Non-root IDM Installation using Privileged Account Manager

0 Likes
over 4 years ago

The main objective of this article is to give a step by step procedure to install and configure the IDM 4.6 as non-root / non-administrator user on Linux/Windows operating systems.

Requirements:

Below are some requirements to be fulfilled.

    • Privileged Account Manager (PAM) 3.1 should be installed on Linux OS.




    • Non-root user account at PAM machine should be active. Ex: “nonadmin”.






Introduction

A privileged user is someone who has administrative access to critical systems. For instance, anyone who can set up and delete user accounts and roles on LDAP is a privileged user, in our case we will make non-root user / non-admin user as a privileged user by giving them administrative access.

Like any privilege, a privileged account should only be extended to trusted people. You only give accounts with “root” privileges (like the ability to change system configurations, install software, change user accounts or access secure data) to those that you trust.

NetIQ Privileged Account Management (PAM) helps IT administrators manage the identity and access for super user, root accounts, and application users by providing controlled super user/privileged access to administrators, allowing them to perform jobs without needlessly exposing root account credentials. It also provides a centralized activity log across multiple platforms.

Please refer to the PAM Documentation https://www.netiq.com/documentation/privileged-account-manager-3/

    • Secure shell relay (SSH relay) is a feature in PAM that enables delegation of privileged credentials. This feature makes use of the underlying SSH functionality of Unix/Linux systems to provide privileged access and monitoring of the activities after the delegation.

 

    • Remote Desktop Protocol Relay (RDP Relay) feature offers Single Sign-on capability and remote access to desktops through a secured connection. In a privileged session, an administrator user who is allowed to access various devices can sign on to many managed devices from a single workstation without knowing the authentication passwords of those devices.



Creation of Privileged Account


A privileged account is someone who already has administrative access to critical systems but those credentials cannot be shared. Ex: system root and system administrators.

Before we can integrate PAM to use the authentication domain, the account domain details need to be added to the PAM manager. The PAM manager supports creation of the account domain under the command control console installed as part of default manager installation.

To create the privileged accounts in PAM, follow the steps below:

The various steps to add the authentication account domain to PAM are as follows:

    1. Go to PAM Home->Enterprise Credential Vault ->SSH.

 

    1. Now choose the option, Add Account Domain to add a new account domain to the PAM manager framework.

 

    1. Provide all the details as shown in the picture below. Name and SSH host should target machine IP address.



image 1

    1. Provide all the details as shown in the picture below. Name should be domain name and LDAP URL should be target machine IP address.



image 2

By this we are storing the Target machine root / administrator level user credentials, in PAM in a secured and encrypted manner.

Creation of Command Control Rule


After adding the Privileged account details, the next step is to create rules in Command Control so that authorization to access the SSH relay / RDP Relay host is given based on the rule. This can be achieved by following the steps below:

    1. Go to Home/Command Control -> Rules.
      Choose Add rule option from the left panel and add 2 rules "Root access rule" and "Admin access rule".

 

    1. For Linux, Modify Root access rule, Set Session capture to “On” and Authorize to Yes and Stop, Select credential as root@164.99.90.192 and run user as root.
      For Windows, Modify “Admin Access Rule, Set Session capture to On and Authorize to Yes and Stop, Select credential as administrator@ 164.99.162.135 and run user as administrator.



How to Execute Rules


After adding the Privileged account details and rules, the next step is to execute the commands. Follow the steps below:

For Linux:

    • Connect to the any Linux machine using SSH client and login as non-root user.

 

    • On the shell prompt execute "ssh –X -t -p 2222 admin@<PAM_Manager_IP_address> command and press enter, you would be asked to provide PAM Manager console password, provide that and press enter.

 

    • You would be asked to select the rule, select the rule and NOW you are "root user" at target machine (where IDM 4.6 installation needs to be done).

 

    • Please proceed with IDM ISO installation.



For Windows:

    • Access https:// PAM_Manager_IP_address/myaccess page.

 

    • Login with PAM credentials

 

    • Under privileged session, select the rule and the user will be connected to the target machine "as administrator" (where IDM 4.6 installation needs to be done).



Root level user credentials are not required each and every time, it will be useful during POCs and installing IDM 4.6 as a non-root user.

Labels:

How To-Best Practice
Support Tip
Comment List
Anonymous
Related Discussions
Recommended