Secure Access with an HTML5 Gateway

This topic describes how to configure PSM to work through an HTML5 gateway. The PSM HTML5 Gateway gives users browser-based access to PSM sessions over HTML5 instead of the native RDP-based access.

Configure the PVWA

The following procedure describes how to configure the PVWA to work with the HTML5 Gateway server.

Select one of the following options to work with HTML5:

You can use HTML5 sessions exclusively.

  1. Log in to the PVWA with an administrative user.

  2. Go to Options > Privileged Session Management UI.

  3. Set DefaultConnectionMethod to HTML5.


HTML5 sessions are triggered only for PSM machines that are associated with an HTML5 Gateway.

You can use a single account for both RDP-file-based and HTML5-based sessions.


This option is only available in the Version 10 interface.

The use of shared privileged accounts often means that the same account is used by both an external third-party vendor and an internal privileged employee. While the external vendor's access is frequently through an HTML5 browser-based session, the internal employee may prefer to connect with an RDP-file based session.

Users can use either an HTML5-based or RDP-file connection method when connecting to the remote server.

Set the default connection method to the most common method used in the PAS environment.

  1. Log in to the PVWA with an administrative user.

  2. Go to Options > Privileged Session Management UI.

  3. Set DefaultConnectionMethod to either RDP or HTML5. The default value is RDP.

The following procedure describes how to configure the PVWA so that users can select either method.

Perform this procedure for every connection component for which both connection methods should be available.

  1. Log in to the PVWA with an administrative user.

  2. Go to Options > Connection Components > {Connection Component} > User Parameters.

  3. Add AllowSelectHTML5. For details, refer to Connection Components.

    1. Ensure Visible is set to Yes.

    2. Set Type to CyberArk.TransparentConnection.BooleanUserParameter, CyberArk.PasswordVault.TransparentConnection.


When the AllowSelectHTML5 user parameter is configured at the connection component level, the default is set according to the value of the AllowSelectHTML5 parameter.

You can configure a single PSM to enable connectors to use one of the following methods when connecting to the remote server:

  • RDP-file
  • HTML5 Gateway

Set HTML5 as the default connection method:

  1. Log in to the PVWA with an administrative user.

  2. Go to Options > Privileged Session Management UI.

  3. Set DefaultConnectionMethod to HTML5.

Configure a single PSM to set the connection method:

  1. Duplicate the PSM server and give a unique name to the new server. For example, duplicate the PSMServer_RDP server and call the new server PSMServer_HTML5.

  2. On the new server, add and enable the PSM HTML5 Gateway, as described in Add PSM HTML5 Gateway server and Configure the PSM server to use the HTML5 gateway.

  3. Connect all platforms that will use the HTML5 Gateway or that will enable the user to select the connection method to the new server.

</gr_replreplace>
<gr_replace lines="90" cat="clarify" orig="JWT validation is">
JWT validation is a security layer that ensures that only authenticated sessions are allowed through the HTML5 Gateway. When a user establishes an HTML5 connection through the PVWA, the HTTP response includes a JWT, which the HTML5 Gateway uses to validate the client's request. If validation fails, the connection is not established.

For platforms that enable the user to select the connection method, you can configure the connection components as described in Single account for RDP/HTML5.

Gateway configuration

This section describes how to configure the Gateway.

JWT validation

JWT validation is a security layer that ensures that only authenticated sessions are allowed via HTML5 Gateway. When a user establishes an HTML5 connection through PVWA, the HTTP response includes JWT, which is used by HTML5 Gateway to validate the HTTP request by the client. When validation fails the connection is not established.
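As an added illustration of the checks a JWT validation layer performs, the following stand-alone Python verifies an HS256-signed token's structure, algorithm, signature and validity window and returns the reason a session would be refused. This is example code written for this page, not the PSM HTML5 Gateway's implementation (which, per the troubleshooting table, validates the token against a PVWA endpoint rather than locally); the secret, claims, helper names and the `make_token` issuer are all constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url_encode(raw: bytes) -> str:
    """JWT uses unpadded base64url."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    """Restore the padding that JWT strips, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, secret: bytes) -> str:
    """Issue an HS256 JWT. Constructed helper for the demo only: in the real
    flow the PVWA issues the token and the gateway only verifies it."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_token(token: str, secret: bytes, now=None):
    """Return (ok, reason). Each failure reason is a case in which a gateway
    would refuse to establish the session (the PSMGW0001E situation)."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # bad base64 or bad JSON (JSONDecodeError is a ValueError)
        return False, "malformed token"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return False, "malformed token"
    # Pin the algorithm: never let the token choose (rejects alg=none / downgrade).
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected = hmac.new(
        secret, (header_b64 + "." + payload_b64).encode("ascii"), hashlib.sha256
    ).digest()
    # Constant-time comparison so signature checks do not leak timing.
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    exp = claims.get("exp")
    if not isinstance(exp, int):
        return False, "missing exp"
    if now >= exp:
        return False, "expired"
    nbf = claims.get("nbf")
    if isinstance(nbf, int) and now < nbf:
        return False, "not yet valid"
    return True, "ok"


if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # constructed; a real deployment never hardcodes this
    token = make_token({"sub": "demo-user", "exp": int(time.time()) + 300}, secret)
    print(validate_token(token, secret))           # fresh token -> (True, 'ok')
    print(validate_token(token, b"wrong-secret"))  # wrong key  -> (False, 'bad signature')
```

Two of the returned reasons map directly onto the troubleshooting advice for PSMGW0001E: a token signed by an untrusted issuer fails the signature check, and a token presented after `exp` fails as expired.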

Requirements

  • Vault 11.5 or higher
  • PVWA 11.5 or higher
  • HTML5 Gateway 11.6 or higher

Configuration:

Keyboard layouts

The HTML5 gateway supports the keyboard layouts listed above in the description of the ServerKeyboardLayout parameter.

You can also set the keyboard layout in the PVWA:

  1. Log in to the PVWA with an administrative user.

  2. Go to Options > Privileged Session Management > Configured PSM Gateway Servers.

  3. Right-click the relevant Gateway server and select Add server settings.

  4. Add the KeyboardLayout parameter to set the keyboard layout used in HTML5 sessions. The values are the same as for the ServerKeyboardLayout parameter.

    • If this parameter has no value, the keyboard layout is taken from ServerKeyboardLayout.

    • This parameter is only supported for PSM HTML5 gateway version 12.0 or higher.

Configure a non-default keyboard layout

The default keyboard layout value is en-us-qwerty.

There are three ways to set a non-default keyboard layout:

  1. In environments with one of the following keyboard layouts, set ServerKeyboardLayout or KeyboardLayout to that layout:

    • fr-fr-azerty
    • fr-be-azerty
    • fr-ch-qwertz
    • de-ch-qwertz
    • de-de-qwertz
    • en-us-qwerty
    • en-gb-qwerty
    • hu-hu-qwertz
    • it-it-qwerty
    • ja-jp-qwerty
    • pt-br-qwerty
    • es-es-qwerty
    • es-latam-qwerty
    • sv-se-qwerty
    • tr-tr-qwerty

    For RDP sessions, align the keyboard layout on the target machine. For all other sessions, align the keyboard layout on the PSM machine.

  2. In an environment with keyboard layouts not included in the above list, or in an environment with targets and PSM machines that use different keyboard layouts, set the keyboard layout value to failsafe. This option sends only Unicode events and does not support any key combinations that include letters.

    This option should work for any keyboard, though not necessarily with all RDP servers or applications.

  3. If the targets and PSM machines in your environment use different keyboard layouts, but all layouts are en-us-qwerty, fr-fr-azerty, or de-de-qwertz, you can set the keyboard layout value to ca-psm-unicode. This option is based on Unicode, but supports the following key combinations:

Configure universal keystrokes audit for PSM-RDP sessions

By default, PSM-RDP is configured with WindowsEventsAudit. To work with KeystrokesAudit, you must configure it instead of WindowsEventsAudit. For details, see Configure universal keystrokes text recording and universal keystrokes auditing.

For PSM-RDP sessions with the non-default ServerKeyboardLayout value, set WindowsKeystrokesSingleLanguage=No to work with universal keystrokes audit. For details, see Configure universal keystrokes for Windows connections when an additional language is used.

Logs when you install using an RPM package

Logs are provided for the webapp and the daemon service.

Logs when you install via a container

Logs are generated for the PSM HTML5 gateway web application and the guacd daemon service.

Troubleshooting

The following error codes are displayed in the HTML5 connection tab when the end user fails to establish a connection. The end user sees the error message code, and you can use this table to troubleshoot the issue:

Error message: PSMGW0001E

  Possible cause: An issue in the HTML5 security layer. The session was not authenticated during the JWT flow.

  Troubleshooting:

    • Ensure that the PVWA endpoint for JWT validation is correct.
    • Ensure that the certificate of the CA that signed the PVWA certificate was imported correctly (required for PSMGW to trust the PVWA).
    • Check whether the JWT has expired or is invalid for some other reason.

Error message: PSMGW0002E

  Possible cause: The WebSocket connection cannot be established (TLS handshake failure).

  Troubleshooting: Verify the HTML5 Gateway certificate. Refer to Run the container with an imported SSL certificate.

Error message: PSMGW0003E

  Possible cause: PSMGW is reachable, but busy or unavailable.

  Troubleshooting:

    • Try again later.
    • Check the Tomcat service status.
    • Restart Tomcat.

Error messages: PSMGW0004E, PSMGW0005E, PSMGW0006E, PSMGW0007E

  Possible cause: PSM is unreachable, or guacd is down.

  Troubleshooting:

    • Check the PSM logs and status.
    • Check the guacd service status: run the service guacd status command.

Error message: PSMGW0008E

  Possible cause: Failed to connect to PSM.

  Troubleshooting:

    • Check the PSM status or logs.
    • Check the HTML5 gateway logs for possible reasons for the RDP connection failure:
      • If the Failed connecting to RDP server message appears together with a Certificate validation failed error, check the PSM CA certificate.
      • Otherwise, this is a TLS/network issue:
        • Check the traffic between the HTML5 gateway and PSM.
        • Run the HTML5 gateway task with a higher debug level.
        • Check the TLS configuration on the PSM side to verify that it allows TLS communication.

Error message: PSMGW1001E

  Possible cause: Unexpected error code or bad error page redirection.

If the PSMGW session tab is closed immediately after establishing the session, either PSM or guacd crashed or experienced an unexpected error. Check the PSM and guacd logs and status.