Privileged Session Manager (PSM) is an application cluster used to access, record, and monitor privileged sessions. It can be hosted as a Docker Swarm on local or cloud service locations. It launches when users with Login Session Access to a managed computer check out the credentials for that computer. You can configure PSM to record session activity, allowing Access Managers and other administrators to view what users do on the computer during a session.

This topic walks you through the process of setting up PSM. To completely set up PSM, you need to do the following:

1. Install Docker and Docker-Compose on a Linux server. The Linux server is the PSM server.

2. Create an OAuth application for PSM in EmpowerID.

3. Configure EmpowerID System Settings for PSM.

4. Generate a X509 certificate for the PSM OAuth application and upload it to the local machine and EmpowerID certificate stores.

5. Create a service account (EmpowerID Person) for PSM and map the certificate to that service account.

6. Use OpenSSL to extract the private and public key from the certificate.

7. Create Docker secrets on the PSM server.

8. Copy the psm.yml file you receive from EmpowerID to the root directory of the Linux server.

9. Initiate Docker swarm mode on the Linux server.

10. Pull the PSM Docker images from Dockerhub.

11. Deploy the stack.

PSM Server Installation Instructions

PSM Server requires a Linux instance (Amazon AMI/Ubuntu preferred). Follow the below instructions to install Docker and Docker-Compose on the server. 

• Ubuntu — Run the following commands one after the other:
  

  Code Block
  language text
  sudo apt-get remove docker docker-engine docker.io containerd runc curl =fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-get add - sudo apt-get update sudo apt-get install -y docker-ce sudo systemctl status docker

• Amazon AMI — If you are running Linux on Amazon AMI, please follow the instructions provided by Amazon at the following link: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/docker-basics.html#install_docker

EmpowerID Server Setup Instructions

In order to implement PSM for your environment, there are a number of tasks you must complete on your EmpowerID server. These include:

• Creating an OAuth Application for PSM

• Configuring EmpowerID System Settings for PSM

• Generating a self-signed X509 certificate for PSM

• Creating a PSM service account (EmpowerID Person)

• Mapping the PSM certificate to PSM service account

Step 1 – Create an OAuth Application for PSM

1. On the navbar, expand Apps and Authentication and click Applications.

2. From the Actions pane, click Create OAuth Application.
   

   

   
   This opens the OAuth Provider Application Details form.
   

   

3. In the OAuth Application Details section of the form, do the following:

   1. Fill in the Name, Display Name, and Description fields with values that reflect the purpose of the application.

   2. Select Web Application from the Application Type drop-down.

   3. Search for and select an owner for the application from the Application Owner drop-down. By default, the creator of the application is selected as the owner.

4. In the JWT Details section of the form, do the following:

   1. Leave the Issuer as EmpowerID

   2. Select the certificate used to sign assertions in your environment from the Signing Certificate drop-down.

5. Click Save.
   
   After EmpowerID creates the OAuth Provider application, your browser should be directed to the View One page for it.
   

   

Step 2 – Add the Callback URLs to the app

1. On the View One page for the application, expand the Callback URLs accordion and click the Add button.
   

   

2. Enter the FQDN of your EmpowerID server in the Callback URL field, formatted as https://yourserver/ui, and then click Save.

3. Click the Add button again and add a second callback URL, formatted as https://yourserver/WebIdPForms/OAuth/v2.
   

   

Step 3 – Add a client secret to the app

1. Expand the Client Secrets accordion on the View One page for the application and click the Add button.
   

   

2. In the General dialog that appears, do the following:

   • Name – Name of the secret

   • Expires – Select one of the below options:

     • I year

     • 2 years

     • Never

   • Client Secret – Copy and save this value as you will use it when creating Docker secrets later in this article.
     

     

     
     

     Insert excerpt
     IL:Callouts IL:Callouts name ClientSecret nopanel true

     
     

3. Save the secret.

4. On the View One page for the application, copy the values for the Client ID, API Key and OAuthProviderApplicationID. You will use these when creating Docker secrets later in this topic.
   

