# Installing PAM using Docker How to install PAM using Docker # PAM Jump Server Installation The purpose of this tutorial is to show how to install Jump servers and configure PAM using Dockers, to use critical resources without knowing the password required. ### Jump Server > A jump server, jump host or jump box is a system on a network used to access and manage devices in a separate security zone. A jump server is a hardened and monitored device that spans two dissimilar security zones and provides a controlled means of access between them. (\*)

From version **1.4.36 and higher,** Soffid PAM Launcher and Store installs allowing only **TLSv1.3 protocol.**

## Prerequisites Prerequisites to install PAM using Dockers: 1\. Install docker ( [https://docs.docker.com/install/](https://docs.docker.com/install/) ) 2\. Create a Docker network(\*), that network allows you to connect containers to the same bridge network to communicate: ``` sudo docker network create -d bridge NETWORKNAME ``` *\* You can use the same network defined in the Console and Sync Server installation to avoid visibility problems.* ## Screen overview ## Installation The steps required to install PAM are: 1. Create the storage server container. 2. Create the launcher container. 3. Register storage server in Soffid console. ### Fast path to create storage server and launcher containers 1\. To create both containers, you can download the following script: **[install-pam.sh](https://bookstack.soffid.com/attachments/15)** 2\. Before installing, you have to edit the file and set the name of the new network you have created, and the latest versions of the store and launcher ```shell ......... docker create \ --network soffid \ -v soffid-pam-store:/opt/soffid/tomee/data \ -p 8081:8080 \ --name soffid-pam-store \ soffid/pam-store:1.3.0 >/dev/null ...... ``` ```shell ...... docker create \ --network soffid \ -v soffid-pam-launcher:/opt/soffid/tomee/launcher \ -v /var/run/docker.sock:/var/run/docker.sock \ -p 8082:8080 \ -e STORE_SERVER="http://$PUBLIC_IP:8081/" \ -e STORE_USER="$userid" \ -e STORE_PASSWORD="$pass" \ --name soffid-pam-launcher \ soffid/pam-launcher:1.3.0 >/dev/null ...... ``` 3\. Finally, you can execute the script ``` ~/Downloads$ bash ./install-pam.sh ``` ##### A brief description of the script 1. Creates two volumes, one for the storage and the other for the launcher. 2. Creates a storage server container: 2.1. In that container the files and videos recorded will be saved. 2.2. All the data will be saved using a key. 2.3. By default, it will use the 8081 port. 3. Starts the storage container. 4. Generates the user and password to connect the launcher. 5. Creates a launcher server container: 5.1. That container will be in charge of recording and sending the recording files to the storage. 5.2. Soffid allows you to configure some environment variables:
VariableDescription
STORE\_SERVERStore URL
STORE\_USERStore user
STORE\_PASSWORDStore password
JAVA\_KEYSTORE(optional) Key store path that contains the key SSL
KEYSTORE\_PASS(optional) SSL key
NETWORK\_ID(optional) Network ID for docker services
5.3. By default, it will use the 8082 port. 6. Starts the launcher container. 7. Generates the encryption key to be used to store the recordings. 8. Generates the user and password that have to be registered on Soffid Console. You will get something similar to this. When the process is complete, two docker containers should be created: soffid-pam-store and soffid-pam-launcher. ``` ~/Downloads$ bash ./install-pam.sh ===================== Creating store server ===================== Waiting for store server Creating launch server ============================================================= Process completed Notice: You must register the store server in Soffid console: User name: bubu-thinkpad Password : DRFoeOsD02yph7DERNcAZB8jp3b67bO3D/Ax3uS4PbzuBnPbQLhR1lyAu9PFqRJ0 ~/Downloads$ docker ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES 854d7aff5c0a soffid/pam-launcher "/bin/sh -c /opt/sof…" 4 minutes ago Up 4 minutes 0.0.0.0:8082->8080/tcp soffid-pam-launcher 7d66a3d3cfa1 soffid/pam-store "/bin/sh -c /opt/sof…" 4 minutes ago Up 4 minutes 0.0.0.0:8081->8080/tcp soffid-pam-store ``` Next, you must open the Jump Server page in the Soffid console. On this page, you must register the store and launcher servers, using the user name and