# Installing PAM using Docker Compose

How to Install PAM using Docker Compose

# PAM Jump Server Installation

The purpose of this tutorial is to show how to install jump servers and configure PAM using Docker Compose, so that critical resources can be used without the user knowing the password required.

### Jump Server

> A jump server, jump host or jump box is a system on a network used to access and manage devices in a separate security zone. A jump server is a hardened and monitored device that spans two dissimilar security zones and provides a controlled means of access between them. (\*)

## Installation

### 1. Execute the Store YAML

```YAML
version: '3.8'

services:
  pam-store:
    image: soffid/pam-store:1.4.48
    environment:
      JAVA_KEYSTORE: /opt/soffid/tomee/certificates/YOUR_soffid-pam-store.jks 
      KEYSTORE_PASS: YOUR_KEYSTORE
    ports:
      - "8081:8443"
    networks:
      - network
    volumes:
      - store-trustedcerts:/opt/soffid/tomee/trustedcerts
      - store-certificates:/opt/soffid/tomee/certificates
      - store-data:/opt/soffid/tomee/data

networks:
  network:
    name: YOUR_NETWORK
    driver: bridge

volumes:
  store-trustedcerts:
    name: soffid-pam-store-trustedcerts
  store-certificates:
    name: soffid-pam-certificates
  store-data:
    name: soffid-pam-store
```

Execute:

```
sudo docker compose up -d
```

### 2. Create a user in the Store to use it in the Launcher

Once we are connected to the Store, we need to run a script to create the user. This script takes two parameters: the user name and the role. For the role parameter we have to type launcher.

```shell
docker exec YOUR_pam-store_CONTAINER /opt/soffid/tomee/bin/add-user.sh user-launcher launcher
```

Result:

```
/bin/bash: warning: setlocale: LC_ALL: cannot change locale (en_US.UTF-8)
Password: cccccc/Qul9NFIqQnDU73gYccccVHThyew7Qt8Hqpf0rEzVq1Ft7azccccccc
```

As a result of the script, we receive the password for the created user. This password will be needed later when we create the launcher container.

### 3. Create a user in the Store to use it in the Console

Once we are connected to the Store, we need to run a script to create the user. This script takes two parameters: the user name and the role. For the role parameter we have to type console.

```shell
docker exec YOUR_pam-store_CONTAINER /opt/soffid/tomee/bin/add-user.sh user-console console
```

Result:

```
/bin/bash: warning: setlocale: LC_ALL: cannot change locale (en_US.UTF-8)
Password: asdadadasdads/Qul9NFIqQnDU73gYccccVHThyew7Qt8Hqpf0rEzVq1Ft7aadadadasd
```

As a result of the script, we receive the password for the created user. This password will be needed later when we configure PAM in the Soffid Console.

### 4. Execute the Launcher YAML

Example YAML to create the Launcher, using traefik as the Ingress Controller.

```YAML
version: '3.8'

services:
  pam-launcher:
    image: soffid/pam-launcher:1.4.36
    environment:
      JAVA_KEYSTORE: /opt/soffid/tomee/certificates/YOUR_soffid-pam-launcher.jks 
      KEYSTORE_PASS: YOUR_KEYSTORE
      STORE_SERVER: https://YOUR_pam-store_CONTAINER:8443
      STORE_USER: user-launcher
      STORE_PASSWORD: cccccc/Qul9NFIqQnDU73gYccccVHThyew7Qt8Hqpf0rEzVq1Ft7azccccccc
    ports:
      - "8082:8443"
    networks:
      - network
    volumes:
      - launcher-trustedcerts:/opt/soffid/tomee/trustedcerts
      - launcher-certificates:/opt/soffid/tomee/certificates
      - launcher-data:/opt/soffid/tomee/launcher
      - /var/run/docker.sock:/var/run/docker.sock
networks:
  network:
    name: YOUR_NETWORK
    driver: bridge

volumes:
  launcher-trustedcerts:
    name: soffid-pam-launcher-trustedcerts
  launcher-certificates:
    name: soffid-pam-certificates
  launcher-data:
    name: soffid-pam-launcher
 
```

Execute:

```
sudo docker compose up -d
```

### 5. Configure the Console

[![image.png](https://bookstack.soffid.com/uploads/images/gallery/2024-08/scaled-1680-/8Cn4v2ygTQZZjLXo-image.png)](https://bookstack.soffid.com/uploads/images/gallery/2024-08/8Cn4v2ygTQZZjLXo-image.png)

### Privileged Account Session Recording

Bear in mind that you need to download the latest image of the Privileged Account Session Recording you require, depending on the protocol.

- soffid-pasr-ssh
- soffid-pasr-rdp
- soffid-pasr-jdbc
- soffid-pasr-http
- soffid-pasr-https
- soffid-pasr-tn5250
- soffid-pasr-kube

##### Examples

Linux

```
docker pull soffid/soffid-pasr-ssh
```

Windows

```
docker pull soffid/soffid-pasr-rdp
```

---

To save a Web session you will need to add some parameters to the launcher system.properties (/opt/soffid/tomee/conf/system.properties).

Parameters to add:

```shell
SOFFID_PAM_PARAMS_http=--shm-size=1024m  --privileged -eVNCSERVER=yes
SOFFID_PAM_PARAMS_https=--shm-size=1024m  --privileged -eVNCSERVER=yes
```

---

*(\*) [https://en.wikipedia.org/wiki/Jump\_server](https://en.wikipedia.org/wiki/Jump_server)*

# Full PAM installation using Docker Compose

## Introduction

This tutorial describes **all the steps required to install and configure a basic PAM environment** for a local, demo or small production environment.

## Prerequisites

- We have a **Linux** machine; Ubuntu 24 has been used for this tutorial.
- **Docker** and the **Docker Compose** plugin are already installed.
- The **database**, **Console** and **Syncserver** have already been installed.
- The Linux administrator user has **sudo privileges**.

## Step 1: Prepare certificates

#### 1.1 Some initial steps

<p class="callout warning">This tutorial will use **self-signed certificates** generated for a lab environment.</p>

<p class="callout info">If you have your **own certificates**, follow the steps depending on the file type.</p>

<p class="callout success">For this tutorial, we will be using the following hostnames: **store.soffid4.local** and **launcher.soffid4.local**</p>

Go to the current Soffid 4 **directory** where the docker-compose.yaml is located.

```shell
cd /home/user/lab/soffid4/   # example path; use your own directory
```

Add the hostnames in your **hosts** file.

```shell
sudo vim /etc/hosts   # use vim or your favourite editor
```

```shell
127.0.0.1 store.soffid4.local
127.0.0.1 launcher.soffid4.local
```

You will also need **Java**; confirm whether it is installed.

```shell
java -version
```

If you do not have it, **install Java 17**, for example (you can install another version).

```shell
sudo apt-get update
sudo apt-get install openjdk-17-jdk
java -version
```

#### 1.2 Generate .key files

<p class="callout warning">When you run the command, you will be prompted for a **password**. In this tutorial, we will always use the value **12345678**; please replace this with the password of your choice (minimum 8 characters) </p>

```shell
sudo openssl genrsa -aes256 -out store.soffid4.local.key
sudo openssl genrsa -aes256 -out launcher.soffid4.local.key
```

#### 1.3 Generate .pem files

<p class="callout warning">When you run the command, the prompt will ask for the **CN (Common Name)** attribute; use the values from our domains: **store.soffid4.local** or **launcher.soffid4.local**</p>

```shell
sudo openssl req -x509 -days 1000 -new -key store.soffid4.local.key -out store.soffid4.local.pem
sudo openssl req -x509 -days 1000 -new -key launcher.soffid4.local.key -out launcher.soffid4.local.pem
```

#### 1.4 Generate .pfx files

```shell
sudo openssl pkcs12 -export -in store.soffid4.local.pem -inkey store.soffid4.local.key -out store.soffid4.local.pfx
sudo openssl pkcs12 -export -in launcher.soffid4.local.pem -inkey launcher.soffid4.local.key -out launcher.soffid4.local.pfx
```

#### 1.5 Generate .jks files

```shell
sudo keytool -v -importkeystore -srckeystore store.soffid4.local.pfx -srcstoretype PKCS12 -destkeystore store.soffid4.local.jks -deststoretype JKS -destkeypass 12345678 -srcstorepass 12345678 -deststorepass 12345678
sudo keytool -v -importkeystore -srckeystore launcher.soffid4.local.pfx -srcstoretype PKCS12 -destkeystore launcher.soffid4.local.jks -deststoretype JKS -destkeypass 12345678 -srcstorepass 12345678 -deststorepass 12345678
```

## Step 2: Store configuration

#### 2.1 Add the store in the yaml file

**Edit** your docker-compose.yaml.

```
sudo vim docker-compose.yaml
```

**Add** the store service in your docker-compose.yaml.

<p class="callout info">For this tutorial, **ports 8090** and **8091** have been opened.</p>

```YAML
services:
  store:
    image: soffid/pam-store:1.4.88
    environment:
      JAVA_KEYSTORE: /opt/soffid/tomee/certificates/store.soffid4.local.jks
      KEYSTORE_PASS: 12345678
    ports:
      - "8090:8080"
      - "8091:8443"
    networks:
      - network
    volumes:
      - store-trustedcerts:/opt/soffid/tomee/trustedcerts
      - store-certificates:/opt/soffid/tomee/certificates
      - store-data:/opt/soffid/tomee/data

volumes:
  store-trustedcerts:
    name: soffid4-pam-store-trustedcerts
  store-certificates:
    name: soffid4-pam-store-certificates
  store-data:
    name: soffid4-pam-store-data
```

**Regenerate** the docker containers.

```
sudo docker compose up -d
```

#### 2.2 Create users

<p class="callout warning">The **console** and the **launcher** will need **users** to **connect** to the **store**.</p>

<p class="callout info">We have to **run** a **script** in the **store** container to **create the user**. This script has two parameters, the user name and the role. The role options are "console" or "launcher".</p>

<p class="callout danger">When the user is created, its **password** is **generated** and displayed in the script’s output; please **copy and save it** for use in the next steps.</p>

Create the **user-console**.

```shell
docker compose exec store /opt/soffid/tomee/bin/add-user.sh user-console console
```

```
/bin/bash: warning: setlocale: LC_ALL: cannot change locale (en_US.UTF-8)
Password: cccccc/Qul9NFIqQnDU73gYccccVHThyew7Qt8Hqpf0rEzVq1Ft7azccccccc
```

Create the **user-launcher**.

```shell
docker compose exec store /opt/soffid/tomee/bin/add-user.sh user-launcher launcher
```

```
/bin/bash: warning: setlocale: LC_ALL: cannot change locale (en_US.UTF-8)
Password: asdadadasdads/Qul9NFIqQnDU73gYccccVHThyew7Qt8Hqpf0rEzVq1Ft7aadadadasd
```

#### 2.3 Add the certificate

Copy the **jks certificate** into the container.

```shell
docker compose cp store.soffid4.local.jks store:/opt/soffid/tomee/certificates
```

**Restart** the store.

```shell
docker compose restart store
```

#### 2.4 Monitoring the store

<p class="callout success">If the store has started successfully, we will be able to access the store’s **monitoring** page.</p>

[https://store.soffid4.local:8091/store/check](https://store.soffid4.local:8091/store/check)

<p class="callout info">You must use the **user-console** username to log in.</p>

[![image.png](https://bookstack.soffid.com/uploads/images/gallery/2026-05/scaled-1680-/Cg1rAopu5r0DnPWm-image.png)](https://bookstack.soffid.com/uploads/images/gallery/2026-05/Cg1rAopu5r0DnPWm-image.png)

This is the result.

[![image.png](https://bookstack.soffid.com/uploads/images/gallery/2026-05/scaled-1680-/Y7bHklUUrXA3njKT-image.png)](https://bookstack.soffid.com/uploads/images/gallery/2026-05/Y7bHklUUrXA3njKT-image.png)

Confirm the CN name (Not secure > Certificate details).

[![image.png](https://bookstack.soffid.com/uploads/images/gallery/2026-05/scaled-1680-/09UPW3zn5SlDFRUH-image.png)](https://bookstack.soffid.com/uploads/images/gallery/2026-05/09UPW3zn5SlDFRUH-image.png)

If something has gone wrong, you need to check the log.

```shell
sudo docker compose logs store
```

## Step 3: Launcher configuration

#### 3.1 Add the launcher in the yaml file

**Edit** your docker-compose.yaml.

```
sudo vim docker-compose.yaml
```

**Add** the launcher service in your docker-compose.yaml.

<p class="callout info">For this tutorial, **ports 8092** and **8093** have been opened.</p>

<p class="callout warning">Update the **STORE\_PASSWORD** value for the one generated previously.</p>

```YAML
services:
  launcher:
    image: soffid/pam-launcher:1.4.88
    environment:
      JAVA_KEYSTORE: /opt/soffid/tomee/certificates/launcher.soffid4.local.jks
      KEYSTORE_PASS: 12345678
      STORE_SERVER: http://store:8080
      STORE_USER: user-launcher
      STORE_PASSWORD: asdadadasdads/Qul9NFIqQnDU73gYccccVHThyew7Qt8Hqpf0rEzVq1Ft7aadadadasd
    ports:
      - "8092:8080"
      - "8093:8443"
    networks:
      - network
    volumes:
      - launcher-trustedcerts:/opt/soffid/tomee/trustedcerts
      - launcher-certificates:/opt/soffid/tomee/certificates
      - launcher-data:/opt/soffid/tomee/launcher
      - /var/run/docker.sock:/var/run/docker.sock

volumes:
  launcher-trustedcerts:
    name: soffid4-pam-launcher-trustedcerts
  launcher-certificates:
    name: soffid4-pam-launcher-certificates
  launcher-data:
    name: soffid4-pam-launcher-data
 
```

**Regenerate** the docker containers.

```
sudo docker compose up -d
```
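The launcher YAML above carries the store password as a literal. As an added example (not part of the Soffid page), the following shell function takes the output of the add-user.sh script from step 2.2, skips the setlocale warning, and writes the password to a `.env` file with owner-only permissions, so the compose file can reference it as `${STORE_PASSWORD}` instead. The `.env` file name and the variable name are assumptions.

```shell
# Added example, not part of the Soffid page: keep the password printed by
# add-user.sh (Step 2.2) out of docker-compose.yaml. The function reads the
# script's output on stdin, skips the setlocale warning, and appends
# STORE_PASSWORD to a .env file created with mode 600, so the launcher
# service (Step 3.1) can reference it as ${STORE_PASSWORD} instead of a
# literal. The .env file name and the variable name are assumptions.

# save_store_password [ENVFILE]   (add-user.sh output on stdin)
# returns 0 on success, 1 if no password line was found, 2 if already set
save_store_password() {
  envfile=${1:-.env}
  pw=$(sed -n 's/^Password: //p' | head -n 1)
  if [ -z "$pw" ]; then
    echo "no 'Password:' line found in add-user.sh output" >&2
    return 1
  fi
  # Compose interpolates $ inside .env values, so a literal $ becomes $$.
  pw=$(printf '%s' "$pw" | sed 's/\$/$$/g')
  # Create the file owner-only before any secret is written to it.
  ( umask 077; touch "$envfile" )
  chmod 600 "$envfile"
  if grep -q '^STORE_PASSWORD=' "$envfile"; then
    echo "STORE_PASSWORD already present in $envfile; not overwriting" >&2
    return 2
  fi
  printf 'STORE_PASSWORD=%s\n' "$pw" >> "$envfile"
}

# Usage:
#   docker compose exec store /opt/soffid/tomee/bin/add-user.sh user-launcher launcher \
#     | save_store_password
# and in docker-compose.yaml replace the literal value with:
#   STORE_PASSWORD: ${STORE_PASSWORD}
```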

#### 3.2 Add the certificate

Copy the **jks certificate** into the container.

```shell
docker compose cp launcher.soffid4.local.jks launcher:/opt/soffid/tomee/certificates
```

**Restart** the launcher.

```shell
docker compose restart launcher
```

#### 3.3 Monitoring the launcher

<p class="callout success">If the launcher has started successfully, we will be able to access the launcher's **monitoring** page.</p>

[https://launcher.soffid4.local:8093/launch/status](https://launcher.soffid4.local:8093/launch/status)

This is the result.

[![image.png](https://bookstack.soffid.com/uploads/images/gallery/2026-05/scaled-1680-/fRPor6qeHwFRzXk9-image.png)](https://bookstack.soffid.com/uploads/images/gallery/2026-05/fRPor6qeHwFRzXk9-image.png)

Confirm the CN name (Not secure > Certificate details).

[![image.png](https://bookstack.soffid.com/uploads/images/gallery/2026-05/scaled-1680-/f6SQiTaB4nERcfke-image.png)](https://bookstack.soffid.com/uploads/images/gallery/2026-05/f6SQiTaB4nERcfke-image.png)

If something has gone wrong, you need to check the log.

```shell
sudo docker compose logs launcher
```

## Step 4: Register certificates

#### 4.1 In the Console

Add the PAM hostnames in the console service.

<p class="callout warning">Check the **IP** of the **docker environment**; in this tutorial it is 192.168.122.1.</p>

```shell
sudo vim docker-compose.yaml
```

Under the console service, add:

```YAML
    extra_hosts:
      - store.soffid4.local:192.168.122.1
      - launcher.soffid4.local:192.168.122.1
```

```shell
docker compose up -d
```

Fetch the PAM certificates into the Console's trusted certificates.

```shell
docker compose exec -it console bash
cd /opt/soffid/iam-console-4/trustedcerts
openssl s_client -connect store.soffid4.local:8091 < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > store.soffid4.local.crt
openssl s_client -connect launcher.soffid4.local:8093 < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > launcher.soffid4.local.crt
exit
docker compose restart console
```

#### 4.2 Add a store certificate to the sync server

Add the PAM hostnames in the syncserver service.

```shell
sudo vim docker-compose.yaml
```

Under the syncserver service, add:

```YAML
    extra_hosts:
      - store.soffid4.local:192.168.122.1
```

```shell
docker compose up -d
```

Add the store certificate to the sync server's keystore.

```shell
docker compose exec -it syncserver bash
cd /opt/soffid/iam-sync/conf
openssl s_client -connect store.soffid4.local:8091 < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > store.soffid4.local.crt
# when keytool asks for the keystore password, enter: changeit
keytool -import -file store.soffid4.local.crt -keystore cacerts -alias store.soffid4.local
exit
docker compose restart syncserver
```

#### 4.3 Add the store/syncserver certificate to the launcher

Add hostnames in the launcher service.

```shell
sudo vim docker-compose.yaml
```

Under the launcher service, add:

```YAML
    extra_hosts:
      - store.soffid4.local:192.168.122.1
```

```shell
docker compose up -d
```

Add the store/syncserver certificate to the launcher.

```shell
docker compose exec -it launcher bash
cd /opt/soffid/tomee/trustedcerts
openssl s_client -connect store.soffid4.local:8091 < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > store.soffid4.local.crt
openssl s_client -connect sync-server-version4.network:1768 < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > sync-server-version4.network.crt
exit
docker compose restart launcher
```
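Step 1 generates the certificates interactively and Step 4 trusts whatever certificate `s_client` returns, checking the CN by hand in the browser. As an added example (not the page's or Soffid's own code), the following shell functions do both without prompts: generate a key and self-signed certificate for a hostname (adding a subjectAltName, which browsers require), fetch the certificate a running store or launcher presents, and refuse to accept it unless its CN is the expected hostname, printing the SHA-256 fingerprint for out-of-band comparison. It assumes `openssl` is installed; hostnames, passwords and ports are constructed.

```shell
# Added example, not part of the Soffid page: a non-interactive version of the
# Step 1 key/certificate generation (with a subjectAltName, which browsers
# require) and an automated CN check for the certificates fetched in Step 4.
# Assumes openssl is installed. Hostnames, passwords and ports are constructed.

# gen_cert HOST KEYPASS [DAYS]: encrypted RSA key + self-signed cert for HOST
gen_cert() {
  host=$1; pass=$2; days=${3:-1000}
  openssl genrsa -aes256 -passout "pass:$pass" -out "$host.key" 2048 2>/dev/null &&
  openssl req -x509 -new -days "$days" -key "$host.key" -passin "pass:$pass" \
    -subj "/CN=$host" -addext "subjectAltName=DNS:$host" -out "$host.pem" 2>/dev/null
}

# cert_cn PEMFILE: print the CN of the certificate's subject
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
    sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# cert_fingerprint PEMFILE: SHA-256 fingerprint, for out-of-band comparison
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# fetch_cert HOST PORT OUTFILE: the s_client | sed pipeline from Step 4,
# with -servername so the server can pick the right certificate (SNI)
fetch_cert() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
    sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > "$3"
  [ -s "$3" ]   # fail if nothing was captured (port closed, not TLS, ...)
}

# verify_cert PEMFILE EXPECTED_CN: 0 if the CN matches, 1 otherwise.
# Use this before copying a fetched .crt into a trustedcerts directory.
verify_cert() {
  cn=$(cert_cn "$1")
  if [ "$cn" = "$2" ]; then
    echo "OK  CN=$cn  sha256=$(cert_fingerprint "$1")"
    return 0
  fi
  echo "MISMATCH: expected CN=$2 but certificate has CN=$cn" >&2
  return 1
}

# Typical use (constructed values; the store must be running):
#   gen_cert store.soffid4.local 12345678
#   fetch_cert store.soffid4.local 8091 store.soffid4.local.crt &&
#     verify_cert store.soffid4.local.crt store.soffid4.local
```

The .pfx and .jks conversion from Step 1 is unchanged and can be run on the generated .key and .pem files.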

## Step 5: Session types

#### 5.1 Introduction

<p class="callout warning">When starting a user session through the launcher, it requires images for each **session type**; you must **load** the **latest** docker **image** so that the launcher can start the session.</p>

#### 5.2 Load images

Download only the session types that you need.


```shell
sudo docker pull soffid/soffid-pasr-ssh:latest
sudo docker pull soffid/soffid-pasr-rdp:latest
sudo docker pull soffid/soffid-pasr-http:latest
sudo docker pull soffid/soffid-pasr-https:latest
sudo docker pull soffid/soffid-pasr-jdbc:latest
sudo docker pull soffid/soffid-pasr-tn5250:latest
sudo docker pull soffid/soffid-pasr-kube:latest
sudo docker pull soffid/soffid-pasr-google-chrome:latest
sudo docker pull soffid/soffid-pasr-vnc:latest
sudo docker pull soffid/soffid-pasr-iaccess:latest
sudo docker pull soffid/soffid-pasr-sap:latest
sudo docker pull soffid/soffid-pasr-gke:latest
```

#### 5.3 Save web sessions

To **save web sessions** you will need to add some parameters to the launcher **system.properties**.

If the parameters already exist, do nothing.

```shell
docker compose exec -it launcher bash
cd /opt/soffid/tomee/conf/
apt-get update
apt-get install vim
vim system.properties
```

Lines to add to system.properties:

```
SOFFID_PAM_PARAMS_http=--shm-size=1024m  --privileged -eVNCSERVER=yes
SOFFID_PAM_PARAMS_https=--shm-size=1024m  --privileged -eVNCSERVER=yes
```

```shell
exit
docker compose restart launcher
```

## Step 6: Configure PAM in Console

#### 6.1 Introduction

We can now go to the **Configure PAM session servers** page.

[![image.png](https://bookstack.soffid.com/uploads/images/gallery/2026-05/scaled-1680-/2laHWFH7kCNicSM3-image.png)](https://bookstack.soffid.com/uploads/images/gallery/2026-05/2laHWFH7kCNicSM3-image.png)

#### 6.2 Create the PAM group

Create a new group and register the **store** with its **user** and **password**, along with the **launcher**.

<p class="callout success">If everything goes well, it will let you save the changes!</p>

[![image.png](https://bookstack.soffid.com/uploads/images/gallery/2026-05/scaled-1680-/H5hsir5RfUy1rswQ-image.png)](https://bookstack.soffid.com/uploads/images/gallery/2026-05/H5hsir5RfUy1rswQ-image.png)

## Step 7: Open a web session

#### 7.1 Password vault

Go to **Password vault** page.

[![image.png](https://bookstack.soffid.com/uploads/images/gallery/2026-05/scaled-1680-/PrYmSOqepcB0xhqa-image.png)](https://bookstack.soffid.com/uploads/images/gallery/2026-05/PrYmSOqepcB0xhqa-image.png)

#### 7.2 Create an account

Create a new folder "Password vault accounts" with the "Add new" button.

Now, on the "Password vault accounts" folder, click the three dots icon and then "Create new account".

[![image.png](https://bookstack.soffid.com/uploads/images/gallery/2026-05/scaled-1680-/84AWorlMkHSQfowV-image.png)](https://bookstack.soffid.com/uploads/images/gallery/2026-05/84AWorlMkHSQfowV-image.png)

Add these values and click the disk (save) button.

[![image.png](https://bookstack.soffid.com/uploads/images/gallery/2026-05/scaled-1680-/zTl1IFh7mpeXTmQp-image.png)](https://bookstack.soffid.com/uploads/images/gallery/2026-05/zTl1IFh7mpeXTmQp-image.png)

Save a dummy password.

[![image.png](https://bookstack.soffid.com/uploads/images/gallery/2026-05/scaled-1680-/8t1AIWjTZX6loHH5-image.png)](https://bookstack.soffid.com/uploads/images/gallery/2026-05/8t1AIWjTZX6loHH5-image.png)

[![image.png](https://bookstack.soffid.com/uploads/images/gallery/2026-05/scaled-1680-/Uw7cyNMlHlOwwSFF-image.png)](https://bookstack.soffid.com/uploads/images/gallery/2026-05/Uw7cyNMlHlOwwSFF-image.png)

#### 7.3 Launch

Click the Launch button to confirm that the launcher can open the session type correctly.

[![image.png](https://bookstack.soffid.com/uploads/images/gallery/2026-05/scaled-1680-/rYCkXEkuU2HGvtxX-image.png)](https://bookstack.soffid.com/uploads/images/gallery/2026-05/rYCkXEkuU2HGvtxX-image.png)

[![image.png](https://bookstack.soffid.com/uploads/images/gallery/2026-05/scaled-1680-/KnxwmN7Xxt3gOlTj-image.png)](https://bookstack.soffid.com/uploads/images/gallery/2026-05/KnxwmN7Xxt3gOlTj-image.png)

<p class="callout success">Now you have the PAM environment ready to continue.</p>