This post records the procedure I followed to install the PSM HTML5 Gateway in my lab environment. I ran into some problems during installation.

This post is still being written. I hope to finish it in the next few weeks.

Install PSM HTML5 GW from Package

You will need to get the installation package from the PSM installation files. It is under C:\PSMInstallation\HTML5 Gateway\RHELinux7-Intel64 after you unzip your PSM zip file to the folder PSMInstallation.

Hardware specifications:

Small + Mid-range implementations (1-50 concurrent RDP/SSH sessions)
  • 2 core processors (Intel compatible)
  • 4 GB RAM
Mid-range + Large implementations (51-100 concurrent RDP/SSH sessions)
  • 4 core processors (Intel compatible)
  • 8 GB RAM
Very large implementations (101-200 concurrent RDP/SSH sessions)
  • 8 core processors (Intel compatible)
  • 16 GB RAM

Here are the installation steps I went through after copying over the whole package folder RHELinux7-Intel64:

[root@html5 ~]# keytool -delete -alias html5.51sectest.dev  -keystore  /opt/tomcat/keystore

[root@html5 ~]# keytool -genkey -alias html5 -keyalg RSA -keystore  /opt/tomcat/keystore
Enter keystore password:
What is your first and last name?
  [Unknown]:  *.51sectest.dev
What is the name of your organizational unit?
  [Unknown]:  IT
What is the name of your organization?
  [Unknown]:  51sectest
What is the name of your City or Locality?
  [Unknown]:  Toronto
What is the name of your State or Province?
  [Unknown]:  ON
What is the two-letter country code for this unit?
  [Unknown]:  CA
Is CN=*.51sectest.dev, OU=IT, O=51sectest, L=Toronto, ST=ON, C=CA correct?
  [no]:  yes
Enter key password for <html5>
        (RETURN if same as keystore password):
[root@html5 ~]#


[root@html5 ~]# keytool -list  -keystore  /opt/tomcat/keystore
Enter keystore password:
Keystore type: PKCS12
Keystore provider: SUN
Your keystore contains 2 entries
html5, Jul 5, 2020, PrivateKeyEntry,
Certificate fingerprint (SHA1): A5:00:6C:BE:AD:01:E3:92:FB:20:29:91:59:F4:3A:A4:CE:69:4D:30
root, Jul 5, 2020, trustedCertEntry,
Certificate fingerprint (SHA1): 9C:33:F6:48:C5:C7:D2:52:FF:02:62:D4:0F:0C:E6:79:85:99:7B:64
[root@html5 ~]#

[root@html5 ~]# keytool -certreq -keyalg RSA -alias html5 -file certreq.csr -keystore /opt/tomcat/keystore
Enter keystore password:
[root@html5 ~]#

[root@html5 ~]# ll
total 9432
-rw-------. 1 root root     951 Apr  7 21:34 anaconda-ks.cfg
-rw-r--r--. 1 root root 9648795 Jul  4 19:34 apache-tomcat-7.0.104.tar.gz
-rw-r--r--. 1 root root    1093 Jul  5 08:47 certreq.csr
drwxr-xr-x. 2 root root      82 Jul  4 20:15 RHELinux7-Intel64
[root@html5 ~]#


[root@html5 ~]# keytool -import -alias html5 -keystore /opt/tomcat/keystore -file certnew.p7b
Enter keystore password:
Certificate reply was installed in keystore

Install PSM HTML 5 GW Docker 

Install Docker

#CentOS 7, Debian, Ubuntu 
curl -sSL https://get.docker.com/ | sh 
systemctl start docker 
systemctl enable docker
When you run the HTML5 Gateway container using the docker run command, make sure you specify the following options:
  • JWT validation – Set EnableJWTValidation=no. For more details, see Disable JWT Validation.
  • PSM certificate settings – Set either PSMCAFile or IgnorePSMCertificateErrors. For more details, see Validate the PSM remote certificate.
    • -e IgnorePSMCertificateErrors=yes ignores PSM certificate errors. Specify either this option or -e PSMCAFile.
  1. Copy the HTML5 Gateway\PSMGWDocker directory located in the CD image to the Linux host.
  2. Go to that directory.
  3. Grant execution permissions for the script by running the following command:
    chmod +x html5_installation.sh
  4. Execute the script by running the following command:
    sudo ./html5_installation.sh localimage
  5. Run the container with an auto-created SSL certificate

Or run the container with an imported SSL certificate (the command used below).

Post-Installation

You might want to add -e IgnorePSMCertificateErrors=yes to your docker run command (it is a docker option, so it belongs before the image name):

sudo docker run --restart unless-stopped -ti -p 443:8443 -v /opt/cert/:/opt/import:ro -d --cap-drop=all --cap-add={CHOWN,DAC_OVERRIDE,FOWNER,SETGID,SETUID} -e AcceptCyberArkEULA=yes -e PSMCert=psmca.pem -e IgnorePSMCertificateErrors=yes --hostname html5.51sectest.dev --name html5.51sectest.dev cahtml5gw:11_3_0_236
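The following is an added example, not code from the original post or from CyberArk. It assembles the HTML5 Gateway docker run line so that every -e option sits before the image name (tokens placed after the image name are handed to the container's entrypoint, not to docker) and enforces the either/or rule from the option list above: exactly one of PSMCAFile or IgnorePSMCertificateErrors=yes. The image tag, hostname, bind mount and PSMCert file are the post's lab values; the PSMCAFile path /opt/import/psm-ca.pem is an assumed example. The --cap-add values are spelled out because the {A,B,C} brace expansion only works in bash, not in POSIX sh.

```shell
#!/bin/sh
# Added example (not from the original post or from CyberArk): build the HTML5
# Gateway `docker run` command with the PSM certificate options validated.
# Image tag, hostname, mount and PSMCert file are the post's lab values; the
# PSMCAFile path is an assumed example.

# build_html5gw_run_cmd HOST IMAGE PSMCERT PSMCAFILE IGNORE_ERRORS
#   prints the docker run line, or returns 1 when the certificate options are invalid
build_html5gw_run_cmd() {
    host=$1; image=$2; psmcert=$3; cafile=$4; ignore=$5
    if [ -n "$cafile" ] && [ "$ignore" = "yes" ]; then
        echo "error: set either PSMCAFile or IgnorePSMCertificateErrors=yes, not both" >&2
        return 1
    fi
    if [ -z "$cafile" ] && [ "$ignore" != "yes" ]; then
        echo "error: PSM certificate handling needs PSMCAFile or IgnorePSMCertificateErrors=yes" >&2
        return 1
    fi
    # Validating against the PSM CA is the preferred setting; ignoring certificate
    # errors is the lab shortcut the post uses.
    if [ -n "$cafile" ]; then
        certopt="-e PSMCAFile=$cafile"
    else
        certopt="-e IgnorePSMCertificateErrors=yes"
    fi
    # All -e options come before the image name; EnableJWTValidation=no is taken
    # from the option list in the post. -d replaces the post's "-ti ... -d" pair.
    printf 'sudo docker run --restart unless-stopped -d -p 443:8443 -v /opt/cert/:/opt/import:ro --cap-drop=all --cap-add=CHOWN --cap-add=DAC_OVERRIDE --cap-add=FOWNER --cap-add=SETGID --cap-add=SETUID -e AcceptCyberArkEULA=yes -e EnableJWTValidation=no -e PSMCert=%s %s --hostname %s --name %s %s\n' \
        "$psmcert" "$certopt" "$host" "$host" "$image"
}

# env_after_image CMDLINE IMAGE -> returns 0 if an "-e" option appears after IMAGE
# (docker would pass it to the container instead of setting an environment
# variable), 1 if the line is ordered correctly or IMAGE is not on the line.
env_after_image() {
    case "$1" in
        *"$2"*) ;;
        *) return 1 ;;
    esac
    tail=${1#*"$2"}
    case " $tail " in
        *' -e '*) return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone run: the lab variant, then the same line validating against the PSM CA.
build_html5gw_run_cmd html5.51sectest.dev cahtml5gw:11_3_0_236 psmca.pem '' yes
build_html5gw_run_cmd html5.51sectest.dev cahtml5gw:11_3_0_236 psmca.pem /opt/import/psm-ca.pem no
```

Run it as sh, pipe the printed line into a shell to start the container, and use env_after_image as a pre-flight check on any docker run line you paste from notes or tickets.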



Configure PVWA

Add PSM HTML5 Gateway Server into PVWA

  1. Log into the PVWA with an administrative user.
  2. Go to Administration > Options
  3. Right click Privileged Session Management and select Add Configured PSM Gateway Servers. Then right click Configured PSM Gateway Servers and select Add PSM Gateway Server.

  4. Select the newly added gateway server and enter a unique ID (e.g. HTML5) for the PSM HTML5 Gateway.
  5. Expand the newly created gateway server. Enter the following in the Connection Details page:
    Parameter   Value
    Address     Fully qualified domain name (FQDN) of the server on which the gateway is installed, or the Virtual IP (VIP) of an HTML5 Gateway Server farm. The address should be in FQDN format and must match the SSL certificate of the PSM HTML5 Gateway machine. For example: html5.51sectest.dev
    Port        443
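The Address value above has to match the certificate you created in the Tomcat keystore earlier (the lab CSR used CN=*.51sectest.dev). The following is an added example, not code from the original post, that checks a gateway FQDN against a certificate subject CN using the usual wildcard rule (a leading * stands for exactly one DNS label), and optionally reads the CN straight from the keystore when keytool is available. Keystore path, alias and names are the post's lab values; the keystore password is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original post): verify that the PVWA gateway
# address is covered by the subject CN of the certificate in /opt/tomcat/keystore.
# Keystore path, alias and host names are the post's lab values; the password is
# a placeholder.

# cn_matches_host CN HOST -> returns 0 if HOST is covered by CN, 1 otherwise
cn_matches_host() {
    cn=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$cn" in
        '*.'*)
            # wildcard CN: HOST must be <one label>.<CN suffix>, nothing deeper
            suffix=${cn#\*.}
            label=${host%%.*}
            rest=${host#*.}
            [ -n "$label" ] && [ "$label" != "$host" ] && [ "$rest" = "$suffix" ]
            ;;
        *'*'*)
            # a '*' anywhere other than the leftmost label is not a valid wildcard
            return 1
            ;;
        *)
            [ "$cn" = "$host" ]
            ;;
    esac
}

# keystore_cn KEYSTORE ALIAS STOREPASS -> prints the subject CN of that alias.
# Needs keytool (JDK); -storepass keeps the call non-interactive.
keystore_cn() {
    keytool -list -v -keystore "$1" -alias "$2" -storepass "$3" 2>/dev/null \
        | sed -n 's/^Owner: .*CN=\([^,]*\).*/\1/p' | head -n 1
}

# check_gateway_address HOST CN -> 0 with a message on match, 1 on mismatch
check_gateway_address() {
    if cn_matches_host "$2" "$1"; then
        printf 'OK: %s is covered by certificate CN %s\n' "$1" "$2"
    else
        printf 'MISMATCH: PVWA address %s is not covered by certificate CN %s\n' "$1" "$2" >&2
        return 1
    fi
}

# Stand-alone run with the lab values: read the CN from the keystore when keytool
# and the keystore are present, otherwise use the CN entered in the CSR above.
if command -v keytool >/dev/null 2>&1 && [ -f /opt/tomcat/keystore ]; then
    CN=$(keystore_cn /opt/tomcat/keystore html5 'KEYSTORE-PASSWORD-PLACEHOLDER')
else
    CN='*.51sectest.dev'
fi
check_gateway_address html5.51sectest.dev "$CN"
```

A mismatch here means browsers will reject the gateway certificate and PVWA sessions through the gateway will fail, so run the check before entering the Address in PVWA and again after renewing the certificate.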

Configure PSM

Multiple PSM Servers can work with the same gateway or with different gateways. Repeat steps 3-4 for each PSM server you want to set to use the PSM Gateway.
  1. Log into the PVWA with an administrative user.
  2. Go to Options > Privileged Session Management > Configured PSM Servers
  3. Select the PSM server entry that you want to set to use the PSM Gateway.
  4. Right click Connection Details and select Add PSM Gateway and enter the following:

    Parameter   Value
    ID          The ID of the PSM Gateway that you created (e.g. HTML5)
    Enable      Yes

Use a Single Account for both RDP file and HTML5-based sessions

Users can use either an HTML5-based or RDP-file connection method when connecting to the remote server. The following procedures describe how to configure the PVWA so that users can select either method. Perform this procedure for every connection component for which both connection methods should be available.

  1. Log in to the PVWA with an administrative user.
  2. Go to Options > Connection Components > {Connection Component} > User Parameters
  3. Add AllowSelectHTML5.

You can also let users choose between the RDP-file method, the HTML5 Gateway method, or user selection when connecting to the remote server: copy (duplicate) the PSM server entry and give the copy another unique name.

References

from Blogger http://blog.51sec.org/2020/07/cyberark-psm-html5-gateway-installation.html

By Jonny
