Installing PAM360 Agent

Before installing the agent, ensure that the account that you use to install the agent in the remote host has sufficient privileges to carry out password modifications.

Note: You need administrative privileges in the target system to execute the agent installation commands.

In this section, you will learn about the following in detail:

  1. Downloading the PAM360 Agents
  2. Installing Windows/Windows Domain Agent in the Resources/User Devices
  3. Installing Linux Agent in the Linux Resources/User Devices
  4. Configuring Agent Settings

1. Downloading the PAM360 Agents

  1. Navigate to 'Admin >> PAM360 Agents' and select the agent packages available for the following operating systems:
    • Windows
    • Windows Domain
    • Linux
  2. In the pop-up that appears, copy the Agent Key using the copy icon beside it. This Agent Key is necessary to install the PAM360 agent in the target system and it can be used one time only. Once the Agent Key is supplied for an installation, it will become invalid.
  3. To keep the agent key in active status for a longer period, select the option Allow the key to be active for: X hours and specify the number of hours. Now, the same Agent Key can be used for any number of agent installations within the specified time.

    Notes:
    1. Please do not share this key as it might cause the unauthorized use of the agent.
    2. Open the <PAM360 Installation Folder>/conf/system_properties.conf file and add the following entry to extend the key validity up to 999 hrs.
    - agent.gpo.time=999

  4. Click Download Agent to download the agent zip. Once the agent package zip file is downloaded, unzip the content in the respective resource/user device.

2. Installing Windows/Windows Domain Agent in the Resources/User Devices

2.1 Installation using Command Prompt

a. To Install the Agent in the Resources

  1. Open a command prompt and navigate to the PAM360 agent installation directory.
  2. Execute the following command as per your agent installation requirements:
    1. To install the agent as a service for password management, self-service privilege elevation, and zero trust implementation, execute the command AgentInstaller.exe install <Agent Key copied from the PAM360 UI> 1,2,3.
    2. To install the agent as a service for password management, execute the command AgentInstaller.exe install <Agent Key copied from the PAM360 UI> 1.
    3. To install the agent as a service for self-service privilege elevation, execute the command AgentInstaller.exe install <Agent Key copied from the PAM360 UI> 2.
      To learn more about configuring Self-Service Privilege Elevation in Windows, click here.
    4. To install the agent as a service for zero trust implementation, execute the command AgentInstaller.exe install <Agent Key copied from the PAM360 UI> 3.
      To learn more about zero trust implementation in PAM360, click here.
  3. Upon the respective action, the Windows/Windows Domain agent will be installed and the respective PAM360 agent service will start automatically.

b. To Install the Agent in the User Devices for Zero Trust Approach

  1. Execute the command - AgentInstaller.exe install <Agent Key copied from the PAM360 UI> userdevice <PAM360 username>.

    Note:
    If you install the agent as a service for a user device, it will be utilized to retrieve data from the user device for user trust score calculation. However, any device that has the agent configured in this manner will not be added as a resource in PAM360. Therefore, operations such as Self-Service Privilege Elevation and Password Management will not apply to those devices.

c. To Start the Agent Service in the Resources/User Devices

    1. Open a command prompt and navigate to the PAM360 agent installation directory.
    2. Execute the command AgentInstaller.exe start.
    3. The previously installed PAM360 agent service will start now.

d. To Update the Agent in the Resources

In case the PAM360 agent was previously installed by a different administrator, use this command to update the user account under which the agent server will be added as a resource. The agent server will be added as a resource under the new admin user without the need to uninstall and reinstall the agent. However, the new administrator will not have access to the accounts that were previously under the agent server. To gain access to the accounts, the previous admin has to transfer the ownership of the resource to the new admin.

  1. Open a command prompt and navigate to the PAM360 agent installation directory.
  2. Execute the following command as per your agent update requirements:
    1. To update the agent as a service for password management, self-service privilege elevation, and zero trust implementation, execute the command AgentInstaller.exe update <Agent Key copied from the PAM360 UI> 1,2,3.
    2. To update the agent as a service for password management, execute the command AgentInstaller.exe update <Agent Key copied from the PAM360 UI> 1.
    3. To update the agent as a service for self-service privilege elevation, execute the command AgentInstaller.exe update <Agent Key copied from the PAM360 UI> 2.
      To learn more about configuring Self-Service Privilege Elevation in Windows, click here.
    4. To update the agent as a service for zero trust implementation, execute the command AgentInstaller.exe update <Agent Key copied from the PAM360 UI> 3.
      To learn more about zero trust implementation in PAM360, click here.
  3. Upon the respective action, the Windows agent will be updated and the PAM360 agent service will start automatically.

e. To update the Agent in the User Devices for Zero Trust Approach

  1. Execute the command - AgentInstaller.exe update <Agent Key copied from the PAM360 UI> userdevice <PAM360 username>.

    Note:
    If you update the agent as a service for a user device, it will be utilized to retrieve data from the user device for user trust score calculation. However, any device that has the agent configured in this manner will not be added as a resource in PAM360. Therefore, operations such as Self-Service Privilege Elevation and Password Management will not apply to those devices.

f. To Stop the Agent Service in the Resources/User Devices

    1. Open a command prompt and navigate to the PAM360 agent installation directory.
    2. Execute the command AgentInstaller.exe stop.
    3. Now the PAM360 agent service will stop and it will be uninstalled.

2.2 Installation using PAM360 Agent Installer


Prerequisite: Ensure that the agent-installed folder has complete permission for both the privileged account and the user account.

After downloading the agent, extract the folder and navigate to PAM360Agent >> bin.

a. To Install the Agent in the Resources/User Devices

  1. Right-click AgentInstaller.exe and select Run as administrator.
  2. The PAM360 Agent Installer wizard appears on the screen.
  3. Select the Install option.
  4. Enter the Installation Key and specify the Installation Path. Click Next.
  5. In the Configurations page that opens:
    1. Enter/modify the fields, such as Resource Type, Server Name, Port, Schedule Interval, Resource Owner, etc., based on your agent installation requirements.
    2. Select the respective Usage Type of the agent. If you are installing the PAM360 agent in a user device to fetch user device data for user trust score calculation, select the Usage Type as User Device and enter the PAM360 user name to whom the user device is associated. If you are installing the PAM360 agent in an organization resource to fetch device data for resource trust score calculation, select the Usage Type as Resource.

      Notes:
      If you choose User Device as the Usage Type, the Modules section will automatically select Zero Trust by default. Any device that has the PAM360 agent installed with Usage Type - User Device will not be added as a resource in PAM360. The operations such as Self-Service Privilege Elevation and Password Management will not apply to those devices.

    3. Select the desired modules for your requirements from the PAM360 agent by enabling the corresponding checkboxes for 'Manage Passwords', 'Self-Service Privilege Elevation', and/or 'Zero Trust' in the Modules section.
      1. If you enable Manage Passwords, a service will be added that will request the server periodically to verify and/or reset the password of accounts.
      2. If you enable Self-Service Privilege Elevation, a Self-Service Privilege Elevation module will be added.
        To learn more about configuring Self-Service Privilege Elevation, click here.
      3. If you enable Zero Trust, a service will be added that will request the user devices or resources' system data periodically, as defined above in the Usage Type for the trust score parameter validation.
        To learn more about implementing the Zero Trust approach in an organization, click here.
    4. By default, the SSL Certificate Installed field is set to Yes. If there is no valid SSL certificate installed in the PAM360 server, change the SSL Certificate Installed field to No.
       Note: The Test Server Connection status will show as failed if Yes is selected in the SSL Certificate Installed field while no valid SSL certificate is installed in the PAM360 server.

  6. On the Operations page, check if the first two conditions are met and click Install.

You have now successfully installed the Windows/Windows Domain agent.

Notes:

  1. By default, all the files/applications (.exe, .msc, .msi, .cmd, and .bat) will have "Run as PAM360 Privilege Account" in the right-click menu. But the privilege elevation works only for those files/applications that are configured in PAM360.
  2. When Self-Service Privilege Elevation is installed, the agent information will not be available in the services console.

b. To Start the Agent Service in the Resources/User Devices:

  1. Right-click AgentInstaller.exe and select Run as administrator.
  2. The PAM360 Agent Installer wizard appears on the screen.
  3. Click the Operations icon.
  4. Right-click the three dots beside Agent Service Status and click Start.
  5. From here, you can also Stop, Restart the agent and Go to the Service Console.

c. To Update the Agent in the Resources/User Devices

  1. Right-click AgentInstaller.exe and select Run as administrator.
  2. The PAM360 Agent Installer wizard appears on the screen.
  3. Select the Reinstall option.
  4. Enter the Installation Key and specify the Installation Path. Click Next.
  5. In the Configurations page that opens:
    1. Modify the fields, such as Resource Type, Server Name, Port, Schedule Interval, Resource Owner, etc., based on your agent installation requirements.
    2. Select the respective Usage Type of the agent. If you are updating the PAM360 agent in a user device to fetch user device data for user trust score calculation, select the Usage Type as User Device and enter the PAM360 user name to whom the user device is associated. If you are updating the PAM360 agent in an organization resource to fetch device data for resource trust score calculation, select the Usage Type as Resource.

      Notes:
      If you choose User Device as the Usage Type, the Modules section will automatically select Zero Trust by default. Any device that has the PAM360 agent updated with Usage Type - User Device will not be added as a resource in PAM360. The operations such as Self-Service Privilege Elevation and Password Management will not apply to those devices.

    3. Select the desired modules for your requirements from the PAM360 agent by enabling the corresponding checkboxes for 'Manage Passwords', 'Self-Service Privilege Elevation', and/or 'Zero Trust' in the Modules section.
      1. If you enable Manage Passwords, a service will be added that will request the server periodically to verify and/or reset the password of accounts.
      2. If you enable Self-Service Privilege Elevation, a Self-Service Privilege Elevation module will be added.
        To learn more about configuring Self-Service Privilege Elevation, click here.
      3. If you enable Zero Trust, a service will be added that will request the user devices or resources' system data periodically, as defined above in the Usage Type for the trust score parameter validation.
        To learn more about implementing the Zero Trust approach in an organization, click here.
    4. By default, the SSL Certificate Installed field is set to Yes. If there is no valid SSL certificate installed in the PAM360 server, change the SSL Certificate Installed field to No.
       Note: The Test Server Connection status will show as failed if Yes is selected in the SSL Certificate Installed field while no valid SSL certificate is installed in the PAM360 server.

  6. On the Operations page, check if the first two conditions are met and click Next to reinstall the agent.

You have now successfully reinstalled the C# agent.

d. To Uninstall the Agent from the Resources/User Devices

  1. Right-click AgentInstaller.exe and select Run as administrator.
  2. In the wizard that appears, select Uninstall and click Next.
  3. In the Configurations page, select the Modules (Manage Passwords, Self-Service Privilege Elevation, and/or Zero Trust) you want to uninstall and click Next.
  4. In the Operations page, check if the first two conditions are met. Click Uninstall.

You have now successfully uninstalled the Windows/Windows Domain agent.

3. Installing Linux Agent in the Linux Resources/User Devices


Notes:

  1. You need root privileges in the target system to execute the commands in this section.
  2. PAM360 agents (32bit, 64bit) support the Linux flavors with the default OpenSSL library only.
  3. Go-Agent supports all Linux flavors.

3.1 To Install the Agent in the Resources

  1. Open a command prompt and navigate to the PAM360 agent installation directory.
  2. Refer to the below steps to install the agent as per your requirement (bash command applicable for Go Agent only):
    1. To install the agent as a service for password management, self-service privilege elevation, and zero trust implementation, execute the command sh installAgent-service.sh/bash installAgent-service.bash install <Agent Key copied from the PAM360 UI> 1,2,3.
    2. To install the agent as a service for password management, execute the command sh installAgent-service.sh/bash installAgent-service.bash install <Agent Key copied from the PAM360 UI> 1.
    3. To install the agent as a service for self-service privilege elevation, execute the command sh installAgent-service.sh/bash installAgent-service.bash install <Agent Key copied from the PAM360 UI> 2.
      To learn more about configuring Self-Service Privilege Elevation in Linux, click here.
    4. To install the agent as a service for zero trust implementation, execute the command sh installAgent-service.sh/bash installAgent-service.bash install <Agent Key copied from the PAM360 UI> 3.
      To learn more about zero trust implementation in PAM360, click here.
  3. The Linux agent will be installed and the PAM360 agent service will start automatically.

3.2 To Install the Agent in the User Devices for Zero Trust Approach

  1. Execute the command - installAgent-service.sh install <key> userdevice <PAM360 username>.

    Note:
    If you install the agent as a service for a user device, it will be utilized to retrieve data from the user device for user trust score calculation. However, any device that has the agent configured in this manner will not be added as a resource in PAM360. Therefore, operations such as Self-Service Privilege Elevation and Password Management will not apply to those devices.

3.3 To Start the Agent Service in the Resources/User Devices

    1. Open a command prompt and navigate to the PAM360 agent installation directory.
    2. Execute the command sh installAgent-service.sh/bash installAgent-service.bash start (bash command applicable for Go Agent only).
    3. The previously installed PAM360 agent service will start now.

3.4 To Update the Agent in the Resources

In case the PAM360 agent was previously installed by a different admin user, use this command to update the user account under which the agent server will be added as a resource. The agent server will be added under the new admin user without the need to uninstall and reinstall the agent. However, the new admin will not have access to the accounts that were previously under the agent server. To gain access to the accounts, the previous admin has to transfer the ownership of the resource to the new admin.

  1. Open a command prompt and navigate to the PAM360 agent installation directory.
  2. Refer to the below steps to update the agent as per your requirement (bash command applicable for Go Agent only):
    1. To update the agent as a service for password management, self-service privilege elevation, and zero trust implementation, execute the command sh installAgent-service.sh/bash installAgent-service.bash update <Agent Key copied from the PAM360 UI> 1,2,3.
    2. To update the agent as a service for password management, execute the command sh installAgent-service.sh/bash installAgent-service.bash update <Agent Key copied from the PAM360 UI> 1.
    3. To update the agent as a service for self-service privilege elevation, execute the command sh installAgent-service.sh/bash installAgent-service.bash update <Agent Key copied from the PAM360 UI> 2.
      To learn more about configuring Self-Service Privilege Elevation in Linux, click here.
    4. To update the agent as a service for zero trust implementation, execute the command sh installAgent-service.sh/bash installAgent-service.bash update <Agent Key copied from the PAM360 UI> 3.
      To learn more about zero trust implementation in PAM360, click here.
  3. The Linux agent will be updated and the PAM360 agent service will start automatically.

3.5 To Update the Agent in the User Devices for Zero Trust Approach

  1. Execute the command - installAgent-service.sh update <key> userdevice <PAM360 username>.

    Note:
    If you update the agent as a service for a user device, it will be utilized to retrieve data from the user device for user trust score calculation. However, any device that has the agent configured in this manner will not be added as a resource in PAM360. Therefore, operations such as Self-Service Privilege Elevation and Password Management will not apply to those devices.

3.6 To Stop the Agent Service in the Resources/User Devices

    1. Open a command prompt and navigate to the PAM360 agent installation directory.
    2. Execute the command sh installAgent-service.sh/bash installAgent-service.bash stop (bash command applicable for Go Agent only).
    3. The Linux agent service will be stopped.

3.7 To Uninstall the Agent from the Resources/User Devices

    1. Open a command prompt and navigate to the PAM360 agent installation directory.
    2. Execute the command sh installAgent-service.sh/bash installAgent-service.bash remove (bash command applicable for Go Agent only).
    3. The Linux agent will be uninstalled and removed.

4. Configuring Agent Settings

Open the agent.conf file available in the downloaded agent package. The following are the parameters listed in the conf file, some of which can be modified to suit your needs:

  1. AgentType: This denotes the type of agent i.e., agent with PAM360 features.
  2. ServerName: This is the server/IP Address that the PAM360 agent will try to reach to contact the PAM360 server.
  3. ServerPort: This indicates the port in which the PAM360 server is running. If you have changed the default port of PAM360 to any other port such as 443, the same port number must be updated here.
  4. ScheduleInterval: By default, the agent pings the server once every 60 seconds. To configure the time interval at which the agent should ping the PAM360 web server, modify the time interval value in seconds.
  5. UserName: This is the admin user account under which the agent server will be added as a resource.
  6. OSType: Denotes the OS to which the agent belongs - Windows/Windows Domain/Linux.
  7. TrustedCertifcate: By default, this value will be 'yes'. If there is no valid SSL certificate installed in the PAM360 server, edit this value to 'no'.

PAM360 allows the restriction of user accounts that are added via agents (C# and Go) during account discovery, using regex patterns. To do the same, use the below UserQuery and accountFilter commands:

  • UserQuery: To filter the accounts in Linux (Go Agent).

    UserQuery = "awk -F: '$1 ~ /^admin.*/ {print$1}' /etc/passwd"

    // to discover accounts that start with admin.


  • accountFilter: To filter accounts in Windows/Windows Domain (C# Agent).

    accountFilter=^admin.*

    // to discover accounts that start with admin.

    Note: Windows Domain agent will not automatically add user accounts unless you specify the pattern in the account filter.


  • fetchDisabledAccount: To fetch disabled accounts in Windows/Windows Domain (C# Agent).

    fetchDisabledAccount=True

The commands UserQuery, accountFilter and fetchDisabledAccount are applicable from build 5301 and later only.

Once any of the above parameters are modified, restart the agent service.
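
A check to run on agent.conf before restarting the agent, added here as an example and not ManageEngine's code: it flags TrustedCertifcate set to 'no' and account filters that restrict less than intended, and previews which account names a regex selects. It assumes one key = value pair per line as in the snippets above; the function names conf_get, preview_accounts and audit_agent_conf and all sample values are hypothetical.

```shell
#!/bin/sh
# Added example, not ManageEngine code. Assumes agent.conf holds one
# "key = value" pair per line, as the snippets on this page suggest.

# conf_get FILE KEY: print KEY's value, trimmed and without surrounding quotes.
conf_get() {
    awk -v key="$2" '{
        eq = index($0, "=")
        if (eq == 0) next
        k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", k)
        gsub(/^[ \t]+|[ \t\r]+$/, "", v)
        gsub(/^"|"$/, "", v)
        if (k == key) { print v; exit }
    }' "$1"
}

# preview_accounts REGEX PASSWD_FILE: names the regex selects, using the same
# awk test ($1 ~ /regex/) as the UserQuery shown on this page.
preview_accounts() {
    RE=$1 awk -F: '$1 ~ ENVIRON["RE"] { print $1 }' "$2"
}

# audit_agent_conf FILE: print one finding per line; no output means no finding.
audit_agent_conf() {
    conf=$1
    tls=$(conf_get "$conf" TrustedCertifcate)    # key spelled as on this page
    case $tls in
        [Nn][Oo]) echo "WARN TrustedCertifcate=no: agent runs without a valid PAM360 server certificate" ;;
    esac
    filter=$(conf_get "$conf" accountFilter)
    case $filter in
        '')                ;;   # no filter configured
        '.*'|'^.*'|'^.*$') echo "WARN accountFilter=$filter: matches every account name" ;;
        '^'*)              ;;   # anchored at the start of the name
        *)                 echo "INFO accountFilter=$filter: unanchored, matches the text anywhere in a name" ;;
    esac
    disabled=$(conf_get "$conf" fetchDisabledAccount)
    case $disabled in
        [Tt][Rr][Uu][Ee]) echo "INFO fetchDisabledAccount=$disabled: disabled accounts are fetched too" ;;
    esac
}

# Constructed sample input (hostname, port and accounts are made up).
demo=$(mktemp -d)
cat > "$demo/agent.conf" <<'EOF'
ServerName = pam360.example.internal
ServerPort = 443
TrustedCertifcate = no
accountFilter=admin
fetchDisabledAccount=True
EOF
cat > "$demo/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
admin:x:1000:1000::/home/admin:/bin/bash
admin_db:x:1001:1001::/home/admin_db:/bin/bash
sysadmin:x:1002:1002::/home/sysadmin:/bin/bash
EOF
audit_agent_conf "$demo/agent.conf"
echo "^admin.* selects: $(preview_accounts '^admin.*' "$demo/passwd" | tr '\n' ' ')"
echo "admin    selects: $(preview_accounts 'admin' "$demo/passwd" | tr '\n' ' ')"
rm -rf "$demo"
```

The preview uses awk's regex dialect, so treat its result for a Windows accountFilter pattern as an approximation.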
