Secure access with a PSM HTML5 gateway
This topic describes how to configure PSM to work through an HTML5 gateway.
Configure the PVWA
The following procedure describes how to configure the PVWA to work with the PSM HTML5 gateway server.
- Log in to the PVWA with an administrative user.
- Go to Administration > Options.
- Right click Privileged Session Management and select Add Configured PSM Gateway Servers.
- Right click Configured PSM Gateway Servers and select Add PSM Gateway Server.
- Select the newly added gateway server and enter a unique ID for the PSM HTML5 gateway.
- Expand the newly created gateway server. Enter the following details on the Connection Details page:
Parameter | Value
---|---
Address | Fully qualified domain name (FQDN) of the server on which the gateway is installed, or the Virtual IP (VIP) of a PSM HTML5 Gateway Server farm. The address should be in FQDN format and should match the SSL certificate of the PSM HTML5 gateway machine.
Port | 8443
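A quick way to verify the Address value before saving it, as an added example that is not CyberArk's code: the first function checks the FQDN requirement, the second checks the name against the gateway certificate's subject alternative names (the SAN list and hostnames used in the test are constructed; gateway_sans assumes openssl 1.1.1+ with the -ext option and network access to port 8443).

```shell
#!/bin/sh
# Added example, not CyberArk's code: sanity-check the Address configured in the
# PVWA for the PSM HTML5 gateway. The page requires an FQDN that matches the
# gateway's SSL certificate on port 8443; these functions check exactly that.

# Return 0 if $1 looks like an FQDN: at least one dot, no scheme, path or port,
# and not a dotted-quad IP address (a VIP must also be entered by its DNS name).
is_fqdn() {
    case "$1" in
        *://*|*/*|*:*|'') return 1 ;;   # URL, path, host:port or empty
        *.*) ;;                          # has a dot, keep checking
        *) return 1 ;;                   # bare short hostname
    esac
    if printf '%s' "$1" | grep -Eq '^[0-9]+(\.[0-9]+){3}$'; then
        return 1
    fi
    return 0
}

# Return 0 if address $1 is covered by the comma-separated SAN list $2, e.g.
# "DNS:psmgw.example.com, DNS:*.lab.example.com" (constructed sample).
# A leading wildcard matches exactly one label, as browsers require.
san_covers() {
    addr=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    set -f                                  # no globbing of '*' in wildcard SANs
    for entry in $(printf '%s' "$2" | tr ',' ' '); do
        name=$(printf '%s' "$entry" | sed 's/^DNS://' | tr 'A-Z' 'a-z')
        case "$name" in
            "$addr") set +f; return 0 ;;
            '*.'*)
                suffix=${name#\*}           # ".lab.example.com"
                rest=${addr#*.}             # address without its first label
                if [ ".$rest" = "$suffix" ]; then set +f; return 0; fi ;;
        esac
    done
    set +f
    return 1
}

# Read the SAN list the gateway really presents on 8443 (needs network access
# and OpenSSL 1.1.1+ for -ext); feed the result to check_gateway_address.
gateway_sans() {
    openssl s_client -connect "$1:8443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -ext subjectAltName 2>/dev/null | sed -n '2s/^ *//p'
}

# Both checks together: returns 1 for a bad address format, 2 for a SAN mismatch.
check_gateway_address() {
    is_fqdn "$1" || { echo "'$1' is not an FQDN" >&2; return 1; }
    san_covers "$1" "$2" || { echo "'$1' not in certificate SANs: $2" >&2; return 2; }
    echo "'$1' is an FQDN and matches the gateway certificate"
}
```

Run it as `check_gateway_address psmgw.example.com "$(gateway_sans psmgw.example.com)"` against the live gateway; a mismatch here is the same mismatch the browser will report when the HTML5 session opens.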
Multiple PSM Servers can work with the same gateway or with different gateways. Repeat steps 3-4 for each PSM server you want to set to use the PSM Gateway.
- Log in to the PVWA with an administrative user.
- Go to Options > Privileged Session Management > Configured PSM Servers.
- Select the PSM server entry that you want to set to use the PSM Gateway.
- Right click Connection Details, select Add PSM Gateway and enter the following:

Parameter | Value
---|---
ID | The ID of the PSM Gateway that you created in Add the PSM HTML5 gateway server.
Enable | Yes
- Set the default connection method to define the connection method you want to use for most PSM connections. Then define the toggle-per-account option for account platforms where you want the user to have the option to use both connection methods (RDP\HTML5). Alternatively, you can duplicate PSM entries.
Set the default connection method:
This method requires PVWA 12.2.
- Log into the PVWA with an administrator user.
- Go to Options > Privileged Session Management UI.
- Set DefaultConnectionMethod to HTML5 or RDP.
HTML5 sessions are triggered only for the PSM machines associated with HTML5 Gateway.
Platforms connected to a PSM server that is configured to connect with an RDP file ignore the AllowSelectHTML5 parameter and automatically connect using RDP.
Set one of the following options:
This method is only available in the Version 10 interface.
The use of shared privileged accounts often means that the same account is used by both an external third-party vendor and an internal privileged employee. While the external vendor's access is frequently through an HTML5 browser-based session, the internal employee may prefer to connect with an RDP-file based session.
Users can use either an HTML5-based or RDP-file connection method when connecting to the remote server. The following steps describe how to configure the PVWA so that users can select either method.
Perform these steps for every connection component for which both connection methods should be available.
To set a single account for both RDP and HTML5 sessions:
- Log in to the PVWA with an administrative user.
- Go to Options > Connection Components > {Connection Component} > User Parameters.
- Add AllowSelectHTML5. For details, refer to Connection Components.
Configure a single PSM to enable connectors to use either RDP file or HTML5 Gateway, when connecting to the remote server:
In PVWA 12.2 and above you must set DefaultConnectionMethod to HTML5.
- Duplicate the PSM server and give a unique name to the new server. For example, duplicate the PSMServer_RDP server and call the new server PSMServer_HTML5.
- On the new server, add and enable the PSM HTML5 Gateway, as described in Add PSM HTML5 Gateway server and Configure the PSM server to use the HTML5 Gateway.
- Connect all platforms that will use the HTML5 Gateway, or that will enable the user to select the connection method, to the new server. For platforms that enable the user to select the connection method, configure the connection components as described in Secure access with a PSM HTML5 gateway.

For additional configuration options, refer to Gateway configuration.
Interaction between local and remote machines
When working in HTML5 browser-based PSM sessions, you can copy files and text between the local workstation and the remote target.
Copy files
When you connect to the remote target through the PVWA, you can copy files from the local workstation to the remote target. Drag a file to the remote target and the Upload Files window opens, showing the progress of the file upload and all previous file uploads.
Click Cancel to cancel the upload. Any canceled or failed uploads are shown with a red X.
Click Clear to remove a specific file upload from the list.
You can also click Clear Failed Files to remove all canceled and failed uploads from the list or click Clear Completed Files to remove all completed uploads from the list.
Click Close to close the window. You can also minimize the window to show only a summary of the number of current, completed, and failed or canceled file uploads.
The file is copied to a new drive, usually the Z: drive, that is mapped to the remote target to support the file transfer. In non-RDP connections, the drive is named File Transfer. In RDP connections, the drive is named the PSM hostname.
Open the new drive, or refresh it if it is already opened, and drag each file from the new drive to the desired location on the remote target to complete the copy process. The new drive is deleted at the end of the session.
You can copy files from the remote target to the local workstation.
Drag the file to the Download folder in the new drive, usually the Z: drive, that is mapped to the remote target to support the file transfer. In non-RDP connections, the drive is named File Transfer. In RDP connections, the drive name is the PSM hostname.
The file is automatically downloaded to the local workstation using the browser download. You can download up to 2GB or 120 files per session.
You can configure WinSCP during your session and the configuration will remain for all your sessions.
- In WinSCP, click Options > Preferences.
- Select Transfer > Endurance.
- Under Enable transfer resume/transfer to temporary filename for, select Disable.
Copy text
When you connect to the remote target through the PVWA, you can press Ctrl + Alt + Shift to display the Clipboard Control tool on the remote desktop. In Internet Explorer, the Clipboard Control tool does not appear. Instead, you can use the standard keyboard shortcuts for copying and pasting text. See Internet Explorer for details.
Copy the text from the local workstation and paste it into the Clipboard Control tool: in the Clipboard Control tool, press Ctrl + V or right-click and select Paste. Then paste the text in the desired location on the remote target.
You can copy text from the remote target to the Clipboard Control tool and select the text to copy to the local workstation.
In Internet Explorer, you can use CTRL + C and CTRL + V to copy and paste between the remote target and the local workstation.
When you attempt to copy data from the remote target for the first time in a session, the following message appears:
Click Allow access to enable the copy.
To avoid this message:
- Go to Tools -> Internet Options.
- Go to the Security tab.
- Select the Internet zone, then click Custom level...
- Scroll down to the Scripting section.
- Under the Allow Programmatic clipboard access option, select Enable.
- Click Ok twice to exit Internet Options.
After these steps, the browser allows programmatic clipboard access for every website, not only the PVWA.
Keyboard layouts
The HTML5 gateway supports multiple keyboard layouts, as described below.
Keyboard layouts in v11.5
The HTML5 gateway v11.5 supports the following keyboard layouts:
Keyboard layout | Description
---|---
en-us-qwerty (default) | English (US) keyboard
fr-fr-azerty | French keyboard (azerty)
de-de-qwertz | German keyboard (qwertz)
ca-psm-unicode | A CyberArk custom Unicode keyboard. Most characters pass as Unicode data and not as keystrokes. Functionality that depends on capturing keystrokes might be affected.
Implement a non-default keyboard layout in v11.5
- Deploy the HTML5 Gateway Docker image as described in Install the HTML5 Gateway for PSM (side-by-side).
- Add the following parameter to the docker run command:

Parameter | Description
---|---
-e ServerKeyboardLayout | The type of keyboard layout to implement. Specify any of the keyboard layouts listed above.

For example, to implement the Unicode keyboard:
sudo docker run --restart unless-stopped -ti -v <certificates directory>:/opt/import:ro -d --cap-drop=all --cap-add={CHOWN,DAC_OVERRIDE,FOWNER,SETGID,SETUID} -e AcceptCyberArkEULA=yes -e EnableJWTValidation=no -e PSMCAFile=psmca.pem -e ServerKeyboardLayout=ca-psm-unicode --net=cyberark --hostname <container name> --name <container name> docker.io/alerocyberark/psmhtml5

- In environments with only one keyboard layout (qwerty, azerty or qwertz), set ServerKeyboardLayout to one of the following keyboard layouts:
  - en-us-qwerty (default)
  - fr-fr-azerty
  - de-de-qwertz
  For RDP sessions, align the keyboard layout on the target machine. For all other sessions, align the keyboard layout on the PSM machine.
- In environments with targets and PSM machines that use different keyboard layouts, set ServerKeyboardLayout to ca-psm-unicode. Certain key combinations are not supported in this mode, for example:
  - Ctrl+a (select all)
  - Ctrl+z (undo)
  - Ctrl+y (redo)
  For PSM-RDP sessions, to work with universal keystrokes audit, set WindowsKeystrokesSingleLanguage=No. For more details, see Configure universal keystrokes for Windows connections when an additional language is used in the PAS docs.
  By default, PSM-RDP is configured with WindowsEventsAudit. To work with KeystrokesAudit, you need to configure it instead of WindowsEvents.
Keyboard layouts in v11.7
The HTML5 gateway v11.7 supports the following keyboard layouts:
Keyboard layout | Description
---|---
en-us-qwerty (default) | English (US) keyboard
en-gb-qwerty | English (UK) keyboard
de-ch-qwertz | Swiss German keyboard (qwertz)
de-de-qwertz | German keyboard (qwertz)
fr-be-azerty | Belgian French keyboard (azerty)
fr-fr-azerty | French keyboard (azerty)
fr-ch-qwertz | Swiss French keyboard (qwertz)
hu-hu-qwertz | Hungarian keyboard (qwertz)
it-it-qwerty | Italian keyboard
ja-jp-qwerty | Japanese keyboard
pt-br-qwerty | Portuguese Brazilian keyboard
es-es-qwerty | Spanish keyboard
es-latam-qwerty | Latin American keyboard
sv-se-qwerty | Swedish keyboard
tr-tr-qwerty | Turkish-Q keyboard
ca-psm-unicode | A CyberArk custom Unicode keyboard. Most characters pass as Unicode data and not as keystrokes. Functionality that depends on capturing keystrokes might be affected.
failsafe | A full Unicode keyboard. All characters pass as Unicode data and not as keystrokes. Functionality that depends on capturing keystrokes might be affected.
Implement a non-default keyboard layout in v11.7
- Deploy the HTML5 Gateway Docker image as described in Install the HTML5 Gateway for PSM (side-by-side).
- Set ServerKeyboardLayout to a non-default value. For details, see Secure access with a PSM HTML5 gateway. The default value for ServerKeyboardLayout is en-us-qwerty.
  - In environments with one of the following keyboard layouts, set the ServerKeyboardLayout value to that layout: fr-fr-azerty, fr-be-azerty, fr-ch-qwertz, de-ch-qwertz, de-de-qwertz, en-us-qwerty, en-gb-qwerty, hu-hu-qwertz, it-it-qwerty, ja-jp-qwerty, pt-br-qwerty, es-es-qwerty, es-latam-qwerty, sv-se-qwerty, tr-tr-qwerty.
    For RDP sessions, align the keyboard layout on the target machine. For all other sessions, align the keyboard layout on the PSM machine.
  - In an environment with keyboard layouts not included in the above list, or in an environment with targets and PSM machines that use different keyboard layouts, set ServerKeyboardLayout to failsafe. This option sends only Unicode events and does not support key combinations that include letters, such as:
    - Ctrl+a (select all)
    - Ctrl+z (undo)
    - Ctrl+y (redo)
    This option should work with any keyboard, though not necessarily with all RDP servers or applications.
  - If the targets and PSM machines in your environment use different keyboard layouts, but all layouts are en-us-qwerty, fr-fr-azerty, or de-de-qwertz, you can set ServerKeyboardLayout to ca-psm-unicode. This option is based on Unicode, but supports some key combinations, such as Ctrl+c and Ctrl+v.
  For PSM-RDP sessions, to work with universal keystrokes audit, set WindowsKeystrokesSingleLanguage=No. For details, see Configure universal keystrokes for Windows connections when an additional language is used in the PAS docs.
  By default, PSM-RDP is configured with WindowsEventsAudit. To work with KeystrokesAudit, you must configure it instead of WindowsEventsAudit.
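The three v11.7 rules above (one supported layout everywhere, mixed but bridgeable layouts, anything else) reduce to a small decision function. The following is an added example, not CyberArk's code; the layout lists are copied from this section and the environments in the test are constructed.

```shell
#!/bin/sh
# Added example, not CyberArk's code: choose the ServerKeyboardLayout value for
# an HTML5 gateway v11.7 from the layouts in use on targets and PSM machines,
# applying the three rules in this section.

# Layouts the v11.7 gateway handles natively (the table above, minus the two
# Unicode modes).
NATIVE_LAYOUTS="en-us-qwerty en-gb-qwerty de-ch-qwertz de-de-qwertz fr-be-azerty
fr-fr-azerty fr-ch-qwertz hu-hu-qwertz it-it-qwerty ja-jp-qwerty pt-br-qwerty
es-es-qwerty es-latam-qwerty sv-se-qwerty tr-tr-qwerty"
# Layouts that ca-psm-unicode can bridge when they are mixed in one environment.
BRIDGE_LAYOUTS="en-us-qwerty fr-fr-azerty de-de-qwertz"

in_list() {   # in_list <item> <whitespace-separated list>
    case " $(printf '%s' "$2" | tr '\n' ' ') " in
        *" $1 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# valid_layout <value>: 0 if <value> is a value -e ServerKeyboardLayout accepts in v11.7.
valid_layout() {
    in_list "$1" "$NATIVE_LAYOUTS ca-psm-unicode failsafe"
}

# recommend_layout <layout>...: print the value to pass in the docker run command.
# Arguments are the distinct layouts used by the targets and the PSM machines.
recommend_layout() {
    [ $# -ge 1 ] || { echo "usage: recommend_layout <layout>..." >&2; return 2; }
    first=$1; uniform=yes; all_native=yes; all_bridge=yes
    for l in "$@"; do
        [ "$l" = "$first" ] || uniform=no
        in_list "$l" "$NATIVE_LAYOUTS" || all_native=no
        in_list "$l" "$BRIDGE_LAYOUTS" || all_bridge=no
    done
    if [ "$uniform" = yes ] && [ "$all_native" = yes ]; then
        echo "$first"           # one supported layout everywhere: use it as-is
    elif [ "$all_bridge" = yes ]; then
        echo ca-psm-unicode     # mixed but bridgeable; keeps Ctrl+c / Ctrl+v
    else
        echo failsafe           # unknown or mixed layouts: Unicode events only
    fi
}
```

Pass the result as `-e ServerKeyboardLayout=$(recommend_layout ...)` in the docker run command shown for v11.5; the same flag applies to v11.7.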
Logs
Logs are generated for the PSM HTML5 gateway web application and the guacd daemon service.
Run the following command to print the PSM HTML5 gateway container main output:
For example:
This includes output from the container initialization, as well as subsequent log entries by the guacd daemon inside the PSM HTML5 gateway.
- Open a shell prompt for the running PSM HTML5 gateway container:
  sudo docker exec -ti <container name> bash
- Once inside the container's shell, you can access the PSM HTML5 gateway web application logs in /var/opt/CARKpsmgw/logs/webapp.

Log file | Description
---|---
cyberark-psm-gateway-webapp.log | Log file for the web application
cyberark-psm-gateway-tomcat.<date>.log | Log file for the Tomcat infrastructure related to the web application
/opt/tomcat/logs/catalina.out | Log file for the Tomcat process