Remote Access Configuration in Kron PAM
The Remote Access Configuration page enables administrators to create, edit and delete RPAM (Remote Privileged Access Management) requests in Kron PAM. Before making requests, administrators need to set the following system configuration parameters.

## Setting the cloud server parameter

Add the cloud server system config parameter for the link attached to the email:

1. Navigate to Administration > System Config Management.
2. Set the following parameter as the Remote Access Portal (cloud server) address and save.

| Parameter name | Default parameter value | Description |
| --- | --- | --- |
| rap.cloud.server | http://localhost:7777/connect | Defines the Remote Access Portal address. The parameter can be defined as a URL with an IP (e.g., https://34.234.69.53/connect) or as a URL with a domain name (e.g., https://cloudpam.com/connect). |

There are also optional parameters that can be defined to tune the remote access configuration:

| Parameter name | Example parameter value | Description |
| --- | --- | --- |
| rap.rdp.session.duration.limit.warning.before.min | 1 | How many minutes before an RDP session expires that the timeout warning is sent. |
| rap.ssh.session.duration.limit.warning.before.min | 1 | How many minutes before an SSH session expires that the timeout warning is sent. |
| rap.http.session.duration.limit.warning.before.min | 1 | How many minutes before a container-based HTTP/HTTPS session expires that the timeout warning is sent. |
| rap.token.expiration.period | 1 | The lifespan of a token; used to prevent the creation of long-term invitation links. |
| rap.client.otp.enabled | false | Enables or disables multi-factor authentication (MFA) for the Remote Privileged Access Management login. The default value is false. |
| rap.passcode.characters.count | 12 | How many characters are used in the generated passcodes. The value must be numeric; the default value is 8. If the system admin sets this parameter to 4 or fewer, the passcode is created with 4 characters. |
| rap.passcode.only.numeric.text | true/false | The value must be a boolean; the default value is false. If set to true, the passcode contains only numeric characters; if set to false, the passcode contains alphanumeric characters. |

## SMS integration for RPAM passcodes

The passcodes of RPAM requests are sent via email and, optionally, via an SMS service. If the SMS service is employed, the SMS parameters related to Remote Privileged Access Management must be defined on the SMS Integrations subscreen of the Integration tab under the System Configuration Management screen. To configure SMS services for Remote Privileged Access Management, follow the steps explained in Remote Privileged Access Management Integration (docid: wfszz8ljkq452wtodnz3x).

Here are some example values of the SMS integration for Remote Privileged Access Management.

HTTP SMS parameters:

| Parameter | Example value |
| --- | --- |
| HTTP URL | https://api.sms.com/v1/send-sms |
| HTTP Method | POST or GET |
| HTTP Headers | Content-Type: text/xml |
| HTTP Body | see the XML body below |
| HTTP Encoding | UTF-8 |
| HTTP Delimiter | & |

Example HTTP body (the %usereid%, %passcode%, %connurl% and %phonenumber% placeholders are filled in by Kron PAM when the message is sent):

```xml
<request>
  <authentication>
    <username>username</username>
    <password>password</password>
  </authentication>
  <order>
    <sender>kron</sender>
    <senddatetime></senddatetime>
    <message>
      <text><![CDATA[ Dear %usereid%, please use the passcode below during the login phase of your Remote Privileged Access Management connection. Passcode: %passcode% Remote Privileged Access Management connection (access on web browser): %connurl% ]]></text>
      <receipents>
        <number>%phonenumber%</number>
      </receipents>
    </message>
  </order>
</request>
```

SMPP integration parameters:

| Parameter | Example value |
| --- | --- |
| SMS Channel | SMPP |
| IP | localhost |
| Password | netright (encrypted) |
| System ID | netright |
| Source Address | 2222 |
| Receive Timeout | 30 |
| Port | 16000 |

## Allowing access from the cloud server to Kron PAM

1. Edit the Tomcat CORS configuration in the web.xml file with the cloud URL.
   a. Open web.xml: `vi /pam/gui/conf/web.xml`
   b. Fill in the cors.allowed.origins field. Example:

   ```xml
   <param-name>cors.allowed.origins</param-name>
   <param-value>https://remote.cloudpam.com</param-value>
   ```

   The wildcard value allows all origins, but this usage is not recommended for production environments.

## Creating RPAM requests

RPAM requests are created by clicking the + Add button. The vendor needs the Single Connect RDP Client ModuleVisibility, Single Connect CLI ModuleVisibility, Remote Access Config ModuleVisibility and AIOC Device Group ModuleVisibility portal rights to make RDP/VNC/SSH/container-based HTTP(S) sessions via Remote Privileged Access Management. The NetRight License ModuleVisibility portal right is needed to assign the PAMLimited&RPAM user type to users.

After creating the RPAM request for the user, the request can be edited or deleted by clicking the options button to the right of the request. Admins can verify the details of the request by clicking on it.

To create an RPAM request:

1. Navigate to Users > Remote Access Config.
2. Click the + Add button.
3. Fill in the username/user group and the device/device group, optionally select whether the SMS service is used for sending RPAM requests, and click Next. If the user does not have the required realm rights, a warning pops up: "The realm right is not sufficient for the selected user(s) or user group(s)".
4. Fill in the start and end time and select the days. Admins can also set specific working hours for vendors by enabling Set Time by Day.
5. Click the Save button.

Users receive an email with a portal URL and a passcode. When the working time starts, users can click on the URL, enter their passcode first, then enter their Kron PAM account password and start working. If the OTP parameter (rap.client.otp.enabled) is set to true, after entering the Kron PAM user's password the user must also enter the OTP value, which is available in the Kron PAM mobile client application or by email. The device list is shown on the Remote Access Portal, and the user can access the target device by clicking the action button. When the working time ends, the following timeout screen is shown to the user.
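The CORS step above pairs the rap.cloud.server address with the cors.allowed.origins entry in web.xml. The following added Python check (not part of Kron PAM; the sample web.xml is constructed here and follows Tomcat's CorsFilter init-param layout) verifies that the portal's origin is listed, and flags a wildcard or plaintext http origin that should not reach production:

```python
"""Check the Tomcat web.xml CORS origins against the Remote Access Portal URL."""
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET

# Constructed sample web.xml fragment (not taken from a Kron PAM install).
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <filter>
    <filter-name>CorsFilter</filter-name>
    <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
    <init-param>
      <param-name>cors.allowed.origins</param-name>
      <param-value>https://remote.cloudpam.com,http://legacy.example</param-value>
    </init-param>
  </filter>
</web-app>"""


def _local(tag):
    """Strip the XML namespace so tags match whatever xmlns web-app declares."""
    return tag.rsplit("}", 1)[-1]


def allowed_origins(web_xml):
    """Return the comma-separated cors.allowed.origins values, or [] if absent."""
    root = ET.fromstring(web_xml)
    for param in root.iter():
        if _local(param.tag) != "init-param":
            continue
        name = value = None
        for child in param:
            if _local(child.tag) == "param-name":
                name = (child.text or "").strip()
            elif _local(child.tag) == "param-value":
                value = (child.text or "").strip()
        if name == "cors.allowed.origins" and value is not None:
            return [o.strip() for o in value.split(",") if o.strip()]
    return []


def check_cors(web_xml, cloud_server_url):
    """Return a list of findings for the given web.xml and rap.cloud.server value."""
    findings = []
    origins = allowed_origins(web_xml)
    if "*" in origins:
        findings.append("wildcard origin: every site may call Kron PAM; not for production")
    for origin in origins:
        if origin.startswith("http://"):
            findings.append(f"plaintext origin {origin}: use https so the portal origin cannot be spoofed")
    u = urlsplit(cloud_server_url)
    portal_origin = f"{u.scheme}://{u.netloc}"  # origin = scheme://host[:port], path dropped
    if "*" not in origins and portal_origin not in origins:
        findings.append(f"portal origin {portal_origin} missing: browser calls from the portal will be blocked")
    return findings
```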