The Balabit’s Privileged Session Management 5 F6 Administrator Guide

Copyright © 2018 Balabit, a One Identity business. All rights reserved. This document is protected by copyright and is distributed under licenses restricting its use, copying, distribution, and decompilation. No part of this document may be reproduced in any form by any means without prior written authorization of Balabit.

This documentation and the product it describes are considered protected by copyright according to the applicable laws.

The Balabit™ name and the Balabit™ logo are registered trademarks of Balabit SA.

The Balabit Shell Control Box™ name and the Balabit Shell Control Box™ logo are registered trademarks of Balabit.

Citrix®, ICA® and XenApp™ are trademarks or registered trademarks of Citrix Systems, Inc.

Linux™ is a registered trademark of Linus Torvalds.

Sun™, Sun Microsystems™, the Sun logo, Sun Fire 4140™, Sun Fire 2100™, Sun Fire 2200™, Sun Fire 4540™, and Sun StorageTek™ are trademarks or registered trademarks of Sun Microsystems, Inc. or its subsidiaries in the U.S. and other countries.

The syslog-ng™ name and the syslog-ng™ logo are registered trademarks of Balabit.

VMware™, VMware ESX™ and VMware View™ are trademarks or registered trademarks of VMware, Inc. and/or its affiliates.

Windows™ 95, 98, ME, 2000, XP, Server 2003, Vista, Server 2008, 7, 8, and Server 2012 are registered trademarks of Microsoft Corporation.

The Zorp™ name and the Zorp™ logo are registered trademarks of BalaSys IT Ltd.

All other product names mentioned herein are the trademarks of their respective owners.

DISCLAIMER. Balabit is not responsible for any third-party websites mentioned in this document. Balabit does not endorse and is not responsible or liable for any content, advertising, products, or other material on or available from such sites or resources. Balabit will not be responsible or liable for any damage or loss caused or alleged to be caused by or in connection with use of or reliance on any such content, goods, or services that are available on or through any such sites or resources.

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. This product includes cryptographic software written by Eric Young ([email protected]).

This product includes open source software components. For details on the licenses and availability of these software components, see Appendix E, Open source licenses.

May 02, 2018

Administrator Guide for Balabit’s Privileged Session Management (PSM)

