The installation with balancing includes installation of multiple management servers and access servers (SSH-Proxy or RDP-Proxy) on different servers.


Before you begin the installation, prepare the configuration files.

Inventory

  1. Go to the axidian-pam-linux distribution folder and rename the inventory.template file to inventory.
  2. Edit the inventory file:
    1. In the managment section, specify the FQDN address of the management server, in the access section, specify the FQDN address of the SSH Proxy access server.
    2. or all of the servers except the local one, add the following line: remote_ssh_user=root ansible_ssh_password=123 ansible_become_password=123
      1. remote_ssh_user=root username for remote connection to the resource
      2. ansible_ssh_password=123 user password for remote connection to the resource
      3. ansible_become_password=123 user password for remote connection to the resource
    3. Uncomment the last two lines of the file.
    4. In the all:vars section, set server_fqdn= to the Axidian Privilege name.
    5. Comment out all fields that have not been changed and save.
# NOTE: To access docker host use local.docker name instead of localhost

[management]
pammng1.test.local
pammng2.test.local remote_ssh_user=root ansible_ssh_password=123 ansible_become_password=123

[access]
pamgtw1.test.local remote_ssh_user=root ansible_ssh_password=123 ansible_become_password=123
pamgtw2.test.local remote_ssh_user=root ansible_ssh_password=123 ansible_become_password=123

#[haproxy]
#HAPROXY_SERVER_FQDN_OR_IP

#[rds]
#RDS_SERVER_FQDN_OR_IP

# Use this section to override vars
[all:vars]
server_fqdn=pammng.test.local

Configuration Files

Unzip the downloaded configuration files and move the extracted folders to axidian-pam-linux\state.

Certificates

Certification Authority Certificate

Move the CA certificate along the path axidian-pam-linux\state\ca-certificates.


 

Server Certificates

  1. Go to axidian-pam-linux\state\certs and create a separate folder for each of the management server. Name each of the folders with the FQDN name of the management server.


  2. Move the management server certificates to the folders corresponding to the management servers.


  3. Go to axidian-pam-linux\state\keys\rdp-proxy and create a separate folder for the access server. Name each of the folders with the FQDN name of the access server.


  4. Move the access server certificate to the folder corresponding to the access server.


vars

  1. Go to axidian-pam-linux\scripts\ansible and open the file vars.yml.
  2. In the # pfx_pass: "ENTER_HERE" line remove the # symbol.
  3. Instead of ENTER_HERE, specify the password for the certificates.
  4. Save.

Installation

  1. Move the distribution to the target Linux resource.

  2. If CIS Benchmark Docker security settings are applied, then run the installation script with the command:

    sudo bash run-deploy.sh

    If CIS Benchmark Docker security settings are not applied, then run the installation script with the command:

    sudo bash run-deploy.sh -bench-skip


  3. When prompted, enter your local sudo username (for example, root) and password.
  4. Wait for the installation to finish.


If the script aborted with an error, send the log file to technical support.

Components Restarting

Management Server

  1. Go to the /etc/indeed/indeed-pam folder.
  2. Restart Axidian Privilege management server components using the following commands:

    1. Restarting all of the components:

      sudo docker compose -f docker-compose.management-server.yml down
sudo docker compose -f docker-compose.management-server.yml up -d

      or

      sudo docker-compose -f docker-compose.management-server.yml down
sudo docker-compose -f docker-compose.management-server.yml up -d


    2. Restarting a specific component:

      sudo docker compose -f docker-compose.management-server.yml up -d <Имя компонента> --force-recreate

      or

      sudo docker-compose -f docker-compose.management-server.yml up -d <Имя компонента> --force-recreate


    3. Example of restarting the Axidian Privilege Core component:

      sudo docker compose -f docker-compose.management-server.yml up -d core --force-recreate

      or

      sudo docker-compose -f docker-compose.management-server.yml up -d core --force-recreate


Access Server

  1. Go to the /etc/indeed/indeed-pam folder.

  2. Restart Axidian Privilege access server components using the following commands:

    sudo docker compose -f docker-compose.access-server.yml down
sudo docker compose -f docker-compose.access-server.yml up -d

    or

    sudo docker-compose -f docker-compose.access-server.yml down
sudo docker-compose -f docker-compose.access-server.yml up -d