This post is to record the steps I used to install PTA. There are lots of mistakes I made during installing PTA and integrating it with Vault and PVWA.
I used VM Installation – Hyper-V image. During lab, I used 16G RAM and 8 vCPU.
Table of Contents
Architecture
PTA-PSM Integration Architecture
Web GUI: https://<IP>
Monitoring : https://<IP>/monitoring
Install Wizard
Install PTA using the Wizard. It will be ran a couple of times. First time it will be used to change root password and set up network configuration. We also are able to see Web GUI to load license but it won’t be able to integrate with PAS Vault and PVWA.
1.
On the system console, log in as the root user using the following password: DiamondAdmin123!
2.
Navigate to the prepwiz folder using the PREPWIZDIR command.
3.
At the command line, run the following command:
./run.sh
The installation wizard begins. Default values are displayed in brackets. For any optional tasks, chose no.
On the system console, log in as the root user using the password you specified during installation.
2.
Start the PTA utility by running the following command:
/opt/tomcat/utility/run.sh
3.
Select 14. Generating a Certificate Signing Request (CSR).
You can also generate a Certificate Signing Request by running the /opt/tomcat/utility/certificateSigningRequestGenerationUtil.sh command.
4.
Specify the certificate details.
PTA Host name
Organization
Department
City
State
Country Code
PTA Server shared FQDN (this is optional for disaster recovery mode)
Subject Alternative Names (SAN)
The Certificate Signing Request (CSR) is created in the pta_server.csr file located at /opt/tomcat/ca.
5.
Provide the CSR to your organization’s Certificate Authority (CA).
6.
The CA generates the Certificate and the Certificate Chain.
Paste CSR into CA Advanced Certificate Request page and generate certificate.
1. Download Certificate, not the certificate chain.
2. From CA http://localhost/certsrv/ page, download CA certificate, not certificate chain.
Imported Signed Certificate and CA Certificate
1.
Upload the Certificate and the Certificate Chain using WinSCP to the PTA Server machine.
2.
On the system console, log in as the root user using the password you specified during installation.
3.
Start the PTA utility by running the following command:
You can also install the Certificate Chain by running the /opt/tomcat/utility/sslCertificateInstallationUtil.sh command.
5.
Specify the SSL certificate chain details of the PTA Server.
This step requires Vault Admin credentials using CyberArk authentication, and a restart of PTA services.
Installing SSL Certificate Chain (Root, Intermediate(s), PTA Server certificates):
a.
Specify the PTA Server Certificate location:
Specify PTA Server Certificate full path:
Do you have a Root Certificate (y/n)?:y
c.
Specify the root certificate location:
Specify your Root Certificate full path (for example: /tmp/RootCertificate.crt):
d.
Specify the first intermediate certificate location, if it exists:
Do you have Intermediate certificate(s) (y/n)?:n
Specify Intermediate Certificate full path:
e.
Continue to specify each additional intermediate certificate location, in order.
