Gatekeeper

Introduction

The Gatekeeper is an Imprivata Customer Privileged Access Management component that you install on a Windows or Linux server within a customer network. A Gatekeeper:

  • Enables a secure connection between a CPAM Vendor and their customer environment by encrypting all traffic between the Gatekeeper and the CPAM server. All the Gatekeeper's components employ FIPS-validated cryptographic modules for all encryption activity. Users can increase encryption levels on some of these components and modules to meet additional security standards.

  • Gives a vendor secure access to a customer's systems and services to provide support, while also providing control and visibility over their vendor access and actions.

  • Provides a detailed audit of each vendor session. The Gatekeeper can also be configured to send email notifications when a vendor initiates and completes a connection to a Gatekeeper.

This guide is intended for users who are installing the Gatekeeper.

IMPORTANT:
Ensure that you comply with the requirements listed in the Installation page.

Windows Installation

You can install the CPAM Gatekeeper on Windows server.

NOTE:

The Gatekeeper does not require a dedicated host machine.

Step 1: Running the Installer

To install the Gatekeeper on a Windows server, you must locate your Gatekeeper's registration code and download the installation wizard. Depending on what user type you are, you can find the resources following different steps.

To locate your registration code and installation wizard, vendors/administrators must access the CPAM Administrator Console. From the top menu bar:

  1. Hover the Customers menu and click the List Customer option.

    The Customers page displays all your customers and specifies how many Gatekeepers each customer has.

  2. Click the name of the customer that is getting a Gatekeeper installed.

  3. Click the Gatekeeper you want to install to open the View Gatekeeper page.
    From this page, you can continue with two different installation methods:

    • Copy the long registration code from the Gatekeeper Information section.

    • Copy the short registration code from the Session Information section and copy the validation words from the Gatekeeper Registration Information section.

      • NOTE:

      The method that employs the short registration code and validation words provides an additional layer of entropy to the Gatekeeper installation process. Use whichever method you find most convenient.

  4. Download the installer from the Gatekeeper Information sections
    You can use Quick Connect or other methods to move the installation executable to the Gatekeeper host server.

  5. Open the installation executable that runs the installation wizard.

To install a Gatekeeper, customers must access their CPAM account using the credentials you received on your email. From the notification email:

  1. Click the Activate your account button to open your CPAM account.
    You might need to set a password before obtaining access to your account.

  2. Find the Gatekeeper you need to install and click Download.

  3. Copy the registration code from the Gatekeeper Information section.

  4. Download the installation executable.

  5. Run the installation wizard.

After vendors and customers have successfully downloaded and installed a Gatekeeper, the vendor and customer must continue to register the Gatekeeper.

Step 2: Registering the Gatekeeper

Registering the Gatekeeper with a CPAM server lets a vendor securely access customer systems and services to provide remote support.

After the installation process is complete, you can continue to register your Gatekeeper:

  1. Open your preferred web browser and type the following URL:

    localhost:4680

    The first time you access, the Register Gatekeeper page opens in the web browser.

  2. Select your registration method:

    • PASTE REGISTRATION CODE: Refers to the long registration code from Step 1: Running the Installer.

    • ENTER REGISTRATION VALUES: Refers to the short registration code method's validation words from Step 1: Running the Installer.

  3. Paste the long code or the registration values.

  4. Check the Allow registration to self-signed users option.

  5. Click SUBMIT REGISTRATION and wait for the Gatekeeper to load.

After your registration is complete, the Welcome To Imprivata Gatekeeper page loads. The Gatekeeper is now running on your Windows server.

Navigate additional documentation in the Help > User Manual option from the top menu.

Linux and Unix Installation

You can install the CPAM Gatekeeper on Linux server.

NOTE:

The Gatekeeper does not require a dedicated host machine.

Step 1: Locating the Installation Resources

To install the Gatekeeper on a Linux server, you must locate the Gatekeeper registration code and the installation package for your specific Linux distribution.

To locate your registration code and installation wizard, vendors/administrators must access the Customer Privileged Access Management Admin Console. From the top menu bar:

  1. Hover the Customers menu and click the List Customer option.
    The Customers page displays all your customers and specifies how many Gatekeepers each customer has.

