Installation and Set Up

Prerequisites and Considerations

Environment Requirements



Decisions you will need to make

Preparing the Environment


We need DNS to resolve the future hostname of the PEM Server. Add a Forward Look Up Zone by opening DNS Manager and navigating to your domain folder.

DNS Manager -> DNS -> Computer Name -> Forward Lookup Zones - > Domain

Right click in the list and select New Host (A or AAAA).

Forward Lookup Zone


Your Windows Domain Controller needs to have LDAPS enabled, see here for more detail on enabling LDAPS.

Service Account

PEM requires a service account to be able to operate. Before configuring PEM you'll need to set up a service account with the following privileges:

  • Join a computer to the domain (using Samba).
  • Make LDAP queries concerning users and groups.
  • Run Powershell scripts via WinRM to:
    • Create, update and delete GPOs in the domain.
    • Generate TLS certificates (using certreq.exe).
    • Generate a Kerberos keytab for the PEM Server (using ktpass.exe).

PEM Server

The PEM Server is a virtual appliance, so you'll need a hypervisor to deploy the PEM Server.


In this guide, we'll look at using the vSphere HTML 5 client as an example.

Creating the Virtual Appliance

To get started, download the latest OVA. Please contact Osirium for details on how to download the PEM Server OVA.

Deploying the OVA

Right clicking a folder in the Hosts and Clusters pane of vSphere will display a drop down menu. Select the Deploy OVF Template option.

Actions Menu

Either download and verify the OVA locally, or deploy the PEM Server directly from the download link using the URL option.

Forward Lookup Zone

  • Assign a name to the PEM Server and select a folder where the PEM Server will be deployed.
  • Select a resource pool for the virtual appliance to use.

  • Review the OVA details.

  • Read and accept the license agreements.

  • Select a datastore for the PEM Server to be installed to.

  • Select a network to connect the PEM Server to.

  • Review and accept the settings.

Booting the PEM Server

Initially the PEM Server will be in a powererd off state by default, once the appliance has finished deploying, right click it and select Power On.


Configuring the PEM Server

Network Configuration

Once the PEM Server has completed booting use sudo netconf to configure a static IP.


Once you've filled in the details type sudo reboot to apply the configuration. Once the server has rebooted, check you can ping the DC using its FQDN to ensure the network configuration has been set up correctly.


Optionally at this point, type sudo sshconf and follow the instructions to set up SSH access to the PEM Server.

Setting up PEM

Navigate to the static IP address you designated to access the PEM server interface. Assign the password (which is also the MEK), confirm, and log in.
What's a MEK?

MEK stands for "Master Encryption Key". This is a permanent key that is necessary to unlock PEM after rebooting the PEM server. Without it, you will not be able to access the PEM server after a reboot.

Your initial admin password and MEK will be the same passphrase. Be sure to choose a strong admin passphrase/MEK during initial setup as this is the key to unlocking PEM after rebooting.


Complete the PEM Management configuration by following the in-product steps. You’ll need the information and assets listed on the pre-install checklist.