Server requirements - Hitachi ID Privileged Access Manager
Multiple, Load-Balanced Servers
Hitachi ID Privileged Access Manager supports multiple, load-balanced servers.
Each server can host multiple Privileged Access Manager instances, each with its own
users, managed systems, features and policies.
Privileged Access Manager must be installed on a Windows 2008R2 or 2012 server.
Installing on a Windows server allows Privileged Access Manager to leverage
client software for most types of target systems, which is available
only on the "Wintel" platform. In turn, this makes it possible for
Privileged Access Manager to manage passwords and accounts on target systems without
installing a server-side agent.
The Privileged Access Manager server must also be configured with a web server.
Since the Privileged Access Manager application is implemented as CGI executables,
any web server will work. The Privileged Access Manager installation program
can detect and automatically configure IIS or Apache
web servers, but other web servers can be configured manually.
Privileged Access Manager is a security application and should be locked down accordingly.
Please refer to the Hitachi ID Systems document about hardening Privileged Access Manager
servers to learn how to do this. In short, most of the native
Windows services can and should be removed, leaving a very small
attack surface, with exactly one inbound TCP/IP port (443):
- IIS is not required (Apache is a reasonable substitute).
- No ASP, JSP or PHP are used, so these engines should be disabled.
- .NET is not required on the web portal and in most cases can be
disabled on IIS.
- No ODBC or DCOM are required inbound, so these services should at
least be filtered.
- File sharing should be disabled.
- Remote registry services should be disabled.
- Inbound TCP/IP connections should be firewalled, allowing only port
443 and possibly terminal services (often required for some
Each Privileged Access Manager server requires a database instance. SQL 2008R2 or
SQL 2012 are the most common options, but Oracle database is also
Each Privileged Access Manager server is configured as follows:
- Hardware requirements or equivalent VM capacity:
- An Intel Xeon or similar CPU.
Multi-core CPUs are supported and leveraged.
- At least 8GB RAM -- 16GB or more is typical for a server.
- At least 500GB disk, preferably configured as RAID for reliability and
preferably larger for retention of more historical and log data.
More disk is always better, to increase log retention.
- At least one Gigabit Ethernet NIC.
- Operating system:
- Windows 2008 (or R2) Server, or 64-bit Windows 2012 (or R2) Server,
with current service packs.
- The server should not normally be a domain controller and in
most deployments is not a domain member.
- Installed and tested software on the server:
- TCP/IP networking, with a static IP address and DNS name.
- Web server (Apache/Windows or IIS).
- Client software: web browser, Acrobat reader (to read the manual)
native clients for the systems that Privileged Access Manager needs to interface
- SQL Server client or Oracle client to connect to the Privileged Access Manager
database. Please note that the SQL or Oracle client must include
32-bit client libraries as of the current release.
- If the Privileged Access Manager database is local (recommended as it lowers
hardware cost), add SQL Server or Oracle Database on each
Privileged Access Manager application server. Otherwise, provide access to one
of these databases per application server.
- SSL server certificate, to support HTTPS connections to the web
user interface and SOAP API.
In addition to a web/application server, Privileged Access Manager requires a database
server. In most environments, the database server software (Microsoft
SQL Server or Oracle Database Server) is installed on the same
hardware or VM as the Privileged Access Manager software, on each Privileged Access Manager server node.
This reduces hardware cost, eliminates network latency and reduces
the security surface of the combined solution.
Database I/O performance on a virtualized filesystem (e.g., VMDK or
equivalent) may not be ideal. If a VM is used to host the database
server software, please consider a NAS or SAN solution for disk I/O.
Privileged Access Manager can leverage an existing database server cluster. Hitachi ID Systems
recommends a dedicated database server instance, however, for a number
- The data managed by Privileged Access Manager is extremely sensitive, so it is
desirable to minimize the number of DBAs who can access it (despite
use of encryption).
- MSSQL and Oracle have almost zero ability to isolate workloads between
database instances on the same server. This means that a burst of
activity from Privileged Access Manager (as happens during nightly auto-discovery)
would cause slow responses in other applications. Conversely, other
applications experiencing high DB load would slow down Privileged Access Manager.
- Privileged Access Manager already includes real-time, fault-tolerant, WAN-friendly,
encrypted database replication between application nodes, each with
its own back-end database. Use of an expensive DB server cluster
is neither required nor beneficial.