Securing Traffic Between a Load Balancer and PAM
Although some people consider securing the internal traffic inside PAM server farm an unnecessary overkill, others may consider it a potential security vulnerability.
Regardless of either position, the PAM solution does provide a rather straightforward process to secure the traffic between a load balancer and your PAM web container(s).
Before you begin, please consider the following:
- This applies to deployments where one or more PAM nodes are configured behind a load balancer (as shown in the graphic above) or it could be used to secure external traffic to the PAM server without the use of a load balancer.
- This requires that you have possession of a SSL certificate from a trusted CA. One is required if it is configured for wildcards, however multiple may be necessary if the URL is explicitly defined.
- If your security certificates are packaged in a format different than PFX, please contact our Support Team https://support.imprivata.com/ for additional assistance.
- If your PAM instance was deployed prior to April 2, 2018, please contact our Support Team https://support.imprivata.com/ for additional assistance.
- If you are unsure if this is necessary for your deployment, please consult with your security or IT department.
Pre-requisites
- A deployed PAM instance that is accessible from a load balancer, not configured to use localhost. Your PAM instance should be using a URL like https://pam.company.com:8080/xtam.
- Your Load Balancer (Microsoft IIS or Apache HTTPD Server) is configured to pass external traffic to PAM server using re-write rules to HTTP port 8080.
- Trusted SSL certificate file in PFX format and its associated password for your domain name like in item 1 above. In our example, that certificate would be for pam.company.com or *.company.com.
Note: If you are using Apache, then the .pfx file will need to be converted from individual certificate and private key files.
Configuring your PAM Web Container(s) to accept HTTPS Traffic
- Login to the server that is hosting your PAM server.
- Open a command window and navigate to $PAM_HOME. This is the installation folder for PAM.
- Next, we will need to encrypt your SSL certificate password by using the command below. This will generate your encrypted certificate password that will be used in a later step.
-
Open the file $PAM_HOME/web/conf/server.xml. Locate this line in the file:
Copy<!-- Define an AJP 1.3 Connector on port 8009 -->
Immediately before that line, paste the following text:
Copy<Connector
keystoreFile="PATH_TO_CERTIFICATE.pfx" keystorePass="ENCRYPTED_OR_CLEAR_PASSWORD"
protocol="com.pam.config.Http11NioEncryptedProtocol"
port="8443" maxThreads="200"
scheme="https" secure="true" SSLEnabled="true" proxyPort="443"
clientAuth="false" sslProtocol="TLS" keystoreType="PKCS12"/> -
In the above pasted text, replace
keystoreFile=”PATH_TO_CERTIFICATE.pfx” with your SSL certificate location;
keystorePass=”ENCRYPTED_OR_CLEAR_PASSWORD” with your encrypted password from step 3, that includes everything in the output except Ok:
-
Save and close this server.xml file.
-
Restart the PamManagement (Windows) or pammanager (Linux) service.
-
When the service is running again (takes ~ 60 seconds), check the PAM server availability to server SSL traffic from the load balancer server using a URL similar to this: https://pam.company.com:8443/xtam/
-
Re-write your load balancer rules referenced in Pre-requisite #2 to access the downstream PAM server using the HTTPS protocol. When finished, restart IIS or Apache.
-
Test PAM accessibility from all available locations, internally and optionally externally, to ensure communication and functionality is working as it was previously.
-
(Optional) You may now disable the connector on port 8080 also configured in the server.xml file. The disabled connector will look like this:
Copy<!--
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000" secure="true"
redirectPort="8443" />
--> -
Restart the PamManagement (Windows) or pammanager (Linux) service.