PSM for SSH pre-installation tasks

This topic describes prerequisites to the PSM for SSH installation.

Before installing or upgrading, ensure that your system still complies with security requirements. To learn more, see Security Fundamentals.

Verify the operating system

Make sure the operating system installed on your server is supported by PSM for SSH. These are listed in Privileged Session Manager for SSH.

PSM for SSH support on SUSE does not include the installation of the CyberArk SSHD service component.

Installations on SUSE Linux Enterprise Server 12 might fail due to a SUSE bug on Intel CPU servers. If you encounter this bug, follow the solution provided by SUSE: https://www.suse.com/support/kb/doc/?id=7022289

Verify the installation package digital signature

The RPM installation packages for the Red Hat operating system are digitally signed to protect them from alteration after publication. To verify the digital signature of an RPM package, do the following:

  1. Import the RPM-GPG-KEY-CyberArk public key that is provided with the installation package, by running the following command:

    rpm --import RPM-GPG-KEY-CyberArk

  2. Verify the signature of the RPM package, by running the following command:

    rpm -K -v <package_name.rpm>
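The two commands above can be wrapped in a check that refuses a package unless a signature actually verifies. This is an added example, not CyberArk's tooling; it assumes the key file is named RPM-GPG-KEY-CyberArk as on this page, and the sample `rpm -K -v` outputs are constructed. The point it demonstrates: `rpm -K` exits 0 for an unsigned package whose digests match, so the exit status alone does not prove the package was signed.

```shell
#!/bin/bash
# Added example, not CyberArk's tooling: wraps the two rpm commands above and
# refuses the package unless a signature verifies against an imported key.
# Assumes the key file is named RPM-GPG-KEY-CyberArk, as on the page.

# Constructed sample outputs of `rpm -K -v` (rpm 4.14+ wording), used for tests.
SAMPLE_SIGNED_OUTPUT='CARKpsmp.rpm:
    Header V4 RSA/SHA256 Signature, key ID 0123abcd: OK
    Header SHA256 digest: OK
    Payload SHA256 digest: OK'
SAMPLE_UNSIGNED_OUTPUT='CARKpsmp.rpm:
    Header SHA256 digest: OK
    Payload SHA256 digest: OK'
SAMPLE_NOKEY_OUTPUT='CARKpsmp.rpm:
    Header V4 RSA/SHA256 Signature, key ID 0123abcd: NOKEY'

# Judge the text printed by `rpm -K -v` for one package. Returns 0 only when a
# signature line reports OK. Digests alone are not enough: rpm -K exits 0 for an
# unsigned package whose digests match, so the exit status is insufficient.
check_rpm_sig_output() {
    out="$1"
    # NOKEY (signing key not imported), NOT OK or BAD means the package is untrusted.
    if printf '%s\n' "$out" | grep -Eq 'NOKEY|NOT OK|BAD'; then
        return 1
    fi
    # Require an OK signature line; covers both the rpm 4.14+ wording and the
    # older one-line "... pgp md5 OK" form.
    printf '%s\n' "$out" | grep -Eiq 'signature, key id [0-9a-f]+: ok|(pgp|gpg) .*ok$'
}

# Import the vendor key, verify a package and print a verdict.
verify_cyberark_rpm() {  # $1 = package path, $2 = key file (optional)
    pkg="$1"
    keyfile="${2:-RPM-GPG-KEY-CyberArk}"
    rpm --import "$keyfile" || return 2
    out="$(rpm -K -v "$pkg" 2>&1)"
    printf '%s\n' "$out"
    if check_rpm_sig_output "$out"; then
        echo "OK: $pkg carries a signature from an imported key"
    else
        echo "REJECT: $pkg is unsigned, signed by an unknown key, or altered" >&2
        return 1
    fi
}
```

Run `verify_cyberark_rpm /opt/CARKpsmp/<package_name.rpm>` from the directory holding the key file; a non-zero exit means the package must not be installed.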

Review compatibility of PAM - Self-Hosted components

Make sure the components you will install are compatible.

The compatible versions of the PAM - Self-Hosted Suite components are listed in the Privileged Session Manager for SSH.

Customer license

The CyberArk license defines the number of PSM for SSH servers that you can use. Your CyberArk license will specify the following user type and interface:

User Type    Description         Allowed Interface
PSMPServer   PSM for SSH Server  PSMPApp

In addition, your license must allow your end users to use the PSM for SSH interface in order to be able to use PSM for SSH.

Your CyberArk support representative will supply the license file that you need for installation.

Until you receive your Customer license, you will not be able to install PSM for SSH.

(Optional) AD Bridge integration with LDAP

Configure LDAP integration so that users and groups will be provisioned in the Vault automatically. For more information about integrating PSM for SSH with LDAP, refer to Integrate PSM for SSH with LDAP authentication.

Install PSM for SSH

The user who will create the environment for PSM for SSH in the Vault during the installation process must have the following permissions in the Vault:

Add Safes
Audit Users
Add/Update Users
Manage Server File Categories

This user must be an owner of the PVWAConfig Safe with the following permissions:

List accounts
Retrieve accounts
View Owners
Manage Safe Owners

Create an administrative user on the PSM for SSH server

Administrative users can connect to the PSM for SSH machine to perform management tasks on the machine itself without being forwarded to a target machine.

For details, see PSM for SSH Administration.

Enable SELinux on the PSM for SSH server

PSM for SSH can be installed in environments where SELinux is enabled. If you intend to run with SELinux, enable it on your server before installing PSM for SSH so that the changes required to support SELinux are made automatically during the PSM for SSH installation. It is also possible to enable SELinux at a later stage. For more information, refer to PSM for SSH post-installation tasks.

To correctly install the PSM for SSH SELinux policy, you must install the policycoreutils-python-utils package, using the following command:

yum install -y policycoreutils-python-utils

Prepare the installation environment

  1. On the PSM for SSH machine, create a new directory for the installation files. This directory is where the installation files will be located, for example /opt/CARKpsmp.

  2. From the PSM for SSH installation package, copy the Privileged Session Manager for SSH installation package to the new directory. Make sure you copy the folder and all its contents, including its subfolders.

For a full list of the folders and files in the PSM for SSH installation package, refer to Privileged Session Manager for SSH installation file.

Configure the Vault.ini file for installation

  1. Open the Vault.ini file and specify the parameters of the Vault that will be accessed by PSM for SSH.

    During installation, the vault.ini file is copied to the PSM for SSH environment and is used by PSM for SSH to access the Vault. For more information, see Vault.ini.

    vi vault.ini
  2. Set the Address parameter to the Vault IP address.

    Address=1.1.1.102
  3. For high availability implementations and DR, you can specify more than one Vault IP address, separated by commas, as shown in the following example:

    Address=1.1.1.102,1.1.1.232

    The first Vault IP address that is specified is used when creating the PSM for SSH environment during installation.

    When PSM for SSH is running, if it cannot access the first Vault IP address, it automatically tries to access the next Vault IP address transparently, and no human intervention is required.

  4. It is possible to use TLS as the communication protocol to the Vault. The Vault must be version 14 or later. For details, see Configure TLS protocol for the Vault.

    To enable TLS communication to the Vault, update the following Vault.ini parameters:

    Parameter                   Description
    VaultCommunicationProtocol  TLS
    TLSPort                     Enter the same value as the TLSPort parameter set on the Vault side, 443 by default.
    VaultCertificateStore       Enter the path to one of the following:
                                • the system certificate store
                                • a specific CA certificate
                                • any other directory that holds the CA certificate
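A quick sanity check of the Vault.ini settings from steps 2 to 4 before the installer reads them. This is an added example, not part of the CyberArk installation package; the parameter names are the ones on this page, the sample file content is constructed, and the optional existence check for the certificate store path is only meaningful on the PSM for SSH server itself.

```shell
#!/bin/bash
# Added example (not part of the CyberArk installation package): validates the
# Vault.ini parameters described above. Sample content below is constructed.

# Constructed sample: a two-Vault (HA/DR) configuration that uses TLS.
SAMPLE_VAULT_INI='Address=1.1.1.102,1.1.1.232
VaultCommunicationProtocol=TLS
TLSPort=443
VaultCertificateStore=/etc/pki/tls/certs/ca-bundle.crt'

# Read one key from ini text: first match, value after '=', surrounding spaces trimmed.
ini_get() {  # $1 = ini text, $2 = key
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" | head -n1 | tr -d '\r'
}

# Checks: every Address entry is a dotted IPv4 (the first one is used at install
# time); if TLS is selected, TLSPort is numeric and a certificate store is given.
# Prints each finding and returns 1 if there was any.
check_vault_ini() {  # $1 = ini text, $2 = 1 to also require the cert store path to exist
    ini="$1"; rc=0
    addr="$(ini_get "$ini" Address)"
    [ -n "$addr" ] || { echo "Address is missing"; rc=1; }
    for ip in $(printf '%s' "$addr" | tr ',' ' '); do
        printf '%s' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' \
            || { echo "Address entry '$ip' is not an IPv4 address"; rc=1; }
    done
    proto="$(ini_get "$ini" VaultCommunicationProtocol)"
    if [ "$proto" = "TLS" ]; then
        tlsport="$(ini_get "$ini" TLSPort)"
        printf '%s' "$tlsport" | grep -Eq '^[0-9]+$' \
            || { echo "TLSPort must be numeric when VaultCommunicationProtocol=TLS"; rc=1; }
        store="$(ini_get "$ini" VaultCertificateStore)"
        if [ -z "$store" ]; then
            echo "VaultCertificateStore is required for TLS"; rc=1
        elif [ "$2" = 1 ] && [ ! -e "$store" ]; then
            echo "VaultCertificateStore path '$store' does not exist"; rc=1
        fi
    fi
    return $rc
}
```

Call it as `check_vault_ini "$(cat vault.ini)" 1` on the PSM for SSH machine to include the path check.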

Create the credentials file for installation

  1. If you need to add execute permission for the CreateCredFile file, first run the following command:

    chmod 755 CreateCredFile
  2. Then, run CreateCredFile to create a credentials file for the user that will create the Vault environment during installation. This file must be called user.cred.

    ./CreateCredFile user.cred

    You will be prompted for the user name and password. For versions 12.1.1 and later, you will also be prompted to use the Entropy file.

    Rotate the password used in this command.

    We recommend that you clean the history by using the history -c command.

    The user credential file must be placed in a folder that is accessible only to the machine or domain administrator who runs the PSM for SSH installation. We recommend that you delete the credential file after completing the registration.
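The permission requirement and the cleanup advice above can be checked mechanically. This is an added example, not CyberArk's CreateCredFile or any part of the installation package; the file and directory names are constructed, `stat -c` assumes GNU coreutils (as on Red Hat and SUSE), and the demo writes only a placeholder string, never a real credential.

```shell
#!/bin/bash
# Added example (not CyberArk's CreateCredFile): verifies that a credentials
# file produced by the steps above is held where only the installing
# administrator can read it, and removes it once it is no longer needed.
# Paths are constructed; the real file is called user.cred per the page.

# Returns 0 when $1 is a regular file that only its owner can access and its
# parent directory is likewise owner-only (GNU stat assumed).
check_cred_file_perms() {
    f="$1"
    [ -f "$f" ] || { echo "$f: not a regular file"; return 1; }
    fmode="$(stat -c '%a' "$f")"
    dmode="$(stat -c '%a' "$(dirname "$f")")"
    case "$fmode" in
        600|400) ;;
        *) echo "$f: mode $fmode allows other users (expected 600)"; return 1 ;;
    esac
    case "$dmode" in
        700|500) ;;
        *) echo "$(dirname "$f"): mode $dmode allows other users (expected 700)"; return 1 ;;
    esac
    return 0
}

# Remove the credential file after the Vault environment has been created;
# shred overwrites before unlinking where coreutils provides it.
cleanup_cred_file() {
    f="$1"
    if command -v shred >/dev/null 2>&1; then
        shred -u "$f"
    else
        rm -f "$f"
    fi
    [ ! -e "$f" ]
}

# Constructed demonstration in a temporary directory (no real credentials).
demo_cred_check() {
    d="$(mktemp -d)"
    chmod 700 "$d"
    printf 'constructed placeholder, not a real credential file\n' > "$d/user.cred"
    chmod 644 "$d/user.cred"
    check_cred_file_perms "$d/user.cred" && return 1   # too open: must be rejected
    chmod 600 "$d/user.cred"
    check_cred_file_perms "$d/user.cred" || return 1   # now acceptable
    cleanup_cred_file "$d/user.cred" || return 1
    rmdir "$d"
}
```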

Create the PSM for SSH parameters file for installation

Disable NSCD

On all Linux-based operating systems, NSCD is a daemon that provides a cache for the most common name service requests. Disable it to prevent unexpected behavior.

  1. Run the following command to stop NSCD:

    systemctl stop nscd.service nscd.socket
  2. Run the following command to disable NSCD:

    systemctl disable nscd.service nscd.socket

Some unexpected behavior may occur if you do not disable NSCD. For details, see Using NSCD with SSSD.

Limitations

  • Multi-byte characters for username and password are not supported.

For a full list of parameters in the psmpparms file, refer to Privileged Session Manager for SSH installation file.