
Tenant Connector

The Tenant Connector provides secure remote data center connections to different tenants who want to use Kron PAM’s features, such as preventing password theft and eliminating unsupervised access, and need a secure connection between their remote data centers and the central Kron PAM server. This section describes how the tenant connector is added and matched with devices.

Kron PAM supports the installation of at most 2 tenant connectors per tenant.

Adding an OpenVPN Connector

Tenants who already have an OpenVPN server in the remote data center or want to use OpenVPN in their remote data center connections can use this feature.

To create an OpenVPN Connector:

  1. Navigate to Tenant Connector.
  2. Open the Connector Sites tab.
  3. Click the Add button, enter the remote site name and description, and click Save.
  4. Open the Connector Nodes tab.
  5. Click the Add button and select the OpenVPN option.
  6. Select the connector site, enter the OpenVPN credentials, copy the OpenVPN configuration, and click Save.
OpenVPN Connector Configuration Screen


Adding a Built-in VPN Connector

Tenants who do not have an OpenVPN license and want to use Kron PAM’s secure connection can use its Built-in VPN option. Connector installation packages are uploaded to the filerepo.krontech.com SFTP server. The Kron support team provides credentials and the OVA installer filename. Refer to the Tenant Connector Reference Guide.

To create a Built-In VPN Connection:

  1. Navigate to Tenant Connector.
  2. Open the Connector Sites tab.
  3. Click the Add button, enter the remote site name and description, and click Save.
  4. Open the Connector Nodes tab.
  5. Click the Add button and select the Built-In VPN option.
  6. Select the remote site name, enter the node name, tunnel port, connection port, connector node external IP, and the SSH RSA Key created during the connector node installation, and click Save.
Built-In VPN Configuration Screen


Connector Monitoring

Connectors send heartbeat messages to Kron PAM servers at regular intervals. This information can be used to monitor whether the connectors are working properly.

To check the heartbeat messages:

  1. Navigate to Tenant Connector.
  2. Open the Connector Nodes tab.
  3. Click the List view button, select the connector node, and click the Heartbeat button.
Connector Heartbeat Chart


Adding a Device to a Connector Site

In order to access the devices located at remote data centers through the connector, these devices must be associated with the connector sites.

To associate a device with a connector site:

  1. Navigate to Device Management > Device Inventory.
  2. Click the New Device Discovery button.
  3. Fill out the relevant device information, select the connector site, and save by clicking Discover and Add.
Adding Device to a Connector Site


Adding SAPM accounts

If you have a connector in your environment, every account request (check password, reset password, etc.) is run over the connector server. The connector supports WinRM, SSH, SSH-Keys, LDAPS, and databases (e.g., MySQL, Oracle, Teradata).

Some accounts (for example, AD/LDAPS and MySQL) need to be edited in SAPM Configuration.

LDAPS 

AD hostname with FQDN, ${devicePort} 

ldaps://windows-server0.krontech.test:${devicePort}

You must add the connector IP to the hosts file of SC, for example: 192.168.0.1 windows-server0.krontech.test

ldap.port 636

MySQL 

${deviceIP}, ${devicePort} 

jdbc:mysql://${deviceIp}:${devicePort}/testdb 
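
The LDAPS entry above only works if the hosts file on SC resolves the AD FQDN in the URL to the connector IP. The following pre-flight check is an added example, not part of Kron PAM or its documentation; the function names, the sample hosts text (constructed from the page's example values) and the case-sensitive placeholder substitution are assumptions of the example.

```python
import re
from urllib.parse import urlsplit

# Constructed hosts-file text using the page's example mapping.
SAMPLE_HOSTS = """\
127.0.0.1    localhost
# connector node for the remote site
192.168.0.1  windows-server0.krontech.test
"""

def expand(template, values):
    """Fill ${name} placeholders; an unknown name raises KeyError.
    Names are matched case-sensitively (assumption of this example)."""
    return re.sub(r"\$\{(\w+)\}", lambda m: str(values[m.group(1)]), template)

def parse_hosts(text):
    """Map each hostname in hosts-file text to its first listed IP."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments
        for name in fields[1:]:
            table.setdefault(name.lower(), fields[0])
    return table

def check_ldaps_url(template, values, hosts_text, connector_ip):
    """Return a list of problems; an empty list means the URL is consistent."""
    url = urlsplit(expand(template, values))
    host = url.hostname or ""
    problems = []
    if url.scheme != "ldaps":
        problems.append(f"scheme is {url.scheme!r}, expected 'ldaps'")
    if "." not in host or re.fullmatch(r"[0-9.]+", host):
        problems.append(f"host {host!r} is not an FQDN")
        return problems
    mapped = parse_hosts(hosts_text).get(host)
    if mapped is None:
        problems.append(f"{host} has no hosts-file entry")
    elif mapped != connector_ip:
        problems.append(f"{host} maps to {mapped}, not connector {connector_ip}")
    return problems

if __name__ == "__main__":
    tmpl = "ldaps://windows-server0.krontech.test:${devicePort}"
    print(check_ldaps_url(tmpl, {"devicePort": 636}, SAMPLE_HOSTS, "192.168.0.1"))
```
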

LDAP/AD Integration via Connector Site

Enter the related configuration parameters, select the Connector Site name in the LDAP Advanced filter, then click the Save button.

Refer to LDAP/AD Integration.

SIEM Integration via Connector Site

In the System Config Man., add the parameter syslog.connector.sitename and set its value to your connector site name.

Refer to SIEM Configuration.