Installing Privileged Access Management
This section will work through the process of installing Privileged Access Management (PAM) to a Windows computer.
System Requirements
The following are minimum requirements to use PAM for Single Server and medium use Production farms.
Please contact us https://support.imprivata.com/ to discuss architecture and system recommendations for large scale farm deployments.
| Single Server, Test or Quick Trial | Medium Use Production Farm | |
| Windows O/S (64-bit only) | Windows Server 2012+ / Windows 10 | Windows Server 2012+ |
| Other O/S (64-bit only) | Red Hat, Ubuntu, Debian, CentOS | Red Hat, Ubuntu, Debian, CentOS |
| Database | Included* | MS SQL, MySQL, Oracle, PostgreSQL |
| Memory (reserved for PAM use) | 4GB+ | 8GB+ |
| Disk Space (reserved for PAM use) | 20GB+ | 50GB+ |
Table: System Requirements
*For Single Server, Test or Quick Trial deployments the recommendation is to use the included, internal database however you can use any of the other supported databases that are available to you.
Software Requirements
-
Web Browsers (latest version is recommended if not specified)
-
Windows Edge, Google Chrome, Mozilla Firefox or Apple Safari
-
External Database
The default installation includes an internal database that can be deployed. If you would prefer to use an existing database in your environment, the following are supported. Please be prepared to supply a valid connection string to your database as well as an appropriate user and password to successfully establish this connection. Please contact your Database Administrator if you need assistance.
NOTE: The installation process does not create its own database or tablespace but rather makes use of an existing one. Also, for Oracle DB you just need to create a user (you do not need to create a new data base). With that in mind, please ensure one with the name “PamDB” already exists as this will be used by the application.
- Apache Derby version 10.12.1.1+
- Microsoft SQL version 2016+ (SQL Authentication only)
- MySQL Community or Enterprise Edition version 5.7+
- Oracle version 11.2+
- PostgreSQL version 9.5+
Installation
The following section will describe each option that is available in the installation wizard.
Software binaries can be downloaded from https://help.xtontech.com/content/more-information/binary-distribution-and-signatures.htm.
To begin, run the setup file from your computer and follow through the wizard.
Depending on the options selected, the following configuration parameters may be available.
Setup Welcome Page
License Agreement
Read and accept the license agreement by clicking the I Agree button to proceed.
The license agreement must be accepted to install the software.
Read and Accept the License Agreement
Components
Choose from the available list of components to install on this computer. If you are looking to deploy a quick test environment, the recommendation is to leave the default options and simply click Next to continue.
If you would like to customize the installation, then please review the following sections to understand the purpose of each component.
When you are finishing customizing your component selection, click Next to continue.
Please note that while you can choose to not install some components on this system, they may still be required for proper software operations.
For example, you may wish to install the Session Manager service on another system for performance optimization.
In this situation, you would choose to not deploy this service on your primary host and then after this initial installation is complete, you would then run this same installer on your other host and only choose the Session Manager option.
Later on in the configuration of the software, you will have the ability to define which workstation is running each service.
Choose Components
Internal Database
This option will define which database to use.
When enabled (checked) the installation will deploy, configure and use its internal database.
If disabled (unchecked), you will be prompted to supply an existing database in your environment to use (connection string, user and password).
Please review the requirements section for more information about External Database support.
For single server or test environments, the recommendation is to enable (check) this option to use the included database.
Directory Service
This option will define which user store to use.
When enabled (checked) the installation will include a local user store that can be used to create users and groups and a database to secure the master password.
When disabled (unchecked) the installation will not deploy this component to the computer; however, this is a required component so it must be deployed to only one other computer and configured post installation in PAM.
To install this component on another host, simply run the installer on that system and enable (check) this option.
The recommendation is to include this option during installation.
Application GUI
This option will define the deployment of the PAM interface (GUI).
When enabled (checked) the installation will include the manager interface (GUI) to this host computer.
When disabled (unchecked) the installation will not deploy the GUI requirements to this host computer.
To install this component on another host, simply run the installer on that system and enable (check) this option.
The recommendation is to include this option during installation.
Job Engine
The Job Engine is required to execute background operations like discovery queries and password resets.
This option defines the deployment of a worker role to this host computer.
When enabled (checked) a Job Engine role will be deployed. When disabled (unchecked) a Job Engine role will not be deployed to this computer.
To install this component on another host, simply run the installer on that system and enable (check) this option.
Please note that at least one job engine should be present in the farm to execute password reset, remove script execution or discovery queries.
The recommendation is to include this option during installation.
Session Manager
The Session Manager component is required to establish, control and record privileged sessions.
This option defines the deployment of a session manager service to this host computer.
When enabled (checked) a session manager service will be deployed, configured and run from this host. When disabled (unchecked) a session manager service will not be deployed.
To install this component on another host, simply run the installer on that system and enable (check) this option.