  2. Click the name of the customer that is getting a Gatekeeper installed.

  3. Click the Gatekeeper you want to install to open the View Gatekeeper page.
    From this page, you can continue with two different installation methods:

    • Copy the long registration code from the Gatekeeper Information section.

    • Copy the short registration code from the Session Information section, and then copy validation words from the Gatekeeper Registration Informationsection.

      NOTE:

      The method that employs the short registration code and validation words provides an additional layer of entropy to the Gatekeeper installation process. Use whichever method you find most convenient.

  4. Navigate to the Gatekeeper Information section.

  5. Select Linux from the options below Download Gatekeeper for platform.

  6. Click the Linux distribution that you require below Linux Versions.

To install a Gatekeeper, customers must access their Customer Privileged Access Management account using the credentials you received on your email. From the notification email:

  1. Click the Activate your account button to open your Customer Privileged Access Management account.
    You might need to set a password before obtaining access to your account.

  2. Find the Gatekeeper you need to install and click Download.

  3. Copy the registration code from the Gatekeeper Information section.

  4. Select Linux from the options below Download Gatekeeper for platform.

  5. Click the Linux distribution that you require below Linux Versions.

Step 2: Installing the Gatekeeper

You can install the Gatekeeper on the different Linux distributions specified in the Supported Operating Systems section of the Installation page. Additionally, RedHat and Ubuntu servers enable you to install the Gatekeeper using an installation package.

For other supported Linux servers, you must install the Gatekeeper manually to a specific user.

To install the Gatekeeper using an RPM package:

  1. Download the Gatekeeper RPM package: gatekeeper.rpm

  2. Open your terminal.

  3. Navigate to the directory or folder that contains the RPM package.

  4. Run the following command to install the RPM package:

    Copy 
    sudo yum install ./securelink-gatekeeper-installer.rpm

If the security requirements of the organization prevent you from installing using an RPM package, you can scope the installation to a single user.

Creating a New User

To create the user:

  1. From the Red Hat Console, open the User Manager, and click Add User.

  2. Create a new user named rss.

    NOTE:

    Leave the suggested defaults.

Downloading the Gatekeeper Components

To download the Gatekeeper components:

  1. From the Red Hat Console, open the Terminal application.

  2. Switch to the rss user by running the following command:

    Copy 
    $ su - rss

  3. Enter the password.

  4. Change to the HOME directory by running the following command:

    Copy 
    $ cd ~
  5. Download the following installation resources:
    • rssclient.tar.gz
    • rssjava.tar.gz
NOTE:

The provided Java resources (rssjava.tar.gz) work best in the Supported Operating Systems. Read the Requirements section for more information.

Installing the Gatekeeper Components

To install the Gatekeeper components:

  1. From the terminal, be sure that you are logged in as the rss user.

  2. Extract and download the client resources by running the following command:

    Copy 
    $ gunzip -c rssclient.tar.gz | tar xvf -

  3. Extract and download the Java resources by running the following command:

    Copy 
    $ gunzip -c rssjava.tar.gz | tar xvf -

These commands extract and install the Gatekeeper into the appropriate directories.

Installing the Compatibility Libraries

Supported versions of Red Hat Linux require compatibility libraries for the Gatekeeper to run. Install these libraries by running the following commands in your terminal:

  1. Switch to the root user:

    Copy 
    $ su - root

  2. Install the required dependency:

    Copy 
    # yum install glibc.i686

  3. Exit the root shell and return to the rss user:

    Copy 
    # exit

Configure the Gatekeeper as a Service

Configuring the Gatekeeper as a service enables it to start automatically after the server is rebooted. To configure the Gatekeeper as a service, be sure that the user (rss) running the Gatekeeper has sudo privileges. From your terminal, run the following commands:

  1. Start the Gatekeeper:

    Copy 
    sh ~rss/slink/slinksc start

  2. Switch to the rss user:

    Copy 
    su - root

  3. Install the service unit file from the HOME directory of the rss user to /etc/init.d/slinksc:

    Copy 
    install -pm 755 -o root -g root ~rss/slink/slinksc /etc/init.d/slinksc

  4. Add the Gatekeeper service to the system's service management:

    Copy 
    chkconfig --add slinksc

  5. Enable the Gatekeeper service to start automatically:

    Copy 
    chkconfig --level 35 slinksc on

The Gatekeeper is now installed on your Red Hat Linux server. Read Step 3: Register the Gatekeeper to finish your Gatekeeper configuration.

