ARCON|PAM Installation and Configuration Guide | Version 4.8.5.0_U4

Table of Contents

1 Introduction ... 7
2 About this Guide ... 8
3 Product Overview ... 10
3.1 Solution Benefits ... 10
3.2 Solution Architecture ... 11
3.3 Communication Flow ... 11
3.4 Reference Architecture ... 12
3.4.1 Introduction ... 12
3.4.1.1 Standard and Appliance Architecture Configuration (SAC) ... 12
3.4.1.2 Cloud Based Deployment Architecture (AWS) ... 14
3.4.1.3 Intermediate Architecture Configuration (IAC) ... 16
3.4.1.4 Advanced Architecture Configuration (AAC) ... 18
3.4.1.5 Distributed ARCON PAM ... 20
3.4.1.6 Near Zero Time (Offline) Architecture ... 21
4 Preparing to Install ... 24
4.1 Prerequisite for Infrastructure Requirement ... 24
5 Database Installation and Configuration ... 25
5.1 SQL Server Setup Pre-requisites ... 25
5.2 SQL Server Express Installation ... 25
5.3 DB User Creation and Assign Permission ... 32
5.4 Folder Creation for database and Log files ... 32
5.4.1 Database ... 32
5.4.1.1 Log Data File (LDF) ... 32
5.5 Database Creation, Restoration and Owner Assignment ... 33
5.5.1 ARCOSDB ... 33
5.5.2 ARCOSRDPDB ... 33
5.5.3 Create Database ... 34
5.5.3.1 Create ARCOSDB database ... 34
5.5.3.2 Create ARCOSRDPDB database ... 35
5.5.4 Database Restore ... 35
5.5.4.1 Restore template ARCOSDB from setup files ... 35
5.5.4.2 Restore template ARCOSRDPDB from setup files ... 39
5.5.5 Database Ownership and Recovery ... 39
5.5.5.1 Ownership and Recovery mode for ARCOSDB ... 39
5.5.5.2 Recovery mode for ARCOSRDPDB ... 40
5.5.6 Assign Database Role to New User (arcossqladmin) ... 41
6 Web Component Configuration ... 43
6.1 Install Frameworks and Controls ... 43
6.2 Configure ARCON PAM Client Manager ... 43
6.2.1 Import SSL Certificate for ARCON PAM Client Manager ... 44
6.2.2 Create Self-Signed Certificate for ARCON PAM Client Manager ... 44
6.2.3 Assign SSL Certificate to ARCON PAM Client Manager ... 44
6.2.4 Application Pool Setting for ARCON PAM Client Manager ... 45
6.2.5 Test ARCON PAM Client Manager component on IE Browser ... 46
6.3 Configure ARCON PAM User Access Log Viewer Web Component ... 46
6.3.1 Application Pool Setting for ARCON PAM User Access Log Viewer Web ... 48
6.3.2 Test ARCON PAM User Access Log Viewer Web component on Browser ... 49
6.4 Database (DB) Settings Creations ... 50
6.4.1 Enable IIS Server on Web Server (Windows Only) ... 51
6.5 License Registration and Login ... 51
6.5.1 ARCON PAM Server License Registration ... 52
6.5.2 Domain Creation ... 53
6.5.2.1 AD Integration (LDAP or LDAP SSL) ... 53
6.5.2.2 ARCOSAUTH Local Repository Creation ... 54
6.5.2.3 ARCON PAM Portal Login ... 55
7 Secure Gateway Configuration ... 56
7.1 With Windows Server (Using Bitvise) ... 56
7.1.1 Installing Bitvise ... 63
7.2 With UNIX/Linux Server ... 78
7.2.1 Configure Secure Gateway Server ... 78
7.3 Supporting ARCON PAM Windows Components ... 82
8 LOB or Profile Master ... 84

About this manual

This user manual is comprehensive documentation for those wanting to get the most out of ARCON PAM (Privileged Access Management). It combines step-by-step instructions to help you install ARCON PAM and configure the database. It covers:

• Disclaimer
• Copyright Notice
• Related Documents
• Target Audience
• Symbols & Conventions
• Acronyms
• POC (Point of Contacts) & Support Information

Disclaimer

This manual of the ARCON PAM solution is published to guide administrators through the step-by-step procedures involved in installing ARCON PAM and configuring the database. The manual is in the nature of a guide for the users and, if any of the statements in this document are at variance or inconsistent, it shall be brought to the notice of ARCON PAM through the support team.
Wherever appropriate, references have been made to facilitate a better understanding of the PAM solution. The ARCON PAM team has made every effort to ensure that the information contained in it was correct at the time of publishing.

This manual of the ARCON PAM solution contains information which is the intellectual property of ARCON PAM. This document is received in confidence and its contents cannot be disclosed or copied without the prior written consent of ARCON PAM.

Nothing in this document constitutes a guaranty, warranty, or license, expressed or implied. ARCON PAM disclaims all liability for all such guaranties, warranties, and licenses, including but not limited to: fitness for a particular purpose; merchantability; non-infringement of intellectual property or other rights of any third party or of ARCON PAM; indemnity; and all others. The reader is advised that third parties can have intellectual property rights that can be relevant to this document and the technologies discussed herein, and is advised to seek the advice of competent legal counsel, without obligation of ARCON PAM.

Copyright Notice

Copyright © 2020 ARCON PAM. All rights reserved.

ARCON PAM retains the right to make changes to this document at any time without notice. ARCON PAM makes no warranty for the use of this document and assumes no responsibility for any errors that can appear in the document, nor does it make a commitment to update the information contained herein.

Trademarks

Other product and corporate names may be trademarks of other companies and are used only for explanation and to the owners' benefit, without intent to infringe.

Related Documents

The following related documents help you understand ARCON PAM in detail:

• ARCON PAM Overview Guide gives an overview of ARCON PAM Privileged Access Management.
• ARCON PAM Client Manager Guide describes the web console, which supports multi-domain authentication, dual factor authentication, multi-tenancy and target connectors.
• ARCON PAM Privileged Access Management (PAM) User Guide describes the features, benefits and functionalities.
• ARCON PAM Set-up Pre-requisite describes the hardware and software required for deployment of ARCON PAM in the user environment.
• ARCON PAM Troubleshoot provides basic information for resolving ARCON PAM issues.
• ARCON PAM Administrative Guide describes the process to administer, manage, and monitor privileged identities and servers across the organization.

Target Audience

This guide is intended for auditors, consultants and security experts responsible for securing, auditing and monitoring server administration processes, especially remote server management. It is also useful for IT decision makers looking for a tool to improve the security and auditing of their servers or to facilitate compliance with the relevant standard.

The following skills and knowledge are necessary for a successful ARCON PAM administrator:

• Basic system administration knowledge.
• Basic understanding of networks, TCP/IP protocols, and general network terminology.
• Working knowledge of the Windows operating system is not mandatory, but highly useful.
• In-depth knowledge of various servers and server applications is required for forensics situations.

Symbols and Conventions

The following symbols are used in this manual:

• Note: Indicates helpful tips, shortcuts, and suggestions.
• Information: Indicates additional information.

This manual uses the following conventions to refer to sections, navigation, and other information:

• Bold: Keywords and menu names are displayed in bold.
Acronyms

The acronyms used in this manual are as follows:

• PAM: Privileged Access Management
• LOB: Line of Business
• SSH: Secure Shell
• RDP: Remote Desktop Protocol
• DB: Database
• IIS: Internet Information Services
• EPAM: Enterprise Privilege Access Management
• PVSL: Password Vault & Session Logging
• SGS: Secure Gateway Server

POC (Point of Contacts) & Support Information

The product is developed and maintained by ARCON TechSolutions Private Limited (web: https://arconnet.com/).

Sales Contact

You can contact us directly on sales related topics at the email address <sales@arconnet.com>, or leave us your contact information and we will call you back.

Support Contact

To access the ARCON PAM Support Centre (ASC), sign in with your account.

• Remote support is available 24*7.
• The ARCON PAM Support System is available only for registered users with a valid support package.
• ARCON PAM Support Centre (ASC): https://support.arconnet.com/
• Central Support e-mail address: <arcos.support@arconnet.com>
• Support hotline:
  ▪ Global: +91 8080005577 (For ARCON PAM Support Press 3)
  ▪ UAE: 800035703628 (Press 1)

1 Introduction

This guide provides the installation and configuration instructions for system administrators and security administrators of the ARCON Privileged Access Management (PAM) suite. For more information about its features, benefits, functionalities, and basic procedures, see the ARCON related documents.

ARCON PAM ships with a number of documents that help you use the various features of the product. See the following section for a list of guides. The following section includes the document conventions, the list of documentation for the product, and where to get additional product information and technical support.
2 About this Guide

This guide describes ARCON Privileged Access Management and its installation and configuration processes. The book has been divided into the following sections:

The first part of the guide introduces you to ARCON Privileged Access Management and its unique features.
The second part of the guide takes you through the pre-requisites required for the infrastructure.
The third part of the guide shows how to install and configure the database: database creation, restoration and ownership.
The fourth part of the guide describes how to configure web components and license registration.
The fifth part of the guide takes you through the secure gateway configuration.
The sixth part of the guide explains the creation of LOB, users, services, user groups and service groups.

Part 1: Introduction

The first part of the book contains the following information:

• ARCON Privilege Access Management – An introduction to the concept of application identity and the risks involved, as well as the solution requirements.

Part 2: Preparing to Install Privilege Access Management

The second part of the book contains the following information:

• Prerequisite for Infrastructure Requirement – The infrastructure requirements for ARCON Privilege Access Management.

Part 3: Installing and Configuring ARCON PAM Database

The third part of the book contains the following information:

• Pre-requisite for SQL Server Set-up – The system requirements for the SQL Server setup.
• Installing SQL Server – A step-by-step guide to install SQL Server.
• DB User Creation and Assign Permission – A step-by-step guide to create the user required for the ARCON PAM database.
• DB Folder Creation – A step-by-step guide to create the two DB folders required for the ARCON PAM Privilege Account Management solution.
• DB Creation, Restoration and Ownership – A step-by-step guide to create the two databases, configure them and assign their ownership.
Part 4: Web Component Configuration

The fourth part of the book contains the following information:

• Enable IIS Server – A step-by-step guide to enable IIS Server on Windows.
• Install Framework and Controls – An overview of the various frameworks and controls to be installed.
• Configure ARCON PAM Client Manager Online – A step-by-step guide on how to configure ARCON PAM Client Manager Online on IIS Manager.
• Configure ARCON PAM User Access Log Viewer Web Component – A step-by-step guide on how to configure ARCON PAM User Access Log Viewer Web, assign Application Pool settings and test the web component configuration in a browser.
• ARCON PAM Database Settings Creation – A step-by-step guide on how to create DB settings for ARCON PAM Client Manager.
• License Registration and Login – A guide to license registration and logging in to ARCON PAM Server Manager.

Part 5: Secure Gateway Configuration

The fifth part of the book contains the following information:

• With Windows Server – A guide to install freeSSHd.
• With UNIX / Linux Server – A guide to configure and map the secure gateway server.

Part 6: LOB/Profile Master and Manager

The sixth part of the book contains the following information:

• Creating LOB – A guide to create LOB.
• User/Service Creation and Mapping – A guide to User/Service creation and mapping.
• Creating User – A guide to create a user.
• Creating Service – A guide to create a service.
• Creating User and Service Group – A guide to create a user group and a service group.
• Mapping User to User Group – A guide to map a user to a user group.
• Mapping Service to Server Group – A guide to map a service to a server group.
• Mapping Server/Service Group – A guide to map a server/service group.
• Mapping Service to Users – A guide to map a service to users.
• Mapping Service to Multiple Users – A guide to map a service to multiple users.
• Mapping Users to LOB – A guide to map users to LOB.
• Removing Users from LOB – A guide to remove users from LOB.
• Sharing Users between LOB(s) – A guide to share users between LOBs.
• Mapping User Group/s to LOB – A guide to map user groups to LOB.
• Removing User Group from LOB – A guide to remove a user group from LOB.
• Mapping Service(s) to LOB – A guide to map services to LOB.

3 Product Overview

The product overview gives a high-level, full life cycle description of the product offerings provided by the ARCON PAM Privileged Access Management solution.

The ARCON Privileged Access Management (PAM) solution is a high-level access security solution for managing the privileged accounts in an enterprise. The solution allows an organization to secure, control, monitor and audit all the activities associated with all types of privileged identities, such as Administrator on Windows servers, root on UNIX servers, Cisco Enable on Cisco devices, etc.

ARCON PAM uses a highly secured Digital Vault, also known as the Password Vault, to store the privileged passwords of privileged identities. This Password Vault is the heart of the solution. The audit and session logging data associated with privileged accounts are kept in this vault under the highest security standards. The password vault uses numerous secured methodologies to authenticate, encrypt, audit and protect data.

The ARCON PAM solution uses the following components:

Single Sign On: Single Sign-On enables Administrators to enter the login id and password only once to log on to multiple systems or domains within an enterprise. The username and password are authenticated against the local repository or against the Active Directory of the Windows server through the LDAP protocol.

Password Vault: The Password Vault is the heart of the ARCON PAM solution, where passwords and sensitive data of privileged accounts are stored. It is the central repository for password and auditing management.
It is designed with state-of-the-art technology and can be installed on a dedicated server as well as on the application server, depending on the enterprise infrastructure.

Access Control: ARCON PAM Access Control manages super-user authentication and authorization based on assigned privileges. It enables an organization to secure, control and monitor privileged accounts by using vault technology. It empowers the organization and gives complete visibility and control of privileged accounts and super users in an enterprise. It also enables centralized management and auditing of privileged accounts.

Session Monitoring: Session Monitoring enables an enterprise to secure, control and monitor the access of privileged accounts. It automatically creates a video log that records all activity of the Administrators on the server, minute by minute and second by second. These recordings are stored in the ARCON PAM database and are accessible to authorized auditors. All activities are fully monitored and strictly meet the auditing and governance standards.

Realtime Data Synchronization Process and Near Zero Downtime Application Failure: ARCON PAM supports High Availability through real-time data synchronization and near zero downtime on application failure. The Data Synchronization process for HA (High Availability) establishes consistency among data from a source to a target data storage and vice versa, and the continuous harmonization of the data over time.

3.1 Solution Benefits

• Secure, Manage and Protect Privileged Accounts
• Minimize Shared Administrative Accounts
• Reliably Control and Monitor Privileged Accounts
• Audit and Comply with governance requirements
• Streamline Password Management
• Easily Integrate with the Enterprise
• Simple to Deploy

3.2 Solution Architecture

The ARCON PAM solution securely manages, stores, archives and transfers all your privileged administrative passwords within your organization, internally or remotely.
These secured passwords are kept in the password vault. The password vault, which acts as a 'Bunker', is the heart of the solution. It is secured with multiple layers of security, which include Firewall, Authentication, Authorization, Access control, Encryption, Session monitoring, etc. These layers make the solution secure for the privileged accounts present in an organization.

The PAM architecture is very simple and seamlessly integrates with the complex infrastructure of an enterprise. It can be deployed within a short period of time and can be accessed through a Web interface. The various APIs help make the solution more secure.

The following diagram shows the various components of the PAM solution:

The PAM architecture consists of two important components. The first is the ARCON PAM Secured Vault, which stores data and protects it through authentication and authorization. The Vault server manages the numerous services within ARCON PAM that are required for the successful operation of the PAM solution.

The second is the Secured Gateway Server, which uses a unique technology to channel all the traffic. It uses a secured server that runs proprietary components to manage all traffic directly from a user machine to the target devices. Secured ports are used to channel this traffic. The major advantage of this technique is that it makes ARCON PAM highly scalable, as it is not dependent on 'RDP' to access the application server. Further, this technology helps in managing highly complex environments, including distributed datacenters, wherein all devices across data centers can be managed by a single instance of ARCON PAM.

3.3 Communication Flow

• Enter the ARCON PAM portal URL in the browser. The request goes to the ARCON PAM Application Server and the login page of ARCON PAM is displayed on the machine.
• Enter the login credentials and click the OK button.
The user is authenticated in either of two ways:
  ▪ If the user is a local repository user, the credentials are authenticated against the database server [password vault (PVSL)].
  OR
  ▪ If the user is a domain user, the credentials are authenticated against Active Directory.
• If dual factor authentication is enabled for the user, they are authenticated twice; on success with AD or the password vault, Client Manager opens. Depending on the access granted, the user can search the Hostname/IP Address/Service Type entries populated on the portal.
• On clicking the Open Connection icon, the request goes to the application server and the necessary executable files are downloaded to the user's machine, under the temp folder, with the help of the browser plugin. On execution of this executable, a secured (SSH) connection is locally established from the user's machine to the ARCON PAM Secured Server, which eventually routes it to the target server/device. Thus the session is delivered on the user's machine.
• Simultaneously, the session also establishes a dedicated connection with the ARCON PAM Application Server, through which the activities performed by the Administrators/users are logged and saved in the password vault (database) in real time.
• For a Thick client, when a user clicks Open Connection, the application executes the .exe of the Third Party Application from the user's local machine at the path configured in the user's My Preference tab in the ARCON PAM portal.

3.4 Reference Architecture

3.4.1 Introduction

ARCON deployment encompasses all the processes involved in getting new software or hardware up and running properly in its environment, including installation, configuration, running, testing, and making necessary changes.
ARCON PAM supports multiple deployment procedures:

• Standard and Appliance Deployment
• Cloud based Deployment
• Distributed Deployment
• Near Zero Downtime (Offline mode) Deployment

3.4.1.1 Standard and Appliance Architecture Configuration (SAC)

The standard architecture configuration is the most compact of the architectures and offers simplicity, performance and cost savings. It consists of a combined application server (EPAM), Secure Gateway Server (SGS) and database server (PVSL). This type of environment is typically deployed in smaller scale organizations or non-production environments.

Recommended OS & DB:

• OS: Windows Server 2012 R2+
• DB: Windows SQL Server 2012 R2+ standard edition
• Gateway: FreeSSHD or Bitvise

Deployment Diagram Example:

Suggested High Availability & DR Strategy

ARCON PAM Suite: Application Layer
High Availability:
• Load Balancing: ARCON PAM Application Server can be in HA in Active-Active mode. We need to use the option of Persistence Hash with Session Stickiness. Failover will be automatic.
• NLB: ARCON PAM Application Server can be in HA in Active-Passive mode. All the requests go to Node One and, in case Node One fails, Node Two becomes active and all the requests go to Node Two. Failover will be automatic.
DR:
• Load Balancing
Resource Requirement:
• Should plan in coordination with OEM

ARCON PAM Suite: Database Layer
High Availability:
• Microsoft SQL High Availability Always On: We can use MSSQL Cluster Always On between the Primary, HA and DR servers. Data is replicated in real time from Primary to HA and to DR. Failover from Primary to HA will be automatic and failover to DR will be manual.
• MS SQL Clustering: We can use MSSQL Cluster between the Primary and HA servers and MSSQL Log Shipping for database replication to the DR server.
Failover from Primary to HA will be automatic and failover to DR will be manual.
DR:
• Microsoft SQL Server data replication
Resource Requirement:
• Should plan in coordination with OEM

For the Appliance Deployment Architecture, ARCON provides hardware with the standard deployment installation.

3.4.1.2 Cloud Based Deployment Architecture (AWS)

In the AWS Cloud, Amazon VPC can help our customers by serving as an extension of their existing on-premise datacenter. Amazon VPC allows for specifying an IP address range so that the existing datacenter can be extended into AWS in a similar way an extension would be made into a new physical data center or branch office. VPN and AWS Direct Connect connectivity options allow these networks to be seamlessly and securely integrated to create a single corporate network capable of supporting your users and applications regardless of where they are physically located. It also allows IT resources hosted in the VPC to leverage existing centralized IT systems, like user authentication, monitoring, logging, change management, or deployment services, without the need to change how users or systems administrators access or manage your applications.

ARCON PAM in Customer Premises:

ARCON PAM in Cloud:

Scenario: Extended On-premise Datacenter into the Cloud (AWS)

Using the above methodology, ARCON PAM can be implemented in the local data center and then extended to manage the devices/applications in the AWS cloud. In a similar manner, ARCON PAM can be implemented in the AWS Cloud and then extended to manage devices in the local on-premise datacenter. This allows SSO, SSH key based management capabilities, password management, auditing and other features provided by ARCON PAM to be utilized seamlessly across both the on-premise and AWS cloud environments.
ARCON PAM would also facilitate the integration of the AWS management console with the solution. This results in a completely centralized PAM solution within the hybrid architecture. ARCON PAM can be implemented in other cloud based services like Microsoft Azure and Google Cloud, along with their respective management consoles, in the same manner as explained above for the AWS cloud.

3.4.1.3 Intermediate Architecture Configuration (IAC)

The intermediate architecture configuration offers the flexibility to segregate the application servers while utilizing a central database. It consists of a combined application server (EPAM) and Secure Gateway Server (SGS), and a separate database server (PVSL). Organizations can linearly scale up this environment by horizontally adding more resources to the existing setup. This architecture is highly recommended for mid- to large-scale implementations to ensure automatic failover capabilities with complete redundancy for each ARCON PAM component.

Recommended OS & DB:

• OS: Windows Server 2012 R2+
• DB: Windows SQL Server 2012 R2+ standard edition
• Gateway: FreeSSHD or Bitvise

Deployment Diagram Example:

Suggested High Availability & DR Strategy

ARCON PAM Suite: Application Layer
High Availability:
• Load Balancing: ARCON PAM Application Server can be in HA in Active-Active mode. We need to use the option of Persistence Hash with Session Stickiness. Failover will be automatic.
• NLB: ARCON PAM Application Server can be in HA in Active-Passive mode. All the requests go to Node One and, in case Node One fails, Node Two becomes active and all the requests go to Node Two. Failover will be automatic.
DR: Load Balancing.
Resource Requirement: to be planned in coordination with the OEM.

ARCON PAM Suite: Database Layer
High Availability:
• Microsoft SQL Server Always On: an Always On availability group between the Primary, HA and DR servers. Data is replicated in real time from Primary to HA and to DR. Failover from Primary to HA is automatic; failover to DR is manual.
• MS SQL Clustering: a failover cluster between the Primary and HA servers, with SQL Server log shipping for database replication to the DR server. Failover from Primary to HA is automatic; failover to DR is manual.
DR: Microsoft SQL Server data replication.
Resource Requirement: to be planned in coordination with the OEM.
Note that an Always On availability group with three replicas (Primary, HA and DR) requires SQL Server Enterprise edition, as section 3.4.1.6 also states; the Standard edition listed above supports the clustering and log shipping option.

3.4.1.4 Advanced Architecture Configuration (AAC)
The Advanced Architecture Configuration offers the most flexibility, scalability and performance of all the architectures, and ARCON recommends it for large organizations. Enterprises can scale this environment by adding resources to the application, database and secure gateway layers. The configuration gives a high degree of redundancy across all ARCON PAM components so that a high number of sessions can be managed, and high-volume connection traffic can be routed through dedicated Secure Gateway Servers to handle high user concurrency.
Recommended OS and DB for the Application, Database and Secure Gateway Servers:
• OS for App and DB: Windows Server 2012 R2 or later
• DB: Microsoft SQL Server 2012 or later, Standard edition
• OS for SGS: any UNIX flavor (Red Hat, SUSE, Solaris etc.)
Deployment Diagram Example:

Suggested High Availability & DR Strategy
ARCON PAM Suite: Application Layer
High Availability:
• Load Balancing: the ARCON PAM Application Servers can run in Active-Active mode behind a load balancer configured for hash persistence with session stickiness. Failover is automatic.
• NLB: the ARCON PAM Application Servers can run in Active-Passive mode. All requests go to Node One; if Node One fails, Node Two becomes active and all requests go to Node Two. Failover is automatic.
DR: Load Balancing.
Resource Requirement: to be planned in coordination with the OEM.

ARCON PAM Suite: Database Layer
High Availability:
• Microsoft SQL Server Always On: an Always On availability group between the Primary, HA and DR servers. Data is replicated in real time from Primary to HA and to DR. Failover from Primary to HA is automatic; failover to DR is manual.
• MS SQL Clustering: a failover cluster between the Primary and HA servers, with SQL Server log shipping for database replication to the DR server. Failover from Primary to HA is automatic; failover to DR is manual.
DR: Microsoft SQL Server data replication.
Resource Requirement: to be planned in coordination with the OEM.

ARCON PAM Suite: Secure Gateway Server
High Availability:
• Load Balancing: the Secure Gateway Servers can run in Active-Active mode behind a load balancer configured for hash persistence with session stickiness, in the same way as the application layer. Failover is automatic.
DR: NA.
Resource Requirement: to be planned in coordination with the OEM.

3.4.1.5 Distributed ARCON PAM
The distributed deployment architecture integrates multiple datacenters in different locations into one instance of ARCON PAM. Distributed deployments support scalability and performance across multiple dimensions.
Key Challenge: The client engaged multiple vendors on a project basis to manage critical operational tasks, and privileged accounts were shared with these vendors. The vendors had uncontrolled and unmonitored access to servers. In certain incidents the forensic team was unable to find the root cause. Secure third-party access was therefore the biggest concern faced by the client.
Further, the client, a tour operator, managed four datacenter environments in four cities across three continents. Administrators used VPN to connect to the local datacenters but had unsecured access to the servers.
Solution: ARCON's enterprise-class suite enabled the client to overcome these challenges. The product's functionality also helped the client comply with regulatory and audit requirements. The client's four datacenter environments were not affected during implementation: the ARCON server was installed at the client's central datacenter and the other three datacenters were integrated into that one setup. Every privileged account in the client's network now has secure access, since ARCON PAM is integrated at all layers of the IT infrastructure, and an audit trail is kept for each session. All end users (administrators and vendors) have restricted, monitored access to the devices in the datacenters. Every end user, at every location, reaches any device through the ARCON server, so the client controls all privileged sessions; third-party access is regulated, monitored and controlled since the deployment of the ARCON Privileged Access Management (PAM) Suite.
Additional Value Adds
The client had limited bandwidth and wanted to accumulate video logs on a local server and then move them to the central location where the ARCON server was installed. A staging server was installed at each location; it accumulates logs during production hours and transfers them automatically to the central location outside production hours. This significantly reduced network bandwidth utilization, with no impact on productivity during production hours.
3.4.1.6 Near Zero Time (Offline) Architecture
ARCON PAM supports high availability through real-time data synchronization, giving near zero downtime if the application fails. The data synchronization process for HA establishes consistency between data on a source and a target data store, and vice versa, and keeps the data harmonized over time.
Real Time Data Synchronization
Real-time data synchronization between the Primary and Secondary node can be achieved in the following ways:
• The Always On feature of MS SQL Server Enterprise edition (its prerequisites are explained in this document). The full ARCON PAM database of the Primary node is replicated to all Secondary nodes.
• The ARCOS Data Sync Service.
Failure of Primary Node
If the Primary node is down or unreachable because of a network failure or any other reason, users must switch manually to the Secondary node (Restricted Mode), which stores the session logs and activities performed on it in its local database. The ARCON PAM activities available in Restricted Mode are:
• My Services (users can take sessions to their assigned services)
Restoration of Primary Node
Once the Primary node is restored and reachable, the administrator must run the ARCOSDataSync service on the Secondary node. It synchronizes the data from the Secondary node to the Primary node, after which users can see their activity logs from the Primary node. Until that synchronization has run, the session logs recorded in Restricted Mode exist only in the Secondary node's local database, so protect and back up that node as you would the Primary.
Configuration for Restricted ARCON PAM
Set up a new server with the latest version of ARCON PAM, enabled for Restricted Mode.
Steps to deploy Restricted ARCON PAM
1. API setup for Restricted ARCON PAM
a. Deploy the API on the full mode application server.
b. DBSetting.ini: same as the full mode DBSetting.
2. Database server setup for Restricted ARCON PAM
a. The DB server shall contain the ARCOSDB database (ARCOSDB.mdf) with read-only access, continuously synchronizing data from the full mode ARCOSDB, and the ARCOSDB_RA database (ARCOSDB_RA.mdf, the RA database) with read-write access.
3. Application server setup for Restricted ARCON PAM
a. The Restricted Mode application shall be deployed on a new application server with the same configuration as the full mode application server.
b. The Web.config file shall have the ARCOS Mode parameter set to Restricted.
c. The Restricted Mode application shall have two ini files in the DBSetting folder: DBSetting.ini (same as full mode) and DBSetting_RA.ini.
d. DBSetting_RA.ini: server details of the Secondary node, with the primary database set to ARCOSDB_RA.
4. ARCOSDataSync service setup for Restricted ARCON PAM
a. Install the ARCOSDataSync service on the application/database server.
b. After installation, the ARCOS Data Sync Service folder is created under "C:\Program Files (x86)\ARCON Solutions\".
c. Go to that folder and set the API URL (RA_API) in ARCOSDSConfig.ini.
d. DBSetting.ini: server details of the Secondary node, with the RDP database set to ARCOSDB_RA.

4 Preparing to Install
Before installing, plan the requirements of the solution in your organization. This chapter provides the information needed for installing and configuring the solution. During this preparation phase you may have to gather information on hardware and software requirements and on how the passwords of the privileged accounts are to be managed. Depending on your infrastructure, decide on the architecture and on the Password Vault: where and how it will be installed and configured, and whether or not it will be managed through the Secure Gateway Server. This chapter also provides information you should review before installing ARCON Privileged Access Management.
It discusses the following topic:
• Prerequisite for Infrastructure Requirement
4.1 Prerequisite for Infrastructure Requirement
Before installing the ARCON PAM application, read the ARCON PAM Set-up Prerequisite document to ensure that your environment meets the minimum installation requirements for the ARCON PAM product. The prerequisites for a successful implementation are:
• ARCON PAM implementation setup files
• A Windows based server with IIS for the Application Server (EPAM)
• A Windows based server with SQL Server pre-installed for the Password Vault Server (PVSL)
• A UNIX based server for the Secure Gateway (SGS), depending on the architecture finalized by the organization

5 Database Installation and Configuration
This chapter describes how to install MS SQL Server 2014 for ARCON Privileged Access Management. It discusses the following topics:
• SQL Server Setup Pre-requisites
• SQL Server Express Installation
• DB User Creation
• Folder Creation for database
• Database Creation, Restoration and Owner Assignment
5.1 SQL Server Setup Pre-requisites
Before installing SQL Server Express edition, have the SQL Server Express setup file available, and make sure your environment meets the minimum installation requirements for MS SQL Server Express edition.
5.2 SQL Server Express Installation
The SQL Server setup installs the following components, which are required by ARCON Privileged Access Management:
• .NET Framework 3.5 SP1
• SQL Server support files
The following procedure installs SQL Server Express on Windows.
1. Double click the SQL Server Express setup file.
2. The SQL Server Installation Center window opens. On the right hand side, click the New SQL Server stand-alone installation or add features to an existing installation link.
3. The Microsoft Software License Terms page opens. To install SQL Server Express edition, tick the I accept the license terms checkbox.
4. Click Next.
5. On the Microsoft Update page, tick Use Microsoft Update to check for updates (recommended). Important updates for Windows and other Microsoft software will then be installed automatically.
6. Click Next.
7. On the Feature Selection page, select the following Express features to be installed:
Instance Features
▪ Database Engine Services
▪ SQL Server Replication
8. Shared Features
▪ Client Tools Connectivity
▪ Client Tools Backward Compatibility
▪ Client Tools SDK
▪ Management Tools - Basic
▪ Management Tools - Complete
▪ SQL Client Connectivity SDK
▪ LocalDB
Change the Shared feature directory to the E:\ drive and click Next.
• On the Feature Rules page, click Show Details to view the details and click Next.
• On the Instance Configuration page, select Default instance if this is the only SQL Server instance on the machine. If there is more than one instance:
▪ Click the Named instance radio button.
▪ Create an instance named ARCONPAM (instance names cannot contain spaces); this instance is dedicated to the ARCON PAM databases only. The SQL Server name must not be more than 15 characters.
▪ Click Next.
• On the Server Configuration page:
▪ Service Accounts tab: change the startup type of the SQL Server Database Engine service to Automatic.
▪ Collation tab: keep the default settings and click Next.
• On the Database Engine Configuration page, Account Provisioning tab, under Authentication Mode:
▪ Windows authentication mode: uses the domain username and password for authentication.
▪ Mixed Mode (SQL Server authentication and Windows authentication): uses the SQL Server administrator username and password for authentication and allows multiple SQL logins to be created and managed. If Mixed Mode is not selected, the administrator cannot log in as arcossqladmin, the SQL login used by the ARCOS database application.
• Select Mixed Mode. The Specify the password for the SQL Server system administrator (sa) account fields become active.
▪ Enter the password for the sa account, the built-in SQL Server administrator account.
▪ Enter the same sa password in the Confirm Password field. Use a complex password for the sa account: it has full control of the instance, so store it in the vault and do not reuse it for arcossqladmin.
▪ To specify the SQL Server administrators, click Add Current User to add the currently logged-in Windows user.
▪ Click Add to add further administrators and users for the SQL Server, for example:
◦ arcossqladmin\Domain as admin
◦ arcossqladmin\SQL2008R2Service as user
▪ On the Data Directories tab, change the Data root directory to a dedicated drive, e.g. E:\. Create the ARCOS folder on that drive and set the location to E:\ARCOS.
We recommend not storing data on the C drive even if it has plenty of space. When you change the Data root directory, the Temp DB directory changes with it.
▪ Change the User database directory to E:\ARCON Solutions\ARCOS Database
▪ Change the Backup directory to E:\ARCON Solutions\ARCOS Backup
▪ No changes are required on the FILESTREAM tab.
▪ Click Next.
• On the Feature Configuration Rules page, click Show Details. The status of every applicable rule should be Passed. Click Next.
• On the Installation Progress page you can follow the progress of the SQL Server installation. It takes approximately 20 minutes depending on the performance of the machine.
• Once the SQL Server setup is complete, restart the computer.

5.3 DB User Creation and Assign Permission
This section describes how to create the SQL login that the ARCON PAM database application uses. Use the following steps to create the login arcossqladmin and assign its privileges:
1. Log in to SQL Server Management Studio, either with Windows authentication or as sa with the password set during Database Engine Configuration (Mixed Mode).
2. In the Object Explorer pane on the left, expand Security.
3. Right click Logins and click New Login. The New Login window opens.
4. On the General page, set the following:
▪ Login name: arcossqladmin.
▪ Select the SQL Server authentication radio button.
◦ Enter a complex password for the login.
◦ Untick Enforce password policy. If Enforce password expiration is ticked, untick it as well: an expiring application password locks the application out. Where the vendor permits it, keeping the policy check itself enabled and only disabling expiration is preferable.
5. On the Server Roles page, set the privileges of arcossqladmin:
▪ Tick the public and sysadmin server roles. sysadmin gives this login full control of the SQL Server instance, including any other database hosted on it, which is one reason for the dedicated instance in 5.2; treat the login and its password as a privileged credential.
6. On the Status page, set the following:
▪ Permission to connect to database engine: Grant
▪ Login: Enabled
7. Click OK.
5.4 Folder Creation for database and Log files
This section explains what a database consists of, the two file types (the primary data file, MDF, and the log data file, LDF), and how to create the database folders for ARCON PAM (ARCOSDB and ARCOSRDPDB).
5.4.1 Database
When a database is created, two files are generated: the primary data file (MDF) and the log data file (LDF). These are the standard SQL Server file formats. The MDF holds the data itself and is the primary file of the database; the LDF holds the transaction log.
5.4.1.1 Log Data File (LDF)
The LDF holds the transaction log. Every insert, update or delete is written to the log before it is applied to the data file, and SQL Server uses the log to roll forward committed work and roll back uncommitted work when the database starts or is recovered. The log file is therefore not disposable: deleting it from disk leaves the database unable to start cleanly and loses any changes that had not yet been written to the MDF. Its size is managed through the recovery model and regular log backups, not by deleting it.
When a database is configured, SQL Server offers three recovery models:
• Full
• Simple
• Bulk-Logged
Full Mode: in the full recovery model every transaction stays in the log until a log backup has been taken, so the database can be restored to a point in time and deleted data can be recovered from the backups. Database mirroring and Always On availability groups require the full recovery model; without it they cannot be configured (a failover cluster instance does not require it, since it shares a single copy of the files). The log keeps growing until log backups are scheduled, so a log backup job is part of running a database in full recovery.
Simple Mode: the log is truncated automatically at each checkpoint; the database can only be restored to its last full or differential backup, not to a point in time, so no data loss can be recovered from the LDF.
Bulk-Logged Mode: a special-purpose model that should be used only intermittently to improve the performance of certain large-scale bulk operations, such as bulk imports of large amounts of data. Much of what applies to backup under the full recovery model also applies to the bulk-logged model.
By default ARCOSDB should be in the full recovery model. ARCOSRDPDB, if kept in the full recovery model, grows rapidly; it is therefore recommended to keep it in simple mode.
5.4.1.1.1 Create DB Folder for Database (.mdf) and Log (.ldf) files
Use the following steps to create the folders for the database (.mdf) and log (.ldf) files.
1. Click the Windows Start button.
2. Double click My Computer. The My Computer window opens. Double click the drive, e.g. the E drive.
3. Click New Folder and create the following two folders:
▪ <Drive>:\ARCON Solutions\ARCOS Database\ARCOSDB
▪ <Drive>:\ARCON Solutions\ARCOS Database\ARCOSRDPDB
The two database folders need not be on the same drive of the server; for better performance it is advised to place the two databases on two different drives.
5.5 Database Creation, Restoration and Owner Assignment
This section describes database creation, restoration and assigning ownership of the ARCON PAM databases. The ARCON PAM application uses two databases, ARCOSDB and ARCOSRDPDB.
5.5.1 ARCOSDB
The ARCOSDB database contains the actual data of the application. If there are multiple databases on the database server, ARCOSDB should be given the ownership (see 5.5.5.1) and the full recovery model.
5.5.2 ARCOSRDPDB
When configuring ARCOSRDPDB, set the simple recovery model so that the LDF file does not keep growing; inserts then grow the MDF while the log stays small. Video logs are stored in ARCOSRDPDB temporarily. They are captured for every action on the server, minute by minute and second by second, and the Log Manager Service continually archives or removes data from ARCOSRDPDB, so this database is always in use.
When the server has multiple drives, we recommend placing the two databases on different drives. For example, if the client provides a 500 GB server, it may be partitioned as C drive 100 GB and the remaining 400 GB split into 200 GB and 200 GB, or 100 GB and 300 GB. We recommend at least 100 GB for the ARCOSRDPDB database.
If the Log Manager Service fails and this goes unnoticed for one to three weeks, the database size increases accordingly. Configure ARCOSRDPDB so that such a situation cannot occur and, if it does, so that it stays manageable in production; monitoring the Log Manager Service and the free space on the ARCOSRDPDB drive is part of operating the system.
When the application is moved to DR, the production environment is unavailable: whether because of an application issue or because of the move to DR, production has failed. If it is an infrastructure issue, check with the infrastructure team. If it is an application or configuration issue, such as the drive size not being configured properly, the application goes down and cannot be accessed, which counts as a disaster.
When configuring the application, provide sufficient drive space for ARCOSDB and ARCOSRDPDB. This is not critical with only 10 users, but if the organization has more than 1000 users, plan for the growth expected 6 months or a year ahead; spare space means the ARCON PAM infrastructure can grow. When configuring the RDP database, check that disk space is available and dedicate at least 100 GB to ARCOSRDPDB even if it is not used at first. For example, for a 300 GB drive create 100 GB for the D drive and 200 GB for ARCOSRDPDB.
When configuring or providing the prerequisites for an ARCON PAM implementation, ensure there is a separate drive for the logs (video logs, images or video files). The separate drive need not be on the same server or physical disk; SAN storage mapped to the system as a separate drive keeps the logs separate. These drives can be used for the database configuration or the database files. The program files are created for the services.
Do not install the services on the C drive: most organization policies recommend not installing applications or executables on the C drive, where the Windows operating system files are. For example, if Windows or any operating system crashes, the administrator formats the C drive, and an application or database on the C drive is lost during formatting. Hence always install SQL Server and any other executables or components on other drives.
5.5.3 Create Database
This section describes how to create the ARCOSDB and ARCOSRDPDB databases.
5.5.3.1 Create ARCOSDB database
Use the following steps to create the database ARCOSDB with the new login (arcossqladmin).
1. Log in to SQL Server Management Studio with the newly created login (arcossqladmin).
2. In the Object Explorer pane on the left, right click Databases and select New Database. The New Database window opens.
3. Enter the Database name ARCOSDB.
4. In the Database files area, scroll horizontally to the Path column.
5. In the Path column, click the ellipsis button and change the path of the ARCOSDB_DATA and ARCOSDB_LOG files to the ARCOSDB folder under ARCOS Database in ARCON Solutions, i.e. <Drive>:\ARCON Solutions\ARCOS Database\ARCOSDB. Select the folder created in Create DB Folder for Database (.mdf) and Log (.ldf) files.
6. Click OK.
5.5.3.2 Create ARCOSRDPDB database
To create ARCOSRDPDB, repeat steps 2 to 5 of Create ARCOSDB database, using the name ARCOSRDPDB instead of ARCOSDB and the ARCOSRDPDB folder.
5.5.4 Database Restore
This section describes how to restore the blank ARCON PAM databases on the specified drive. The backup database from the setup files is a blank template. During the restore, do not select any database other than ARCOSDB or ARCOSRDPDB, and assign the physical paths correctly.
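The database preparation of this chapter (the 5.3 login, the 5.4 folders, and the 5.5 restore, recovery model, owner and role mapping) scripted end to end, as an added example that is not part of the ARCON guide. It runs T-SQL through Invoke-Sqlcmd from the SqlServer PowerShell module with Windows authentication, on the SQL Server host, as the installing user added with Add Current User in 5.2. The instance name, drive letters, setup folder and the .bak file names of the two blank templates are assumptions. Because RESTORE ... WITH REPLACE creates a database that does not yet exist, the separate create step of 5.5.3 is folded into the restore, and the logical file names for the MOVE clauses are read from each backup rather than assumed.

```powershell
# Added example, not from the ARCON guide: chapter 5 database preparation (5.3 to 5.5.6) as T-SQL
# run through Invoke-Sqlcmd (SqlServer module, Windows authentication). Assumed values below.
$Instance    = '.\ARCONPAM'                                     # named instance from 5.2; '.' for the default instance
$DbFolder    = 'E:\ARCON Solutions\ARCOS Database\ARCOSDB'      # folders from 5.4.1.1.1
$RdpFolder   = 'F:\ARCON Solutions\ARCOS Database\ARCOSRDPDB'   # second drive for the video-log store (assumed F:)
$SetupFolder = 'D:\ARCON_Setup'                                 # assumed location of the setup files
$Templates   = @{ ARCOSDB    = "$SetupFolder\ARCOSDB_Backup_Blank.bak"      # .bak names assumed
                  ARCOSRDPDB = "$SetupFolder\ARCOSRDPDB_Backup_Blank.bak" }

function Invoke-Tsql([string]$Query, [string]$Database = 'master') {
    Invoke-Sqlcmd -ServerInstance $Instance -Database $Database -Query $Query -QueryTimeout 600 -ErrorAction Stop
}

# 5.4.1.1.1: folders for the .mdf/.ldf files; the SQL Server service account needs write access to them.
foreach ($folder in $DbFolder, $RdpFolder) { New-Item -ItemType Directory -Path $folder -Force | Out-Null }

# 5.3: the arcossqladmin login. The password is prompted, never stored in the script; CHECK_POLICY stays on
# and only expiration is disabled, since an expiring password would lock the application out.
$secure = Read-Host -Prompt 'Password for arcossqladmin' -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
$escaped = $plain.Replace("'", "''")                              # T-SQL string literal escaping
Invoke-Tsql @"
IF SUSER_ID(N'arcossqladmin') IS NULL
    CREATE LOGIN [arcossqladmin] WITH PASSWORD = N'$escaped', CHECK_POLICY = ON, CHECK_EXPIRATION = OFF;
ALTER SERVER ROLE [sysadmin] ADD MEMBER [arcossqladmin];  -- required by 5.3: full control of the instance
"@
$plain = $escaped = $null

# 5.5.4: restore each blank template, moving its files into the folder above. The logical file names
# come from the backup header (RESTORE FILELISTONLY), so the MOVE clauses always match the template.
function Restore-Template([string]$Db, [string]$Backup, [string]$Folder) {
    $dataFiles = 0
    $moves = foreach ($file in Invoke-Tsql "RESTORE FILELISTONLY FROM DISK = N'$Backup';") {
        if ($file.Type -eq 'L') { $target = "$Folder\$Db.ldf" }
        elseif ($dataFiles -eq 0) { $target = "$Folder\$Db.mdf"; $dataFiles++ }
        else { $target = "$Folder\$($file.LogicalName).ndf"; $dataFiles++ }   # extra data files, if any
        "MOVE N'$($file.LogicalName)' TO N'$target'"
    }
    Invoke-Tsql "RESTORE DATABASE [$Db] FROM DISK = N'$Backup' WITH REPLACE, $($moves -join ', ');"
}
Restore-Template -Db 'ARCOSDB'    -Backup $Templates.ARCOSDB    -Folder $DbFolder
Restore-Template -Db 'ARCOSRDPDB' -Backup $Templates.ARCOSRDPDB -Folder $RdpFolder

# 5.5.5: recovery models and owner. Full recovery needs scheduled log backups or the ARCOSDB log will grow.
# A template restored from another environment may carry an orphaned user of the same name; the owner
# login cannot also be a user, so that user is dropped first.
Invoke-Tsql -Database 'ARCOSDB' -Query "IF DATABASE_PRINCIPAL_ID(N'arcossqladmin') IS NOT NULL DROP USER [arcossqladmin];"
Invoke-Tsql @"
ALTER DATABASE [ARCOSDB]    SET RECOVERY FULL;
ALTER DATABASE [ARCOSRDPDB] SET RECOVERY SIMPLE;
ALTER AUTHORIZATION ON DATABASE::[ARCOSDB] TO [arcossqladmin];
"@

# 5.5.6: as owner of ARCOSDB the login is already dbo there, so a user is created only in ARCOSRDPDB.
# db_owner implies db_datareader, db_datawriter and db_ddladmin from the guide's list.
Invoke-Tsql -Database 'ARCOSRDPDB' -Query @"
IF DATABASE_PRINCIPAL_ID(N'arcossqladmin') IS NULL
    CREATE USER [arcossqladmin] FOR LOGIN [arcossqladmin];
ELSE
    ALTER USER [arcossqladmin] WITH LOGIN = [arcossqladmin];  -- re-links an orphaned template user
ALTER ROLE [db_owner] ADD MEMBER [arcossqladmin];
"@

# Check: recovery model, owner and physical file locations as the guide specifies.
Invoke-Tsql @"
SELECT d.name, d.recovery_model_desc, SUSER_SNAME(d.owner_sid) AS owner_login, f.type_desc, f.physical_name
FROM sys.databases AS d JOIN sys.master_files AS f ON f.database_id = d.database_id
WHERE d.name IN (N'ARCOSDB', N'ARCOSRDPDB')
ORDER BY d.name, f.type;
"@ | Format-Table -AutoSize
```

The final query is the check a reviewer would run after the GUI steps too: ARCOSDB should show FULL with arcossqladmin as owner and its files under the ARCOSDB folder, and ARCOSRDPDB SIMPLE with its files on the second drive. The sysadmin membership is what 5.3 requires; whether it can be reduced after installation is a question for the vendor, not something this script decides.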
5.5.4.1 Restore template ARCOSDB from setup files
This section describes how to restore the ARCOSDB template from the ARCON PAM setup files.
1. In the Object Explorer pane on the left, expand Databases, right click the ARCOSDB database and select Tasks > Restore > Database. The Restore Database window opens.
2. In the left pane, click General and set the following:
▪ Source: select the Device radio button.
▪ Database: select ARCOSDB from the drop-down list.
▪ Click the ellipsis button above the selected ARCOSDB and select the template database from the ARCON PAM setup files, i.e. ARCOSDB_Backup_Blank.
3. In the Restore plan, tick the Restore checkbox of the backup to be restored.
4. In the left pane, click Files to map the database files of the backup to the .mdf and .ldf files.
5. Click the ellipsis in the Restore As column and map the data and log files:
▪ ARCONDB_Data: map to the .mdf file under ARCON Solutions > ARCOS Database > ARCOSDB, i.e. ARCOSDB.mdf.
▪ ARCONDB_Log: map to the .ldf file under ARCON Solutions > ARCOS Database > ARCOSDB, i.e. ARCOSDB.ldf.
6. In the left pane, click Options and, under Restore options, tick Overwrite the existing database (WITH REPLACE).
7. Click OK.
8. Wait a few minutes for the database ARCOSDB to be restored.
9. A pop-up window 'Database ARCOSDB restored successfully' opens.
10. Click OK.
5.5.4.2 Restore template ARCOSRDPDB from setup files
Right click ARCOSRDPDB and repeat steps 1 to 4 of Restore template ARCOSDB from setup files. Map ARCOSRDPDB_Data to ARCOSRDPDB.mdf and ARCOSRDPDB_Log to ARCOSRDPDB.ldf, then complete steps 6 to 10.
5.5.5 Database Ownership and Recovery
This section describes how to set the owner and the recovery model of the ARCON PAM databases.
5.5.5.1 Ownership and Recovery mode for ARCOSDB
Use the following steps to set the owner of ARCOSDB and its recovery model to Full.
1. Right click the ARCOSDB database and click Properties. The Database Properties window opens.
2. In the Select a page pane on the left, click Files.
3. On the right, enter arcossqladmin in the Owner field.
4. In the Select a page pane on the left, click Options.
5. On the right, select Full from the Recovery model drop-down list.
6. Click OK.
5.5.5.2 Recovery mode for ARCOSRDPDB
Use the following steps to set the recovery model of ARCOSRDPDB to Simple.
1. Right click the ARCOSRDPDB database and click Properties. The Database Properties window opens.
2. In the Select a page pane on the left, click Options.
3. On the right, select Simple from the Recovery model drop-down list. The bulk-logged model sits between full and simple and is intended only for intermittent use during bulk loads, so select either Full or Simple here.
4. Click OK.
5.5.6 Assign Database Role to New User (arcossqladmin)
This section describes how to assign database roles and privileges to the new login (arcossqladmin).
1. In the Object Explorer pane on the left, expand Security, then expand Logins. The existing logins are listed.
2. Right click the new login (arcossqladmin) and click Properties. The Login Properties - arcossqladmin window opens.
3. In the left pane, click User Mapping and set the following:
▪ In the Users mapped to this login table, tick the checkbox for the ARCOSDB database. The Database role membership for ARCOSDB area becomes active; tick the following roles for ARCOSDB:
◦ db_datareader
◦ db_datawriter
◦ db_ddladmin
◦ db_owner
◦ public (selected by default)
▪ In the Users mapped to this login table, tick the checkbox for the ARCOSRDPDB database. The Database role membership for ARCOSRDPDB area becomes active; tick the following roles for ARCOSRDPDB:
◦ db_datareader
◦ db_datawriter
◦ db_ddladmin
◦ db_owner
◦ public (selected by default)
Because arcossqladmin owns ARCOSDB (5.5.5.1), it is mapped there as the dbo user and the ARCOSDB roles are already implied; db_owner on its own includes the other three roles.
4. Click OK.

6 Web Component Configuration
This chapter describes how to configure the web components on Windows Server (the steps below use the Windows Server 2012 Server Manager). It discusses the following topics:
• Enable IIS Server on Web Server (Windows only)
• Install Frameworks and Controls
• Configure ARCON PAM Client Manager
• Import SSL Certificate for ARCON PAM Client Manager
• Create Self Signed Certificate
• Assign SSL Certificate
• Configure Video Log Viewer
• Web Configuration
• DB Settings Creation
• License / Domain Creation
• Video Log Viewer Web Configuration
6.1 Install Frameworks and Controls
.NET Framework and other Windows components must be installed on all ARCON PAM solution servers. Follow these steps to install the frameworks and controls:
• Open Windows Server Manager.
• In the Dashboard, click Add roles and features.
• Click Next.
• Select the Role-based or feature-based installation radio button and click Next.
• Select the Select a server from the server pool radio button and click Next.
• Click Next.
• Tick the .NET Framework 3.5 Features, .NET Framework 4.5 and Telnet Client checkboxes.
Select Desktop Experience from User Interfaces and Infrastructure checkbox and Click Next. Click Install. Click Finish. Server Reboot is required. 6.2 Configure ARCON PAM Client Manager This section provides information about how to configure ARCON PAM Client Manager on IIS Manager, import or create or assign SSL certificate, assign Application Pool settings and test the web component is configured properly on browser. Use the following steps to configure ARCON PAM Client Manager: 1. Create ARCONClientManager Online folder on ARCON Solutions path e.g. :\ARCON Solutions\ARCOSClientManagerOnline 2. Copy the ARCOSClientManagerOnline zip file from the ARCOS setup folder to the above drive location created i.e. <Drive>:\ARCON Solutions\ARCOSClientManagerOnline 3. Unzip the ARCOSClientManagerOnline file. 4. GotoStart button and type run. 5. In run window type ‘inetmgr’. The Internet Information Services (IIS) Manager window opens. 6. Click on the arrow sign of your <server name>. 7. Right click on the Sites and click on Add Web Site. 43 Installation and Configuration Guide | Version 4.8.5.0_U4 8. Enter the following details on the Add Web Site window: ▪ Site Name: ARCOSClientManagerOnline ▪ Physical Path: Select the path of where the ARCONClientManager folder is created. e.g. :\ARCON Solutions\ARCOSClientManagerOnline ▪ Type: https ▪ Port: 443 9. Click OK button. Install Certificate if applicable. 6.2.1 Import SSL Certificate for ARCON PAM Client Manager This topic provides information about how to Import SSL Certificate for ARCON PAM Client Manager provided by the client. Use the following steps to import certificate for ARCOSClientManagerOnline: 1. 2. 3. 4. 5. 6. 7. 8. Goto Start button and type run. In run window type ‘inetmgr’. The Internet Information Services (IIS) Manager window opens. Click on the arrow sign of your <server name>. Double click on the Server Certificate icon. The Internet Information Services (IIS) Manager window opens. 
5. In the Actions pane on the right, click Import. The Import Certificate window opens.
6. Click the ellipsis button next to Certificate file (.pfx) and select the certificate file from the directory.
7. Enter the Password of the .pfx file.
8. Click OK. The imported certificate is displayed on the Server Certificates page.

6.2.2 Create Self-Signed Certificate for ARCON PAM Client Manager

This topic describes how to generate a self-signed certificate for ARCON PAM Client Manager. A self-signed certificate is suitable for test installations only: browsers warn about it, and in production the Client Manager should use a certificate issued by the organisation's CA, imported as in 6.2.1. Use the following steps to create a self-signed certificate for ARCOSClientManagerOnline:
1. Click the Start button and type run.
2. In the Run window, type 'inetmgr'. The Internet Information Services (IIS) Manager window opens.
3. Click the arrow next to your <server name>.
4. Double-click the Server Certificates icon. The Server Certificates page opens.
5. In the Actions pane on the right, click Create Self-Signed Certificate. The Create Self-Signed Certificate window opens.
6. Specify a friendly name for the certificate, e.g. arcon.
7. Click OK. The self-signed certificate is displayed on the Server Certificates page.

6.2.3 Assign SSL Certificate to ARCON PAM Client Manager

This topic describes how to assign the imported or self-signed certificate to ARCON PAM Client Manager. Use the following steps to assign the certificate to ARCOSClientManagerOnline:
1. Click the Start button and type run. In the Run window, type 'inetmgr'. The Internet Information Services (IIS) Manager window opens.
2. In the Connections pane on the left, click the arrow next to Sites, then click the ARCOSClientManagerOnline icon.
3. To confirm or change the certificate used by the site, click Bindings in the Actions pane, edit the https binding on port 443 and pick the certificate in the SSL certificate list.
4. Double-click the SSL Settings icon.
5. On the SSL Settings page, select the Require SSL checkbox.
6. Under Client certificates, select the Accept radio button. Accept means IIS negotiates a client certificate when the browser offers one but does not require it; on its own it does not enforce client-certificate authentication.
7. In the Actions pane on the right, click Apply.
8. The message 'The changes have been successfully saved' pops up.

6.2.4 Application Pool Setting for ARCON PAM Client Manager

This topic describes how to configure the application pool for ARCON PAM Client Manager.

An application pool is a logical grouping of web applications that execute in a common worker process. It isolates web applications from each other for security, reliability, availability and performance, so that when one worker process or application has a problem or recycles, the applications in other pools are not affected. One application pool can have several worker processes; if every web application should execute in its own process, create an application pool for each. In other words, an application pool is a group of one or more URLs served by a worker process or a set of worker processes.

Use the following steps to assign application pool settings to the ARCOSClientManagerOnline component:
1. Click the Start button and type Run.
2. In the Run window, type 'inetmgr'. The Internet Information Services (IIS) Manager window opens.
3. In the left-hand pane, click Application Pools. The Application Pools page opens in the middle pane.
4. Click ARCOSClientManagerOnline in the Application Pools list.
5. In the Actions pane on the right, click Basic Settings. The Edit Application Pool window opens.
6. For .NET Framework version, select .NET Framework v2.0 from the drop-down list. On Windows Server 2012 the default pool uses v4.0; change it to v2.0 because the ARCON PAM application is built on .NET Framework 2.0. (v2.0 is the CLR version that .NET 2.0 and 3.5 applications run on, which is why the .NET Framework 3.5 feature from 6.1 must be installed.)
7. Click OK.
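The IIS Manager steps in 6.1 to 6.2.4 can also be carried out as one script. The following PowerShell is an added example written for this edition of the guide, not ARCON's own installer or code. It assumes Windows Server 2012 R2 or later with the WebAdministration module, that the ARCOSClientManagerOnline zip has already been extracted to the folder in $SitePath, and that it runs in an elevated session; the drive letter, host name and PFX path are placeholders. It installs only the IIS role services and .NET features the component needs rather than every IIS option, creates the v2.0 application pool, binds a certificate (the CA-issued PFX when present, otherwise a self-signed one for test installs only), creates the site with an HTTPS-only binding on 443, sets Require SSL with client certificates on Accept, and prints the result so the configuration can be checked without a browser.

```powershell
# Added example for this guide, not ARCON's own code: scripted equivalent of
# the IIS Manager steps in 6.1-6.2.4. Run in an elevated PowerShell session.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

# Assumed values; change them to match the installation.
$SiteName = 'ARCOSClientManagerOnline'
$SitePath = 'D:\ARCON Solutions\ARCOSClientManagerOnline'   # drive letter assumed
$HostName = 'pam.example.internal'                            # assumed host name for the certificate
$PfxPath  = 'C:\ARCON Solutions\certs\pam.pfx'                # assumed location of the CA-issued certificate

# 1. Roles and features (6.1, 6.4.1): only the role services the component needs,
#    instead of every IIS option except FTP. NET-Framework-Core is .NET 3.5 (CLR 2.0),
#    which the v2.0 application pool below depends on. Desktop-Experience exists only
#    on Windows Server 2012/2012 R2, so it is added only where the feature is known.
$features = @(
    'Web-Server', 'Web-Static-Content', 'Web-Default-Doc', 'Web-Http-Logging', 'Web-Filtering',
    'Web-Net-Ext', 'Web-Net-Ext45', 'Web-Asp-Net', 'Web-Asp-Net45',
    'Web-ISAPI-Ext', 'Web-ISAPI-Filter', 'Web-Mgmt-Console',
    'NET-Framework-Core', 'NET-Framework-45-Core', 'Telnet-Client'
)
if (Get-WindowsFeature | Where-Object Name -eq 'Desktop-Experience') { $features += 'Desktop-Experience' }
Install-WindowsFeature -Name $features | Out-Null
Import-Module WebAdministration

# 2. Application pool (6.2.4): CLR v2.0 because the application targets .NET 2.0;
#    the built-in ApplicationPoolIdentity keeps it out of any shared service account.
if (-not (Test-Path "IIS:\AppPools\$SiteName")) { New-WebAppPool -Name $SiteName | Out-Null }
Set-ItemProperty "IIS:\AppPools\$SiteName" -Name managedRuntimeVersion -Value 'v2.0'
Set-ItemProperty "IIS:\AppPools\$SiteName" -Name processModel.identityType -Value 'ApplicationPoolIdentity'

# 3. Certificate (6.2.1 / 6.2.2): import the CA-issued PFX when present; otherwise
#    create a self-signed certificate, acceptable for test installs only because
#    every browser (and the license registration step) will warn about it.
if (Test-Path $PfxPath) {
    $pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
    $cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPassword
} else {
    Write-Warning 'No PFX found; creating a SELF-SIGNED certificate (test installs only).'
    $cert = New-SelfSignedCertificate -DnsName $HostName, 'localhost' -CertStoreLocation Cert:\LocalMachine\My
}

# 4. Site (6.2 step 8): one HTTPS binding on 443 and no HTTP binding at all.
if (-not (Test-Path "IIS:\Sites\$SiteName")) {
    New-Website -Name $SiteName -PhysicalPath $SitePath -ApplicationPool $SiteName -Port 443 -Ssl | Out-Null
}
$binding = Get-WebBinding -Name $SiteName -Protocol https
$binding.AddSslCertificate($cert.Thumbprint, 'my')

# 5. SSL Settings (6.2.3): 'Ssl' = Require SSL; 'SslNegotiateCert' = client certificates
#    "Accept" (negotiated if offered, never required). Use 'Ssl,SslRequireCert' instead
#    if clients must present a certificate.
Set-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName" -Filter 'system.webServer/security/access' `
    -Name sslFlags -Value 'Ssl,SslNegotiateCert'

# 6. Check the result (6.2.5) without a browser: binding, certificate, SSL flags and pool runtime.
Get-WebBinding -Name $SiteName | Format-Table protocol, bindingInformation, certificateHash -AutoSize
Get-WebConfiguration -PSPath "IIS:\Sites\$SiteName" -Filter 'system.webServer/security/access' | Select-Object sslFlags
Get-ItemProperty "IIS:\AppPools\$SiteName" | Select-Object name, managedRuntimeVersion, state
```

On Windows Server 2012 the .NET 3.5 payload may be missing from the side-by-side store, in which case add -Source pointing at the sources\sxs folder of the installation media to the Install-WindowsFeature call. The script leaves client certificates at Accept to match 6.2.3; that setting alone does not authenticate users, it only lets a browser that has a certificate present it.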
6.2.5 Test ARCON PAM Client Manager component on IE Browser

This topic describes how to test the ARCON PAM Client Manager Online component in Internet Explorer. Use the following steps to test the ARCOSClientManagerOnline component in the IE browser:
1. Open the IIS Manager window.
2. In the left-hand pane, right-click ARCOSClientManagerOnline and select Manage Web Site > Browse.
3. The Client Manager web page opens in Internet Explorer.

6.3 Configure ARCON PAM User Access Log Viewer Web Component

This section describes how to configure ARCON PAM User Access Log Viewer Web, assign its application pool settings and test the web component configuration in a browser.

The ARCON PAM User Access Log Viewer Web, or Video Log Viewer Web, component is used to view the video logs captured by the ARCON PAM application. The Log Viewer Web folder resides on the Vault Server (database server). In a single-server scenario all web components are installed on that one server; in an actual implementation the App server is separate from the Vault server.

Use the following steps to configure the ARCON PAM User Access Log Viewer Web component:
1. Create the ARCOSUserAccessLogViewerWeb folder under the ARCON Solutions path, e.g. <Drive>:\ARCON Solutions\ARCOSUserAccessLogViewerWeb.
2. Copy the ARCOSUserAccessLogViewerWeb zip file from the ARCOS setup folder to the location created above, i.e. <Drive>:\ARCON Solutions\ARCOSUserAccessLogViewerWeb.
3. Unzip the ARCOSUserAccessLogViewerWeb file. The video logs are stored in this folder, so the drive needs sufficient space (minimum 1 TB for high-quality recordings) and the server administrator must have rights to this path. Because the folder holds session recordings, restrict its NTFS permissions to administrators and the identity of the site's application pool.
4. Click the Start button and type run.
5. In the Run window, type 'inetmgr'.
6. The Internet Information Services (IIS) Manager window opens. Click the arrow next to your <server name>.
7. Right-click Sites and click Add Web Site.
8. Enter the following details in the Add Web Site window:
   ▪ Site Name: ARCOSUserAccessLogViewerWeb
   ▪ Physical Path: select the path where the ARCOSUserAccessLogViewerWeb folder was created.
   ▪ Site Type: http
   ▪ IP Address: All Unassigned
   ▪ Port: 8181
   Click OK. This site is created over plain HTTP on port 8181; because it serves session recordings, either make it reachable only from the application server or give it an HTTPS binding and certificate in the same way as the Client Manager site (6.2.1 to 6.2.3).

6.3.1 Application Pool Setting for ARCON PAM User Access Log Viewer Web

This topic describes how to configure the application pool for the ARCON PAM User Access Log Viewer Web component. Use the following steps to assign application pool settings to the component:
1. Click the Start button and type run.
2. In the Run window, type 'inetmgr'. The Internet Information Services (IIS) Manager window opens.
3. In the left-hand pane, click Application Pools. The Application Pools page opens in the middle pane.
4. Click ARCOSUserAccessLogViewerWeb in the Application Pools list.
5. In the Actions pane on the right, click Basic Settings. The Edit Application Pool window opens.
6. For .NET Framework version, select .NET Framework v2.0 from the drop-down list. On Windows Server 2012 the default pool uses v4.0; change it to v2.0 because the ARCON PAM application is built on .NET Framework 2.0.
7. In the Actions pane on the right, click Advanced Settings. The Advanced Settings window opens. Set:
   ▪ Enable 32-Bit Applications: True. This lets the 32-bit application run on a 64-bit machine.
   ▪ Load User Profile: True. Load User Profile isolates the web application's temporary files. When it is False (the user profile is not loaded), the application uses C:\Windows\Temp as its temporary directory.
Other application pools with the setting at False use that same C:\Windows\Temp folder. When the option is True, the temporary directory moves from the Windows temporary folder to the pool identity's profile, i.e. C:\Users\<apppool user>\AppData\Local\Temp, so pools do not share temporary files.

6.3.2 Test ARCON PAM User Access Log Viewer Web component on Browser

This topic describes how to test the ARCON PAM User Access Log Viewer Web component in Internet Explorer. Use the following steps:
1. In the IIS Manager window, in the left-hand pane, right-click ARCOSUserAccessLogViewerWeb and select Manage Web Site > Browse.
2. The web page opens in the Internet Explorer browser.

6.4 Database (DB) Settings Creation

This section describes how to create the DB settings for ARCON PAM Client Manager. Use the following steps:
1. Go to the <Drive>:\ARCON Solutions\ARCOSClientManagerOnline\DBSetting folder.
2. Double-click the 'ARCOSDBSettingCreator.exe' file.
3. The ARCON PAM Database DBSettings.ini File Creator window opens. Enter the following Connection Details (Primary):
   ▪ Server IP: IP address of the server where the database is located
   ▪ Server Port: port on which the ARCON PAM database listens (default 1433)
   ▪ Server Name: name or IP address of the SQL Server instance
   ▪ User Name: the SQL Server login created for ARCON PAM (section 5.3)
   ▪ User Password: the password of that login
4. Click Generate ini File. The DBSetting.ini file is generated inside the DBSetting folder. It holds the database connection credentials, so restrict its NTFS permissions to administrators and the ARCOSClientManagerOnline application pool identity.

6.4.1 Enable IIS Server on Web Server (Windows Only)

If you are installing ARCON PAM Privilege Identity Management on Windows Server 2012 or above, you must enable the IIS server role. The procedure below shows how to enable IIS on Windows Server 2012 and above.
To enable IIS on a web server running Windows Server 2012 or above:
• Open Windows Server Manager.
• In the Dashboard, click Add roles and features, then click Next.
• Select the Role-based or feature-based installation radio button and click Next.
• Select the Select a server from the server pool radio button and click Next.
• Select the Web Server (IIS) checkbox and click Next.
• Click Next.
• Select all IIS role services except FTP and click Next. Every role service enabled is additional code exposed on the web server; if you know which services the components use, select only those.
• Click Install.
• Click Finish. A server reboot is recommended.

6.5 License Registration and Login

This section describes license registration and logging in to ARCON PAM Server Manager.

6.5.1 ARCON PAM Server License Registration

If you are registering ARCON PAM for the first time, follow these steps on the Application Server:
1. Click the Start button and type run.
2. In the Run window, type 'inetmgr'. The Internet Information Services (IIS) Manager window opens.
3. Click the arrow next to your <server name>.
4. Click the arrow next to Sites.
5. Double-click ARCOSClientManagerOnline.
6. In the Actions pane on the right, under Browse Web Site, click the Browse *:443 (https) link.
7. The ARCON PAM URL https://localhost/ opens.
8. Click the Continue to this website (not recommended) link. This warning appears because the site uses the self-signed certificate from 6.2.2, or because the certificate name does not match localhost; with a CA-issued certificate browsed by its proper host name there is no warning.
9. The ARCON PAM License Registration screen pops up.
   A] Register using License Key:
   ▪ Enter the 25-digit key in the License Key text boxes.
   ▪ Select the validity dates in the Valid From and Valid To fields.
   OR
   B] Register using License Text:
   ▪ Enter the alphanumeric key in the License Text text box.
   ◦ When you register using License Text, the license validity is updated automatically in the backend.
   ◦ The license key or license text is provided by the ARCON team.
10. Click OK. A "Registration Key updated" message pops up on successful registration.
11. Click OK. The ARCON PAM Domain Registration screen pops up.
To register the domain, read the Domain Creation topic (6.5.2).

6.5.2 Domain Creation

In ARCON PAM the Administrator can create a domain in two ways:
1. AD Integration (LDAP / LDAP SSL)
2. ARCOSAUTH Local Repository Creation

6.5.2.1 AD Integration (LDAP or LDAP SSL)

This topic describes how to enter the domain details in the Domain Registration pop-up window. After the correct license key is entered, the Domain Registration window pops up and the Administrator enters the details of the domain. The domain created is an Active Directory domain reached over the LDAP or LDAP SSL protocol. Prefer LDAP SSL where the domain controllers support it: with plain LDAP the credentials entered here, and the passwords of users who later authenticate through this domain, cross the network unencrypted.

Use the following steps to enter the domain details in the Domain Registration pop-up window:
1. Enter the following details in the ARCON PAM Domain Registration screen:
   ▪ Domain Server name.
   ▪ Domain Name.
   ▪ Domain Extension, e.g. COM, CO.
   ▪ Application Administrator name. This Application Admin is the first user to enter ARCON PAM Server Manager and has all privileges.
   ▪ Domain Password. This is the password with which that account logs on to the domain (or to the standalone system).
   ▪ Confirm Password.
   ▪ Click Finish.
2. The message "Authentication Successful. Application will close now" pops up on successful domain registration.
3. Click OK. The ARCON PAM portal appears on screen.

6.5.2.2 ARCOSAUTH Local Repository Creation

The second way to create the domain is to run, at the backend, the SQL script provided by the support team. The script contains the complete default configuration of the ARCOSAUTH (Local Repository) domain. This topic describes how to create the domain by running that script.
The first user created is ARCOSADMIN, and it has all privileges. Use the following steps to create the ARCOSAUTH Local Repository:
1. Open SQL Server Management Studio.
2. Copy the script into the query window.
3. Select the ARCOSDB database from the Available Databases drop-down list.
4. Click Execute. The query runs successfully and the local domain ARCOSAUTH is created.
5. Log in to the ARCON PAM portal. The user name and password for the ARCOSAUTH domain are provided by the support team; change this password at first login, since it is a default known outside your organisation.

6.5.2.3 ARCON PAM Portal Login

After successful domain registration, log in to the ARCON PAM portal with the domain details you entered during registration. Follow these steps to log in to the ARCON PAM portal (Server Manager):
1. Enter the User Name, i.e. the Application Admin or first user name you entered in the Domain Registration window. This user has all privileges of the Server Manager.
2. Enter the Password, i.e. the Domain Password you entered in the Domain Registration window.
3. The Domain name is selected automatically the first time.
4. Click Login. The ARCON PAM Server Manager application opens.

7 Secure Gateway Configuration

This chapter describes how to configure a secure gateway and map it to a Windows, UNIX or Linux server. It discusses the following topics:
• Windows Server (using Bitvise)
• UNIX / Linux Server

7.1 With Windows Server (Using Bitvise)

Bitvise SSH Server supports all desktop and server versions of Windows, 32-bit and 64-bit, from Windows XP SP3 and Windows Server 2003 up to the most recent at the time of writing, Windows 10 and Windows Server 2016.
Bitvise SSH Server supports the following SSH services:
• Secure remote access via console (vt100, xterm and bvterm supported)
• Secure remote access via GUI (Remote Desktop or WinVNC required)
• Secure file transfer using SFTP and SCP (compatible with all major clients)
• Secure, effortless Git integration
• Secure TCP/IP connection tunneling (port forwarding)

Installing Bitvise SSH Server

Step 1: Download the Bitvise SSH Server setup. Download the setup file (about 14 MB) from https://www.bitvise.com/ssh-server-download.

Step 2: Run the downloaded Bitvise installer. Make sure you have Administrator privileges on the server/computer where you run the setup.

Step 3: Welcome page
1. Read the terms and conditions and, if you agree, select the I agree to terms and conditions checkbox.
2. Select Install new Bitvise SSH Server instance and, under it, Install new default instance. To give the instance a name instead, select Install new named instance and provide a name for the new Bitvise instance.
3. Provide the installation location.
4. Select Run Bitvise SSH Server Control Panel when done to launch the control panel when installation completes.

Step 4: Select Standard Edition
1. Standard Edition runs free for 30 days, after which a license must be purchased.
2. Click OK to start the installation.

Step 5: Complete the installation
1. Once installation is complete, a completion window is shown.
2. Click OK and restart the server/computer once.
3. After the restart,
a service named "Bitvise SSH Server" is listed in services.msc.

Configuring Bitvise SSH Server

Step 1: Open the Bitvise SSH Server Control Panel from the Start menu.

Step 2: Configure Easy Settings. Click Open Easy Settings.
1. Select the IP versions for the listening port: IPv4 and IPv6.
2. Listening port: 22 (or any other customised port on which the Bitvise SSH component is to listen).
3. Go to the second tab, Windows accounts. Here you can configure a local Windows account for Bitvise.
4. Go to the third tab, Virtual accounts. Here you can create an account for Bitvise SSH Server.
5. Click Add and create an account:
   a. Virtual account name: account name for Bitvise SSH Server (e.g. arcosshadmin)
   b. Virtual account password: set a password for the account
   c. Select Login allowed
   d. Select Allow file transfer
   e. Shell access type: Command Prompt
   f. Select Allow port forwarding
   g. Virtual filesystem layout: Allow full access
   These settings give the gateway account a shell and full file-system access in addition to port forwarding. If ARCON PAM only tunnels through this account (as in the freeSSHd configuration in 7.1.1, which enables Tunneling only), set the shell access type to no shell access, clear Allow file transfer and keep only Allow port forwarding.

Step 3: Configure Advanced Settings. Click Edit Advanced Settings and select the required algorithms.

7.1.1 Installing freeSSHd

This topic describes how to install freeSSHd, the SSH server shipped in the ARCON PAM setup folder as an alternative to Bitvise. Follow these steps to install freeSSHd:
1. Open the ARCON PAM setup folder provided by the support team.
2. Browse to the Basic Supported Files folder and open the freeSSHd (SSH Server) folder.
3. Double-click the freeSSHd setup file to start the installation.
4. Complete the installation by accepting the defaults, clicking Next all the way through.
5. If prompted to create private keys, click Yes.
6. A message window "Do you want to run FreeSSHd as a system service" pops up.
7. Click Yes.
8.
Click Finish to complete the freeSSHd installation.

Configuration Steps

Follow these steps to configure freeSSHd:
1. Run freeSSHd from the desktop icon or from Start > All Programs > freeSSHd.
2. Right-click the freeSSHd icon in the system tray next to the clock and select Settings.
3. On the SSH tab, set the SSH listen port to 22.
4. The Server status tab shows the service status.
5. The Telnet tab shows the Telnet service configuration for ARCON PAM.
6. The SSH tab shows the SSH service configuration.
7. The Authentication tab shows the authentication configuration.
8. The Encryption tab shows the encryption configuration for ARCON PAM.
9. The Tunneling tab shows the tunneling configuration for ARCON PAM.
10. The SFTP tab shows the SFTP configuration for ARCON PAM.
11. The Users tab is where the ARCON PAM user is created. Select only the Tunneling option; Shell and SFTP do not need to be selected.
12. The user status then shows a green mark under Tunnel, because only tunneling was selected, and red marks under Shell and SFTP.
13. The Host restrictions tab shows the host restriction configuration for ARCON PAM.
14.
The Logging tab shows the logging configuration for ARCON PAM.
15. The Online users tab shows the online users for ARCON PAM.
16. The Automatic updates tab shows the automatic update configuration for ARCON PAM.

7.2 With UNIX/Linux Server

SSH provides a secure channel over an unsecured network in a client-server architecture, connecting an SSH client application with an SSH server. Common applications are remote command-line login and remote command execution, but any network service can be secured with SSH.

7.2.1 Configure Secure Gateway Server

This section helps you configure the Secure Gateway Server. Use the following steps:
1. Log in to the ARCON PAM Secured Server with root (or root-equivalent) access.
2. Using the vi editor, open the sshd_config file in /etc/ssh/.
3. Set AllowTcpForwarding to yes. OpenSSH's built-in default is yes, but hardened builds and many baselines set it to no, and the shipped file usually carries it as a commented line; a line beginning with # is a comment, so remove the # when you edit it.
4. Set UseDNS to no.
5. Save the file with ZZ or :wq, then restart or reload the sshd service so the change takes effect.
6. Add the arcossshadmin user and set a complex password. This account is used as the ARCON PAM Gateway Server user within ARCON PAM. Since ARCON PAM only needs to forward ports through it, the same tunnel-only restriction applied to the freeSSHd user in 7.1.1 can be expressed in sshd_config with a Match User arcossshadmin block that keeps AllowTcpForwarding yes but sets PermitTTY no and a ForceCommand that exits immediately.
7. The user is created and updated.

7.3 Supporting ARCON PAM Windows Components

ARCON DeskInsight: ARCON DeskInsight is used for managing laptop/desktop passwords and connections between local systems.

ARCON DeskInsight Master: ARCON DeskInsight Master provides a full and accurate scan of all your network devices, including Windows servers and desktop machines.
If a device is on your network and in the same OU in AD, this service can find it. It is used to fetch data from the AD server.

ARCON Folder Sync Service: ARCON Folder Sync Service synchronises data from a source server to a destination server at a configured interval; it can synchronise video logs, text files, images, etc. It is designed to save time setting up and running backup jobs while giving visual feedback along the way. As an ARCON PAM Windows component it is used to replicate the data in a folder from one server to another.

ARCOS Alert Service: ARCOS Alert Service sends alerts according to the criteria or requirements defined in the application, i.e. whenever a particular action is triggered or a condition is satisfied, the alert is sent to the administrator.

ARCOS DB Sync Service: ARCOS deployments keep multiple environments for redundancy, and some setups use SQL Server Express edition, which does not support replication, mirroring or log shipping. ARCON provides this tool to overcome that limitation.

ARCOS Log Archiver Service: ARCOS Archival Service is installed on the ARCOS server to archive video logs in a playable video format. The logs are converted and archived into viewable video formats for transfer, sharing or audit logging. They are stored in .avi format, can be viewed with the built-in Windows Media Player, and can be retained for the audit trail and data retention.

ARCOS Log Manager Service: ARCOS Log Manager Service is the Windows component that converts the binary video logs in the database into encrypted video logs on the local drive.

ARCOS PerfMonIT: monitors the performance of ARCOS servers (ARCOS Server Performance Monitor). This Windows component is used to check the hardware/software details of the servers.

ARCOS SIEM Connector Service: ARCOS SIEM Connector Service is an ARCON PAM component that writes unencrypted data to the database tables related to SIEM.
ARCOS SPC Service: ARCOS SPC Service is an ARCON PAM Windows component that changes passwords automatically on a schedule.

ARCOS VPC Service: ARCOS VPC Service is an ARCON PAM Windows component that changes the password of a service after a user has viewed it.

ARCOS Staging Log Sync Service: ARCOS Staging Log Sync Service is an ARCON PAM Windows component that sends video logs from the staging server to the centralised location.

ARCOS TS Plugin: ARCOS TS Plugin is an ARCON PAM Windows component that restricts or elevates processes on a target Windows device.

ARCON PAM Windows Vaulting Service: ARCON PAM Vaulting Service performs the following actions:
1. Privileged ID password discovery.
2. Password change for Windows-type devices.
The WinPWD component has been updated and renamed ARCON PAM Windows Vaulting Service.

ARCOSADScannerService: this service scans Active Directory and fetches user and device details.

ARCOSUserOnboardingService: this service automatically onboards or deboards users and devices, using the user and device details scanned from Active Directory by ARCOSADScannerService.

8 LOB or Profile Master

In ARCON PAM there are two types of user: domain users and local users. Domain users exist in Active Directory and are authenticated against it, whereas local users exist locally. Login credentials are authenticated according to the domain name specified during login, and LOBs are created and fetched according to that domain name.

Once the LOBs are created, ARCON PAM follows a maker-checker principle for authorisation. The maker-checker principle applies to each request made by a user; it requires at least two Administrators, one to make the request and one to confirm or authorise it.
While one Administrator may create a user, the other Administrator is involved in confirming or authorising it.

Once users are created, services are added for them. A service is an instance of a server: assume there are four users on a Windows server, such as Administrator, SYS, TEST and UAT. Each user has a unique service, which gives the Administrator proper control over the service mapped to a particular user, and so a user-wise audit trail for each action performed through ARCON PAM. Because Administrators manage services, they must be assigned the Add Service privilege to create, delete or update a service.

After creating the services, the Administrator creates user groups and server groups, maps user groups to users and server groups to services, and then maps the server groups to the user groups. For this mapping the Administrator must be assigned the Assign Service Group To User Group privilege.

Services are then mapped to users. The connections are established in the Map Users / Services screen; the Administrator must be assigned the Assign Service To User privilege to map services to a user. Services are assigned to a user based on the services available in the server group of which the user's user group is a member. To assign an existing or newly created service to one or more users, map services to multiple users. This screen also lets the Administrator restrict commands for the user.

The next step is to map users to a LOB by mapping user groups to the LOB. When a LOB is assigned to a user group, the users in that user group can be mapped to the services assigned to that LOB. To assign a LOB to a user group, the Administrator must have the Assign LOB To User Group privilege. Next map services to the LOB; to assign a LOB to a service, the Administrator must have the Assign LOB To Service privilege.
Next map service group(s) to the LOB. When a LOB is assigned to a service group, the services in that service group can be mapped to the users of that LOB. To assign a LOB to a service group, the Administrator must have the Assign LOB To Service Group privilege.

The Administrator can create multiple LOBs and map them in this way. For more detail about the process, refer to the ARCON PAM Administrative Guide.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means such as electronic, mechanical, photocopying, recording, or otherwise without permission.