Hitachi ID Bravura Privilege can launch SSH and RDP sessions from a special web proxy and display the session in a user's browser, on an HTML5 canvas.

When users launch a login session via HTML5 proxy, there is no special client software footprint (installed or running) at all. Instead, the user interacts only with their web browser -- any modern browser on any OS will do. When a user launches a session, the Bravura Privilege UI opens a second browser tab, where an HTML canvas is displayed. JavaScript in the browser sends user input events (keystrokes, mouse clicks, copy buffer interaction) to an HTML5 proxy server, which sends back a series of very small PNG images that the JavaScript layers onto the canvas.

The HTML5 proxy server runs Linux/Tomcat plus a combination of Hitachi ID Systems and third-party, open source code (Guacamole). An SSH or RDP session is opened from the proxy to the managed endpoint, with credentials retrieved from the vault and injected. This is illustrated in the figure below.

Keystroke, copy buffer and incremental video data are streamed from the proxy to the Bravura Privilege server(s), to record sessions. The Bravura Privilege server may instruct the proxy to terminate the connection at any time.
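To show what the recorded input stream can look like, the following added example (not Hitachi ID code) decodes instructions in the open source Apache Guacamole wire format and turns `key` and `mouse` instructions into audit records. It assumes the proxy uses the standard Guacamole protocol unchanged, which the text above does not state; the function names and sample data are constructed for illustration.

```javascript
// Added example. Assumption: traffic uses the standard Guacamole framing,
// "LEN.VALUE,LEN.VALUE;" with LEN counted in Unicode code points.
function parseInstructions(data) {
  const chars = Array.from(data);            // split by code point, not UTF-16 unit
  const instructions = [];
  let elements = [], i = 0;
  while (i < chars.length) {
    let len = 0, digits = 0;
    while (i < chars.length && chars[i] >= '0' && chars[i] <= '9') {
      len = len * 10 + Number(chars[i++]);
      digits++;
    }
    if (digits === 0 || chars[i] !== '.') throw new Error('bad length prefix at ' + i);
    i++;                                      // skip the '.' separator
    if (i + len >= chars.length) throw new Error('truncated element at ' + i);
    elements.push(chars.slice(i, i + len).join(''));
    i += len;
    const term = chars[i++];                  // ',' = more elements, ';' = end
    if (term === ';') { instructions.push(elements); elements = []; }
    else if (term !== ',') throw new Error('bad terminator at ' + (i - 1));
  }
  if (elements.length) throw new Error('incomplete instruction');
  return instructions;
}

// Map input instructions to audit records; other opcodes are ignored here.
function toAuditEvents(instructions) {
  const events = [];
  for (const [opcode, ...args] of instructions) {
    if (opcode === 'key') {
      const keysym = Number(args[0]);
      // X11 keysyms 0x20-0x7e equal the ASCII code of the printable character.
      const printable = keysym >= 0x20 && keysym <= 0x7e;
      events.push({ type: 'key', keysym, pressed: args[1] === '1',
                    char: printable ? String.fromCharCode(keysym) : null });
    } else if (opcode === 'mouse') {
      events.push({ type: 'mouse', x: Number(args[0]), y: Number(args[1]),
                    buttons: Number(args[2]) });
    }
  }
  return events;
}

// Printable characters from key-press events, in order, for searchable logs.
const typedText = (events) =>
  events.filter(e => e.type === 'key' && e.pressed && e.char).map(e => e.char).join('');

// Constructed sample: press/release 'l' and 's', press Return (0xff0d), one click.
const SAMPLE = '3.key,3.108,1.1;3.key,3.108,1.0;3.key,3.115,1.1;3.key,3.115,1.0;' +
               '3.key,5.65293,1.1;5.mouse,3.120,2.48,1.1;';
```
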

Launching privileged login sessions via a Linux/Tomcat/HTML5 proxy

Architecture for Remote Access using HTTPS/HTML5 Proxy

Smart phone access

Bravura Privilege is compatible with Hitachi ID Mobile Access, a smart phone app that can be activated by each Bravura Privilege user. The app supports three core use cases:
  • Requesting and approving privileged access.
  • Strong authentication into Bravura Privilege when the login is via PC and the phone acts as a second authentication factor.
  • Accessing an SSH or RDP login session, with display on the phone.

Session monitoring, search and playback