To install the Gatekeeper using an DEB package:

  1. Download the Gatekeeper DEB package: gatekeeper.deb

  2. Open your terminal.

  3. Navigate to the directory or folder that contains the DEB package.

  4. Run the following command to install the RPM package:

    Copy 
    sudo apt install ./securelink-gatekeeper-installer.deb

If the security requirements of the organization prevent you from installing using an RPM package, you can scope the installation to a single user.

Adding Support 32-bit Applications

If your version of Ubuntu is 64-bit, you must add support for 32-bit applications.

  1. Add support for the i386 architecture by running the following command in your terminal:

    Copy 
    $ sudo dpkg --add-architecture i386

  2. Update the packages list to include 32-bit packages by running the following command:

    Copy 
    $ sudo apt update

  3. Install the required 32-bit libraries by running the following command:

    Copy 
    $ sudo apt install libc6:i386 libncurses5:i386 libstdc++6:i386

Creating a New User

To create the new user:

  1. Log into the terminal with a non-root user account and run the following command to become the root user. When prompted, enter the password for your account (not the root user password)

    Copy 
    $ - su

  2. Create a user named rssby running the following command:

    Copy 
    $ /usr/sbin/useradd -s /bin/bash -m rss

  3. Set the password for the rss user by running the following command:

    Copy 
    $ passwd rss
    NOTE:

    The password does not echo to the screen.

  4. Add the rss user to the sudo group by running the following command:

    Copy 
    $ usermod -aG sudo rss

Downloading the Gatekeeper Components

To download the Gatekeeper components:

  1. Switch to the rss user by running the following command:

    Copy 
    $ su - rss
    NOTE:

    If you are using the graphical environment, log out of the X-windows session, and log in as the rss user.

  2. Change to the HOME directory by running the following command:

    Copy 
    $ cd ~

  3. Download the following installation resources:

    • rssclient.tar.gz

    • rssjava.tar.gz

Installing the Gatekeeper Components

To install the Gatekeeper components, be sure that you are logged in as the rss user and are in the HOME directory and follow these steps:

  1. Extract and download the client resources by running the following command:

    Copy 
    $ gunzip -c rssclient.tar.gz | tar xvf -

  2. Extract and download the Java resources by running the following command:

    Copy 
    $ gunzip -c rssjava.tar.gz | tar xvf -

These commands automatically extract and install the Gatekeeper into its appropriate directories.

Configure the Gatekeeper as a Service

Configuring the Gatekeeper as a service enables it to start automatically after the server is rebooted. To set the Gatekeeper to load when the system starts, be sure that you are logged in as the root user and follow these steps:

  1. Configure the Gatekeeper service to start when the system starts up by running the following command:

    Copy 
    # install -pm 755 -o root -g root ~rss/slink/slinksc.ubuntu /etc/init.d/slinksc.ubuntu
    /usr/sbin/update-rc.d slinksc.ubuntu defaults

  2. Start the Gatekeeper by running the following command:

    Copy 
    # /etc/init.d/slinksc.ubuntu start

The Gatekeeper log messages appear in ~rss/slink/bin/slstarter.log.

The Gatekeeper is now installed on your Ubuntu server. Read Step 3: Register the Gatekeeper to finish your Gatekeeper configuration.

The following details how to install the Gatekeeper on SUSE Linux Enterprise Server 9. SUSE Enterprise Sever

NOTE:

Desktop or openSUSE versions might require a separate installation of the Oracle Java Runtime Environment.

Creating a New User

To create a new user:

  1. Log into the terminal as the root user.

  2. Create a user named rss by running the following command:

    Copy 
    # /usr/sbin/useradd -m rss

  3. Set the password for the rss user by running the following command:

    Copy 
    # passwd rss
    NOTE:

    The password does not echo to the screen.

Downloading the Gatekeeper Components

To download the Gatekeeper components:

  1. Switch to the rss user by running the following command:

    Copy 
    $ su - rss
    NOTE:

    If you are using the graphical environment, log out of the X-windows session, and log in as the rss user.

  2. Change to the HOME directory by running the following command:

    Copy 
    $ cd ~

  3. Download the following installation resources:

    • rssclient.tar.gz

    • rssjava.tar.gz

Installing the Gatekeeper

To install the Gatekeeper, be sure that you are logged in as the rss user and then follow these steps:

  1. Extract and download the client resources by running the following command:

    Copy 
    $ gunzip -c rssclient.tar.gz | tar xvf -

  2. Extract and download the Java resources by running the following command:

    Copy 
    $ gunzip -c rssjava.tar.gz | tar xvf -

These commands will automatically extract and install the Gatekeeper into its appropriate directories.

Starting the Gatekeeper and Configuring it as a Service

Starting the Gatekeeper requires that you:

  • Manually start it as the rss user. This ensures that the files the Gatekeeper generates have the correct permissions.

  • User the root user to configure the service to start when the systems starts up.

To start the Gatekeeper, be sure that you are logged in as the rss user and then run the following commands:

  1. Start the Gatekeeper manually:

    Copy 
    $ sh ~rss/slink/slinksc.suse start

  2. Switch to the root user:

    Copy 
    $ su - root

  3. Install the service script from the HOME directory of the rss user to/etc/init.d/:

    Copy 
    # install -pm 755 -o root -g root ~rss/slink/slinksc.suse /etc/init.d/slinksc.suse

  4. Configure the Gatekeeper service to run when the system starts:

    Copy 
    # insserv -v /etc/init.d/slinksc.suse

The service log messages appear in ~rss/slink/slstarter.log.

The Gatekeeper is now installed on your SUSE Linux 9 server. Read Step 3: Register the Gatekeeper to finish your Gatekeeper configuration.

The following details how to install the Gatekeeper on SUSE Linux Enterprise Server 15.

NOTE:

Desktop or openSUSE versions may require separate installation of the Oracle Java Runtime Environment.

Creating a New User

To create a new user:

  1. Log into the terminal as the root user.

  2. Create a user named rss by running the following command:

    Copy 
    # /usr/sbin/useradd -m rss

  3. Set the password for the rss user by running the following command:

    Copy 
    # passwd rss
    NOTE:

    The password does not echo to the screen.

Downloading the Gatekeeper Components

To download the Gatekeeper components:

  1. Switch to the rss user by running the following command:

    Copy 
    $ su - rss
    NOTE:

    If you are using the graphical environment, log out of the X-windows session, and log in as the rss user.

  2. Change to the HOME directory by running the following command:

    Copy 
    $ cd ~

  3. Download the following installation resources:

    • rssclient.tar.gz

    • rssjava64.tar.gz

Installing the Gatekeeper

To install the Gatekeepe, be sure that you are logged in as the rss user and then follow these steps:

  1. Extract and download the client resources by running the following command:

    Copy 
    $ gunzip -c rssclient.tar.gz | tar xvf -

  2. Extract and download the Java resources by running the following command:

    Copy 
    $ gunzip -c rssjava64.tar.gz | tar xvf -

These commands will automatically extract and install the Gatekeeper into its appropriate directories.

Starting the Gatekeeper and Configuring it as a Service

To start the Gatekeeper:

  1. Switch to the root user by running the following command:

    Copy 
    $ su - root

  2. Let the rss user restart the Gatekeeper service without requiring root privileges or a password by running the following command:

    Copy 
    # echo "rss ALL=(ALL) NOPASSWD: /bin/systemctl restart universal-gatekeeper-suse-15" > /etc/sudoers.d/rss

  3. Install the service unit file from the HOME directory of the rss user to/etc/systemd/system/ by running the following command:

    Copy 
    # install -pm 755 -o root -g root ~rss/slink/universal-gatekeeper-suse-15.service /etc/systemd/system/universal-gatekeeper-suse-15.service

  4. Configure the Gatekeeper service to run when the system starts by running the following command:

    Copy 
    # systemctl enable universal-gatekeeper-suse-15

  5. Start the Gatekeeper service by running the following command:

    Copy 
    # systemctl start universal-gatekeeper-suse-15

The service log messages appear in the systemd journal. To view the log messages, run the following command:

Copy 
$ journalctl -u universal-gatekeeper-suse-15

The Gatekeeper is now installed on your SUSE Linux 15 server. Read Step 3: Register the Gatekeeper to finish your Gatekeeper configuration.

