Indeed Identity PAM Core

All URLs are specified in lowercase.

JSON does not allow comments, so before saving the file delete every line that begins with the characters "//"; a file that still contains them will not parse and the component will fail to start.

Recycle the Indeed.PAM.Core application pool after every change to the configuration file. You can do this in the IIS Manager snap-in or with the PowerShell command

Restart-WebAppPool Indeed.PAM.Core

URL example: https://pam.domain.local/pam/core
pam.domain.local - the fully qualified DNS name of the management server

Go to the C:\inetpub\wwwroot\pam\core folder and edit the appsettings.json file. The file holds the SQL and Active Directory service account passwords, the API secret and the encryption key in clear text, so restrict its NTFS permissions to administrators and the application pool identity.
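The steps above (strip the "//" template comments, edit, recycle the pool) are easy to get wrong by hand, so here is an added PowerShell script that performs them with the checks an operator wants: it backs the file up, removes the comment lines, refuses to continue if the result is not valid JSON, warns about URLs that are not lowercase or not https, locks the file's ACL down, and only then recycles the pool. This is example code written for this page, not part of the Indeed Identity PAM distribution; it assumes the default path C:\inetpub\wwwroot\pam\core\appsettings.json, the pool name Indeed.PAM.Core and that the pool runs as ApplicationPoolIdentity (account "IIS AppPool\Indeed.PAM.Core").

```powershell
# Added example, not part of the Indeed Identity PAM distribution.
# Assumes the defaults used on this page: appsettings.json under
# C:\inetpub\wwwroot\pam\core and an application pool named Indeed.PAM.Core
# running as ApplicationPoolIdentity (account "IIS AppPool\Indeed.PAM.Core").
param(
    [string]$ConfigPath = 'C:\inetpub\wwwroot\pam\core\appsettings.json',
    [string]$AppPool    = 'Indeed.PAM.Core'
)

$ErrorActionPreference = 'Stop'
Import-Module WebAdministration

# 1. Keep a timestamped backup before touching the file.
$backup = "$ConfigPath.$(Get-Date -Format yyyyMMddHHmmss).bak"
Copy-Item -Path $ConfigPath -Destination $backup

# 2. Drop the "//" comment lines the template ships with; JSON does not allow them.
$lines = Get-Content -Path $ConfigPath
$clean = $lines | Where-Object { $_.TrimStart() -notmatch '^//' }
Set-Content -Path $ConfigPath -Value $clean -Encoding UTF8

# 3. Prove the result parses before the pool is restarted with it; roll back if not.
try {
    $cfg = ($clean -join "`n") | ConvertFrom-Json
} catch {
    Copy-Item -Path $backup -Destination $ConfigPath -Force
    throw "appsettings.json is not valid JSON after cleanup, backup restored: $_"
}

# Catch the usual editing mistakes: a section deleted by accident, a URL typed
# with capitals (the page requires lowercase) or left on plain http.
foreach ($section in 'ConnectionStrings','Database','Auth','Encryption','LogServer','ManagementConsole','UserCatalog') {
    if (-not $cfg.PSObject.Properties[$section]) { Write-Warning "Section '$section' is missing" }
}
foreach ($url in @($cfg.Auth.IdpUrls) + @($cfg.LogServer.Server.Url, $cfg.ManagementConsole.Url)) {
    if (-not $url) { continue }
    if ($url -cne $url.ToLowerInvariant()) { Write-Warning "URL is not lowercase: $url" }
    if ($url -notlike 'https://*')        { Write-Warning "URL is not https: $url" }
}

# 4. The file holds SQL, AD and API secrets plus the encryption key in clear text:
#    stop inheriting the wwwroot ACL and leave only SYSTEM, Administrators and
#    the pool identity (read-only) with access.
$acl = Get-Acl -Path $ConfigPath
$acl.SetAccessRuleProtection($true, $false)
$acl.Access | ForEach-Object { [void]$acl.RemoveAccessRule($_) }
$rules = @(
    @('NT AUTHORITY\SYSTEM',    'FullControl'),
    @('BUILTIN\Administrators', 'FullControl'),
    @("IIS AppPool\$AppPool",   'Read')
)
foreach ($r in $rules) {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($r[0], $r[1], 'Allow')))
}
Set-Acl -Path $ConfigPath -AclObject $acl

# 5. Apply the change.
Restart-WebAppPool -Name $AppPool
```

Run it from an elevated PowerShell session on the management server after each edit of appsettings.json. If the pool uses a custom service account instead of ApplicationPoolIdentity, pass that account in place of the "IIS AppPool\..." name.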

ConnectionStrings 

  • PamCore - IPAMCore database connection string
  • JobsQueue - IPAMJobs database connection string

Connection String parameters

  • Server - DBMS server name or named instance
  • Database - database name
  • User ID - account to use with the database
  • Password - account password

      "ConnectionStrings": {
        "PamCore": "Server=sql.domain.local;Database=IPAMCore;Integrated Security=False;User ID=IPAMSQLServiceOps;Password=password",
        "JobsQueue": "Server=sql.domain.local;Database=IPAMTasks;Integrated Security=False;User ID=IPAMSQLServiceOps;Password=password"
      }, 

    If using a named instance of Microsoft SQL Server, the Server parameter must be given in the form Server Name\Named instance. Because a backslash must be escaped in JSON, it is written as \\ in the file (the application reads it back as a single backslash):

    "PamCore": "Server=sql\\instance; ..."
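A connectivity check for the two connection strings above, added here as example code and not part of the Indeed Identity PAM distribution. It reads ConnectionStrings from appsettings.json (ConvertFrom-Json turns the JSON "sql\\instance" back into sql\instance, which is what SqlClient expects), opens each connection with the configured account, confirms it landed in the intended database, and warns if the service login is a SQL Server sysadmin, which it should not be for a least-privilege setup. It assumes Provider = mssql and the default file path from this page.

```powershell
# Added example, not part of the Indeed Identity PAM distribution.
# Assumes Database.Provider is "mssql" and the default path used on this page.
param([string]$ConfigPath = 'C:\inetpub\wwwroot\pam\core\appsettings.json')

$ErrorActionPreference = 'Stop'
Add-Type -AssemblyName System.Data

$cfg = Get-Content -Path $ConfigPath -Raw | ConvertFrom-Json

foreach ($name in 'PamCore', 'JobsQueue') {
    $raw = $cfg.ConnectionStrings.$name
    if (-not $raw) { Write-Warning "ConnectionStrings.$name is missing"; continue }

    # The builder parses the string into its parts; a named instance appears
    # here as DataSource = "sql\instance" after JSON unescaping.
    $b = New-Object System.Data.SqlClient.SqlConnectionStringBuilder($raw)
    Write-Host ("{0}: server={1} database={2} integrated={3}" -f $name, $b.DataSource, $b.InitialCatalog, $b.IntegratedSecurity)

    if (-not $b.IntegratedSecurity -and -not $b.Encrypt) {
        Write-Warning "$name: SQL login and password travel unencrypted; add Encrypt=True to the connection string"
    }

    $conn = New-Object System.Data.SqlClient.SqlConnection($b.ConnectionString)
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        # Which database did we actually land in, is the login a server admin,
        # and can it at least read the database it is meant to use?
        $cmd.CommandText = "SELECT DB_NAME() AS db, IS_SRVROLEMEMBER('sysadmin') AS sa, HAS_PERMS_BY_NAME(DB_NAME(), 'DATABASE', 'SELECT') AS can_read"
        $rd = $cmd.ExecuteReader()
        [void]$rd.Read()
        if ($rd['db'] -ne $b.InitialCatalog) { Write-Warning "$name: connected to $($rd['db']), expected $($b.InitialCatalog)" }
        if ($rd['sa'] -eq 1) { Write-Warning "$name: login $($b.UserID) is sysadmin; grant it rights only on $($b.InitialCatalog)" }
        if ($rd['can_read'] -ne 1) { Write-Warning "$name: login cannot read $($b.InitialCatalog)" }
        $rd.Close()
        Write-Host "$name: OK"
    } catch {
        Write-Warning "$name: connection failed: $($_.Exception.Message)"
    } finally {
        $conn.Dispose()
    }
}
```

Run it on the management server under an account that can read appsettings.json; a failure here means the component will fail in the same way after the pool is recycled, so it is cheaper to find out now.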

Database

Provider - DBMS provider

  • mssql - Microsoft SQL Server
  • pgsql - PostgreSQL, PostgreSQL Pro

Auth

  • IdpUrls - list of IDP URL addresses
  • ApiSecret - Secret for PAM Core component authentication

    1. Go to the Indeed.PAM\Misc\ConsoleApp folder of the distribution
    2. Run Command Prompt (CMD)
    3. Execute Pam.ConsoleApp.exe generate-secret
    4. The utility outputs a secret and its hash; ApiSecret takes the secret value, the hash is entered in the configuration of the component that validates the secret

  • PamGatewayIpAddresses - comma-separated IP addresses of the Indeed Identity PAM Gateway and SSH Proxy servers

      "Auth": {
        "IdpUrls": [ "https://pam.domain.local/pam/idp" ],
        "ApiSecret": "Nkq26+pScsle+rDZ4q77+bITcgFO1wKrCGBHa/EqsthQFn9p5K5TBHlEOJw1MGU1PVvjaNlWobxipvsAreQBNA==",
        "PamGatewayIpAddresses": "192.168.48.155, 192.168.48.202",
        "GatewayCertificateValidation": {
          "Enabled": false,
          "Filter": ""
        }
      },

Encryption

  • Algorithm - encryption algorithm
  • Key - encryption key

The encryption key is generated by the IndeedPAM.KeyGen.exe utility, which is part of the Indeed Identity PAM distribution and is located in its /Misc directory.

      "Encryption": {
        "Algorithm": "AES",
        "HashAlgorithm": "SHA512",
        "Key": "4258egk74n834rr93bf458813l7618wq7f1jei9a58915pk511z63n5j0svt1m1o8",
        "MediaFiles": {
          "Algorithm": "AES"
        }
      },

LogServer

  • Directory - temporary folder in which events are cached before being sent
  • Url - Log Server API URL address

      "LogServer": {
        "AppId": "pam",
        "Component": "server",
        "EventCache": {
          "Directory": "C:\\ILS",
          "SendingIntervalSec": 10
        },
        "Server": {
          "Url": "https://pam.domain.local/ls/api",
          "Certificate": {
            "Thumbprint": "",
            "FilePath": "",
            "FilePassword": ""
          }
        }
      },

ManagementConsole

  • Url - management console URL address

      "ManagementConsole": {
        "Url": "https://pam.domain.local/pam/mc"
      },

UserCatalog

  • ServerName - DNS name of the domain controller that performs the Global Catalog function
  • ContainerPath - distinguished name of the container or OU to be used as the Active Directory user directory
  • UserName - service account for working with the Active Directory user directory
  • Password - service account password

      "UserCatalog": {
        "RootProvider": "ad",
        "Providers": {
          "ActiveDirectory": [
            {
              "Id": "ad",
              "ServerName": "domain.local",
              "ContainerPath": "DC=domain,DC=local",
              "UserName": "IPAMADReadOps",
              "Password": "password",
              "UserMapRules": {
                "Settings": [
                  {
                    "Category": "person",
                    "Class": "user"
                  }
                ]
              }
            }
          ]
        }
      }
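The Auth, LogServer, ManagementConsole and UserCatalog sections each point at something outside this file that must exist and be reachable. The following added PowerShell script (example code for this page, not part of the Indeed Identity PAM distribution) reads those sections from appsettings.json and checks them: that IdpUrls, the Log Server URL and the management console URL are lowercase, https and answer on the network; that the EventCache directory exists and the pool identity can write to it; that a certificate referenced by thumbprint is present with its private key; and that the UserCatalog service account can bind to ContainerPath on ServerName and that the UserMapRules filter actually matches user objects. It assumes the default file path and that the pool runs as "IIS AppPool\Indeed.PAM.Core".

```powershell
# Added example, not part of the Indeed Identity PAM distribution.
# Assumes the default path from this page and a pool running as ApplicationPoolIdentity.
param(
    [string]$ConfigPath     = 'C:\inetpub\wwwroot\pam\core\appsettings.json',
    [string]$AppPoolAccount = 'IIS AppPool\Indeed.PAM.Core'
)
$ErrorActionPreference = 'Stop'
Add-Type -AssemblyName System.DirectoryServices

$cfg = Get-Content -Path $ConfigPath -Raw | ConvertFrom-Json

# --- URLs: lowercase, https, and answering on the network ---
$urls = @($cfg.Auth.IdpUrls) + @($cfg.LogServer.Server.Url, $cfg.ManagementConsole.Url)
foreach ($u in $urls) {
    if (-not $u) { continue }
    if ($u -cne $u.ToLowerInvariant()) { Write-Warning "URL must be lowercase: $u" }
    if (-not $u.StartsWith('https://')) { Write-Warning "URL is not https: $u" }
    try {
        $r = Invoke-WebRequest -Uri $u -Method Head -UseBasicParsing -TimeoutSec 10
        Write-Host "$u -> HTTP $($r.StatusCode)"
    } catch {
        # A 4xx still proves DNS and TLS work; no response at all does not.
        $resp = $_.Exception.Response
        if ($resp) { Write-Host "$u -> HTTP $([int]$resp.StatusCode)" }
        else       { Write-Warning "$u unreachable: $($_.Exception.Message)" }
    }
}

# --- LogServer event cache: the pool identity must be able to write there ---
$dir = $cfg.LogServer.EventCache.Directory
if (-not (Test-Path -LiteralPath $dir)) {
    New-Item -ItemType Directory -Path $dir | Out-Null
    Write-Host "created $dir"
}
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $AppPoolAccount, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl = Get-Acl -Path $dir
$acl.AddAccessRule($rule)
Set-Acl -Path $dir -AclObject $acl

# --- LogServer client certificate, if one is referenced by thumbprint ---
$tp = $cfg.LogServer.Server.Certificate.Thumbprint
if ($tp) {
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object Thumbprint -eq $tp
    if (-not $cert)                  { Write-Warning "certificate $tp not found in LocalMachine\My" }
    elseif (-not $cert.HasPrivateKey) { Write-Warning "certificate $tp has no private key" }
}

# --- UserCatalog: bind as the service account and run the UserMapRules filter ---
foreach ($ad in $cfg.UserCatalog.Providers.ActiveDirectory) {
    $path  = "LDAP://$($ad.ServerName)/$($ad.ContainerPath)"
    # Secure + Sealing: Kerberos/NTLM bind with signing and sealing, never a simple bind
    # that would put the service account password on the wire in clear text.
    $entry = New-Object System.DirectoryServices.DirectoryEntry(
        $path, $ad.UserName, $ad.Password,
        [System.DirectoryServices.AuthenticationTypes]'Secure,Sealing')
    try {
        [void]$entry.NativeObject     # forces the bind to happen now
    } catch {
        Write-Warning "provider $($ad.Id): bind to $path as $($ad.UserName) failed: $($_.Exception.Message)"
        continue
    }
    # Build the same objectCategory/objectClass filter the UserMapRules describe.
    $parts  = @($ad.UserMapRules.Settings | ForEach-Object { "(&(objectCategory=$($_.Category))(objectClass=$($_.Class)))" })
    $filter = if ($parts.Count -gt 1) { "(|$($parts -join ''))" } else { $parts[0] }
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($entry, $filter, [string[]]@('sAMAccountName'))
    $searcher.PageSize = 1000
    $n = $searcher.FindAll().Count
    Write-Host "provider $($ad.Id): $n user objects under $($ad.ContainerPath)"
    if ($n -eq 0) { Write-Warning "provider $($ad.Id): filter $filter matched nothing" }
}
```

Run it from an elevated session on the management server. A zero count from the UserCatalog check usually means ContainerPath is wrong or the service account cannot read the OU, both of which would otherwise only surface as an empty user list in the management console.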
