PAM Jump Server Installation
This tutorial shows how to install the jump servers and configure PAM on Kubernetes, so that users can work on critical resources without ever knowing the passwords those resources require.
Jump Server
A jump server, jump host or jump box is a system on a network used to access and manage devices in a separate security zone. A jump server is a hardened and monitored device that spans two dissimilar security zones and provides a controlled means of access between them. (*)
Prerequisites
[Figure: prerequisites]
[Figure: screen overview]
Installation
1. Execute the Store YAML. It creates, in the iam namespace, a 10Gi ReadWriteOnce volume claim for the Store data, a single-replica Deployment of soffid/pam-store that mounts the claim at /opt/soffid/tomee/data, and a Service on port 8080 (ClusterIP, so the Store is reachable only from inside the cluster). The namespace and the registry pull secret named regcred must exist in iam before you apply the file, otherwise the image pull fails if the registry requires authentication. maxSurge is 0 because the claim is ReadWriteOnce: a rolling update has to stop the old pod before it starts the new one, so expect a short Store outage on every update.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  namespace: iam
  name: pam-storage
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 10Gi
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: pam-store
  namespace: iam
  labels:
    app: pam-store
spec:
  strategy:
    rollingUpdate:
      maxSurge: 0
      maxUnavailable: 1
    type: RollingUpdate
  replicas: 1
  selector:
    matchLabels:
      app: pam-store
  template:
    metadata:
      labels:
        app: pam-store
    spec:
      restartPolicy: Always
      containers:
        - name: pam-store
          image: soffid/pam-store:1.4.31
          volumeMounts:
            - name: data
              mountPath: /opt/soffid/tomee/data
          ports:
            - containerPort: 8080
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: pam-storage
      imagePullSecrets:
        - name: regcred
---
kind: Service
apiVersion: v1
metadata:
  name: pam-store-service
  namespace: iam
spec:
  selector:
    app: pam-store
  ports:
    - name: http
      port: 8080
      protocol: TCP
2. Create a user in the Store to be used by the Launcher.
3. Execute the Launcher YAML.
4. Create a user in the Store to be used by the Console.
5. Configure the Console.
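The Store part of the procedure above as a script, an added example rather than Soffid's own installer: it runs step 1 and the checks a practitioner wants before moving on to steps 2 to 5, which depend on the Launcher YAML and console screens not reproduced on this page. It assumes kubectl is already configured for the target cluster and that the registry credentials for the soffid/pam-store image are in a Docker config.json produced by docker login; the environment variables DOCKER_CONFIG_JSON and KUBECTL, the file name pam-store.yaml and the function names are this example's own.

```shell
#!/bin/sh
# deploy_pam_store.sh: apply the Store YAML from step 1 idempotently and verify the result.
# Added example, not Soffid's installer. Assumed names: DOCKER_CONFIG_JSON, KUBECTL, pam-store.yaml.
# Usage: DOCKER_CONFIG_JSON=$HOME/.docker/config.json ./deploy_pam_store.sh pam-store.yaml
NAMESPACE=iam                   # hard-coded in the Store YAML; change both or neither
KUBECTL="${KUBECTL:-kubectl}"   # overridable so the script can be dry-run against a fake kubectl

# Every object is generated with --dry-run=client and then applied, so re-running the
# script after a failed step never stops on "already exists".
ensure_namespace() {
  "$KUBECTL" create namespace "$1" --dry-run=client -o yaml | "$KUBECTL" apply -f -
}

# The Deployment references imagePullSecrets regcred, so the secret must exist in the
# namespace before the pod is scheduled. Building it from an existing docker config.json
# (written by `docker login`) keeps the registry password off the command line and out of `ps`.
ensure_pull_secret() {
  cfg="${DOCKER_CONFIG_JSON:?set DOCKER_CONFIG_JSON to the path of a docker config.json}"
  [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 1; }
  "$KUBECTL" create secret generic regcred --namespace "$1" \
      --type=kubernetes.io/dockerconfigjson \
      --from-file=.dockerconfigjson="$cfg" \
      --dry-run=client -o yaml | "$KUBECTL" apply -f -
}

# Apply the Store YAML (PVC, Deployment, Service) and wait for the single replica to be ready.
deploy_store() {
  "$KUBECTL" apply -f "$1"
  "$KUBECTL" rollout status deployment/pam-store --namespace "$NAMESPACE" --timeout=300s
}

# Post-deploy checks: the claim must be Bound (otherwise the pod stays Pending) and the
# Service must have a ready endpoint (otherwise the image pull or the container failed).
verify_store() {
  phase=$("$KUBECTL" get pvc pam-storage --namespace "$NAMESPACE" -o jsonpath='{.status.phase}')
  [ "$phase" = "Bound" ] || { echo "PVC pam-storage is '$phase', not Bound" >&2; return 1; }
  eps=$("$KUBECTL" get endpoints pam-store-service --namespace "$NAMESPACE" \
        -o jsonpath='{.subsets[*].addresses[*].ip}')
  [ -n "$eps" ] || { echo "pam-store-service has no ready endpoints" >&2; return 1; }
  echo "pam-store ready at $eps:8080 (ClusterIP only: reach it via port-forward or the Launcher)"
}

main() {
  manifest=${1:?usage: $0 <store-yaml>}
  ensure_namespace "$NAMESPACE"
  ensure_pull_secret "$NAMESPACE"
  deploy_store "$manifest"
  verify_store
}

# Only run when invoked with arguments; sourcing the file just defines the functions.
if [ $# -gt 0 ]; then main "$@"; fi
```

Pointing KUBECTL at a wrapper that only logs its arguments gives a dry run of exactly the commands the script would issue, which is also how it can be tested without a cluster.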
System Monitoring
Launcher
You can check that the launcher is running by requesting its status URL. No credentials are documented for this endpoint (unlike the Store check below), so restrict network access to it to your monitoring hosts and, outside a lab, serve it over HTTPS only:
Request
https://<your-host>/launch/status
For instance, on the lab host (plain HTTP on port 8082): http://demolab.soffid.pat.lab:8082/launch/status
Response
{
  "sessions": 0,
  "status": "ok"
}
- status → "ok" means the launcher process is running.
- sessions → number of sessions the launcher is currently managing.
Store
To monitor the Store you need a username and password with permission to view the status URL; these are the credentials produced by the script that created the PAM containers.
To monitor the store you need to browse the following URL:
Request
https://<your-host>/store/check
For instance, on the lab host (plain HTTP on port 8081): http://demolab.soffid.pat.lab:8081/store/check
Response
{
  "usedSpace": 156933901,
  "freeSpace": 161442168832,
  "status": "OK"
}
- status → "OK" means the Store process is running (note the upper case, unlike the launcher's "ok").
- usedSpace → bytes in use.
- freeSpace → bytes free; session recordings stop when this runs out, so alert on it rather than reading it by eye.
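The Launcher and Store checks above wired into one monitoring probe, as an added example that is not part of Soffid's documentation. It parses the documented JSON responses without jq, treats the Store's free space as a threshold instead of a number to read by eye, and exits with Nagios-style codes. Assumptions: the Store check uses HTTP basic authentication with the user from the container-creation script (supplied in PAM_STORE_USER and PAM_STORE_PASS, variable names introduced here), and the sample responses embedded below are copies of the ones shown on this page.

```shell
#!/bin/sh
# check_pam.sh: health probe for the Soffid PAM Launcher and Store status URLs.
# Added example, not Soffid's own tooling. Assumed: basic auth for /store/check,
# credentials in PAM_STORE_USER / PAM_STORE_PASS.
# Usage: check_pam.sh launcher https://pam.example.org:8082
#        PAM_STORE_USER=u PAM_STORE_PASS=p check_pam.sh store https://pam.example.org:8081 [min_free_bytes]
# Exit codes follow the Nagios convention: 0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN.

# Sample responses, copied from the documented examples above, used for offline tests.
SAMPLE_LAUNCHER='{"sessions":0,"status":"ok"}'
SAMPLE_STORE='{
"usedSpace": 156933901,
"freeSpace": 161442168832,
"status": "OK"
}'

# Extract one scalar field (string or number) from a flat JSON object without jq.
json_field() {
  key=$1; json=$2
  printf '%s' "$json" | tr -d '\n\r' \
    | sed -n "s/.*\"$key\"[[:space:]]*:[[:space:]]*\"\{0,1\}\([^\",}]*\)\"\{0,1\}.*/\1/p"
}

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Launcher: status must be "ok"; prints the number of managed sessions on success.
launcher_healthy() {
  [ "$(lower "$(json_field status "$1")")" = "ok" ] || return 2
  sessions=$(json_field sessions "$1")
  printf '%s\n' "${sessions:-0}"
}

# Store: status must be "OK" (the documented spelling differs from the launcher's "ok",
# hence the case-insensitive comparison) and freeSpace must be at least $2 bytes.
# Returns 0 healthy, 1 if free space is below the threshold, 2 if the Store is not healthy.
store_healthy() {
  min_free=${2:-0}
  [ "$(lower "$(json_field status "$1")")" = "ok" ] || return 2
  free=$(json_field freeSpace "$1")
  case $free in ''|*[!0-9]*) return 2;; esac   # freeSpace missing or not a number
  [ "$free" -ge "$min_free" ] || return 1
}

# Fetch a status URL. Store credentials are handed to curl as a config file on stdin
# (-K -), so they never appear in the process list. Quotes in the password are not handled.
fetch() {
  url=$1; with_auth=$2
  if [ "$with_auth" = yes ]; then
    : "${PAM_STORE_USER:?}" "${PAM_STORE_PASS:?}"
    printf 'user = "%s:%s"\n' "$PAM_STORE_USER" "$PAM_STORE_PASS" \
      | curl --fail --silent --show-error --max-time 10 -K - "$url"
  else
    curl --fail --silent --show-error --max-time 10 "$url"
  fi
}

main() {
  case $1 in
    launcher)
      body=$(fetch "$2/launch/status" no) || exit 3
      sessions=$(launcher_healthy "$body") || { echo "CRITICAL: launcher status not ok"; exit 2; }
      echo "OK: launcher up, $sessions session(s)"; exit 0 ;;
    store)
      body=$(fetch "$2/store/check" yes) || exit 3
      rc=0; store_healthy "$body" "${3:-1073741824}" || rc=$?   # default threshold: 1 GiB
      case $rc in
        0) echo "OK: store up, $(json_field freeSpace "$body") bytes free"; exit 0 ;;
        1) echo "WARNING: store free space below threshold"; exit 1 ;;
        *) echo "CRITICAL: store status not OK"; exit 2 ;;
      esac ;;
    *) echo "usage: $0 launcher|store <base-url> [min_free_bytes]" >&2; exit 3 ;;
  esac
}

# Only run the probe when invoked with arguments; sourcing the file just defines the functions.
if [ $# -gt 0 ]; then main "$@"; fi
```

Schedule it from your monitoring system against both base URLs; the CRITICAL/WARNING split lets a shrinking freeSpace page someone before recordings start failing rather than after.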