Table of Contents

1. Contact and support information
1.1. Sales contact
1.2. Support contact
1.3. Training
2. About this document
3. Summary of changes
4. Feedback
1. Introduction
2. The concepts of PSM
2.1. The philosophy of PSM
2.2. Policies
2.3. Credential Stores
2.4. Plugin framework
2.5. Indexing
2.6. Supported protocols and client applications
2.7. Modes of operation
2.7.1. Transparent mode
2.7.2. Single-interface transparent mode
2.7.3. Non-transparent mode
2.7.4. Inband destination selection
2.8. Connecting to a server through PSM
2.8.1. Connecting to a server through PSM using SSH
2.8.2. Connecting to a server through PSM using RDP
2.8.3. Connecting to a server through PSM using an RD Gateway
2.9. Archive and backup concepts
2.9.1. Configuration export
2.9.2. System backup
2.9.3. Connection backup
2.9.4. Connection archive
2.9.5. Debug bundle
2.9.6. Debug logs
2.9.7. Connection logs
2.9.8. Core dump files
2.10. Maximizing the scope of auditing
2.11. IPv6 in PSM
2.12. SSH hostkeys
2.13. Authenticating clients using public-key authentication in SSH
2.14. The gateway authentication process
2.15. Four-eyes authorization
2.16. Network interfaces
2.17. High Availability support in PSM
2.17.1. Firmware and high availability
2.18. Versions and releases of PSM
2.19. Accessing and configuring PSM
2.20. Licenses
2.20.1. Licensing benefits
2.20.2. Licensing model
2.20.3. License types
2.20.4. Licensing examples
3. The Welcome Wizard and the first login
3.1. The initial connection to PSM
3.1.1. Creating an alias IP address (Microsoft Windows)
3.1.2. Creating an alias IP address (Linux)
3.1.3. Modifying the IP address of PSM
3.1.4. Accessing the Welcome Wizard from a non-standard interface
3.2. Configuring PSM with the Welcome Wizard
3.3. Logging in to PSM and configuring the first connection
4. Basic settings
4.1. Supported web browsers and operating systems
4.2. The structure of the web interface
4.2.1. Elements of the main workspace
4.2.2. Multiple users and locking
4.2.3. Web interface timeout
4.2.4. Preferences
4.3. Network settings
4.3.1. Configuring user and administrator login addresses
4.3.2. Managing logical interfaces
4.3.3. Routing uncontrolled traffic between logical interfaces
4.3.4. Configuring the routing table
4.4. Configuring date and time
4.5. System logging, SNMP and e-mail alerts
4.5.1. Configuring system logging
4.5.2. Configuring e-mail alerts
4.5.3. Configuring SNMP alerts
4.5.4. Querying PSM status information using agents
4.5.5. Customize system logging in PSM
4.6. Configuring system monitoring on PSM
4.6.1. Configuring monitoring
4.6.2. Health monitoring
4.6.3. Preventing disk space fill up
4.6.4. System related traps
4.6.5. Traffic related traps
4.7. Data and configuration backups
4.7.1. Creating a backup policy using Rsync over SSH
4.7.2. Creating a backup policy using SMB/CIFS
4.7.3. Creating a backup policy using NFS
4.7.4. Creating configuration backups
4.7.5. Creating data backups
4.7.6. Encrypting configuration backups with GPG
4.8. Archiving and cleanup
4.8.1. Creating a cleanup policy
4.8.2. Creating an archive policy using SMB/CIFS
4.8.3. Creating an archive policy using NFS
4.8.4. Archiving or cleaning up the collected data
4.9. Splunk integration
5. User management and access control
5.1. Managing PSM users locally
5.1.1. Creating local users in PSM
5.1.2. Deleting a local user from PSM
5.2. Setting password policies for local users
5.3. Managing local usergroups
5.4. Managing PSM users from an LDAP database
5.5. Authenticating users to a RADIUS server
5.6. Authenticating users with X.509 certificates
5.7. Managing user rights and usergroups
5.7.1. Assigning privileges to usergroups for the PSM web interface
5.7.2. Modifying group privileges
5.7.3. Finding specific usergroups
5.7.4. How to use usergroups
5.7.5. Built-in usergroups of PSM
5.8. Listing and searching configuration changes
5.8.1. Using the internal search interface
5.9. Displaying the privileges of users and user groups
6. Managing PSM
6.1. Controlling PSM — reboot, shutdown
6.1.1. Disabling controlled traffic
6.1.2. Disabling controlled traffic permanently
6.2. Managing PSM clusters
