Privileged Session Manager (PSM) is an application cluster used to access, record, and monitor privileged sessions. It can be hosted as a Docker Swarm on local or cloud service locations. It launches when users with Login Session Access to a managed computer check out the credentials for that computer. You can configure PSM to record session activity, allowing Access Managers and other administrators to view what users do on the computer during a session.
This walks you through the process of setting up PSM. To completely set up PSM, you need to do the following:
To comply with European Union GDPR (General Data Protection Regulation) that was implemented on May 25, 2018, you must do one of two things:
Prerequisites: To set up PSM, you must have a good understanding of containerization technologies and their advantages, the Docker command line, and the Docker container management system. If you are not familiar with Docker, the following resources may be helpful:

What is Docker?
- https://itnext.io/getting-started-with-docker-1-b4dc83e64389
- https://docs.docker.com/get-started

What is Docker Hub?
- https://docs.docker.com/docker-hub

What is Docker Swarm?
- https://docs.docker.com/engine/swarm.key-concepts
- https://docs.docker.com/engine/swarm
- https://docs.docker.com/engine/swarm/swarm-tutorial

In addition to understanding Docker, you must have access to the following PSM Docker images:
- empowerid/psm_app:0.1.0
- empowerid/psm_daemon:0.1.0
- empowerid/psm_uploader:0.1.0
PSM Server requires a Linux instance (Amazon AMI/Ubuntu preferred). Follow the below instructions to install Docker and Docker-Compose on the server.
Run the following commands one after the other:
```
# Remove any distribution-packaged Docker first
sudo apt-get remove docker docker-engine docker.io containerd runc
# Trust Docker's package signing key (the original read "apt-get add", which is not a command)
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
# docker-ce is only published in Docker's own repository, so it must be added before the install
sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
sudo apt-get update
sudo apt-get install -y docker-ce
# Confirm the daemon is running
sudo systemctl status docker
```
If you are running Linux on Amazon AMI, please follow the instructions provided by Amazon at the below link:
https://docs.aws.amazon.com/AmazonECS/latest/developerguide/docker-basics.html#install_docker
In order to implement PSM for your environment, there are a number of tasks you must complete on your EmpowerID server. These include:
From the EmpowerID System Settings page, search for psm.
For each setting relevant to your implementation of PSM, click the Edit button and specify the value for your environment.
The below table shows the EmpowerID Systems Settings for PSM.
C:\Program Files\TheDotNetFactory\EmpowerID\EmpowerID.CertificateManager.exe file. To extract the private key, run the below OpenSSL command:

```
openssl pkcs12 -in <filename>.pfx -nocerts -nodes -out key.pem
```
To extract the certificate (public key), run the following OpenSSL command:

```
openssl pkcs12 -in <filename>.pfx -nokeys -out cert.pem
```
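The two openssl commands above pull the key and the certificate out of the .pfx, but they do not tell you whether the extracted key actually belongs to the certificate, and they do not produce the thumbprint value that PSM_EID_SRV_ACCT_CERT_THMB expects. The POSIX shell script below is an added example, not part of this documentation or of EmpowerID's tooling: it extracts both files the same way, checks that the certificate's public key is derived from the private key, and prints the SHA-1 thumbprint in the colon-free upper-case form the Windows certificate store shows. The function names, the PSM_PFX_PASS environment variable (so the password never sits on a command line), the output layout, and the self-signed certificate that make_test_pfx builds for a dry run are all assumptions or constructed test data.

```shell
#!/bin/sh
# Added example (not EmpowerID code). Assumes the .pfx password is exported in PSM_PFX_PASS.

# extract_pfx PFX OUTDIR -> writes OUTDIR/key.pem and OUTDIR/cert.pem, returns 0 on success
extract_pfx() {
  pfx=$1; out=$2
  # same extraction as the documented command, password read from the environment
  openssl pkcs12 -in "$pfx" -nocerts -nodes -passin env:PSM_PFX_PASS \
    -out "$out/key.pem" 2>/dev/null || return 1
  # -clcerts keeps only the end-entity certificate when the .pfx also carries a chain
  openssl pkcs12 -in "$pfx" -nokeys -clcerts -passin env:PSM_PFX_PASS \
    -out "$out/cert.pem" 2>/dev/null || return 1
  # the unencrypted key must not be group/world readable
  chmod 600 "$out/key.pem"
}

# key_matches_cert KEY CERT -> 0 when the public key inside CERT is the one derived from KEY
key_matches_cert() {
  key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null)
  cert_pub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)
  [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# cert_thumbprint CERT -> SHA-1 thumbprint as 40 upper-case hex characters, no colons
cert_thumbprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/^.*=//; s/://g' | tr 'a-f' 'A-F'
}

# make_test_pfx OUTDIR -> constructed self-signed certificate packed into OUTDIR/test.pfx
# (only so the script can be exercised without a real EmpowerID service-account certificate)
make_test_pfx() {
  out=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=psm-uploader-test \
    -keyout "$out/src-key.pem" -out "$out/src-cert.pem" 2>/dev/null || return 1
  openssl pkcs12 -export -inkey "$out/src-key.pem" -in "$out/src-cert.pem" \
    -passout env:PSM_PFX_PASS -out "$out/test.pfx" 2>/dev/null
}

# Stand-alone run: build a throwaway .pfx, extract it, verify the pair and print the thumbprint
if [ "${PSM_DEMO:-0}" = 1 ]; then
  PSM_PFX_PASS=constructed-pfx-password; export PSM_PFX_PASS
  work=$(mktemp -d)
  make_test_pfx "$work" && extract_pfx "$work/test.pfx" "$work" \
    && key_matches_cert "$work/key.pem" "$work/cert.pem" \
    && echo "PSM_EID_SRV_ACCT_CERT_THMB=$(cert_thumbprint "$work/cert.pem")"
  rm -rf "$work"
fi
```

Run it against a real export with `PSM_PFX_PASS=... ; export PSM_PFX_PASS; extract_pfx service.pfx ./out && key_matches_cert ./out/key.pem ./out/cert.pem && cert_thumbprint ./out/cert.pem`; a non-zero exit from key_matches_cert means the .pfx does not contain a matching pair and should not be turned into the PSM_EID_OAUTH_JWT_PFX / PSM_EID_OAUTH_JWT_KEY secrets.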
You will need to create the following secrets and keys:
Secrets | Description |
---|---|
PSM_EID_OAUTH_CLIENT_SECRET | The OAuth Client Secret of the OAuth application used to authenticate the PSM Uploader application |
PSM_EID_OAUTH_CLIENT_ID | The OAuth Client ID of the OAuth application used to authenticate the PSM Uploader application |
PSM_EID_OAUTH_API_KEY | The OAuth API Key of the OAuth application used to authenticate the PSM Uploader application |
PSM_EID_SRV_ACCT_CERT_THMB | The thumbprint of the certificate attached to the service user (Uploader service account) for PSM in EmpowerID |
PSM_EID_OAUTH_JWT_PFX | The .pfx of the certificate attached to the service user (Uploader service account) for PSM in EmpowerID |
PSM_EID_OAUTH_JWT_KEY | The JWT key used to sign the payload with (Uploader) |
PSM_EID_OAUTH_JWT_KEY_PASSPHRASE | Passphrase of the JWT key used to sign the request payload with (Uploader) |
PSM_SSL_PUB_CERT | PSM Application server SSL certificate (public cert) |
PSM_SSL_PRIV_PEM | PSM Application server SSL certificate (private key) |
PSM_SSL_PRIV_PEM_PW | PSM Application server SSL private key password |
PSM_DAEMON_SERVER_CRYPTKEY | PSM Application to Daemon communication crypt key (must be the same as PSM_GUAC_SERVER_CRYPTKEY) |
PSM_GUAC_SERVER_CRYPTKEY | PSM Application to Daemon communication crypt key (must be the same as PSM_DAEMON_SERVER_CRYPTKEY) |
PSM_AWS_ACCESS_KEY_ID | AWS Access Key ID for S3 recording storage |
PSM_AWS_ACCESS_KEY_SECRET | AWS Access Key Secret for S3 recording storage |
PSM_AZURE_STORAGE_ACCOUNT | Azure Storage account name for recording storage |
PSM_AZURE_STORAGE_ACCESS_KEY | Azure Storage account access key for recording storage |
PSM_AZURE_CONTAINER_NAME | Azure container name where recordings are stored |
REMOTE_UNC_USERNAME | Remote UNC location (shared folder) credential username (for local UNC storage of session recordings) |
REMOTE_UNC_DOMAIN | Remote UNC location (shared folder) credential domain |
REMOTE_UNC_PASSWORD | Remote UNC location (shared folder) credential password |
Keys | Default Value | Description |
---|---|---|
PSM_UPLOADER_SERVICE_URL | https://uploader.{your eid dns name}.co | The URL to the uploader service |
PSM_EID_OAUTH_GRANT_TYPE | urn:ietf:params:oauth:grant-type:jwt-bearer | The OAuth grant type used to authenticate the uploader with EID. Do not change the value |
PSM_EID_OAUTH_CALLBACK_URL | https/ | The EmpowerID Server URL |
PSM_UPLOAD_TYPE | AZURE | The cloud storage service option (AZURE/AWS) |
PSM_EID_SERVER_AUTHENTICATION_URL | https://{dns_of_your_empowerid_server}/oauth/v2/token | |
PSM_STORAGE_SHARE_LOCATION | /recording | Temporary local storage for recordings on the Application Server |
OAUTH_AUTHENTICATION_SERVICE_URL | https://{dns_of_your_empowerid_server}/oauth/v2/userinfo | |
FAILURE_RETRIES_INTERVAL | 5000 | Retry interval for a failed session recording upload (milliseconds) |
FAILURE_RETRIES_COUNT | 5 | Number of retries for a failed session recording upload |
PSM_DAEMON_SERVER_PORT | 4822 | Daemon port |
REMOTE_UNC_SHARE_LOCATION | /{IP}/recording | Shared folder location for remote UNC storage |
REMOTE_UNC_PORT | 445 | Remote UNC port number to the shared folder location |
PSM_UNC_SHARE_LOCATION | /recording | Temporary local storage on the Uploader service container |
PSM_AZURE_CONTAINER_NAME | | Azure Storage container name |
PSM_AWS_REGION | | AWS region |
PSM_AWS_BUCKET_NAME | | AWS storage bucket name |
The below examples demonstrate how to create Docker secrets for each of the types used by PSM. Values are passed either as a file path or on stdin (`-`). Inline values are single-quoted so the shell does not expand `$$` (the shell's process ID) or other metacharacters, and `printf '%s'` keeps the value from being interpreted as a format string.

```
docker secret create PSM_EID_OAUTH_JWT_KEY /home/ec2-user/PSM_OAuth_Certificate_PublickeyCertificate.pem
printf '%s' 'p@$$w0rd' | docker secret create PSM_EID_OAUTH_JWT_KEY_PASSPHRASE -
docker secret create PSM_SSL_PUB_CERT /home/ec2-user/pub.pem
docker secret create PSM_SSL_PRIV_PEM /home/ec2-user/pri.pem
printf '%s' 'manticore' | docker secret create PSM_AZURE_CONTAINER_NAME -
printf '%s' 'p@$$w0rd' | docker secret create PSM_SSL_PRIV_PEM_PW -
# The two crypt keys must carry the identical value
printf '%s' '6EFvpDfwiqpVv4YJVVwjY4ks4dNyPKDy' | docker secret create PSM_DAEMON_SERVER_CRYPTKEY -
printf '%s' '6EFvpDfwiqpVv4YJVVwjY4ks4dNyPKDy' | docker secret create PSM_GUAC_SERVER_CRYPTKEY -
printf '%s' 'AKIAIWR4JVLRY5BIBOKA' | docker secret create PSM_AWS_ACCESS_KEY_ID -
printf '%s' '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' | docker secret create PSM_AWS_ACCESS_KEY_SECRET -
printf '%s' 'psmmanticore' | docker secret create PSM_AZURE_STORAGE_ACCOUNT -
printf '%s' 'LNGyhS3AWKUF0F2Lg83Qr9r5MvEqqNyV0aEkpOPud7t+FjfqonGYvp6JOZlZKOoqrPyUQZB9gXtsogAeRTMC8Q==' | docker secret create PSM_AZURE_STORAGE_ACCESS_KEY -
printf '%s' 'username' | docker secret create REMOTE_UNC_USERNAME -
printf '%s' 'domain' | docker secret create REMOTE_UNC_DOMAIN -
printf '%s' 'password' | docker secret create REMOTE_UNC_PASSWORD -
```
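Typing the secret values one by one on the command line, as the examples above do, leaves them in shell history and in the process list, and nothing checks that the set is complete or that the two crypt keys really match before the stack is deployed. The POSIX shell script below is an added example, not part of this documentation or of EmpowerID's tooling: it keeps one file per secret (mode 600, no trailing newline) in a directory, validates the set against the secret table above for the chosen PSM_UPLOAD_TYPE, confirms PSM_DAEMON_SERVER_CRYPTKEY and PSM_GUAC_SERVER_CRYPTKEY are identical, and only then runs `docker secret create NAME FILE` for each. The file-per-secret layout, the function names, the DOCKER_BIN override and the values written by make_sample_psm_secrets are all assumptions or constructed sample data; the secret names are the ones from the table.

```shell
#!/bin/sh
# Added example (not EmpowerID code). Layout assumption: $DIR/<SECRET_NAME> holds the value.

# Secrets every deployment needs (uploader OAuth, TLS, and the shared crypt key)
PSM_BASE_SECRETS="PSM_EID_OAUTH_CLIENT_ID PSM_EID_OAUTH_CLIENT_SECRET PSM_EID_OAUTH_API_KEY \
PSM_EID_OAUTH_JWT_KEY PSM_EID_OAUTH_JWT_KEY_PASSPHRASE PSM_SSL_PUB_CERT PSM_SSL_PRIV_PEM \
PSM_SSL_PRIV_PEM_PW PSM_DAEMON_SERVER_CRYPTKEY PSM_GUAC_SERVER_CRYPTKEY"
# Secrets that depend on the PSM_UPLOAD_TYPE setting (AWS or AZURE)
PSM_AWS_SECRETS="PSM_AWS_ACCESS_KEY_ID PSM_AWS_ACCESS_KEY_SECRET"
PSM_AZURE_SECRETS="PSM_AZURE_STORAGE_ACCOUNT PSM_AZURE_STORAGE_ACCESS_KEY PSM_AZURE_CONTAINER_NAME"

# check_psm_secrets DIR UPLOAD_TYPE -> 0 when the set is complete, private, and consistent
check_psm_secrets() {
  dir=$1; upload_type=$2; errors=0
  case "$upload_type" in
    AWS)   required="$PSM_BASE_SECRETS $PSM_AWS_SECRETS" ;;
    AZURE) required="$PSM_BASE_SECRETS $PSM_AZURE_SECRETS" ;;
    *) echo "unknown PSM_UPLOAD_TYPE: $upload_type"; return 1 ;;
  esac
  for name in $required; do
    f="$dir/$name"
    if [ ! -s "$f" ]; then
      echo "missing or empty: $name"; errors=$((errors + 1)); continue
    fi
    # group/world-readable secret material is a finding in itself (ls columns 5-10 are group+other)
    if [ "$(ls -ld "$f" | cut -c5-10)" != "------" ]; then
      echo "too permissive: $name"; errors=$((errors + 1))
    fi
  done
  # the application and the daemon share one key; a mismatch breaks recording without an obvious error
  if [ -s "$dir/PSM_DAEMON_SERVER_CRYPTKEY" ] && [ -s "$dir/PSM_GUAC_SERVER_CRYPTKEY" ] \
     && [ "$(cat "$dir/PSM_DAEMON_SERVER_CRYPTKEY")" != "$(cat "$dir/PSM_GUAC_SERVER_CRYPTKEY")" ]; then
    echo "PSM_DAEMON_SERVER_CRYPTKEY and PSM_GUAC_SERVER_CRYPTKEY differ"; errors=$((errors + 1))
  fi
  [ "$errors" -eq 0 ]
}

# create_psm_secrets DIR UPLOAD_TYPE -> validates, then creates one Docker secret per file
# DOCKER_BIN can be overridden (e.g. DOCKER_BIN=true) for a dry run without a swarm
create_psm_secrets() {
  check_psm_secrets "$1" "$2" || return 1
  for f in "$1"/*; do
    # file-based create: the value never appears on a command line or in shell history
    "${DOCKER_BIN:-docker}" secret create "$(basename "$f")" "$f" >/dev/null || return 1
  done
}

# make_sample_psm_secrets DIR -> constructed sample set for an AZURE deployment (not real credentials)
make_sample_psm_secrets() {
  ( umask 077   # new files come out as mode 600
    for name in $PSM_BASE_SECRETS $PSM_AZURE_SECRETS; do
      printf '%s' "constructed-value-for-$name" > "$1/$name"   # printf '%s': no trailing newline
    done
    printf '%s' 'constructed-shared-cryptkey' > "$1/PSM_DAEMON_SERVER_CRYPTKEY"
    printf '%s' 'constructed-shared-cryptkey' > "$1/PSM_GUAC_SERVER_CRYPTKEY"
  )
}

# Stand-alone run: build the sample set and dry-run the creation step
if [ "${PSM_DEMO:-0}" = 1 ]; then
  work=$(mktemp -d)
  make_sample_psm_secrets "$work"
  DOCKER_BIN=true create_psm_secrets "$work" AZURE && echo "secret set OK"
  rm -rf "$work"
fi
```

For a real deployment, populate the directory yourself (the .pem files from the certificate step go in as PSM_EID_OAUTH_JWT_KEY, PSM_SSL_PUB_CERT and PSM_SSL_PRIV_PEM unchanged), run `check_psm_secrets ./secrets AZURE` first, and call `create_psm_secrets ./secrets AZURE` on a manager node after `docker swarm init`. Docker stores the file bytes verbatim, so a value written with `echo` instead of `printf '%s'` would carry a trailing newline into the secret.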
```
docker swarm init
```

Run the following command to deploy the stack:

```
docker stack deploy --with-registry-auth -c psm.yml psm
```

Check that the stack's containers are running:

```
docker ps
```