InfoSec Memo

Learning, Sharing, Creating

CyberArk

CyberArk PAS Installation – Part 5 – PTA

Bynetsec

Jun 22, 2020

This post is to record the steps I used to install PTA. There are lots of mistakes I made during installing PTA and integrating it with Vault and PVWA.

I used VM Installation – Hyper-V image. During lab, I used 16G RAM and 8 vCPU.

Architecture

PTA-PSM Integration Architecture

Web GUI: https://<IP>
Monitoring : https://<IP>/monitoring

Install Wizard

Install PTA using the Wizard. It will be ran a couple of times. First time it will be used to change root password and set up network configuration. We also are able to see Web GUI to load license but it won’t be able to integrate with PAS Vault and PVWA. 
1. On the system console, log in as the root user using the following password: DiamondAdmin123!
2. Navigate to the prepwiz folder using the PREPWIZDIR command.
3. At the command line, run the following command:
./run.sh
The installation wizard begins. Default values are displayed in brackets. For any optional tasks, chose no. 

Log into Web GUI

https://<IP>

Username : administrator
Password : Administrator

You will need a license file to continue logging into Web GUI.

Generate CSR and Send to CA to Sign

Note:  Import your Organization’s SSL Certificate.

Generate a Certificate Signing Request for the PTA Server

The Certificate Signing Request (CSR) is created in the pta_server.csr file located at /opt/tomcat/ca.
5. Provide the CSR to your organization’s Certificate Authority (CA).
6. The CA generates the Certificate and the Certificate Chain.

Paste CSR into CA Advanced Certificate Request page and generate certificate.
1. Download Certificate, not the certificate chain.
2.  From CA http://localhost/certsrv/ page, download CA certificate, not certificate chain.

Imported Signed Certificate and CA Certificate

1. Upload the Certificate and the Certificate Chain using WinSCP to the PTA Server machine. 
2. On the system console, log in as the root user using the password you specified during installation.
3. Start the PTA utility by running the following command:
/opt/tomcat/utility/run.sh
4. Select 15. Installing SSL Certificate Chain (Root, Intermediate(s), PTA Server certificates).
You can also install the Certificate Chain by running the /opt/tomcat/utility/sslCertificateInstallationUtil.sh command.
5. Specify the SSL certificate chain details of the PTA Server.
This step requires Vault Admin credentials using CyberArk authentication, and a restart of PTA services.
Installing SSL Certificate Chain (Root, Intermediate(s), PTA Server certificates):
a. Specify the PTA Server Certificate location:
Specify PTA Server Certificate full path:

Do you have a Root Certificate (y/n)?:y

c. Specify the root certificate location:
Specify your Root Certificate full path (for example: /tmp/RootCertificate.crt):
d. Specify the first intermediate certificate location, if it exists:
Do you have Intermediate certificate(s) (y/n)?:n
Specify Intermediate Certificate full path:
e. Continue to specify each additional intermediate certificate location, in order.
f. The SSL Server Certificate is installed:
SSL Certificate Chain installed successfully

Run Install Wizard Again

YouTube Video:

References

By netsec

Related Post

CyberArk

CyberArk PAS Core Design and Deployment Considerations

Feb 28, 2021 Jon
CyberArk

Secure Access with an HTML5 Gateway

Nov 30, 2020 Nishant Srivastava
CyberArk Security

CyberArk EPM upgrade from V11.0 to V11.5

Nov 30, 2020 Nishant Srivastava

Leave a Reply

%d bloggers like this: