Installing Xton Access Manager

This section will work through the process of installing Xton Access Manager to a Unix computer.

System Requirements

The following are minimum requirements to use XTAM for Single Server and medium use Production farms. 

Please contact us to discuss architecture and system recommendations for large scale farm deployments.

NOTE:  Do not install XTAM using a root account. This is not recommended nor best practices for installing or configuring any software in a Unix environment. The recommendation is to create a new user and give it su or sudo(or add to the sudo group) privileges to perform the installation.

 

Single Server, Test or Quick Trial

Medium Use Production Farm

Windows O/S (64-bit only)

Windows Server 2012+ / Windows 10

Windows Server 2012+

Other O/S

(64-bit only)

Red Hat, Ubuntu, Debian, CentOS

Red Hat, Ubuntu, Debian, CentOS

Database

Included *

MS SQL, MySQL, Oracle, PostgreSQL

Memory (reserved for XTAM use)

4 GB+

8 GB+

Disk Space (reserved for XTAM use)

20 GB+

50 GB+

Table: System Requirements

*For Single Server, Test or Quick Trial deployments the recommendation is to use the included, internal database however you can use any of the other supported databases that are available to you.

Software Requirements

  • Web Browsers (latest version is recommended if not specified)

    • Internet Explorer 10+, Windows Edge, Google Chrome, Mozilla Firefox or Apple Safari

External Database

The default installation includes an internal database that can be deployed. If you would prefer to use an existing database in your environment, the following are supported. 

Please be prepared to supply a valid connection string to your database as well as an appropriate user and password to successfully establish this connection. Please contact your Database Administrator if you need assistance.

NOTE: The installation process does not create its own database or tablespace but rather makes use of an existing one. With that in mind, please ensure one with the name “PamDB” already exists as this will be used by the application.

  • Apache Derby version 10.12.1.1+

  • Microsoft SQL version 2008+

  • MySQL Community or Enterprise Edition version 5.7+

  • Oracle version 11.2+

  • PostgreSQL version 9.5+

Installation

The following section will describe each option that is available when executing the Unix installation shell script.

To begin, run the shell script from the location where you want to install the software.

Depending on the options selected, the following configuration parameters may be available.

TIP: Rather than using the Unix /tmp folder to perform the installation, create a new folder because background processes on the host may attempt to “clean” this directory during this process. Suggested locations would be either /opt/xtam or /urs/local/xtam.

 

Execute Installation Shell Script

License Agreement

Press <ENTER> to read the license agreement and enter <Q> when complete. 

When prompted, accept the license agreement by entering <Y> to continue. 

The license agreement must be accepted to install the software.

Read and Accept the License Agreement

Components

Choose from the available list of components to install on this computer. 

If you are looking to deploy a quick test environment, the recommendation is to accept the default options by pressing the <Enter> for each component.

If you would like to customize the installation, then please review the following sections to understand the purpose of each component and enter the <N> key to exclude a component.

Please note that while you can choose to not install some components on this computer, they may still be required for proper software operations. 

For example, you may wish to install the Session Manager service on another system for performance optimization.

In this situation, you would choose to not deploy this service on your primary host and then after this initial installation is complete, you would then run this same script on your other host and only choose the Session Manager option.

Later on in the configuration of the software, you will have the ability to define which workstation is running each service.

Choose Components

Internal Database

This option will define which database to use.

When included (<Y>) the installation will deploy, configure and use its internal database.

If excluded (<N>), you will be prompted to supply an existing database in your environment to use (connection string, user and password).

Please review the requirements section for more information about External Database support.

For single server or test environments, the recommendation is to include (<Y>) this option to use the included database.

Directory Service

This option will define which user store to use.

When included (<Y>) the installation will include a local user store that can be used to create users and groups and a database to secure the master password. 

When excluded (<N>) the installation will not deploy this component to the computer; however, this is a required component so it must be deployed to only one other computer and configured post installation in XTAM.

To install this component on another host, simply run the script on that system and include (<Y>) this option.

The recommendation is to include (<Y>) this option during installation.

 

Application GUI

This option will define the deployment of the XTAM interface (GUI). When included (<Y>) the installation will include the manager interface (GUI) to this host computer.

When excluded (<N>) the installation will not deploy the GUI requirements to this host computer.

To install this component on another host, simply run the script on that system and include (<Y>) this option.

The recommendation is to include (<Y>) this option during installation.

 

Job Engine

The Job Engine is required to execute background operations like discovery queries and password resets.

This option defines the deployment of a worker role to this host computer.

When included (<Y>) a Job Engine role will be deployed. 

When excluded (<N>) a Job Engine role will not be deployed to this computer.

To install this component on another host, simply run the script on that system and include (<Y>) this option.

Please note that at least one job engine should be present in the farm to execute password reset, remove script execution or discovery queries.

The recommendation is to include (<Y>) this option during installation.

Session Manager

The Session Manager component is required to establish, control and record privileged sessions.

This option defines the deployment of a session manager service to this host computer. 

When included (<Y>) a session manager service will be deployed, configured and run from this host.

When excluded (<N>) a session manager service will not be deployed.

To install this component on another host, simply run the script on that system and include (<Y>) this option.