6.2.1. Roles
6.2.2. Enabling cluster management
6.2.3. Building a cluster
6.2.4. Assigning roles to nodes in your cluster
6.2.5. Uploading a configuration synchronization plugin
6.2.6. Monitoring the status of nodes in your cluster
6.2.7. Deleting a node from the cluster
6.3. Managing a high availability PSM cluster
6.3.1. Adjusting the synchronization speed
6.3.2. Redundant heartbeat interfaces
6.3.3. Next-hop router monitoring
6.4. Upgrading PSM
6.4.1. Upgrade checklist
6.4.2. Upgrading PSM (single node)
6.4.3. Upgrading a PSM cluster
6.4.4. Troubleshooting
6.4.5. Exporting the configuration of PSM
6.4.6. Importing the configuration of PSM
6.5. Managing the PSM license
6.5.1. Updating the PSM license
6.6. Accessing the PSM console
6.6.1. Using the console menu of PSM
6.6.2. Enabling SSH access to the PSM host
6.6.3. Changing the root password of PSM
6.6.4. Firmware update using SSH
6.6.5. Exporting and importing the configuration of PSM using the console
6.7. Sealed mode
6.7.1. Disabling sealed mode
6.8. Out-of-band management of PSM
6.8.1. Configuring the IPMI interface from the console
6.8.2. Configuring the IPMI interface from the BIOS
6.9. Managing the certificates used on PSM
6.9.1. Generating certificates for PSM
6.9.2. Uploading external certificates to PSM
6.9.3. Generating TSA certificate with Windows Certificate Authority on Windows Server 2008
6.9.4. Generating TSA certificate with Windows Certificate Authority on Windows Server 2012
7. General connection settings
7.1. Configuring connections
7.2. Modifying the destination address
7.3. Configuring inband destination selection
7.4. Modifying the source address
7.5. Creating and editing channel policies
7.6. Real-time content monitoring with Content Policies
7.6.1. Creating a new content policy
7.7. Configuring time policies
7.8. Creating and editing user lists
7.9. Authenticating users to an LDAP server
7.10. Audit policies
7.10.1. Encrypting audit trails
7.10.2. Timestamping audit trails with built-in timestamping service
7.10.3. Timestamping audit trails with external timestamping service
7.10.4. Digitally signing audit trails
7.11. Verifying certificates with Certificate Authorities
7.12. Signing certificates on-the-fly
7.13. Creating a Local User Database
7.14. Configuring cleanup for the PSM connection database
8. HTTP-specific settings
8.1. Limitations in handling HTTP connections
8.2. Authentication in HTTP and HTTPS
8.3. Setting up HTTP connections
8.3.1. Setting up a transparent HTTP connection
8.3.2. Enabling PSM to act as a HTTP proxy
8.3.3. Enabling SSL encryption in HTTP
8.3.4. Configuring half-sided SSL encryption in HTTP
8.4. Session-handling in HTTP
8.5. Creating and editing protocol-level HTTP settings
9. ICA-specific settings
9.1. Setting up ICA connections
9.2. Supported ICA channel types
9.3. Creating and editing protocol-level ICA settings
9.4. PSM deployment scenarios in a Citrix environment
9.5. Troubleshooting Citrix-related problems
10. RDP-specific settings
10.1. Supported RDP channel types
10.2. Creating and editing protocol-level RDP settings
10.3. Network Level Authentication (NLA) with PSM
10.3.1. Network Level Authentication (NLA) with domain membership
10.3.2. Using PSM across multiple domains
10.3.3. Network Level Authentication without domain membership
10.4. Verifying the certificate of the RDP server in encrypted connections
10.5. Enabling TLS-encryption for RDP connections
10.6. Using PSM as a Remote Desktop Gateway
10.7. Configuring Remote Desktop clients for gateway authentication
10.8. Inband destination selection in RDP connections
10.9. Usernames in RDP connections
10.10. Saving login credentials for RDP on Windows
10.11. Configuring RemoteApps
11. SSH-specific settings
11.1. Setting the SSH host keys and certificates of the connection
11.2. Supported SSH channel types
11.3. Authentication Policies
11.3.1. Creating a new authentication policy
11.3.2. Client-side authentication settings
11.3.3. Relayed authentication methods
11.3.4. Configuring your Kerberos environment
11.3.5. Kerberos authentication settings
11.4. Server host keys and certificates