The following details how to install the Gatekeeper on SUSE Linux Enterprise Server Micro 6.

NOTE:

Desktop or openSUSE versions may require separate installation of the Oracle Java Runtime Environment.

Creating a New User

To create a new user:

  1. Log into the terminal as the root user.

  2. Create a user named rss by running the following command:

    Copy 
    # /usr/sbin/useradd -m rss

  3. Set the password for the rss user by running the following command:

    Copy 
    # passwd rss
    NOTE:

    The password does not echo to the screen.

Downloading the Gatekeeper Components

To download the Gatekeeper components:

  1. Switch to the rss user by running the following command:

    Copy 
    $ su - rss
    NOTE:

    If you are using the graphical environment, log out of the X-windows session, and log in as the rss user.

  2. Change to the HOME directory by running the following command:

    Copy 
    $ cd ~

  3. Download the following installation resources:

    • rssclient.tar.gz

    • rssjava64.tar.gz

Installing the Gatekeeper

To install the Gatekeeper, be sure that you are logged in as the rss user and then follow these steps:

  1. Extract and download the client resources by running the following command:

    Copy 
    $ gunzip -c rssclient.tar.gz | tar xvf -

  2. Extract and download the Java resources by running the following command:

    Copy 
    $ gunzip -c rssjava64.tar.gz | tar xvf -

These commands will automatically extract and install the Gatekeeper into its appropriate directories.

Starting the Gatekeeper and Configuring it as a Service

To start the Gatekeeper:

  1. Switch to the root user by running the following command:

    Copy 
    $ su - root

  2. Let the rss user restart the Gatekeeper service without requiring root privileges or a password by running the following command:

    Copy 
    # echo "rss ALL=(ALL) NOPASSWD: /bin/systemctl restart universal-gatekeeper-suse-micro-6" > /etc/sudoers.d/rss

  3. Install the service unit file from the HOME directory of the rss user to/etc/systemd/system/ by running the following command:

    Copy 
    # install -pm 755 -o root -g root ~rss/slink/universal-gatekeeper-suse-15.service /etc/systemd/system/universal-gatekeeper-suse-15.service

  4. Configure the Gatekeeper service to run when the system starts by running the following command:

    Copy 
    # systemctl enable universal-gatekeeper-suse-micro-6

  5. Start the Gatekeeper service by running the following command:

    Copy 
    # systemctl start universal-gatekeeper-suse-micro-6

The service log messages appear in the systemd journal. To view the log messages, run the following command:

Copy 
$ journalctl -u universal-gatekeeper-suse-micro-6

The Gatekeeper is now installed on your SUSE Micro 6 server. Read Step 3: Register the Gatekeeper to finish your Gatekeeper configuration.

The following details how to install the Gatekeeper on CentOS Linux running on an ARMv7 Processor.

Other distributions or "desktop" versions might require a separate installation of the Java Runtime Environment.

Creating a New User

The Gatekeeper runs as a restricted (non-root) user. While not required, Imprivata recommends that you:

  • Add a new user named rss to the system.

  • Complete the installation in the HOME directory of the rss user.

To create a new rss user:

  1. Log into the terminal with a non-root user account and run the following command to become the root user. When prompted, enter the password for your account (not the root user password)

    Copy 
    $ - su

  2. Create a user named rssby running the following command:

    Copy 
    $ /usr/sbin/useradd -s /bin/bash -m rss

  3. Set the password for the rss user by running the following command:

    Copy 
    $ passwd rss
    NOTE:

    The password does not echo to the screen.

