System configuration of the PAM UI

Configuration of the PAM UI Server should take around 5 minutes.

Install HTTPS certificates

Default HTTPS certificates are installed during the installation so that data to and from the PAM UI is encrypted. However, it is recommended that you install your own certificates before you start to use your PAM UI Server.

To install your HTTPS certificates:

  1. On your workstation, open a PowerShell client.

  2. To update the PAM UI Server with your own HTTPS certificates, you will need to replace the following files: /var/disk/certs/https.key and /var/disk/certs/https.crt.
    From the directory that contains your https.key and https.crt files, type the following in the PowerShell client window:

    tar -c https.key https.crt | ssh support@<address> -C "tar -x --no-same-owner -C /tmp/"

    ssh support@<address> -C "sudo mv /tmp/https.* /var/disk/certs/"

  3. Reboot the PAM UI Server to apply the configuration and wait while the system is rebooted.
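
A pre-flight check worth running on https.key and https.crt before the upload in step 2, since the new files only take effect after the reboot. This is an added example, not code from the product or its vendor; it assumes a POSIX shell with openssl on the machine holding the files (for example Git Bash or WSL on a Windows workstation), and the function name check_https_pair and its exit codes are chosen for this example.

```shell
#!/bin/sh
# Added example, not vendor code. Assumes openssl is installed locally.
# check_https_pair KEY CRT [MIN_DAYS]
# Exit codes (chosen for this example): 0 ok, 2 missing file, 3 bad cert,
# 4 bad or passphrase-protected key, 5 key/cert mismatch, 6 expiring soon.
check_https_pair() {
    key=${1:-https.key}
    crt=${2:-https.crt}
    min_days=${3:-30}

    [ -r "$key" ] && [ -r "$crt" ] || {
        echo "cannot read $key or $crt" >&2; return 2; }

    # Public key embedded in the certificate (PEM SubjectPublicKeyInfo).
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || {
        echo "$crt is not a readable certificate" >&2; return 3; }

    # Public key derived from the private key. An empty passphrase is
    # supplied so a passphrase-protected key fails here instead of prompting.
    key_pub=$(openssl pkey -in "$key" -pubout -passin pass: 2>/dev/null) || {
        echo "$key is malformed or passphrase-protected" >&2; return 4; }

    # The pair only works together if both yield the same public key.
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ] || {
        echo "$key does not belong to $crt" >&2; return 5; }

    # -checkend N exits non-zero if the certificate expires within N seconds.
    openssl x509 -in "$crt" -noout -checkend "$((min_days * 86400))" \
        >/dev/null || {
        echo "$crt expires within $min_days days" >&2; return 6; }

    # Summary for the operator: who the certificate is for and when it ends.
    openssl x509 -in "$crt" -noout -subject -enddate
}

# Run directly: sh check_https_pair.sh https.key https.crt 30
if [ "$#" -ge 2 ]; then
    check_https_pair "$@"
fi
```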

Pair PAM UI with a specific PAM Server (OPTIONAL)

The PAM UI supports connecting to multiple PAM Servers; however, it is possible to bind a single instance of the PAM UI to a given PAM Server. To do so, save the PAM host to /var/disk/settings/pxm_host.

  1. Open the Console window of the PAM UI Server.

  2. At the command prompt type the following:

    echo "<your PAM Server hostname>" | sudo tee /var/disk/settings/pxm_host

    Example:

    [Screenshot: PAM UI Pairing]

  3. At the command prompt type sudo reboot to apply the configuration. Wait while the system is rebooted.

Securing against man-in-the-middle (MITM) attacks (OPTIONAL)

Although this is optional, implement the following to improve security and avoid MITM attacks between the PAM UI and a given PAM Server:

  1. Within VMware vSphere open the Console window of the deployed PAM UI Server if not already open.

  2. Open the /var/disk/settings/hosts.yml file in your preferred editor. You will need to use sudo to write to the file:

    Example using a nano editor:

    sudo nano /var/disk/settings/hosts.yml

    The file should look like the example below:

    [Screenshot: hosts file]

  3. By default, the PAM UI Server is configured to allow all connections (allow_insecure: true) because it does not yet have any stored fingerprints. To disable this setting, set it to false (allow_insecure: false) and then add the PAM Server hostname (FQDN or IP address) and host key fingerprint to the list.

    If you have multiple PAM Servers then add the hostnames and the host key fingerprints of each of the PAM Servers you will be connecting to this list.

    The host key fingerprint can be obtained from the Osirium PAM web page. Open a web browser window and enter the following: https://(PAM_Server_address).

    Example:
    Replace the example hostnames (FQDNs or IP addresses) and host key fingerprints with those of your own PAM Servers.

    [Screenshot: hosts file configured]

  4. Once updated, save the changes within your editor.