.png){kind=logo}
PIAM Deployment
- 20 May 2024
- 5 Minutes to read
- Print
- DarkLight
- PDF
PIAM Deployment
- Updated on 20 May 2024
- 5 Minutes to read
- Print
- DarkLight
- PDF
Article summary
Did you find this summary helpful?
Thank you for your feedback
CPIAM Deployment
Our CPIAM solution is designed to help organization secure their privileged accounts, while also providing them with granular control and visibility over who has access to those accounts and how they are used. Our solution is designed to be easy to use, secure and cost-effective. We provide a single platform to manage and secure privileged accounts across multiple systems and accounts.
Our solution is designed to be highly scalable to meet the needs of “SMB” organizations, and we offer advanced identity governance capabilities to ensure that access is only granted to the right people. Our pricing model is designed to provide organizations with flexibility and cost savings. We are committed to providing the highest level of customer service and support.
Cross Identity is a powerful converged IAM solution it provides different modules within a single source of setup and customer do not require separate services to run on their environment.
System Architecture
The CPIAM is made up of several core components including:
• Apache CPIAM web application software
• Apache CPIAM "guacd" protocol service
• NGINX for SSL termination and reverse proxy
• Apache Tomcat services
• MySQL, PostgreSQL or other supported databases
CPIAM Deployment Single-Node
Our PAM solution supports a variety of protocols for connecting servers, including SSH, Telnet, VNC, and RDP We also support a variety of authentication methods, such as password-based authentication, public key authentication, and two-factor authentication.
CPIAM On Prem Architecture
Sr. No. | CI Solution Components | Description | Platform |
|---|---|---|---|
1. | CI Server Node | This module is the central component of the CI solution. It provides both User Interface logic as well as all business process logic. For HA - Multiple nodes can be configured with an LB. | Apache Tomcat on Ubuntu Server |
2. | CI DB Server Node | This is the persistent data store for Cross Identity. It includes the data from AM, IGA, and PAM modules. | MySQL Server (with Percona for cluster) |
3. | CI Cache Server | CI Cache Server:- CI caches the running data on this cache module. For HA, this will be set up as a cluster. | Hazelcast IDMG on Ubuntu Server |
4. | CI Scheduler & CI Recon service | CI Scheduler Server: CI scheduler and notification processes are used for running scheduled jobs and sending notifications. Also, it is recommended to deploy the same CIDSaas war file on this server. CI Recon Service: This war file reads the Recon data on RabbitMQ and updates that in CI DB. | Apache Tomcat on the Ubuntu Server |
5. | CI Recon & Audit Queue | Message Queue for Connector: The IGA Connectors write the recon data in this queue during the Recon process. CI Audit Message Queue: Message Queue for Auditing. | RabbitMQ on the Ubuntu server |
6. | CI PAM Node | This module provides the Privileged Access Management features. | Apache Tomcat on the Ubuntu Server |
7. | CI Agent | This module ensures the communication between the CI server and the AD and other IGA applications. | Apache Tomcat on the Ubuntu Server |
CPIAM Cloud Architecture
Sr. No. | CI Solution Components | Description | CI- Cloud Platform |
|---|---|---|---|
1. | CI Server Node | This module is the central component of the CI solution. It includes AM and IGA modules. It provides both User Interface logic as well as all business process logic. For HA - Multiple nodes can be configured with an LB. | Apache Tomcat on EC2 Ubuntu Server |
2. | CI DB Server Node | This is the persistent data store for Cross Identity. It includes the data from AM, IGA, and PAM modules. | AWS RDS |
3. | CI Cache Server | CI Cache Server:- CI caches the running data on this cache module. For HA, this will be set up as a cluster. | Hazelcast IDMG on EC2 Ubuntu Server |
4. | CI Scheduler & CI Recon service | CI Scheduler Server: CI scheduler and notification processes are used for running scheduled jobs and sending notifications. Also, it is recommended to deploy the same CIDSaas war file on this server. CI Recon Service: This war file reads the Recon data on RabbitMQ and updates that in CI DB. | Apache Tomcat on the EC2 Server |
5. | CI Agent Message Queue, CI Recon & Audit Queue | Meessage Queue for Agent Communication. Message Queue for Connector. The IGA Connectors write the recon data in this queue during the Recon process. CI Audit Message Queue: Message Queue for Auditing | AWS SQS |
6. | CI Storage | Used for storing static files (logs, certs etc) | RabbitMQ Service |
7. | CI PAM Node | This module provides the Privileged Access Management features. | Apache tomcat on EC2 |
8. | CI Passwordless Authentication | This module provides a Passwordless Authentication feature. | FIDO Server on EC2 Server |
Note:
CI On-Premise Agent (9) and CI SAG module (10) are deployed on the customer’s environment.ur content goes here.
