Saviynt unveils its cutting-edge Intelligence Suite products to revolutionize Identity Security!
Click HERE to see how Saviynt Intelligence is transforming the industry.
Saviynt Copilot Icon

[CPAM] Issue with PAM bootstrapping the on-prem Linux accounts

Sankhadeep
New Contributor
New Contributor

We are trying to set up the basic PAM use cases for Linux platform in POC environment, and to do that we have deployed an on-prem Linux server, configured the master connection in Saviynt, provisioned the Linux local accounts. However we are stuck in PAM bootstrapping these local Linux accounts. Below are the detailed steps performed so far – please can anyone guide us with the next steps

 

Steps performed:

  1. Prepared CPAM setup following the guide - Preparing for PAM Configuration (saviyntcloud.com)
  2. Deployed the Linux pre-requisites following the guide - Preparing Target Workloads for PAM Integration (saviyntcloud.com)
  3. Created a master connection (UNIXPOCMaster) for Linux using the template - MASTER_UNIX_PAM_TEMPLATE (UNIX) , following the guide - Configuring PAM for Linux/SSH (saviyntcloud.com)
  4. Created a Security system (UNIXPOC) and Endpoint (UNIXPOX_END) configured with the master connection (UNIXPOCMaster) created in step 3. Guide followed - Configuring PAM for On-Premises (saviyntcloud.com)
  5. However as the Master Unix template does not have the PAM_Config parameter so we have created another Linux connection (unixPAMConfig) using the On-premise template. JSON defined for the PAM_Config is as follows (values in BOLD are environment specific, rest all are from default template values)

 

 

{

   "Connection":"On-Premise",

   "encryptionMechanism":"ENCRYPTED",

   "EVQuery":"ev.customproperty40=’PAM_BOOTSTRAP'",

   "UNIX":{

      "defaultCredentialConnection":{

         "changeConnectionCredentials":true,

         "connectionName":"UNIXPOCMaster"

      },

      "defaultSecuritySystemDetails":{

         "securitySystemName":"UNIXPOC",

         "workflow":"AutoWorkflow",

         "passwordPolicy":"POC_Password_Policy"

      },

      "actions":{

         "restricted":"visudo,apt,install,iptables,rm,mkfs,alias,ssh,telnet,scp,kill,shutdown,passwd,cron,traceroute",

         "risky":{

            "high":"file,wget,scp,curl,df,chmod,chown,echo,exit,uname,netstat",

            "medium":"yum,sudo,cat,vi,touch,find,history,awk,grep"

         }

      },

      "shareableAccounts":{

         "IDQueryCredentialless":"acc.name like ('linuxadmin%')",

         "IDQueryCredentials":"acc.name like ('linuxpocuser%')"

      },

      "maxConcurrentSession":"51",

      "maxCredSessionRequestTime":"14400",

      "maxCredlessSessionRequestTime":"14400",

      "maxIDRequestableTime":"86400",

      "skipOpenPorts":"true",

      "skipPushKeys":"true",

      "endpointAccessQuery":"where users.USERNAME is not null"

   }

}

 

  1. Created a Security system (UnixLocalPAM) and Endpoint (UnixLocalPAMEP) which is configured with connection (unixPAMConfig), guide followed - Configuring and Executing Jobs (saviyntcloud.com)
  2. Created a job rule (UNIXPOC_PAM_Bootstrap) to provision the accounts, access & audit using the master connection. Accounts provisioned successfully and can see the list of Linux accounts in the EndPoint account list.

Sankhadeep_0-1683556127411.jpeg

 

 

  1. Created a job rule to PAM-bootstrap the Linux accounts, this is where we are stuck as the accounts are failed to bootstrap

Sankhadeep_1-1683556127412.jpeg

 

 

6 REPLIES 6

NageshK
Saviynt Employee
Saviynt Employee

@Sankhadeep It appears that the steps followed are not appropriate. 

The thumb rule is that every target will be represented by 3 objects in Saviynt : Connection, Security System and Endpoint. As you are onboarding workloads of onpremise, you will first need a connection, security system and endpoint to represent your onprem itself. This is covered in the sections "Creating an On-Premise Connection", "Configuring a Security System" and "Creating an Endpoint" of the article Configuring-PAM-for-OnPremises.  

Then we will need the same 3 objects for every workload being onboarded. The master connection for Unix acts like a template so that EIC creates individual connections for every linux server being onboarded. And PAM_CONFIG in On-premise connection defines how each server type (linux, windows, db) has to get onboarded to Saviynt. The onboarding process itself is explained here : Discover-On-Premise-Workloads. Please note that PAM_CONFIG is always present in the platform level connections (AWS, GCP, On-Premise) and not in the individual workload connections

And finally, in the PAM_CONFIG keep the value of "securitySystemName" as new itself. This indicates the system that for every linux/windows/db server being onboarded a new security system will be created. 

Please go through the articles once more and retry the bootstrap process

Thanks,

Nagesh K

 

Thanks @NageshK 

followed the steps as per the guide 

- Configuring PAM for On-Premises (saviyntcloud.com))

while configuring the PAM bootstrap microservice job, we need to provide the sskey details in the URL value, do you where can find the sskey value ?

NageshK
Saviynt Employee
Saviynt Employee

@Sankhadeep As disucssed on 05/12, Bootstrap was successful after adding the entitlement types and triggering the Extension jar. Also, as suggested please use proper names for the objects (Connection, SS and EP) representing Onprem so that it is easier to identify them.

If there are no further questions, please confirm the solution and we can close this thread

Thanks,

Nagesh K

Hi Nagesh,

 

I have shared the Linux logs with you on 16th May, PAM bootstrapping failed as the password change failed after account onboarding

NageshK
Saviynt Employee
Saviynt Employee

@Sankhadeep Since change pwd is working fine for credentials based account, can you try placing one of the credless account (IDQueryCredentialless) into the cred section (IDQueryCreds) and retrigger bootstrap? 

Thanks,

Nagesh K

theosveg
Regular Contributor II
Regular Contributor II

Hello, noob here,  trying to get the master linux connection to work, did you have to upload a .pem file to file directory -> connector files, if so what is the path to be specified. I have used the template as is with no changes. I keep getting test connection failed. Any insight or help would be appreciated.

Thank you!