PSM for SSH post-installation tasks

The following topic describes tasks that may need to be performed following the PSM for SSH installation.

Verify AD Bridge services are running

After PSM for SSH has been installed successfully, it will be started automatically. Use the following commands or log files to verify that the psmpsrv service is running.

Platform/File

Command/Location

RHEL7, SUSE11, SUSE12

 
service psmpsrv status psmpadb

RHEL8

 
systemctl status psmpsrv-psmpadbserver

PSMPConsole.log

/var/opt/CARKpsmp/logs

ADBConsole.log

/var/opt/CARKpsmpadb/logs

Delete installation files and installation utility (optional)

Integrate PSM for SSH with LDAP authentication

Integrate PSM for SSH with Radius Authentication

Make sure the Vault is configured to work with Radius authentication. For more information, refer to RADIUS Authentication.

Harden the PSM for SSH server

The PSM hardening procedure on the PSM for SSH server machine enhances PSM for SSH security.

The following table describes hardening methods for supported platforms.

Platform

Hardening Method

How to

  • Red Hat Linux

  • Centos

Automatic

Automatically harden the PSM for SSH server

  • SUSE

Manual

Manually harden the PSM for SSH server

 

When installing the PSM for SSH on AWS, refer to Manually Install the Privileged Session Manager, before hardening the PSM for SSH server.

Automatically harden the PSM for SSH server

The PSM for SSH server is automatically hardened during installation on the following platforms:

  • Red Hat Linux

  • CentOs

This hardening enforces security best practices recommended for these platforms.

The following table describes the additional manual steps you need to do to harden the PSM for SSH server after installation:

While not recommended, you can bypass the automatic hardening by setting the Hardening parameter in the PSM for SSH parameters file. For more details, see Create the PSM for SSH parameters file for installation.

Manually harden the PSM for SSH server

Query the installed PSM for SSH

You can view information about the PSM for SSH installation using the following commands:

Use the following command to query information about the PSM for SSH that has been installed:
 
rpm –q CARKpsmp
Use the following command to print all the files in the PSM for SSH package:
 
rpm –ql CARKpsmp
Use the following command to print all the PSM for SSH package information:
 
rpm –qi CARKpsmp

Enable sftp-server

Manually enable the sftp-server definition, which was disabled during hardening. In the sshd_config file, remove the # at the beginning of the following line:

 
#Subsystem sftp /usr/libexec/openssh/sftp-server

Enable SELinux on the PSM for SSH server

When installing the PSM for SSH on servers where SELinux was enabled prior to the installation, no further changes are required.

When enabling SELinux on the server after PSM for SSH was already installed, perform the following steps to enable SELinux support.

Post-installation procedure on SUSE

Once you have installed PSM for SSH, you must perform the following post-installation procedure.

  1. Do one of the following:

    • Disable the nscd module

      Run the following command:

       
      rcnscd stop && chkconfig nscd off

      This fully disables the nscd module.

    • Disable password caching in /etc/nscd.conf

      When you disable passwd caching, nss modules work without caching.

      1. In /etc/nscd.conf, change

         
        enable-cache passwd yes

        to

         
        enable-cache passwd no
      2. Run the following command:

         
        rcnscd restart
  2. In sshd_config, ensure that PermitEmptyPasswords is set to no.