
System configuration of the PAM UI Server

Configuration of the PAM UI Server should take around 5 minutes.

Install HTTPS certificates

Although default HTTPS certificates are installed during the installation to ensure your data to and from the PAM UI is encrypted, it is recommended that you install your own certificates before you start to use your PAM UI Server.

To install your HTTPS certificates:

  1. To replace the existing HTTPS certificate files on the PAM UI Server, first ensure your files are in PEM format and rename them to https.key and https.crt to match the existing files.

  2. Now open your preferred SFTP tool and enter the following:

    • IP address of the PAM UI Server.
    • Enter support as the login username.
    • Select the private key file (.ppk file) for authentication.

    Note

    If your PAM UI Server was deployed in Azure, enter the Administrator account that was configured when you created the PAM UI virtual machine.

  3. Transfer your https.key and https.crt files onto the PAM UI Server.

  4. Close the SFTP window.

  5. Now open your preferred SSH tool and enter the following:

    • IP address of the PAM UI Server.
    • Enter support as the login username.
    • Select the private key file (.ppk file) for authentication.

    Note

    If your PAM UI Server was deployed in Azure, enter the Administrator account that was configured when you created the PAM UI virtual machine.

  6. Within the command line tool window, back up the existing HTTPS certificate files before you overwrite them.

    sudo mv /var/disk/certs/https.crt /var/disk/certs/https.crt.bak

    sudo mv /var/disk/certs/https.key /var/disk/certs/https.key.bak

  7. Now move your own https.crt and https.key files into the /var/disk/certs/ folder.

    sudo mv /https.* /var/disk/certs/

  8. Navigate to the certs folder.

    cd /var/disk/certs/

  9. Set the file permissions and ownership.

    sudo chmod 0600 https.key

    sudo chmod 0644 https.crt

    sudo chown root:root https.key

    sudo chown root:root https.crt

  10. Reboot the PAM UI Server to apply the configuration and wait while the system is rebooted.

    sudo reboot
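A mismatched or non-PEM pair only shows up after the reboot, so it is worth checking the files before they replace the working ones. The following is an added example, not part of the vendor's procedure: it assumes the openssl CLI is available where you run it, and the function name and script name (check_https_pair.sh) are hypothetical.

```sh
#!/bin/sh
# Added example, not vendor code. Assumes the openssl CLI is installed.
# check_https_pair KEY CRT
# Returns 0 when the pair is usable, otherwise:
#   2 = a file is not PEM      3 = certificate cannot be parsed
#   4 = key cannot be parsed   5 = key does not match certificate
#   6 = certificate has expired
check_https_pair() {
    chk_key=$1
    chk_crt=$2

    # PEM files carry ASCII armor lines; DER or PKCS#12 files do not.
    if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$chk_crt" 2>/dev/null ||
       ! grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$chk_key" 2>/dev/null
    then
        echo "FAIL: both files must be PEM encoded" >&2
        return 2
    fi

    # Public key embedded in the certificate.
    chk_crt_pub=$(openssl x509 -in "$chk_crt" -noout -pubkey 2>/dev/null) ||
        { echo "FAIL: cannot parse $chk_crt" >&2; return 3; }

    # Public key derived from the private key. The empty -passin stops
    # openssl prompting, so a passphrase-protected key fails here
    # (assumption: the server must read the key unattended at boot).
    chk_key_pub=$(openssl pkey -in "$chk_key" -pubout -passin pass: 2>/dev/null) ||
        { echo "FAIL: cannot parse $chk_key" >&2; return 4; }

    if [ "$chk_crt_pub" != "$chk_key_pub" ]; then
        echo "FAIL: $chk_key is not the key for $chk_crt" >&2
        return 5
    fi

    # -checkend 0 exits non-zero if the certificate is already expired.
    openssl x509 -in "$chk_crt" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "FAIL: $chk_crt has expired" >&2; return 6; }

    echo "OK: $chk_key and $chk_crt form a valid pair"
}

# Usage: sh check_https_pair.sh https.key https.crt
if [ "$#" -eq 2 ]; then
    check_https_pair "$1" "$2"
fi
```

Run it against your own https.key and https.crt before step 6, so the working files are only replaced by a pair that passes.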

Pair PAM UI with a specific PAM Server (optional)

The PAM UI Server supports connecting to multiple PAM Servers. However, it is possible to bind a single instance of the PAM UI Server to a given PAM Server. To do so, save the PAM host to /var/disk/settings/pxm_host.

  1. Open the Console window of the PAM UI Server.

  2. At the command prompt open the pxm_host file in /var/disk/settings/ using your preferred editor.

    Example: sudo nano /var/disk/settings/pxm_host

  3. Add your PAM Server IP address to the host file.

    Note

    If you have configured an HA Pair, and you are unable to use a floating IP address, you can enter
    <primary-ip>,<secondary-ip> as the host and the PAM UI Server will automatically detect and connect to whichever is the active server.

  4. Save the changes and exit the file.

  5. At the command prompt type sudo reboot to apply the configuration. Wait while the system is rebooted.

Securing against man-in-the-middle (MITM) attacks (optional)

Although this is optional, implement the following to avoid MITM attacks between the PAM UI and a given PAM Server:

  1. Open the Console window of the PAM UI Server.

  2. At the command prompt open the hosts.yml file in /var/disk/settings/ using your preferred editor.

    Example: sudo nano /var/disk/settings/hosts.yml

  3. By default the PAM UI Server allows all connections (allow_insecure: true) because it has no stored fingerprints. To disable this setting, set it to false (allow_insecure: false) and then add the PAM Server hostname (FQDN or IP address) and host key fingerprint to the list.

    If you have multiple PAM Servers then add the hostnames and the host key fingerprints of each of the PAM Servers you will be connecting to this list.

    The host key fingerprint can be obtained from the Osirium PAM. Open a web browser window and enter the following: https://[PAM_Server_address]/downloads.

    Example
    Replace the example hostnames (FQDNs or IP addresses) and host key fingerprints with those of your own PAM Servers.
    [Image: hosts file configured]

  4. Once updated, save the changes within your editor.

Use Multiple PAM UI Servers for a single PAM Server (optional)

To assist in managing load, PAM supports distributing load across multiple PAM UI Servers via your load balancer.

Note

The load balancer must:

  • Use 'sticky' sessions, whereby a user must be routed to a single PAM UI Server throughout the lifetime of their PAM UI session. Typically this is based on the source IP address (the user's IP).

  • Have WebSocket or Socket.IO enabled.