Setting Up Privileged Session Management

Privileged Session Manager (PSM) is an application cluster used to access, record, and monitor privileged sessions. It can be hosted as a Docker Swarm on local or cloud service locations. It launches when users with Login Session Access to a managed computer check out the credentials for that computer. You can configure PSM to record session activity, allowing Access Managers and other administrators to view what users do on the computer during a session.

This walks you through the process of setting up PSM. To completely set up PSM, you need to do the following:

  1. Install Docker and Docker-Compose on a Linux server. The Linux server is the PSM server.
  2. Create an OAuth application for PSM in EmpowerID.
  3. Configure EmpowerID System Settings for PSM.
  4. Generate a X509 certificate for the PSM OAuth application and upload it to the local machine and EmpowerID certificate stores.
  5. Create a service account (EmpowerID Person) for PSM and map the certificate to that service account.
  6. Use OpenSSL to extract the private and public key from the certificate.
  7. Create Docker secrets on the PSM server.
  8. Copy the psm.yml file you receive from EmpowerID to the root directory of the Linux server.
  9. Initiate Docker swarm mode on the Linux server.
  10. Pull the PSM Docker images from Dockerhub.
  11. Deploy the stack.


To comply with European Union GDPR (General Data Protection Regulation) that was implemented on May 25, 2018, you must do one of two things:

  • Turn off live monitoring and session recording. (See Creating Privileged Session Policies.)
  • Clearly alert the user that their session will be recorded, how it will be recorded, and that they can opt out of such monitoring by not continuing to the session.

Prerequisites:

To set up PSM, you must have a good understanding of containerization technologies and their advantages, the Docker Command Line and Docker Container Management System. If you are not familiar with Docker, the following resources may be helpful:

What is Docker?

https://itnext.io/getting-started-with-docker-1-b4dc83e64389

https://docs.docker.com/get-started

What is Docker Hub?

https://docs.docker.com/docker-hub

What is Docker swarm?

https://docs.docker.com/engine/swarm.key-concepts

https://docs.docker.com/engine/swarm

https://docs.docker.com/engine/swarm/swarm-tutorial


In addition to understanding Docker, you must have access to the below PSM Docker images:

empowerid/psm_app:0.1.0

empowerid/psm_daemon:0.1.0

empowerid/psm_uploader:0.1.0

OpenSSL - OpenSSL is needed to extract the KEY from the certificate you will generate and map the Service Account used for PSM. If you do not have OpenSSL installed, you can do so by following the instructions provided here: https://www.xolphin.com/support/OpenSSL/OpenSSL_-_Installation_under_Windows.

PSM Server Installation Instructions

PSM Server requires a Linux instance (Amazon AMI/Ubuntu preferred). Follow the below instructions to install Docker and Docker-Compose on the server. 

• Ubuntu

Run the following commands one after the other:

sudo apt-get remove docker docker-engine docker.io containerd runc

curl =fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-get add -

sudo apt-get update

sudo apt-get install -y docker-ce

sudo systemctl status docker

• Amazon AMI

If you are running Linux on Amazon AMI, please follow the instructions provided by Amazon at the below link:

https://docs.aws.amazon.com/AmazonECS/latest/developerguide/docker-basics.html#install_docker


EmpowerID Server Setup Instructions

In order to implement PSM for your environment, there are a number of tasks you must complete on your EmpowerID server. These include:

Creating an OAuth Application for PSM

  1. From the navigation sidebar of the EmpowerID Web interface, expand Single Sign-On and click Applications.
  2. From the Actions pane, click Create OAuth Application.
  3. In the OAuth Application Details section of the form, do the following:
    1. Fill in the Name, Display Name and Description fields with values that reflect the purpose of the application.
    2. Select Active from the Application Status drop-down.
    3. Select Web Application from the Application Type drop-down.
    4. Leave all other fields as is.



  4. Scroll to the JWT Details section of the form and select the certificate used to sign assertions in your environment from the Signing Certificate drop-down.
  5. Scroll to the Callback URLs section of the form and add Callback URLs for the application by doing the following:
    1. Click the Add button (plus) located to the left of Callback URL.



    2. In the Details pane that appears, type the FQDN of your EmpowerID server in the Callback URL field and then click Save.



    3. Click the Add button again and add a second Callback URL, formatted as https://yourserver/WebIdPForms/Auth/v2.



    4. Scroll to the bottom of the page and click Save to save the application.
  6. From the View One page for the application, copy the values for the Client ID, Client API SecretAPI Key and OAuthProviderApplicationID. You will use these when creating Docker secrets later in this topic.

Configuring EmpowerID System Settings for PSM

  1. From the navigation sidebar, expand Infrastructure Admin > EmpowerID Servers and Settings and click EmpowerID System Settings.
  2. From the EmpowerID System Settings page, search for psm.




  3. For each setting relevant to your implementation of PSM, click the Edit button and specify the value for your environment. 




    The below table shows the EmpowerID Systems Settings for PSM.