  4. Add the rss user to the sudo group by running the following command:

    Copy 
    $ usermod -aG sudo rss

Downloading the Gatekeeper Components

To download the Gatekeeper components:

  1. Switch to the rss user by running the following command:

    Copy 
    $ su - rss
    NOTE:

    If you are using the graphical environment, log out of the X-windows session, and log in as the rss user.

  2. Change to the HOME directory by running the following command:

    Copy 
    $ cd ~

  3. Download the following installation resources:

    • rssclient.tar.gz

    • rssjava.tar.gz

Installing the Gatekeeper Components

To install the Gatekeeper components:

  1. Be sure that you are logged in as the rss user.

  2. Extract and download the client resources by running the following command:

    Copy 
    $ gunzip -c rssclient.tar.gz | tar xvf -

  3. Extract and download the Java resources by running the following command:

    Copy 
    $ gunzip -c rssjava.tar.gz | tar xvf -

These commands extract and install the Gatekeeper into the appropriate directories.

  • The client file creates the subdirectory slink/bin within the $HOME directory.

  • The java file creates the subdirectory slink/java within $HOME.

If you are not installing to the rss user, then you must modify the $HOME/slink/slinksc startup script. Modify the following line:

RSSUSER=rss

Set the RSSUSER variable to the user ID to which you installed.

Start the Gatekeeper

You can manually start the Gatekeeper using the rss or root user.

Start the Gatekeeper by running the following command:

Copy 
sh $HOME/slink/slinksc start

Configure the Gatekeeper as a Service

Configuring the Gatekeeper as a service enables it to start automatically after the server is rebooted. To configure the Gatekeeper as a service, be sure that the user (rss) running the Gatekeeper has sudo privileges. From your terminal, run the following commands:

  1. Start the Gatekeeper:

    Copy 
    sh ~rss/slink/slinksc start

  2. Switch to the rss user:

    Copy 
    su - root

  3. Install the service unit file from the HOME directory of the rss user to /etc/init.d/slinksc:

    Copy 
    install -pm 755 -o root -g root ~rss/slink/slinksc /etc/init.d/slinksc

  4. Add the Gatekeeper service to the system's service management:

    Copy 
    chkconfig --add slinksc

  5. Enable the Gatekeeper service to start automatically:

    Copy 
    chkconfig --level 35 slinksc on

The Gatekeeper is now installed on your Linux ARM server. Read Step 3: Register the Gatekeeper to finish your Gatekeeper configuration.

The following details how to install the Gatekeeper on generic (*nix) systems.

Creating a New User

The Gatekeeper runs as a restricted (non-root) user. While not required, Imprivata recommends that you:

  • Add a new user named rss to the system.

  • Complete the installation in the HOME directory of the rss user.

Installing the Gatekeeper

To install the Gatekeeper:

  1. Open a terminal or command prompt and log in as the rss user.

  2. Download the client resources to the $HOME directory.

  3. Change to the $HOME directory by running the following command:

    Copy 
    $ cd $HOME

  4. Install the Gatekeeper by running the following command:

    Copy 
    $ gunzip -c rssclient.tar.gz | tar xvf -

The client file creates the subdirectory slink/bin within the $HOME directory.

Starting the Gatekeeper

You can start the Gatekeeper as the rss or root user.

To start the Gatekeeper:

  1. Open your terminal.

  2. Start the Gatekeeper by running the following command:

    Copy 
    $ $HOME/slink/bin/slstarter

Configuring the Gatekeeper to Run as a Service

Imprivata does not provide the resources to run the Gatekeeper as a service.

You must configure service manually. Depending on your UNIX derivative, use either systemd or mkssys.

Step 3: Register the Gatekeeper

By default, the Gatekeeper Listener listens on port 4680 and is only accessible from localhost.

To activate a connection, just point a browser to http://localhost:4680/. If you do not have GUI/Browser access on the Gatekeeper machine, you can gain access by performing the following on your machine:

  • From Linux, Unix or OSX, run the following command: ssh -L 4680:localhost:4680 user@gatekeeper

  • From Windows: Use the equivalent Putty command for the above port forward, or access the remote machine via RDP.

Navigate to: http://localhost:4680/ on your local machine

If your Gatekeeper has not been set up with Access Enabled by default, then click the gray "status" button to Enable Access.