PSM for SSH pre-installation tasks

This topic describes prerequisites to the PSM for SSH installation.

Before installing or upgrading, ensure that your system still complies with security requirements. To learn more, see Security Fundamentals.

Verify the Operating System

Make sure the operating system installed on your server is supported by PSM for SSH. These are listed in Privileged Session Manager for SSH.

PSM for SSH support on SUSE does not include the installation of the CyberArk SSHD service component. If you install PSM for SSH with InstallCyberArkSSHD = Integrated, after the installation you must follow the procedure described in Enable Integrated mode on SUSE.

Installations on SUSE Linux Enterprise Server 12 might fail due to a SUSE bug on Intel CPU servers. If you encounter this bug, follow the solution provided by SUSE: https://www.suse.com/support/kb/doc/?id=7022289

Verify the installation package digital signature

The RPM installation packages for the Red Hat operating system are digitally signed to protect them from alteration after publication. To verify the digital signature of an RPM package, do the following:

  1. Import the RPM-GPG-KEY-CyberArk public key that is provided with the installation package, by running the following command:

    rpm --import RPM-GPG-KEY-CyberArk

  2. Verify the signature of the RPM package, by running the following command:

    rpm -K -v <package_name.rpm>
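Reading the output of step 2 correctly matters: rpm -K -v reports digests OK for an unsigned package, so a check that only looks for OK lines would pass a package that carries no signature at all. The function below is an added example, not part of the CyberArk package or its documentation; it requires a Signature line that verified against an imported key and fails on NOKEY, BAD or NOT OK. The sample outputs embedded in it are constructed, and the file names and key ID in them are placeholders.

```shell
#!/bin/sh
# Added example (not CyberArk's code): judge "rpm -K -v <package>.rpm" output the
# way a reviewer would. A digest line only proves the file is intact; a Signature
# line ending in OK proves it was signed by a key imported with rpm --import.
# Returns 0 when every line is OK and a Signature line is present, 1 on
# NOKEY / BAD / NOT OK / NOTTRUSTED, 2 when the package is only digest-checked.
verify_rpm_k_output() {
    out="$1"
    if printf '%s\n' "$out" | grep -Eiq ': (NOKEY|NOT OK|BAD|NOTTRUSTED)'; then
        return 1
    fi
    if printf '%s\n' "$out" | grep -Eiq 'Signature.*: OK$'; then
        return 0
    fi
    return 2
}

# Wrapper around the real command (needs rpm on the host; not used by the samples).
verify_rpm_package() {
    verify_rpm_k_output "$(rpm -K -v "$1" 2>&1)"
}

# Constructed sample outputs; file names and the key ID are placeholders.
SIGNED_OK='CARKpsmp-PLACEHOLDER.rpm:
    Header V4 RSA/SHA256 Signature, key ID 0123456789abcdef: OK
    Header SHA1 digest: OK
    V4 RSA/SHA256 Signature, key ID 0123456789abcdef: OK
    MD5 digest: OK'
KEY_NOT_IMPORTED='CARKpsmp-PLACEHOLDER.rpm:
    Header V4 RSA/SHA256 Signature, key ID 0123456789abcdef: NOKEY
    Header SHA1 digest: OK
    MD5 digest: OK'
UNSIGNED='unsigned-PLACEHOLDER.rpm:
    Header SHA1 digest: OK
    MD5 digest: OK'

# Stand-alone run: report the verdict for each sample.
for sample in "$SIGNED_OK" "$KEY_NOT_IMPORTED" "$UNSIGNED"; do
    verify_rpm_k_output "$sample"; rc=$?
    echo "$(printf '%s\n' "$sample" | head -n 1) -> exit $rc"
done
```

On a real host, call verify_rpm_package with the package path; exit 2 means the key was never needed because nothing was signed, which is a failure for this package set.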

Review compatibility of PAS components

Make sure the components you will install are compatible.

The compatible versions of the PAS Suite components are listed in the Privileged Session Manager for SSH.

Customer license

The CyberArk license defines the number of PSM for SSH servers that you can use. Your CyberArk license will specify the following user type and interface:

User Type     Description           Allowed Interface
PSMPServer    PSM for SSH Server    PSMPApp

In addition, your license must allow your end users to use the PSM for SSH interface; otherwise they cannot use PSM for SSH.

Your CyberArk support representative will supply the license file that you need for installation.

Until you receive your Customer license, you will not be able to install PSM for SSH.

(Optional) AD Bridge integration with LDAP

Configure LDAP integration so that users and groups will be provisioned in the Vault automatically. For more information about integrating PSM for SSH with LDAP, refer to Integrate PSM for SSH with LDAP authentication.

Install PSM for SSH as a Vault Administrator user

Use an administrative Vault user that will create the environment for PSM for SSH in the Vault during the installation process. You can either use the predefined Administrator user or a different user that has the following permissions in the Vault:

  • Add Safes
  • Audit Users
  • Add/Update Users
  • Manage Server File Categories

This user must be an owner of the PVWAConfig Safe with the following permissions:

  • List accounts
  • Retrieve accounts
  • View Owners
  • Manage Safe Owners

Create an administrative user on the PSM for SSH server

Administrative users can connect to the PSM for SSH machine to perform management tasks on the machine itself without being forwarded to a target machine.

For details, see PSM for SSH Administration.

Enable SELinux on the PSM for SSH server

PSM for SSH can be installed in environments where SELinux is enabled. We recommend enabling SELinux on your server before installing PSM for SSH, so that the changes required to support SELinux are made automatically during the PSM for SSH installation. You can also enable SELinux at a later stage; for more information, refer to PSM for SSH post-installation tasks.

Prepare the installation environment

  1. On the PSM for SSH machine, create a new directory for the installation files. This directory is where the installation files will be located, for example /opt/CARKpsmp.

  2. From the PSM for SSH installation package, copy the Privileged Session Manager for SSH installation package to the new directory. Make sure you copy the folder and all its contents, including its subfolders.

For a full list of the folders and files in the PSM for SSH installation package, refer to Privileged Session Manager for SSH installation file.

Configure the Vault.ini File for Installation

  1. Open the vault.ini file and specify the parameters of the Vault that will be accessed by PSM for SSH, as shown in the following example.

    vi vault.ini

    In the following example, the Address parameter is set to Vault IP 1.1.1.102:

    Address=1.1.1.102

  2. During installation, the vault.ini file is copied to the PSM for SSH environment and will be used by PSM for SSH to access the Vault. For more information, refer to Vault Parameter File.

  3. For high availability implementations and DR, you can specify more than one Vault IP address, separated by commas, as shown in the following example:

    Address=1.1.1.102,1.1.1.232

The first Vault IP address that is specified is used when creating the PSM for SSH environment during installation.

When PSM for SSH is running, if it cannot access the first Vault IP address, it automatically tries to access the next Vault IP address transparently, and no human intervention is required.

Create the Credentials File for Installation

  1. If you need to add execute permission for the CreateCredFile file, first run the following command:

    chmod 755 CreateCredFile

  2. Then, run CreateCredFile to create a credentials file for the administrative user that will create the Vault environment during installation.

    This file must be called user.cred.

    For 12.1 and earlier:

    ./CreateCredFile user.cred

    For 12.1.1 and later:

    ./CreateCredFile user.cred Password -Username <username> -Password <password> -EntropyFile

For more information about creating user credentials files, refer to CreateCredFile utility.

Create the PSM for SSH parameters file for installation

InstallCyberArkSSHD parameter

When you install PSM for SSH, you configure how to handle the installation of the SSHD service. You can select one of the following options:

Value         Description

Integrated    The local SSHD service is configured to work through PAM (Pluggable Authentication Module). The PAM module is deployed as part of the PSM for SSH installation. A few limitations apply, as described in Limitations.
              This is the default value.

Yes           Override the local SSHD service with a CyberArk customized SSHD service to benefit from full PSM for SSH functionality.
              Note: PSM for SSH support on SUSE does not include the installation of or integration with the SSHD service when set to Yes.

No            Do not install the CyberArk SSHD service. Significant functional limitations apply, as described in Limitations.

Parameter changes

If you select Yes, the following parameters are set as shown:

After installation and hardening, in the sshd_config file:

Parameter                          Value            Description
Subsystem sftp                     Commented out    The sftp protocol is disabled
GatewayPorts                       No               Remote hosts cannot connect to ports forwarded from the client
AllowTcpForwarding                 No
PrintLastLog                       No
PermitEmptyPasswords               Yes              Enable users to connect with an empty password.
UseDNS                             No               Do not enable connections with a DNS name instead of an IP
UsePAM                             Yes              PAM flow is mandatory
ChallengeResponseAuthentication    No               PAM conversation is not enabled

In the /etc/profile and /etc/bashrc files:

Parameter    Description
umask 027    By default, files created by users have the 750 permissions. These files can be read only by users in the same group.
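An audit of these values on an installed server, added here as an example that is not CyberArk's code: it reads an sshd_config and the profile files and reports each parameter that deviates from the values listed above for InstallCyberArkSSHD=Yes. The sample sshd_config it writes is constructed; the umask check assumes the last umask line in a profile file is the one in effect.

```shell
#!/bin/sh
# Added example (not CyberArk's code): audit an sshd_config and shell profile
# files against the values PSM for SSH hardening sets when InstallCyberArkSSHD=Yes.
# Prints one MISMATCH line per deviation and returns 0 only when all match.
# First uncommented value of an sshd_config keyword (sshd honours the first
# occurrence; keywords are case-insensitive, "#Keyword" is a comment).
sshd_value() {
    awk -v key="$2" 'tolower($1)==tolower(key) {print $2; exit}' "$1"
}

audit_sshd_config() {
    cfg="$1"; rc=0
    for pair in GatewayPorts=no AllowTcpForwarding=no PrintLastLog=no \
                PermitEmptyPasswords=yes UseDNS=no UsePAM=yes \
                ChallengeResponseAuthentication=no; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(sshd_value "$cfg" "$key" | tr 'A-Z' 'a-z')
        if [ "$got" != "$want" ]; then
            echo "MISMATCH $key: expected $want, got '${got:-<unset>}'"; rc=1
        fi
    done
    # "Subsystem sftp" must be commented out; an active line means SFTP is enabled.
    if awk 'tolower($1)=="subsystem" && tolower($2)=="sftp" {f=1} END {exit !f}' "$cfg"; then
        echo "MISMATCH Subsystem sftp: active, expected commented out"; rc=1
    fi
    return $rc
}

# umask 027 must be the setting in effect (last umask line) in each profile file.
audit_umask() {
    rc=0
    for f in "$@"; do
        got=$(awk '$1=="umask" {v=$2} END {print v}' "$f")
        if [ "$got" != "027" ]; then
            echo "MISMATCH umask in $f: expected 027, got '${got:-<unset>}'"; rc=1
        fi
    done
    return $rc
}

# Constructed sample sshd_config for a stand-alone run (not a real host's file).
write_sample_sshd_config() {
    f=$(mktemp)
    printf '%s\n' '#Subsystem sftp /usr/libexec/openssh/sftp-server' \
        'GatewayPorts no' 'AllowTcpForwarding no' 'PrintLastLog no' \
        'PermitEmptyPasswords yes' 'UseDNS no' 'UsePAM yes' \
        'ChallengeResponseAuthentication no' > "$f"
    echo "$f"
}
# Stand-alone run: audit the file given as $1, or the constructed sample.
audit_sshd_config "${1:-$(write_sample_sshd_config)}" && echo "sshd_config: all values match"
```

On the hardened server, run audit_sshd_config /etc/ssh/sshd_config and audit_umask /etc/profile /etc/bashrc after installation and hardening.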

Limitations

If you select Integrated the following limitations apply:

  • Connections without specifying all mandatory syntax parameters are not supported.

  • SSH Tunneling is not supported.

  • Multi-byte characters for username and password are not supported.

  • Including the target password as part of the connection string is not supported.

If you select No, the following limitations apply:

  • You cannot use the native syntax of the SSH command to connect through PSM for SSH.

    You can only use the following syntax:

    <ssh client> [-L <srcport>:localhost:target_port] -t PSMConnect@<proxyaddress> <vaultuser> <targetuser> <targetmachine> [-protocol <telnet|ssh>] [-port <port>] [-vp <vault-password>] [-tpw <targetpassword>] [-tunnel <target_port>]

    This is described in Connect through PSM for SSH.

  • You cannot connect with domain accounts.

  • You cannot copy files securely with an SFTP client or the SCP command.

  • You cannot use Remote SSH Command Execution through PSM for SSH.

  • SSH tunneling is not supported.

    SSH tunneling is supported only with the following syntax, and still requires installation of the CyberArk SSH service:

    <ssh client> [-L <srcport>:localhost:target_port] -t PSMConnect@<proxyaddress> <vaultuser> <targetuser> <targetmachine> [-protocol <telnet|ssh>] [-port <port>] [-vp <vault-password>] [-tpw <targetpassword>] [-tunnel <target_port>]

For a full list of parameters in the psmpparms file, refer to Privileged Session Manager for SSH installation file.