CyberArk PSM HTML5 Gateway Installation and Configuration - Part 6 - NETSEC


Learning, Sharing, Creating

Cybersecurity Memo

Thursday, July 16, 2020

CyberArk PSM HTML5 Gateway Installation and Configuration - Part 6

This post is going to record some procedures to install PSM HTML5 gateway in my lab environment.  There are two ways to install this, using Docker or RPM package. Both are working very well as long as following CyberArk doc.

I would prefer to use Docker if you have some basic knowledge and knows how to install docker. You can find out docker introduction page on my previous post.

For your lab testing, self-signed certificate installation will be even easier. For CA signed certificate installation is also not that complicated as long as your CA is ready.

Related Posts:

Following diagram shows how HTML5 Gateway postioned in the CyberArk PAS infrastrucutre.

Install PSM HTML5 GW from Package

You will need to get installation package from PSM installation files. It is under C:\PSMInstallation\HTML5 Gateway\RHELinux7-Intel64 after you unzipped your PSM zip file to folder PSMInstallation.

Hardware specifications:

Small + Mid-range implementations
(1-50 concurrent RDP/SSH sessions)
Mid-range + Large implementations
(51-100 concurrent RDP/SSH sessions)
Very large implementations
(101-200 concurrent RDP/SSH sessions)
  • 2 core processors (Intel compatible)
  • 4 GB RAM
  • 4 core processors (Intel compatible)
  • 8 GB RAM
  • 8 core processors (Intel compatible)
  • 16 GB RAM

Here are installation steps I went through after copied over whole package folder RHELinux7-Intel64:
[root@html5 ~]# keytool -delete -alias  -keystore  /opt/tomcat/keystore

[root@html5 ~]# keytool -genkey -alias html5 -keyalg RSA -keystore  /opt/tomcat/keystore
Enter keystore password:
What is your first and last name?
  [Unknown]:  *
What is the name of your organizational unit?
  [Unknown]:  IT
What is the name of your organization?
  [Unknown]:  51sectest
What is the name of your City or Locality?
  [Unknown]:  Toronto
What is the name of your State or Province?
  [Unknown]:  ON
What is the two-letter country code for this unit?
  [Unknown]:  CA
Is CN=*, OU=IT, O=51sectest, L=Toronto, ST=ON, C=CA correct?
  [no]:  yes
Enter key password for <html5>
        (RETURN if same as keystore password):
[root@html5 ~]#

[root@html5 ~]# keytool -list  -keystore  /opt/tomcat/keystore
Enter keystore password:
Keystore type: PKCS12
Keystore provider: SUN
Your keystore contains 2 entries
html5, Jul 5, 2020, PrivateKeyEntry,
Certificate fingerprint (SHA1): A5:00:6C:BE:AD:01:E3:92:FB:20:29:91:59:F4:3A:A4:CE:69:4D:30
root, Jul 5, 2020, trustedCertEntry,
Certificate fingerprint (SHA1): 9C:33:F6:48:C5:C7:D2:52:FF:02:62:D4:0F:0C:E6:79:85:99:7B:64
[root@html5 ~]#

[root@html5 ~]# keytool -certreq -keyalg RSA -alias html5 -file certreq.csr -keystore /opt/tomcat/keystore
Enter keystore password:
[root@html5 ~]#

[root@html5 ~]# ll
total 9432
-rw-------. 1 root root     951 Apr  7 21:34 anaconda-ks.cfg
-rw-r--r--. 1 root root 9648795 Jul  4 19:34 apache-tomcat-7.0.104.tar.gz
-rw-r--r--. 1 root root    1093 Jul  5 08:47 certreq.csr
drwxr-xr-x. 2 root root      82 Jul  4 20:15 RHELinux7-Intel64
[root@html5 ~]#

[root@html5 ~]# keytool -import -alias html5 -keystore /opt/tomcat/keystore -file certnew.p7b
Enter keystore password:
Certificate reply was installed in keystore

Install PSM HTML 5 GW Docker 

Install Docker
#CentOS 7, Debian, Ubuntu 
curl -sSL | sh 
systemctl start docker 
systemctl enable docker
When you run the HTML5 Gateway container using the docker run command, make sure you specify the following options:
  • JWT validaton - Set EnableJWTValidation=no. For more details, see Disable JWT Validation.
  • PSM certificate settings - Set either PSMCAFile or IgnorePSMCertificateErrors. For more details, see Validate the PSM remote certificate.  
    • -e IgnorePSMCertificateErrors=yes
    • This option is to ignore PSM certificate errors. Specify -e IgnorePSMCertificateErrors=yes. Specify either this option or -e PSMCAFile.

