Install PSM HTML5 Gateway via Docker

This topic describes how to install the PSM HTML5 gateway via Docker.

Software prerequisites

Red Hat Enterprise Linux 7.x versions with Docker

Install the HTML5 Gateway

This section describes how to install the PSM HTML5 Gateway as a Docker container.

  1. Copy the HTML5 Gateway\PSMGWDocker directory located in the CD image to the Linux host.

  2. Go to that directory.

  3. Run the following command to grant execution rights to the setup script.

    chmod +x html5_installation.sh

  4. Run the following command to execute the setup script.

    sudo ./html5_installation.sh localimage

Launch the PSM HTML5 gateway Docker container

 

BY RUNNING PSM HTML5 GATEWAY DOCKER CONTAINER OR OTHERWISE USING THE SOFTWARE, YOU AGREE TO THE TERMS AND CONDITIONS OF THE SOFTWARE LICENSE AGREEMENT. IF YOU DO NOT AGREE TO THIS AGREEMENT, DO NOT INDICATE CONSENT ELECTRONICALLY AND MAKE NO FURTHER USE OF THE SOFTWARE.

The PSM HTML5 gateway must use an SSL certificate to provide secure communication. You can choose whether to create an SSL certificate automatically when the container starts, or to import an existing certificate.

Validate the PSM remote certificate

The PSM HTML5 gateway in the Docker image is preconfigured to use TLS to establish secured communication with PSM. It is highly recommended to supply a certificate file that allows the gateway to verify the PSM's certificate, such as the certificate of the signing CA.

  1. Place the .pem file of the CA that signed the PSM's certificate in a directory on the host machine. For example, in /opt/cert.

    If you have the CA certificate in .cer file form, run the following command to convert it to a .pem file:

    openssl x509 -inform DER -in <.cer file path> -out <output .pem file path>

  2. To import the certificate into the PSM HTML5 gateway, use the -e PSMCert option when running the PSM HTML5 gateway container, as shown in the following command:

    sudo docker run --restart unless-stopped -ti -p 443:8443 -v <certificates directory>:/opt/import:ro -d --cap-drop=all --cap-add={CHOWN,DAC_OVERRIDE,FOWNER,SETGID,SETUID} -e AcceptCyberArkEULA=yes -e PSMCert=<PSM certificate .pem filename> --hostname <container name> --name <container name> cahtml5gw:<version_tag>

    Replace <version_tag> with the specific version of the cahtml5gw image. To find it, run sudo docker images and use the value under TAG.

    For example:

     
    sudo docker run --restart unless-stopped -ti -p 443:8443 -v /opt/cert/:/opt/import:ro -d --cap-drop=all --cap-add={CHOWN,DAC_OVERRIDE,FOWNER,SETGID,SETUID} -e AcceptCyberArkEULA=yes -e PSMCert=psmca.pem --hostname psmgw.com --name psmgw.com cahtml5gw:11_3_0_236
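Added example, not part of the vendor documentation: a pre-flight helper for step 1 that handles a .cer file in either encoding, since a .cer file may be Base64 (PEM) encoded, in which case the -inform DER conversion fails. The function names cert_format and stage_psm_ca and the CERT_DIR variable are hypothetical; /opt/cert and psmca.pem are the values from the example above.

```shell
#!/usr/bin/env bash
# Added example (not vendor code): stage a CA certificate for -e PSMCert.
# Assumption: CERT_DIR is the host directory mounted at /opt/import.
CERT_DIR="${CERT_DIR:-/opt/cert}"

# Print "pem", "der" or "unknown" depending on how the file is encoded.
cert_format() {
    local file="$1" first_byte
    if grep -q -e '-----BEGIN CERTIFICATE-----' "$file" 2>/dev/null; then
        echo pem
        return 0
    fi
    # A DER certificate is an ASN.1 SEQUENCE, so its first byte is 0x30.
    first_byte=$(od -An -tx1 -N1 "$file" 2>/dev/null | tr -d ' \n')
    if [ "$first_byte" = "30" ]; then echo der; else echo unknown; fi
}

# Write the certificate to CERT_DIR/<name> as PEM, reject it if it does not
# parse or has expired, and print the filename to pass as PSMCert.
stage_psm_ca() {
    local src="$1" name="${2:-psmca.pem}" out
    out="$CERT_DIR/$name"
    case "$(cert_format "$src")" in
        der) openssl x509 -inform DER -in "$src" -out "$out" || return 1 ;;
        pem) cp -- "$src" "$out" || return 1 ;;
        *)   echo "not a PEM or DER certificate: $src" >&2; return 1 ;;
    esac
    # -checkend 0 exits non-zero when the certificate is unreadable or expired.
    if ! openssl x509 -in "$out" -noout -checkend 0 >/dev/null 2>&1; then
        echo "unparseable or expired certificate: $src" >&2
        rm -f -- "$out"
        return 1
    fi
    chmod 644 "$out"
    # Show subject and expiry on stderr so the operator can confirm the CA.
    openssl x509 -in "$out" -noout -subject -enddate >&2
    echo "$name"
}
```

Run stage_psm_ca with the path of the exported CA file, then pass the printed filename as the PSMCert value in the docker run command.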

Hardening

Harden the host machine by executing the following command:

    sudo sh RHEL7-CIS/harden.sh

Post-installation configuration

After installation, configure the HTML5 Gateway. For details, see Secure Access with an HTML5 Gateway.

Load balancing

The PSM HTML5 gateway can be load balanced as you would load balance any other web server (or the PVWA).

You can deploy farms of HTML5 gateway servers behind a load balancer. Then, when adding a configured PSM Gateway server, use the relevant farm's Virtual IP (VIP) in the Address parameter. For details, see Add PSM HTML5 Gateway server.

In deployments where multiple connectors point to the same load-balanced URL, and multiple HTML5 gateways are behind this URL, the HTML5 copy files capability works if the Load Balancer has been configured with sticky sessions so that all requests for a particular user session are routed through the same HTML5 gateway.

Upgrade the PSM HTML5 Gateway

To upgrade the PSM HTML5 gateway, do the following:

  1. Stop the running PSM HTML5 gateway container:

    sudo docker kill <container name>

    For example:

    sudo docker kill psmgw.com

  2. Delete the PSM HTML5 gateway container from the local Docker system:

    sudo docker rm <container name>

    For example:

    sudo docker rm psmgw.com

  3. Install the PSM HTML5 Gateway from the latest image, as described in Install the HTML5 Gateway.

 
Privileged Access Security 11.5