Labs - Setting-up a Base Lab for Centrify Privilege Service On-Premises Installations

Home >

Labs - Setting-up a Base Lab for Centrify Privilege Service On-Premises Installations

Product:

Published:

11 April,19 at 11:50 AM

Rating:

In this article, we outline the steps to create the pre-requisite building-blocks of a test lab for Centrify Privilege Service customer-managed on-premises deployments.

Overview

Setup Active Directory, DNS and Certificate Services
Setup a Management Server (consoles)
Setup Shared Storage and Disks
   - Using FreeNAS
   - Using Microsoft File and Storage Services
   - Using NetApp Ontap
   - Formatting Disks
Configuring Cluster Nodes
Set up a Windows Cluster
Configure Connector Systems
Request an SSL Certificate (with the private key)
Download Centrify Privilege Service

Proposed Lab Diagram

I - Setting-up Active Directory and Basic Services
(with DNS and Certificate Services) and adding domain-joined systems

This is considered baseline infrastructure (and knowledge). We will defer this section to other resources:

II - Your Management Server

Typically you should not be running software in domain controllers or critical servers; however in Windows you need to have a management server; ideally a secure workstation. The administrative consoles required are:

Active Directory Users and Computers - used to perform AD operations.
DNS Management - used in this lab to create/delete a CNAME record.
Failover Cluster Manager - used for Windows Clustering operations.
To install the 3 consoles above with PowerShell
```
Install-WindowsFeature RSAT-DNS, RSAT-ADDS-Tools, RSAT-Clustering, GPMC
```
Centrify Access Manager - used to manage Centrify zone data in Active Directory.
Centrify Audit Analyzer - used to review SSH or Windows recorded sessions.
Group Policy Management - used to set up any relevant policies.

III - Setting-up Shared Storage

You need either a real NAS/SAN setup, or you can build it using iSCSI.

Sample PowerShell (for the Windows setup)

# Housekeeping
Import-Module -Name ServerManager

# Installing features (e.g. File and Storage Services, iSCSI and Clustering console)
Install-WindowsFeature FS-iSCSITarget-Server, iSCSITarget-VSS-VDS
Install-WindowsFeature RSAT-Clustering

# Create iSCSI Virtual Disks (e.g. disk path c:\CPS)
Import-Module -Name iSCSITarget
New-IscsiVirtualDisk -UseFixed -Path c:\CPS\cps-data.vhdx -Size 10GB
New-IscsiVirtualDisk -UseFixed -Path c:\CPS\cps-witness.vhdx -Size 520MB 

# Create iSCSI Targets (e.g. 2-node cluster with 192.168.81.21 and 22)
New-IscsiServerTarget -TargetName cps-target -InitiatorId IPAddress:192.168.81.21, IPAddress:192.168.81.22

# Associate Disks with Target (e.g. disk path c:\CPS)
Add-IscsiVirtualDiskTargetMapping -TargetName cps-target -Path c:\CPS\cps-data.vhdx
Add-IscsiVirtualDiskTargetMapping -TargetName cps-target -Path c:\CPS\cps-witness.vhdx

The setup consists in 2 disks:

- A data disk that will contain the Privilege Service database; the capacity has to be set based on the nature of your lab environment. The 100GB size has been chosen arbitrarily The data disk is formatted with NTFS and has two folders:

cps-db: the folder designated for the database.
backups: the folder designated for backups.

- A witness disk that will support the Windows Failover Cluster in establishing quorum.

This disk only needs to be formatted using NTFS.

Warning: Although you will be setting online, formatting and configuring the logical drives in one system, it's possible that the drive letters get changed after the Windows Cluster is set up. Keep this in mind.

IV - Cluster Nodes

Note: At the time of this writing, the cluster nodes must run Windows Server 2012 R2.

Log on to the first node using a domain user with local administrative rights.
Install the Windows Failover Cluster Feature (and management tools).
```
Install-WindowsFeature Failover-Clustering, RSAT-Clustering
```
Run a Windows Update
(this is to make sure your system is up-to-date).
Reboot if needed.
Open the iSCSI initiator application (answer Yes when prompted to start the service automatically).
Type the name of the system hosting your shared storage (e.g. freenas) and press connect.
Open Disk Management (you should see the two disks);
Right-click the first disk (on the left square), select Online (repeat for the second disk).
Right-click the first disk (on the left square), select Initialize Disk; Press OK.
Right-click the first disk and select New Simple Volume. Follow the wizard and:
Format: NTFS (quick format).
Size: Maximum
Volume Label: cps-disk
Drive Letter: E:\
Right-click the second disk and select New Simple Volume. Follow the wizard and:
Format: NTFS (quick format).
Size: Maximum.
Volume Label: cps-witness.
Drive Letter: F:\
Open Windows Explorer and in drive E:\ create two folders: cps-db and backups.
Log on to the 2nd cluster and repeat steps 1-4; repeat until all cluster members have confirmed iSCSI service automatic startup and verified access to the shared disks.

V - Setting-up a Windows Cluster

Sign-in to one of your cluster nodes, and open Windows Service Failover Cluster (as an Administrative Account).
Select Create Cluster on the right Actions pane. This starts the Create Cluster Wizard:
- Before you begin: Press next.
- Select servers: press Browse and select the cluster nodes; after these nodes are verified, press next.
At this point, you may have to run the validation tests on the cluster. Make sure you address any issues in this process.
- Access point for administering cluster: type the planned name for the cluster (e.g. cpsha) and IP address.
- Confirmation: make sure the "add all eligible storage to the cluster' check is set and press Next.
- Press finish when complete.
In your newly created cluster, navigate to Storage > Disks. Inspect the cluster Disks. Make sure the large capacity disk continues to be the E:\ drive. If this is not the case, in the bottom pane, right-click and select Change Drive Letter

VI - Centrify Connector Systems

Connectors can run on any current Windows 64-bit system.

Sign-in to Windows with an administrative account.
Run Windows Update.
Reboot if necessary.

VII - Requesting an SSL Certificate (with the private key)

Before you request the certificate to be used for privilege service, you must know the service address (FQDN to be used). For example: safe.example.com; When requesting your SSL cert, make sure you add the Subject Alternative Names/DNS entries for the service name, and servicename+zso (if planning SmartCard or YubiKey authentication).

The request process varies depending on what Certification Authority is being used.

Here are some useful links:

VIII - Download Centrify Privilege Service

Log on to the Customer Support Site.
Navigate to downloads.
Add your code to Privilege Service On-Premises.
Download (version 17.7 and above).

Videos

Storage

Consoles

SSL Certificate

Windows Cluster

Summary

Putting-it all together, this is what you should have so far:

A Windows cluster with no roles (ideally 3 nodes to maintain HA while maintaining one node).
The cluster has connected to shared storage:
E:\ for CPS database.
F:\ for the cluster witness.
At leatst 2 domain-joined Windows systems that will act as Centrify Connectors.
A utility server with the required consoles (ADUC, Failover Clustering, DNS Management, etc).
Centrify Privilege Service 17.7 (and above) downloaded.
A PFX file for the x.509 SSL certificate and the service name in the SAN (e.g. safe.example.com).
A network accessible location with all the files (installation bits, setup keys and SSL certificate).
A PFX file for the x.509 SSL certificate and the service name in the SAN (e.g. safe.example.com).