Issuing a certificate for IdP
Run PowerShell as administrator on any of the PAM servers and run the command:
New-SelfSignedCertificate -DnsName idp.domain.local -CertStoreLocation cert:\LocalMachine\My
The DNS name idp.domain.local does not matter and can be anything.
Export certificate for IdP
- Run the MMC snap-in on the server where the certificate was issued and select Computer certificates
- Go to the Personal section, open the context menu of the idp.domain.local certificate and select All Tasks - Export. The export must be done both with the private key and without the private key
Import certificate for IdP
- Transfer the exported certificates to the second PAM server
- Open the context menu of the .pfx file and select Install PFX, install the certificate to Local Machine\Personal store
- Open the context menu of the .crt file and select Install Certificate, install the certificate to Local Machine\Trusted Root Certification Authorities store. This item must be done for the first PAM server as well.
Configuring a certificate for IdP
Configuration is performed on all PAM servers.
- Start the MMC snap-in, open the context menu of the idp.domain.local certificate (Personal store) and select All Tasks - Manage Private Keys
- Click Add in the Security section
- Click Locations and select local computer
- Enter the pool name IIS AppPool\Indeed.idp and click Check Names
- Save your changes
Indeed PAM IdP configuration
Configuration is performed on all PAM servers.
- Start the MMC snap-in, open the idp.domain.local certificate (Personal store), click the Details tab
Find the Thumbprint item and copy its value
When copying, a non-printable character is always added to the beginning of the line, it must be removed! - Edit the file C:\inetpub\wwwroot\pam\idp\appsettings.json and specify the thumbprint value for the SigningCertificate parameter
- Restart IIS.
Configuring Indeed PAM configuration files
It is necessary to change all URLs in Indeed PAM configuration files (Core, Idp, MC, UC, Gateway, SSH Proxy), except those intended for working with Log Server. For example:
| Old URLs | New URLs |
|---|---|
| https://pam.domain.local/pam/core | https://haproxy.domain.local/pam/core |
| https://pam.domain.local/pam/idp | https://haproxy.domain.local/pam/idp |
| https://pam.domain.local/pam/mc | https://haproxy.domain.local/pam/mc |
| https://pam.domain.local/pam/uc | https://haproxy.domain.local/pam/uc |
HAProxy settings example
global
#log /dev/haproxy/log local0 # see https://en.wikipedia.org/wiki/Syslog#Facility
#log /dev/haproxy/log local1 notice # notice - Error level. The whole list: emerg, alert, crit, err, warning, notice, info, debug
log 127.0.0.1 local2
chroot /var/lib/haproxy # Change the execution directory to protect against attacks. The folder is empty and there are no permissions.
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
# HAPROXY Immutable settings
user haproxy
group haproxy
daemon # Run the process in the background
defaults
log global
mode http
option httplog
option dontlognull
maxconn 256 # Maximum number of simultaneous connections.
# Timeouts
timeout connect 5000ms
timeout client 50000ms
timeout server 50000ms
retries 2 # retries before lowering server status
# Statistics
stats enable
stats hide-version
stats realm Haproxy\ Statistics
stats uri /haproxy #here's a link to the statistics page
stats auth stat:stat #statistics page credentials
option httpchk HEAD / HTTP/1.0
# Access settings
option redispatch # Allows users to go to another server if the server their cookies refer to doesn't work
balance source # Server selection algorithm
frontend frontend_pam
bind *:443 ssl crt /etc/ssl/certs/haproxy.indeed-id.local.pem # Setting up the frontend interface with the path to the certificate of this server
option forwardfor # Pass the original client ip address to the server
acl url_core path_beg /pam/core #
use_backend backend_core if url_core #
acl url_idp path_beg /pam/idp #
use_backend backend_idp if url_idp # balancing rules
acl url_mc path_beg /pam/mc #
use_backend backend_mc if url_mc #
acl url_uc path_beg /pam/uc #
use_backend backend_uc if url_uc #
backend backend_core
option prefer-last-server # Attempt to reuse the same connection to the server
option httpchk GET /pam/core/health # PAM web application availability check
stick-table type string len 35 size 1m expire 1d # The setting required for communication between gateway and core,
stick on path,word(3,/) if { path_beg -i /pam/core/screencast/ } # otherwise viewing the video stream will not work
server srv1 192.168.48.21:443 ssl verify none check inter 1000ms fall 3 # Server names for HAProxy monitoring
server srv2 192.168.48.22:443 ssl verify none check inter 1000ms fall 3 #
backend backend_idp
option prefer-last-server # Attempt to reuse the same connection to the server
option httpchk GET /pam/idp/ # PAM web application availability check
server srv1 192.168.48.21:443 ssl verify none check inter 5000ms # Server names for HAProxy monitoring
server srv2 192.168.48.22:443 ssl verify none check inter 5000ms #
backend backend_mc
option prefer-last-server # Attempt to reuse the same connection to the server
option httpchk GET /pam/mc/ # PAM web application availability check
server srv1 192.168.48.21:443 ssl verify none check inter 5000ms # Server names for HAProxy monitoring
server srv2 192.168.48.22:443 ssl verify none check inter 5000ms #
backend backend_uc
option prefer-last-server # Attempt to reuse the same connection to the server
option httpchk GET /pam/uc/ # PAM web application availability check
server srv1 192.168.48.21:443 ssl verify none check inter 5000ms # Server names for HAProxy monitoring
server srv2 192.168.48.22:443 ssl verify none check inter 5000ms #
|