Skip to content

Configuring a PAM HA Pair

This section covers:

Introduction

The installation instructions set out on this page are for configuring a new PAM HA Pair.

Deploying the PAM Servers

The first step will be to deploy the software package into your chosen supported infrastructure. You will need two PAM Servers to create a HA Pair.

Click on the appropriate link below to be navigated to the deployment steps.

Configuring the PAM Server HA Pair

Once you have deployed your two standalone PAM Servers, you can configure the servers. The configuration for a Primary and Secondary HA server will differ so ensure you follow the correct steps:

Configure a Primary PAM Server

Follow these configuration steps if you are setting up a Primary server.

  1. Within the Console window, press ENTER when prompted to start the setup and configuration.

  2. Read and accept the EULA to continue.

  3. Select Standalone (or HA Primary) as the installation type.

    Installation type

  4. Within the Configure Networking screen, configure the following server settings. Press TAB to navigate between the fields.

    • IP Address: Enter the IP Address which will be used to connect to the server.
    • Netmask: Enter the network mask.
    • Gateway: Enter the network default gateway IP address.
    • Primary DNS: Enter the network primary DNS IP address.
    • (Secondary DNS): Enter the secondary DNS IP address if relevant, else leave blank.
    • (Tertiary DNS): Enter the tertiary DNS IP address if relevant, else leave blank.
    • (DNS Suffixes): Enter the DNS Suffixes. Multiple entries can be separated with a comma, else leave blank.

    Note

    If you are using a .local domain, DNS suffixes MUST be added.

    configure networking

  5. Once completed TAB down to the OK button and press ENTER.osi

  6. Within the Enter a hostname window, enter a name to identify the new server.

  7. TAB down to the OK button and press ENTER.

  8. Your Master Encryption Key will be shown. MEK

    Type Description
    Master encryption key This key is VERY IMPORTANT so you MUST make a note of it and securely store it externally for future reference as it is not stored on the server. It will be required during a backup/restore procedure to recreate the hash file and decrypt the PAM database stored within the PAM Server backup file.
    Salt During the installation process the master encryption key is combined with the Salt to generate a hash which is stored in a file. The Salt is stored on the server and will be included in the PAM backup file.
    Hash Is generated during the installation process and stored on the server. The hash file will not be included in the PAM Server backup file. During a backup/restore procedure the master encryption key will be used with the salt to recreate the hash and decrypt the PAM Server backup database file to reinstate the server.
  9. TAB down to the OK button and press ENTER.

  10. Enter the Master Encryption Key including the dashes to verify.

  11. TAB down to the OK button and press ENTER.

  12. Set a password for the SuperAdmin account. The username (SuperAdmin) and the password will be used later to log into the UI.

  13. TAB down to the OK button and press ENTER.

  14. Confirm the SuperAdmin account password.

  15. TAB down to the OK button and press ENTER. Wait while the system is configured.

  16. Once the setup has completed a message will be displayed. Make a note of the https address which will be required to connect to the PAM Server and run through the system configuration steps.

System Configuration

The following system configuration steps are required on the Primary PAM Server:

Uploading an Osirium product licence REQUIRED

  1. Using the https address noted at the end of your deployment of the PAM Server log on using the superadmin account.

    PAM UI Login window

  2. Click Browser (HTTP) to open the Admin Interface.

    PAM UI

  3. Within the Admin Interface you will be prompted to upload a valid Osirium PAM licence before you can continue.

    Licence upload

  4. Within the Upload licence window, click Choose File.

  5. Select your Osirium PAM licence file and click Open

  6. Click UPLOAD.

  7. Click ACKNOWLEDGE within the Action notifications window. Your browser will be refreshed. Your server is now ready.

We highly recommend that an SMB share is configured to maintain resilience and ensure session recordings continue to be available in case of any failovers.

Warning

If an SMB share is not configured then you are at risk of losing files stored locally on the PAM Server.

To configure:

  1. Within the Admin Interface navigate to the System configuration > System settings tab.

  2. Click on the Edit pencil next to SMB share configuration.

  3. Enter the SMB share details.

    SMB Filestore Configuration

    Field name Description
    UNC path The UNC path by which PAM can connect to the SMB share.

    For example \\server-name\shared-resource-pathname

    Username The username of the SMB share location.
    Password The password of the SMB share location.
    Options (comma-separated) Optional
    Allows additional parameters to be passed to the SMB share as a comma separated list if required.
  4. Click SAVE.

  5. Click on the Edit pencil next to File store.

  6. Select SMB Share and click SAVE.

By default, PAM provides a generic certificate to allow secure web connections to the user interfaces.

