CyberArk PAS (PTA) Installation - Part 5 - NETSEC

Cybersecurity Memo

Tuesday, June 16, 2020

CyberArk PAS (PTA) Installation - Part 5

This post records the steps I used to install PTA. I made a lot of mistakes while installing PTA and integrating it with Vault and PVWA.

I used the VM Installation - Hyper-V image. During the lab, I used 16 GB RAM and 8 vCPUs.

Architecture



CyberArk PAS (Privileged Access Security) solution


PTA-PSM Integration Architecture




Web GUI: https://<IP>
Monitoring: https://<IP>/monitoring


Where are events/logs from?




Install Wizard

Install PTA using the Wizard. It will be run a couple of times. The first run is used to change the root password and set up the network configuration. At that point the Web GUI is reachable and the license can be loaded, but PTA cannot yet integrate with the PAS Vault and PVWA.
1. On the system console, log in as the root user using the following password: DiamondAdmin123!
2. Navigate to the prepwiz folder using the PREPWIZDIR command.
3. At the command line, run the following command:
   ./run.sh
The installation wizard begins. Default values are displayed in brackets. For any optional tasks, choose no.



Log into Web GUI


https://<IP>

Username : administrator
Password : Administrator

You will need a license file to continue logging in to the Web GUI.





Generate CSR and Send to CA to Sign

Note: Import your organization's SSL certificate.

Generate a Certificate Signing Request for the PTA Server
The Certificate Signing Request (CSR) is created in the pta_server.csr file located at /opt/tomcat/ca.
5. Provide the CSR to your organization's Certificate Authority (CA).
6. The CA generates the Certificate and the Certificate Chain.

Paste the CSR into the CA's Advanced Certificate Request page and generate the certificate.
1. Download the certificate, not the certificate chain.
2. From the CA's http://localhost/certsrv/ page, download the CA certificate, not the certificate chain.



Import Signed Certificate and CA Certificate


1. Upload the Certificate and the Certificate Chain using WinSCP to the PTA Server machine.
2. On the system console, log in as the root user using the password you specified during installation.
3. Start the PTA utility by running the following command:
   /opt/tomcat/utility/run.sh
4. Select 15. Installing SSL Certificate Chain (Root, Intermediate(s), PTA Server certificates).
   You can also install the Certificate Chain by running the /opt/tomcat/utility/sslCertificateInstallationUtil.sh command.
5. Specify the SSL certificate chain details of the PTA Server.
   This step requires Vault Admin credentials using CyberArk authentication, and a restart of PTA services.
   Installing SSL Certificate Chain (Root, Intermediate(s), PTA Server certificates):
   a. Specify the PTA Server Certificate location:
      Specify PTA Server Certificate full path:
      Do you have a Root Certificate (y/n)?:y
   c. Specify the root certificate location:
      Specify your Root Certificate full path (for example: /tmp/RootCertificate.crt):
   d. Specify the first intermediate certificate location, if it exists:
      Do you have Intermediate certificate(s) (y/n)?:n
      Specify Intermediate Certificate full path:
   e. Continue to specify each additional intermediate certificate location, in order.
   f. The SSL Server Certificate is installed:
      SSL Certificate Chain installed successfully
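
A pre-flight check for the files uploaded in step 1, run before starting the utility. This is an added example, not part of the original post or CyberArk's tooling: it assumes the openssl command is available on the machine where you run it, and the function names cert_as_pem and check_pta_cert are made up for this sketch.

```shell
#!/usr/bin/env bash
# Added example (not CyberArk code): pre-flight check of the files uploaded
# to the PTA server before running the SSL certificate installation utility.

# Emit a certificate as PEM whether the CA exported it as Base64 or DER.
cert_as_pem() {
    openssl x509 -in "$1" -inform PEM -outform PEM 2>/dev/null ||
        openssl x509 -in "$1" -inform DER -outform PEM 2>/dev/null
}

# check_pta_cert CSR SERVER_CERT ROOT_CERT
# 0 = ready to install, 1 = wrong key or wrong issuer, 2 = unreadable file.
check_pta_cert() {
    local csr cert root tmp rc csr_key cert_key
    csr=$1; cert=$2; root=$3; rc=0
    tmp=$(mktemp -d) || return 2
    if ! cert_as_pem "$cert" > "$tmp/server.pem" ||
       ! cert_as_pem "$root" > "$tmp/root.pem"; then
        echo "FAIL: input is not a PEM or DER X.509 certificate" >&2
        rm -rf "$tmp"; return 2
    fi
    # The signed certificate must carry the public key from the CSR; otherwise
    # it will not pair with the private key generated on the PTA server.
    csr_key=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null) || csr_key=""
    cert_key=$(openssl x509 -in "$tmp/server.pem" -noout -pubkey)
    if [ -z "$csr_key" ] || [ "$csr_key" != "$cert_key" ]; then
        echo "FAIL: certificate public key does not match the CSR" >&2; rc=1
    fi
    # The server certificate must verify against the root alone, matching the
    # walkthrough's answer of "n" to the intermediate-certificate prompt.
    if ! openssl verify -CAfile "$tmp/root.pem" "$tmp/server.pem" 2>&1 |
            grep -q ': OK$'; then
        echo "FAIL: certificate does not chain to the supplied root" >&2; rc=1
    fi
    rm -rf "$tmp"
    return $rc
}
```

Call it as check_pta_cert /opt/tomcat/ca/pta_server.csr followed by the paths of the two uploaded certificate files; an exit status of 0 means both checks passed.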





Run Install Wizard Again









