IIS
- Run IIS and switch to Default Web Site\pam
- Open the Configuration Editor from Management section
- Open the Section: drop-down list and select system.webServer\security\requestFiltering item
- Open the requestLimits item, set maxQueryString to 8192
- Click Apply in Actions section
- Switch to Default Web Site\pam\core
- Open the Configuration Editor from Management section
- Open the Section: drop-down list and select system.webServer\serverRuntime item
- Set uploadReadAheadSize to 1048576
- Click Apply in Actions section
Indeed PAM Core
All URLs are specified in lowercase. The json format does not allow comments in the file, so you must delete lines beginning with the characters "//" |
Switch to C:\inetpub\wwwroot\pam\core folder and edit appsettings.json file:
ConnectionStrings section
- PamCore - IPAMCore database connection string
- JobsQueue - IPAMTasks database connection string
Connection String parameters:
- Server - DBMS server name or named instance
- Database - Database name
- User ID - account to use with Database
Password - account password
"ConnectionStrings": { "PamCore": "Server=sql.domain.local;Database=IPAMCore;Integrated Security=False;User ID=IPAMSQLService;Password=password", "JobsQueue": "Server=sql.domain.local;Database=IPAMTasks;Integrated Security=False;User ID=IPAMSQLService;Password=password" },If using a Named Instance of Microsoft SQL Server, the value of the Server parameter must be specified in the Server Name\\Named instance format.
"PamCore": "Server=sql\\instance; ..."
Database section
Provider - DBMS provider
- mssql - Microsoft SQL Server
- pgsql - PostgreSQL, PostgreSQL Pro
Auth section
- IdpUrls - Indeed PAM IdP URL address
ApiSecret - Key for component authentication purposes
The key for the ApiSecret parameter is generated by the console utility Pam.ConsoleApp.exe
PamGatewayIpAddresses - Indeed PAM Gateway or SSH PROXY IP Addresses
"Auth": { "IdpUrls": [ "https://pam.domain.local/pam/idp" ], "ApiSecret": "aEB+UkZI3imDdp4xLHgHz/pxLZI9XEX4q6uI822/XfdPKaXJjfGrDVCH/u7SxVq3Os3GTFnfgkQc+AJBhmm4rQ==", "MediaDataUrlsSecret": "42C329CF-B932-46DE-83F5-0C302AE9E486", "PamGatewayIpAddresses": "192.168.48.155, 192.168.48.202", "GatewayCertificateValidation": { "Enabled": false, "Filter": "" } },
Encryption section
- Algorithm - encryption algorithm
Key - encryption key
The encryption key is generated by the IndeedPAM.KeyGen.exe utility, which is the part of the Indeed PAM distribution and is located in the /Misc directory.
"Encryption": { "Algorithm": "AES", "Key": "4258egk74n834rr93bf458813l7618wq7f1jei9a58915pk511z63n5j0svt1m1o8", "MediaFiles": { "Algorithm": "AES" } },
Features section
- AllowRevealAccountName - option for reveal the Account in the user console. If false, the Account names will not be revealed in the user console.
- AllowRevealCredentials - option for reveal the Password in the user console. If false, the password from Accounts will not be revealed in the user console..
LogServer section
- Directory - temporary folder for recording events
Url - Indeed Log Server API URL address
"LogServer": { "AppId": "pam", "Component": "server", "EventCache": { "Directory": "C:\\ILS\\Core", "SendingIntervalSec": 10 }, "Server": { "Url": "https://pam.domain.local/ls/api", "Certificate": { "Thumbprint": "", "FilePath": "", "FilePassword": "" } } },
UserCatalog section
- ServerName - is the DNS name of Domain Controller that performs Global Catalog function
- ContainerPath - is the Distinguished name of Container or OU to be used as Active Directory user directory
- UserName - service account for working with Active Directory user directory
Password - service account password
"UserCatalog": { "RootProvider": "ad", "Providers": { "ActiveDirectory": [ { "Id": "ad", "ServerName": "domain.local", "ContainerPath": "DC=domain,DC=local", "UserName": "IPAMManager", "Password": "password", "UserMapRules": { "Settings": [ { "Category": "person", "Class": "user" } ] } } ] } }