Prerequisites
This section covers:
PAM Server prerequisites
Before starting your deployment take note of the following prerequisites.
Prerequisite | Description |
---|---|
Hardware & Software | Ensure the correct resources are available before deploying. The following outlines the hardware and software requirements. |
Ports | Ensure TCP ports 443 and 9002 are open as they are required for the PAM UI and PAM Client. TCP 2379 (etcd, i.e. key-value store), 2380 (etcd, i.e. key-value store), 2390 (cluster setup API), 2391 (cluster delegation API), 5432 (postgres, i.e. database) For a full list of ports used by the server click here . |
Software downloads | The software installation package is supplied in Open Virtual Appliance (OVA) and Virtual hard disk (VHD) formats, ready for deployment into your existing virtual infrastructure. To download the latest software, click here. To cluster your servers you must use release version 7.0.0 or above. NOTE: SHA256 checksum is available to verify the integrity of the download. |
Licencing | Standalone/Leader A valid license file will be required during the system configuration step. If you don't have a license file contact Osirium. |
Additional prerequisites for clustering
Prerequisite | Description |
---|---|
Master Encryption Key | Ensure you have the Master Encryption Key (MEK) of the current PAM Server leader node. |
Cluster joining bundle | Ensure you have the cluster joining bundle of the current PAM Server leader node. |
Cluster sizing | PAM clusters must have a minimum of 2 nodes and a maximum of 7 nodes. |
Bidirectional port connectivity | Bidirectional port connectivity is required between each and every node and must be open before adding followers. The list of ports can be found here. Specifically, the clustering ports are TCP: 2379, 2380, 2390, 2391 and 5432. |
Network time protocol (NTP) | The clocks of all nodes must be within two seconds drift of each other. The PAM Server OVA is preconfigured with public ntp.org NTP servers but these can be changed to your internal corporate servers (if required) by clicking here. |
Node identifiers | Nodes are identified by their address which can either be a fully qualified domain name (FQDN) (i.e. clusterleader.companyABC.net) or an IP Address. Cluster nodes communicate with each other using their assigned address, therefore the address must be unique to allow a node to resolve the address of other nodes. If you wish to use FQDNs then the names must resolve to a local address on the node before the installation can continue. All nodes must be able to resolve all FQDNs of all other nodes. |
Server not NATted | If you wish to run nodes on premise and in the cloud, they must be able to communicate with each other bidirectionally using their given IP address (for example through a VPN) and not be NATted. |