Imprivata Privileged Access Management Product Update 2.3.202010252237

October 25, 2020

PAM Update: Added Transparent Perimeter option to access isolated networks behind firewall and added account management for PostgreSQL

This update adds Transparent Perimeter deployment option providing access to closed isolated networks behind a firewall and also adds support for PostgreSQL database account management.

Transparent Perimeter deployment option providing access to closed isolated networks

The update added a Transparent Perimeter deployment option providing access to closed isolated networks behind a firewall based on the reverse tunnel architecture.

The option improves the security of the isolated network under management by allowing external parties to access assets inside the network with no requirements to open ports in the network firewall.

Transparent Perimeter deployment is a useful addition to an MSP looking to manage client networks with no interference with the network perimeter.

The option is also useful for organizations accessing on-premises or multi-cloud datacenters using cloud-deployed Master PAM clusters.

The Transparent Perimeter feature complements the existing Remote Node deployment scenario that requires a firewall rule to open the port in the isolated network to provide secure encrypted Master Node connectivity to the Remote Node.

The Transparent Perimeter feature might be used to provide low traffic connectivity to networks with high-security requirements or to quickly investigate test scenarios.

This deployment scenario requires hosts of PAM Master nodes to provide SSH Tunneling capability for the remote node.

In this configuration, PAM Remote Node is deployed to the closed isolated network builds and maintains reverse SSH tunnels back to the master nodes using a configured port on the master node.

It allows administrators to configure Session Manager Proximity Group in PAM Master node for the localhost port exposing remote session manager inside the isolated network.

The configuration for the reverse tunnels is performed using the following properties on the remote node in $PAM_HOME/web/conf/catalina.properties file:

  • xtam.reverse.tunnel[0].remoteHost=Master node host for SSH connection
  • xtam.reverse.tunnel[0].remotePort=Master node port for SSH connection
  • xtam.reverse.tunnel[0].remoteUser=Master node user for SSH connection
  • xtam.reverse.tunnel[0].remotePassword=Master node user password or Private Key password for SSH connection
  • xtam.reverse.tunnel[0].remoteKey=Path to master node Private Key for SSH connection as an alternative for remoteUser
  • xtam.reverse.tunnel[0].forwardHost=Session manager host in the isolated network in the local isolated network space
  • xtam.reverse.tunnel[0].forwardPortLocal=Session manager port in the isolated network
  • xtam.reverse.tunnel[0].forwardPortRemote=Session manager port on the master node to use in the proximity group
  • xtam.reverse.tunnel[0].forwardBindingAddress=Binding address on the master node to expose the port to other interfaces

Note that index in xtam.reverse.tunnel configuration allows specifying multiple tunnels maintained by the remote node. Reverse tunnel SSH connection could be established using user/password or user / private key (optionally with password).

Added support for PostgreSQL database account management

The update added support to manage accounts in the PostgreSQL database including Check Status and Password Reset tasks including direct and shadow account access as well as permission and workflow-based password unlock and custom script execution.

PostgreSQL is a popular open-source database server with a commercial-friendly license.

The update added initially hidden record type for PostgreSQL database including check status and password reset tasks based on the PostgreSQL Connection string given by host:port/database, host/database, host[:port]/database or full JDBC connection string jdbc:postgresql://host[:port]/database.