Skip to main content
Version: Axidian Privilege 2.10

Simplified Installation on Linux OS

caution

With this type of installation you will install the components of management server and access server (SSH-Proxy or RDP-Proxy) on the one server.

Preparation

Before you begin the installation, please read the preparation for installation section.

Certificates

Certificate of Certification Authority

Move the CA certificate to the distribution along the path:

axidian-pam-linux\state\ca-certificates

Server Certificate

Move the server certificate to the distribution along the path:

axidian-pam-linux\state\certs

vars

  1. Go to the folder axidian-pam-linux\scripts\ansible and open the file vars.yml.
  2. Find the line # pfx_pass: "ENTER_HERE" and delete the # symbol.
  3. Instead of ENTER_HERE, specify the password for the server certificate and save the changes.

Flat Configuration File

  1. Go to the distribution folder.
  2. Change the config.json.template file extension from template to json.
  3. Make sure the file name is config.json.

Fill in the indicated fields in the configuration file:

{
  "DefaultServer": "TARGET_SERVER_FQDN", //to be filled out
  "DefaultDbServer": "pgsql",
  "DefaultDbUser": "admin",
  "DefaultDbPassword": "Q1w2e3r4",
  "IdpAdminSids": [
    "AD_ADMIN_SID" //to be filled out
  ],
 "CoreServiceStorageConfiguration": {
    "Type": "FileSystem",
    "Settings": {
    "Root": "/mnt/storage"
    }
  },
  "GatewayServiceStorageConfiguration": {
    "Type": "FileSystem",
    "Settings": {
    "Root": "/mnt/storage"
    }
  },
  "Database": "pgsql",
 "LogServerUrl": "http://ls:5080/api",
  "EncryptionKey": "3227cff10b834ee60ad285588c6510ea1b4ded5b24704cf644a51d2a9db3b7e5", //to be filled out
  "ActiveDirectoryDomain": "AD_FQDN", //to be filled out
  "ActiveDirectoryContainerPath": "USER_CONTAINER_DN", //to be filled out
  "ActiveDirectoryUserName": "AD_SERVICE_USER_NAME", //to be filled out
  "ActiveDirectoryPassword": "AD_SERVICE_USER_PASSWORD", //to be filled out
  "ActiveDirectorySsl": false,
  "IsLinux": true,
  "ThreadPoolSize": 8,
  "Enable2faByDefault": true,
  "enableOrganizationalUnits": false
}

Parameters:

  • DefaultServer — FQDN of the server, for example server.domain.local.com.

  • DefaultDbServer — FQDN of the database server, for example server.domain.local.com. To install a pgsql with local docker image for simplified installation, you need to specify pgsql.

  • DefaultDbUser — database user. To install a pgsql with local docker image, you need to specify admin.

  • DefaultDbPassword — password of the database user. To install a pgsql with local docker image, you need to specify Q1w2e3r4.

  • IdpAdminSids — Administrator SID from Active Directory.

  • CoreServiceStorageConfiguration — path to the media storage from where the Core component will read session artifacts.

  • GatewayServiceStorageConfiguration — path to the media storage where session artifacts will be placed.

  • Database — database type, for simplified installation specify pgsql.

  • LogServerUrl — URL address for accessing the LogServer component. Leave unchanged.

  • EncryptionKey — encryption key. You can use the key specified above.

    note

    It is recommended to generate a new database encryption key using the Axidian PAM.KeyGen.exe utility, located at the path axidian-pam-tools\key-gen.

  • ActiveDirectoryDomain — DNS of the domain, for example domain.local.com.

  • ActiveDirectoryContainerPath — path to Active Directory users, for example DC=axidian,DC=test.

  • ActiveDirectoryUserName — username for connecting to Active Directory.

  • ActiveDirectoryPassword — user password for connecting to Active Directory.

  • ActiveDirectorySsl — this parameter is responsible for selecting a connection via LDAPS.

  • IsLinux — this parameter is responsible for applying default settings for Linux and Windows systems.

  • ThreadPoolSize — total number of created threads in rdp-proxy. Leave unchanged.

  • Enable2faByDefault — parameter responsible for requesting 2FA from users by default.

  • enableOrganizationalUnits — parameter responsible for adding the Structure section to PAM.

Example of a completed config.json
{
  "DefaultServer": "pamserver.axidian.local", //to be filled out
  "DefaultDbServer": "pgsql",
  "DefaultDbUser": "admin",
  "DefaultDbPassword": "Q1w2e3r4",
  "IdpAdminSids": [
    "S-1-5-21-2099084505-2851035876-2509165319-1112" //to be filled out
  ],
 "CoreServiceStorageConfiguration": {
    "Type": "FileSystem",
    "Settings": {
    "Root": "/mnt/storage"
    }
  },
  "GatewayServiceStorageConfiguration": {
    "Type": "FileSystem",
    "Settings": {
    "Root": "/mnt/storage"
    }
  },
  "Database": "pgsql",
  "LogServerUrl": "http://ls:5080/api",
  "EncryptionKey": "3227cff10b834ee60ad285588c6510ea1b4ded5b24704cf644a51d2a9db3b7e5", //to be filled out
  "ActiveDirectoryDomain": "axidian.local", //to be filled out
  "ActiveDirectoryContainerPath": "OU=PAMUsers,DC=axidian,DC=local", //to be filled out
  "ActiveDirectoryUserName": "IPAMADReadOps", //to be filled out
  "ActiveDirectoryPassword": "!Q2w3e$R", //to be filled out
  "ActiveDirectorySsl": false,
  "IsLinux": true,
  "ThreadPoolSize": 8,
  "Enable2faByDefault": true,
  "enableOrganizationalUnits": false
}

Installation

  1. Move the axidian-pam-linux distribution folder to the target Linux resource

  2. If CIS Benchmark Docker security settings are applied, then run the installation script with the command:

    sudo bash run-deploy.sh

    If CIS Benchmark Docker security settings are not applied, then run the installation script with the command:

    sudo bash run-deploy.sh --bench-skip

  3. At the Enter target IP step press Enter

  4. When prompted, enter your local sudo user name (for example, root) and password

  5. Wait until the installation is complete

    info

    If the script aborted with an error, send the log file to technical support.