Review the following section if you intend to install Session Manager on a remote computer(s): Remote Session Manager Configuration
Please note that if a session manager service is not defined during installation, you will need to add one during system configuration before sessions can be established.
The recommendation is to include this option during installation.
Federated Sign-In
This option defines the deployment of a federated sign-in component that can be used to establish user authentication.
When enabled (checked) you will need to supply your federated sign-in server connection parameters.
When disabled (unchecked) a SSO server will not be configured and the default login authentication will be used.
To install this component on another host, simply run the installer on that system and enable (check) this option.
This is an advanced option and should only be included if necessary. For single server or test environments, the recommendation is to not include this option.
NOTE: The Federated Sign-In component requires the use of a properly trusted (not self-signed) SSL certificate which is used to communicate over a secure HTTPS connection. This ensures that both the client browsers and server side components trust the certificate. If you do not want to deploy and configure a trusted certificate, then do not include this component during installation.
Installation Location
Enter or select the location where the PAM software will be downloaded and installed.
Click Next to continue.
Choose Installation Location
System Administrator
Enter the required parameters to create your default System Administrator login to PAM.
The account specified here may be used as the first System Administrator, so be sure to choose a memorable login (default login is “pamadmin”) with a strong password (maximum of 30 characters).
Both the user login and password will be displayed later when they can be saved to a file for safe keeping.
Click Next to continue.
Create PAM System Admin Account
SSO Connect
To define a managed path to be used with federated sign in, enable (check) the Enable SSO box and then enter that valid path in the Managed Path field.
If PAM is to be used with an SSL certificate, then this option should be enabled and the managed path needs to be defined with a secure path (for example, https://host.example.com).
Click Next to continue.
Enable and Define Federated Connection (optional)
External Database
If the Database option was left disabled (unchecked) earlier, then you will now need to define your connection to your external database.
Select your Database type and then enter the required parameters to establish a successful connection.
If further assistance is required, please contact your Database Administrator.
Click Next to continue.
NOTE: The installation process does not create its own database or tablespace but rather makes use of an existing one. With that in mind, please ensure oe with the name “PamDB” already exists as this will be used by the application.
Example strings are listed below.
Apache DerbyExample connection string: db-host or db-host:port
- Microsoft SQL Server
Example connection string: db-host or db-host:port
A database with the name “PamDB” must already exist and will be used for the application. Ensure the supplied account is the “owner” of this database and it is a SQL account for authentication. Active Directory accounts are not supported.
- MySQL
Example connection string: db-host or db-host:port
A schema with the name “pamdb” must already exist and will be used for the application. Ensure the supplied account has ALL schema privileges assigned.
- Oracle
Example service: db-host/db-service
Example instance: db-host:port:SID
Grant (at a minimum) “CONNECT, RESOURCE, UNLIMITED TABLESPACE” to the supplied user account.
- PostgreSQL
Example connection string: db-host or db-host:port
A database with the name “PamDB” must already exist and will be used for the application. Ensure the supplied account is the “owner” of this database or has been provided with “ALL” privileges to it (CTc).
Connect to an External Database (optional)
Active Directory Integration
Optionally, you may choose to integrate PAM with your existing Active Directory or LDAP server. Enter your LDAP Server FQDN, your Active Directory or LDAP User (user@domain.com or domain\user), its Password and then click Connect.
If the connection is successful, this user may become a System Administrator in PAM and you may continue.
If you cannot or do not want to integrate with Active Directory or LDAP, you may leave these parameters empty.
Click Next to continue.
Active Directory or LDAP Server Integration
Summary
The summary screen will display all the services, accounts and password that were created during installation.
It is extremely important that all this information be saved to a file and kept in a safe location.
The Master Password displayed will be required in a “break glass" or database transfer scenario and no one will be able to identify nor update this password if it is ever lost.
Summary Screen with Passwords (save this information to a file for safe keeping)
If you do not see these passwords or receive any errors in this Summary screen the installation was not successful.
Complete the installation and then uninstall to try again.
Do not initialize Privileged Access Management without a successful deployment and a safe and secure copy of the logins and passwords shown in the example Summary screen.
The Next button will be disabled until all the services have been started and are available on this computer.
This process may take a few minutes to complete.
When the services are ready, check the box to confirm that your passwords have been saved to a file in a safe location and then the Next button will become available.
Click Next to continue.
Summary Screen with Confirmation
NOTE: It is extremely important that all the passwords displayed in this section are saved to a file and this file is stored in a safe location. These passwords cannot be retrieved by software developers or anyone else once the installation is complete.
Completing the Installation
On the final page, confirmation that the installation has been completed will appear.
Enable (check) the box to launch the sign-in page or disable (uncheck) the option to not open the page.
Click Finish to close the installation wizard.
The software is now installed.
The default location for PAM is https://localhost:6443/xtam/.
Installation Complete
