Import your Organization's SSL Certificate

The following instructions show you how to install your PTA private certificate that is signed by your organization's certificate authority and how to upload your organization's public certificate chains for use when PTA communicates with other servers, such as PVWA.

Privileged Threat Analytics (PTA) is now a part of the PAM - Self-Hosted solution. Data is shared between the PTA and PVWA servers, and the connection between the servers must be secure. To accomplish this, your organization's SSL certificate will be shared between the two servers, allowing each server to recognize the other.

Perform the following two procedures to install the private certificate on the PTA Server. If you are using a PKCS #12 (.pfx or .p12) certificate, only perform the second procedure.

1. On the system console, log in as the root user using the password you specified during installation.
2. Start the PTA utility by running the following command:

/opt/tomcat/utility/run.sh

3. Select 14. Generating a Certificate Signing Request (CSR).
 

You can also generate a Certificate Signing Request by running the /opt/tomcat/utility/certificateSigningRequestGenerationUtil.sh command.
4. Specify the certificate details.
  • PTA Host name
  • Organization
  • Department
  • City
  • State
  • Country Code
  • PTA Server shared FQDN (this is optional for disaster recovery mode)
  • Subject Alternative Names (SAN)
 
Enter multiple alternative DNS and/or IP values in the Subject Alternative Names field. The DNS name must include the FQDN name of the PTA server.The format is <field name>:<alternative_name>,<field name>:<alternative_name>. For example, dns:ptaserver1.pta.com,ip:10.10.10.10,dns:ptaserever2.pta.com,ip:11.11.11.11
In a disaster recovery environment, each certificate must contain in the Subject Alternative Names field the following:
Specific DNS name for the PTA Server - Primary or Secondary
DNS name for the PTA shared FQDN
Specific IP of the PTA Server - Primary or Secondary

For example, dns:ptaserver1.ptadr.com,dns:ptaserver.ptadr.com,ip:11.11.22.22 for the Primary Server and dns:ptaserver2.ptadr.com,dns:ptaserver.ptadr.com,ip:11.11.33.33 for the Secondary Server

The Certificate Signing Request (CSR) is created in the pta_server.csr file located at /opt/tomcat/ca.

5. Provide the CSR to your organization's Certificate Authority (CA).
6. The CA generates the Certificate and the Certificate Chain. For more details, see Certificate Requirements.
1. Upload the Certificate and the Certificate Chain using WinSCP to the PTA Server machine. In a disaster recovery environment, upload the appropriate certificate to each PTA Server - Primary or Secondary.
2. On the system console, log in as the root user using the password you specified during installation.
3. Start the PTA utility by running the following command:

/opt/tomcat/utility/run.sh

4. Select 15. Installing SSL Certificate Chain (Root, Intermediate(s), PTA Server certificates).
 

You can also install the Certificate Chain by running the /opt/tomcat/utility/sslCertificateInstallationUtil.sh command.
5. Specify the SSL certificate chain details of the PTA Server.

This step requires Vault Admin credentials using CyberArk authentication, and a restart of PTA services.
Installing SSL Certificate Chain (Root, Intermediate(s), PTA Server certificates):

a. Specify the PTA Server Certificate location:

Specify PTA Server Certificate full path:

b. If you are using a  PKCS #12 (.pfx or .p12) certificate, specify the certificate's password:

Specify your Specify your PKCS #12 (.pfx or .p12) Certificate password:

 

If you are using a PKCS #12 (.pfx or .p12) certificate, the SSL Server Certificate is installed without specifying any certificate locations.
c. Specify the root certificate location:

Do you have a Root Certificate (y/n)?:
Specify your Root Certificate full path (for example: /tmp/RootCertificate.crt):

d. Specify the first intermediate certificate location, if it exists:

Do you have Intermediate certificate(s) (y/n)?:
Specify Intermediate Certificate full path:

e. Continue to specify each additional intermediate certificate location, in order.
f. The SSL Server Certificate is installed:

SSL Certificate Chain installed successfully

g. If PTA is configured to communicate with the Vault, you must run the Vault Permissions Validations:

Vault Permissions Validation...
    PTA Vault user permissions validation...         [ OK ]
    PTAApp Vault user permissions validation...      [ OK ]
    PAS Account validation...                        [ FIX ]
    PAS Groups validation...                         [ OK ]

Fix the PAM - Self-Hosted Account permissions using Vault Admin user credentials:

PTA has detected missing permissions for PTA Vault user, PTAApp Vault user, PAS Account, and PAS Groups which are needed for running PTA.
Fixing permissions requires Vault Admin credentials using CyberArk authentication.
We recommend fixing the needed permissions now, but you can return to this step manually at a later stage.
Would you like to fix the needed permissions now?(Y/N)[Y]:
[Step 1/1 - VaultPermissionsRepair]
Vault Admin username [Administrator]:
Vault Admin password:
Retype Vault Admin password:
    Fixing PTA Vault user permissions...             [ OK ]
    Fixing PTAApp Vault user permissions...          [ OK ]
    Fixing PAS account...                            [ OK ]
    Fixing PAS Groups...                             [ OK ]
Vault permissions validation passed successfully. No additional actions required.
Vault Permissions Validation...
    PTA Vault user permissions validation...         [ OK ]
    PTAApp Vault user permissions validation...      [ OK ]
    PAS Account validation...                        [ OK ]
    PAS Groups validation...                         [ OK ]

h. PTA services is restarted.

Restarting PTA services...

1. Upload the Certificate Chains using WinSCP to the client machine.
2. On the system console, log in as the root user using the password you specified during installation.
3. Start the PTA utility by running the following command:

/opt/tomcat/utility/run.sh

4. Select 16. Installing SSL Client Certificate Issuer Chain (Root, Intermediate(s)).
 

You can also install the Client Certificate Chain by running the /opt/tomcat/utility/sslClientCertificateChainInstallationUtil.sh command.
5. Specify the SSL client certificate chain details.
a. Specify the root certificate location:

Do you have a Root Certificate (y/n)?:
Specify your Root Certificate full path (for example: /tmp/RootCertificate.cer):

b. Specify the first intermediate certificate location, if it exists:

Do you have Intermediate certificate(s) (y/n)?:
Specify Intermediate Certificate full path:

c. Continue to specify each additional intermediate certificate location, in order.
d. Specify any additional SSL Client Certificate Issuer Chains:

Do you have an additional SSL Client Certificate Issuer Chain(y/n)?:

e. The SSL Client Certificate is installed:

SSL Certificate Chain installed successfully