Before you install PSM for SSH

Before you run the PSM for SSH setup, perform the following procedures.

Check prerequisites

The PSM for SSH machine must run SSHD version 7.8 or later to support the following features:

  • SSH key

  • Smart card authentication methods

  • MFA caching

By default, Red Hat Enterprise Linux 8 includes OpenSSH v7.8, which supports the above features, while Red Hat Enterprise Linux 7 includes OpenSSH v7.4, which does not.

Verify public access

Verify that outbound traffic from the PSM for SSH server is always routed through the same public-facing IP.

Verify the operating system

Make sure that the operating system is supported. For details, see Supported Operating Systems.

Verify the installation package digital signature

The RPM installation packages for Red Hat operating systems are digitally signed, to protect them from alteration after publication.

To verify the digital signature of an RPM package

  1. Import the RPM-GPG-KEY-CyberArk public key that is provided with the installation package, by running the following command:

    rpm --import RPM-GPG-KEY-CyberArk
  2. Verify the signature of the RPM package, by running the following command:

    rpm -K -v <package_name.rpm>
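
A way to turn the output of step 2 into a pass/fail result, added here as an example and not CyberArk's own tooling. The function reads `rpm -K -v` output and passes only when a Signature line reports OK, so a package showing digest lines alone, or a NOKEY result from a key that was never imported, is rejected. The sample outputs and key ID 0123abcd are constructed.

```sh
#!/bin/sh
# Added example: classify the text printed by `rpm -K -v <package_name.rpm>`.
# Reads that output on stdin; prints SIGNED_OK, NOKEY, BAD or UNSIGNED.
rpm_sig_verdict() {
    _ok=0; _nokey=0; _bad=0
    while IFS= read -r _line || [ -n "$_line" ]; do
        case "$_line" in
            *": BAD"*|*": NOTTRUSTED"*) _bad=1 ;;    # digest or signature failed
            *Signature*": NOKEY"*)      _nokey=1 ;;  # signing key not imported
            *Signature*": OK"*)         _ok=1 ;;     # a signature verified
        esac
    done
    if   [ "$_bad" -eq 1 ];   then echo BAD;       return 1
    elif [ "$_nokey" -eq 1 ]; then echo NOKEY;     return 1
    elif [ "$_ok" -eq 1 ];    then echo SIGNED_OK; return 0
    else echo UNSIGNED; return 1                     # digest lines only
    fi
}

# Constructed samples (key ID 0123abcd is a placeholder, not CyberArk's key).
sample_signed() {
    cat <<'EOF'
package_name.rpm:
    Header V4 RSA/SHA256 Signature, key ID 0123abcd: OK
    Header SHA256 digest: OK
    Payload SHA256 digest: OK
EOF
}
sample_nokey() {
    cat <<'EOF'
package_name.rpm:
    Header V4 RSA/SHA256 Signature, key ID 0123abcd: NOKEY
    Header SHA256 digest: OK
EOF
}
sample_unsigned() {
    cat <<'EOF'
package_name.rpm:
    Header SHA256 digest: OK
    Payload SHA256 digest: OK
EOF
}

for s in sample_signed sample_nokey sample_unsigned; do
    echo "$s: $($s | rpm_sig_verdict)"
done
# Real use: rpm -K -v package_name.rpm | rpm_sig_verdict
```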

Prepare the installation environment

  1. From the Privilege Cloud software package that you downloaded in Prepare your machine, copy the PSM for SSH installation zip file(s) to an installation folder on your PSM for SSH server. Select the file that is relevant to your Linux environment, for either RHELinux8 or RHELinux.

  2. Unzip the installation package. The folder and its subfolders are extracted.

  3. Disable the antivirus agent if it is installed on your server.

Create the PSM for SSH parameters file

This file is required for the installation process.

To create the file:

  1. Move psmpparms.sample, from the installation package, to the /var/tmp directory and rename it to psmpparms.

    mv psmpparms.sample /var/tmp/psmpparms
  2. In the /var/tmp/ directory, open the psmpparms configuration file:

    vi /var/tmp/psmpparms
  3. Specify the following mandatory parameters:

    Parameter Description

    InstallationFolder

    The full path of the installation folder that you created in Prepare the installation environment, and to where you copied the content of the PSM for SSH installation package.

    InstallCyberArkSSHD

    Enter the value Integrated.

    AcceptCyberArkEULA

    Whether or not you accept all the terms of the PSM for SSH end user license agreement. This agreement is in the installation package.

    Open this agreement and read it carefully, then set this parameter to Yes.

    Note: You must accept this agreement in order for the installation to complete.

    Hardening

    Whether or not the PSM for SSH hardening settings will be applied.

    Default: Yes

  4. Optionally, when installing an additional PSM for SSH on the same host with the same hostname, specify the following parameters:

    Parameter Description

    PSMPAppUser

    Change the default app user name to a unique user name that differs from the first PSM for SSH.

    PSMPGWUser

    Change the default Gateway user name to a unique user name that differs from the first PSM for SSH.
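
A pre-flight check for the mandatory parameters above, added as an example and not part of the installation package. It assumes psmpparms uses Key=Value lines; check_psmpparms, get_parm and the sample folder path are hypothetical names and values.

```sh
#!/bin/sh
# Added example. Assumption: psmpparms holds Key=Value lines, '#' for comments,
# and values are compared exactly as this page spells them.
get_parm() {   # get_parm FILE KEY -> last value assigned to KEY, trimmed
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

check_psmpparms() {   # prints findings; exit status is the number of errors
    _f="$1"; _errors=0
    _folder=$(get_parm "$_f" InstallationFolder)
    case "$_folder" in
        /*) ;;
        *)  echo "ERROR: InstallationFolder must be a full path (got '$_folder')"
            _errors=$((_errors + 1)) ;;
    esac
    if [ "$(get_parm "$_f" InstallCyberArkSSHD)" != "Integrated" ]; then
        echo "ERROR: InstallCyberArkSSHD must be Integrated"
        _errors=$((_errors + 1))
    fi
    if [ "$(get_parm "$_f" AcceptCyberArkEULA)" != "Yes" ]; then
        echo "ERROR: AcceptCyberArkEULA must be Yes for the installation to complete"
        _errors=$((_errors + 1))
    fi
    _hard=$(get_parm "$_f" Hardening)
    if [ "${_hard:-Yes}" != "Yes" ]; then
        echo "WARN: Hardening=$_hard, hardening settings will not be applied"
    fi
    return "$_errors"
}

# Constructed sample with two mistakes (the folder path is a placeholder).
sample_parms=$(mktemp)
cat > "$sample_parms" <<'EOF'
# constructed psmpparms
InstallationFolder=/opt/psmp-install
InstallCyberArkSSHD=Yes
AcceptCyberArkEULA=No
Hardening=No
EOF
check_psmpparms "$sample_parms" || echo "errors found: $?"
rm -f "$sample_parms"
```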

Create the credentials file for Installation

Create a credentials file according to the following steps. The resulting file is to be used by the PSM for SSH installation script to authenticate to Privilege Cloud.
To learn more about the CredFile utility, see CreateCredFile utility.

To create the credentials file:

  1. If required, add the execute permission by running the following command:

     
    chmod 755 CreateCredFile
  2. Create a file called user.cred by running one of the following commands:

    1. Enter the following command:

       
      ./CreateCredFile user.cred
    2. At the prompt, enter your user name and password, and use the Entropy file.

      If the CredFile already exists, the current user name appears as default.

    3. Rotate the password used in the above command.

    4. We recommend clearing the shell history with the history -c command.

    The user credential file must be placed in a folder that is accessible only to the machine or domain administrator who runs the PSM for SSH installation. We highly recommend that you delete the credential file after completing the registration.
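
One way to check the folder requirement above before running the installer (an added example, not CyberArk code). It assumes the script is run by the administrator who performs the installation and looks only at owner and mode bits, not ACLs; check_cred_location and perms_private are hypothetical names.

```sh
#!/bin/sh
# Added example: confirm that only the owner can reach the credentials file.
perms_private() {   # 0 when group and other have no permission bits on PATH
    [ "$(ls -ld "$1" 2>/dev/null | cut -c5-10)" = "------" ]
}

check_cred_location() {   # check_cred_location /path/to/user.cred
    _cred="$1"; _dir=$(dirname "$_cred"); _rc=0
    _owner=$(ls -ldn "$_dir" | awk '{print $3}')
    if [ "$_owner" != "$(id -u)" ]; then
        echo "FAIL: $_dir is owned by uid $_owner, not the installing user"; _rc=1
    fi
    perms_private "$_dir"  || { echo "FAIL: $_dir is open to group or others"; _rc=1; }
    perms_private "$_cred" || { echo "FAIL: $_cred is open to group or others"; _rc=1; }
    return "$_rc"
}

# Constructed demo in a temporary folder; user.cred here is an empty stand-in.
demo=$(mktemp -d)
: > "$demo/user.cred"
chmod 700 "$demo"; chmod 600 "$demo/user.cred"
check_cred_location "$demo/user.cred" && echo "private: ok"
chmod 755 "$demo"
check_cred_location "$demo/user.cred" || echo "private: no"
rm -rf "$demo"
```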

Configure the vault.ini file

The vault.ini file contains the parameters for connecting PSM for SSH to Privilege Cloud. It is used during the PSM for SSH setup process.

To configure the file:

  1. Open the vault.ini file for editing.

  2. Set the Address parameter to the Privilege Cloud IP address (provided to you by CyberArk support).

Disable NSCD

On all Linux-based operating systems, NSCD is a daemon that provides a cache for the most common name service requests. Disable it to prevent unexpected behavior.

  1. Run the following command to stop NSCD:

    systemctl stop nscd.service nscd.socket
  2. Run the following command to disable NSCD:

    systemctl disable nscd.service nscd.socket

Some unexpected behavior may occur if you do not disable NSCD. For details, see Using NSCD with SSSD.

Enable SELinux on the PSM for SSH server (optional)

PSM for SSH can be installed in environments where SELinux is enabled. We recommend enabling SELinux on the server before installing PSM for SSH so that the changes required to support SELinux are made automatically during installation. To enable SELinux after installation, see Enable SELinux on the PSM for SSH server.

Next step: Run the PSM for SSH setup