    PSM SettingRequiredPurpose
    PSMAWSBucketNameOptional

    Specifies the Amazon AWS S3 bucket to store recordings. Leave the value empty if you are not using AWS.

    PSMAWSRegionEndpoint 

    Optional

    Specifies the Amazon AWS region for the S3 bucket for recordings. Leave the value empty if you are not using AWS.

    PSMAzureBucketNameOptional

    Specifies the Azure bucket to store recordings. Leave the value empty if you are not using Azure.

    PSMEnabled

    Required

    Specifies whether the PSM RDP proxy is enabled in the EmpowerID user interface.

    If set to false, users who request and receive approval to access a computer cannot initiate a PSM session from the My Resources view of the IT Shop

    PSMStorageModeRequired

    Specifies where to store session recordings. Valid values are: AWS, Azure, or UNC.

    PSMUNCStorageLocationOptional

    Specifies the UNC path to a network folder for storage of recordings when PSMStorageMode is set to UNC.

    PSMAzureConnectionStringRequiredSpecifies the Azure Manticore Storage Container Connection String.
    PSMAzureContainerNameRequiredThe Azure container that holds the session recordings.
    PSMOAuthConsumerGUIDRequiredUsed to look up the OAuth Consumer credentials to use for AWS storage.
    PSMOAuthApplicationGUIDRequiredPrivileged Session Manager RDP Client OAuth Application GUID

Generating an OAuth certificate for PSM

  1. From File Explorer, navigate to the EmpowerID installation directory, located by default at C:\Program Files\TheDotNetFactory\EmpowerID.
  2. Open the Programs folder and locate the EmpowerID.CertificateManager.exe file.
  3. Open the application and click the Generate tab.



  4. Select X509 Certificate.



  5. Change the Subject Name from CN=EmpowerID Self-signed Certificate to something more suitable to the purpose of the certificate, such as CN=PSM_OAuth_Certificate.
  6. Enter a Password in the Password field.
  7. Click the Browse button, browse to an Output Folder and click OK.
  8. Select the Import to EmpowerID Certificate Store option.
  9. Select the Import to Local Certificate Store option.
  10. Click Generate.



    Once the EmpowerID generates the certificate, you should see the Certificate Information pane.


Creating a PSM Service Account (EmpowerID Person)

  1. From the navigation sidebar, expand Identity Administration and click People.
  2. Click the Create Person Simple Mode action link.
  3. In the Create Person Request form that appears, enter a First Name and Last Name for the Person account. As a best practice, the name should reflect the purpose of the Person account.



  4. Click the Select a Role and Location link.
  5. Search for the desired Business Role for the Person and then click the node for that role.



  6. Click the Location - link and then search for and select the desired location.



  7. Click Select to select the Business Role and Location.
  8. Click Save to save the new Person account.



    Next, map the PSM certificate to the Person as outlined below.

Mapping the PSM Certificate

  1. From the View page for the Person you just created, expand the Roles, Accounts, and Login Security accordion.
  2. Click the Edit link in the Mapped Login Certificates pane.



  3. Search for and select the PSM certificate you generated earlier.
  4. Click Save.


Extracting the Key from the PFX File
  1. To extract the private key, run the below OpenSSL command:

    openssl pkcs12 -in <filename>.pfx -nocerts -nodes -out key.pem
  2. To extract the certificate (public key), run the OpenSSL command:

    openssl pkcs12 -in <filename>.pfx -nokeys -out cert.pem

Creating Docker Secrets and Keys on the PSM Server

You will need to create the following secrets and keys:

