PSM for SSH installation

Before you begin

  • Make sure you review the information in PSM for SSH pre-installation tasks.

  • Staring from version 12.0, the default installation mode of PSM for SSH is set to Integrated (InstallCyberArkSSHD = Integrated). The Integrated mode preserves the native SSHD on the PSM for SSH machine and interacts with it using dedicated PAM (Pluggable Authentication Module) and NSS (Name Service Switch) modules. This makes the product less invasive and enables each customer to perform the desired configurations and updates according to organizational policies, without making an impact on the PSM for SSH functionality.

    When installing PSM for SSH in Integrated mode, we highly recommend that the SSHD service is hardened locally according to your organizational and industry best practices.

    PSM for SSH support on SUSE does not include the installation of the CyberArk SSHD service component. If you install PSM for SSH with InstallCyberArkSSHD = Integrated, after the installation you must follow the procedure described in Enable Integrated mode on SUSE.

    To review the use of the SSHD service and the PSM for SSH features that are affected by this service, see InstallCyberArkSSHD parameter.

Installation

  1. Prerequisite for PSM for SSH-ADBridge: If you are using PSM for SSH with AD Bridge, from the installation's Prerequisites folder run the following:

    Root user
      
    rpm –i libssh-<version>-<build_number>.<arch>.rpm
    Sudo user
      
    sudo rpm –i libssh-<version>-<build_number>.<arch>.rpm

  2. On the system console, do one of the following to run the installation:

    Method

    InstallCyberArkSSHD= Yes

    InstallCyberArkSSHD=No

    InstallCyberArkSSHD = Integrated

    (this is the default method)
    Root user
      
    rpm –i <rpm-file-name>
      
    rpm –i <infra rpm location >/CARKpsmp-infra-<version>.<arch>.rpm
    rpm –i <CARKpsmp rpm location>/CARKpsmp-<version>.<arch>.rpm
    Sudo user
      
    sudo rpm –i <rpm-file-name>
      
    sudo rpm –i <infra rpm location >/CARKpsmp-infra-<version>.<arch>.rpm
    sudo rpm –i <CARKpsmp rpm location>/CARKpsmp-<version>.<arch>.rpm
     

    The CARKpsmp-infra package is located in the IntegratedMode folder.

     

     

    • For a list of limitations associated with the Integrated and No methods, see Limitations.

For more information during installation, use the following switches for the rpm command:

  • -v – Displays additional information while installing.

  • -h – Prints hash marks (#) as installation progresses.

The installation runs automatically and does not require any interactive response from the user. When the installation is complete, the following message appears:

  
“Installation process completed successfully.”

psmpsrv is installed in /etc/init.d/.

In RHEL8, psmpsrv is installed in /usr/lib/systemd/system.

Troubleshoot the PSM for SSH Installation

Installation ended with an error

Problem: The installation ended with an error message
Solution: Check the installation log files. The following installation log files are created during installation. View these files and check that the PSM for SSH installation was successful.
/var/tmp/psmp_install.log – This log file describes the activities that occurred during the installation process.
/var/opt/CARKpsmp/temp/EnvManager.logThis log file describes the activities that occurred when the Vault environment for PSM for SSH  was created.

General installation problems

Problem: During installation, the following message was written in the log file:
“Make sure that the InstallationFolder and the InstallCyberarkSSHD parameters were set correctly in the /var/tmp/psmpparms configuration file.”
Solutions:
Make sure the /var/tmp/psmpparms file is in Unix format. If not, run dos2unix.
Make sure that the directory specified in the InstallationFolder parameter exists.
Make sure the InstallCyberarkSSHD parameter is set with a Valid value (Integrated, Yes, or No).
Problem: During installation, the following message was written in the log file:
“error: Installation failed. Reason: installation parameters file [/var/tmp/psmpparms] doesn't exist.”
Solution:

Make sure that the parameter file is in the /var/tmp directory.

Problem:

During installation, the following message was written in the log file:

Installing PSM for SSH  with "InstallCyberArkSSHD=integrated" requires installing CARKpsmp-infra package.

Solution:

Install the required package, CARKpsmp-infra (located in the IntegratedMode folder). Then run the PSM for SSH  installation again.

TCP port 18923 is used by another process on the local machine

Problem: The TCP port 18923 is being used by another process on the local machine and cannot be used by PSM for SSH  to listen for additional command requests.
Solution: Stop the psmpsrv service and use netstat –na to check whether the port is being used. If the port is being used by another process, configure PSM for SSH to use a different TCP port. For more information, refer to Privileged Session Manager for SSH parameter files.

