certificate for IdP

  • Transfer the exported certificates to the second PAM server
  • Open the context menu of the .pfx file and select Install PFX, install the certificate to Local Machine\Personal store
  • Open the context menu of the .crt file and select Install Certificate, install the certificate to Local Machine\Trusted Root Certification Authorities store. This item must be done for the first PAM server as well.

Configuring a certificate for IdP

Configuration is performed on all PAM servers.

  • Start the MMC snap-in, open the context menu of the idp.domain.local certificate (Personal store) and select All Tasks - Manage Private Keys
  • Click Add in the Security section
  • Click Locations and select local computer
  • Enter the pool name IIS AppPool\Indeed.idp and click Check Names
  • Save your changes

Indeed PAM IdP configuration

Configuration is performed on all PAM servers.

  • Start the MMC snap-in, open the idp.domain.local certificate (Personal store), click the Details tab

  • Find the Thumbprint item and copy its value

    Warning
    iconfalse
    When copying, a non-printable character is always added to the beginning of the line, it must be removed!


  • Edit the file C:\inetpub\wwwroot\pam\idp\appsettings.json and specify the thumbprint value for the SigningCertificate parameter
  • Restart IIS.

Configuring Indeed PAM configuration files

It is necessary to change all URLs in Indeed PAM configuration files (Core, Idp, MC, UC, Gateway, SSH Proxy), except those intended for working with Log Server. For example:

Old URLsNew URLs
https://pam.domain.local/pam/corehttps://haproxy.domain.local/pam/core
https://pam.domain.local/pam/idphttps://haproxy.domain.local/pam/idp
https://pam.domain.local/pam/mchttps://haproxy.domain.local/pam/mc
https://pam.domain.local/pam/uchttps://haproxy.domain.local/pam/uc

HAProxy settings example

Code Block
languagepy
global
	#log		/dev/haproxy/log local0			# see https://en.wikipedia.org/wiki/Syslog#Facility
    #log		/dev/haproxy/log local1 notice	# notice - Error level. The whole list: emerg, alert, crit, err, warning, notice, info, debug
    log 	127.0.0.1 local2 
    chroot	/var/lib/haproxy	# Change the execution directory to protect against attacks. The folder is empty and there are no permissions.
    stats socket /run/haproxy/admin.sock mode 660 level admin 
    stats timeout 30s
    
# HAPROXY Immutable settings 
    user haproxy
    group haproxy 
    daemon 					# Run the process in the background

defaults
    log		global
    mode	http
    option	httplog
    option	dontlognull
	maxconn	256				# Maximum number of simultaneous connections. 
    
# Timeouts
    timeout connect 5000ms
    timeout client 50000ms
    timeout server 50000ms
    retries 2 				# retries before lowering server status

# Statistics
    stats enable
    stats hide-version
    stats realm Haproxy\ Statistics
    stats uri /haproxy		#here's a link to the statistics page
    stats auth stat:stat	#statistics page credentials
    option httpchk HEAD / HTTP/1.0

# Access settings 
    option redispatch		# Allows users to go to another server if the server their cookies refer to doesn't work
    balance source 			# Server selection algorithm

frontend frontend_pam
    bind *:443 ssl crt /etc/ssl/certs/haproxy.indeed-id.local.pem 	# Setting up the frontend interface with the path to the certificate of this server
    option forwardfor												# Pass the original client ip address to the server
    acl url_core path_beg /pam/core						#
    use_backend backend_core if url_core				 #
    acl url_idp path_beg /pam/idp						 #	
    use_backend backend_idp if url_idp  				 #	balancing rules
    acl url_mc path_beg /pam/mc							 #
    use_backend backend_mc if url_mc					 #
    acl url_uc path_beg /pam/uc							 #
    use_backend backend_uc if url_uc 					#

backend backend_core   
    option prefer-last-server           								# Attempt to reuse the same connection to the server
    option httpchk GET /pam/core/health 								# PAM web application availability check
    stick-table type string len 35 size 1m expire 1d    				# The setting required for communication between gateway and core, 
    stick on path,word(34,/) if { path_beg -i /pam/core/screencastScreencasts/ }  	# otherwise viewing the video stream will not work
    server srv1 192.168.48.21:443 ssl verify none check inter 1000ms fall 3	# Server names for HAProxy monitoring
    server srv2 192.168.48.22:443 ssl verify none check inter 1000ms fall 3	# 

backend backend_idp  
    option prefer-last-server           								# Attempt to reuse the same connection to the server
    option httpchk GET /pam/idp/            							# PAM web application availability check
    server srv1 192.168.48.21:443 ssl verify none check inter 5000ms	# Server names for HAProxy monitoring
    server srv2 192.168.48.22:443 ssl verify none check inter 5000ms	#

backend backend_mc
    option prefer-last-server											# Attempt to reuse the same connection to the server
    option httpchk GET /pam/mc/											# PAM web application availability check
    server srv1 192.168.48.21:443 ssl verify none check inter 5000ms	# Server names for HAProxy monitoring
    server srv2 192.168.48.22:443 ssl verify none check inter 5000ms	#

backend backend_uc  
    option prefer-last-server											# Attempt to reuse the same connection to the server
    option httpchk GET /pam/uc/											# PAM web application availability check
    server srv1 192.168.48.21:443 ssl verify none check inter 5000ms	# Server names for HAProxy monitoring
    server srv2 192.168.48.22:443 ssl verify none check inter 5000ms	#

Backtotop
Delay0
Distance250


Divbox
classrightFloat

Table of Contents
printablefalse