Kron PAM Server Configuration
1. Update the CORS configuration in web.xml.

   Linux CLI

   ```
   [root@pam ]# sudo vi /pam/gui/conf/web.xml
   ```

2. Locate and update the following lines.

   Linux CLI

   ```
   /cors
   …
   <param-name>cors.allowed.origins</param-name>
   <param-value>{RAP URL} e.g., https://remote.cloudpam.com</param-value>
   …
   ```

   Using the wildcard (`*`) allows all access, but is not recommended for production environments.

3. Set the necessary and optional parameters to configure the Kron PAM Secure Remote Access. The following parameters are defined on the System Config Man screen of the Kron PAM web GUI.

   The necessary parameter:

   | Parameter name | Default parameter value | Description |
   | --- | --- | --- |
   | rap cloud server | http://localhost:7777/connect | This parameter defines the Remote Access Portal (RAP) address. The parameter can be defined as a URL with an IP (e.g., https://34.234.69.53/connect) or as a URL with a domain name (e.g., https://cloudpam.com/connect). |

   Optional parameters:

   | Parameter name | Default parameter value | Description |
   | --- | --- | --- |
   | rap rdp session duration limit warning before min | 1 | This parameter defines how many minutes before the RDP session expires the timeout warning will be sent. |
   | rap ssh session duration limit warning before min | 1 | This parameter defines how many minutes before the SSH session expires the timeout warning will be sent. |
   | rap token expiration period | 1 | This parameter indicates the lifespan of a token and is used to prevent the creation of long-term invitation links. |

   Optional parameters for the SMS feature in Kron PAM Secure Remote Access:

   | Parameter name | Example parameter value | Description |
   | --- | --- | --- |
   | rap sms http url | https://api.xxxxxxx.com/v1/send sms | This parameter defines the URL of the SMS service that is used to send SMS via HTTP for Kron PAM Secure Remote Access tokens. |
   | rap sms http body | `<request><authentication><username>11111111</username><password>2222222</password></authentication><order><sender>kron</sender><senddatetime></senddatetime><message><text> <![CDATA[dear %usereid%, please use the passcode below during login phase of your kron pam secure remote access connection passcode %passcode% kron pam secure remote access connection (access on web browser) %connurl%]]> </text><receipents><number>%phonenumber%</number></receipents></message></order></request>` | This parameter defines the SMS message content using the HTTP protocol for Kron PAM Secure Remote Access tokens. |
   | rap sms smpp body (alternative to the previous parameter) | {example smpp body} | This parameter defines the SMS message content when using the SMPP protocol for Kron PAM Secure Remote Access tokens. |
   | rap sms http headers | Content-Type: text/xml | This parameter defines the headers that are included in the SMS for Kron PAM Secure Remote Access tokens. |
   | rap sms http encoding | UTF-8 | This parameter defines the character encoding used in the SMS for Kron PAM Secure Remote Access tokens. |
   | rap sms http method | POST or GET | This parameter defines the HTTP method used in the SMS for Kron PAM Secure Remote Access tokens. |
   | rap sms http delimiter | & | This parameter defines the delimiter character used in the SMS for Kron PAM Secure Remote Access tokens. |
   | rap sms channel | HTTP or SMPP | This parameter defines the SMS channel type for Kron PAM Secure Remote Access tokens. |

Prerequisite: Check whether Secure Boot is enabled before the installation by running the `mokutil --sb-state` command. If Secure Boot is enabled, it might cause an error during the WireGuard installation. Please disable it to continue the installation!
4. Download the Kron PAM server's installation script on the Kron PAM server. The support team can provide the installation script. After downloading the script, unzip it on the Kron PAM server. The user can use the `unzip` command to extract the files from the installation script file.

   Linux CLI

   ```
   [root@kron ]# unzip rap mtc onpam 1 2 0 zip
   ```

   If a `bash: unzip: command not found` error is shown, the unzip package should be installed via the `sudo dnf install -y unzip` command.

   If the user needs to start the script again (for example, because of wrong input or a missing file), remove all installation files except the compressed Kron PAM server installation script file, and unzip the compressed installation script file again. After this, you can execute the script. We highly recommend this method, since the extracted files might be modified after the script is executed for the first time, and executing the script with modified files might cause a problematic installation!
5. Navigate to the pam directory.

   Linux CLI

   ```
   [root@kron ]# cd pam/
   ```

6. Run the configuration script.

   Linux CLI

   ```
   [root@pam ]# sh configure.sh
   ```

   If you need to set script permissions to execute it, run the `chmod +x configure.sh` command. You need root privileges to run this script.

7. The Kron PAM server's installation script asks the user to choose one of two options:

   a. For the first-time installation on the Kron PAM server, the WireGuard configuration on the Kron PAM server should be configured from scratch; thus, the first option should be selected by entering 1 and pressing the Enter key. The Kron PAM server's installation script asks for several configuration details:

      - the WireGuard IP address that will be assigned to the Kron PAM server's side,
      - the AWS public IP address of the Remote Access Portal (RAP) environment,
      - the port number of WireGuard,
      - the IP segment of WireGuard,
      - a public key generated by the Remote Access Portal (RAP)'s script.

      | Description | Example values |
      | --- | --- |
      | WireGuard IP address that will be assigned to the Kron PAM server's side | 10.0.0.2 |
      | AWS public IP address of the Remote Access Portal (RAP) environment | 204.236.208.204 |
      | The port number of WireGuard | 51820 |
      | The IP segment of WireGuard | 10.0.0.0/29 |
      | A public key generated by the Remote Access Portal (RAP)'s script | hhhhhhhegwbkribgwzpq8neiake7egv8iwt811t69eg= |

      After all the information is filled in, the user should press y to continue. However, if any of the information is missing or wrong, the user can press n to re-enter it.

      When the Kron PAM server's installation script asks for the public key, a user who does not yet know the public key generated by the Remote Access Portal (RAP)'s installation script can set a temporary public key for now (e.g., aaaaaaa0nn0751jbnxoj5r8m3utw8nmaktgi5bly4=). Please do not forget to set the real public key by using the Kron PAM server's installation script (see 7.b below) after the Remote Access Portal (RAP)'s installation script generates a public key.

      At the end of the Kron PAM server's installation script, the public key generated by this script is ready to use on the Remote Access Portal (RAP) environment (e.g., ccccccc8tpc6nmnezizutnxnuvepgdpvyf6rfhybdmu=). Please do not forget to add this info on the Remote Access Portal (RAP) environment by using the Remote Access Portal (RAP)'s installation script (see 6.b in Section 4.2).

   b. Once the Kron PAM server's WireGuard configuration has been fully installed, only one configuration item is missing: the public key generated by the Remote Access Portal (RAP)'s installation script. When the user executes the Remote Access Portal (RAP)'s installation script on the cloud (see 6.a in Section 4.2), it generates a public key to be used on the Kron PAM server. This option configures the secure tunnel configuration file with the public key generated on the Remote Access Portal (RAP)'s side. The user should select the second option by entering 2 and pressing the Enter key, and then set the public key data of the secure tunnel configuration file with the public key generated by the Remote Access Portal's script (e.g., h7thxcly28p4pen/ya2fj0ngugiwsv40nmbryiz3iri=).
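
The checks below are an added example, not part of Kron's installation script: they validate the five answers from step 7.a before they are typed into configure.sh (the key decodes to 32 bytes, the WireGuard IP is a usable host in the segment, the port is in range). The function names are hypothetical, and the sample values are the example values from the table in step 7.a.

```sh
#!/bin/sh
# Added example (not Kron's script). Function names are hypothetical.

# A WireGuard public key is 32 bytes: 43 base64 characters plus one "=".
valid_wg_key() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{43}=$' || return 1
    [ "$(printf '%s' "$1" | base64 -d 2>/dev/null | wc -c | tr -d ' ')" -eq 32 ]
}

# Print a dotted-quad IPv4 address as an integer; fail on malformed input.
ip_to_int() {
    printf '%s' "$1" | grep -Eq '^((0|[1-9][0-9]{0,2})\.){3}(0|[1-9][0-9]{0,2})$' || return 1
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeed when address $1 is a usable host inside CIDR segment $2.
in_segment() {
    addr=$(ip_to_int "$1") || return 1
    net=$(ip_to_int "${2%/*}") || return 1
    bits=${2#*/}
    case $bits in ''|*[!0-9]*) return 1 ;; esac
    [ "$bits" -ge 1 ] && [ "$bits" -le 30 ] || return 1
    mask=$(( (4294967295 << (32 - $bits)) & 4294967295 ))
    base=$(( net & mask ))
    [ $(( addr & mask )) -eq "$base" ] || return 1
    # The network and broadcast addresses cannot be assigned to a peer.
    [ "$addr" -ne "$base" ] && [ "$addr" -ne $(( base | (~mask & 4294967295) )) ]
}

# Args: WG IP, RAP public IP, port, segment, peer public key.
# Prints the names of the fields that failed; succeeds when none did.
check_wg_inputs() {
    errs=""
    in_segment "$1" "$4"      || errs="$errs wg_ip"
    ip_to_int "$2" >/dev/null || errs="$errs rap_ip"
    case $3 in
        ''|*[!0-9]*) errs="$errs port" ;;
        *) { [ "$3" -ge 1 ] && [ "$3" -le 65535 ]; } || errs="$errs port" ;;
    esac
    valid_wg_key "$5"         || errs="$errs peer_key"
    echo "${errs# }"
    [ -z "$errs" ]
}

# Example values from the table in step 7.a.
check_wg_inputs 10.0.0.2 204.236.208.204 51820 10.0.0.0/29 \
    'hhhhhhhegwbkribgwzpq8neiake7egv8iwt811t69eg=' && echo "inputs look consistent"
```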
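
For the CORS setting in step 2, this added example (not Kron tooling) reads `cors.allowed.origins` from a web.xml file and reports a wildcard or a missing RAP origin. The function names and the web.xml fragment are constructed for illustration; the origin is the example value shown in step 2.

```sh
#!/bin/sh
# Added example (not Kron tooling). Function names are hypothetical.

# Print the value of cors.allowed.origins from a web.xml file, spaces removed.
cors_origins() {
    tr '\n\t' '  ' < "$1" |
    sed -n 's#.*<param-name> *cors\.allowed\.origins *</param-name> *<param-value>\([^<]*\)</param-value>.*#\1#p' |
    tr -d ' '
}

# Args: web.xml path, expected RAP origin.
# Prints a verdict and succeeds only when the verdict is "ok".
audit_cors() {
    origins=$(cors_origins "$1")
    [ -n "$origins" ] || { echo "not-configured"; return 1; }
    verdict=rap-origin-missing
    set -f; old_ifs=$IFS; IFS=,      # split on commas without globbing "*"
    for o in $origins; do
        case $o in
            '*')  verdict=wildcard; break ;;   # any origin may call the GUI
            "$2") verdict=ok ;;
        esac
    done
    IFS=$old_ifs; set +f
    echo "$verdict"
    [ "$verdict" = ok ]
}

# Constructed web.xml fragment carrying the given origin value.
sample_web_xml() {
    cat <<EOF
<init-param>
  <param-name>cors.allowed.origins</param-name>
  <param-value>
    $1
  </param-value>
</init-param>
EOF
}

tmp=$(mktemp)
sample_web_xml '*' > "$tmp"
audit_cors "$tmp" https://remote.cloudpam.com || echo "restrict the origin before go-live"
sample_web_xml 'https://remote.cloudpam.com' > "$tmp"
audit_cors "$tmp" https://remote.cloudpam.com
rm -f "$tmp"
```

On the server, the file to pass as the first argument is the /pam/gui/conf/web.xml edited in step 1.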