password displayed in the previous step. Visit the [Configure PAM session servers](https://bookstack.soffid.com/books/pam-installation/page/configure-pam-session-servers "Configure PAM session servers") on Soffid Console to finish the installation process. [![image-1625145417983.png](https://bookstack.soffid.com/uploads/images/gallery/2021-07/scaled-1680-/image-1625145417983.png)](https://bookstack.soffid.com/uploads/images/gallery/2021-07/image-1625145417983.png) ### Privileged Account Session Recording Be in mind that you need to download the latest image of the required Privileged Account Session Recording that you need depending on the protocol. - soffid-pasr-ssh - soffid-pasr-rdp - soffid-pasr-jdbc - soffid-pasr-http - soffid-pasr-https - soffid-pasr-tn5250 - soffid-pasr-kube ##### Examples Linux ```shell docker pull soffid/soffid-pasr-ssh ``` Windows ``` docker pull soffid/soffid-pasr-rdp ``` --- To save a Web session you will need to add some parameters to the launcher system.properties (/opt/soffid/tomee/conf/system.properties) Parameters to add: ```shell SOFFID_PAM_PARAMS_http=--shm-size=1024m  --privileged -eVNCSERVER=yes SOFFID_PAM_PARAMS_https=--shm-size=1024m  --privileged -eVNCSERVER=yes ``` --- *(\*) [https://en.wikipedia.org/wiki/Jump\_server](https://en.wikipedia.org/wiki/Jump_server)* # PAM Jump Server Upgrade ## Upgrade To upgrade PAM you will need to run two scripts, one for the store and the other for the launcher. ### Upgrade store To upgrade the storage container you can download and execute the following script: [upgrade-store.sh](https://bookstack.soffid.com/attachments/57) ``` ~/Downloads$ bash ./upgrade-store.sh ``` ##### A brief description of the script 1. Gets the latest version of the PAM store. 2. Stops the store container. 3. Removes the store container. 4. Creates a new store container. 5. Starts a new store container. ### Upgrade launcher To upgrade the launcher container you can download and execute the following script: [upgrade-launcher.sh](https://bookstack.soffid.com/attachments/59) ``` ~/Downloads$ bash ./upgrade-launcher.sh ``` ##### A brief description of the script 1. Gets the latest version of the PAM launcher. 2. Gets environment variables of current docker to create the new docker with the same configuration 3. Stops the launcher container. 4. Removes the launcher container. 5. Creates a new launcher container. 6. Starts a new launcher container. --- *(\*) [https://en.wikipedia.org/wiki/Jump\_server](https://en.wikipedia.org/wiki/Jump_server)* # PAM con TLS (Interno)

From version **1.4.36 and higher,** Soffid PAM Launcher and Store installs allowing only **TLSv1.3 protocol.**

\------------------------------------------------------------------------- \--- CREAR VOLUMNES \------------------------------------------------------------------------- docker volume create certificados-2 docker volume create soffid-pam-store-2 docker volume create soffid-pam-launcher-2 docker volume create soffid-pam-store-conf-2 docker volume create soffid-pam-launcher-conf-2 docker volume create soffid-pam-trustedcerts-2 \------------------------------------------------------------------------- \--- CREAR CERTIFICADOS JKS \------------------------------------------------------------------------- sudo openssl genrsa -aes256 -out soffid-pam-store-2.key sudo openssl req -x509 -days 1000 -new -key soffid-pam-store-2.key -out soffid-pam-store-2.pem sudo openssl pkcs12 -export -in soffid-pam-store-2.pem -inkey soffid-pam-store-2.key -out soffid-pam-store-2.pfx sudo openssl genrsa -aes256 -out soffid.pat.pam-2.key sudo openssl req -x509 -days 1000 -new -key soffid.pat.pam-2.key -out soffid.pat.pam-2.pem sudo openssl pkcs12 -export -in soffid.pat.pam-2.pem -inkey soffid.pat.pam-2.key -out soffid.pat.pam-2.pfx sudo keytool -v -importkeystore -srckeystore soffid-pam-store-2.pfx -srcstoretype PKCS12 \\ -destkeystore soffid-pam-store-2.jks \\ -deststoretype JKS \\ -destkeypass 123456 -srcstorepass 123456 -deststorepass 123456 sudo keytool -v -importkeystore -srckeystore soffid.pat.pam-2.pfx -srcstoretype PKCS12 \\ -destkeystore soffid.pat.pam-2.jks \\ -deststoretype JKS \\ -destkeypass 123456 -srcstorepass 123456 -deststorepass 123456 \------------------------------------------------------------------------- \--- COPIAR CERTIFICADOS JKS EN EL VOLUMEN LOS CERTFICADOS \------------------------------------------------------------------------- cp \*.jks /var/lib/docker/volumes/certificados-2/\_data \------------------------------------------------------------------------- \--- CREAR CONTENDOR STORE https://soffid-pam-store-2:8443 \------------------------------------------------------------------------- docker stop soffid-pam-store-2 docker rm soffid-pam-store-2 docker create \\ -v certificados-2:/opt/soffid/tomee/certificados \\ -v soffid-pam-store-conf-2:/opt/soffid/tomee/conf \\ -v soffid-pam-trustedcerts-2:/opt/soffid/tomee/trustedcerts \\ \--network netcompose \\ -p 8081:8443 \\ -v soffid-pam-store-2:/opt/soffid/tomee/data \\ \--name soffid-pam-store-2 \\ -e JAVA\_KEYSTORE=/opt/soffid/tomee/certificados/soffid-pam-store-2.jks \\ -e KEYSTORE\_PASS=123456 \\ soffid/pam-store:1.4.34 docker start soffid-pam-store-2 >/dev/null keytool -list -keystore keystore.jks docker exec soffid-pam-store-2 cat /opt/soffid/tomee/data/passwd docker exec soffid-pam-store-2 /opt/soffid/tomee/bin/add-user.sh soffid.pat.lab-launcher launcher Pass: i8h3CLzYxIzRb6d4RRhjpuKF6MOmZIlF0aZBxu8Nk5aPJfkKDYegbiOyzUzSggn7 \------------------------------------------------------------------------- \--- CREAR CONTENDOR LAUNCHER \------------------------------------------------------------------------- docker stop soffid-pam-launcher-2 docker rm soffid-pam-launcher-2 docker create \\ -v certificados-2:/opt/soffid/tomee/certificados \\ -v soffid-pam-launcher-conf-2:/opt/soffid/tomee/conf \\ -v soffid-pam-trustedcerts-2:/opt/soffid/tomee/trustedcerts \\ \--network netcompose \\ -v soffid-pam-launcher-2:/opt/soffid/tomee/launcher \\ -v /var/run/docker.sock:/var/run/docker.sock \\ -p 8082:8443 \\ -e STORE\_SERVER="https://soffid-pam-store-2:8443/" \\ -e STORE\_USER="soffid.pat.lab-launcher" \\ -e STORE\_PASSWORD="i8h3CLzYxIzRb6d4RRhjpuKF6MOmZIlF0aZBxu8Nk5aPJfkKDYegbiOyzUzSggn7" \\ -e JAVA\_KEYSTORE=/opt/soffid/tomee/certificados/soffid.pat.pam-2.jks \\ -e KEYSTORE\_PASS=123456 \\ \--name soffid-pam-launcher-2 \\ soffid/pam-launcher:1.4.35 docker start soffid-pam-launcher-2 keytool -list -keystore keystore.jks keytool -list -keystore soffid.pat.pam-2.jks \------------------------------------------------------------------------- \--- CERTIFICADOS DE CONFIANZA \------------------------------------------------------------------------- openssl s\_client -connect sync-server.netcompose:1760 < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > sync-server.netcompose.crt keytool -import -file sync-server.netcompose.crt -keystore cacerts -alias sync-server.netcompose docker restart soffid-pam-store-2 docker restart soffid-pam-launcher-2 \------------------------------------------------------------------------- \--- USUARIO EN STORE PARA CONSOLA \------------------------------------------------------------------------- docker exec soffid-pam-store-2 /opt/soffid/tomee/bin/add-user.sh soffid.pat.lab-console console Password: BWP0j7Ean8p0FrYVZsjnacYrYsDxs0UlG975HwJ3dYRGOF8YbuCnlUbHZnHlcw9c \------------------------------------------------------------------------- \--- CERTIFICADOS DE CONFIANZA EN LA CONSOLA \------------------------------------------------------------------------- cd /opt/soffid/iam-console-3/trustedcerts openssl s\_client -connect soffid-pam-store-2:8443 < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > soffid-pam-store-2.crt openssl s\_client -connect soffid.pat.pam-2:8082 < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > soffid.pat.pam-2.crt docker restart consola \------------------------------------------------------------------------- \--- CERTIFICADOS DE CONFIANZA EN EL SYNC SERVER \------------------------------------------------------------------------- cd /opt/soffid/iam-sync/conf/ openssl s\_client -connect soffid-pam-store-2:8443 < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > soffid-pam-store-2.crt \------------------------------------------------------------------------- \--- CERTIFICADOS DE CONFIANZA EN EL LAUNCHER \------------------------------------------------------------------------- openssl s\_client -connect soffid-pam-store-2:8443 < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > soffid-pam-store-2.crt keytool -import -file soffid-pam-store-2.crt -cacerts \------------------------------------------------------------------------- soffid.pat.pam-2:192.168.122.1