How to install Soffid PAM?
Introduction
Once you have installed Soffid Console and Sync Server, you could intall Soffid PAM. In this case we are going to see how to install PAM using Docker compose.
To install Soffid Console and Sync Server you can follow this documentation: https://bookstack.soffid.com/books/pam-install-config/chapter/installing-pam-using-docker-compose
Steps to install Soffid PAM
1. First of all, you must create a folder to save the yaml files you are going to create.
mkdir lab-soffid-pam2. Go inside the folder
cd lab-soffid-pam3. Create two folder, one to the store and other to the launcher
mkdir 01storemkdir 02launcher4. JKS
{{@1335}}If you want a secure environment protected by TLS you will need certificates signed by a trusted third-party Certificate Authority (CA).
To work in your environment lab, you can use self-signed certificates. Visit this link to create the JKS files: https://bookstack.soffid.com/books/soffid-internal-documentation/page/1-generate-jks-files
5. Create the Store container
5.1. Go inside the folder 01store
cd 01store5.2. Once you are inside the folder, you must create a docker-compose.yaml file with the Store service definition. To create the YAML files you can use your usual text editor.
version: '3.8'
services:
pam-store:
image: soffid/pam-store:1.4.48
environment:
JAVA_KEYSTORE: /opt/soffid/tomee/certificates/<STORE.jks>
KEYSTORE_PASS: YOUR_KEYSTORE
#ports:
#- "8081:8443"
networks:
- network
volumes:
- store-trustedcerts:/opt/soffid/tomee/trustedcerts
- store-certificates:/opt/soffid/tomee/certificates
- store-data:/opt/soffid/tomee/data
networks:
network:
name: YOUR_NETWORK
driver: bridge
volumes:
store-trustedcerts:
name: soffid-pam-store-trustedcerts
store-certificates:
name: soffid-pam-certificates
store-data:
name: soffid-pam-store5.3 Execute this command to initilize the Store container (thanks to the -d option, containers will continue to run in the background, even if you close the terminal)
sudo docker-compose up -d5.4. Check the containers: to check the container you can use a docker or a docker-compose command, depend on what you want to check.
5.4.1. In the folder: you can use a docker-compose command
sudo docker-compose ps5.4.2. All of them: you can use a docker command
sudo docker ps5.5. Check the logs: docker logs are detailed records of the activities that occur within containers. They are like a diary that records everything that happens, from starting and stopping the container to error messages, application outputs, and any other interactions.
5.5.1. You can use a docker-compose command
sudo docker-compose logs <SERVICE_NAME>5.5.2. Or you can use a docker command
sudo docker logs -f <CONTAINER_NAME/CONTAINER_ID>5.6. If you need to stop the container:
sudo docker-compose down6. Create users: the Store container must be up.
6.1. Create Launcher user: once you execute this command, the terminal will return a password that you will need later. Keep it carefully.
sudo docker exec <STORE_CONTAINER> /opt/soffid/tomee/bin/add-user.sh user-launcher launcher6.2. User Console user: once you execute this command, the terminal will return a password that you will need later. Keep it carefully.
sudo docker exec <STORE_CONTAINER> /opt/soffid/tomee/bin/add-user.sh user-console console7. Create Launcher contaner
7.1. Go inside the folder 01launcher
cd 02launcher7.2. Once you are inside the folder, you must create a docker-compose.yaml file with the Store service definition. To create the YAML files you can use your usual text editor.
version: '3.8'
services:
pam-launcher:
image: soffid/pam-launcher:1.4.48
environment:
JAVA_KEYSTORE: /opt/soffid/tomee/certificates/<LAUNCHER.jks>
KEYSTORE_PASS: <YOUR_KEY_PASSWORD>
STORE_SERVER: https://<URL_STORE>:8443 or http://<URL_STORE>:8081
STORE_USER: user-launcher
STORE_PASSWORD: <USER_LAUNCHER_PASSWORD>
ports:
- "8082:8443"
networks:
- network
volumes:
- launcher-trustedcerts:/opt/soffid/tomee/trustedcerts
- launcher-certificates:/opt/soffid/tomee/certificates
- launcher-data:/opt/soffid/tomee/launcher
- /var/run/docker.sock:/var/run/docker.sock
networks:
network:
name: YOUR_NETWORK
driver: bridge
volumes:
launcher-trustedcerts:
name: soffid-pam-launcher-trustedcerts
launcher-certificates:
name: soffid-pam-certificates
launcher-data:
name: soffid-pam-launcher7.3 Execute this command to initilize the Launcher container (thanks to the -d option, containers will continue to run in the background, even if you close the terminal)
sudo docker-compose up -d7.4. Check the containers: to check the container you can use a docker or a docker-compose command, depend on what you want to check.
7.4.1. In the folder: you can use a docker-compose command
sudo docker-compose ps7.4.2. All of them: you can use a docker command
sudo docker ps7.5. Check the logs: docker logs are detailed records of the activities that occur within containers. They are like a diary that records everything that happens, from starting and stopping the container to error messages, application outputs, and any other interactions.
7.5.1. You can use a docker-compose command
sudo docker-compose logs <SERVICE_NAME>7.5.2. Or you can use a docker command
sudo docker logs -f <CONTAINER_NAME/CONTAINER_ID>7.6. If you need to stop the container:
sudo docker-compose down8. Copy the JKS files toand restart the containers
8.1. To the Store container
&&TODO&&
docker cp <PAM_STORE.jks> <PAM_STORE_CONTAINER>:/opt/soffid/tomee/certificatesdocker compose downdocker compose up -d98.2. CopyTo the JKS files to Launcher container
docker cp <PAM_LAUNCHER.jks> <PAM_LAUNCHER_CONTAINER>:/opt/soffid/tomee/certificatesdocker compose downdocker compose up -d&&TODO&&9. System monitoring
9.1. Store: to connect the store the user and password will be required
https://<your-host>/store/check10.9.2. SystemLauncher
https://<your-host>/launch/status&&TODO&&
11.10. Configure Soffid Console
&&TODO&&https://bookstack.soffid.com/books/soffid-internal-documentation/page/4-configure-soffid-console/
12.10.1. Add the PAM certificates to the Console container.
a. Check if the folder trustedcerts exists into the conf folder of the console container
docker exec -it <CONSOLE_CONTAINER> bashcd /opt/soffid/iam-console-3/trustedcertsb. If this folder does not exits, you need create a volume to save the certificates and add the volume to the Console container
sudo docker volume create certificates-trustedcerts-console... add the volume to the Console container and restart the container
b. Copy the certificates into this volume
docker exec -it <CONSOLE_CONTAINER> bashcd /opt/soffid/iam-console-3/trustedcertsc. Get Store certificate
openssl s_client -connect URL_STORE:8443 < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > URL_STORE.crtd. Get Launcher certificate
openssl s_client -connect URL_LAUNCHER:8082 < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > URL_LAUNCHER.crtYou do not need to add the certificates to cacerts, this process will be automatic when you restart the container.
10.2. Restart the console:
docker restart <CONSOLE_CONTAINER>10.3. Configute PAM sessions:
Once you have running all the Soffid containers (Repository, Console, SyncServer, Store and Launcher), you must connect to the console (http://localhost:8080/soffid) to contigure the PAM sessions. Browse to > Administration > Configuration > Security settings > Configure PAM session servers
Now you can configure the conection. You need to type a Group name (whatever) and a description.
Then you need the user and password created previously when you create the Store container.
And finally you need to type the URL to connect to the Store and to the Launcher (or Jump Server).
Image
11. Configure Sync Server
&&TODO&&
13.12. Configure Launcher
&&TODO&&