The PSM for SSH user has already been created in the Vault

Problem: You specified the name of a PSM for SSH user who has already been created in the Vault.
Solution: A new credentials file will not be created for this user. You need to create the credentials file manually so that PSM for SSH can connect to the Password Vault and work properly. For more information about creating credentials files, refer to User credential files.

Problems during service startup

Problem: PSM for SSH failed to start.
Solution: Open the console log, PSMPConsole.log, in the logs folder and identify the relevant errors.
Logs are archived in the folder called old.
If PSM for SSH cannot write to the log files, it will write errors to the messages file specified in the syslog.conf file.

Problems while trying to connect with ssh to the PSM for SSH machine after the installation

Problem: Access with root user to the PSM for SSH machine was denied when trying to connect with SSH.
Solution: In order to secure the PSM for SSH server more effectively, after PSM for SSH installation, the root user will not be able to authenticate to this server remotely using a password. You can connect remotely through SSH either with the root user using SSH key authentication or with a different administrative user that is configured in the PSM for SSH  as a maintenance user. For more information about configuring administrative users, refer to PSM for SSH Administration.

TCP port 19923 is used by another process on the local machine

Problem: The TCP port 19923 is being used by another process on the local machine and cannot be used by the PSM for SSH  to listen for additional command requests.
Solution: Stop the psmpsrv service and use netstat –na to check whether the port is being used.

The ADBridge user has already been created in the Vault

Problem: You specified the name of a PSM for SSH user who has already been created in the Vault.
Solution: A new credentials file will not be created for this user. You need to create the credentials file manually so that the ADBridge can connect to the Password Vault and work properly. For more information about creating credentials files, refer to User credential files.

Problems during service startup

Problem: The ADBridge failed to start.
Solution: Open the console log, ADBConsole.log, in the logs folder and identify the relevant errors.Notes:
Logs are archived in the folder called old.
If the ADBridge cannot write to the log files, it will write errors to the messages file specified in the syslog.conf file.
Problem: Failure when trying to connect to target with the following message: "PSPSD072E Perform session error occurred. Reason: PDKOS107E A failure ocurred when trying to connect to the domain socket. Reason: PDKOS106E Failed to connect to the server domain socket. Error Code: [13]. (Codes: -1, -1)"
Solution: SELinux was enabled on the PSM for SSH  server after PSM for SSH  was already installed. For instructions about how to enable SELinux support for PSM for SSH, refer to Enable SELinux on the PSM for SSH server.

Restore PSM for SSH connectivity

Problem:

PSM for SSH can sometimes be disconnected from the Vault. You may need to reset the PSM for SSH credentials.

The most common reasons are:

  • Network issues. First check your network. If there are no issues, continue below.

  • Sync issues. PSM for SSH can no longer authenticate to the Vault.
Solution:

Reset the PSM for SSH credentials:

In the PrivateArk Administrative Client:

  1. Log onto the Vault with the Vault user who installed PSM for SSH.

  2. Change the passwords of the following users:

    • appuser

    • gwuser

    • adbuser

On the PSM for SSH server machine:

  1. Stop the PSM for SSH Server service.

  2. Go to the path where the cred files are located.

    • For appuser and gwuser - /etc/opt/CARKpsmp/vault

    • For adbuser - /etc/opt/CARKpsmpadb/vault

  3. Use the CreateCredFile utility to create new credentials files for appuser, gwuser, and adbuser.

    For version 12.1 and earlier:

      
    CreateCredFile <filename> Password –Username <username> -Password <password>

    For version 12.1.1 and later:

    • For appuser:

        
      ./CreateCredFile psmpappuser.cred Password -Username <appusername> -Password <app_user_password> -OSUsername root -AppType PSMPApp -ExePath /opt/CARKpsmp/bin/psmpserver  -EntropyFile

    • For gwuser:

        
      ./CreateCredFile psmpgwuser.cred Password -Username <gwusername> -Password <gw_user_password> -OSUsername root -AppType PSMPApp -ExePath /opt/CARKpsmp/bin/psmpserver  -EntropyFile

    • For adbuser:

        
      ./CreateCredFile psmpadbridgeserveruser.cred Password -Username <appusername> -Password <adb_user_password> -OSUsername root -AppType PSMPApp -ExePath /opt/CARKpsmpadb/bin/psmpadbserver  -EntropyFile

  4. Start the PSM for SSH service.

For more information, refer to User credential files.