Kron PAM Server Configuration
1. Update the CORS configuration in web.xml.

   Linux CLI:

   ```bash
   [root@pam ~]# sudo vi /pam/gui/conf/web.xml
   ```

2. Locate and update the following lines.

   Linux CLI:

   ```xml
   /cors
   …
   <param-name>cors.allowed.origins</param-name>
   <param-value>{RAP URL}</param-value>   e.g., https://remote.cloudpam.com
   …
   ```

   Using the wildcard (`*`) allows access from every origin and is not recommended for production environments.

3. Set the necessary and optional parameters to configure Kron PAM Remote Privileged Access Management. The following parameters are defined on the System Config Man screen of the Kron PAM Web GUI.

   Necessary parameter:

   | Parameter name | Default parameter value | Description |
   |---|---|---|
   | rap.cloud.server | http://localhost:7777/connect | This parameter defines the Remote Access Portal (RAP) address. It can be defined as a URL with an IP (e.g., https://34.234.69.53/connect) or as a URL with a domain name (e.g., https://cloudpam.com/connect). |

   Optional parameters:

   | Parameter name | Default parameter value | Description |
   |---|---|---|
   | rap.rdp.session.duration.limit.warning.before.min | 1 | This parameter defines how many minutes before the RDP session expires the timeout warning is sent. |
   | rap.ssh.session.duration.limit.warning.before.min | 1 | This parameter defines how many minutes before the SSH session expires the timeout warning is sent. |
   | rap.http.session.duration.limit.warning.before.min | 1 | This parameter defines how many minutes before the HTTP container session expires the timeout warning is sent. |
   | rap.token.expiration.period | 1 | This parameter indicates the lifespan of a token and is used to prevent the creation of long-term invitation links. |
   | rap.client.otp.enabled | false | This parameter defines whether the MFA feature is used during the login process of RPAM. |
   | rap.passcode.characters.count | 8 | This parameter defines how many characters the passcode contains. Its value must be numeric, and the default is 8. If the system admin sets this parameter to 4 or fewer, the passcode is created with 4 characters. |
   | rap.passcode.only.numeric.text | false | This parameter's value must be a boolean, and the default is false. If it is set to true, the passcode contains only numeric characters; if it is set to false, the passcode is alphanumeric. |

   Optional parameters for the SMS feature in Kron PAM Remote Privileged Access Management:

   | Parameter name | Example parameter value | Description |
   |---|---|---|
   | rap.sms.http.url | https://api.xxxxxxx.com/v1/send-sms | This parameter defines the URL of the SMS service used to send SMS over HTTP for Kron PAM Remote Privileged Access Management tokens. |
   | rap.sms.http.body | (see the example HTTP body below) | This parameter defines the SMS message content when the HTTP protocol is used for Kron PAM Remote Privileged Access Management tokens. |
   | rap.sms.smpp.body (alternative to the previous parameter) | {example SMPP body} | This parameter defines the SMS message content when the SMPP protocol is used for Kron PAM Remote Privileged Access Management tokens. |
   | rap.sms.http.headers | Content-Type: text/xml | This parameter defines the headers included in the SMS request for Kron PAM Remote Privileged Access Management tokens. |
   | rap.sms.http.encoding | UTF-8 | This parameter defines the character encoding used in the SMS for Kron PAM Remote Privileged Access Management tokens. |
   | rap.sms.http.method | POST or GET | This parameter defines the HTTP method used to send the SMS for Kron PAM Remote Privileged Access Management tokens. |
   | rap.sms.http.delimiter | & | This parameter defines the delimiter character used in the SMS request for Kron PAM Remote Privileged Access Management tokens. |
   | rap.sms.channel | HTTP or SMPP | This parameter defines the SMS channel type for Kron PAM Remote Privileged Access Management tokens. |

   Example value of rap.sms.http.body (the placeholders %usereid%, %passcode%, %connurl% and %phonenumber% are filled in by Kron PAM at send time):

   ```xml
   <request><authentication><username>11111111</username><password>2222222</password></authentication><order><sender>kron</sender><senddatetime></senddatetime><message><text><![CDATA[Dear %usereid%, please use the passcode below during the login phase of your Kron PAM Remote Privileged Access Management connection. Passcode: %passcode% Kron PAM Remote Privileged Access Management connection (access on web browser): %connurl%]]></text><receipents><number>%phonenumber%</number></receipents></message></order></request>
   ```

4. Set the users to have at least the following portal functions in order to list devices on the Remote Access Portal and make sessions through them:

   - Single Connect RDP Client ModuleVisibility
   - Single Connect CLI ModuleVisibility
   - Remote Access Config ModuleVisibility
   - Desktop Device Group ModuleVisibility (not required for Remote Privileged Access Management, but needed if the user lists the devices on the Kron PAM GUI or Desktop Client)

   Check whether Secure Boot is enabled before the installation by running the `mokutil --sb-state` command. If Secure Boot is enabled, it might cause an error during the WireGuard installation; please disable it to continue the installation!

   Firewall rules that must be configured on the network-level firewall protecting the network segment where the Kron PAM server is deployed. The following rules apply to the network firewall in front of the Kron PAM server, not to any host-based firewall running on the Kron PAM server itself.

   Required firewall rules on the network firewall protecting the PAM server:

   1) HTTPS traffic from the Remote Access Portal to the PAM server (TCP): allow the PAM server to receive HTTPS traffic from the Remote Access Portal over the WireGuard tunnel.
   2) WireGuard tunnel traffic from the portal (UDP): allow the PAM server to communicate with the Remote Access Portal over WireGuard.

   Stateful network firewall (recommended and most common): stateful firewall examples include enterprise and cloud firewalls such as Palo Alto Networks, FortiGate, Check Point, Cisco ASA/FTD, Juniper SRX, and AWS Security Groups.

   Required rule:

   Stateless network firewall: in stateless firewall environments, traffic is evaluated per packet and connection state is not tracked.

   Required rules:

5. Download the Kron PAM server's installation script on the Kron PAM server. The support team can provide the installation script. After downloading it, unzip the Kron PAM server's installation script on the Kron PAM server. You can use the unzip command to extract the files from the downloaded archive.

   Linux CLI:

   ```bash
   [root@kron ~]# unzip rap-onpam-1.4.0.zip
   ```

   If the error `bash: unzip: command not found` is shown, install the unzip package with the `sudo dnf install -y unzip` command.

   If for some reason the user needs to start the script again (for example because of wrong input or a missing file), remove all installation files except the compressed Kron PAM server installation script archive, unzip the archive again, and only then execute the script. We highly recommend this method, since the extracted files might be modified by the first script execution, and continuing to run the script with modified files might cause a problematic installation!

6. Navigate to the pam directory.

   Linux CLI:

   ```bash
   [root@kron ~]# cd pam/
   ```

7. Run the configuration script.

   Linux CLI:

   ```bash
   [root@pam ~]# sh configure.sh
   ```

   If you need to set script permissions to execute it, run the `chmod +x configure.sh` command. You need root privileges to run this script.

8. The Kron PAM server's installation script asks the user to choose one of the following options:

   a. For the first-time installation on the Kron PAM server, the WireGuard configuration on the Kron PAM server should be configured from scratch, so the first option should be selected by entering 1 and pressing the Enter key. The Kron PAM server's installation script then asks for several configuration details:

      - the WireGuard IP address that will be assigned to the Kron PAM server's side,
      - the AWS public IP address of the Remote Access Portal (RAP) environment,
      - the port number of WireGuard,
      - the IP segment of WireGuard,
      - a public key generated by the Remote Access Portal (RAP)'s script.

      | Description | Example values |
      |---|---|
      | WireGuard IP address that will be assigned to the Kron PAM server's side | 10.0.0.2 |
      | AWS public IP address of the Remote Access Portal (RAP) environment | 107.22.27.29 |
      | The port number of WireGuard | 51820 |
      | The IP segment of WireGuard | 10.0.0.0/29 |
      | WireGuard IP address assigned to the Remote Access Portal | 10.0.0.1 |
      | A public key generated by the Remote Access Portal (RAP)'s script | 9lbf3tzer8t3reshotftb+srqd5jrqa0jhdnbizkvfa= |

      After every information field is filled in, press y to continue. If you fail to fill in every field successfully (missing or wrong info), press n to re-enter the information.

      When the Kron PAM server's installation script asks the user to enter the public key, and the user does not yet know the public key generated by the Remote Access Portal (RAP)'s installation script, the user can set a temporary public key for now (e.g., 9lbf3tzer8t3reshotftb+srqd5jrqa0jhdnbizkvfa=). Please do not forget to set the real public key by using the Kron PAM server's installation script (please check 7.b in the section below) after the Remote Access Portal (RAP)'s installation script generates a public key.

      At the end of the Kron PAM server's installation script, the public key generated by this script is ready to use on the Remote Access Portal (RAP) environment (e.g., ha3ebu4klphptxk86b+legmq6mgqyicpk+umg1ezyd8=). Please do not forget to add this key to the Remote Access Portal (RAP) environment by using the Remote Access Portal (RAP)'s installation script (see Remote Access Portal (RAP) Configuration).

   b. Once the Kron PAM server's WireGuard configuration has been fully installed, only one configuration item is still missing: the public key generated by the Remote Access Portal (RAP)'s installation script. When the user executes the Remote Access Portal (RAP)'s installation script on the cloud (please check 6.a in section 4.2), it generates a public key to be used on the Kron PAM server, so this option configures the secure tunnel configuration file with the public key generated on the Remote Access Portal (RAP)'s side. Select the second option by entering 2 and pressing the Enter key, then set the public key of the secure tunnel configuration file to the public key generated by the Remote Access Portal's script (e.g., ftwteku3ge6yrhj8sswm279kdrkm/5l8isjajwyyeg0=).
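The following is an added example, not Kron's own tooling: a small Python preflight check for two of the inputs above, the cors.allowed.origins entry edited in step 2 and the WireGuard values entered in step 8.a. The web.xml fragment is constructed, the sample values are the page's own example values, and the rule that a WireGuard public key decodes to exactly 32 bytes of base64 comes from WireGuard's key format, not from this page.

```python
import base64
import ipaddress
import xml.etree.ElementTree as ET

# Constructed web.xml fragment standing in for /pam/gui/conf/web.xml (not the real file).
SAMPLE_WEB_XML = """<web-app><filter><filter-name>CorsFilter</filter-name>
<init-param><param-name>cors.allowed.origins</param-name>
<param-value>https://remote.cloudpam.com</param-value></init-param></filter></web-app>"""


def cors_origins(web_xml: str) -> list:
    """Return the comma-separated cors.allowed.origins value as a list of origins."""
    for param in ET.fromstring(web_xml).iter("init-param"):
        if param.findtext("param-name", "").strip() == "cors.allowed.origins":
            value = param.findtext("param-value", "")
            return [o.strip() for o in value.split(",") if o.strip()]
    return []


def check_cors(web_xml: str) -> list:
    """Flag an absent, wildcard or plain-HTTP origin list; a wildcard lets any site call the GUI."""
    origins = cors_origins(web_xml)
    findings = [] if origins else ["cors.allowed.origins is not set"]
    for origin in origins:
        if origin == "*":
            findings.append("wildcard origin: every site is allowed (not for production)")
        elif not origin.startswith("https://"):
            findings.append(f"non-HTTPS origin: {origin}")
    return findings


def check_wireguard(pam_ip: str, rap_ip: str, port: int, segment: str, rap_pubkey: str) -> list:
    """Sanity-check the values configure.sh asks for before typing them in."""
    findings = []
    net = ipaddress.ip_network(segment, strict=True)  # raises if host bits are set in the segment
    for label, ip in (("Kron PAM", pam_ip), ("RAP", rap_ip)):
        addr = ipaddress.ip_address(ip)
        if addr not in net or addr in (net.network_address, net.broadcast_address):
            findings.append(f"{label} WireGuard IP {ip} is not a host address in {segment}")
    if pam_ip == rap_ip:
        findings.append("both tunnel endpoints use the same WireGuard IP")
    if not 1 <= port <= 65535:
        findings.append(f"invalid UDP port {port}")
    try:  # a WireGuard public key is 32 bytes, base64-encoded (44 characters with padding)
        raw = base64.b64decode(rap_pubkey, validate=True)
    except ValueError:
        raw = b""
    if len(raw) != 32:
        findings.append("RAP public key is not a base64-encoded 32-byte WireGuard key")
    return findings
```

Run `check_wireguard("10.0.0.2", "10.0.0.1", 51820, "10.0.0.0/29", "<key from the RAP script>")` after the RAP script has produced the real key, so that a temporary placeholder key left over from step 8.a is caught rather than silently accepted.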