11.4.1. Automatically adding the host keys and host certificates of a server to PSM
11.4.2. Manually adding the host key or host certificate of a server
11.5. Creating and editing protocol-level SSH settings
11.6. Supported encryption algorithms
12. Telnet-specific settings
12.1. Enabling TLS-encryption for Telnet connections
12.2. Creating a new authentication policy
12.3. Extracting username from Telnet connections
12.4. Creating and editing protocol-level Telnet settings
12.5. Inband destination selection in Telnet connections
12.6. Limitations of using TN5250 protocol with IBM iSeries Access for Windows
13. VMware Horizon View connections
13.1. PSM deployment scenarios in a VMware environment
14. VNC-specific settings
14.1. Enabling TLS-encryption for VNC connections
14.2. Creating and editing protocol-level VNC settings
15. Indexing audit trails
15.1. Configuring the internal indexer
15.2. Configuring external indexers
15.2.1. Prerequisites and limitations
15.2.2. Hardware requirements for the external indexer host
15.2.3. Configuring PSM to use external indexers
15.2.4. Installing the external indexer
15.2.5. Configuring the external indexer
15.2.6. Uploading decryption keys to the external indexer
15.2.7. Configuring a hardware security module (HSM) or smart card to integrate with external indexer
15.2.8. Customizing the indexing of HTTP traffic
15.2.9. Starting the external indexer
15.2.10. Disabling indexing on PSM
15.2.11. Managing the indexers
15.2.12. Upgrading the external indexer
15.2.13. Troubleshooting external indexers
15.3. Monitoring the status of the indexer services
15.4. HTTP indexer configuration format
16. Using the Search (classic) interface
16.1. Searching audit trails — the PSM connection database
16.1.1. Connection details
16.1.2. Replaying audit trails in your browser in Search (classic)
16.1.3. Replaying encrypted audit trails in your browser
16.1.4. Using the content search
16.1.5. Connection metadata
16.1.6. Using and managing search filters
16.1.7. The search and filter process
16.2. Displaying statistics on search results
17. Using the Search interface
17.1. Searching audit trails — the PSM connection database
17.1.1. Specifying time ranges
17.1.2. Using the connection search
17.1.3. Searching database fields
17.1.4. Using the content query
17.1.5. Displaying statistics on search results
17.1.6. Analyzing data using Privileged Account Analytics
17.1.7. The search and filter process
17.2. Viewing connection details
17.3. Replaying audit trails in your browser
17.4. Handling encrypted audit trails
18. Advanced authentication and authorization techniques
18.1. Configuring usermapping policies
18.2. Configuring gateway authentication
18.2.1. Configuring out-of-band gateway authentication
18.2.2. Performing out-of-band gateway authentication on PSM
18.2.3. Performing inband gateway authentication in SSH and Telnet connections
18.2.4. Performing inband gateway authentication in RDP connections
18.2.5. Troubleshooting gateway authentication
18.3. Configuring 4-eyes authorization
18.3.1. Configuring four-eyes authorization
18.3.2. Performing four-eyes authorization on PSM
18.4. Using credential stores for server-side authentication
18.4.1. Configuring local Credential Stores
18.4.2. Performing gateway authentication to RDP servers using local Credential Store and NLA
18.4.3. Configuring password-protected Credential Stores
18.4.4. Unlocking Credential Stores
18.4.5. Using Lieberman ERPM to authenticate on the target hosts
18.4.6. Using a custom Credential Store plugin to authenticate on the target hosts
18.5. Integrating external authentication and authorization systems
18.5.1. How Authentication and Authorization plugins work
18.5.2. Authorizing connections to the target hosts with a PSM plugin
18.5.3. Performing authentication with AA plugin in terminal connections
18.5.4. Performing authentication with AA plugin in Remote Desktop connections
18.5.5. Integrating ticketing systems
18.6. Ingesting logs with PSM
18.7. Creating a custom plugin
18.7.1. The available Python environment
18.7.2. File structure of a plugin
18.7.3. Plugin versioning
18.7.4. Troubleshooting plugins
