
System configuration

The System configuration page provides information relating to Osirium PAM and allows you to configure a number of different settings.

The following tabs are available:

System Config tabs

Licencing tab

The licencing page provides an overview of the licence you have bought and the features that have been activated as part of your licence.

It helps you track your current usage against your licence limits and identify when you need to upgrade those limits.

Licencing tab

The following information is presented in the page:

Product usage
  Osirium PAM version: The version that has been installed and is currently running.
  Users: Displays the total number of created user accounts against the total number of allowed user accounts. The support account and the first superadmin account are not included in this count.
  Devices: Displays the total number of provisioned devices managed by Osirium PAM against the total number of allowed devices. The PAM Server device is not included in this count.
  MAP servers: Displays the total number of provisioned MAP Servers used with Osirium PAM against the total number of allowed MAP Servers.
  Cluster nodes: Displays the total number of provisioned cluster nodes against the total number of allowed cluster nodes.

Enabled features
  Any additional features purchased will be listed here.

Active licence(s)
  Licencee: Name of the organisation or individual to which the licence has been assigned.
  Expiry: The date/time the licence is due to expire.

Note

When a licence is within 30 days of expiry a countdown warning message will appear in the banner on the Admin Interface.

When a licence has expired, Osirium PAM will only be fully functional until midday on the following day.

After this period the only access will be to the Admin Interface and the product licencing upload page.

Uploading a licence

To load a new licence:

  1. Click the Load new licence button. A Question window opens.

  2. Click Yes to proceed.

  3. Within the Upload licence window, click Choose File.

    Upload Licence

  4. Within the File upload page navigate to and select a valid Osirium PAM licence file. For further details on how to upload a file see Uploading a file.

  5. Within the Upload licence window, click Upload. The new licence file is loaded and the licencing information is updated to reflect any changes.

Certificates tab

By default, Osirium PAM provides a generic certificate to allow secure web connections to the UI and Admin Interface. On this page you will see information about the current certificate that is being used.

We recommend that you upload a trusted certificate valid within your organisation.

For information on how to enable the Admin Interface at /admin, see Enable Admin Interface at /admin below.

Certificates tab

Upload a certificate

To upload a new certificate:

  1. On the Certificates tab, click Load new certificate. The Upload TLS Certificate window appears.

    Upload Certificate

  2. In the Upload TLS Certificate window, upload your trusted certificate and an RSA Private key. For further details on how to upload a file see Uploading a file.

  3. Click Upload. The certificate is uploaded.

Fingerprints tab

Fingerprints help guard against man-in-the-middle attacks on devices, in which attackers can secretly redirect network traffic between Osirium PAM and the device to monitor and manipulate the flow of information.

Fingerprints tab

When a device is deployed on Osirium PAM, a fingerprint is generated which Osirium PAM associates with the device. When connecting, Osirium PAM checks that the fingerprint of the device matches the fingerprint Osirium PAM associated with that device. By default, if the device fingerprint is not approved, Osirium PAM notes the discrepancy in the Logs page, but does not block the connection.

Connection fingerprint enforcement behaviour

If you want Osirium PAM to block connections to devices with unapproved fingerprints, you can configure the Connection fingerprint enforcement behaviour.

To configure the Connection fingerprint enforcement behaviour:

  1. On the table, click the Edit pencil icon for Connection fingerprint enforcement behaviour. The Edit entry window appears.

    Edit entry value

  2. From the Value drop-down, select one of the following options.

    Log only
      - Osirium PAM allows connections to devices with unapproved fingerprints.
      - Connection details are logged in the Logs page on the Key Verifier tab.
    Block
      - Osirium PAM blocks connections to devices with unapproved fingerprints.
      - Users attempting the connection receive an error message.
      - Connection details are logged in the Logs page on the Key Verifier tab.
  3. Click Save. The Connection fingerprint enforcement behaviour value is applied.

Fingerprints table

The Fingerprints table allows you to select fingerprints to associate with designated devices. The following details are available:

Device: Provisioned device on your PAM Server.
Tool: Tool the fingerprint is attached to.
Approved: If selected, the fingerprint is associated with the corresponding device. If deselected, the fingerprint is not associated with the corresponding device. You can configure the PAM Server to block connections to devices with unapproved fingerprints using the Connection fingerprint enforcement behaviour above.
Fingerprint: The fingerprint generated for the device. The PAM Server generates fingerprints from the device SSH key or certificate.
Last seen at: The last time the PAM Server connected to, or ran a task on, the device.
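The check described above (fingerprint derived from the device SSH key, compared with the approved one, and a mismatch either logged or blocked depending on the enforcement behaviour) as an added illustration. This is not Osirium's code: the key lines are constructed samples, and the fingerprint format assumed is the OpenSSH SHA256 style.

```python
import base64
import hashlib
import struct
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Enforcement(Enum):
    """The two values of 'Connection fingerprint enforcement behaviour'."""
    LOG_ONLY = "Log only"
    BLOCK = "Block"


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 big-endian length + payload)."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_key_line(raw_key: bytes, comment: str) -> str:
    """Build a constructed OpenSSH public-key line around 32 raw key bytes (sample data only)."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw_key)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def public_key_fingerprint(key_line: str) -> str:
    """Return the OpenSSH-style SHA256 fingerprint of a 'type base64 [comment]' public-key line."""
    key_type, b64, *_ = key_line.split()
    blob = base64.b64decode(b64)
    # The blob embeds the key type as its first wire string; refuse lines where it disagrees.
    type_len = struct.unpack(">I", blob[:4])[0]
    if blob[4:4 + type_len] != key_type.encode():
        raise ValueError("key type in line does not match the encoded key blob")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


@dataclass
class KeyVerifier:
    """Approved-fingerprint table plus the enforcement behaviour applied to mismatches."""
    enforcement: Enforcement = Enforcement.LOG_ONLY
    approved: Dict[Tuple[str, str], str] = field(default_factory=dict)  # (device, tool) -> fingerprint
    key_verifier_log: List[str] = field(default_factory=list)          # stands in for the Key Verifier tab

    def approve(self, device: str, tool: str, key_line: str) -> str:
        """Record the fingerprint seen at provisioning as the approved one for this device/tool."""
        fp = public_key_fingerprint(key_line)
        self.approved[(device, tool)] = fp
        return fp

    def check_connection(self, device: str, tool: str, presented_key_line: str) -> bool:
        """Compare the key presented on connect with the approved fingerprint.

        Returns True if the connection may proceed. A mismatch is always logged; it is
        refused only when the behaviour is Block.
        """
        presented = public_key_fingerprint(presented_key_line)
        expected: Optional[str] = self.approved.get((device, tool))
        if expected == presented:
            return True
        self.key_verifier_log.append(
            f"{device}/{tool}: unapproved fingerprint {presented} "
            f"(approved: {expected or 'none'}, behaviour: {self.enforcement.value})"
        )
        return self.enforcement is Enforcement.LOG_ONLY


# Constructed sample keys: the key a device presented at provisioning, and a different one
# presented later, as would happen after a key rotation or a man-in-the-middle interception.
PROVISIONED_KEY = make_ed25519_key_line(bytes(range(32)), "constructed-device-key")
DIFFERENT_KEY = make_ed25519_key_line(bytes(range(32, 64)), "constructed-other-key")


def demo() -> Tuple[bool, bool, int]:
    """Exercise both behaviours; returns (log-only result, block result, log entries written)."""
    verifier = KeyVerifier()
    verifier.approve("fw01", "SSH", PROVISIONED_KEY)
    assert verifier.check_connection("fw01", "SSH", PROVISIONED_KEY)          # matching key: silent
    log_only_result = verifier.check_connection("fw01", "SSH", DIFFERENT_KEY)  # allowed, logged
    verifier.enforcement = Enforcement.BLOCK
    block_result = verifier.check_connection("fw01", "SSH", DIFFERENT_KEY)     # refused, logged
    return log_only_result, block_result, len(verifier.key_verifier_log)


if __name__ == "__main__":
    print(demo())
```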

Clustering tab

On the clustering tab you will find information related to your clustered environment.

Clustering tab

Nodes
  Number of nodes: Includes the leader and all followers.
  Addresses: FQDN or IP address of all the nodes in the cluster.

Leader's address
  Address of the PAM Server that is the leader of the cluster.

Local address
  Address of the PAM Server you are logged into.

Local role
  The role (leader or follower) of the PAM Server you are logged into within the cluster.

Node status
  Database provides a status of the database for the PAM Server you are connected to based on the following:

  - Standalone: this PAM Server is operating as a standalone and therefore a cluster with a single node for which it is the leader. A standalone PAM Server can be configured to use the clustering feature by adding additional nodes using the cluster joining bundle. The correct licence will be required to enable clustering.

  - Clustered: there is more than one PAM Server, with a minimum of a leader node and a follower node. Data is replicated between the nodes.

  - Unknown: the cluster service is unable to retrieve data from the back-end services of this node.

  Key-Value store provides a status on the accessibility of node related data and provides a status based on the following:

  - Standalone: this PAM Server is operating as a standalone and therefore a cluster with a single node for which it is the leader. A standalone PAM Server can be configured to use the clustering feature by adding additional nodes using the cluster joining bundle. The correct licence will be required to enable clustering.

  - Clustered: there is more than one PAM Server, with a minimum of a leader node and a follower node. The node will make a connection to each node in the cluster to access specific data.

  - Unknown: the cluster service is unable to retrieve data from the back-end services of this node.

Cluster status
  This section relates to the state of your entire cluster. The following states will be displayed based on the response received from the checks carried out by the cluster service:

  Database provides a status of the database for each node in the cluster. Each node subscribes to every other node, and each node then publishes its database tables to the subscribers. Each subscriber is notified when a change occurs on a node and receives the updates. This ensures configuration data is synchronised and kept up to date between all the nodes.

  The status is assigned as follows:

  - Healthy: each node in the cluster can be contacted successfully.

  - Partitioned: the local node is considered as having issues.

  - Degraded: this node is unable to stream to a node. This could be due to network issues or the node being taken offline.

  Key-Value store provides a status on the accessibility of node related data for each node in the cluster. The cluster service connects to each node in the cluster and a status is assigned as follows:

  - Healthy: each node in the cluster can be contacted successfully.

  - Partitioned: the local node is considered as having issues.

  - Degraded: other nodes in the cluster are not contactable. This could be due to network issues or issues with services on the node itself.

Cluster joining bundle

The cluster joining bundle is required during the setup and configuration phase of the installation process and only available for download from the cluster leader node.

The bundle should only be downloaded when required, as it is only valid for 24 hours from the time of download or until the next bundle is downloaded.

A separate cluster joining bundle is required to join a PAM Server follower node to an existing cluster. The cluster joining bundle contains the following:

  • Configured address of the cluster leader node during installation (IP address or FQDN).
  • Client certificate that is used to identify and verify the connection between the leader node and the follower node. The certificate is revoked once the identification has been made.
  • Public half of the certificate authority so that the cluster may trust it.
  • Ability to generate a new certificate which contains the cryptographic keys signed by the certificate authority on the node joining the cluster.

Note

If you are configuring the node address using an IP address, ensure that DNS A records have been created.

NTP is recommended to ensure the clocks are synchronised for certificate times.

Clustering tab

Promoting a node to a leader

The Set cluster leader button allows you to promote an existing follower node within your cluster to take on the role of leader.

To promote a follower to leader:

  1. Log onto the follower node using the UI.

  2. Open up the Admin Interface.

  3. Click System configuration from the left-hand menu.

  4. Within the System configuration page, click the Cluster tab.

  5. Select the Set cluster leader button.

    Cluster promotion question

  6. Within the Question window, click Yes to continue with the promotion to leader.

    Cluster promotion question

  7. An API call is made to the cluster service. If contact is made successfully, the following happens:

    • Demoted leader node: write permission is dropped to read-only and status changed to follower node.
    • Promoted follower node: write permission is restored, the database is updated to match the demoted leader's database and status changed to leader node.
    • All other nodes: will be updated to ensure they know who the new leader is.

    Note

    If the node fails to contact the cluster service the promotion to leader will fail and an error message will be displayed.

    Cluster promotion failure

  8. Refresh your Admin Interface browser window to see the updates.

    Osirium Cluster Leader

System settings tab

The following can be configured on the System settings tab:

System settings tab

Enable Admin Interface at /admin

The Admin Interface at /admin feature allows you to log directly into the Admin Interface through a browser session.

Note

A UI is still required to single sign-on to devices and to run device tasks.

To enable the Admin Interface at /admin login:

  1. On the System settings tab, click the Edit pencil icon for Enable Admin Interface at /admin. The Edit entry window appears.

  2. On the Edit entry window, select Enabled.

  3. Click Save. Admin Interface at /admin is now enabled.

    Note

    For more information, see Upload a Certificate.

To use the Admin Interface at /admin login:

  1. In a browser, enter the PAM Server HTTPS IP address followed by /admin and press ENTER.

    For example, 123.123.1.1/admin.

  2. In Osirium PAM Login window, enter the login information:

    Username/Password: Depending on the configuration of your Osirium PAM, either enter your Osirium PAM local account details or your existing external authentication details (Active Directory or RADIUS).
    Token code: If multi-factor authentication has been configured, your Superadmin will provide you with a token code to enter. Only after successful verification of both the password and token code will you be logged in.

  3. Click Login. The Admin Interface appears.

Support account

The support account (osirium_support) is a PAM Server Ubuntu server administrative account. It is created during the installation of the PAM Server. This account is useful if you are unable to access the Admin Interface and want to troubleshoot issues through the command line.

By default the account is disabled and has no password set.

Note

It should always be enabled and a password set when upgrading or carrying out a system restore.

To enable:

  1. Click on the Edit pencil next to Support account (User name: osirium_support).

    Support Acc

  2. Check the Enabled box and type in a password.

    Support Acc enable window

  3. Click Save.

    Support Acc Set

PAM Server local password policy

If you are creating users that will be authenticated by Osirium PAM, this setting allows you to define a password policy that enforces greater complexity and stronger authentication for the passwords set on user accounts. Only passwords that meet the policy are accepted, ensuring every password satisfies the required criteria.

Note

This will not apply to externally authenticated Active Directory or RADIUS users.

To configure:

  1. To the right of PAM Server password policy, click the Edit pencil icon.

    Local Password policy

  2. Set the appropriate policy using the fields described below.

    Password policy window

    Invalid Characters: Enter any characters you don't want used in a password. Any password containing these characters will be disallowed.
    Minimum Length: The password must be equal to or greater than the minimum length set.
    Maximum Length: The password must be less than or equal to the maximum length set. If set to 0, the password will not expire.
    Require Letters and Numbers: If true (tickbox checked), the password must contain both letters and numbers.
    Password Retries: The user will be locked if an incorrect password is entered this many times. If set to 0, the user will be allowed infinite retries to enter their password.
    Unlock time (In Seconds): Time the user will have to wait before the account is automatically unlocked.
    Maximum Password Age (In Days): From the moment a password is changed, it starts aging. When the maximum age is exceeded, the user will be forced to change their password at next logon.
    Password Must Differ From The Last N: When the user sets a new password, it must be different from the last N passwords they have used. If left as the default 0, the password does not have to differ from any passwords used before.

  3. Click Save.
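The fields above, expressed as a policy check and the lockout, unlock-time and ageing rules that go with it. This is an added example, not Osirium's implementation: the policy values and password history are constructed, and treating a Maximum Length of 0 as "no upper bound" is an assumption.

```python
import time
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class PasswordPolicy:
    """Mirror of the fields in the PAM Server local password policy window."""
    invalid_characters: str = ""
    minimum_length: int = 0
    maximum_length: int = 0              # assumption: 0 means no upper bound
    require_letters_and_numbers: bool = False
    password_retries: int = 0            # 0 = unlimited attempts before lockout
    unlock_time_seconds: int = 0
    maximum_password_age_days: int = 0   # 0 = passwords never age out
    must_differ_from_last_n: int = 0     # 0 = reuse of earlier passwords is permitted

    def violations(self, candidate: str, previous_passwords: List[str]) -> List[str]:
        """Return every rule the candidate breaks (an empty list means it is acceptable).

        previous_passwords is the user's history, newest last. A real store would keep
        hashes and compare hashes; plaintext is used here only to keep the example short.
        """
        problems: List[str] = []
        bad = "".join(sorted({c for c in candidate if c in self.invalid_characters}))
        if bad:
            problems.append(f"contains invalid character(s): {bad!r}")
        if len(candidate) < self.minimum_length:
            problems.append(f"shorter than minimum length {self.minimum_length}")
        if self.maximum_length and len(candidate) > self.maximum_length:
            problems.append(f"longer than maximum length {self.maximum_length}")
        if self.require_letters_and_numbers and not (
            any(c.isalpha() for c in candidate) and any(c.isdigit() for c in candidate)
        ):
            problems.append("must contain both letters and numbers")
        if self.must_differ_from_last_n and candidate in previous_passwords[-self.must_differ_from_last_n:]:
            problems.append(f"matches one of the last {self.must_differ_from_last_n} passwords")
        return problems


@dataclass
class AccountState:
    """Per-user counters that the retry, unlock-time and maximum-age rules operate on."""
    password_changed_at: float
    failed_attempts: int = 0
    locked_at: Optional[float] = None


def is_locked(policy: PasswordPolicy, acct: AccountState, now: float) -> bool:
    """True while a lockout is in force; the lock clears itself once the unlock time has elapsed."""
    if acct.locked_at is None:
        return False
    if now - acct.locked_at >= policy.unlock_time_seconds:
        acct.locked_at = None
        acct.failed_attempts = 0
        return False
    return True


def record_failed_login(policy: PasswordPolicy, acct: AccountState, now: float) -> bool:
    """Count a wrong password; returns True if this attempt triggered a lockout."""
    acct.failed_attempts += 1
    if policy.password_retries and acct.failed_attempts >= policy.password_retries:
        acct.locked_at = now
        return True
    return False


def password_expired(policy: PasswordPolicy, acct: AccountState, now: float) -> bool:
    """True when the password is older than the maximum age, forcing a change at next logon."""
    if not policy.maximum_password_age_days:
        return False
    return now - acct.password_changed_at > policy.maximum_password_age_days * 86400


# Constructed policy values and history, chosen to exercise every field.
SAMPLE_POLICY = PasswordPolicy(invalid_characters=" £", minimum_length=12, maximum_length=64,
                               require_letters_and_numbers=True, password_retries=3,
                               unlock_time_seconds=300, maximum_password_age_days=90,
                               must_differ_from_last_n=5)
SAMPLE_HISTORY = ["Summer2023pw!", "Autumn2023pw!", "Winter2023pw!"]


def demo() -> dict:
    """Run the policy against constructed candidates and a three-strike lockout sequence."""
    results = {
        "no_digits": SAMPLE_POLICY.violations("correcthorsebattery", SAMPLE_HISTORY),
        "reused": SAMPLE_POLICY.violations("Winter2023pw!", SAMPLE_HISTORY),
        "acceptable": SAMPLE_POLICY.violations("Spring2024pw!", SAMPLE_HISTORY),
    }
    now = time.time()
    acct = AccountState(password_changed_at=now - 91 * 86400)   # changed 91 days ago
    results["expired"] = password_expired(SAMPLE_POLICY, acct, now)
    results["locked_on_third"] = [record_failed_login(SAMPLE_POLICY, acct, now) for _ in range(3)]
    results["still_locked_after_60s"] = is_locked(SAMPLE_POLICY, acct, now + 60)
    results["unlocked_after_300s"] = not is_locked(SAMPLE_POLICY, acct, now + 300)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```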

Enable pass-through

The pass-through feature allows users to single sign-on to devices using personalised accounts that preexist on the device. When a user logs onto the UI their credentials (username/password) are cached and encrypted to an instance on the PAM Server.

Then, when the user connects to a device which has been configured to use an access level of pass-through (see Creating a New Profile), the cached credentials are used to single sign-on to the device.

Note

Cached pass-through credentials are saved as case sensitive. To ensure successful pass-through, the username/password must match the user's preexisting device account (username/password).

When a user logs out or disconnects from the UI, their credentials are removed from the cache. Also, if the PAM Server is restarted (specifically the userauth service) all cached pass-through credentials are removed.

The pass-through feature is Enabled as default which means all user credentials will be cached when logged onto the UI.

If this feature is Disabled at any time, profiles that have devices with pass-through access levels will show as greyed out in the UI for all users in the profile.

To change the setting:

  1. Click on the Edit pencil icon.

    Enable pass-through

  2. Check or uncheck the Enabled box as per the setting required.

    Edit entry window

  3. Click Save.

Debug task logging

If you want more detailed debug messages from your PAM Server you can turn on the debug logging level. It can be helpful and provide more clues if you come across issues.

When enabled, the debug logging messages will be available on the System configuration > Logs page on the Admin Interface.

To enable:

  1. Click on the Edit pencil icon.

    Debug Task Logging

  2. Check the Enabled box.

    Edit entry window

  3. Click Save.

Debug API logging

If you require more detailed messaging and logging of the API function then you can turn on the debug level for the API. It can be helpful and provide more clues if you come across issues.

To enable:

  1. Click on the Edit pencil icon.

    Debug API Logging

  2. Check the Enabled box.

    Edit entry window

  3. Click Save.

Debug UI logging

If you require more detailed messaging and logging of the UI you can turn on the debug level for the UI. It can be helpful and provide more clues if you come across issues.

To enable:

  1. Click on the Edit pencil icon.

    Debug UI Logging

  2. Check the Enabled box.

    Edit entry window

  3. Click Save.

External filestore

We recommend that you attach an external filestore to avoid disk space issues and to hold some of the larger files. This will ensure that the internal disk does not fill up too quickly allowing for a smoother running of system services and tasks.

Enabling and attaching a filestore will allow your PAM Server to save the following files directly onto the attached filestore:

  • Backups.
  • Techouts.
  • Session recordings.
  • Session archives if configured.

To add an external filestore:

  1. Firstly, you will need to add a virtual hard drive to your PAM Server which should be done in accordance with your company policy.

  2. Click on the Edit pencil icon.

    Use external filestore

  3. Check the Enabled box.

    Edit entry window

  4. Click Save. Osirium PAM will now partition, format and map to the external drive. Once successfully mapped, the disk usage bar on the Manage files page will be updated and display both the internal and external disks.

    From here you can monitor your disk status to manage your storage levels and take precautions if your disk space is getting full.

    Note

    The external filestore may take a little time to appear on Admin Interface, depending on the size of the disk that is being configured.

    External disk on Manage files page

Scheduled session archive

If you are session recording all your users on a daily basis then you will be creating a lot of recorded files on your system. This setting will allow you to manage the recordings being saved and help you with archiving the older session recordings for storage and backup.

Implementing a scheduled archive of session recordings will also allow you to manage disk space on your system or external disk. The schedule is based on the age of the recording and will automatically be archived when they reach the age limit set.

When a scheduled session archive setting has been configured it will:

  • Run the Archive Session task every day at midnight and archive any UI sessions that are older than the age (days) set.

    When a session has been archived it will be marked as archived on the Device access report page on the PAM UI sessions section.

  • Store the archived file in the filestore. Will default to the external filestore if one has been configured.

  • List the archived session file on the Manage files page from where it can be downloaded.

  • Copy the archived file to a remote backup server if one has been configured. See Remote Backup Server Configuration.

  • Delete the session recordings from the Osirium PAM filestore and database once successfully archived.

To configure:

  1. Click on the Edit pencil icon.

    Scheduled session archive

  2. Check the Enabled box.

    Session archive edit Window

  3. In the Maximum session age (days) field, type in the number of days before a session is to be archived.

  4. Click Save.

    Session archive configured

Scheduled file removal

The number of device files created can grow rapidly so to help easily manage older files you may want to configure a schedule that will automatically delete files when they reach a certain age. This will also help you manage your disk space, ensuring stored files don't fill up your disk space which could slow your system down.

The deletion of files will be based on their age. But before you enable this schedule make sure you have any backup requirements in place, especially if you need to archive the files before they are deleted.

To configure:

  1. Click on the Edit pencil icon.

    Scheduled file removal

  2. Check the Enabled box.

    File removal edit Window

  3. In the Maximum file age (days) field, type in the number of days before a file is deleted.

  4. Click Save.

    Scheduled file removal

    The File removal task is run every day at midnight and will now remove any files that are older than the age (days) set.

User group synchronisation interval

This setting should be used to create an automated synchronisation between the user groups in Osirium PAM linked to user groups on your Active Directory. This will help ensure that the Active Directory users within the group are kept up to date and any changes (removed/added users, password changes etc) are reflected in Osirium PAM.

Define in minutes how often you want Osirium PAM to synchronise user groups with your Active Directory.

To configure:

  1. Click on the Edit pencil icon.

    User Group Sync Interval

  2. The default value is set to 15 minutes. The value must be greater than or equal to 5.

    Generic value window

  3. Click Save. The User Group Synchronisation task will be run against each Active Directory user group listed on the Manage user groups page and make any necessary updates.

    User group sync log

Active Directory user group sync new user authentication type

This setting should be used to automate the authentication type setting of all new users that are synchronised through an Active Directory user group. See Managing user groups.

To select the authentication type setting that will be applied to new users that are synchronised through an Active Directory group:

  1. Click on the Edit pencil icon.

    AD New user authentication type

  2. The external authentication type values that can be set for the synchronised Active Directory user are:

    • Active Directory: This authentication type setting means that the user will use their Active Directory username/password to log on. Osirium PAM will consult with the Active Directory to verify the user logon before logging the user on.
    • Active Directory then RADIUS: This authentication type requires a multi-factor login meaning a user will have to enter their Active Directory username/password as well as a RADIUS token to log on.

    Edit value window

  3. Click Save.

Backup breakglass passphrase

This setting allows you to configure a passphrase to protect the KeePass file containing your device credentials. The KeePass file is stored in the archived backup file created when you run a backup task on Osirium PAM.

To set a backup breakglass passphrase:

  1. Click on the Edit pencil icon.

    Backup breakglass passphrase

  2. Click the Edit pencil icon for Backup breakglass passphrase. The Edit entry window appears.

    Edit entry passphrase

  3. In the Passphrase field, type a passphrase.

  4. Click Save. The backup breakglass passphrase is applied.

Client settings tab

The following can be configured on the Client settings tab:

Client Settings tab

Client colour

The colour option allows you to specify a colour for the UI. This is useful when you want to distinguish connections made to different Osirium PAM instances.

To change the colour:

  1. Click on the Edit pencil icon.

    Client colour

  2. Enter a HEX colour code; or

    Client colour window

    Click the icon to use the Select a Color window:

    Client picker window

  3. Click Save. Now when a user logs onto the UI, the browser tab icon will contain the colour configured.

    Favicon

Connection settings tab

The following can be configured on the Connection settings tab:

Connection Settings tab

Device group separation identifier

Device group separation allows you to restrict access to device tools from multiple customers, to ensure that workstations don’t become a bridge point for data.

Before creating a group separation identifier, you need to create a meta-column entry of type Device. See Configure meta-info.

The meta-column values define the groups that are available. When a user connects to device tools through the UI, the group separation identifier controls which sets of device tools they can use at the same time.

To configure the group separation identifier:

  1. Click on the Edit pencil icon.

    DGS Identifier

  2. Choose the appropriate option from the drop-down box.

    DGS Identifier edit window

  3. Click Save. Now the values in the device type meta-column will determine which device tools can be accessed after the first device tool connection has been made.

    For example:

    Device    Meta-column value
    Device A  Group 1
    Device B  Group 1
    Device C  Group 2
    Device D  Group 2

    From the UI, if a user opens a tool from Device A which belongs to Group 1, the tool opens successfully. Then, whilst Device A is open, if the user opens a tool from Device B, then this will be allowed.

    In the default block mode, if the user has a device tool from Group 1 open and then tries to open a tool on Device C which belongs to Group 2, then the user will be unable to access the tool and an error message will be shown:

    Osirium proxy separation error

    Only when all Group 1 connections have been closed can the user open device connections from Group 2.

    Note

    This only applies to device tools, NOT to device tasks. Tasks can still be run at any time for any device.

Device group separation behaviour

Device group separation behaviour can be changed from the default Block setting (meaning devices from multiple groups can't be accessed at the same time) to a Warn setting. Selecting Warn means that a warning message appears when a user tries to connect to two devices from different groups, but the user can still continue to access both devices.

To configure the separation:

  1. Click on the Edit pencil icon.

    DGS behaviour

  2. Select the Warn value from the drop-down box.

    DGS behaviour edit window

  3. Click Save.

    Now when a user opens up two connections to a device in different device separation groups, they won't be blocked but will be presented with a warning:

    DGS behaviour warning message
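The Device A / B / C walkthrough above, with the Block and Warn behaviours applied to a user's open tool connections. This is an added illustration rather than Osirium's code; the device-to-group mapping stands in for the Device meta-column, and it assumes every device has a value in that column.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Set


class SeparationBehaviour(Enum):
    """Values of the 'Device group separation behaviour' setting."""
    BLOCK = "Block"
    WARN = "Warn"


# Constructed stand-in for the Device meta-column chosen as the separation identifier.
# Assumption: every device the user can reach has a value in that column.
DEVICE_GROUP: Dict[str, str] = {
    "Device A": "Group 1",
    "Device B": "Group 1",
    "Device C": "Group 2",
    "Device D": "Group 2",
}


@dataclass
class Decision:
    allowed: bool
    warning: str = ""   # non-empty whenever the connection crosses a group boundary


@dataclass
class UserToolSession:
    """Open device-tool connections for one UI user, and the separation rule applied to them."""
    behaviour: SeparationBehaviour = SeparationBehaviour.BLOCK
    open_tools: Dict[str, str] = field(default_factory=dict)   # connection id -> device

    def open_groups(self) -> Set[str]:
        return {DEVICE_GROUP[device] for device in self.open_tools.values()}

    def open_tool(self, connection_id: str, device: str) -> Decision:
        """Apply the separation rule before a device tool is launched."""
        group = DEVICE_GROUP[device]
        other_groups = self.open_groups() - {group}
        if not other_groups:
            # Nothing open, or only tools in the same group: no separation concern.
            self.open_tools[connection_id] = device
            return Decision(allowed=True)
        message = (f"{device} belongs to {group}, but connections are already open in "
                   f"{', '.join(sorted(other_groups))}")
        if self.behaviour is SeparationBehaviour.BLOCK:
            return Decision(allowed=False, warning=message)
        # Warn: the user is told about the crossing but the tool still opens.
        self.open_tools[connection_id] = device
        return Decision(allowed=True, warning=message)

    def close_tool(self, connection_id: str) -> None:
        self.open_tools.pop(connection_id, None)

    def run_task(self, device: str) -> bool:
        """Device tasks are outside the separation rule and can run for any device at any time."""
        return device in DEVICE_GROUP


def walkthrough(behaviour: SeparationBehaviour) -> List[bool]:
    """Replay the Device A / B / C sequence; returns the allowed flag of each step."""
    session = UserToolSession(behaviour=behaviour)
    steps = [
        session.open_tool("c1", "Device A").allowed,   # first connection, always fine
        session.open_tool("c2", "Device B").allowed,   # same group as Device A
        session.open_tool("c3", "Device C").allowed,   # other group: Block refuses, Warn allows
        session.run_task("Device C"),                  # tasks are never separated
    ]
    session.close_tool("c1")
    session.close_tool("c2")
    steps.append(session.open_tool("c4", "Device C").allowed)   # Group 1 closed: allowed in both modes
    return steps


if __name__ == "__main__":
    for mode in SeparationBehaviour:
        print(mode.value, walkthrough(mode))
```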

Network settings tab

The Network settings tab allows you to configure the following settings on Osirium PAM:

Network Settings tab

DNS servers

To set DNS servers:

  1. Click on the Edit pencil icon.

    DNS servers

  2. Set the primary, secondary and tertiary servers as required.

    DNS Edit entry

  3. Click Save.

DNS search suffix

Adding DNS search suffix entries will help resolve IP addresses when adding new devices.

To add a DNS search suffix:

  1. Click on the plus icon next to DNS Suffixes. DNS search suffix 1 will be added.

    DNS search suffix add

  2. Fill in the suffix:

    Edit entry

  3. Click Save.

NTP server

To set an NTP server:

  1. Click on the plus icon next to NTP server. NTP server 1 will be added.

    NTP server add

  2. Click the Edit pencil icon for NTP server 1.

  3. Enter the IP Address or pool of the NTP servers.

    NTP server entry example

  4. Click Save.

    Tip

    You can add multiple NTP servers by clicking the plus icon several times.

Syslog server

Osirium PAM will send copies of its syslog messages to as many external syslog servers as you wish.

To add an external Syslog server:

  1. Click on the plus icon next to Syslog server. Syslog server 1 will be added.

    Syslog server add

  2. Click the Edit pencil icon for Syslog server 1.

  3. Enter the IP Address of the Syslog server Osirium PAM will be communicating with.

    Syslog edit entry

  4. Click Save.

Use CEF formatted syslog messages

Enabling this setting makes Osirium PAM format its syslog messages using the CEF (Common Event Format) standard.

To enable:

  1. Click on the Edit pencil icon.

    CEF syslog messages

  2. Check the Enabled box.

    Edit entry

  3. Click Save.

Logstash server

Enter your logstash server details to allow Osirium PAM to push events to your logstash server.

To add a logstash server:

  1. Click on the Edit pencil icon.

    Logstash server

  2. Fill in the details.

    Logstash edit entry

    Host: Enter the host name or IP address of the logstash server.
    Port: Enter the port number assigned to the logstash server.
    Enabled: Enabling will allow Osirium PAM to connect to the logstash server.
  3. Click Save.

SMTP configuration

Configure SMTP to allow emails to be sent from the PAM Server. SMTP is required if you want to set up Email subscriptions, see Managing Email Subscriptions.

Note

The SMTP server should support TLS (Transport Layer Security) otherwise there is a risk that a password will be sent in plain text.

To configure SMTP:

  1. Click on the Edit pencil icon.

    SMTP config

  2. Fill in the details.

    SMTP config edit entry

    SMTP Server: IP address of the SMTP server.
    Port: Enter the port number assigned to the SMTP server.
    Username: Enter the username that will be used to authenticate to the SMTP server.
    Password: Enter the password that will be used to authenticate to the SMTP server.
    From Email Address: Used to set the Reply-To and Sender headers (user@domain) of the outbound email.
    From name: Used to set a text description in the Reply-To and Sender headers of the outbound email.
    SMTP Server Debug: Directs email server transaction messages to the mail.log file.
    Force STARTTLS: If checked, forces Osirium PAM to use STARTTLS. If the remote server does not support STARTTLS, an error is logged in the mail.log file.
  3. Click Save. All superadmins will receive an email to confirm that email has been successfully configured.

SNMP configuration

Configure SNMP to allow Osirium PAM to be monitored on your network.

To configure SNMP:

  1. Click on the Edit pencil icon.

    SNMP Config

  2. Fill in the details.

    SNMP config edit entry

    Read only community string: Enter a valid read-only community string to allow SNMP requests to be sent.
    System location: Enter the location of Osirium PAM.
    System contact: Enter a valid contact name for Osirium PAM.
  3. Click Save.

RADIUS configuration

For Osirium PAM users to be authenticated through RADIUS, configure the RADIUS settings.

To configure Radius:

  1. Click on the plus icon next to RADIUS configuration. RADIUS configuration 1 will be added.

    Radius config

  2. Click the Edit pencil icon for RADIUS configuration 1. Fill in the following details:

    RADIUS config edit entry

    | Field name | Description |
    |---|---|
    | Address | Enter the IP address of the RADIUS server. |
    | Port | Enter the port number assigned to the RADIUS server service. |
    | Secret | Enter the RADIUS secret that will be used to authenticate onto the RADIUS server. |
    | Retries | Enter the number of times you want a user to retry the connection before it fails. |
    | Timeout | Enter the minutes allowed before the connection is timed out. |
  3. Click Save.

Remote backup and archive server

If the remote backup and archive server is configured, Osirium PAM will automatically push Osirium PAM backups to the specified server at the end of the backup task. If session recording is enabled, session recording archives will also be pushed automatically at the end of the archive task.

Supported protocols are SCP, SFTP and SMB.

To set up remote backup:

  1. Click on the Edit pencil icon.

    Remote Backup and archive server

  2. Within the Edit entry window, fill in the following details:

    Remote Backup and archive server edit entry

    | Field name | Description |
    |---|---|
    | Server type | Select the method to be used to copy the backup file. Options available from the drop-down list box are SMB, SCP and SFTP. NOTE: if None is selected from the drop-down list then the settings will be saved but the backup file will not be copied to the remote server. |
    | Server IP address | Enter the IP address of the remote backup server. |
    | Port (SMB=445, SCP=22, SFTP=22) | Enter the port number for the Server type selected. |
    | Path or share name | Enter the path where the file will be saved to on the remote backup server. |
    | Username | Enter a valid username with access to the remote backup server. The user must have the correct permission to write to the path specified. |
    | Password | Enter a valid password. |
  3. Click Save.

Routing table

Allows you to add static routes into the Osirium PAM local routing table.

To add entries:

  1. Click the Edit pencil icon.

    Routing table

  2. Within the Edit value window, click New and select Add entry (plus icon).

    Routing table add entry

  3. Enter the values you want to add to the routing table.

    Routing table values

  4. Click the Save icon to save the new entry.

  5. Click Save changes.

    The PAM Server must be rebooted before the routing table is applied. This can be done through the PAM Server device detail page > Tasks tab or the PAM Server console window.

SailPoint IdentityIQ integration configuration

Osirium PAM can be integrated with SailPoint IdentityIQ to provide a governance-based identity access management solution.

Integrating with SailPoint IdentityIQ enables users and Osirium PAM user groups to be synchronised into the SailPoint IdentityIQ server. SailPoint IdentityIQ can then manage and instruct Osirium PAM on provisioning requests for user creation, modification, deletion, enabling, disabling and password changes.

Before the PAM Server can be configured to integrate with your SailPoint IdentityIQ, the following prerequisites must be configured on your SailPoint IdentityIQ server:

  • The Simple Table Integration (STI) module must be installed and configured.

  • The Osirium PAM STI schema, which has been created and is available through SailPoint, must be applied. The schema provides the default integration configuration requirements as well as creating the database tables that will contain the user and user group fields.

    Note

    For more information, refer to the SailPoint IdentityIQ documentation.

Then, when the PAM Server has been configured to connect with your SailPoint IdentityIQ implementation, the following will be enabled:

  • SailPoint will be able to create users and user groups on Osirium PAM, which will be disabled by default.
  • When new users are created they will be automatically synchronised onto the SailPoint IdentityIQ server.
  • Multiple PAM Servers can be added to the SailPoint IdentityIQ server as long as they have a unique hostname.
  • Policies defined within SailPoint IdentityIQ will be applied directly into Osirium PAM.

To synchronise your PAM Server with SailPoint IdentityIQ:

  1. On the left-hand menu, under System, click System configuration. The System configuration page appears.

  2. Click the Network settings tab.

  3. On the table, click the Edit pencil icon to the right of SailPoint IdentityIQ integration configuration.

    SailPoint config

    The Edit entry window appears.

    SailPoint edit entry

  4. Within the Edit entry window, provide the following details to allow SailPoint IdentityIQ to synchronise with Osirium PAM:

    | Field name | Description |
    |---|---|
    | Host | The unique hostname of the SailPoint IdentityIQ server. |
    | Port | The port number assigned to the SailPoint IdentityIQ STI database. |
    | Database Name | Name of the STI database created in SailPoint IdentityIQ. |
    | Username | The SailPoint username used to access the STI database. |
    | Password | The password of the SailPoint username used to access the STI database. |
    | Enabled | By default, SailPoint IdentityIQ integration in Osirium PAM is disabled. Select the checkbox to enable SailPoint IdentityIQ integration. |
  5. Click Save. The SailPoint IdentityIQ integration details are added to the table.

    Note

    When SailPoint IdentityIQ integration is complete, Osirium PAM automatically begins communicating with SailPoint. Desired integration behaviours, such as policies, must be configured within SailPoint IdentityIQ.

ServiceNow ticket integration configuration

ServiceNow ticket integration in Osirium PAM allows tickets entered in the Change Management Tool to be validated against an existing ServiceNow configuration management database (CMDB), providing the following benefits.

  • Accountability: ability to see when, why and how tickets are allocated.
  • Security: attackers require a valid change ticket on top of privileged credentials.

Prerequisites

  • Osirium PAM must be configured as an OAuth provider on the ServiceNow CMDB. When configured, a Client ID and Client Secret are created. Make a note of these credentials as they will be required to identify Osirium PAM to ServiceNow.

  • Obtain a ServiceNow refresh token by running the relevant command on your workstation, as detailed in the ServiceNow documentation. The client ID and client secret created above, as well as the ServiceNow CMDB URL, are required, as per the example below.

    Example command (the form fields must be sent as one unbroken string; any whitespace inside the quoted body would corrupt the request):

    $ curl -d "grant_type=password&client_id=be3aeb583ace210011c15b24a43e25d8&client_secret=client_password&username=admin&password=admin" https://instancename.service-now.com/oauth_token.do

    Make a note of the obtained refresh token.

    Note

    The refresh token has a lifespan designated in ServiceNow. When the refresh token expires, Osirium PAM automatically generates a new token.

To integrate ServiceNow:

  1. On the left-hand menu, under System, click System configuration. The System configuration page appears.

  2. Click the Network settings tab.

  3. On the table, click the Edit pencil icon to the right of ServiceNow Ticket integration configuration.

    ServiceNow config

    The Edit entry window appears.

    ServiceNow edit entry

  4. Within the Edit entry window, provide the following details to allow the ServiceNow integration:

    | Field name | Description |
    |---|---|
    | Host | URL of the ServiceNow CMDB. |
    | Client ID | Client ID generated when Osirium PAM was configured as an OAuth provider. |
    | Client Secret | Client secret generated when Osirium PAM was configured as an OAuth provider. |
    | ServiceNow Instance Refresh Token | Refresh token obtained when Osirium PAM was configured as an OAuth provider. |
    | Emergency Ticket (blank to disable) | In the event that an incident or change ticket number does not exist on the ServiceNow CMDB, or if you are unable to access the ServiceNow CMDB, you can provide an emergency ticket. Osirium PAM does not check the emergency ticket against ServiceNow. NOTE: this feature should only be used in an emergency and should otherwise be left blank. |
    | Enabled | By default, ServiceNow integration is disabled. Select the checkbox to enable ServiceNow integration. |
  5. Click Save. The ServiceNow integration details are added to the table.
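To make the behaviour of these fields concrete, the block below is an added example written for this page, not Osirium's implementation. It models two things the description above covers: exchanging the stored refresh token for a fresh access token at the ServiceNow token endpoint (the same /oauth_token.do path as the curl command in the prerequisites), and deciding whether a ticket quoted by a user may be accepted, including the Emergency Ticket bypass, which is recorded in an audit trail precisely because it is never verified against ServiceNow. The ServiceNow Table API lookup (`/api/now/table/change_request` with `sysparm_query`) is an assumption about how such a check could be performed and is not described on this page; the host, ticket numbers and credentials are constructed placeholders.

```python
"""Model of refresh-token renewal and ticket validation with an emergency
bypass.  Added example; not Osirium PAM's code."""
import json
import urllib.parse
import urllib.request
from typing import Callable, List, Dict


def build_refresh_request(host: str, client_id: str, client_secret: str,
                          refresh_token: str) -> urllib.request.Request:
    """OAuth 2.0 refresh_token grant against the ServiceNow token endpoint.
    The client secret travels in the POST body, so the host must be https."""
    body = urllib.parse.urlencode({
        "grant_type": "refresh_token",
        "client_id": client_id,
        "client_secret": client_secret,
        "refresh_token": refresh_token,
    }).encode()
    return urllib.request.Request(
        host.rstrip("/") + "/oauth_token.do", data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )


def fetch_access_token(host, client_id, client_secret, refresh_token) -> str:
    """Perform the refresh and return the short-lived access token."""
    req = build_refresh_request(host, client_id, client_secret, refresh_token)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)["access_token"]


def servicenow_lookup(host: str, access_token: str,
                      table: str = "change_request") -> Callable[[str], bool]:
    """Build a lookup using the ServiceNow Table API (assumed approach).
    Returns True if a record with that number exists; raises OSError on
    connectivity problems so the caller can distinguish 'no' from 'unknown'."""
    def lookup(ticket: str) -> bool:
        query = urllib.parse.urlencode({"sysparm_query": f"number={ticket}",
                                        "sysparm_fields": "number",
                                        "sysparm_limit": 1})
        req = urllib.request.Request(
            f"{host.rstrip('/')}/api/now/table/{table}?{query}",
            headers={"Authorization": f"Bearer {access_token}",
                     "Accept": "application/json"})
        with urllib.request.urlopen(req, timeout=15) as resp:
            return bool(json.load(resp).get("result"))
    return lookup


class TicketCheck:
    """Decide whether a ticket entered in the Change Management Tool is usable.

    lookup(ticket) -> bool answers whether the ticket exists in ServiceNow.
    Every decision is appended to self.audit so that use of the emergency
    ticket, which bypasses ServiceNow entirely, is always visible."""

    def __init__(self, lookup: Callable[[str], bool], emergency_ticket: str = ""):
        self.lookup = lookup
        self.emergency_ticket = emergency_ticket.strip()  # blank disables bypass
        self.audit: List[Dict] = []

    def is_allowed(self, ticket: str) -> bool:
        ticket = ticket.strip()
        if not ticket:
            return self._record(ticket, False, "no ticket supplied")
        if self.emergency_ticket and ticket == self.emergency_ticket:
            return self._record(ticket, True,
                                "emergency ticket used; not verified against ServiceNow")
        try:
            exists = self.lookup(ticket)
        except OSError as exc:  # CMDB unreachable: fail closed, do not guess
            return self._record(ticket, False, f"ServiceNow unreachable: {exc}")
        return self._record(ticket, exists,
                            "found in ServiceNow" if exists else "not found in ServiceNow")

    def _record(self, ticket: str, allowed: bool, reason: str) -> bool:
        self.audit.append({"ticket": ticket, "allowed": allowed, "reason": reason})
        return allowed
```

Note the fail-closed choice when ServiceNow cannot be reached: the only way through in that situation is the emergency ticket, which is exactly the scenario the field description gives for it, and the audit entry makes each such use reviewable afterwards.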

Mesh tab

Info

In v7.x a Mesh backup can only be used to restore the leader onto a new PAM Server. All other PAM Servers in the cluster will have to be manually re-added. For this reason, we strongly recommend that VM level backups are performed on all PAM Servers.

Further information regarding backing up and restoring a PAM Cluster can be found here.

The Mesh mechanism allows an Active primary virtual appliance to push a copy of its backup file to a Mesh secondary virtual appliance. The Mesh secondary virtual appliance does not contain any live configurations. A public key is used between the Active primary virtual appliance and the Mesh secondary virtual appliance to validate the mesh connection.

The stored backup file on the Mesh secondary virtual appliance can then be used to restore an Active primary virtual appliance in a disaster recovery situation.

See PxM Virtual Appliance Restore Instructions Using a Mesh backup.

Note

When you build a mesh or upgrade a mesh server, ensure you don't delete or move the install files that are in /data/kits/latest/ as these are required for the restore process to work.

Mesh tab

To set up:

  1. Within the Active primary virtual appliance, click on the Mesh tab within System Configuration.

  2. Click the Edit pencil icon for Outbound Mesh Connection 1.

    Mesh outbound edit entry

    Fill in the following details:

    | Field name | Description |
    |---|---|
    | IP Address | IP address of the Mesh secondary VM where the backup will be stored. |
    | Push Backups | Check to enable. This will allow the backup to be copied to the Mesh secondary VM. |
  3. Click Save.

  4. Now click on the Public key and copy it.

  5. Log onto the Mesh secondary VM and open up the Admin Interface.

  6. Click System Configuration in the left-hand menu.

  7. Within the System configuration window, click on the Mesh tab.

  8. Click the Edit pencil icon for Inbound Mesh Connection 1.

    Mesh inbound

  9. Enter the API Key copied from the Active primary VM.

    Mesh inbound edit entry

  10. Click Save.

    Now, an outbound connection can be made from the Active primary VM to the Mesh secondary VM. The Mesh secondary VM will now accept file transfers from the Active primary VM.

  11. Now you need to create a profile to run the backup task against the Active primary VM. See Creating a New Profile.

    For a scheduled time see Creating a Schedule or use an existing schedule.

    Once the scheduled backup has been created, it is automatically transferred to the Mesh secondary VM using SCP file transfer.

    Note

    Any Osirium PAM backup files created through manual execution will also be pushed to the Mesh secondary VM.