We recommend that you upload a trusted certificate valid within your organisation. For further details on the types of certificates that can be uploaded click here.

The steps to upload a certificate differ depending upon the certificate type.

Certificate with RSA private key

To upload:

  1. Within the Admin Interface navigate to the System configuration > Certificates tab.

  2. On the Certificates tab, click LOAD NEW CERTIFICATE.

  3. In the Upload TLS Certificate window, upload your trusted certificate and RSA private key. Both are required for a successful upload.

    • TLS Certificate: Uploaded certificates will be verified to ensure they are an X.509 certificate with a .pem file format.
    • RSA Private Key: Uploaded keys are verified to ensure they are an rsa key with a .key file format. Passwords/passphrase are NOT supported on the the rsa key.

    Upload TLS Certificate

  4. If the private key you are uploading has been encrypted, enter the password in the Key password (optional) input box.

  5. Click UPLOAD. The certificate is uploaded.

PKCS12 archive file

To upload:

  1. Within the Admin Interface navigate to the System configuration > Certificates tab.

  2. On the Certificates tab, click LOAD NEW CERTIFICATE.

  3. In the Upload TLS Certificate window, upload your PKCS #12 file.

    • The certificate contained within the PKCS #12 file will be verified to ensure it is a X.509 certificate.
    • The private key contained within the PKCS #12 file will be verified to ensure it is an rsa key.

    Upload PKCS Certificate

  4. If the private key you are uploading has been encrypted, enter the password in the Key password (optional) input box.

  5. Click UPLOAD. The certificate is uploaded.

Configure a Secondary PAM Server

Follow these configuration steps if you are setting up a new Secondary server.

  1. Within the Console window, press ENTER when prompted to start the setup and configuration.

  2. Read and accept the EULA to continue.

  3. Select HA Secondary (or replacement Primary) as the installation type.

    Installation Type

  4. Within the Configure Networking screen, configure the following server settings. Press TAB to navigate between the fields.

    • IP Address: Enter the IP Address which will be used to connect to the server.
    • Netmask: Enter the network mask.
    • Gateway: Enter the network default gateway IP address.
    • Primary DNS: Enter the network primary DNS IP address.
    • (Secondary DNS): Enter the secondary DNS IP address if relevant, else leave blank.
    • (Tertiary DNS): Enter the tertiary DNS IP address if relevant, else leave blank.
    • (DNS Suffixes): Enter the DNS Suffixes. Multiple entries can be separated with a comma, else leave blank.

    Note

    If you are using a .local domain, DNS suffixes MUST be added.

    Configure Networking

  5. Once completed TAB down to the OK button and press ENTER.

  6. Within the Enter a hostname window, enter a name to identify the new server.

  7. TAB down to the OK button and press ENTER.

  8. Once the setup has completed a message will be displayed. Your system is now ready for High Availability.

    Make a note of the joining code displayed on the screen as it will be required to initialise your PAM HA pair.

    Joining code

Initialise High Availability

Once you have deployed and configured your PAM Servers, the final step is to initialise your HA pair and setup replication.

  1. Open up a web browser and enter the address of the Primary server:

    [PAM Server Address]:8443

    You will be presented with the Management Interface.

  2. Login as the SuperAdmin set during installation.

    Management Interface

  3. You will be presented with Management Interface SSH window.

    Management Interface shell window

  4. At the prompt type ha-initialise and press ENTER.

    Note

    If an SMB share is not configured you will be presented with a warning message. We recommend you configure an SMB share before continuing.

    SMB Share warning

  5. Enter the IP address of the Secondary server and press ENTER.

    Enter secondary PAM Server IP Address

  6. OPTIONAL Enter a floating IP address and press ENTER.

    Enter Floating IP

  7. Read what will happen on the secondary then type y and press ENTER to continue.

    Secondary operation list

  8. Enter the joining code of your Secondary server and press ENTER.

    Enter Joining Code

    The joining code of your Secondary PAM Server can be found on the servers console window:

    Secondary Server Joining code

  9. Wait while the joining procedure completes and the HA Pair is established.

  10. When the operation has completed, review the follow-up actions listed and complete as required.

    Connect to secondary management

    The High Availability tab on the Admin Interface > System configuration page will also show the HA configuration details.

    HA tab

HA Pair configuration is now complete.

Next steps

Only the PAM Owner role can access the Management Interface. We recommend creating personalised user accounts with PAM Owner role to access the Management Interface. See Managing roles for more information.

You can now start to administer your privileged access by adding users, devices and configuring profiles. For more information click here.