TPAM DPA Virtual DPA and DPA Enrollment Failure

Sep. 1st 2014


Virtual DPA

TPAM and its associated appliances historically have all been physical appliances, on Dell server hardware, with the exception of the SCPW client.  Earlier this year, Dell finally released the TPAM DPA software as a virtual appliance.  This virtual appliance is a viable replacement for the DPA physical appliance and is available from the Dell Software Support site http://support.software.dell.com.

If you are entitled to the Virtual DPA software, download it from the Dell Software support page.  A common mistake when searching for it is to enter TPAM Appliance as the product name.  That does give access to the knowledge base and videos, with many troubleshooting articles and tutorials, but the only item in the download section is a link to the eDMZ site.

The virtual DPA software is actually available under the Privilege Password Manager section.  Once Privilege Password Manager has been entered as the product name, clicking on Download New Releases will expose Virtual DPA 3.38 as an option.  Clicking on the Virtual DPA 3.38 link or the Download link will give access to the Virtual Appliance and the documentation.  The virtual DPA is provided as an OVA package that is compatible with many virtualization systems.

This virtual appliance requires a minimum of 2GB of RAM, two processors, two NICs, and an initial hard drive of 12GB.  Prior to being utilized, the virtual disk needs to be extended to a minimum of 50GB to ensure there is enough space for the storage of session log recordings.  Once the appliance has been imported and the disk has been expanded, the configuration of the Virtual DPA is the same as the physical appliance.

Enrollment Failure

In working with the Virtual DPA, I came across an issue I had not encountered before.  Once I created the DPA in the TPAM cluster configuration and entered the enrollment string, TPAM reported that the enrollment had succeeded, but communication between the DPA and the TPAM appliance was not working.  One indication of this is that the Cluster Status page shows the status of the DPA as Unknown.


Also, when connected to the DPA console and option 1, “Check TPAM connectivity”, is selected from the menu, the result is either “Unable to identify TPAM Console connection information” or “Webservice is not running”.  The normal fix is to verify the SSH keys on TPAM: usually, when this issue arises, there are no SSH keys installed on TPAM.

First, log in to the TPAM Admin portal, mouse over Keys and click on Manage SSH Keys.


On the Manage SSH Keys window, if the issue described above is occurring, this window will be empty.  That is the problem: TPAM has no SSH keys stored, and this key is what TPAM uses to communicate with the DPA.  TPAM needs to have at least one SSH key installed.


Click Add Key.

Enter a key name, enter a start date and click Save Changes.


Once the key has been created, go back to Cluster Management and perform a re-enroll.

After the enrollment process completes, the TPAM connectivity test from the DPA should respond with details of the TPAM primary and any replicas joined to the cluster.

Author: Russ Burden, Technical Architect, LeadThem Consulting

Posted by LeadThem Consulting | in TPAM

TPAM – Configuring an Archive Server

Feb. 16th 2014


TPAM uses Archive Servers for multiple purposes.  Backups, system logs, session recordings, and data extracts can all be offloaded to Archive Servers.  The purpose of this document is to provide instructions on how to configure an Archive Server within TPAM and how to redirect Backups, System Logs, Session Logs, and Data Extracts to an Archive Server.

First, we need a system with some storage on which to keep the Backups, System Logs, Session Logs, and Data Extracts, and that system must accept an SCP connection.  The typical system is a Linux host with an NFS share mounted on it.  Create an account that has permission to write to the storage location where you wish to place the TPAM files.  If the same host will be used to archive multiple kinds of data, separate folder locations are recommended to keep the items organized and separate on the host.  The amount of storage required depends entirely on how long your retention period is.

Within TPAM for this exercise we will use the same host to save archives to, but three different file locations.  With this in mind, we will need to create three ‘Archive Servers’ within TPAM; they will all use the same host and the same account, and will only differ in the location where they store data.

Creating the Archive Servers for Backups and System Logs

1) Log into the /admin interface to begin, https://tpamhost/admin

2) Move the mouse over System Status/Settings, and click on Archive Servers

3) Click Add Server to add an Archive Server

4) Enter the Server Name (TPAM System Label), the network address (FQDN or IP), select the archive method (we will be using SCP using DSS Key for this example), the port to connect over (default is 22), the Account Name to connect to the host with, the Archive Server Path (the location to store items sent to this Archive Server; ensure this exists on the target host), and a Description.  Click Save Changes.

5) Now we need the Public Key to enable authentication.  Click Get Open SSH to retrieve the public key for this archive server instance.  Paste this key into the ~/.ssh/authorized_keys file on the archive host to enable authentication.  Every time a new archive server instance is created that uses the same host/account combination, its public key must be retrieved and pasted into the same authorized_keys file, because TPAM generates a new keypair for each archive server instance.

6) Once the key has been copied, click the Test button at the bottom to test this Archive Server instance.  Review the output for success or failure.  If a failure occurs, the reason will be in the output.  Troubleshoot the issue and retry.

Creating the Archive Server for Data Extracts

1) Follow the same procedure as above for the Backup and System Logs Archive Server, but for this example we are going to name the Archive Server ‘Archive-Extract’ and change the Path to Storage to /Archive/Data_Extract (again, ensure this path exists on the target host).  This keeps the Data Extract information organized and segregated from all other archive data.

Configuring the Backups to utilize Archive Server

1) In the /admin interface, mouse over Backup, and click on Modify Backup Settings.

2) Click the dropdown next to ‘Transfer the backup to this Archive Server’.  Notice that the dropdown lists the two Archive Servers configured in the previous sections.  Select the one created for your Backup and Log Files (labeled Archive-Backups-Logs in our example).

3) Click Save Changes.

4) To test the configuration, click Backup Now to initiate the backup process.  Once complete, you should see a backup package saved in the Archive Server location.

Configuring the System Logs to utilize Archive Server

1) In the /admin interface, mouse over System Status/Settings and click on Archive Log Settings.

2) Check the Enabled box and click the dropdown to select the Archive Server that was configured for Backups and System Logs (again, this example was named Archive-Backups-Logs).

3) Click Save Settings.

Creating the Archive Server for Session Logs

1) Log into the TPAM interface to begin, https://tpamhost/tpam

2) Move the mouse over Management, move down to Session Management and click on Archive Servers

3) You will see that no Archive Servers have been defined; click on Add Server.

4) Enter the Server Name (TPAM System Label), the network address (FQDN or IP), the port to connect over (default is 22), the Account Name to connect to the host with, the Archive Server Path (the location to store items sent to this Archive Server), a Description, and whether you wish to make this server the default server.  In small deployments, select this to avoid confusion when configuring services to utilize an Archive Server.  Click Save Changes.

5) Once the changes have been saved, retrieve the public key by clicking ‘Get Open SSH’; the /tpam archive servers only support key-based authentication.  This key will need to be pasted into the ~/.ssh/authorized_keys file on your archive server host to allow authentication from TPAM.

6) Once the key has been copied, click the Test button at the bottom to test this Archive Server instance.  Review the output for success or failure.  If a failure occurs, the reason will be in the output.  Troubleshoot the issue and retry.
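Step 5 of both archive-server procedures (the /admin servers earlier in this post and the /tpam session-log servers just above) has you paste a freshly generated TPAM public key into the same ~/.ssh/authorized_keys file, once per archive server instance. The helper below is an added example for the archive host, not part of TPAM or of this post: it validates the pasted key line, tags it with the TPAM server label so each per-instance key can be found and revoked later, skips keys that are already present, and sets the permissions sshd requires. The function names and the tpam-archive: comment tag are my own assumptions.

```shell
# add_archive_key: append one TPAM archive-server public key to an
# authorized_keys file. Hypothetical helper, not TPAM code.
#   $1 = path to authorized_keys, $2 = TPAM archive server label,
#   $3 = key line as shown by 'Get Open SSH' ("ssh-dss AAAA... [comment]")
add_archive_key() {
    akfile=$1
    label=$2
    ktype=$(printf '%s\n' "$3" | awk '{print $1}')
    kdata=$(printf '%s\n' "$3" | awk '{print $2}')

    # Accept only key types sshd understands (this post's example uses a DSS key).
    case "$ktype" in
        ssh-dss|ssh-rsa|ecdsa-sha2-nistp256|ssh-ed25519) ;;
        *) echo "add_archive_key: unsupported key type '$ktype'" >&2; return 1 ;;
    esac
    # The key material must be a single base64 token; anything else is a paste error.
    case "$kdata" in
        ''|*[!A-Za-z0-9+/=]*) echo "add_archive_key: key data is not base64" >&2; return 1 ;;
    esac

    # sshd ignores authorized_keys unless ~/.ssh is 700 and the file is not
    # group/world writable, which is a common reason the TPAM Test button fails.
    akdir=$(dirname "$akfile")
    mkdir -p "$akdir" && chmod 700 "$akdir"
    touch "$akfile" && chmod 600 "$akfile"

    # De-duplicate on the key material, not on the label, so re-pasting the
    # same key for an existing instance is a no-op.
    if grep -Fq -- " $kdata " "$akfile"; then
        echo "add_archive_key: key for '$label' already present" >&2
        return 0
    fi
    # Record the label as the key comment; TPAM generates a new keypair per
    # archive server instance, so the label is the only way to tell them apart.
    printf '%s %s tpam-archive:%s\n' "$ktype" "$kdata" "$label" >> "$akfile"
}

# count_archive_keys: how many TPAM archive-server keys a file currently authorises.
count_archive_keys() {
    n=$(grep -c ' tpam-archive:' "$1" 2>/dev/null) || n=0
    echo "$n"
}
```

Run it as the archive account for each label (Archive-Backups-Logs, Archive-Extract, and the session-log server), and remove a server's line by its tpam-archive: tag when that archive server is deleted in TPAM.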

Configure Session Logs to Save in the Archive Server

1) In the /tpam interface, mouse over Management and click on DPAs.

2) On the DPA Management screen, if you have a DPA, select it and click Details to configure the Archive Server for the DPA.  Otherwise, select your Local Server and click Details to configure the Archive Server for the TPAM Appliance.

3) Check the Auto Archive Session Logs box and click Save Changes.  This will enable Session Log archival to the default Archive Server.  If the Archive Server created in the previous step was not enabled as the Default Archive Server, you will need to select the Archive Server from the dropdown list and click Save Changes again.

Configure Data Extracts to Save in the Archive Server

1) In the /tpam interface, mouse over Reports, then Scheduled Reports, and click on Data Extract Schedules.

2) Select the Schedule you wish to enable for archiving and click Details.

3) Click the dropdown next to Transfer the data extract to Archive Server and select the desired Archive Server (Archive-Extract for this example).  Notice that even though we are working in the /tpam interface, the usable Archive Servers are the ones defined in the /admin interface.  The Archive Server definition in the /tpam interface is only used for Session Logs.

 

Author: Russ Burden, Technical Architect, LeadThem Consulting

Posted by LeadThem Consulting | in TPAM

Enabling Active Directory User Authentication in TPAM

Nov. 14th 2013

The TPAM appliance can utilize External Authentication Sources to permit user access to the TPAM interface for management of the appliance, as an auditor, or just as a normal user wanting to request a password or session from the system.  This article will be focused on allowing users within TPAM to access the appliance with their Active Directory credentials.

First we need to gather some information about the environment and the user(s) that need to authenticate using AD credentials.

For my test lab, below are the requirements:

Domain Name (FQDN): target.local

User Information:

First Name: John

Last Name: Smith

LoginID (sAMAccountName): JSMITH

1) Log into your appliance’s /admin interface with an administrator user (default is parmaster)

2) Move the mouse to System Status/Settings, move down to External Authentication, then click on WinAD.  (The TPAM interface does not require clicking on each option; these are mouse-over activated menus, and only the final option requires a mouse click.)

[Image: TPAMb1]

3) Within the WinAD window, click New System.

4) Enter the System Name; this is a TPAM-only reference name and can be anything you want.

5) Enter the Server Address; this can be an IP, a DC FQDN, or preferably, if DNS is working properly, the FQDN of the AD Domain Name.

6) (Optional) Change the Timeout; the default is 4 hours, and the maximum is 8 hours.

7) Click Save Changes and your newly configured System Name appears in the Configured Systems.

[Image: TAMb2]

At this point, TPAM has a configured external system to authenticate against, but the user account within TPAM must be configured to utilize this External Authentication source.  For this example, I will add a new user to TPAM and configure the user to login with its AD credentials.

8) Log in to your appliance’s /tpam interface with an administrator user (default is paradmin)

9) Move the mouse to Users & Groups, move to UserIDs, and click on Add UserID.

[Image: TPAMb3]

10) Once in the New UserID window, you will notice a multitude of fields available.  Note the fields with a red asterisk (*); these fields are mandatory when creating a user within TPAM.

[Image: TPAMb4]

11) Fill in the User Name field.  This is the TPAM User Name and does not necessarily need to be the same as the AD login id, but to cut down on confusion it is recommended to make them the same.

12) Fill in the user’s first and last name in the fields provided.

13) Fill in any other fields you wish; the rest are not required.

14) Select the User Type.  The default is Basic, and this is what the majority of TPAM users should be configured as.  This selector is where you can define a user as an Auditor, Administrator, etc.

15) At the bottom of the page is where we define how this user will authenticate to TPAM.  The default is for any new user to authenticate locally to TPAM, and that is what the password fields are for.  If you enter and confirm the password in these boxes and save the user, this user will authenticate locally to the TPAM appliance.

16) The User Authentication section right below the Password is where you define this user to utilize the External Authentication we created earlier.

17) On the Primary, click on the drop down next to Local and select WinAD.  When this is done, notice that the Select a System drop down enables and the password and confirm boxes go away.

18) Click the drop down for Select a System, and select the External Authentication that was defined earlier.

19) In the UserID box, enter the user’s AD sAMAccountName or UPN (if desired).

20) Your new user window should look similar to the image below.  Click Save Changes.

[Image: TPAMb5]

Now you have an External Authentication source and a new user configured to utilize that source.  Now we just need to test it.

1) Log out of TPAM and close all browser windows.

2) Launch your browser, open the /tpam interface and log in with your new user.

3) If everything was configured properly and Active Directory is reachable, your new user will receive the TPAM page below (note the user ID in the upper right corner):

[Image: TPAMb6]

Notice that this window is pretty sparse: since this was a new user created only for demoing External Authentication, it has no access to anything else in the system, but that is for another day.

Author: Russ Burden, LeadThem Consulting Architect

Posted by LeadThem Consulting | in TPAM