All URLs are specified in lowercase.

Switch to the C:\inetpub\wwwroot\pam\idp folder and edit the appsettings.json file:

ConnectionStrings:

  • Server - is the name of Microsoft SQL Server or its named instance
  • Database - is the name of the database (IPAMIdP)
  • User ID - is the service account to use with Indeed PAM databases
  • Password - is the password for that service account

    "ConnectionStrings": {
        "DefaultConnection": "Server=MSSQLServer;Database=IPAMIdP;Integrated Security=False;User ID=IPAMSQLService;Password=password"
    }

    If you are using a named instance of Microsoft SQL Server, the value of the Server parameter must be set in the format
    <server name>\\<instance name>.

    "ConnectionStrings": {
        "DefaultConnection": "Data Source=MSSQLServer\\Named instance; ..."
    }

Database section

In the Provider parameter, select the DBMS connection provider:

  • mssql - is for MS SQL Server
  • pgsql - is for PostgreSQL Pro

Example for PostgreSQL Pro:

    "Database": {
        "Provider": "pgsql"
    },

IdentitySettings section

  • AdminSids - is the SID of the user who gets access to the administrator console and the Roles management. If there are several such users, separate the SIDs with commas
  • IdpUrls - are Indeed PAM IdP URL addresses
  • Lang - is the user interface language of the component, set it to "en" value
  • GatewaySecret - Hash for client keys for additional authentication of Indeed PAM Gateway
  • ConsoleAppClientSecret - Hash for client keys for additional authentication of the Console App utility

    The hashes for the GatewaySecret, ConsoleAppClientSecret, SshProxyClientSecret, and CoreApiSecret parameters are generated by the console utility Pam.ConsoleApp.exe

  • SshProxyClientSecret - Hash for client keys for additional authentication of Indeed PAM SSH Proxy
  • CoreApiSecret - Hash for client keys for additional authentication of PAM Core

  • IdpApiSecret - Secret for client key of PAM IdP
  • Enable2FaCacheForClients - List of client IDs for which the 2nd factor caching will work
    List of available client IDs:
    • "console-app"
    • "ssh-proxy-app"
    • "pam-management-console"
    • "pam-user-console"
    • "pam-gateway"
    • "pam-remote-client"
  • SecondFaCacheLifetimeSeconds - 2nd factor caching time in seconds

      "IdentitySettings": {
          "AdminSids": [ "S-1-5-21-1487179672-2651565253-5257550508-0000", "S-1-5-21-1487179672-2651565253-5257550508-0001" ],
          "IdpUrls": [ "https://pam.domain.local/pam/idp" ],
          "Lang": "en",
          "SigningCertificate": "",
          "GatewaySecret": "oF/d7eb/qOKgJrb+uA/l/4BVI3/OI3q3Yxq6TsdcHuY=",
          "ConsoleAppClientSecret": "",
          "SshProxyClientSecret": "xAlrki/souxzqK4wrDf4P2AOiGCfV5sA8XdJbj53cAI=",
          "CoreApiSecret": "zuUOwHHOReDWDw4T/hYT/eMbe4wTEjqlVdmoxJQO1fI=",
          "IdpApiSecret": "yGJHfNmHT0EX5GidmZ0GxChcqWLPx8HxXAyefo8eUWb6azPnBZIhQ5J1twyA3S+fomKeJpYbxHgQqyRilGadWg==",
          "RemoteInstallerClientSecret": "",
          "Enable2FaCacheForClients": [ "pam-management-console" ],
          "SecondFaCacheLifetimeSeconds": 60
      },

Encryption section

  • Algorithm - data encryption algorithm in the IDP database
  • Key - data encryption key in the IDP database

      "Encryption": {
        "Algorithm": "AES",
        "Key": "3227cff10b834ee60ad285588c6510ea1b4ded5b24704cf644a51d2a9db3b7e5"
      },

PamSettings section

  • ManagementConsoleUrls - URL of Indeed PAM Management Console
  • UserConsoleUrls - URL of Indeed PAM User Console
  • CoreApiUrls - URL of Indeed PAM Core
  • SessionLifetime - maximum duration of a user session in seconds

    "PamSettings": {
        "ManagementConsoleUrls": [ "https://pam.domain.local/pam/mc" ],
        "UserConsoleUrls": [ "https://pam.domain.local/pam/uc" ],
        "CoreApiUrls": [ "https://pam.domain.local/pam/core" ],
        "SessionLifetime": 43200
    },

UserCatalog section

This section is required to search and add users to the Roles. It is filled in the same way as the similar section in the Pam Core settings.
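
A pre-deployment check for the file described above, as an added example that is not part of Indeed PAM or its documentation. It flags uppercase URLs, client IDs outside the list given for Enable2FaCacheForClients, and sample values copied from this page; the `audit` function, the domain-SID pattern and the 64-hex-character key format are assumptions of this example.

```python
import json
import re

# Client IDs this page lists as valid for Enable2FaCacheForClients.
KNOWN_CLIENTS = {"console-app", "ssh-proxy-app", "pam-management-console",
                 "pam-user-console", "pam-gateway", "pam-remote-client"}
# Sample values printed on this page; a deployment must not reuse them.
DOC_PASSWORD = "password"
DOC_KEY = "3227cff10b834ee60ad285588c6510ea1b4ded5b24704cf644a51d2a9db3b7e5"

def audit(settings):
    """Return a list of findings for a parsed IdP appsettings.json."""
    findings = []
    ident = settings.get("IdentitySettings", {})
    pam = settings.get("PamSettings", {})
    urls = list(ident.get("IdpUrls", []))
    for name in ("ManagementConsoleUrls", "UserConsoleUrls", "CoreApiUrls"):
        urls += pam.get(name, [])
    for url in urls:  # the page states that all URLs are lowercase
        if url != url.lower():
            findings.append("URL not lowercase: " + url)
    for client in ident.get("Enable2FaCacheForClients", []):
        if client not in KNOWN_CLIENTS:
            findings.append("unknown 2FA cache client: " + client)
    for sid in ident.get("AdminSids", []):
        # Assumption: administrators are domain accounts (S-1-5-21-<domain>-<RID>).
        if not re.fullmatch(r"S-1-5-21(-\d+){4}", sid):
            findings.append("AdminSids entry is not a domain SID: " + sid)
    conn = settings.get("ConnectionStrings", {}).get("DefaultConnection", "")
    fields = dict(p.strip().split("=", 1) for p in conn.split(";") if "=" in p)
    if fields.get("Password") == DOC_PASSWORD:
        findings.append("SQL password is the documentation sample")
    key = settings.get("Encryption", {}).get("Key", "")
    if key.lower() == DOC_KEY:
        findings.append("Encryption Key is the documentation sample")
    elif not re.fullmatch(r"[0-9a-fA-F]{64}", key):
        # Assumption: the key is 64 hex characters, as in the page's sample.
        findings.append("Encryption Key is not 64 hex characters")
    return findings

# Constructed input with deliberate mistakes, not a real deployment.
SAMPLE = json.loads(r"""{
  "ConnectionStrings": {"DefaultConnection":
    "Server=MSSQLServer\\PAM;Database=IPAMIdP;Integrated Security=False;User ID=IPAMSQLService;Password=password"},
  "IdentitySettings": {"AdminSids": ["S-1-5-32-544"],
    "IdpUrls": ["https://PAM.domain.local/pam/idp"],
    "Enable2FaCacheForClients": ["pam-management-console", "pam-console"]},
  "Encryption": {"Algorithm": "AES", "Key": "3227cff1"},
  "PamSettings": {"CoreApiUrls": ["https://pam.domain.local/pam/core"]}
}""")
```

Calling `audit(json.load(open(path)))` on the real file returns an empty list when none of these checks fire.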