   

Step 4 – Configure EmpowerID System Settings for PSM

1. Expand Infrastructure Admin > EmpowerID Servers and Settings on the navbar and select EmpowerID System Settings.

2. On the EmpowerID System Settings page, search for psm.
   

   

3. For each setting relevant to your implementation of PSM, click the Edit  button and specify the value for your environment. 
   

   

   
   

   The table below shows the EmpowerID Systems Settings for PSM.
   

   Insert excerpt
   IL:PSM Settings Table IL:PSM Settings Table nopanel true

Step 5 – Generate a self-signed certificate for PSM

1. Expand Apps and Authentication> SSO Connections on the navbar and select SSO Components.

2. Select the Certificates tab and then click the Add button in the grid header.
   

   

3. Select Generate Self-Signed Certificate and enter the following information:

   • Certificate Owner – Search for and select an EmpowerID Person

   • Prefer Local Machine Store – Select this option

   • Subject Name – Enter something suitable to the purpose of the certificate, such as CN=PSM_Certificate

   • Requires Password – Select this option

   • Certificate Password – Enter a password for the certificate

4. Click Save to create the certificate.
   

   

Step 6 – Create the PSM Service Account

1. On the navbar, expand Identity Administration and click People.

2. Click the Create Person Simple Mode action link.
   

   

3. In the Create Person Request form that appears, do the following:

   1. Enter a First Name and Last Name for the Person account. As a best practice, the name should reflect the purpose of the Person account.

   2. Click the Select a Role and Location link.

   3. Search for and select the desired Business Role from the Business Role tree.

   4. Click the Location - link and then search for and select the desired location from the Location tree.

   5. Click Select to select the Business Role and Location.

   6. Click Save to save the new Person account.
      

      

      
      After EmpowerID creates the Person object, your browser should be directed to the View Page for the person.
      

      

      
      
      Next, map the PSM certificate to the Person as outlined below.

Step 7 – Map the PSM Certificate

1. Expand the Roles, Accounts, and Login Security accordion on the View page for the Person you just created.

2. Click the Edit  link in the Mapped Login Certificates pane.
   

   

3. Search for and select the PSM certificate you generated earlier and then click Save.

Step 8 – Create a computer object for the PSM Server

In order to include your PSM server as a PSM Gateway option when configuring computers for PSM, you need to create a computer object for it in EmpowerID and add it to the Computers for RDP account store. This account store is internal to EmpowerID and is used for managing non-inventoried computers. EmpowerID adds all computers located in this directory to the list of available PSM Gateways.

1. On the navbar, expand Privileged Access and select PAM Workflows.

2. Click Create Computer and Credential.
   

   Image RemovedImage Added

   This opens the Onboard Computer wizard workflow.
   

   Image RemovedImage Added

    

3. Enter the following information in the Computer Form section of the workflow:

   • DNS Host Name – DNS of the computer

   • Display Name – Display name of the computer

   • Description – Description of the computer

   • Publish in IAM Shop – Select this option if you want users to be able to request access to the computer in the IAM Shop; Not recommended for PSM Gateway

   • Computing Platform – Select one of the available options or leave the default setting of Unknown

   • Operating System Type – OS of the computer

   • Computer Type – Type of computer, such as Windows Workstation

   • Private Address – Private IP address of the computer

   • Public Address – Public IP address of the computer

4. Click Next to progress to the Select Creation Location configuration step.

5. In the Creation Location Selection lookup that appears, search for and select Computers for RDP.
   

   

6. Click Submit to progress to the Access Request Settings configuration step.

7. Under Owners and Policies, configure the following settings:

   • Access Request Policy – Select the Access Request policy appropriate for the credential. For computers, the following policies are pertinent. Each is linked to the Owner Approval Approval Flow policy, which means the owner of the computer must approve access requests.

     • Default Access Request Policy – Select this option when creating a computer without vaulting credentials for it in EmpowerID

     • Computer Creds - Allow Multi-Check-Out - No Password Reset – Select this policy when creating a computer and simultaneously vaulting credentials that initiate an RDP or SSH session where more than one session (credential check out) is allowed and you do not want EmpowerID to reset the password for the account when a user checks in the credentials. This policy is configured with the Owner Approval Approval Flow policy.