Below table provides the hardware specifications for deploying the CPIAM solution on the customer’s environment:
Hardware Specifications | |||||||
Sr. No. | OS and Hard-Drive Size | Core | RAM | Hard Disk | DB Server | UAT environment | Production Environment |
|---|---|---|---|---|---|---|---|
1. | Linux (Centos or RHEL) | 8 | 16GB | 200 | 1 | 1 | 1 |
Note:
Two servers are considered in UAT as well to test the High-availability and load-balancing scenarios.
Concurrent Connections | CPU | Memory |
|---|---|---|
0-25 | 2 | 2GB |
26-50 | 3 | 6GB |
51-100 | 4 | 8GB |
101-200 | 8 | 16GB |
Hardware Requirements
Server Hardware: A dedicated server machine with sufficient CPU, RAM, and storage to host the CI-PAM Server component.
Network Infrastructure: Reliable network connectivity with adequate bandwidth to handle remote desktop connections.
Client Devices: End-user devices such as laptops, desktops, or mobile devices with web browsers to access CI-PAM Clients.
Database Configuration
Database Backend: Apache CI-PAM can utilize databases like MariaDB for storing configuration data and connection details.
Configure Database Connection: Edit the guacd.conf file to specify the necessary configuration details, including the database hostname, port, database name, username, and password.
Pre-requisites to setup CPIAM
Below table provides the hardware specifications for deploying CPIAM solution on the customer’s environment:
Hardware Specifications | |||||||
|---|---|---|---|---|---|---|---|
Sr. No. | OS & Hard-Drive Size | Cores | RAM | Hard Disk | DB Server | UAT environment | Production environment |
1. | Linux (Ubuntu or RHEL) | 8 | 16GB | 200 | 1 | 1 | 1 |
Note:
Two servers are considered in UAT as well to test the High-availability and load-balancing scenarios.
Band | No. of Systems | Core | RAM | |
|---|---|---|---|---|
1. | 0-50 | 2 | 8GB | 500GB |
2. | 50-100 | 4 | 8GB | 500GB |
3. | 100-200 | 8 | 16GB | ITB |
Internet access should be provided to install cpam dependences.
JAVA, Tomcat and Mysql should be installed as part of pre-requisite components.
CPAM server should have root access.
The CPAM agent server should communicate to all the internal servers. For example, if RDP and SSH systems should integrate then the port should be enabled 22/3389.
Pre-requisites to setup CPAM Agent
Internet access should be provided to install fwknop-server (Please note, internet is required only to install fwknop-server)
CPAM Agent should have a public IP address. (behind the NLN and we need NLB Public IP)
These two ports should be allowed/added to the security group UDP (62201) and TCP (4022).
CPAM agent server should communicate to all the internal servers for example if RDP and SSH systems the port should be enabled 22/3389.
CPAM Agent server will have only inbound.
CPMA Agent must have root access.
Hardware Specifications
Sr.No.
OS & Hard-Drive Size
Cores
RAM
Hard Disk
DB Server
UAT
environment
Production environment
1.
Linux (Ubuntu or RHEL)
8
16GB
201
1
1
1
Was this article helpful?
.png)