This post summarizes the steps to install the PVWA (Password Vault Web Access) component.

Diagram

System Requirements

Refer to this doc:
OS: 2019, 2016 (preferred by the installation guide), 2012 (special requirements)
Application: Multi-language, Certificate, HSM, LDAP, Cipher suites for Syslog, SMTP over SSL
Protocols: RDP
PVWA should be placed close to the end users who sign into it.

Architecture 

Document from CyberArk, or my post:

Consider

Details

Network topology

  • How many Vaults does your implementation require?

  • Where will they be positioned? In the internal network? In the external network? In the DMZ?

  • From where will the Vault(s) be managed?

  • From where will the Vault(s) be accessed?

High availability

  • How many passwords will you store in the Vault?

  • How frequently are your passwords accessed?

  • How essential is it to have 24/7 access?

Multiple CPMs/PSMs

Does your implementation require multiple CPMs/PSMs for

  • Distributed architecture

  • High Availability

Multiple PVWAs

Does your implementation require multiple PVWAs for

  • Distributed architecture

  • High Availability

  • Different authentication types

  • Access from different networks

Pre-Installation Tasks

1 Clean installation of Windows 2016 Standard. Update Windows with all the latest patches.
2 Log on to Windows as the administrator user
3 Run PVWA server pre-requisites script

The pre-requisites script performs the following tasks:
  • Verifies .NET version
  • Installs Web server roles, for details, see Web server roles
  • Disables IPv6
  • Configures the self-signed certificate
  • Sets IIS SSL TLS configuration
Steps to execute the script:
  1. Copy the PVWA folder from the installation package to the component server, and unzip the folder.
  2. In the InstallationAutomation folder, locate the PVWA_Prerequisites.ps1 file.
  3. Open the PowerShell window, and run the PVWA_Prerequisites.ps1 file as an administrator.
  4. Open IIS Manager Console (inetmgr) and replace the self-signed SSL certificate with a CA-signed SSL certificate. For how to generate a CSR, how to have the CSR signed to get a new CA-signed certificate, and how to apply the new certificate to the Default Web Site, please refer to this post: 
  5. Enable the Require SSL setting for the Default Web Site.

  6. Have the Vault IP and the Vault administrator account ready for the connection to the Vault.

Install PVWA Using Scripts (Recommended)

The PVWA can be installed and deployed automatically using scripts, or installed using the installation wizard. CyberArk recommends that you use the automated scripts.

1 In the PVWA\InstallationAutomation\Installation folder, locate and open the InstallationConfig.xml file.

2 In the InstallationConfig.xml file, specify the following parameters:

Parameter: Description

  • Username: The name of the user running the installation.
    Valid values: Username

  • Company: The name of the company running the installation.
    Valid values: Company name

  • PVWAApplicationDirectory: The location of the PVWA IIS web application.
    Valid values: Pathname
    Default value: C:\inetpub\wwwroot\PasswordVault\

  • PVWAInstallDirectory: The path where PVWA is installed.
    Valid values: Pathname
    Default value: C:\CyberArk\Password Vault Web Access\

  • PVWAApplicationName: The name of the PVWA IIS web application.
    Valid values: Application name
    Default value: PasswordVault

  • PVWAAuthenticationList: The authentication types that PVWA supports. Separate multiple values with semicolons (;).
    Valid values: CyberArk, Windows, Radius, PKI, LDAP, Oracle SSO, SAML
    Default value: CyberArk;

    • Some of the selected authentication types must be installed and configured on the Vault before they can be configured for the PVWA. For more information, see Authenticate to Privileged Access Manager.

    • Make sure that the administrator user for testing can authenticate to the Vault with one of the selected authentication methods so that you will be able to test the installation.

    • To customize third-party authentication servers, see Set up customized authentication modules.

  • pvwaUrl: The URL of the default PVWA to access.
    Valid values: URL
    Default value: https://127.0.0.1/PasswordVault

  • isUpgrade: Indicates whether the registration is for an upgrade or a clean installation.
    Default value: False
    Valid values: True\False

3 In a PowerShell window, run the PVWAInstallation.ps1 script as Administrator.
4 Registration


The registration process connects the PVWA to the Vault.
  1. In the PVWA\InstallationAutomation\Registration folder, locate and open the PVWARegisterComponentConfig.xml file.

  2. In the PVWARegisterComponentConfig.xml file, specify the following parameters:

    Parameter: Description

    • accepteula: Acceptance of the end user License agreement.
      Valid values: Yes/No

    • vaultIP: The IP address or hostname of the Vault server.
      When you register PVWA to a DR Vault environment, specify vaultip with <vault ip>,<DR ip>
      Valid values: IP address or hostname

    • vaultport: The Vault’s configured communication port.
      Recommended default Vault port: 1858
      Valid values: Port number

    • vaultuser: The name of the Vault user performing the installation.
      Valid values: Username
      We recommend using the Vault administrator user to install PVWA as this user has the appropriate Vault authorizations, and is created in the appropriate location in the Vault hierarchy.
      For more information about the required authorizations, see Vault user authorizations.

    • pocmode: Whether or not PVWA is installed in POC mode.
      Valid values: True/False

    • authenticationlist: The authentication types that PVWA supports. Separate multiple values with semicolons (;).
      Valid values: CyberArk, Windows, Radius, PKI, LDAP, Oracle SSO, SAML

    • installpackagedir: The full path to the installation package directory (the directory that includes setup.exe).
      Edit this parameter only when pocmode is set to true.
      Do not edit if pocmode is set to false.
      Valid values: Pathname

    • vaultname: The name of the Vault where the PVWA configuration files will be stored.
      Valid values: Vault name

    • virtualDirectoryPath: The root path of the web application.
      Specify the same value as the PVWAApplicationDirectory parameter value in the InstallationConfig.xml file.
      Default value: C:\inetpub\wwwroot\PasswordVault
      Valid values: Pathname

    • configFilesPath: The path where the PVWA configuration files are installed.
      Specify the same value as the PVWAInstallDirectory value in the InstallationConfig.xml file.
      Default value: C:\CyberArk\Password Vault Web Access
      Valid values: Pathname

    • pvwaUrl: The URL of the default PVWA to access.
      Valid values: URL

    • isUpgrade: Indicates whether the registration is for an upgrade or a clean installation.
      Default value: False
      Valid values: True\False

    • PVWAApplicationName: The name of the PVWA IIS web application.
      Default value: PasswordVault
      Valid values: Application name

  3. In a PowerShell window, run the PVWARegisterComponent.ps1 script as Administrator, and provide the Vault password in one of the following ways:

    • As a secure string (recommended):

      CD "<installation package Path>InstallationAutomation\Registration"
      .\PVWARegisterComponent.ps1 -spwdObj <vaultpassword>

    • Using a Windows authentication window (recommended for manual runs):

      CD "<installation package Path>InstallationAutomation\Registration"
      .\PVWARegisterComponent.ps1

    • As clear text (not recommended):

      CD "<installation package Path>InstallationAutomation\Registration"
      .\PVWARegisterComponent.ps1 -pwd <vaultpassword>
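A pre-registration check for the two configuration files described above, followed by the secure-string invocation. This is an added example, not part of the CyberArk package. It assumes that parameters are stored as elements carrying Name and Value attributes, that -spwdObj accepts a SecureString object, and that $root (a hypothetical path) is where the PVWA folder was unzipped.

```powershell
# Added example; assumptions are stated in the lead-in and marked below.
$root = 'C:\Install\PVWA\InstallationAutomation'   # hypothetical unzip location

function Get-ParamValue {
    param([string]$Path, [string]$Name)
    # Assumption: <... Name="param" Value="value"/>. Adjust the XPath if your
    # package version lays the file out differently.
    $xml  = [xml](Get-Content -LiteralPath $Path -Raw)
    $node = $xml.SelectNodes('//*[@Name]') |
        Where-Object { $_.GetAttribute('Name') -ieq $Name } |
        Select-Object -First 1
    if (-not $node) { throw "Parameter '$Name' not found in $Path" }
    $node.GetAttribute('Value')
}

function Test-SamePath {
    param([string]$A, [string]$B)
    # The documented defaults differ only by a trailing backslash,
    # so strip it before comparing (case-insensitively).
    $A.TrimEnd('\') -ieq $B.TrimEnd('\')
}

$install  = Join-Path $root 'Installation\InstallationConfig.xml'
$register = Join-Path $root 'Registration\PVWARegisterComponentConfig.xml'

# Pairs that must hold the same value in both files
$pairs = @(
    @{ Install = 'PVWAApplicationDirectory'; Register = 'virtualDirectoryPath' },
    @{ Install = 'PVWAInstallDirectory';     Register = 'configFilesPath' }
)
foreach ($p in $pairs) {
    $a = Get-ParamValue $install  $p.Install
    $b = Get-ParamValue $register $p.Register
    if (-not (Test-SamePath $a $b)) {
        throw "$($p.Register) ('$b') does not match $($p.Install) ('$a')"
    }
}

# Prompt for the Vault password so it never appears on the command line,
# in the console transcript, or in PowerShell history.
$vaultPassword = Read-Host -Prompt 'Vault password' -AsSecureString
Set-Location (Join-Path $root 'Registration')
.\PVWARegisterComponent.ps1 -spwdObj $vaultPassword
```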


Install PVWA Using Installation Wizard (Easiest)

You can also install PVWA using the installation wizard, as shown in this doc:
  1. On the PVWA machine, create a new folder, and copy the Password Vault Web Access folder from the installation package to the new folder.

  2. Start the installation procedure by doing one of the following actions:

    • On systems that are UAC-enabled, right-click Setup.exe, and then select Run as Administrator.

    • The Setup window appears.

      Make sure you have closed any open Windows applications. If you are prompted to install the Visual C++ package, click Install.

       

      You can exit installation at any time by clicking Cancel. You can return to the previous installation window by clicking Back, where applicable.

  3. Click Next and accept the terms of the License Agreement.

  4. Read the license agreement, and then click Yes.

  5. In the Customer Information window, enter your name and Company name in the appropriate fields, and then click Next.

  6. In the Web application destination window, do one of the following actions:

    • Click Next to accept the default location where the PVWA will be installed (displayed in the Destination Folder area). It is recommended not to change the destination folder; if you really have to install to a disk other than the C drive, at least keep the same folder structure.

    • Click Browse, select another location, and then click Next.

  7. In the Configuration files destination window, select the folder on your computer where the configuration and connection files for the PVWA will be installed. Do one of the following actions:

    • Click Next to accept the default location provided by the installation (as displayed in the Destination Folder area).

    • Click Browse, select another location, and then click Next.

     

    Since some of the files under this folder require full access permissions by the user that runs the web application (for example, ASPNET/NETWORKSERVICE), it is highly recommended to leave the default location. Specifically, this location must not be changed to ‘wwwroot’ or ‘Program Files’.

    The Setup Type window appears.

  8. Select the type of PVWA that you want to install, and then click Next.

    • Full Password Vault Web Access – Installs the PVWA for desktop browsers.

    • Mobile Password Vault Web Access – Installs a PVWA interface that is specifically for mobile devices.

  9. In the Web application details window, enter the website name, application name, and authentication type(s) for the web application.

    1. Select the site name from the list of installed site names. If the operating system does not support multiple web sites, the site name will be disabled and you will not be able to select from a list of additional site names.

    2. Enter the application name or leave the default application name.

    3. Select one or more authentication types that the PVWA supports. Choose CyberArk, LDAP and Windows as the authentication types if you want to keep the installation simple. The settings can be changed later by integrating other authentication types, such as Radius, PKI, etc.

      Some of the selected authentication types must be installed and configured on the Vault before they can be configured for the PVWA. For more information, see Authenticate to Privileged Access Manager.
      To customize third-party authentication servers, see Set up customized authentication modules.
    4. Select the default authentication method that the PVWA will display when users open the web browser.

    5. Select the default authentication type that the Mobile PVWA will display when users access the Mobile PVWA URL.

    6. To enable each user to display the authentication login page for their authentication method, select Remember last used authentication (requires cookies).

  10. Click Next. If the application name has already been specified for a different application, the following message appears.

  11. Click OK, and then change the application name.

    The PVWA configures the installation.

  12. Click Next to continue.

  13. In the Vault connection details window, enter the connection details of the Password Vault and the PVWA.

    1. Specify the IP or DNS address and the port number of the Password Vault.

      For high availability implementations and DR: After installation, open the Vault.ini file and specify multiple Vault IP addresses, separated by commas, in the Address parameter. Currently there is no limit to the number of IP addresses that you can specify.

    2. Specify the URL of the PVWA. A DNS record will need to be created to map the FQDN to an IP address. For example, https://comp01.51sectest.corp/PasswordVault.

      In deployments that use a load balancer (a DNS record needs to be created for pvwa.51sectest.corp): Specify the URL of the PVWA’s load balancer. For example: https://pvwa.51sectest.corp/PasswordVault

      If the specified URL is invalid, the following message appears.

    3. Click OK, and then enter the correct PVWA URL.

      In deployments that support multiple PVWAs: Enter the URL of the PVWA. The installation process adds the URL to the ApplicationRoot parameter in the PVWA configuration file. If this URL is not yet entered, the installation will add it to the existing URL, separated by a comma.

    • DefaultMethod can be changed to None, which shows the homepage with all available authentication methods. Don’t forget to run iisreset after making any change here so that it takes effect.
  14. Click Next.

    The Vault’s username and password details window appears.

    1. Enter the logon details of the Vault user.

      If the Vault IP or the port number was not specified, the following message or a similar one appears.

      message 2

    2. Do one of the following actions:

      • Click Yes to skip to the end of the installation. You will have to create the PVWA environment later.

         

        You can only use the PVWA after it is connected to the Vault (Registration step). To connect to the Vault, see Registration.

      • Click No to return to the Vault connection details window, and enter the Vault’s connection details, and then click Next.

  15. In the Vault’s user name and password details window, enter the user name and password of the Vault user performing the installation, and then click Next.

    The PVWA environment is created.

     

    It is recommended to use the Vault Administrator user for this installation as this user has the appropriate Vault authorizations and is created in the appropriate location in the Vault hierarchy. For more information about the required permissions, see Vault user authorizations.

    If the installation cannot use the specified user and password to log on to the Vault and complete the installation, this step appears again.

    If the user name or password was not entered, the following message appears.

    message 3

    • Do one of the following:

      • Click Yes to skip to the end of the installation. You will have to create the PVWA environment later.

         

        This option is strongly discouraged.

      • Click No to return to the Vault’s username and password details window, enter the username and password, and then click Next to create the PVWA environment.

  16. In the Setup Complete window, click Finish to complete the installation.

  17. Restart the machine.

Post-Installation

More can be found from this doc:

1 Check the installation log files. Open the %temp% folder and review the related PVWAinstall*.log files.
2 Check the user permissions on the web server

3 Configure additional authentication methods (LDAP, Radius, 2FA etc) to log into PVWA
4 Replace self-signed certificate

More details can be found from this post:

5 For high availability, specify multiple vault ip addresses 

It will be shown in my advanced lab.

Hardening

 

You can harden the PVWA server automatically using a script file (if PSM is going to be on the same machine, the script may affect the PSM installation). Here is CyberArk Doc for hardening:
  • Before you run the hardening script, in the PVWA\InstallationAutomation folder, locate and open the PVWA_Hardening_Config.xml file, and set the IsPSMInstalled parameter to True.
  • In a PowerShell window, run the PVWA_Hardening.ps1 script as Administrator.
  • After running the script, perform the following post-auto-hardening tasks:
    • Remove or disable other protocols, services, or clients
      • Client for Microsoft Network
      • File and Printer Sharing for Microsoft Network
      • Internet Protocol Version 4 (TCP/IPv4)
      • IPv6 disable
    • Remove all unused application pools (only keep defaultapppool and PasswordVaultWebAccessPool)
    • Remove Adobe Flash
    • Rename default accounts (administrator, guest)
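The IIS-related items from the pre-installation and hardening steps (Require SSL on the Default Web Site, a CA-signed certificate instead of the self-signed one, and only the two expected application pools) can be audited with a short script. This is an added example, not CyberArk's hardening script. It assumes PVWA is hosted under 'Default Web Site' and that it runs in an elevated PowerShell session on the PVWA server.

```powershell
# Added example; site name and pool list are assumptions taken from this post.
Import-Module WebAdministration

function Test-PvwaIisBaseline {
    param(
        [string]$SiteName = 'Default Web Site',
        [string[]]$AllowedPools = @('DefaultAppPool', 'PasswordVaultWebAccessPool')
    )
    $findings = New-Object 'System.Collections.Generic.List[string]'

    # "Require SSL" in IIS Manager sets the Ssl flag of system.webServer/security/access.
    $access = @{ PSPath = "IIS:\Sites\$SiteName"; Filter = 'system.webServer/security/access'; Name = 'sslFlags' }
    $raw    = Get-WebConfigurationProperty @access
    $flags  = if ($raw -is [string]) { $raw } else { [string]$raw.Value }
    if (($flags -split ',\s*') -notcontains 'Ssl') {
        $findings.Add("Require SSL is not enabled on '$SiteName' (sslFlags=$flags)")
    }

    # HTTPS bindings: report missing, self-signed (issuer equals subject) or expired certificates.
    $bindings = @(Get-WebBinding -Name $SiteName -Protocol 'https')
    if ($bindings.Count -eq 0) { $findings.Add("'$SiteName' has no HTTPS binding") }
    foreach ($b in $bindings) {
        $certPath = "Cert:\LocalMachine\$($b.certificateStoreName)\$($b.certificateHash)"
        $cert = Get-Item -LiteralPath $certPath -ErrorAction SilentlyContinue
        if (-not $cert) {
            $findings.Add("Binding $($b.bindingInformation) has no certificate assigned")
            continue
        }
        if ($cert.Subject -eq $cert.Issuer) {
            $findings.Add("Binding $($b.bindingInformation) still uses a self-signed certificate ($($cert.Subject))")
        }
        if ($cert.NotAfter -lt (Get-Date)) {
            $findings.Add("Certificate $($cert.Thumbprint) expired on $($cert.NotAfter)")
        }
    }

    # Application pools: anything beyond the two expected pools should be removed.
    Get-ChildItem IIS:\AppPools |
        Where-Object { $AllowedPools -notcontains $_.Name } |
        ForEach-Object { $findings.Add("Unexpected application pool: $($_.Name)") }

    $findings
}

# An empty result means all three checks passed.
Test-PvwaIisBaseline | ForEach-Object { Write-Warning $_ }
```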

Multiple PVWA installations

Multiple PVWAs in a single Vault environment


A single Vault can work with multiple instances of PVWA that are installed on different machines and which access the same Vault. This is true for a single Vault environment and for a Disaster Recovery Vault environment, and enables you to work with high availability or load balancing scenarios. In both scenarios, the same PVWA version must be installed on all machines.

Load balancer requirements

  • The load balancer must not alter page content, or it should include a mechanism to prevent pages from being altered.

  • The load balancer must not alter the application path hierarchy (leave the default application path as it is).

  • The load balancer must support ‘sticky sessions’.

Configure the PVWA to work with the load balancer

  • In the web.config file, for the LoadBalancerClientAddressHeader parameter, enter the HTTP Header field name from which the PVWA reads the client IP. For more information, see the LoadBalancerClientAddressHeader parameter in PVWA Parameter File (Web.config).


By the way, you can change the favicon.ico file under c:\inetpub\wwwroot\PasswordVault\v10 to tell which PVWA server you are hitting. Change the icon color from blue to red on one of your PVWA servers, and you will know you are on that server whenever the icon shows red.



By netsec
