• Site Map
• Contact Us

• Home
• Our Company
  • Customers
  • Careers
  • Contact Us
  • RSS & Blogs
• Products
  • Identity Manager
  • Password Manager
  • Group Manager
  • Privileged Access Manager
  • Download evaluation
  • Releases
  • CCC
• Solutions
  • Security / GRC
  • Reducing IT support cost
  • Improve user service
• Support
  • Shipping products
  • Supported versions
  • Portal login
  • Report problem
• Services
  • Solution delivery
  • Methodology
  • Education
  • Upgrades
  • AdMax Program
  • Hitachi ID Systems-Managed IAM
  • Guarantee
• News &  Events
  • Press Releases
  • Press Coverage
  • Archived Webinars
• Resource Center
  • White Papers
  • Independent Reviews
  • Brochures
  • Slide Decks
  • Case Studies
  • Regulatory Compliance
  • Certifications
  • Community
• Partners
  • Technology Partners
  • Channel Partners
  • System Integrators and Consultants
  • Managed Service Providers
  • Public Sector
  • Partner Portal
  • Online partner application

Technology Server requirements

Server requirements - Hitachi ID Privileged Access Manager

Multiple, Load-Balanced Servers

Hitachi ID Privileged Access Manager supports multiple, load-balanced servers.

Each server can host multiple Privileged Access Manager instances, each with its own users, managed systems, features and policies.

Server Platform

Privileged Access Manager must be installed on a Windows 2008 or Windows 2008R2 server.

Installing on a Windows server allows Privileged Access Manager to leverage client software for most types of target systems, which is available only on the "Wintel" platform. In turn, this makes it possible for Privileged Access Manager to manage passwords and accounts on target systems without installing a server-side agent.

The Privileged Access Manager server must also be configured with a web server. Since the Privileged Access Manager application is implemented as CGI executables, any web server will work. The Privileged Access Manager installation program can detect and automatically configure IIS or Apache web servers, but other web servers can be configured manually.

Privileged Access Manager is a security application and should be locked down accordingly. Please refer to the Hitachi ID Systems document about hardening Privileged Access Manager servers to learn how to do this. In short, most of the native Windows services can and should be removed, leaving a very small attack surface, with exactly one inbound TCP/IP port (443):

1. IIS is not required (Apache is a reasonable substitute).
2. No ASP, JSP or PHP are used, so these engines should be disabled.
3. .NET is not required on the web portal and in most cases can be disabled on IIS.
4. No ODBC or DCOM are required inbound, so these services should at least be filtered.
5. File sharing should be disabled.
6. Remote registry services should be disabled.
7. Inbound TCP/IP connections should be firewalled, allowing only port 443 and possibly terminal services (if required for some configuration tasks).

Server Configuration

(1) Each Privileged Access Manager server is configured as follows:

• Hardware requirements:
  • An Intel or AMD X86 CPU. Multi-core CPUs are supported and leveraged.
  • At least 4GB RAM -- 8GB or more is typical for a server.
  • At least 100GB disk, preferably configured as RAID for reliability and preferably larger for retention of more historical and log data. More disk is always better, to increase log retention.
  • At least one Gigabit Ethernet NIC.

  A virtual machine with similar specifications and resources allocated may also be used.

• Operating system:
  • Windows 2003 or Windows 2008 (or R2) Server with current service packs.
  • 32-bit or 64-bit versions are both acceptable.
  • The server should not normally be a domain controller.

• Installed and tested software on the server:
  • TCP/IP networking, with a static IP address and DNS name.
  • Web server (Apache/Windows or IIS or).
  • Client software: web browser, Acrobat reader (to read the manual) native clients for the systems that Privileged Access Manager needs to interface with.
  • SQL Server client or Oracle client to connect to the Privileged Access Manager database. Please note that the SQL or Oracle client must include 32-bit client libraries.
  • If the Privileged Access Manager database is local (reduces hardware cost; not recommended on a VM), then SQL Server or Oracle Database.
  • SSL server certificate, to support HTTPS connections to the web user interface and SOAP API.

In addition to a web server, Privileged Access Manager requires a database server. In most environments, the database server software (Microsoft SQL Server or Oracle Database Server) can be installed on the same hardware as the Privileged Access Manager software. This reduces hardware cost, eliminates network latency and reduces the security surface of the combined solution.

In large deployments, a separate database server may be required, so as to distribute the processing load between application and data components. In these cases, the database server is typically configured similarly to the application server and co-located with the application.

If Privileged Access Manager is installed on a virtual machine, the database should be installed separately, on hardware, with minimum packet latency and maximum bandwidth available between the two.

© Hitachi ID Systems, Inc. . All rights reserved.