Hitachi ID Privileged Access Manager can launch SSH and RDP sessions from a special web proxy and display the session in a user's browser, on an HTML5 canvas.

When users launch a login session via HTML5 proxy, there is no special client software footprint (installed or running) at all. Instead, the user interacts just with their web browser -- any modern browser on any OS will do. When a user launches a session, the Privileged Access Manager UI opens a second browser tab, where an HTML canvas is displayed. JavaScript in the browser sends user input events (keystrokes, mouse clicks, copy buffer interaction) to an HTML5 proxy server, which sends back a series of very small PNG images, which the JavaScript layers onto the canvas.

The HTML5 proxy server runs Linux/Tomcat plus a combination of Hitachi ID Systems code and third-party open source code (Guacamole). An SSH or RDP session is opened from the proxy to the managed endpoint, with credentials retrieved from the vault and injected. This is illustrated in Figure [link].

Keystroke, copy buffer and incremental video data are streamed from the proxy to the Privileged Access Manager server(s), to record sessions. The Privileged Access Manager server may instruct the proxy to terminate the connection at any time.
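As an added illustration (not the product's or Guacamole's code), a toy recorder for the stream the proxy sends to the Privileged Access Manager server: it indexes keystrokes for search, rebuilds the screen for playback by layering incremental tiles in order, and stops accepting data once the server terminates the session. The event format, millisecond timestamps and single-character "pixel" tiles are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed event model (an assumption, not the product's wire format):
# kind is "key", "clip" or "tile"; t is milliseconds since session start.
@dataclass
class Event:
    t: int
    kind: str
    data: dict

@dataclass
class SessionRecording:
    width: int
    height: int
    events: List[Event] = field(default_factory=list)
    terminated_at: Optional[int] = None

    def record(self, ev: Event) -> bool:
        # Nothing is accepted once the PAM server has ended the session.
        if self.terminated_at is not None:
            return False
        self.events.append(ev)
        return True

    def terminate(self, t: int) -> None:
        self.terminated_at = t

    def search(self, needle: str) -> List[int]:
        # Keystrokes are indexed as text; a hit reports the time of its first key.
        keys = [e for e in self.events if e.kind == "key"]
        text = "".join(e.data["ch"] for e in keys)
        hits, i = [], text.find(needle)
        while i != -1:
            hits.append(keys[i].t)
            i = text.find(needle, i + 1)
        return hits

    def frame_at(self, t: int) -> List[str]:
        # Playback: layer every tile received up to time t, in arrival order,
        # just as the browser layers the proxy's small PNG updates on the canvas.
        screen = [["."] * self.width for _ in range(self.height)]
        for d in (e.data for e in self.events if e.kind == "tile" and e.t <= t):
            for row in range(d["y"], d["y"] + d["h"]):
                screen[row][d["x"]:d["x"] + d["w"]] = d["px"] * d["w"]
        return ["".join(row) for row in screen]

def demo() -> SessionRecording:
    # Constructed sample stream: full-screen tile, typed command, clipboard, tile.
    rec = SessionRecording(width=6, height=2)
    rec.record(Event(0, "tile", {"x": 0, "y": 0, "w": 6, "h": 2, "px": "#"}))
    for i, ch in enumerate("sudo su"):
        rec.record(Event(1000 + i * 100, "key", {"ch": ch}))
    rec.record(Event(2000, "clip", {"text": "pasted text"}))
    rec.record(Event(2500, "tile", {"x": 2, "y": 1, "w": 3, "h": 1, "px": "$"}))
    rec.terminate(3000)
    return rec
```

Searching the transcript returns the time of each match, so an auditor can seek playback to that moment and see the screen as it was when the command was typed.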

Launching privileged login sessions via a Linux/Tomcat/HTML5 proxy

Architecture for Remote Access using HTTPS/HTML5 Proxy

Smart phone access

Privileged Access Manager is compatible with Hitachi ID Mobile Access, a smart phone app that can be activated by each Privileged Access Manager user. The app supports three core use cases:
  • Requesting and approving privileged access.
  • Strong authentication into Privileged Access Manager when the login is via PC and the phone acts as a second authentication factor.
  • Accessing an SSH or RDP login session, with display on the phone.

Session monitoring, search and playback