19. Reports
19.1. Contents of the operational reports
19.2. Configuring custom reports
19.3. Creating reports from audit trail content
19.4. Creating statistics from custom database queries
19.5. Database tables available for custom queries
19.5.1. The alerting table
19.5.2. The aps table
19.5.3. The archives table
19.5.4. The audit_trail_downloads table
19.5.5. The channels table
19.5.6. The closed_connection_audit_channels view
19.5.7. The closed_not_indexed_audit_channels view
19.5.8. The connection_events view
19.5.9. The connection_occurrences view
19.5.10. The connections view
19.5.11. The events table
19.5.12. The file_xfer table
19.5.13. The http_req_resp_pair table
19.5.14. The indexer_jobs table
19.5.15. The occurrences table
19.5.16. The progresses table
19.5.17. The results table
19.5.18. The skipped_connections table
19.5.19. The usermapped_channels view
19.5.20. Querying trail content with the lucene-search function
19.6. Generating partial reports
19.7. Creating PCI DSS reports
19.8. Contents of PCI DSS reports
20.1. Requirements for using the RPC API
20.2. RPC client requirements
20.3. Locking PSM configuration from the RPC API
20.4. Documentation of the RPC API
20.5. Enabling RPC API access to PSM
22. PSM scenarios
22.1. Configuring public-key authentication on PSM
22.1.1. Configuring public-key authentication using local keys
22.1.2. Configuring public-key authentication using an LDAP server and a fixed key
22.1.3. Configuring public-key authentication using an LDAP server and generated keys
22.2. Organizing connections in non-transparent mode
22.2.1. Organizing connections based on port numbers
22.2.2. Organizing connections based on alias IP addresses
22.3. Using inband destination selection in SSH connections
22.3.1. Using inband destination selection with PuTTY
22.3.2. Using inband destination selection with OpenSSH
22.3.3. Using inband selection and nonstandard ports with PuTTY
22.3.4. Using inband selection and nonstandard ports with OpenSSH
22.3.5. Using inband destination selection and gateway authentication with PuTTY
22.3.6. Using inband destination selection and gateway authentication with OpenSSH
22.4. SSH usermapping and keymapping in AD with public key
23. Troubleshooting PSM
23.1. Network troubleshooting
23.2. Gathering data about system problems
23.3. Viewing logs on PSM
23.4. Changing log verbosity level of PSM
23.5. Collecting logs and system information for error reporting
23.6. Status history and statistics
23.6.1. Connection statistics
23.6.2. Memory
23.6.3. Disk
23.6.4. CPU
23.6.5. Network connections
23.6.6. Interface
23.6.7. Load average
23.6.8. Number of processes
23.6.9. Displaying custom connection statistics
23.7. Troubleshooting a PSM cluster
23.7.1. Understanding PSM cluster statuses
23.7.2. Recovering PSM if both nodes broke down
23.7.3. Recovering from a split brain situation
23.7.4. Replacing a HA node in a PSM cluster
23.7.5. Resolving an IP conflict between cluster nodes
23.8. Understanding PSM RAID status
23.9. Restoring PSM configuration and data
23.10. VNC is not working with TLS
23.11. Configuring the IPMI interface from the BIOS after losing IPMI password
23.12. Incomplete TSA response received
A. Configuring external devices
A.1. Configuring advanced routing on Linux
A.2. Configuring advanced routing on Cisco routers
A.3. Configuring advanced routing on Sophos UTM (formerly Astaro Security Gateway) firewalls
B. Using SCP with agent-forwarding
C. Security checklist for configuring PSM
D. Jumplists for in-product help
D.1. Basic Settings > Management
D.2. Basic Settings > Local Services
D.3. Basic Settings > System
D.4. <Protocol name> Control > Global Options
E. Open source licenses
E.1. GNU General Public License v2
E.1.1. Preamble
E.1.3. How to Apply These Terms to Your New Programs
E.2. GNU Lesser General Public License version 3
E.3. GNU Lesser General Public License v2.1
E.3.1. Preamble
E.3.3. How to Apply These Terms to Your New Libraries
E.4. GNU Library General Public License version 2
E.4.2. Preamble
E.4.5. How to Apply These Terms to Your New Libraries
E.5. License attributions
List of PSM web interface labels