     • Computer Creds - No Multi-Check-Out - Password Reset – Select this policy when creating a computer and simultaneously vaulting credentials that initiate an RDP or SSH session where more than one session is not allowed, and you do want EmpowerID to reset the password for the account when the user checks in the credentials.

     • MFA - Computer Creds - Allow Multi- Check-Out - No Password Reset – Select this policy when creating a computer and simultaneously vaulting credentials that initiate an RDP or SSH session where multi-factor authentication is required, more than one session (credential check out) is allowed, and you do want EmpowerID to reset the password for the account when the user checks in the credentials.

   • Responsible Party – Search for and select the person responsible for the computer.

   • Computer Owners – Search for and select one or more persons as owners of the computer and then click Add. 

   • Computer Deputies – Search for and select one or more persons as deputy owners of the computer and then click Add.

8. Under Configure Eligibility, optionally add any eligible users for the computer as needed. Users must have a form of eligibility to request access to the computer in the IAM Shop. If you are not publishing the computer to the IAM shop, you can skip this and proceed to the next step.

9. Click Next to progress to the Select Gateway (Optional) configuration.

10. Optionally, search for and select the gateway computer used for PSM sessions and click Next to progress to the Select Credentials (optional) setting. If this setting is not applicable, simply click Next.

11. Optionally, search for and select the vaulted credentials for the computer and click Next to create the computer. If this setting is not applicable, simply click Next. 

Extract the Key from the PFX File

1. To extract the private key, run the below OpenSSL command:

   Code Block
   openssl pkcs12 -in <filename>.pfx -nocerts -nodes -out key.pem

2. To extract the certificate (public key), run the OpenSSL command:

   Code Block
   openssl pkcs12 -in <filename>.pfx -nokeys -out cert.pem

Create Docker Secrets and Keys on the PSM Server

You will need to create the following secrets and keys:

docker secret create PSM_EID_OAUTH_JWT_KEY /home/ec2-user/PSM_OAuth_Certificate_PublickeyCertificate.pem
printf p@$$w0rd | docker secret create PSM_EID_OAUTH_JWT_KEY_PASSPHRASE -
docker secret create PSM_SSL_PUB_CERT /home/ec2-user/pub.pem
docker secret create PSM_SSL_PRIV_PEM /home/ec2-user/pri.pem
printf manticore | docker secret create PSM_AZURE_CONTAINER_NAME -
printf p@$$w0rd | docker secret create PSM_SSL_PRIV_PEM_PW -
printf 6EFvpDfwiqpVv4YJVVwjY4ks4dNyPKDy | docker secret create PSM_DAEMON_SERVER_CRYPTKEY -
printf 6EFvpDfwiqpVv4YJVVwjY4ks4dNyPKDy | docker secret create PSM_GUAC_SERVER_CRYPTKEY -
printf AKIAIWR4JVLRY5BIBOKA | docker secret create PSM_AWS_ACCESS_KEY_ID -
printf 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 | docker secret create PSM_AWS_ACCESS_KEY_SECRET -
printf psmmanticore | docker secret create PSM_AZURE_STORAGE_ACCOUNT -
printf LNGyhS3AWKUF0F2Lg83Qr9r5MvEqqNyV0aEkpOPud7t+FjfqonGYvp6JOZlZKOoqrPyUQZB9gXtsogAeRTMC8Q== | docker secret create PSM_AZURE_STORAGE_ACCESS_KEY -
printf username | docker secret create REMOTE_UNC_USERNAME -
printf domain | docker secret create REMOTE_UNC_DOMAIN -
printf passwprd | docker secret create REMOTE_UNC_PASSWORD -

Edit the Docker Stack YAML File

1. Copy the psm.yml file you received from EmpowerID to the root directory of the Linux server.

2. Edit the values as needed for your implementation.

3. Save the psm.yml file.

Deploy the Docker Stack

1. Initiate swarm mode by running docker swarm init.

2. Pull the PSM Docker images from Docker Hub using the account EmpowerID support provisioned for you.

3. Run the following command to deploy the stack:

   Code Block
   docker stack deploy --with-registry-auth -c psm.yml psm

4. Verify the Docker containers are running by using the command docker ps.

Password Vaulting

Computer and Service Management

Checking Out Credentials and Initiating an RDP Session

Viewing Privileged Session Details