System configuration of the PAM UI
Configuration of the PAM UI Server should take around 5 minutes.
- Install HTTPS certificates
- Pair PAM UI with a specific PAM Server OPTIONAL
- Securing against man-in-the-middle (MITM) attacks OPTIONAL
Install HTTPS certificates
Although default HTTPS certificates are installed during installation so that data to and from the PAM UI is encrypted, it is recommended that you install your own certificates before you start using your PAM UI Server.
To install your HTTPS certificates:
On your workstation open up a PowerShell client.
To update the PAM UI Server with your own HTTPS certificates you will need to replace the following files:
Within the PowerShell client window type the following:
tar -c https.key https.crt | ssh support@<address> -C "tar -x --no-same-owner -C /tmp/"
ssh support@<address> -C "sudo mv /tmp/https.* /var/disk/certs/"
Reboot the PAM UI Server to apply the configuration and wait while the system is rebooted.
Pair PAM UI with a specific PAM Server OPTIONAL
The PAM UI supports connecting to multiple PAM Servers, however it is possible to bind a single instance of the PAM UI to a given PAM Server. In order to do so, we need to save the PAM host to
Open the Console window of the PAM UI Server.
At the command prompt type the following:
echo "<your PAM Server hostname>" | sudo tee /var/disk/settings/pxm_host
At the command prompt type sudo reboot to apply the configuration. Wait while the system is rebooted.
Securing against man-in-the-middle (MITM) attacks OPTIONAL
Although this is optional, to avoid MITM attacks between the PAM UI and a given PAM Server, implement the following to improve security:
Within VMware vSphere open the Console window of the deployed PAM UI Server if not already open.
Open the /var/disk/settings/hosts.yml file in your preferred editor. You will need to use sudo to write to the file:
Example using a nano editor:
sudo nano /var/disk/settings/hosts.yml
The file should look like the below example:
The PAM UI Server is configured by default to allow all connections (allow_insecure: true), as no fingerprints are stored yet. To disable this setting, set it to false (allow_insecure: false) and then add the PAM Server hostname (FQDN or IP address) and its host key fingerprint to the list.
If you have multiple PAM Servers then add the hostnames and the host key fingerprints of each of the PAM Servers you will be connecting to this list.
The host key fingerprint can be obtained from the Osirium PAM web page. Open a web browser window and enter the following:
Replace the example hostnames (FQDNs or IP Addresses) and host key fingerprints with your own PAM Servers.
Once updated, save the changes within your editor.
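As an added example (not Osirium's own tooling), a small Python check you can run over hosts.yml before rebooting, so you do not lock the PAM UI out by disabling allow_insecure with an incomplete list. The allow_insecure key comes from the page; the hosts list with hostname and fingerprint entries, and the accepted fingerprint formats, are assumptions about the file layout.

```python
"""Sanity-check a PAM UI hosts.yml before allow_insecure is turned off.

Assumed layout (only allow_insecure is shown on the page; the hosts list
with hostname/fingerprint entries is an assumption):
allow_insecure: false
hosts:
  - hostname: pam1.example.internal
    fingerprint: SHA256:...
"""
import re

# Accept OpenSSH-style SHA256 fingerprints or legacy colon-separated MD5 hex.
FP_RE = re.compile(r"^(SHA256:[A-Za-z0-9+/]{43}=?|([0-9a-f]{2}:){15}[0-9a-f]{2})$")

def parse_hosts_yml(text):
    """Minimal line parser for the assumed flat layout; returns (allow_insecure, hosts)."""
    allow_insecure, hosts = None, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        m = re.match(r"^allow_insecure:\s*(true|false)\s*$", line)
        if m:
            allow_insecure = m.group(1) == "true"
            continue
        m = re.match(r"^\s*-\s*hostname:\s*(\S+)\s*$", line)
        if m:
            hosts.append({"hostname": m.group(1), "fingerprint": None})
            continue
        m = re.match(r"^\s+fingerprint:\s*(\S+)\s*$", line)
        if m and hosts:
            hosts[-1]["fingerprint"] = m.group(1)
    return allow_insecure, hosts

def check_hosts_yml(text):
    """Return a list of findings; an empty list means the pinning config is sound."""
    allow_insecure, hosts = parse_hosts_yml(text)
    findings = []
    if allow_insecure is None or allow_insecure:
        findings.append("allow_insecure is not false: unpinned PAM Servers will be accepted")
    if not hosts:
        findings.append("no PAM Server entries: nothing is pinned")
    for h in hosts:
        if not h["fingerprint"]:
            findings.append(f"{h['hostname']}: missing host key fingerprint")
        elif not FP_RE.match(h["fingerprint"]):
            findings.append(f"{h['hostname']}: fingerprint not in SHA256:... or MD5 hex form")
    return findings

# Constructed sample: the default still on, one pinned entry, one entry without a fingerprint.
SAMPLE = """allow_insecure: true
hosts:
  - hostname: pam1.example.internal
    fingerprint: SHA256:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  - hostname: 192.0.2.10
"""
```

Run it with the real file contents in place of SAMPLE; fix every finding, then reboot.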