SecretsDescription
PSM_EID_OAUTH_CLIENT_SECRETThe OAuth Client Secret of the OAuth application used to authenticate the PSM Uploader application
PSM_EID_OAUTH_CLIENT_IDThe OAuth Client ID of the OAuth application used to authenticate the PSM Uploader application
PSM_EID_OAUTH_API_KEYThe OAuth API Key of the OAuth application used to authenticate the PSM Uploader application
PSM_EID_SRV_ACCT_CERT_THMBThe Thumbprint of the certificate attached to the service user(Uploader Service account) for PSM in EmpowerID
PSM_EID_OAUTH_JWT_PFXThe Pfx of the certificate attached to the service user(Uploader Service account) for PSM in EmpowerID
PSM_EID_OAUTH_JWT_KEYThe JWT Key used to sign the payload with (Uploader)
PSM_EID_OAUTH_JWT_KEY_PASSPHRASEPassphrase to the JWT Key used to sign the request payload with (Uploader)
PSM_SSL_PUB_CERTPSM Application server SSL certificate (Public Cert)
PSM_SSL_PRIV_PEMPSM Application server SSL certificate (Private Key)
PSM_SSL_PRIV_PEM_PWPSM Application server SSL Private Key password
PSM_DAEMON_SERVER_CRYPTKEYPSM Application – Daemon communication Cryptkey (needs to be the same as the PSM_GUAC_SERVER_CRYPTKEY)
PSM_GUAC_SERVER_CRYPTKEYPSM Application – Daemon communication Cryptkey (needs to be the same as the PSM_ DAEMON_SERVER_CRYPTKEY)
PSM_AWS_ACCESS_KEY_IDAWS Access Key ID for S3 recording storage
PSM_AWS_ACCESS_KEY_SECRETAWS Access Key Secret for S3 recording storage
PSM_AZURE_STORAGE_ACCOUNTAzure Storage account name for recording storage
PSM_AZURE_STORAGE_ACCESS_KEYAzure Storage account access key for recording storage
PSM_AZURE_CONTAINER_NAMEAzure container name where recordings are stored
REMOTE_UNC_USERNAMERemote UNC location (Shared Folder) Credential Username (For local UNC storage of session recordings)
REMOTE_UNC_DOMAINRemote UNC location (Shared Folder) Credential Domain
REMOTE_UNC_PASSWORDRemote UNC location (Shared Folder) Credential Password
KeysDefault ValueDescription
PSM_UPLOADER_SERVICE_URLhttps://upload er.{your eid dns name}.coThe URL to the uploader service
PSM_EID_OAUTH_GRANT_TYPEurn:ietf:param s:oauth:granttype:jwtbearerThe OAuth Grant Type used to authenticate the uploader with EID. Do not change the value
PSM_EID_OAUTH_CALLBACK_URLhttps/The EmpowerID Server URL
PSM_UPLOAD_TYPEAZUREThe cloud storage service option (AZURE/AWS)
PSM_EID_SERVER_AUTHENTICATION_URLhttps://{dns_of_your_empowerid_server}/oauth/v2 /tokenTemporary local storage for recordings on the Application Server
PSM_STORAGE_SHARE_LOCATION/recording
OAUTH_AUTHENTICATION_SERVICE_URLhttps://{dns_of_your_empowerid_server}/oauth/v2 /userinfo
FAILURE_RETRIES_INTERVAL5000Retry interval for a failed session recording upload (milliseconds)
FAILURE_RETRIES_COUNT5Number of retries for a failed session recording upload
PSM_DAEMON_SERVER_PORT4822Daemon port
REMOTE_UNC_SHARE_LOCATION/{IP}/recordingShared folder location for remote UNC Storage
REMOTE_UNC_PORT445Remote UNC port number to the shared folder location
PSM_UNC_SHARE_LOCATION/recordingTemporary local storage on the Uploader service container
PSM_AZURE_CONTAINER_NAME
Azure Storage container name
PSM_AWS_REGION
AWS region
PSM_AWS_BUCKET_NAME
AWS storage bucket name

How to create a Docker secret

The below examples demonstrate how to create Docker secrets for each of the types used by PSM.

docker secret create PSM_EID_OAUTH_JWT_KEY /home/ec2-user/PSM_OAuth_Certificate_PublickeyCertificate.pem
printf p@$$w0rd | docker secret create PSM_EID_OAUTH_JWT_KEY_PASSPHRASE -
docker secret create PSM_SSL_PUB_CERT /home/ec2-user/pub.pem
docker secret create PSM_SSL_PRIV_PEM /home/ec2-user/pri.pem
printf manticore | docker secret create PSM_AZURE_CONTAINER_NAME -
printf p@$$w0rd | docker secret create PSM_SSL_PRIV_PEM_PW -
printf 6EFvpDfwiqpVv4YJVVwjY4ks4dNyPKDy | docker secret create PSM_DAEMON_SERVER_CRYPTKEY -
printf 6EFvpDfwiqpVv4YJVVwjY4ks4dNyPKDy | docker secret create PSM_GUAC_SERVER_CRYPTKEY -
printf AKIAIWR4JVLRY5BIBOKA | docker secret create PSM_AWS_ACCESS_KEY_ID -
printf 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 | docker secret create PSM_AWS_ACCESS_KEY_SECRET -
printf psmmanticore | docker secret create PSM_AZURE_STORAGE_ACCOUNT -
printf LNGyhS3AWKUF0F2Lg83Qr9r5MvEqqNyV0aEkpOPud7t+FjfqonGYvp6JOZlZKOoqrPyUQZB9gXtsogAeRTMC8Q== | docker secret create PSM_AZURE_STORAGE_ACCESS_KEY -
printf username | docker secret create REMOTE_UNC_USERNAME -
printf domain | docker secret create REMOTE_UNC_DOMAIN -
printf passwprd | docker secret create REMOTE_UNC_PASSWORD -

Edit the Docker Stack YAML File

  1. Copy the psm.yml file you received from EmpowerID to the root directory of the Linux server.
  2. Edit the values as needed for your implementation.
  3. Save the psm.yml file.

Deploying the Docker Stack

  1. Initiate swarm mode by running docker swarm init.
  2. Pull the PSM Docker images from Docker Hub using the account EmpowerID support provisioned for you.
  3. Run the following command to deploy the stack:

    docker stack deploy --with-registry-auth -c psm.yml psm
  4. Verify the Docker containers are running by using the command docker ps.


   

On this page