Securing Traffic Between a Load Balancer and PAM

Although some consider securing the internal traffic inside a PAM server farm to be unnecessary, others view unencrypted internal traffic as a potential security vulnerability.

Whichever position you take, PAM provides a straightforward process for securing the traffic between a load balancer and your PAM web container(s).

[Diagram: LoadBalancer-XTAM-SSL]

Before you begin, please consider the following:

  • This applies to deployments where one or more PAM nodes sit behind a load balancer (as shown in the diagram above); it can also be used to secure external traffic to a PAM server that has no load balancer in front of it.
  • This requires that you have an SSL certificate from a trusted CA. A single certificate is sufficient if it is a wildcard certificate; if the URL is explicitly defined, multiple certificates may be necessary.
  • If your security certificates are packaged in a format other than PFX, please contact our Support Team (https://support.imprivata.com/) for additional assistance.
  • If your PAM instance was deployed prior to April 2, 2018, please contact our Support Team (https://support.imprivata.com/) for additional assistance.
  • If you are unsure whether this is necessary for your deployment, please consult your security or IT department.

Pre-requisites

  1. A deployed PAM instance that is accessible from the load balancer and is not configured to use localhost. Your PAM instance should be using a URL like https://pam.company.com:8080/xtam.
  2. Your load balancer (Microsoft IIS or Apache HTTPD Server) is configured to pass external traffic to the PAM server using rewrite rules that target HTTP port 8080.
  3. A trusted SSL certificate file in PFX format, and its associated password, for the domain name used in item 1 above. In our example, that certificate would be for pam.company.com or *.company.com.

Note: If you are using Apache, the .pfx file will need to be created by converting the individual certificate and private key files.

Configuring your PAM Web Container(s) to accept HTTPS Traffic

  1. Log in to the server that is hosting your PAM server.
  2. Open a command window and navigate to $PAM_HOME, the installation folder for PAM.
  3. Encrypt your SSL certificate password using the command below. This generates the encrypted certificate password that will be used in a later step.
    1. For Windows, substitute your SSL certificate password for {PASSWORD} and issue this command:

      bin\PamDirectory Encrypt {PASSWORD}
    2. For Unix, substitute your SSL certificate password for {PASSWORD} and issue this command:

      bin/PamDirectory.sh Encrypt {PASSWORD}
  4. Open the file $PAM_HOME/web/conf/server.xml. Locate this line in the file:

    <!-- Define an AJP 1.3 Connector on port 8009 -->

    Immediately before that line, paste the following text:

    <Connector
               keystoreFile="PATH_TO_CERTIFICATE.pfx" keystorePass="ENCRYPTED_OR_CLEAR_PASSWORD"
               protocol="com.pam.config.Http11NioEncryptedProtocol"
               port="8443" maxThreads="200"
               scheme="https" secure="true" SSLEnabled="true" proxyPort="443"
               clientAuth="false" sslProtocol="TLS" keystoreType="PKCS12"/>
  5. In the pasted text, replace:

    keystoreFile="PATH_TO_CERTIFICATE.pfx" with the location of your SSL certificate file;

    keystorePass="ENCRYPTED_OR_CLEAR_PASSWORD" with the encrypted password generated in step 3 (copy everything in the command's output except "Ok:").
  6. Save and close the server.xml file.
  7. Restart the PamManagement (Windows) or pammanager (Linux) service.
  8. When the service is running again (this takes about 60 seconds), confirm from the load balancer server that PAM serves SSL traffic, using a URL similar to https://pam.company.com:8443/xtam/
  9. Rewrite the load balancer rules referenced in Pre-requisite #2 so that they reach the downstream PAM server over HTTPS. When finished, restart IIS or Apache.
  10. Test PAM accessibility from all available locations, internally and optionally externally, to ensure that communication and functionality work as they did previously.
  11. (Optional) You may now disable the connector on port 8080 that is also configured in server.xml. The disabled connector will look like this:

    <!--
            <Connector port="8080" protocol="HTTP/1.1"
                   connectionTimeout="20000" secure="true"
                   redirectPort="8443" />
    -->
  12. Restart the PamManagement (Windows) or pammanager (Linux) service.
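As a check for the server.xml edits made while configuring the HTTPS connector and disabling the port 8080 connector, the following Python script is an added example and is not Imprivata's or PAM's own code. It parses a server.xml, confirms that the SSL-enabled Connector carries the attributes shown in the pasted snippet and no longer holds the placeholder values for keystoreFile and keystorePass, and flags a cleartext Connector on port 8080 that is still active. The sample server.xml embedded in it is constructed for the example (the certificate path and encrypted value in it are made-up placeholders, not real PAM output), and the probe_tls helper, which performs the SSL availability check with certificate and hostname verification using only the standard library ssl module, is an assumption about how you would test the connector rather than a PAM tool. The script name check_pam_connector.py is hypothetical.

```python
"""Check the HTTPS Connector added to $PAM_HOME/web/conf/server.xml.

Added example, not part of the PAM product. It assumes the connector attributes
shown in the configuration procedure; the sample XML below is constructed.
"""
import socket
import ssl
import sys
import xml.etree.ElementTree as ET

# Placeholder values from the pasted snippet that must be replaced.
PLACEHOLDERS = {"PATH_TO_CERTIFICATE.pfx", "ENCRYPTED_OR_CLEAR_PASSWORD"}

# Attributes the HTTPS connector is expected to carry after the paste.
EXPECTED = {"scheme": "https", "secure": "true", "keystoreType": "PKCS12",
            "port": "8443", "proxyPort": "443", "sslProtocol": "TLS"}

# Constructed sample: server.xml after the connector was added, its placeholders
# replaced, and the port 8080 connector commented out. The certificate path and
# the keystorePass value are made up for this example.
SAMPLE_OK = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!--
        <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000" secure="true"
               redirectPort="8443" />
    -->
    <Connector
           keystoreFile="C:/certs/pam.company.com.pfx" keystorePass="EXAMPLE_ENCRYPTED_VALUE"
           protocol="com.pam.config.Http11NioEncryptedProtocol"
           port="8443" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true" proxyPort="443"
           clientAuth="false" sslProtocol="TLS" keystoreType="PKCS12"/>
    <!-- Define an AJP 1.3 Connector on port 8009 -->
  </Service>
</Server>
"""

# Constructed sample: the snippet was pasted but never edited, and the
# cleartext connector on port 8080 is still active.
SAMPLE_UNEDITED = (
    SAMPLE_OK
    .replace("C:/certs/pam.company.com.pfx", "PATH_TO_CERTIFICATE.pfx")
    .replace("EXAMPLE_ENCRYPTED_VALUE", "ENCRYPTED_OR_CLEAR_PASSWORD")
    .replace('<!--\n        <Connector port="8080"', '<Connector port="8080"')
    .replace('redirectPort="8443" />\n    -->', 'redirectPort="8443" />')
)


def check_server_xml(xml_text):
    """Return a list of problems; an empty list means the edits look complete."""
    problems = []
    # ElementTree drops XML comments, so a connector that has been commented
    # out is not seen here, which is exactly the behaviour we want.
    root = ET.fromstring(xml_text)
    connectors = root.findall(".//Connector")
    tls = [c for c in connectors if c.get("SSLEnabled", "").lower() == "true"]
    if not tls:
        return ['no Connector with SSLEnabled="true" found']
    conn = tls[0]
    for attr, want in EXPECTED.items():
        if conn.get(attr) != want:
            problems.append(f'{attr}="{conn.get(attr)}" (expected "{want}")')
    for attr in ("keystoreFile", "keystorePass"):
        value = conn.get(attr, "")
        if not value or value in PLACEHOLDERS:
            problems.append(f"{attr} still has the placeholder value")
    if any(c.get("port") == "8080" for c in connectors):
        problems.append("cleartext Connector on port 8080 is still active")
    return problems


def probe_tls(host, port=8443, timeout=5):
    """Open a verified TLS connection the way the load balancer will and return
    (negotiated protocol, certificate subject). Raises ssl.SSLCertVerificationError
    if the certificate is untrusted by the local trust store or does not match host."""
    ctx = ssl.create_default_context()  # verifies the chain and the host name
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            subject = dict(rdn[0] for rdn in tls.getpeercert()["subject"])
            return tls.version(), subject


if __name__ == "__main__":
    # Usage: python check_pam_connector.py $PAM_HOME/web/conf/server.xml
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_OK
    issues = check_server_xml(text)
    print("server.xml looks good" if not issues else "\n".join(issues))
```

Run the script with no arguments to see it pass against the constructed sample, or point it at your own server.xml after editing. The probe only succeeds when the certificate in the PFX chains to a CA trusted by the machine running the check and its name matches the host you connect to, which is the same condition the load balancer will enforce once its rules are rewritten to use HTTPS.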