| Warning | ||
|---|---|---|
| ||
With this type of installation you will install the components of management server and access server (SSH-Proxy or RDP-Proxy) on the one server. |
Preparation
Before you begin the installation, please read the preparation for installation section.
Certificates
Certificate of Certification Authority
Move the CA certificate to the distribution along the path:
indeedaxidian-pam-linux\state\ca-certificates
| Page properties | ||
|---|---|---|
| ||
|
Server Certificate
Move the server certificate to the distribution along the path:
indeedaxidian-pam-linux\state\certs
| Page properties | ||
|---|---|---|
| ||
|
vars
- Go to the folder
indeedaxidian-pam-linux\scripts\ansibleand open the filevars.yml. - Find the line # pfx_pass: "ENTER_HERE" and delete the # symbol.
- Instead of ENTER_HERE, specify the password for the server certificate and save the changes.
Flat Configuration File
- Go to the distribution folder.
- Change the config.json.template file extension from template to json.
- Make sure the file name is config.json.
Fill in the indicated fields in the configuration file:
| Code Block |
|---|
{
"DefaultServer": "TARGET_SERVER_FQDN", //to be filled out
"DefaultDbServer": "pgsql",
"DefaultDbUser": "admin",
"DefaultDbPassword": "Q1w2e3r4",
"IdpAdminSids": [
"AD_ADMIN_SID" // to be filled out
],
"CoreServiceStorageConfiguration": {
"Type": "FileSystem",
"Settings": {
"Root": "/mnt/storage"
}
},
"GatewayServiceStorageConfiguration": {
"Type": "FileSystem",
"Settings": {
"Root": "/mnt/storage"
}
},
"Database": "pgsql",
"LogServerUrl": "http://ls:5080/api",
"EncryptionKey": "3227cff10b834ee60ad285588c6510ea1b4ded5b24704cf644a51d2a9db3b7e5", //to be filled out
"ActiveDirectoryDomain": "AD_FQDN", //to be filled out
"ActiveDirectoryContainerPath": "USER_CONTAINER_DN", //to be filled out
"ActiveDirectoryUserName": "AD_SERVICE_USER_NAME", //to be filled out
"ActiveDirectoryPassword": "AD_SERVICE_USER_PASSWORD", //to be filled out
"ActiveDirectorySsl": false,
"IsLinux": true,
"ThreadPoolSize": 8,
"Enable2faByDefault": true,
"enableOrganizationalUnits": false
} |
Parameters:
- DefaultServer — FQDN name of the server, for example
server.domain.local.com. - DefaultDbServer — FQDN name of the database server, e.g. for example
server.domain.local.com. To install a pgsql with local docker image on a pilotfor simplified installation, you need to specifypgsql. - DefaultDbUser — database user. To install a pgsql with local docker image, you need to specify
admin. - DefaultDbPassword — password of the database user. To install a pgsql with local docker image, you need to specify
Q1w2e3r4. - IdpAdminSids — Administrator SID from Active Directory.
- CoreServiceStorageConfiguration — path to the media storage from where the Core component will read session artifacts.
- GatewayServiceStorageConfiguration — path to the media storage where session artifacts will be placed.
- Database — database type, for simplified installation use pgsqlspecify
pgsql. - LogServerUrl — URL address for accessing the LogServer component. Leave unchanged.
EncryptionKey — encryption key. You can use the key specified above.
Note It is recommended to generate a new database encryption key using the IndeedPAM AxidianPAM.KeyGen.exe utility, located at the path indeedaxidian-pam-tools\key-gen
- ActiveDirectoryDomain — DNS name of the domain, for example
domain.local.com. - ActiveDirectoryContainerPath — path to Active Directory users, for example
DC=indeedaxidian,DC=test. - ActiveDirectoryUserName — username for connecting to Active Directory.
- ActiveDirectoryPassword — user password for connecting to Active Directory.
- ActiveDirectorySsl — this parameter is responsible for selecting a connection via LDAPS.
- IsLinux — this parameter is responsible for applying default settings for Linux and Windows systems.
- ThreadPoolSize — total number of created threads in rdp-proxy. Leave unchanged.
- Enable2faByDefault — parameter responsible for requesting 2FA from users by default.
- enableOrganizationalUnits — parameter responsible for adding the Structure section to PAM.
An example of a completed config.json file:
| Code Block |
|---|
{
"DefaultServer": "pamserver.indeed.local", //to be filled out
"DefaultDbServer": "pgsql",
"DefaultDbUser": "admin",
"DefaultDbPassword": "Q1w2e3r4",
"IdpAdminSids": [
"S-1-5-21-2099084505-2851035876-2509165319-1112" //to be filled out
],
"CoreServiceStorageConfiguration": {
"Type": "FileSystem",
"Settings": {
"Root": "/mnt/storage"
}
},
"GatewayServiceStorageConfiguration": {
"Type": "FileSystem",
"Settings": {
"Root": "/mnt/storage"
}
},
"Database": "pgsql",
"LogServerUrl": "http://ls:5080/api",
"EncryptionKey": "3227cff10b834ee60ad285588c6510ea1b4ded5b24704cf644a51d2a9db3b7e5", //to be filled out
"ActiveDirectoryDomain": "indeed.local", //to be filled out
"ActiveDirectoryContainerPath": "OU=PAMUsers,DC=indeed,DC=local", //to be filled out
"ActiveDirectoryUserName": "IPAMADReadOps", //to be filled out
"ActiveDirectoryPassword": "!Q2w3e$R", //to be filled out
"ActiveDirectorySsl": false,
"IsLinux": true,
"ThreadPoolSize": 8,
"Enable2faByDefault": true,
"enableOrganizationalUnits": false
} |
Installation
- Move the indeedaxidian-pam-linux distribution folder to the target Linux resource
If CIS Benchmark Docker security settings are applied, then run the installation script with the command:
Code Block language bash sudo bash run-deploy.sh
If CIS Benchmark Docker security settings are not applied, then run the installation script with the command:
Code Block language bash sudo bash run-deploy.sh --bench-skip- At the Enter target IP step press Enter
- When prompted, enter your local sudo user name (for example, root) and password
- Wait until the installation is complete
| Info |
|---|
If the script aborted with an error, send the log file to technical support. |
| Divbox | ||||
|---|---|---|---|---|
| ||||
|