# PAM Install & config

# Installing PAM using Docker

How to install PAM using Docker

# PAM Jump Server Installation

The purpose of this tutorial is to show how to install jump servers and configure PAM using Docker, so that users can work with critical resources without ever knowing the passwords required to access them.

### Jump Server

> A jump server, jump host or jump box is a system on a network used to access and manage devices in a separate security zone. A jump server is a hardened and monitored device that spans two dissimilar security zones and provides a controlled means of access between them. (\*)

<p class="callout info">From version **1.4.36 and higher,** Soffid PAM Launcher and Store installs allowing only **TLSv1.3 protocol.**</p>

## Prerequisites

Prerequisites to install PAM using Dockers:

1\. Install docker ( [https://docs.docker.com/install/](https://docs.docker.com/install/) )

2\. Create a Docker network(\*). The network lets the containers attached to the same bridge communicate with each other:

```
sudo docker network create -d bridge NETWORKNAME
```

*\* You can use the same network defined in the Console and Sync Server installation to avoid visibility problems.*

## Screen overview

Video: [Screen overview](https://www.youtube.com/embed/3itVO7_J8ZQ?rel=0)

## Installation

The steps required to install PAM are:

1. Create the storage server container.
2. Create the launcher container.
3. Register storage server in Soffid console.

### Fast path to create storage server and launcher containers

1\. To create both containers, download the following script: **[install-pam.sh](https://bookstack.soffid.com/attachments/15)**

2\. Before installing, edit the file and set the name of the network you created and the latest versions of the store and launcher images:

```shell
.........
docker create \
  --network soffid \
  -v soffid-pam-store:/opt/soffid/tomee/data \
  -p 8081:8080 \
  --name soffid-pam-store \
  soffid/pam-store:1.3.0 >/dev/null
  
......
```

```shell
......
docker create \
  --network soffid \
  -v soffid-pam-launcher:/opt/soffid/tomee/launcher \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -p 8082:8080 \
  -e STORE_SERVER="http://$PUBLIC_IP:8081/" \
  -e STORE_USER="$userid" \
  -e STORE_PASSWORD="$pass" \
  --name soffid-pam-launcher \
  soffid/pam-launcher:1.3.0 >/dev/null

......
```

3\. Finally, execute the script:

```
~/Downloads$ bash ./install-pam.sh
```

##### A brief description of the script

<span style="color: #a6d100; font-weight: bold; font-size: 18px;">1. </span> Creates two volumes, one for the storage and the other for the launcher.

<span style="color: #a6d100; font-weight: bold; font-size: 18px;">2. </span>Creates a storage server container:

<span style="color: #a6d100; font-weight: bold; font-size: 18px;">2.1.</span> The recorded files and videos are saved in that container.

<span style="color: #a6d100; font-weight: bold; font-size: 18px;">2.2.</span> All the data is stored encrypted with a key.

<span style="color: #a6d100; font-weight: bold; font-size: 18px;">2.3.</span> By default, it will use the 8081 port.

<span style="color: #a6d100; font-weight: bold; font-size: 18px;">3. </span>Starts the storage container.

<span style="color: #a6d100; font-weight: bold; font-size: 18px;">4.</span> Generates the user and password that the launcher uses to connect to the store.

<span style="color: #a6d100; font-weight: bold; font-size: 18px;">5.</span> Creates a launcher server container:

<span style="color: #a6d100; font-weight: bold; font-size: 18px;">5.1.</span> That container is in charge of recording sessions and sending the recording files to the storage server.

<span style="color: #a6d100; font-weight: bold; font-size: 18px;">5.2.</span> Soffid allows you to configure the following environment variables:

<table border="1" id="bkmrk-variable-description" style="margin-left: 40px; height: 174px; width: 64.5238%;"><tbody style="padding-left: 40px;"><tr bgcolor="#ddd" style="padding-left: 40px;"><td align="center" style="padding-left: 40px; height: 29px; width: 38.2072%;">Variable</td><td align="center" style="padding-left: 40px; height: 29px; width: 69.7337%;">Description</td></tr><tr style="padding-left: 40px;"><td style="padding-left: 40px; height: 29px; width: 38.2072%;">STORE\_SERVER</td><td style="padding-left: 40px; height: 29px; width: 69.7337%;">Store URL</td></tr><tr style="padding-left: 40px;"><td style="padding-left: 40px; height: 29px; width: 38.2072%;">STORE\_USER</td><td style="padding-left: 40px; height: 29px; width: 69.7337%;">Store user</td></tr><tr style="padding-left: 40px;"><td style="padding-left: 40px; height: 29px; width: 38.2072%;">STORE\_PASSWORD</td><td style="padding-left: 40px; height: 29px; width: 69.7337%;">Store password</td></tr><tr style="padding-left: 40px;"><td style="padding-left: 40px; height: 29px; width: 38.2072%;">JAVA\_KEYSTORE</td><td style="padding-left: 40px; height: 29px; width: 69.7337%;">(optional) Path of the key store that contains the SSL key</td></tr><tr style="padding-left: 40px;"><td style="padding-left: 40px; height: 29px; width: 38.2072%;">KEYSTORE\_PASS</td><td style="padding-left: 40px; height: 29px; width: 69.7337%;">(optional) Key store password</td></tr><tr><td style="padding-left: 40px; width: 38.2072%;">NETWORK\_ID</td><td style="padding-left: 40px; width: 69.7337%;">(optional) Network ID for Docker services</td></tr></tbody></table>

<span style="color: #a6d100; font-weight: bold; font-size: 18px;">5.3.</span> By default, it will use the 8082 port.

<span style="color: #a6d100; font-weight: bold; font-size: 18px;">6.</span> Starts the launcher container.

<span style="color: #a6d100; font-weight: bold; font-size: 18px;">7.</span> Generates the encryption key used to store the recordings.

<span style="color: #a6d100; font-weight: bold; font-size: 18px;">8.</span> Generates the user and password that have to be registered in the Soffid Console.

You will get output similar to the following. When the process completes, two Docker containers should exist: soffid-pam-store and soffid-pam-launcher.

```
~/Downloads$ bash ./install-pam.sh
=====================
Creating store server
=====================
Waiting for store server
Creating launch server
=============================================================
Process completed
Notice: You must register the store server in Soffid console:
User name: bubu-thinkpad
Password : DRFoeOsD02yph7DERNcAZB8jp3b67bO3D/Ax3uS4PbzuBnPbQLhR1lyAu9PFqRJ0
~/Downloads$ docker ps
CONTAINER ID IMAGE                 COMMAND                  CREATED         STATUS         PORTS                    NAMES
854d7aff5c0a soffid/pam-launcher   "/bin/sh -c /opt/sof…"   4 minutes ago   Up 4 minutes   0.0.0.0:8082->8080/tcp   soffid-pam-launcher
7d66a3d3cfa1 soffid/pam-store      "/bin/sh -c /opt/sof…"   4 minutes ago   Up 4 minutes   0.0.0.0:8081->8080/tcp   soffid-pam-store
```

Next, you must open the Jump Server page in the Soffid console. On this page, you must register the store and launcher servers, using the user name and password displayed in the previous step. Visit the [Configure PAM session servers](https://bookstack.soffid.com/books/pam-installation/page/configure-pam-session-servers "Configure PAM session servers") on Soffid Console to finish the installation process.

[![image-1625145417983.png](https://bookstack.soffid.com/uploads/images/gallery/2021-07/scaled-1680-/image-1625145417983.png)](https://bookstack.soffid.com/uploads/images/gallery/2021-07/image-1625145417983.png)

### Privileged Account Session Recording

Bear in mind that you need to pull the latest image of the Privileged Account Session Recording container for each protocol you need:

- soffid-pasr-ssh
- soffid-pasr-rdp
- soffid-pasr-jdbc
- soffid-pasr-http
- soffid-pasr-https
- soffid-pasr-tn5250
- soffid-pasr-kube

##### Examples

Linux

```shell
docker pull soffid/soffid-pasr-ssh
```

Windows

```
docker pull soffid/soffid-pasr-rdp
```

---

To record a web session, you need to add some parameters to the launcher's system.properties file (/opt/soffid/tomee/conf/system.properties).

Parameters to add:

```shell
SOFFID_PAM_PARAMS_http=--shm-size=1024m  --privileged -eVNCSERVER=yes
SOFFID_PAM_PARAMS_https=--shm-size=1024m  --privileged -eVNCSERVER=yes
```

---

*(\*) [https://en.wikipedia.org/wiki/Jump\_server](https://en.wikipedia.org/wiki/Jump_server)*

# PAM Jump Server Upgrade

## Upgrade 

To upgrade PAM you will need to run two scripts, one for the store and the other for the launcher.

### Upgrade store

To upgrade the storage container you can download and execute the following script: [upgrade-store.sh](https://bookstack.soffid.com/attachments/57)

```
~/Downloads$ bash ./upgrade-store.sh
```

##### A brief description of the script

<span style="color: #a6d100; font-weight: bold; font-size: 18px;">1. </span>Gets the latest version of the PAM store.

<span style="color: #a6d100; font-weight: bold; font-size: 18px;">2. </span>Stops the store container.

<span style="color: #a6d100; font-weight: bold; font-size: 18px;">3. </span>Removes the store container.

<span style="color: #a6d100; font-weight: bold; font-size: 18px;">4. </span>Creates a new store container.

<span style="color: #a6d100; font-weight: bold; font-size: 18px;">5. </span>Starts a new store container.

### Upgrade launcher

To upgrade the launcher container you can download and execute the following script: [upgrade-launcher.sh](https://bookstack.soffid.com/attachments/59)

```
~/Downloads$ bash ./upgrade-launcher.sh
```

##### A brief description of the script

<span style="color: #a6d100; font-weight: bold; font-size: 18px;">1. </span>Gets the latest version of the PAM launcher.

<span style="color: #a6d100; font-weight: bold; font-size: 18px;">2. </span>Gets the environment variables of the current container so that the new one is created with the same configuration.

<span style="color: #a6d100; font-weight: bold; font-size: 18px;">3. </span>Stops the launcher container.

<span style="color: #a6d100; font-weight: bold; font-size: 18px;">4. </span>Removes the launcher container.

<span style="color: #a6d100; font-weight: bold; font-size: 18px;">5. </span>Creates a new launcher container.

<span style="color: #a6d100; font-weight: bold; font-size: 18px;">6. </span>Starts a new launcher container.


# PAM with TLS (Internal)

<p class="callout info">From version **1.4.36 and higher,** Soffid PAM Launcher and Store installs allowing only **TLSv1.3 protocol.**</p>

### Create volumes

```shell
docker volume create certificados-2
docker volume create soffid-pam-store-2
docker volume create soffid-pam-launcher-2

docker volume create soffid-pam-store-conf-2
docker volume create soffid-pam-launcher-conf-2

docker volume create soffid-pam-trustedcerts-2
```

### Create JKS certificates

```shell
sudo openssl genrsa -aes256 -out soffid-pam-store-2.key
sudo openssl req -x509 -days 1000 -new -key soffid-pam-store-2.key -out soffid-pam-store-2.pem
sudo openssl pkcs12 -export -in soffid-pam-store-2.pem -inkey soffid-pam-store-2.key -out soffid-pam-store-2.pfx

sudo openssl genrsa -aes256 -out soffid.pat.pam-2.key
sudo openssl req -x509 -days 1000 -new -key soffid.pat.pam-2.key -out soffid.pat.pam-2.pem
sudo openssl pkcs12 -export -in soffid.pat.pam-2.pem -inkey soffid.pat.pam-2.key -out soffid.pat.pam-2.pfx

sudo keytool -v -importkeystore -srckeystore soffid-pam-store-2.pfx -srcstoretype PKCS12 \
  -destkeystore soffid-pam-store-2.jks \
  -deststoretype JKS \
  -destkeypass 123456 -srcstorepass 123456 -deststorepass 123456

sudo keytool -v -importkeystore -srckeystore soffid.pat.pam-2.pfx -srcstoretype PKCS12 \
  -destkeystore soffid.pat.pam-2.jks \
  -deststoretype JKS \
  -destkeypass 123456 -srcstorepass 123456 -deststorepass 123456
```

### Copy the JKS certificates into the certificates volume

```shell
cp *.jks /var/lib/docker/volumes/certificados-2/_data
```

### Create the store container (https://soffid-pam-store-2:8443)

```shell
docker stop soffid-pam-store-2
docker rm soffid-pam-store-2

docker create \
  -v certificados-2:/opt/soffid/tomee/certificados \
  -v soffid-pam-store-conf-2:/opt/soffid/tomee/conf \
  -v soffid-pam-trustedcerts-2:/opt/soffid/tomee/trustedcerts \
  --network netcompose \
  -p 8081:8443 \
  -v soffid-pam-store-2:/opt/soffid/tomee/data \
  --name soffid-pam-store-2 \
  -e JAVA_KEYSTORE=/opt/soffid/tomee/certificados/soffid-pam-store-2.jks \
  -e KEYSTORE_PASS=123456 \
  soffid/pam-store:1.4.34

docker start soffid-pam-store-2 >/dev/null

keytool -list -keystore keystore.jks

docker exec soffid-pam-store-2 cat /opt/soffid/tomee/data/passwd

docker exec soffid-pam-store-2 /opt/soffid/tomee/bin/add-user.sh soffid.pat.lab-launcher launcher
```

```
Pass: i8h3CLzYxIzRb6d4RRhjpuKF6MOmZIlF0aZBxu8Nk5aPJfkKDYegbiOyzUzSggn7
```

### Create the launcher container

```shell
docker stop soffid-pam-launcher-2
docker rm soffid-pam-launcher-2

docker create \
  -v certificados-2:/opt/soffid/tomee/certificados \
  -v soffid-pam-launcher-conf-2:/opt/soffid/tomee/conf \
  -v soffid-pam-trustedcerts-2:/opt/soffid/tomee/trustedcerts \
  --network netcompose \
  -v soffid-pam-launcher-2:/opt/soffid/tomee/launcher \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -p 8082:8443 \
  -e STORE_SERVER="https://soffid-pam-store-2:8443/" \
  -e STORE_USER="soffid.pat.lab-launcher" \
  -e STORE_PASSWORD="i8h3CLzYxIzRb6d4RRhjpuKF6MOmZIlF0aZBxu8Nk5aPJfkKDYegbiOyzUzSggn7" \
  -e JAVA_KEYSTORE=/opt/soffid/tomee/certificados/soffid.pat.pam-2.jks \
  -e KEYSTORE_PASS=123456 \
  --name soffid-pam-launcher-2 \
  soffid/pam-launcher:1.4.35

docker start soffid-pam-launcher-2

keytool -list -keystore keystore.jks

keytool -list -keystore soffid.pat.pam-2.jks
```

### Trusted certificates

```shell
openssl s_client -connect sync-server.netcompose:1760 < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > sync-server.netcompose.crt

keytool -import -file sync-server.netcompose.crt -keystore cacerts -alias sync-server.netcompose

docker restart soffid-pam-store-2
docker restart soffid-pam-launcher-2
```

### Store user for the console

```shell
docker exec soffid-pam-store-2 /opt/soffid/tomee/bin/add-user.sh soffid.pat.lab-console console
```

```
Password: BWP0j7Ean8p0FrYVZsjnacYrYsDxs0UlG975HwJ3dYRGOF8YbuCnlUbHZnHlcw9c
```

### Trusted certificates in the console

```shell
cd /opt/soffid/iam-console-4/trustedcerts

openssl s_client -connect soffid-pam-store-2:8443 < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > soffid-pam-store-2.crt

openssl s_client -connect soffid.pat.pam-2:8082 < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > soffid.pat.pam-2.crt

docker restart consola
```

### Trusted certificates in the sync server

```shell
cd /opt/soffid/iam-sync/conf/

openssl s_client -connect soffid-pam-store-2:8443 < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > soffid-pam-store-2.crt
```

### Trusted certificates in the launcher

```shell
openssl s_client -connect soffid-pam-store-2:8443 < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > soffid-pam-store-2.crt

keytool -import -file soffid-pam-store-2.crt -cacerts
```

---

soffid.pat.pam-2:192.168.122.1

# Installing PAM using Docker Compose

How to Install PAM using Docker Compose

# PAM Jump Server Installation

The purpose of this tutorial is to show how to install jump servers and configure PAM using Docker Compose, so that users can work with critical resources without ever knowing the passwords required to access them.

### Jump Server

> A jump server, jump host or jump box is a system on a network used to access and manage devices in a separate security zone. A jump server is a hardened and monitored device that spans two dissimilar security zones and provides a controlled means of access between them. (\*)

## Installation

### 1. Execute the Store YAML

```YAML
version: '3.8'

services:
  pam-store:
    image: soffid/pam-store:1.4.48
    environment:
      JAVA_KEYSTORE: /opt/soffid/tomee/certificates/YOUR_soffid-pam-store.jks 
      KEYSTORE_PASS: YOUR_KEYSTORE
    ports:
      - "8081:8443"
    networks:
      - network
    volumes:
      - store-trustedcerts:/opt/soffid/tomee/trustedcerts
      - store-certificates:/opt/soffid/tomee/certificates
      - store-data:/opt/soffid/tomee/data

networks:
  network:
    name: YOUR_NETWORK
    driver: bridge

volumes:
  store-trustedcerts:
    name: soffid-pam-store-trustedcerts
  store-certificates:
    name: soffid-pam-certificates
  store-data:
    name: soffid-pam-store
```

Execute:

```
sudo docker compose up -d
```

### 2. Create a user in the Store to use it in the Launcher

Once the Store container is up, run the add-user script inside it to create the user. The script takes two parameters, the user name and the role; use launcher as the role.

```shell
docker exec YOUR_pam-store_CONTAINER /opt/soffid/tomee/bin/add-user.sh user-launcher launcher
```

Result:

```
/bin/bash: warning: setlocale: LC_ALL: cannot change locale (en_US.UTF-8)
Password: cccccc/Qul9NFIqQnDU73gYccccVHThyew7Qt8Hqpf0rEzVq1Ft7azccccccc
```

As a result of the script, we receive the password for the created user. This password will be needed later when we create the launcher container.

### 3. Create a user in the Store to use it in the Console

Once the Store container is up, run the add-user script inside it to create the user. The script takes two parameters, the user name and the role; use console as the role.

```shell
docker exec YOUR_pam-store_CONTAINER /opt/soffid/tomee/bin/add-user.sh user-console console
```

Result:

```
/bin/bash: warning: setlocale: LC_ALL: cannot change locale (en_US.UTF-8)
Password: asdadadasdads/Qul9NFIqQnDU73gYccccVHThyew7Qt8Hqpf0rEzVq1Ft7aadadadasd
```

As a result of the script, we receive the password for the created user. This password will be needed later when we configure PAM in the Soffid Console.

### 4. Execute the Launcher YAML

YAML example to create the Launcher using Traefik as the Ingress Controller:

```YAML
version: '3.8'

services:
  pam-launcher:
    image: soffid/pam-launcher:1.4.36
    environment:
      JAVA_KEYSTORE: /opt/soffid/tomee/certificates/YOUR_soffid-pam-launcher.jks 
      KEYSTORE_PASS: YOUR_KEYSTORE
      STORE_SERVER: https://YOUR_pam-store_CONTAINER:8443
      STORE_USER: user-launcher
      STORE_PASSWORD: cccccc/Qul9NFIqQnDU73gYccccVHThyew7Qt8Hqpf0rEzVq1Ft7azccccccc
    ports:
      - "8082:8443"
    networks:
      - network
    volumes:
      - launcher-trustedcerts:/opt/soffid/tomee/trustedcerts
      - launcher-certificates:/opt/soffid/tomee/certificates
      - launcher-data:/opt/soffid/tomee/launcher
      - /var/run/docker.sock:/var/run/docker.sock
networks:
  network:
    name: YOUR_NETWORK
    driver: bridge

volumes:
  launcher-trustedcerts:
    name: soffid-pam-launcher-trustedcerts
  launcher-certificates:
    name: soffid-pam-certificates
  launcher-data:
    name: soffid-pam-launcher
```

Execute:

```
sudo docker compose up -d
```

### 5. Configure the Console

[![image.png](https://bookstack.soffid.com/uploads/images/gallery/2024-08/scaled-1680-/8Cn4v2ygTQZZjLXo-image.png)](https://bookstack.soffid.com/uploads/images/gallery/2024-08/8Cn4v2ygTQZZjLXo-image.png)

### Privileged Account Session Recording

Bear in mind that you need to pull the latest image of the Privileged Account Session Recording container for each protocol you need:

- soffid-pasr-ssh
- soffid-pasr-rdp
- soffid-pasr-jdbc
- soffid-pasr-http
- soffid-pasr-https
- soffid-pasr-tn5250
- soffid-pasr-kube

##### Examples

Linux

```
docker pull soffid/soffid-pasr-ssh
```

Windows

```
docker pull soffid/soffid-pasr-rdp
```

---

To save a Web session you will need to add some parameters to the launcher system.properties (/opt/soffid/tomee/conf/system.properties)

Parameters to add:

```shell
SOFFID_PAM_PARAMS_http=--shm-size=1024m  --privileged -eVNCSERVER=yes
SOFFID_PAM_PARAMS_https=--shm-size=1024m  --privileged -eVNCSERVER=yes
```

---

*(\*) [https://en.wikipedia.org/wiki/Jump\_server](https://en.wikipedia.org/wiki/Jump_server)*

# Full PAM installation using Docker Compose

## Introduction

This tutorial describes **all the steps required to install and configure a basic PAM environment** for a local, demo or small production environment.

## Prerequisites

- We have a **Linux** machine; Ubuntu 24 has been used for this tutorial.
- **Docker** and the **Docker Compose** plugin are already installed.
- The **database**, **Console** and **Syncserver** have already been installed.
- The Linux administrator user has **sudo privileges**.

## Step 1: Prepare certificates

#### 1.1 Some initial steps

<p class="callout warning">This tutorial will use **self-signed certificates** generated for a lab environment.</p>

<p class="callout info">If you have your **own certificates**, follow the steps depending on the file type.</p>

<p class="callout success">For this tutorial, we will be using the following hostnames: **store.soffid4.local** and **launcher.soffid4.local**</p>

Go to the current Soffid 4 **directory** where the docker-compose.yaml is located.

```shell
cd /home/user/lab/soffid4/   # example path
```

Add the hostnames in your **hosts** file.

```shell
sudo vim /etc/hosts   # use vim or your favourite editor
```

```shell
127.0.0.1 store.soffid4.local
127.0.0.1 launcher.soffid4.local
```

You will also need **Java**; check whether it is installed.

```shell
java -version
```

If it is not installed, install **Java 17**, for example (another version can also be used).

```shell
sudo apt-get update
sudo apt-get install openjdk-17-jdk
java -version
```

#### 1.2 Generate .key files

<p class="callout warning">When you run the command, you will be prompted for a **password**. In this tutorial, we will always use the value **12345678**; please replace this with the password of your choice (minimum 8 characters) </p>

```shell
sudo openssl genrsa -aes256 -out store.soffid4.local.key
sudo openssl genrsa -aes256 -out launcher.soffid4.local.key
```

#### 1.3 Generate .pem files

<p class="callout warning">When you run the command, the prompt will ask for the **CN (Common Name)** attribute; use the values from our domains: **store.soffid4.local** or **launcher.soffid4.local**</p>

```shell
sudo openssl req -x509 -days 1000 -new -key store.soffid4.local.key -out store.soffid4.local.pem
sudo openssl req -x509 -days 1000 -new -key launcher.soffid4.local.key -out launcher.soffid4.local.pem
```

#### 1.4 Generate .pfx files

```
sudo openssl pkcs12 -export -in store.soffid4.local.pem -inkey store.soffid4.local.key -out store.soffid4.local.pfx
sudo openssl pkcs12 -export -in launcher.soffid4.local.pem -inkey launcher.soffid4.local.key -out launcher.soffid4.local.pfx
```

#### 1.5 Generate .jks files

```
sudo keytool -v -importkeystore -srckeystore store.soffid4.local.pfx -srcstoretype PKCS12 -destkeystore store.soffid4.local.jks -deststoretype JKS -destkeypass 12345678 -srcstorepass 12345678 -deststorepass 12345678
sudo keytool -v -importkeystore -srckeystore launcher.soffid4.local.pfx -srcstoretype PKCS12 -destkeystore launcher.soffid4.local.jks -deststoretype JKS -destkeypass 12345678 -srcstorepass 12345678 -deststorepass 12345678
```

## Step 2: Store configuration

#### 2.1 Add the store in the yaml file

**Edit** your docker-compose.yaml.

```
sudo vim docker-compose.yaml
```

**Add** the store service in your docker-compose.yaml.

<p class="callout info">For this tutorial, **ports 8090** and **8091** have been opened.</p>

```YAML
services:
  store:
    image: soffid/pam-store:1.4.88
    environment:
      JAVA_KEYSTORE: /opt/soffid/tomee/certificates/store.soffid4.local.jks
      KEYSTORE_PASS: 12345678
    ports:
      - "8090:8080"
      - "8091:8443"
    networks:
      - network
    volumes:
      - store-trustedcerts:/opt/soffid/tomee/trustedcerts
      - store-certificates:/opt/soffid/tomee/certificates
      - store-data:/opt/soffid/tomee/data

volumes:
  store-trustedcerts:
    name: soffid4-pam-store-trustedcerts
  store-certificates:
    name: soffid4-pam-store-certificates
  store-data:
    name: soffid4-pam-store-data
```

**Regenerate** the docker containers.

```
sudo docker compose up -d
```

#### 2.2 Create users

<p class="callout warning">The **console** and the **launcher** will need **users** to **connect** to the **store**.</p>

<p class="callout info">We have to **run** a **script** in the **store** container to **create the user**. This script has two parameters, the user name and the role. The role options are "console" or "launcher".</p>

<p class="callout danger">When the user is created, its **password** is **generated** and displayed in the script’s output; please **copy and save it** for use in the next steps.</p>

Create the **user-console**.

```shell
docker compose exec store /opt/soffid/tomee/bin/add-user.sh user-console console
```

```
/bin/bash: warning: setlocale: LC_ALL: cannot change locale (en_US.UTF-8)
Password: cccccc/Qul9NFIqQnDU73gYccccVHThyew7Qt8Hqpf0rEzVq1Ft7azccccccc
```

Create the **user-launcher**.

```shell
docker compose exec store /opt/soffid/tomee/bin/add-user.sh user-launcher launcher
```

```
/bin/bash: warning: setlocale: LC_ALL: cannot change locale (en_US.UTF-8)
Password: asdadadasdads/Qul9NFIqQnDU73gYccccVHThyew7Qt8Hqpf0rEzVq1Ft7aadadadasd
```

#### 2.3 Add the certificate

Copy the **jks certificate** into the container.

```shell
docker compose cp store.soffid4.local.jks store:/opt/soffid/tomee/certificates
```

**Restart** the store.

```shell
docker compose restart store
```

#### 2.4 Monitoring the store

<p class="callout success">If the store has started successfully, we will be able to access the store’s **monitoring** page.</p>

[https://store.soffid4.local:8091/store/check](https://store.soffid4.local:8091/store/check)

<p class="callout info">You must use the **user-console** username to log in.</p>

[![image.png](https://bookstack.soffid.com/uploads/images/gallery/2026-05/scaled-1680-/Cg1rAopu5r0DnPWm-image.png)](https://bookstack.soffid.com/uploads/images/gallery/2026-05/Cg1rAopu5r0DnPWm-image.png)

This is the result.

[![image.png](https://bookstack.soffid.com/uploads/images/gallery/2026-05/scaled-1680-/Y7bHklUUrXA3njKT-image.png)](https://bookstack.soffid.com/uploads/images/gallery/2026-05/Y7bHklUUrXA3njKT-image.png)

Confirm the CN name (Not secure &gt; Certificate details).

[![image.png](https://bookstack.soffid.com/uploads/images/gallery/2026-05/scaled-1680-/09UPW3zn5SlDFRUH-image.png)](https://bookstack.soffid.com/uploads/images/gallery/2026-05/09UPW3zn5SlDFRUH-image.png)

If something has gone wrong, you need to check the log.

```shell
sudo docker compose logs store
```

## Step 3: Launcher configuration

#### 3.1 Add the launcher in the yaml file

**Edit** your docker-compose.yaml.

```
sudo vim docker-compose.yaml
```

**Add** the launcher service in your docker-compose.yaml.

<p class="callout info">For this tutorial, **ports 8092** and **8093** have been opened.</p>

<p class="callout warning">Update the **STORE\_PASSWORD** value for the one generated previously.</p>

```YAML
services:
  launcher:
    image: soffid/pam-launcher:1.4.88
    environment:
      JAVA_KEYSTORE: /opt/soffid/tomee/certificates/launcher.soffid4.local.jks
      KEYSTORE_PASS: 12345678
      STORE_SERVER: http://store:8080
      STORE_USER: user-launcher
      STORE_PASSWORD: asdadadasdads/Qul9NFIqQnDU73gYccccVHThyew7Qt8Hqpf0rEzVq1Ft7aadadadasd
    ports:
      - "8092:8080"
      - "8093:8443"
    networks:
      - network
    volumes:
      - launcher-trustedcerts:/opt/soffid/tomee/trustedcerts
      - launcher-certificates:/opt/soffid/tomee/certificates
      - launcher-data:/opt/soffid/tomee/launcher
      - /var/run/docker.sock:/var/run/docker.sock

volumes:
  launcher-trustedcerts:
    name: soffid4-pam-launcher-trustedcerts
  launcher-certificates:
    name: soffid4-pam-launcher-certificates
  launcher-data:
    name: soffid4-pam-launcher-data
 
```

**Regenerate** the docker containers.

```
sudo docker compose up -d
```

#### 3.2 Add the certificate

Copy the **jks certificate** into the container.

```shell
docker compose cp launcher.soffid4.local.jks launcher:/opt/soffid/tomee/certificates
```

**Restart** the launcher.

```shell
docker compose restart launcher
```

#### 3.3 Monitoring the launcher

<p class="callout success">If the launcher has started successfully, we will be able to access the launcher's **monitoring** page.</p>

[https://launcher.soffid4.local:8093/launch/status](https://launcher.soffid4.local:8093/launch/status)

This is the result.

[![image.png](https://bookstack.soffid.com/uploads/images/gallery/2026-05/scaled-1680-/fRPor6qeHwFRzXk9-image.png)](https://bookstack.soffid.com/uploads/images/gallery/2026-05/fRPor6qeHwFRzXk9-image.png)

Confirm the CN name (Not secure &gt; Certificate details).

[![image.png](https://bookstack.soffid.com/uploads/images/gallery/2026-05/scaled-1680-/f6SQiTaB4nERcfke-image.png)](https://bookstack.soffid.com/uploads/images/gallery/2026-05/f6SQiTaB4nERcfke-image.png)

If something has gone wrong, you need to check the log.

```shell
sudo docker compose logs launcher
```

## Step 4: Register certificates

#### 4.1 In the Console

Add the PAM hostnames in the console service.

<p class="callout warning">Check the **IP** of the **Docker environment**; in this tutorial it is 192.168.122.1.</p>

```shell
sudo vim docker-compose.yaml
```

Add to the console service:

```yaml
    extra_hosts:
      - store.soffid4.local:192.168.122.1
      - launcher.soffid4.local:192.168.122.1
```

```shell
docker compose up -d
```

Create the PAM certificate files for the Console.

```shell
docker compose exec -it console bash
cd /opt/soffid/iam-console-4/trustedcerts
openssl s_client -connect store.soffid4.local:8091 < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > store.soffid4.local.crt
openssl s_client -connect launcher.soffid4.local:8093 < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > launcher.soffid4.local.crt
exit
docker compose restart console
```

#### 4.2 Add a store certificate to the sync server

Add the PAM hostnames in the syncserver service.

```shell
sudo vim docker-compose.yaml

    extra_hosts:
      - store.soffid4.local:192.168.122.1

docker compose up -d
```

Add the store certificate to the sync server's truststore (keytool prompts for the keystore password).

```shell
docker compose exec -it syncserver bash
cd /opt/soffid/iam-sync/conf
openssl s_client -connect store.soffid4.local:8091 < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > store.soffid4.local.crt
keytool -import -file store.soffid4.local.crt -keystore cacerts -alias store.soffid4.local
password: changeit
exit
docker compose restart syncserver
```

#### 4.3 Add the store/syncserver certificate to the launcher

Add the store hostname to the launcher service in docker-compose.yaml.

```shell
sudo vim docker-compose.yaml

    extra_hosts:
      - store.soffid4.local:192.168.122.1

docker compose up -d
```

Add the store/syncserver certificate to the launcher.

```shell
docker compose exec -it launcher bash
cd /opt/soffid/tomee/trustedcerts
openssl s_client -connect store.soffid4.local:8091 < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > store.soffid4.local.crt
openssl s_client -connect sync-server-version4.network:1768 < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > sync-server-version4.network.crt
exit
docker compose restart launcher
```
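Steps 4.1 to 4.3 pipe `openssl s_client` straight into the trust directories and rely on you to confirm the CN by hand. The following script is an added example, not Soffid's tooling: it applies the same BEGIN/END extraction, refuses to write a certificate whose subject CN is not the hostname being trusted or when the captured output does not hold exactly one certificate, and reports the SHA-256 fingerprint for comparison with the browser's certificate details. The `openssl s_client` output it works on is a constructed sample; the hostnames, `trustedcerts` directories and port 8091 are the tutorial's.

```python
"""Guarded version of the certificate-registration steps 4.1 to 4.3."""
import base64
import hashlib
import re
import subprocess
import tempfile
from pathlib import Path
from typing import List, Optional

# Same span the tutorial's sed range selects: everything between the PEM markers.
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)
# "subject=CN = host" (OpenSSL 1.1+) as well as the older "subject=/CN=host" layout.
SUBJECT_CN_RE = re.compile(r"^subject=.*?CN\s*=\s*([^,/\n]+)", re.M)

# Constructed stand-in for the DER bytes of a certificate; not a real certificate.
PLACEHOLDER_DER = b"constructed placeholder, not a real certificate"
# Constructed sample of what `openssl s_client -connect HOST:PORT < /dev/null` prints.
SAMPLE_SCLIENT_OUTPUT = f"""CONNECTED(00000003)
depth=0 CN = store.soffid4.local
verify error:num=18:self-signed certificate
verify return:1
---
Certificate chain
 0 s:CN = store.soffid4.local
   i:CN = store.soffid4.local
---
Server certificate
-----BEGIN CERTIFICATE-----
{base64.b64encode(PLACEHOLDER_DER).decode()}
-----END CERTIFICATE-----
subject=CN = store.soffid4.local
issuer=CN = store.soffid4.local
---
SSL handshake has read 1234 bytes and written 400 bytes
---
"""


def extract_certificates(sclient_output: str) -> List[str]:
    """Return every PEM block found in the s_client output."""
    return PEM_RE.findall(sclient_output)


def subject_cn(sclient_output: str) -> Optional[str]:
    """Subject CN as printed on the 'subject=' line, or None if absent."""
    match = SUBJECT_CN_RE.search(sclient_output)
    return match.group(1).strip() if match else None


def fingerprint_sha256(pem: str) -> str:
    """SHA-256 of the DER bytes, the value a browser shows under certificate details."""
    body = "".join(line for line in pem.splitlines() if not line.startswith("-----"))
    return hashlib.sha256(base64.b64decode(body)).hexdigest()


def fetch_sclient_output(host: str, port: int) -> str:
    """Run openssl s_client as the tutorial does; -servername adds SNI so the
    server answers with the certificate for this hostname. Not run in the demo."""
    proc = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host],
        input="", capture_output=True, text=True, check=False,
    )
    return proc.stdout


def import_server_cert(host: str, sclient_output: str, trust_dir) -> Path:
    """Write <trust_dir>/<host>.crt only if the output holds exactly one
    certificate and its subject CN is the hostname we intend to trust."""
    certs = extract_certificates(sclient_output)
    if len(certs) != 1:
        raise ValueError(f"{host}: expected 1 certificate block, got {len(certs)}")
    cn = subject_cn(sclient_output)
    if cn != host:
        raise ValueError(f"{host}: subject CN is {cn!r}, refusing to trust it")
    target = Path(trust_dir) / f"{host}.crt"
    target.write_text(certs[0] + "\n")
    return target


def run_demo() -> dict:
    """Exercise the guard on the constructed sample in a throwaway trust directory."""
    trust_dir = Path(tempfile.mkdtemp(prefix="trustedcerts-"))
    written = import_server_cert("store.soffid4.local", SAMPLE_SCLIENT_OUTPUT, trust_dir)
    return {"written": str(written), "fingerprint": fingerprint_sha256(written.read_text())}


if __name__ == "__main__":
    result = run_demo()
    print(f"wrote {result['written']} (sha256 {result['fingerprint']})")
    try:  # the same output must not be accepted for a different hostname
        import_server_cert("launcher.soffid4.local", SAMPLE_SCLIENT_OUTPUT, tempfile.mkdtemp())
    except ValueError as exc:
        print(f"rejected: {exc}")
```

In real use, replace the sample with `fetch_sclient_output("store.soffid4.local", 8091)` and point `trust_dir` at the container's `trustedcerts` directory (or at the `.crt` that `keytool -import` consumes for the sync server).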

## Step 5: Session types

#### 5.1 Introduction

<p class="callout warning">The launcher needs a Docker image for each **session type** it starts; you must **load** the **latest** docker **image** of each session type you use so that the launcher can start the session.</p>

#### 5.2 Load images

Download only the images for the session types that you need.

```shell
sudo docker pull soffid/soffid-pasr-ssh:latest
sudo docker pull soffid/soffid-pasr-rdp:latest
sudo docker pull soffid/soffid-pasr-http:latest
sudo docker pull soffid/soffid-pasr-https:latest
sudo docker pull soffid/soffid-pasr-jdbc:latest
sudo docker pull soffid/soffid-pasr-tn5250:latest
sudo docker pull soffid/soffid-pasr-kube:latest
sudo docker pull soffid/soffid-pasr-google-chrome:latest
sudo docker pull soffid/soffid-pasr-vnc:latest
sudo docker pull soffid/soffid-pasr-iaccess:latest
sudo docker pull soffid/soffid-pasr-sap:latest
sudo docker pull soffid/soffid-pasr-gke:latest
```

#### 5.3 Save web sessions

To **save web sessions** you will need to add some parameters to the launcher **system.properties**.

If the parameters already exist, nothing needs to be changed.

```shell
docker compose exec -it launcher bash
cd /opt/soffid/tomee/conf/
apt-get update
apt-get install vim
vim system.properties

    SOFFID_PAM_PARAMS_http=--shm-size=1024m  --privileged -eVNCSERVER=yes
    SOFFID_PAM_PARAMS_https=--shm-size=1024m  --privileged -eVNCSERVER=yes

exit
docker compose restart launcher
```

## Step 6: Configure PAM in Console

#### 6.1 Introduction

We can now go to the **Configure PAM session servers** page.

[![image.png](https://bookstack.soffid.com/uploads/images/gallery/2026-05/scaled-1680-/2laHWFH7kCNicSM3-image.png)](https://bookstack.soffid.com/uploads/images/gallery/2026-05/2laHWFH7kCNicSM3-image.png)

#### 6.2 Create the PAM group

Create a new group and register the **store** with its **user** and **password**, along with the **launcher**.

<p class="callout success">If everything goes well, it will let you save the changes!</p>

[![image.png](https://bookstack.soffid.com/uploads/images/gallery/2026-05/scaled-1680-/H5hsir5RfUy1rswQ-image.png)](https://bookstack.soffid.com/uploads/images/gallery/2026-05/H5hsir5RfUy1rswQ-image.png)

## Step 7: Open a web session

#### 7.1 Password vault

Go to **Password vault** page.

[![image.png](https://bookstack.soffid.com/uploads/images/gallery/2026-05/scaled-1680-/PrYmSOqepcB0xhqa-image.png)](https://bookstack.soffid.com/uploads/images/gallery/2026-05/PrYmSOqepcB0xhqa-image.png)

#### 7.2 Create an account

Create a new folder "Password vault accounts" with the button "Add new".

Now, on the "Password vault accounts" folder, click the three dots icon and "Create new account".

[![image.png](https://bookstack.soffid.com/uploads/images/gallery/2026-05/scaled-1680-/84AWorlMkHSQfowV-image.png)](https://bookstack.soffid.com/uploads/images/gallery/2026-05/84AWorlMkHSQfowV-image.png)

Add these values and click the disk (save) button.

[![image.png](https://bookstack.soffid.com/uploads/images/gallery/2026-05/scaled-1680-/zTl1IFh7mpeXTmQp-image.png)](https://bookstack.soffid.com/uploads/images/gallery/2026-05/zTl1IFh7mpeXTmQp-image.png)

Save a dummy password.

[![image.png](https://bookstack.soffid.com/uploads/images/gallery/2026-05/scaled-1680-/8t1AIWjTZX6loHH5-image.png)](https://bookstack.soffid.com/uploads/images/gallery/2026-05/8t1AIWjTZX6loHH5-image.png)

[![image.png](https://bookstack.soffid.com/uploads/images/gallery/2026-05/scaled-1680-/Uw7cyNMlHlOwwSFF-image.png)](https://bookstack.soffid.com/uploads/images/gallery/2026-05/Uw7cyNMlHlOwwSFF-image.png)

#### 7.3 Launch

Click the Launch button to confirm that the launcher can open the session type correctly.

[![image.png](https://bookstack.soffid.com/uploads/images/gallery/2026-05/scaled-1680-/rYCkXEkuU2HGvtxX-image.png)](https://bookstack.soffid.com/uploads/images/gallery/2026-05/rYCkXEkuU2HGvtxX-image.png)

[![image.png](https://bookstack.soffid.com/uploads/images/gallery/2026-05/scaled-1680-/KnxwmN7Xxt3gOlTj-image.png)](https://bookstack.soffid.com/uploads/images/gallery/2026-05/KnxwmN7Xxt3gOlTj-image.png)

<p class="callout success">Now you have the PAM environment ready to continue.</p>

# Installing PAM using Kubernetes

How to install PAM using Kubernetes

# PAM Jump Server Installation

The purpose of this tutorial is to show how to install Jump servers and configure PAM using Kubernetes, to use critical resources without knowing the password required.

### Jump Server

> A jump server, jump host or jump box is a system on a network used to access and manage devices in a separate security zone. A jump server is a hardened and monitored device that spans two dissimilar security zones and provides a controlled means of access between them. (\*)

## Installation

### 1. Execute the Store YAML

```yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  namespace: iam
  name: pam-storage
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 10Gi
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: pam-store
  namespace: iam
  labels:
    app: pam-store
spec:
  strategy:
    rollingUpdate:
      maxSurge: 0
      maxUnavailable: 1
    type: RollingUpdate
  replicas: 1
  selector:
    matchLabels:
      app: pam-store
  template:
    metadata:
      labels:
        app: pam-store
    spec:
      restartPolicy: Always
      containers:
        - name: pam-store
          image: soffid/pam-store:1.4.31
          volumeMounts:
          - name: data
            mountPath: /opt/soffid/tomee/data
          ports:
          - containerPort: 8080
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: pam-storage
      imagePullSecrets:
      - name: regcred
---
kind: Service
apiVersion: v1
metadata:
  name: pam-store-service
  namespace: iam
spec:
  selector:
    app: pam-store
  ports:
    - name: http
      port: 8080
      protocol: TCP

```

### 2. Create a user in the Store to use it in the Launcher

Once we are connected to the Store, we need to run a script to create the user. The script takes two parameters, the user name and the role; for this user we have to type launcher in the role parameter.

```shell
root@soffid-pam-store:/# /opt/soffid/tomee/bin/add-user.sh launcher001 launcher
Password: xxxxxx+JJnLlRtcBIGj+qQGyNHYR4zhkl7HucBsxxxx04zQ7ccccc3333
root@soffid-pam-store:/#
```

As a result of the script, we receive the password for the created user. This password will be needed later when we create the launcher container.

### 3. Create a user in the Store to use it in the Console

Once we are connected to the Store, we need to run a script to create the user. The script takes two parameters, the user name and the role; for this user we have to type console in the role parameter.

```shell
root@soffid-pam-store:/# /opt/soffid/tomee/bin/add-user.sh userconsole console
Password: dddddd+JJnLlRtcBIGj+qQGyNHYR4zhkl7HucBsxxxx04zQ7cccaaaawwwww
root@soffid-pam-store:/#
```

As a result of the script, we receive the password for the created user. This password will be needed later when we configure PAM in the Soffid Console.

### 4. Execute the Launcher YAML

YAML example to create the Launcher using traefik as the Ingress Controller.

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: iam
  name: pam-launcher
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: pam-launcher
  namespace: iam
rules:
  - verbs:
      - get
      - update
      - create
      - delete
      - list
      - watch
    apiGroups:
      - ''
    resources:
      - pods/attach
      - pods/log
      - pods
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: pam-launcher
  namespace: iam
subjects:
  - kind: ServiceAccount
    name: pam-launcher
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: pam-launcher
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: pam-launcher
  namespace: iam
  labels:
    role: pam-launcher
spec:
  strategy:
    rollingUpdate:
      maxSurge: 0
      maxUnavailable: 1
    type: RollingUpdate
  replicas: 1
  selector:
    matchLabels:
      role: pam-launcher
  template:
    metadata:
      labels:
        role: pam-launcher
    spec:
      serviceAccountName: pam-launcher
      restartPolicy: Always
      containers:
        - name: pam-launcher
          image: soffid/pam-launcher:latest
          imagePullPolicy: Always
          volumeMounts:
          - name: data
            mountPath: /opt/soffid/tomee/launcher
          ports:
          - containerPort: 8080
          env:
          - name: STORE_SERVER
            value: http://pam-store-service:8080
          - name: STORE_USER
            value: userLauncher
          - name: STORE_PASSWORD
            value: dddddddGf14+JJnLlRtcBIGj+ddddddddd4zhkl7HucBs9eVU6wQg044444444
      volumes:
        - name: data
          nfs:
            # URL for the NFS server service
            server: "YOUR_SERVER_IP"
            path: /pam-launcher
      imagePullSecrets:
      - name: regcred
---
kind: Service
apiVersion: v1
metadata:
  name: pam-launcher
  namespace: iam
spec:
  selector:
    role: pam-launcher
  ports:
    # Open the ports required by the NFS server
    # Port 2049 for TCP
    - name: http
      port: 8080
      protocol: TCP
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: launcher
  namespace: iam
spec:
  entryPoints:                      # [1]
    - https
  routes:                           # [2]
  - kind: Rule
    match: Host("pam-launcher.deployment.com") 
    priority: 10                    # [4]
    services:                       # [8]
    - kind: Service
      name: pam-launcher
      namespace: iam
      passHostHeader: true
      port: 8080                      # [9]
      responseForwarding:
        flushInterval: 1ms
      scheme: http
      sticky:
        cookie:
          httpOnly: true
          name: srvrid
          secure: true
          sameSite: none
      strategy: RoundRobin
      weight: 10
  tls:
    secretName: SECRET_NAME
---
# Service to locate PASR containers
apiVersion: v1
kind: Service
metadata:
  name: pasr
  namespace: iam
spec:
  selector:
    type: pasr
  clusterIP: None
  ports:
  - name: vnc # Actually, no port is needed.
    port: 5900
    targetPort: 5900
---

```

### 5. Configure the Console

[![image.png](https://bookstack.soffid.com/uploads/images/gallery/2024-08/scaled-1680-/8Cn4v2ygTQZZjLXo-image.png)](https://bookstack.soffid.com/uploads/images/gallery/2024-08/8Cn4v2ygTQZZjLXo-image.png)

### Privileged Account Session Recording

Bear in mind that you need to download the latest image of the Privileged Account Session Recording container for each protocol you need.

- soffid-pasr-ssh
- soffid-pasr-rdp
- soffid-pasr-jdbc
- soffid-pasr-http
- soffid-pasr-https
- soffid-pasr-tn5250
- soffid-pasr-kube

---

To save a Web session you will need to add some parameters to the launcher system.properties (/opt/soffid/tomee/conf/system.properties).

Parameters to add:

```shell
SOFFID_PAM_PARAMS_http=--shm-size=1024m  --privileged -eVNCSERVER=yes
SOFFID_PAM_PARAMS_https=--shm-size=1024m  --privileged -eVNCSERVER=yes
```

---

*(\*) [https://en.wikipedia.org/wiki/Jump\_server](https://en.wikipedia.org/wiki/Jump_server)*

# Configure PAM session servers

## Definition

Soffid provides the functionality that allows you to [Configure PAM session servers](https://bookstack.soffid.com/books/soffid-4-reference-guide/page/configure-pam-session-servers "Configure PAM session servers").

To configure that functionality, it is mandatory to install PAM following the instructions on the [PAM installation page](https://bookstack.soffid.com/books/pam/page/pam-installation "PAM installation").

<p class="callout info">A jump server is the control point that forces users to log into that system first; from there they can traverse to other servers without having to log in again. The purpose of a jump server is to be the only gateway for access to your infrastructure, reducing the size of any potential attack surface.</p>

## Screen overview

<iframe allowfullscreen="allowfullscreen" height="314" src="//www.youtube.com/embed/iABzqU40Pws?rel=0" width="560"></iframe>

## Related objects

- **soffid-pam-store**: storage server container
- **soffid-pam-launcher**: launcher container

## Standard attributes

- **Group name**: name to identify the configuration.
- **Description**: a brief description.
- **User name**: user name given at installation of PAM.
- **Password**: password given at installation of PAM.
- **URL**: URL of the storage server. The default port is 8081.
- **Jump servers**: list of jump servers, one URL per jump server. The default port is 8082.

## Actions

<table border="1" id="bkmrk-apply-changes-allow-"><tbody><tr><td style="width: 139px;">**Add new**

</td><td style="width: 670px;">Allows you to add a new configuration of PAM. You can choose that option by clicking the add button (+).

You must fill in all the attributes to save a new configuration.

</td></tr><tr><td style="width: 139px;">**Delete**

</td><td style="width: 670px;">Allows you to delete one or more PAM configuration records; you must select one or more records from the list and click the button with the subtraction symbol (-).

To perform that action, Soffid will ask you for confirmation; you can confirm or cancel the operation.

</td></tr><tr><td style="width: 139px;">**Apply changes**

</td><td style="width: 670px;">Allows you to create a new PAM configuration or update an existing one. To save the data, the required fields must be filled in, and the user name and password must be correct for the connection to succeed.

</td></tr><tr><td style="width: 139px;">**Undo**

</td><td style="width: 670px;">Allows you to quit without applying any changes made.

</td></tr></tbody></table>

# SSH gateway

# SSH Gateway Docker Installation

## Introduction

Soffid allows you to deploy a new docker container with the **ssh gateway**. The configuration is similar to the sync server configuration; the main difference is that the ssh container listens for SSH connections.

## Prerequisites

The SSH Service is only released as a docker service.

<span style="color: #a6d100; font-weight: bold; font-size: 18px;">1.</span> Install docker ( [https://docs.docker.com/install/](https://docs.docker.com/install/) )

<span style="color: #a6d100; font-weight: bold; font-size: 18px;">2.</span> Install Soffid PAM (store container and launcher container)

<p class="callout info">You can visit the [PAM Jump Server Installation page](https://bookstack.soffid.com/books/pam-install-config/page/pam-jump-server-installation) for more information about how to install PAM</p>

<span style="color: #a6d100; font-weight: bold; font-size: 18px;">3.</span> Create a Docker network(\*), that network allows you to connect containers to the same bridge network to communicate:

```
sudo docker network create -d bridge NETWORKNAME
```

*\* You can use the same network defined in the Console and Sync Server installation to avoid visibility problems.*

## Installation

The steps required to install the SSH container are:

### 1. Create a user

We need to create a user in the pam store container. To do this, we need to connect to the store container.

```shell
sudo docker exec -it soffid-pam-store /bin/bash
```

Once we are connected to the container, we need to run a script to create the user. The script takes two parameters, the user name and the role; we have to type launcher in the role parameter.

```shell
root@soffid-pam-store:/# /opt/soffid/tomee/bin/add-user.sh proxysshtest launcher
Password: c4ZRcmgemq3nMr1VQJCD1pJRhPbdX5hrmmrP6RX7zBE4HSs3RV3+cGwDdL1WaaqZ
root@soffid-pam-store:/#
```

As a result of the script, we receive the password for the created user. This password will be needed later when we create the container.

### 2. Create volume

We need to create a volume that will be used by the docker container.

```shell
sudo docker volume create soffid-ssh
```

### 3. Create a docker container

Finally, we need to execute the command to create the ssh gateway container.

```shell
docker run \
--name soffid-ssh \
-e SOFFID_SERVER=https://iam-sync.soffidnet:1760 \
-e SOFFID_USER=admin \
-e SOFFID_PASS=changeit \
-e SOFFID_HOSTNAME=ssh-gateway \
-e STORE_SERVER=http://soffid-pam-store:8080 \
-e STORE_PASSWORD=kDH0vh8MFWWn843Vhzmj0Np7uzMEfbqFYM1ELCQqOf++tF0xfd=Ve2eGq81OXvqy \
-e STORE_USER=proxysshtest \
-v soffid-ssh:/opt/soffid/iam-sync/conf \
--publish 2222:22 \
--network=soffidnet \
soffid/pam-ssh:1.4.2
```

#### Environment Variables

To create the new SSH container you need to set the following environment variables:

<table border="1" id="bkmrk-variable-description"><tbody><tr bgcolor="#ddd"><td class="align-center" style="width: 175px;">**Variable**</td><td class="align-center" style="width: 336px;">**Description**</td><td class="align-center" style="width: 290px;">**Example**</td></tr><tr style="padding-left: 40px;"><td style="width: 175px;">SOFFID\_SERVER

</td><td style="width: 336px;">Sync Server URL

</td><td style="width: 290px;">https://syncserver01.soffid.com:1760

</td></tr><tr style="padding-left: 40px;"><td style="width: 175px;">SOFFID\_USER

</td><td style="width: 336px;">Soffid user to join the security domain

</td><td style="width: 290px;">admin

</td></tr><tr style="padding-left: 40px;"><td style="width: 175px;">SOFFID\_PASSWORD (set as SOFFID\_PASS in the docker run command above)

</td><td style="width: 336px;">Soffid user password

</td><td style="width: 290px;">changeit

</td></tr><tr style="padding-left: 40px;"><td style="width: 175px;">SOFFID\_HOSTNAME

</td><td style="width: 336px;">The hostname used to access the ssh gateway

</td><td style="width: 290px;">ssh-gateway

</td></tr><tr style="padding-left: 40px;"><td style="width: 175px;">STORE\_SERVER

</td><td style="width: 336px;">Store URL

</td><td style="width: 290px;">http://soffid-pam-store:8080

</td></tr><tr style="height: 29px;"><td style="width: 175px;">STORE\_PASSWORD

</td><td style="width: 336px;">Password received when you created the user in the store container.

</td><td style="width: 290px;">\*\*\*\*\*\*\*\*\*\*\*\*

</td></tr><tr style="height: 29px;"><td style="width: 175px;">STORE\_USER

</td><td style="width: 336px;">Store user

</td><td style="width: 290px;">proxyssh

</td></tr></tbody></table>

# SSH Gateway Docker Compose Installation

## Introduction

Soffid allows you to deploy a new docker container with the **ssh gateway**. The configuration is similar to the sync server configuration; the main difference is that the ssh container listens for SSH connections.

## Prerequisites

The SSH Service is only released as a docker service.

<span style="color: #a6d100; font-weight: bold; font-size: 18px;">1.</span> Install docker ([https://docs.docker.com/install/](https://docs.docker.com/install/))

<span style="color: #a6d100; font-weight: bold; font-size: 18px;">2.</span> Install docker compose ([https://docs.docker.com/compose/install/](https://docs.docker.com/compose/install/))

<span style="color: #a6d100; font-weight: bold; font-size: 18px;">3.</span> Install Soffid PAM (store container and launcher container)

<p class="callout info">You can visit the [PAM Jump Server Installation page](https://bookstack.soffid.com/books/pam-install-config/page/pam-jump-server-installation-u6p) for more information about how to install PAM</p>

## Installation

The steps required to install the SSH container are:

### 1. Create a user

We need to create a user in the pam store container. To do this, we need to connect to the store container.

```shell
sudo docker exec -it soffid-pam-store /bin/bash
```

Once we are connected to the container, we need to run a script to create the user. The script takes two parameters, the user name and the role; we have to type launcher in the role parameter.

```shell
root@soffid-pam-store:/# /opt/soffid/tomee/bin/add-user.sh proxyssh-user launcher
Password: c4ZRcmgemq3nMr1VQJCD1pJRhPbdX5hrmmrP6RX7zBE4HSs3RV3+cGwDdL1WaaqZ
root@soffid-pam-store:/#
```

As a result of the script, we receive the password for the created user. This password will be needed later when we create the container.

### 2. Execute the YAML

```yaml
version: '3.8'

services:
  ssh-gateway:
    image: soffid/pam-ssh:1.4.47
    environment:
      SOFFID_SERVER: https://syncserver01.soffid.com:1760
      SOFFID_USER: soffidUser
      SOFFID_PASS: SoffidPassword
      SOFFID_HOSTNAME: ssh-gateway
      STORE_SERVER: https://soffid-pam-store:8443
      STORE_PASSWORD: c4ZRcmgemq3nMr1VQJCD1pJRhPbdX5hrmmrP6RX7zBE4HSs3RV3+cGwDdL1WaaqZ
      STORE_USER: proxyssh-user
    ports: 
      - "2222:22"
    networks:
      - network
    volumes:
      - ssh-gateway-data:/opt/soffid/iam-sync/conf
     
networks:
  network:
    name: netcompose
    driver: bridge

volumes:
  ssh-gateway-data:
    name: compose-ssh-gateway-data
```

Execute:

```shell
sudo docker compose up -d
```

#### Environment Variables

To create the new SSH container you need to set the following environment variables:

<table border="1" id="bkmrk-variable-description"><tbody><tr bgcolor="#ddd"><td class="align-center" style="width: 175px;">**Variable**</td><td class="align-center" style="width: 336px;">**Description**</td><td class="align-center" style="width: 290px;">**Example**</td></tr><tr style="padding-left: 40px;"><td style="width: 175px;">SOFFID\_SERVER

</td><td style="width: 336px;">Sync Server URL

</td><td style="width: 290px;">https://syncserver01.soffid.com:1760

</td></tr><tr style="padding-left: 40px;"><td style="width: 175px;">SOFFID\_USER

</td><td style="width: 336px;">Soffid user to join the security domain

</td><td style="width: 290px;">admin

</td></tr><tr style="padding-left: 40px;"><td style="width: 175px;">SOFFID\_PASSWORD (set as SOFFID\_PASS in the compose file above)

</td><td style="width: 336px;">Soffid user password

</td><td style="width: 290px;">\*\*\*\*\*\*\*\*\*

</td></tr><tr style="padding-left: 40px;"><td style="width: 175px;">SOFFID\_HOSTNAME

</td><td style="width: 336px;">The hostname used to access the ssh gateway

</td><td style="width: 290px;">ssh-gateway

</td></tr><tr style="padding-left: 40px;"><td style="width: 175px;">STORE\_SERVER

</td><td style="width: 336px;">Store URL

</td><td style="width: 290px;">http://soffid-pam-store:8080

</td></tr><tr style="height: 29px;"><td style="width: 175px;">STORE\_PASSWORD

</td><td style="width: 336px;">Password received when you created the user in the store container.

</td><td style="width: 290px;">\*\*\*\*\*\*\*\*\*\*\*\*

</td></tr><tr style="height: 29px;"><td style="width: 175px;">STORE\_USER

</td><td style="width: 336px;">Store user

</td><td style="width: 290px;">proxyssh

</td></tr></tbody></table>

# SSH Gateway Connection

## Introduction

We can establish a connection to the target system using the SSH remote access protocol.

### How to connect 1

You can establish the connection with the ssh gateway, and then Soffid will ask for your password and the parameters of the target system to connect:

- **Password**: password of your account to connect to Soffid.
- **Target server**: system to which you want to connect.
- **Account to use**: account to use to connect to the target system.
- **Account source system**: system the account belongs to; leave it blank to use a local account of the target system.

```shell
root@soffid:~# ssh -p 2222 dilbert@ssh-gateway
Password: 
Target server: 10.129.120.5
Account to use: patricia
Account source system [leave blank to use a target system local account]: 
 ________________________________________
|                 __                     |
|              __/       |               |
|   __   __  _/__|__o  __|               |
|  |__  /  \  |  |  | /  |               |
|   __| \__/  |  |  | \__/  SSH GATEWAY  |
|           __/                          |
|                                        |
| Hello dilbert                          |
| NOTICE: This session is being recorded |
|________________________________________|

Connecting to 10.129.120.5 as patricia
Last login: Fri Apr  8 08:39:23 2022 from 10.129.120.6
[patricia@forgecentos ~]$
```

### How to connect 2

You can establish the connection with the target system by typing all the connection parameters in one line, as AccountName\_\_HostName\_\_TargetAccount. At the end, Soffid will ask for the password of your account to connect.

- **Account name**: account to connect to Soffid.
- **Host name**: target system to which you want to connect.
- **Target account**: account to connect to the target system.
- **Password**: password of your account to connect to Soffid.

```shell
root@soffid:~# ssh -p 2222 dilbert__10.129.120.5__patricia@ssh-gateway
Password: 
 ________________________________________
|                 __                     |
|              __/       |               |
|   __   __  _/__|__o  __|               |
|  |__  /  \  |  |  | /  |               |
|   __| \__/  |  |  | \__/  SSH GATEWAY  |
|           __/                          |
|                                        |
| Hello dilbert                          |
| NOTICE: This session is being recorded |
|________________________________________|

Connecting to 10.129.120.5 as patricia
Last login: Fri Apr  8 09:57:22 2022 from 10.129.120.6
[patricia@forgecentos ~]$ 

```

### How to connect 3

You can establish the connection with the target system by typing all the connection parameters in one line, as AccountName\_\_HostName\_\_TargetAccount, and authenticating with an ssh key.

- **Account name**: account to connect to Soffid.
- **Host name**: target system to which you want to connect.
- **Target account**: account to connect to the target system.

You can generate an ssh key to connect or use your existing ssh key.

- Generate a new ssh key: `ssh-keygen -t rsa`
- Read an existing ssh key: `cat .ssh/id_rsa.pub`

Then you need to add the public key to your user data in the Soffid Console.

Finally, you can establish the connection.

```shell
pgarcia@soffid:~$ ssh -p 2222 pgarcia__10.129.120.5__patricia@ssh-gateway
 ________________________________________
|                 __                     |
|              __/       |               |
|   __   __  _/__|__o  __|               |
|  |__  /  \  |  |  | /  |               |
|   __| \__/  |  |  | \__/  SSH GATEWAY  |
|           __/                          |
|                                        |
| Hello pgarcia                          |
| NOTICE: This session is being recorded |
|________________________________________|

Connecting to 10.129.120.5 as patricia
Last login: Fri Apr  8 11:57:19 2022 from 10.129.120.6
[patricia@forgecentos ~]$ 

```

<p class="callout warning">Soffid needs the **ssh\_key** attribute in the user object metadata; please check that the attribute has been created properly and fill it in with your public key.</p>

[![image-1649409347766.png](https://bookstack.soffid.com/uploads/images/gallery/2022-04/scaled-1680-/image-1649409347766.png)](https://bookstack.soffid.com/uploads/images/gallery/2022-04/image-1649409347766.png)

[![image-1650351248718.png](https://bookstack.soffid.com/uploads/images/gallery/2022-04/scaled-1680-/image-1650351248718.png)](https://bookstack.soffid.com/uploads/images/gallery/2022-04/image-1650351248718.png)
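The `ssh_key` attribute above holds the public key the gateway will accept, so it is worth checking what gets pasted into it. The following Python check is an added example, not part of Soffid: it verifies that the value is a single OpenSSH public-key line of an accepted type, that the base64 blob really encodes a key of that type (the algorithm name is the first field of the blob), that RSA keys meet a minimum size, and that nobody pasted the private key by mistake. The sample keys are constructed, not real key pairs, and the accepted-type list and minimum RSA size are assumptions of this example.

```python
"""Sanity checks for the OpenSSH public key stored in the ssh_key attribute."""
import base64
import hashlib
import struct
from typing import Tuple

# Assumed policy: key types the gateway user may register (not a Soffid setting).
ACCEPTED_TYPES = {
    "ssh-ed25519", "ssh-rsa",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
}


def ssh_string(data: bytes) -> bytes:
    """Length-prefixed string of the SSH wire format (RFC 4251)."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(value: int) -> bytes:
    """Multiple-precision integer: big-endian, with a leading 0x00 if the top bit is set."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return ssh_string(raw)


def read_string(blob: bytes, offset: int) -> Tuple[bytes, int]:
    """Read one length-prefixed string, returning it and the next offset."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end


def build_public_key_line(key_type: str, blob: bytes, comment: str = "") -> str:
    """Format a key the way ~/.ssh/id_*.pub stores it: '<type> <base64> [comment]'."""
    line = f"{key_type} {base64.b64encode(blob).decode()}"
    return f"{line} {comment}" if comment else line


# Constructed sample keys: structurally valid lines whose key material is made up
# (bytes(range(32)) and a synthetic RSA modulus); they are not real key pairs.
SAMPLE_ED25519_LINE = build_public_key_line(
    "ssh-ed25519", ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32))), "dilbert@workstation")
SAMPLE_RSA_LINE = build_public_key_line(
    "ssh-rsa", ssh_string(b"ssh-rsa") + ssh_mpint(65537) + ssh_mpint((1 << 2047) | 1), "pgarcia@workstation")


def key_bits(key_type: str, blob: bytes) -> int:
    """Key size in bits, read from the blob rather than trusted from the line."""
    _, offset = read_string(blob, 0)            # algorithm name, checked by the caller
    if key_type == "ssh-ed25519":
        return 256
    if key_type == "ssh-rsa":
        _, offset = read_string(blob, offset)   # public exponent e
        modulus, _ = read_string(blob, offset)  # modulus n
        return int.from_bytes(modulus, "big").bit_length()
    return int(key_type.rsplit("nistp", 1)[1])  # ecdsa-sha2-nistpNNN


def parse_public_key(line: str, min_rsa_bits: int = 2048) -> dict:
    """Validate one public-key line; return its type, size, OpenSSH fingerprint and comment."""
    text = line.strip()
    if "PRIVATE KEY" in text:
        raise ValueError("this is a private key; only the public (.pub) key belongs in ssh_key")
    if "\n" in text:
        raise ValueError("ssh_key must hold exactly one public-key line")
    parts = text.split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64 blob> [comment]'")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    if key_type not in ACCEPTED_TYPES:
        raise ValueError(f"unsupported key type {key_type!r}")
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError as exc:                   # binascii.Error is a ValueError subclass
        raise ValueError("key blob is not valid base64") from exc
    declared, _ = read_string(blob, 0)
    if declared != key_type.encode("ascii"):
        raise ValueError(f"blob holds a {declared!r} key but the line says {key_type!r}")
    bits = key_bits(key_type, blob)
    if key_type == "ssh-rsa" and bits < min_rsa_bits:
        raise ValueError(f"RSA key is only {bits} bits; at least {min_rsa_bits} required")
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"type": key_type, "bits": bits, "fingerprint": "SHA256:" + digest, "comment": comment}


if __name__ == "__main__":
    for sample in (SAMPLE_ED25519_LINE, SAMPLE_RSA_LINE):
        print(parse_public_key(sample))
```

The fingerprint it returns is in the same `SHA256:` form `ssh-keygen -lf` prints, so an operator can compare it with the key on the user's workstation before saving the attribute.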

---

*[https://es.wikipedia.org/wiki/Secure\_Shell](https://es.wikipedia.org/wiki/Secure_Shell)*

# RDP gateway

# RDP Gateway Docker Installation

## Introduction

Soffid allows you to deploy a new docker container with the **RDP gateway**. The configuration is similar to the sync server configuration.

### Prerequisites

The RDP Service is only released as a docker service.

<span style="color: #a6d100; font-weight: bold; font-size: 18px;">1.</span> Install docker ( [https://docs.docker.com/install/](https://docs.docker.com/install/) )

<span style="color: #a6d100; font-weight: bold; font-size: 18px;">2.</span> Install Soffid PAM (store container and launcher container)

<p class="callout info">You can visit the [PAM Jump Server Installation page](https://bookstack.soffid.com/books/pam-install-config/page/pam-jump-server-installation) for more information about how to install PAM</p>

<span style="color: #a6d100; font-weight: bold; font-size: 18px;">3.</span> Create a Docker network(\*), that network allows you to connect containers to the same bridge network to communicate:

```
sudo docker network create -d bridge NETWORKNAME
```

*\* You can use the same network defined in the Console and Sync Server installation to avoid visibility problems.*

## Installation

The steps required to install the RDP container are:

### 1. Create a user

We need to create a user in the pam store container. To do this, we need to connect to the store container.

```shell
sudo docker exec -it soffid-pam-store /bin/bash
```

Once we are connected to the container, we need to run a script to create the user. The script takes two parameters, the user name and the role; we have to type launcher in the role parameter.

```shell
root@soffid-pam-store:/# /opt/soffid/tomee/bin/add-user.sh proxyrdptest launcher
Password: c4ZRcmgemq3nMr1VQJCD1pJRhPbdX5hrmmrP6RX7zBE4HSs3RV3+cGwDdL1WaaqZ
root@soffid-pam-store:/#
```

As a result of the script, we receive the password for the created user. This password will be needed later when we create the container.

### 2. Create volume

We need to create a volume that will be used by the docker container.

```shell
sudo docker volume create soffid-rdp
```

### 3. Create a docker container

Finally, we need to execute the command to create the rdp gateway container.

```shell
docker run \
  --name soffid-rdp \
  -e SOFFID_SERVER=https://iam-sync.soffidnet:1760 \
  -e SOFFID_USER=admin \
  -e SOFFID_PASS=changeit \
  -e SOFFID_HOSTNAME=rdp-gateway \
  -e STORE_SERVER=http://soffid-pam-store:8080 \
  -e STORE_PASSWORD=/Dp77Kho5QB2vVKjNNGmXYLzVa6PoPWJ8p0E4O7EP++9/ZM+l3cieGKMRSgOnFCMc \
  -e STORE_USER=proxyrdp \
  -v soffid-rdp:/opt/soffid/iam-sync/conf \
  --privileged \
  --shm-size=1024m  \
  -p 3389:3389 \
  --network=soffidnet.internal \
  soffid/pam-rdp:1.4.2
```

#### Environment Variables

To create the new RDP container you need to set the following environment variables:

<table border="1" id="bkmrk-variable-description"><tbody><tr bgcolor="#ddd"><td class="align-center" style="width: 175px;">**Variable**</td><td class="align-center" style="width: 336px;">**Description**</td><td class="align-center" style="width: 290px;">**Example**</td></tr><tr style="padding-left: 40px;"><td style="width: 175px;">SOFFID\_SERVER

</td><td style="width: 336px;">Sync Server URL

</td><td style="width: 290px;">https://syncserver01.soffid.com:1760

</td></tr><tr style="padding-left: 40px;"><td style="width: 175px;">SOFFID\_USER

</td><td style="width: 336px;">Soffid user to join the security domain

</td><td style="width: 290px;">admin

</td></tr><tr style="padding-left: 40px;"><td style="width: 175px;">SOFFID\_PASSWORD

</td><td style="width: 336px;">Soffid user password

</td><td style="width: 290px;">changeit

</td></tr><tr style="padding-left: 40px;"><td style="width: 175px;">SOFFID\_HOSTNAME

</td><td style="width: 336px;">The hostname used to access the ssh gateway

</td><td style="width: 290px;">ssh-gateway

</td></tr><tr style="padding-left: 40px;"><td style="width: 175px;">STORE\_SERVER

</td><td style="width: 336px;">Store URL

</td><td style="width: 290px;">http://soffid.pat.pam:8082

</td></tr><tr style="height: 29px;"><td style="width: 175px;">STORE\_PASSWORD

</td><td style="width: 336px;">Password received when you created the user in the store container.

</td><td style="width: 290px;">\*\*\*\*\*\*\*\*\*\*\*\*

</td></tr><tr style="height: 29px;"><td style="width: 175px;">STORE\_USER

</td><td style="width: 336px;">Store user

</td><td style="width: 290px;">proxyrdp

</td></tr></tbody></table>

# RDP Gateway Docker Compose Installation

## Introduction

Soffid allows you to deploy a new docker container with the **RDP gateway**. The configuration is similar to the sync server configuration.

### Prerequisites

The RDP gateway is released only as a Docker image.

<span style="color: #a6d100; font-weight: bold; font-size: 18px;">1.</span> Install docker ([https://docs.docker.com/install/](https://docs.docker.com/install/))

<span style="color: #a6d100; font-weight: bold; font-size: 18px;">2.</span> Install docker compose ([https://docs.docker.com/compose/install/](https://docs.docker.com/compose/install/))

<span style="color: #a6d100; font-weight: bold; font-size: 18px;">3.</span> Install Soffid PAM (store container and launcher container)

<p class="callout info">You can visit the [PAM Jump Server Installation page](https://bookstack.soffid.com/books/pam-install-config/page/pam-jump-server-installation-u6p) for more information about how to install PAM</p>

## Installation

The steps required to install RDP container are:

### 1. Create a user

We need to create a user in the pam store container. To do this, we need to connect to the store container.

```shell
sudo docker exec -it soffid-pam-store /bin/bash
```

Once connected to the container, run the script that creates the user. It takes two parameters, the user name and the role; the role must be `launcher`:

```shell
root@soffid-pam-store:/# /opt/soffid/tomee/bin/add-user.sh proxyrdp-user launcher
Password: c4ZRcmgemq3nMr1VQJCD1pJRhPbdX5hrmmrP6RX7zBE4HSs3RV3+cGwDdL1WaaqZ
root@soffid-pam-store:/#
```

The script prints the password of the user it just created. Keep it: it becomes the `STORE_PASSWORD` value in the Compose file, and the user name you passed to the script must be the value you set as `STORE_USER` (the example run above creates `proxyrdp-user`, so use that name, or whichever name you chose, rather than copying `proxyrdp` from the file below unchanged).

### 2. Write and run the Compose file

Save the following as `docker-compose.yml`, replacing the Soffid credentials, the `STORE_PASSWORD` printed in step 1 and the `STORE_USER` name you passed to add-user.sh. The service publishes port 3389, the RDP port, as the `docker run` example on this page does.

```yaml
# Compose v2 ignores the version key (it only warns); kept for older clients.
version: '3.8'

services:
  rdp-gateway:
    image: soffid/pam-rdp:1.4.47
    environment:
      SOFFID_SERVER: https://syncserver01.soffid.com:1760
      SOFFID_USER: admin
      SOFFID_PASS: admin123            # example value, replace it
      SOFFID_HOSTNAME: rdp-gateway-2
      STORE_SERVER: https://soffid-pam-store:8443
      # Password printed by add-user.sh in step 1. Values written here end up
      # in version control and in `docker compose config` output; an env_file
      # or a Docker secret keeps them out of the compose file.
      STORE_PASSWORD: c4ZRcmgemq3nMr1VQJCD1pJRhPbdX5hrmmrP6RX7zBE4HSs3RV3+cGwDdL1WaaqZ
      STORE_USER: proxyrdp             # must match the name given to add-user.sh
    ports: 
      - "3389:3389"                    # RDP
    networks:
      - network
    volumes:
      - rdp-gateway-data:/opt/soffid/iam-sync/conf

networks:
  network:
    name: netcompose
    driver: bridge

volumes:
  rdp-gateway-data:
    name: compose-rdp-gateway-data
```

Execute:

```shell
sudo docker compose up -d
```
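The following script is an added example; it is not part of Soffid's documentation or tooling. It wires together the steps of both the `docker run` installation and the Compose installation above: it runs add-user.sh in the store container, captures the password the script prints, and writes a gateway environment file with mode 0600 that a generated compose file references through `env_file` (the same file also works with `docker run --env-file`). That way the store password is never typed on a command line or committed inside `docker-compose.yml`, and `STORE_USER` cannot differ from the name given to add-user.sh because both come from one variable. Container, image, user and port names are the ones used on this page; the sync server URL and admin credentials are placeholders to override through the environment. Nothing talks to Docker unless `RUN_DOCKER=1` is set.

```shell
#!/bin/sh
# Added example, not Soffid's own tooling. Creates the store user, captures
# its password and starts the RDP gateway with the secret kept in a 0600 file.
# Assumed names (from this page): soffid-pam-store, proxyrdp, soffid/pam-rdp:1.4.47.
# Set RUN_DOCKER=1 to actually execute the docker commands.

STORE_CONTAINER="${STORE_CONTAINER:-soffid-pam-store}"
STORE_USER_NAME="${STORE_USER_NAME:-proxyrdp}"
GATEWAY_IMAGE="${GATEWAY_IMAGE:-soffid/pam-rdp:1.4.47}"
WORKDIR="${WORKDIR:-.}"

# add-user.sh prints "Password: <secret>"; return only the secret (empty if absent).
parse_store_password() {
    printf '%s\n' "$1" | sed -n 's/^Password:[[:space:]]*//p' | head -n 1
}

# Write the gateway environment with mode 0600. STORE_USER comes from the same
# variable that was passed to add-user.sh, so the two names cannot drift apart.
write_env_file() {
    _path=$1 _user=$2 _pass=$3
    _old_umask=$(umask)
    umask 077
    cat > "$_path" <<EOF
SOFFID_SERVER=${SOFFID_SERVER:-https://syncserver01.soffid.com:1760}
SOFFID_USER=${SOFFID_USER:-admin}
SOFFID_PASS=${SOFFID_PASS:-changeit}
SOFFID_HOSTNAME=${SOFFID_HOSTNAME:-rdp-gateway}
STORE_SERVER=${STORE_SERVER:-https://${STORE_CONTAINER}:8443}
STORE_USER=${_user}
STORE_PASSWORD=${_pass}
EOF
    umask "$_old_umask"
}

# Compose file that references the env file instead of embedding secrets.
# Only the RDP port is published; the store is reached over the bridge network.
write_compose_file() {
    _path=$1 _env=$2
    cat > "$_path" <<EOF
services:
  rdp-gateway:
    image: ${GATEWAY_IMAGE}
    env_file:
      - ${_env}
    ports:
      - "3389:3389"
    networks:
      - network
    volumes:
      - rdp-gateway-data:/opt/soffid/iam-sync/conf

networks:
  network:
    name: ${NETWORK_NAME:-netcompose}
    driver: bridge

volumes:
  rdp-gateway-data:
    name: compose-rdp-gateway-data
EOF
}

# Read one KEY=value (env file) or key: value (yaml) entry back from a file.
file_value() {
    sed -n "s/^[[:space:]]*$2[=:][[:space:]]*//p" "$1" | head -n 1
}

run_all() {
    _out=$(docker exec "$STORE_CONTAINER" \
        /opt/soffid/tomee/bin/add-user.sh "$STORE_USER_NAME" launcher)
    _pass=$(parse_store_password "$_out")
    [ -n "$_pass" ] || { echo "add-user.sh printed no password" >&2; return 1; }
    write_env_file "$WORKDIR/rdp-gateway.env" "$STORE_USER_NAME" "$_pass"
    # env_file paths are resolved relative to the compose file's directory.
    write_compose_file "$WORKDIR/docker-compose.yml" rdp-gateway.env
    docker compose -f "$WORKDIR/docker-compose.yml" up -d
}

if [ "${RUN_DOCKER:-0}" = 1 ]; then
    run_all
fi
```

The password is still readable by anyone who can run `docker inspect` or `docker compose config` on the host, so restrict the Docker socket as you would any root-equivalent interface; the script only keeps it out of shell history, process listings and the repository. To use the `docker run` path instead of Compose, pass the generated file with `docker run --env-file rdp-gateway.env ...` and drop the `-e` flags.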

##### Environment Variables

The RDP gateway container reads the following environment variables:

<table border="1" id="bkmrk-variable-description"><tbody>
<tr bgcolor="#ddd"><td class="align-center" style="width: 175px;">**Variable**</td><td class="align-center" style="width: 336px;">**Description**</td><td class="align-center" style="width: 290px;">**Example**</td></tr>
<tr><td style="width: 175px;">SOFFID\_SERVER</td><td style="width: 336px;">Sync Server URL</td><td style="width: 290px;">https://syncserver01.soffid.com:1760</td></tr>
<tr><td style="width: 175px;">SOFFID\_USER</td><td style="width: 336px;">Soffid user used to join the security domain</td><td style="width: 290px;">admin</td></tr>
<tr><td style="width: 175px;">SOFFID\_PASS</td><td style="width: 336px;">Password of that Soffid user (this is the variable name the Compose file above uses)</td><td style="width: 290px;">changeit</td></tr>
<tr><td style="width: 175px;">SOFFID\_HOSTNAME</td><td style="width: 336px;">Hostname under which the RDP gateway registers and is accessed</td><td style="width: 290px;">rdp-gateway</td></tr>
<tr><td style="width: 175px;">STORE\_SERVER</td><td style="width: 336px;">URL of the PAM store container</td><td style="width: 290px;">http://soffid.pat.pam:8082</td></tr>
<tr><td style="width: 175px;">STORE\_PASSWORD</td><td style="width: 336px;">Password printed by add-user.sh when the store user was created</td><td style="width: 290px;">\*\*\*\*\*\*\*\*\*\*\*\*</td></tr>
<tr><td style="width: 175px;">STORE\_USER</td><td style="width: 336px;">Store user; must be the exact name passed to add-user.sh</td><td style="width: 290px;">proxyrdp</td></tr>
</tbody></table>

# RDP Gateway Connection

## Introduction

We can establish a connection to the target system using the RDP remote access protocol. You can use a remote desktop client.

### How to connect 

Point a remote desktop client at the host and port published for the RDP gateway container (3389 in the examples above). Once connected, Soffid asks for the parameters of the session it will open on your behalf:

- **System name**: the target system you want to connect to.
- **Account name**: the Soffid account.
- **Account system**: the account used to connect to the target system.

[![image-1650883256715.png](https://bookstack.soffid.com/uploads/images/gallery/2022-04/scaled-1680-/image-1650883256715.png)](https://bookstack.soffid.com/uploads/images/gallery/2022-04/image-1650883256715.png)

[![image-1650880075277.png](https://bookstack.soffid.com/uploads/images/gallery/2022-04/scaled-1680-/image-1650880075277.png)](https://bookstack.soffid.com/uploads/images/gallery/2022-04/image-1650880075277.png)


---

[*https://es.wikipedia.org/wiki/Remote\_Desktop\_Protocol*](https://es.wikipedia.org/wiki/Remote_Desktop_Protocol)

# 📢 To bear in mind

If you are working with Mozilla Firefox, the following message may be displayed.  
To solve it, allow pop-up windows for the site, as shown in the screenshots below.

[![image-1681812413255.png](https://bookstack.soffid.com/uploads/images/gallery/2023-04/scaled-1680-/image-1681812413255.png)](https://bookstack.soffid.com/uploads/images/gallery/2023-04/image-1681812413255.png)

[![image-1681812548713.png](https://bookstack.soffid.com/uploads/images/gallery/2023-04/scaled-1680-/image-1681812548713.png)](https://bookstack.soffid.com/uploads/images/gallery/2023-04/image-1681812548713.png)

[![image-1681812585939.png](https://bookstack.soffid.com/uploads/images/gallery/2023-04/scaled-1680-/image-1681812585939.png)](https://bookstack.soffid.com/uploads/images/gallery/2023-04/image-1681812585939.png)

# Cannot retrieve password for account ... ...

## Error

### Description

Cannot retrieve the password for the account ... ...

### Screen overview

[![image-1701165557518.png](https://bookstack.soffid.com/uploads/images/gallery/2023-11/scaled-1680-/image-1701165557518.png)](https://bookstack.soffid.com/uploads/images/gallery/2023-11/image-1701165557518.png)

### Log

```
es.caib.seycon.ng.exception.InternalErrorException: Cannot retrieve password for account MV - pgarcia - Ubuntu 2 --> Connect Grant Account
	
at com.soffid.iam.service.PamSessionServiceImpl.createJumpServerSession(PamSessionServiceImpl.java:189)	
at com.soffid.iam.service.PamSessionServiceImpl.handleCreateCustomJumpServerSession(PamSessionServiceImpl.java:802)	
at com.soffid.iam.service.PamSessionServiceImpl.handleCreateJumpServerSession(PamSessionServiceImpl.java:144)	
at com.soffid.iam.addon.admin.ServiceMetricsInterceptor.invoke(ServiceMetricsInterceptor.java:36)	
at com.soffid.iam.service.ejb.PamSessionServiceBean.createJumpServerSession(PamSessionServiceBean.java:77)	... 76 more

Throws exception javax.ejb.EJBException: es.caib.seycon.ng.exception.InternalErrorException: Cannot retrieve password for account MV - pgarcia - Ubuntu 2 --> Connect Grant Account
	
at com.soffid.iam.service.ejb.PamSessionServiceBean.createJumpServerSession(PamSessionServiceBean.java:84)	... 57 more

Throws exception javax.ejb.EJBException: The bean encountered a non-application exception; nested exception is: 
	javax.ejb.EJBException: es.caib.seycon.ng.exception.InternalErrorException: Cannot retrieve password for account MV - pgarcia - Ubuntu 2 --> Connect Grant Account
	
at com.soffid.iam.web.vault.LaunchHelper.launchPamAccount(LaunchHelper.java:69)	
at com.soffid.iam.web.vault.LaunchHelper.launchAccount(LaunchHelper.java:60)	
at com.soffid.iam.web.account.VaultHandler.launch(VaultHandler.java:649)	
at com.soffid.iam.web.interp.RefInterpreter.exec(RefInterpreter.java:75)	... 48 more

Throws exception org.zkoss.zk.ui.UiException: javax.ejb.EJBException: The bean encountered a non-application exception; nested exception is: 
	javax.ejb.EJBException: es.caib.seycon.ng.exception.InternalErrorException: Cannot retrieve password for account MV - pgarcia - Ubuntu 2 --> Connect Grant Account
	
at com.soffid.iam.web.interp.RefInterpreter.exec(RefInterpreter.java:101)	
at com.soffid.addons.xacml.pep.XACMLFilter.doFilter(XACMLFilter.java:210)	
at es.caib.bpm.filters.WorkflowInterceptor.doFilter(WorkflowInterceptor.java:183)	
at com.soffid.iam.filter.TenantFilter.doFilter(TenantFilter.java:79)
```

## How to solve it

The jump server session fails because Soffid has no password stored for the account named in the message (`MV - pgarcia - Ubuntu 2` in the log above), so the launcher has nothing to inject into the session. Set a password for that account in Soffid and launch the session again.