  1. Copy the HTML5 Gateway\PSMGWDocker directory located in the CD image to the Linux host.
  2. Go to that directory.
  3. Grant execution permissions for the script by running the following command:
    chmod +x
  4. Execute the script by running the following command:
    sudo ./ localimage
Run the container with an auto-created SSL certificate
when you launch your RDP session with AllowSelectHTML5 parameter set to Yes, your web browser will launch a new page with a certification warning since HTM5 docker is using a self-signed certificate.

To avoid that page, you will have to use an imported SSL certificate to be imported into your Docker as show below.
Run the container with an imported SSL certificate
You might want to add "-e IgnorePSMCertificateErrors=yes" this into your docker command:

sudo docker run --restart unless-stopped -ti -p 443:8443 -v /opt/cert/:/opt/import:ro -d --cap-drop=all --cap-add={CHOWN,DAC_OVERRIDE,FOWNER,SETGID,SETUID} -e AcceptCyberArkEULA=yes -e PSMCert=psmca.pem --hostname --name cahtml5gw:11_3_0_236 -e IgnorePSMCertificateErrors=yes

sudo docker run --restart unless-stopped -ti -p 443:8443 -v /opt/cert/:/opt/import:ro -d --cap-drop=all --cap-add={CHOWN,DAC_OVERRIDE,FOWNER,SETGID,SETUID} -e AcceptCyberArkEULA=yes -e PSMCert=psmca.pem --hostname --name cahtml5gw:11_3_0_236 -e IgnorePSMCertificateErrors=yes

Configure PVWA

Add PSM HTML5 Gateway Server into PVWA
  1. Log into the PVWA with an administrative user.
  2. Go to Administration > Options
  3. Right click on Privileged Session Management and select Add Configured PSM Gateway Servers. Right click Configured PSM Gateway Servers, Add PSM Gateway Server.
  4. Select the newly added gateway server and enter a unique ID (e.g. HTML5) for the PSM HTML5 Gateway.
  5. Expand the newly created gateway server. Enter the following in the Connection Details page:

    Fully qualified domain name (FQDN) of the server on which the gateway is installed, or the Virtual IP (VIP) of an HTML5 Gateway Server farm.
    The address should in be the fully qualified domain name (FQDN) format and should match the SSL certificate of the PSM HTML5 Gateway machine. For example:

Configure PSM

Multiple PSM Servers can work with the same gateway or with different gateways. Repeat steps 3-4 for each PSM server you want to set to use the PSM Gateway.
  1. Log into the PVWA with an administrative user.
  2. Go to Options > Privileged Session Management > Configured PSM Servers
  3. Select the PSM server entry that you want to set to use the PSM Gateway.
  4. Right click Connection Details and select Add PSM Gateway and enter the following:
    The ID of the PSM Gateway that you created. (e.g. HTML5)

Use a Single Account for both RDP file and HTML5-based sessions

Users can use either an HTML5-based or RDP-file connection method when connecting to the remote server. The following procedures describe how to configure the PVWA so that users can select either method. Perform this procedure for every connection component for which both connection methods should be available.
  1. Log in to the PVWA with an administrative user.
  2. Go to Options > Connection Components > {Connection Component} > User Parameters
  3. Add AllowSelectHTML5.

There is a way to configure user to select either use RDP-File or HTML5 Gateway or User selection to connect to remote. You will just need to copy / duplicate PSM server and give another unique name to this server.

YouTube Video:



  1. Hey Johnny, thank you for sharing this. This is very interesting to implement. i am working at my job to upgrade and expand components to start using the HTML5 Gateway. But I al working on rebuilding my home lab to be able to setup an environment for me to learn more. If you have any advise, please share.

  2. Thanks for comments on my post, MIlt. Having fun with your lab. Let me know how it goes.