Review the following section if you intend to install Session Manager on a remote computer(s):  Remote Session Manager Configuration

Please note that if a session manager service is not defined during installation, you will need to add one during system configuration before sessions can be established.

The recommendation is to include (<Y>) this option during installation.

 

Federated Sign-In

This option defines the deployment of a federated sign-in component that can be used to establish user authentication. 

When included (<Y>) you will need to supply your federated sign-in server connection parameters.

When excluded (<N>) a SSO server will not be configured and the default login authentication will be used.

To install this component on another host, simply run the script on that system and include (<Y>) this option.

This is an advanced option and should only be included if necessary. For single server or test environments, the recommendation is to not include (<N>) this option.

NOTE: The Federated Sign-In component requires the use of a properly trusted (not self-signed) SSL certificate which is used to communicate over a secure HTTPS connection. This ensures that both the client browsers and server side components trust the certificate. If you do not want to deploy and configure a trusted certificate, then do not include this component during installation.

System Administrator

Enter the required parameters to create your default System Administrator login to XTAM

The account specified here may be used as the first System Administrator, so be sure to choose a memorable login (default login is “xtamadmin”) with a strong password (maximum of 30 characters).

Both the user login and password will be displayed later when they can be saved to a file for safe keeping.

Press the <Enter> key after each field to continue.

Create XTAM System Admin Account

SSO Connect

To define a managed path to be used with federated sign in, select (<Y>) the SSO option and then enter that valid path in the Managed Path field. 

If XTAM is to be used with an SSL certificate, then this option should be enabled and the managed path needs to be defined with a secure path (for example, https://host.example.com). 

Press the <Enter> key to continue.

Enable and Define Federation Connection (optional)

External Database

If the Internal Database option was excluded (<N>) earlier, then you will now need to define your connection to your external database.

Choose your database type by entering the number to the left of its name and then press <Enter>

You will then be required to enter the database host, connection and a user and password to establish a successful connection. 

If further assistance is required, please contact your database administrator.

NOTE: The installation process does not create its own database or tablespace but rather makes use of an existing one. With that in mind, please ensure one with the name “PamDB” already exists as this will be used by the application.

Example strings are listed below.

  • Remote Embedded Database [1]

    • Example connection string:  db-host or db-host:port

  • Microsoft SQL Server [2]

    • Example connection string:  db-host or db-host:port

      • A database with the name “PamDB” must already exist and will be used for the application. Ensure the supplied account is the “owner” of this database.

  • Oracle [3]

    • Example service:  db-host/db-service

    • Example instance:  db-host:port:SID

      • Grant (at a minimum) “CONNECT, RESOURCE, UNLIMITED TABLESPACE” to the supplied user account.

  • MySQL [4]

    • Example connection string:  db-host or db-host:port

      • A schema with the name “pamdb” must already exist and will be used for the application. Ensure the supplied account has ALL schema privileges assigned.

  • PostgreSQL [5]

    • Example connection string:  db-host or db-host:port

      • A database with the name “PamDB” must already exist and will be used for the application. Ensure the supplied account is the “owner” of this database or has been provided with “ALL” privileges to it (CTc).

 

Connect to an External Database (optional)

Active Directory Integration

Optionally, you may choose to integrate XTAM with your existing Active Directory or LDAP server

Enter your LDAP Server FQDN, your Active Directory or LDAP User (user@domain.com or domain\user), its Password, Repeat the Password and then the <Enter> key. 

If the connection is successful, this user may become a System Administrator in XTAM and you may continue. 

If you cannot or do not want to integrate with Active Directory or LDAP, simply enter <N> at the prompt and <Enter> to continue with the setup.

Active Directory or LDAP Server Integration

Installation Complete

When the installation is complete and all services are started, the following summary will appear. 

The summary will display the services, accounts and passwords that were created during installation. 

It is extremely important that the example information highlighted in the yellow box below be saved to a file and kept in a safe location.

The Master Password displayed will be required in a “break glass” or database transfer scenario and no one will be able to identify nor update this password if it is ever lost.

Summary Screen with Passwords (save this information to a file for safe keeping)

If you do not see these passwords or receive any errors in this Summary screen the installation was not successful. 

Complete the installation and then uninstall to try again. 

Do not initialize Xton Access Manager without a successful deployment and a safe and secure copy of the logins and passwords shown in the example Summary screen.

Xton Access Manager is now installed and ready for initialization. You can now exit the installation session and login to XTAM at https://localhost:6443/xtam/.

NOTE: It is extremely important that all the passwords displayed in this section are saved to a file and this file is stored in a safe location. These passwords cannot be retrieved by Xton Technologies or anyone else once the installation is complete.

Linux deployment of HA and DR nodes

The option to Linux installation script to deploy the new system with the provided master password instead of generated one to simplify deployment of High Availability or recovery nodes.

This is simplifies deployment of additional or disaster recovery nodes based on the main node master key to decrypt system data.

Previously the option was available in a post-installation script replacing system master password with a new one.

To activate the feature use -mp MASTER-PASSWORD option in Linux installation script replacing MASTER-PASSWORD place-holder with the master password of the main node.