Installing Hyper-scalable PAS

As a solution that you manage, the Hyper-scalable PAS replicates the infrastructure provided by the Privileged Access Service using your own servers. The installation procedures described in this section install the necessary software on Windows Servers to configure them for the following:

  • Management node
  • Web node
  • Background node
  • TCP Relay node (for relay)
  • TCP Relay node (for logging)


You may choose from two installation scenarios:

  • Minimum installation suitable for evaluation only
  • Multiple server installation suitable for production

Minimum Installation for Evaluation Only

Before you Install

Before you install the IBM Security Hyper-scalable PAS software, ensure you have the following (refer to Prerequisites for details).

  • A license key

  • (Optional) Host certificate from a trusted certificate authority, issued for the hostname that you will access Hyper-scalable PAS through. For evaluation purposes, you can use an automatically generated certificate.

    Wildcard certificates can be used.

  • Windows server for your configuration

  • (Optional) Redis server

  • (Optional) PostgreSQL-compatible database with all required extensions installed. If you do not have a suitable database to use, one can be installed for you as part of the installation process.

  • Data connection information for the following:

    • Redis: server hostname, server port (default is 6379), SSL
    • (Optional) Database: user name, password, server hostname, server port (default is 5432). This is only required if your existing setup uses a database.
    • Hostname: this is the name of the Installation and must match the hostname used on the certificate
  • (Required for some services) Connector.

    Not all services require a Connector. See the Privileged Access Service online help and see Installing the Connector to determine if your configuration requires a connector.

Multiple Server Installation Suitable for Production

The scripts provided for installation have embedded help, which you can view using the Get-Help command; for example, from the script directory type, Get-Help .\Centrify-PAS-NewDeployment.ps1. More detailed help about the parameters is available using the -detail flag. For example, Get-Help .\Centrify-PAS-NewDeployment.ps1 -detail. Additional command output, useful for debugging or watching progress, is available using the -verbose switch.

All examples in this section, use pas.corpnet.com to refer to the Hyper-scalable PAS hostname.

Before you Install

Before you install the Centrify Hyper-scalable PAS software, ensure you have the following:

  • A license key

  • Host certificate from a trusted certificate authority issued for the hostname that you will access Hyper-scalable PAS through.

    Wildcard certificates can be used.

  • Windows server for your configuration (see Prerequisites for this bullet and the three that follow)

  • Redis server

  • Load balancer

  • PostgreSQL-compatible database with all required extensions installed

  • Data connection information for the following:

    • Redis: server hostname, server port (default is 6379), SSL
    • Database: user name, password, server hostname, server port (default is 5432).
    • Hostname: this is the name of the Installation and must match the hostname used on the certificate
  • Computer designated for the Connector, if applicable. (Not all services require a Connector.) See the Privileged Access Service online help and see Installing the Connector to determine if your configuration requires a connector.
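The two "Before you Install" lists above (evaluation and production) ask you to have a license, a certificate issued for the installation hostname, reachable Redis and PostgreSQL servers, and a hostname that matches the certificate. The installer verifies several of these itself, but checking them beforehand avoids a failed Centrify-PAS-NewInstallation.ps1 run that has already initialized the database. The following preflight script is an added example and is not part of the IBM Security / Centrify installer package; the hostnames, ports, certificate path and password are constructed placeholders taken from this page's own examples, and the wildcard-matching and DNS/TCP checks are this example's own logic, not the installer's.

```powershell
# Added example, not part of the Hyper-scalable PAS installer package: a preflight
# check for the "Before you Install" items. Hostnames, ports, the certificate path
# and its password are constructed placeholders taken from this page's examples.
param(
    [string]$Hostname     = 'pas.corpnet.com',   # installation hostname; must match the certificate
    [string]$RedisServer  = 'cache.corpnet',
    [int]   $RedisPort    = 6379,
    [string]$DBServer     = 'postgres.corpnet',
    [int]   $DBPort       = 5432,
    [string]$Certificate  = 'C:\corpnet.com.p12',
    [string]$CertPassword = ''                   # empty if the .p12 is not password protected
)

$results = @()
function Add-Result([string]$Check, [bool]$Ok, [string]$Detail) {
    $script:results += [pscustomobject]@{ Check = $Check; Ok = $Ok; Detail = $Detail }
}

# A wildcard certificate covers exactly one label: *.corpnet.com matches
# pas.corpnet.com but not a.b.corpnet.com.
function Test-CertName([string]$Pattern, [string]$Name) {
    if ($Pattern.StartsWith('*.')) {
        $suffix = $Pattern.Substring(1)
        return $Name.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase) -and
               ($Name.Substring(0, $Name.Length - $suffix.Length) -notmatch '\.')
    }
    return $Pattern -ieq $Name
}

# 1. The installation hostname must resolve in DNS (the installer checks this as well).
try {
    $addrs = @(Resolve-DnsName -Name $Hostname -Type A -ErrorAction Stop |
               Where-Object { $_.IPAddress } | ForEach-Object { $_.IPAddress })
    Add-Result 'DNS' ($addrs.Count -gt 0) ($addrs -join ', ')
} catch {
    Add-Result 'DNS' $false $_.Exception.Message
}

# 2. Redis and PostgreSQL must accept TCP connections on their service ports.
foreach ($svc in @(@{ Name = 'Redis';      Server = $RedisServer; Port = $RedisPort },
                   @{ Name = 'PostgreSQL'; Server = $DBServer;    Port = $DBPort })) {
    $tcp = Test-NetConnection -ComputerName $svc.Server -Port $svc.Port -WarningAction SilentlyContinue
    Add-Result $svc.Name $tcp.TcpTestSucceeded "$($svc.Server):$($svc.Port)"
}

# 3. The host certificate must cover the hostname (wildcards allowed) and be inside its validity period.
try {
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Certificate, $CertPassword)
    $names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })          # SAN entries, if any
    if ($names.Count -eq 0) { $names = @(($cert.Subject -split ',')[0] -replace '^\s*CN=', '') }
    $covers = @($names | Where-Object { Test-CertName $_ $Hostname }).Count -gt 0
    Add-Result 'Certificate name' $covers ($names -join ', ')
    $now = Get-Date
    Add-Result 'Certificate validity' ($cert.NotBefore -le $now -and $cert.NotAfter -gt $now) `
               "valid $($cert.NotBefore) to $($cert.NotAfter)"
} catch {
    Add-Result 'Certificate' $false $_.Exception.Message
}

$results | Format-Table -AutoSize
if (@($results | Where-Object { -not $_.Ok }).Count -gt 0) {
    Write-Warning 'One or more prerequisites failed; resolve them before running Centrify-PAS-NewInstallation.ps1.'
    exit 1
}
```

Run it from an elevated PowerShell session on the Management node, where the certificate file will later be passed to Centrify-PAS-NewInstallation.ps1 -Certificate. The TCP checks only prove the ports are reachable; the database credentials and extensions are still verified by the installation script itself.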

Installing Using the Installer PowerShell Script

The following is an overview of the steps, organized into phases, required to install Hyper-scalable Privileged Access Service. Detailed procedures of each phase are described in subsequent sections.

Phase 1: Installing the Management Node

  • Download / copy the Hyper-scalable PAS zip package from IBM Security to the Windows server you have designated to be the Management node.

    You will need the following software components from the zip package:

    • install.ps1
    • CentrifyPlatform-[Build.Number].zip
  • Create the Management Node

    To create the Management node, open an elevated PowerShell session and run the install.ps1 script. This expands and installs the CentrifyPlatform-[Build.Number].zip. Once completed, the necessary scripts are available on the Management node for installation and deployment.

    The command can receive an optional target parameter, which indicates where to install the deployment. The default value is C:\centrify.

    Change to the target directory (C:\centrify or as specified on the install command line) for all subsequent Management node commands.

Phase 2: Creating a new Installation

  • Create a new installation using the Centrify-PAS-NewInstallation.ps1 command on the Management node. This will do the following:

    • Creates the configuration file
    • Verifies the configuration inputs
    • Checks for the Redis and database servers
    • Initializes the database
    • Checks for the required database extensions

Phase 3: Creating a Deployment Package

  • Create your deployment package using the Centrify-PAS-NewDeployment.ps1 command on the Management node.

    You can enter a unique Deployment ID using the -ID parameter; otherwise a GUID is used as the Deployment ID.

Phase 4: Deploying Hyper-scalable PAS software to Web, Background, and TCP Relay Nodes

  • Copy the Deployment Package from the installations\<hostname>\Deployments subdirectory to the target systems. Once copied, uncompress the package and run the extracted Centrify-PAS-Deploy.ps1 command with the node type as the parameter for each node installation. For example:

    .\Centrify-PAS-Deploy.ps1 -BackgroundNode

    The command can receive the InstallPath parameter, which indicates where to install the deployment. The default value is C:\CentrifyNode.

    Install the logging node first, if applicable, and then at least one Web node, Background node and TCP Relay node per site installation.

Phase 5: Activating the Deployment

  • From the Management node, activate the deployment using the Centrify-PAS-SetActiveDeployment.ps1 command.

  • Pass in the Deployment ID that you either set as a parameter or received as output from the Centrify-PAS-NewDeployment.ps1 script.

  • From the Management node, you can run the command Centrify-PAS-NodeList before activating the deployment, to verify the installation and to ensure the nodes are recognized. This should show all of the deployed nodes with an Inactive status. If you run Centrify-PAS-NodeList again (after activating your deployment), you should see that the Web and Background node status is now Active.

    The scripts provided for this installation support the PowerShell switch -verbose, which enables you to view additional data about the command.

Phase 1: Installing the Management Node


To install the Hyper-scalable PAS, the first step is to create the Management node. Download the Hyper-scalable PAS software package to the computer designated as the Management node and then run the Hyper-scalable PAS installer (install.ps1). The software package contains a directory structure with the following items:

  • Documentation (PDF)
  • CentrifyPlatform-[Build.Number].zip (contains the Hyper-scalable PAS installation package)
  • install.ps1 (expands and installs the CentrifyPlatform-[Build.Number].zip file)

To Install the Management Node

  1. On the Management node, log in as a user with administrator rights.

  2. Download the Hyper-scalable PAS software package from IBM Security onto the Management node.

  3. Open a PowerShell session in elevated (RunAs Administrator) mode.

    All PowerShell sessions must be elevated; that is, Run as Administrator mode.

  4. If the installer package is a single zip file, expand it (Expand-Archive in PowerShell, or your preferred unzipping tool).

  5. At the PowerShell prompt, type .\install.ps1 to set up PowerShell cmdlets and tooling on the Management node for cluster installation, management, and deployments.


    See the additional parameters below.

Parameter            Description
[-target <String>]   Type in the location for the installation (for example, C:\Centripas); if the target is not included, the default is C:\centrify.

Type Get-help .\install.ps1 -detail to get information on parameters and switches.

  6. Once installed, the following scripts are available in the specified target directory:

    • Centrify-PAS-ForceRemoveNode.ps1
    • Centrify-PAS-GetDeployment.ps1
    • Centrify-PAS-ModifyInstallation.ps1
    • Centrify-PAS-NewDeployment.ps1
    • Centrify-PAS-NewInstallation.ps1
    • Centrify-PAS-NodeList.ps1
    • Centrify-PAS-SetActiveDeployment.ps1
    • Centrify-PAS-WatchLogs.ps1

Phase 2: Creating a New Installation


After creating the Management node, use the Centrify-PAS-NewInstallation.ps1 script, available on the Management node, to create a new Installation. An Installation is an instance of a cluster (all resources, nodes, and configuration information that together provide a single cluster), operating with a single hostname (for example, pas.corpnet.com). The number of systems that comprise the cluster depends on your environment (for minimum requirements, see Prerequisites).

Creating a new Installation requires a dedicated database; this is specified in the configuration or parameters. Each installation must have its own database on a dedicated PostgreSQL server.

The Centrify-PAS-NewInstallation.ps1 script

  • Creates a directory to hold the generated installation data (in <Centrify PAS Directory>\installations).
  • Creates a configuration in a config subdirectory (inside the installations directory for this installation). The command parameters are passed as individual parameters or configured in a prepared file.
  • Verifies the configuration inputs (makes sure the hostname resolves in DNS, checks for the database and Redis servers, that the database credentials work, and that the proper database extensions are installed).
  • Verifies that the database does not have a current installation; if it does, the installation fails. To override this, either delete the database or use the -override switch (note that you cannot recover your data after using the override switch).
  • Initializes the database (this destroys any data in the database).
  • Accepts the installation license key.

To Create a New Installation

  1. If you are not already logged in to the Management node, log in as a user with administrator rights.

  2. At an elevated PowerShell prompt, run .\Centrify-PAS-NewInstallation.ps1.

    The script options can be provided on the command line. For example:

     .\Centrify-PAS-NewInstallation.ps1 -Hostname pas.corpnet.com -Certificate C:\corpnet.com.p12 `
         -DBUser centrifyAccount -DBPassword secretCode -DBServer postgres.corpnet -RedisServer cache.corpnet `
         -AdministratorName PASAdmin -AdministratorPassword EvenM0reS3cret -AdministratorEmail pasadmin@corpnet.com `
         -CompanyName Corpnet -LicenseKey 234KL43

    Type Get-help .\Centrify-PAS-NewInstallation.ps1 -detail to get information on the command and parameters, or see Centrify-PAS-NewInstallation.


    You can also pass configuration parameters via config.json file. If you use this method, you need to populate the config.json file with the required data prior to running the script, see Configuration File.

    If the command is successful, a zip file is created and available in the installations directory (\Installations\Config\<hostname>.zip) on the Management node.

  3. Copy the newly-created configuration directory to a safe and secure location.

    The configuration directory contains the generated certificates and keys for your installation, so it is important that you do not lose the contents.

Phase 3: Creating a Deployment Package


Once an Installation is defined, use Centrify-PAS-NewDeployment.ps1 to create a Deployment package (a .zip file) that you can distribute to cluster nodes (Web nodes, Background nodes, and TCP Relay nodes). The Centrify-PAS-NewDeployment.ps1 script updates the database schema and creates a Deployment in a new folder under the installations\<hostname>\Deployments directory on the Management node, named with the current date and the Deployment ID (as specified or as a GUID). Inside that directory is a single file called <Deployment ID>.zip that includes everything needed to create Web, Background, and TCP Relay nodes, including the configuration and certificate data.

An Installation must be created (see Phase 2: Creating a New Installation above) prior to running the deployment package script.

To Create a Deployment Package

  1. If you are not already logged in to the Management node, log in as a user with administrator rights.

  2. Change to the target directory and at the PowerShell prompt, type Centrify-PAS-NewDeployment.ps1 [-Hostname][[-ID]]. See the following example:

    .\Centrify-PAS-NewDeployment.ps1 -Hostname pas.corpnet.com -ID NewDeploy1

    Type Get-help .\Centrify-PAS-NewDeployment.ps1 -detail to get information on the command and parameters, or see Centrify-PAS-NewDeployment.


  3. Once complete the following file is available in the ...\installations\<hostname>\Deployments\<date-DeploymentID>\ directory:

    <deployment_id>.zip

Phase 4: Deploying Hyper-scalable PAS Software to Web, Background, and TCP Relay Nodes


After you complete the steps in previous sections, you copy the Deployment file (<deployment_id>.zip) from the Management node to each target node (Web, Background, TCP Relay) and then run Centrify-PAS-Deploy.ps1 to build each node. The illustration above depicts the deployment process. The deployment process is the same for each node with the exception of the command node type parameter.

When deploying (via Centrify-PAS-Deploy.ps1) a new Deployment, in addition to Web and Background nodes, you can also deploy two types of TCP Relay nodes: Logging node and the regular Relay node.

IBM Security strongly recommends you install the Logging node first (if applicable), allowing the Web and Background nodes to see and log in to it.

To Install Each Node

You need to perform these procedures for each node (Web, Background, TCP Relay, and Logging node) in the Installation.

  1. Copy the deployment file, <deployment_id>.zip, from the Management node to the target node (the Windows servers designated as a Web, Background, TCP Relay, or Logging nodes).

    The <deployment_id>.zip file is created in \installations\<hostname>\Deployments\<date-DeploymentID>\ when you create the deployment package. See To Create a Deployment Package.

  2. On the target node, unzip the <deployment_id>.zip file using the Expand-Archive cmdlet or your preferred utility.

  3. On the target node, run the Centrify-PAS-Deploy.ps1 script with the appropriate parameter for the desired node type (see Centrify-PAS-Deploy for a list of parameters).

    IBM Security strongly recommends you install the Logging node first (if applicable), to allow the Web and Background nodes to see and log in to it.

    The command can receive the InstallPath parameter, which indicates where to install the deployment. The default value is C:\CentrifyNode.

    For example, to create a Background node you enter:

    .\Centrify-PAS-Deploy.ps1 -BackgroundNode

    Type Get-help .\Centrify-PAS-Deploy.ps1 -detail to get information on the command and parameters, or see Centrify-PAS-Deploy.


Phase 5: Activating the Deployment

There are two steps to activating a new Deployment. From the Management node:

  • Ensure that the load balancer can send traffic to the Web nodes.

    Note that Web nodes fail the health check until they are set to active.

  • Activate new nodes (Web and Background) by switching to the new Deployment ID.

When the Web node deployment is completed, add the new Web nodes to the target list of your load balancer. The health check URI is /health/check. Verify that the hostname resolves to the load balancer on your DNS, and then you are ready to activate the deployment so that it can service requests.

The Background nodes should have the same Deployment ID, but the load balancer only points at Web nodes.

When creating a new deployment, a new Deployment ID is created or assigned. Once the deployment is created, new nodes can be created, but those nodes won't respond to traffic until the load balancer points to the new Web nodes, and the new Deployment is set to Active. To activate inactive nodes, you run the .\Centrify-PAS-SetActiveDeployment.ps1 script from the Management node, specifying the desired Deployment ID.

At this point, any nodes in a previous Deployment ID are inactive and show as unhealthy or down in your load balancer, while the new nodes with matching Deployment IDs are active and show as healthy or up. Depending on the load balancer settings there may be a delay.

Hyper-scalable PAS does not support deactivating and then reactivating a deployment directly. Whenever a node is deactivated via Centrify-PAS-SetActiveDeployment, it must be rebooted before reactivating it.

To Activate the Deployment

  1. From the Management node, type the following to set the Deployment to active:

    Centrify-PAS-SetActiveDeployment.ps1 [-Hostname] <String> [-ID] <String>

    Type Get-help .\Centrify-PAS-SetActiveDeployment.ps1 -detail to get information on the command and parameters or see Centrify-PAS-SetActiveDeployment.

  2. Once the installation is complete, you can start using the Privileged Access Service.
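The activation sequence above hinges on the load balancer's health check: Web nodes fail /health/check until the Deployment is set active, and only then does the load balancer start sending them traffic. Probing that URI yourself, node by node, is the quickest way to confirm the state before and after Centrify-PAS-SetActiveDeployment.ps1. The script below is an added example and not one of the Hyper-scalable PAS scripts. It assumes the Web nodes listen on TCP 443 and answer HTTP 200 when healthy (the page only says they fail the check while inactive), and the node names are constructed placeholders. It deliberately opens its own TLS session with the installation hostname as the TLS target name and Host header, which is how the load balancer reaches the nodes and why the host certificate must cover that name.

```powershell
# Added example, not one of the Hyper-scalable PAS scripts: run the load balancer's
# /health/check probe yourself against each Web node, so you can see nodes fail the
# check before activation and pass it afterwards. Assumptions: Web nodes listen on
# TCP 443 and answer HTTP 200 when healthy; node names are constructed placeholders.
param(
    [string[]]$WebNodes     = @('web1.corpnet.com', 'web2.corpnet.com', 'web3.corpnet.com'),
    [string]  $Hostname     = 'pas.corpnet.com',   # installation hostname: TLS target name and Host header
    [int]     $Attempts     = 6,
    [int]     $DelaySeconds = 10
)

function Test-WebNodeHealth([string]$Node, [string]$HostHeader) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($Node, 443)
        # SslStream validates the node's certificate against $HostHeader (the installation
        # hostname), exactly as a browser or the load balancer reaching the cluster would.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostHeader)
        $request = "GET /health/check HTTP/1.1`r`nHost: $HostHeader`r`nConnection: close`r`n`r`n"
        $bytes = [System.Text.Encoding]::ASCII.GetBytes($request)
        $ssl.Write($bytes, 0, $bytes.Length)
        $ssl.Flush()
        $reader = New-Object System.IO.StreamReader($ssl)
        $statusLine = $reader.ReadLine()   # e.g. "HTTP/1.1 200 OK"
        $code = if ($statusLine -match '^HTTP/\d\.\d (\d{3})') { [int]$Matches[1] } else { 0 }
        return [pscustomobject]@{ Node = $Node; Healthy = ($code -eq 200); Detail = $statusLine }
    } catch {
        # Connection refused, TLS name mismatch, or no HTTP answer all count as unhealthy.
        return [pscustomobject]@{ Node = $Node; Healthy = $false; Detail = $_.Exception.Message }
    } finally {
        $client.Close()
    }
}

for ($i = 1; $i -le $Attempts; $i++) {
    $report = @(foreach ($n in $WebNodes) { Test-WebNodeHealth -Node $n -HostHeader $Hostname })
    Write-Host "--- attempt $i of $Attempts at $(Get-Date -Format 'HH:mm:ss')"
    $report | Format-Table -AutoSize | Out-String | Write-Host
    if (@($report | Where-Object { -not $_.Healthy }).Count -eq 0) {
        Write-Host 'All Web nodes pass the health check.'
        exit 0
    }
    if ($i -lt $Attempts) { Start-Sleep -Seconds $DelaySeconds }
}
Write-Warning 'Some Web nodes still fail /health/check. Before activation this is expected; after activation, check the node status with Centrify-PAS-NodeList.ps1.'
exit 1
```

Run it once before Centrify-PAS-SetActiveDeployment.ps1 (every node should report unhealthy) and again afterwards; the repeated attempts cover the delay the page mentions before the load balancer sees the nodes as up. A TLS error in the Detail column on a node that the load balancer also marks down usually means the node's certificate does not cover the installation hostname rather than a problem with the deployment itself.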

Configuration File

During installation and deployment of Hyper-scalable PAS, you populate a configuration file with installation details using a JSON formatted file (config.json). Centrify-PAS-NewInstallation.ps1 requires this information during installation (see Phase 2: Creating a New Installation above).

To automate the process, you can add the information to config.json file yourself. Using this method, you enter the data directly into the config.json file prior to running the Centrify-PAS-NewInstallation.ps1 script. The file is stored in the installations\Config\hostname subdirectory. Ensure you back up the configuration directory to a safe and secure location, as this has the generated certificates and keys for your installation.

The following is an example of using the config.json to pass parameters in the Centrify-PAS-NewInstallation.ps1 script.


You must provide the following information for the config.json file:

  • Redis: server hostname, server port (default is 6379)
  • Database: user name, password, server hostname, server port (default is 5432)
  • Hostname: this is the name of the installation and must match the hostname used on the certificate

Sample config.json File


To Update Log locations Using config.json

Default log locations are already set, so you only need to change config.json if you want to change the default log locations.

Before running Centrify-PAS-NewDeployment.ps1, update the logging section. For example:

"Logging":  {
    "CloudFolder":"C:\\CentrifyLogs\\Cloud",
    "LintFolder":"C:\\CentrifyLogs\\Lint",
    "AnalyticsFolder":"C:\\CentrifyLogs\\Analytics",
    "RelayFolder":"C:\\CentrifyLogs\\Relay"
}
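Editing the Logging section by hand is error prone: the folder values need doubled backslashes in JSON, and a typo elsewhere in config.json will only surface when the deployment script reads it. The script below is an added example, not part of the installer scripts: it loads an existing config.json, sets the four folders documented above under a common root, backs up the original (the configuration directory holds the installation's keys and certificates, as the page notes), writes the file back through ConvertTo-Json so escaping is correct, and re-reads it to confirm every folder is present. The config path and the log root are constructed placeholders.

```powershell
# Added example, not part of the installer scripts: set the Logging folders in an
# existing config.json before running Centrify-PAS-NewDeployment.ps1 and verify the
# result parses. The config path and LogRoot are constructed placeholders.
param(
    [string]$ConfigPath = 'C:\centrify\installations\Config\pas.corpnet.com\config.json',
    [string]$LogRoot    = 'D:\CentrifyLogs'
)

# The four folders the page documents under "Logging"; each is placed under $LogRoot.
$folders = [ordered]@{
    CloudFolder     = 'Cloud'
    LintFolder      = 'Lint'
    AnalyticsFolder = 'Analytics'
    RelayFolder     = 'Relay'
}

# ConvertFrom-Json fails loudly on malformed JSON, which is the point of doing this
# before the deployment script ever reads the file.
$config = Get-Content -Path $ConfigPath -Raw | ConvertFrom-Json

# Create the Logging section if the file does not have one yet.
if (-not ($config.PSObject.Properties.Name -contains 'Logging')) {
    $config | Add-Member -MemberType NoteProperty -Name Logging -Value ([pscustomobject]@{})
}

foreach ($key in $folders.Keys) {
    $path = Join-Path $LogRoot $folders[$key]
    if ($config.Logging.PSObject.Properties.Name -contains $key) {
        $config.Logging.$key = $path
    } else {
        $config.Logging | Add-Member -MemberType NoteProperty -Name $key -Value $path
    }
}

# Keep a copy of the original: the configuration directory holds the generated keys and certificates.
Copy-Item -Path $ConfigPath -Destination "$ConfigPath.bak" -Force

# ConvertTo-Json escapes the backslashes, producing "D:\\CentrifyLogs\\Cloud" as in the page's example.
$config | ConvertTo-Json -Depth 20 | Set-Content -Path $ConfigPath -Encoding UTF8

# Read it back and confirm every folder is present before running the deployment script.
$check = Get-Content -Path $ConfigPath -Raw | ConvertFrom-Json
foreach ($key in $folders.Keys) {
    $expected = Join-Path $LogRoot $folders[$key]
    if ($check.Logging.$key -ne $expected) { throw "Logging.$key was not written (expected $expected)" }
}
$check.Logging | Format-List
```

Because the rest of config.json is passed through ConvertFrom-Json and back, nested sections beyond the default depth would otherwise be flattened to strings; the -Depth 20 on ConvertTo-Json guards against that. Run the script from the target directory on the Management node and then proceed with Centrify-PAS-NewDeployment.ps1 as described in Phase 3.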

Hyper-scalable PAS Sizing Guidelines

The Hyper-scalable PAS platform has many features and use-cases. This page provides a baseline guide to use as a starting point.

Larger or smaller setups can be extrapolated from this guide.

The following key use cases have been tested and observed.

Testing is an ongoing process and specifications may need to be adjusted on a case-by-case basis.

Use case      Description
Cloud Agent   - Back-channel traffic impact on TCPRelay, web, and background nodes
              - Password management / reconciliation traffic
PAS           - RDP web and native session traffic
              - SSH web and native session traffic
              - Password management / reconciliation traffic

On-premise Example

Below is a configuration for an on-premise Hyper-scalable PAS using VMware vSphere consisting of the following machines:

Name                 Specifications       Server
2x Connector node    4 core, 16 GB RAM    Windows Server 2016
2x TCPRelay nodes    4 core, 16 GB RAM    Windows Server 2016
2x Worker nodes      4 core, 16 GB RAM    Windows Server 2016
3x Web nodes         4 core, 16 GB RAM    Windows Server 2016
Logger node          2 core, 16 GB RAM    Windows Server 2016
Management node      2 core, 8 GB RAM     Windows Server 2016
PostgreSQL DB        8 core, 32 GB RAM    CentOS 7, PostgreSQL 10.14, single node
Redis cache          8 core, 32 GB RAM    CentOS 7, Redis 6.0.8-1, single node


Capabilities

This configuration is capable of the following concurrent sessions:

  • 50 (medium traffic) RDP web sessions

    Traffic was simulated by running the task manager which generates RDP traffic via periodic screen updates.

  • 350 (low-medium traffic) SSH sessions

    Traffic was simulated by running top, which generates SSH traffic via periodical screen updates.

  • 1000 - 1500 Cloud Agents (depending on activity)

    Traffic was simulated using an internal tool.

When using this example as a basis, keep in mind:

  • All of these numbers can be serviced via a single connector, but we recommend having more than one for redundancy.
  • (Optional) Connectors may be configured to provide only specific services to isolate traffic / load.
  • (Optional) TCPRelays may also be configured to provide dedicated BackChannel communications for Cloud Agent.

  • This example does not generate any consequential load on:

    • PostgreSQL database
    • Redis load. Latency was measured to be:
      • Minimum: 0 ms
      • Maximum: 1 ms (spiked up to 2-3 ms during agent enroll)
      • Average: 0.05 ms
  • Resource impact. See Load impact section below for use-case specifics.

Load Impact

The primary load on a Hyper-scalable PAS system is on the web nodes and primarily affects the CPU and RAM resources. This is due to external communications which require the web nodes, such as:

  • Web browser UI
  • REST
  • Agents
  • Data requiring backend (worker node)

The second critical component is the connectors. All web and direct session access without the Portal is directed through the connector machine. This load is primarily seen as total network traffic throughput and the number of concurrently open network sockets.

The TCPRelay load is seen as total network traffic throughput and the number of concurrently open network sockets. The CPU and RAM utilization will be very low.

There is no significant load on PostgreSQL or Redis.

Comparable Environments

Below are comparable Amazon EC2 instances for each machine type. Other machine requirements can be extrapolated from these baselines.

Name               AWS EC2 instance    vSphere
Management node    t2.large            2 core, 8 GB RAM
Logger node        t3.xlarge           4 core, 16 GB RAM
PostgreSQL         db.r4.2xlarge       8 core, 32 GB RAM
Redis              cache.r4.large      No direct comparison, but you can use the PostgreSQL instance as a baseline.
TCPRelay nodes     t3.xlarge           4 core, 16 GB RAM
Web nodes          t3.xlarge           4 core, 16 GB RAM
Worker nodes       t3.xlarge           4 core, 16 GB RAM
Connector nodes    t3.xlarge           4 core, 16 GB RAM

This information is a sample setup only. You may require sizing adjustments based on your specific setup.

Cloud Agent

Cloud Agent generates a negligible load on Hyper-scalable PAS from login and MFA operations. The Cloud Agent has a back-channel communication path with Hyper-scalable PAS that enables IBM Security to provide features such as:

  • Agent-assisted account reconciliation

  • Workflow

  • On demand provisioning

  • HealthCheck

    This back-channel does not require customers to open additional ports. It provides a mechanism for various Platform components to invoke remote functionality on the Clients.

The Cloud Agent will register itself via the back-channel by default during the enrollment process or agent start-up.

The default settings are configurable.

Once the Cloud agent registration is complete, back-channel traffic may be generated for the following reasons:

  • Periodic HealthCheck (configurable) every hour per agent
  • cinfo -H will perform a HealthCheck
  • Feature management capability
  • Password reconciliation capability

On shutdown, the Cloud Agent unregisters itself from the back-channel.

These operations do not inherently constitute a large amount of traffic or load. However, when multiplied by a large number of enrolled Cloud Agents, this can present occasional spikes in the back-channel traffic, which can affect performance.

For example, the following may create a large spike in BackChannel registration traffic:

  • An automated / orchestrated provisioning of a large number of machine instances within a short period of time

  • Auto-enrolling Cloud Agents.

    TCPRelays can be configured to be dedicated for Cloud Agent use only.

Privileged Access Service

RDP and SSH access via a web browser is a key feature of Hyper-scalable PAS. This system was able to support:

  • 50 RDP web sessions
  • 350+ SSH web sessions