Imprivata Privileged Access Management Product Update 2.3.202006072218

June 7, 2020

PAM Update: Added support for 64-bit ARM CPU, integration with AD HA, SSH ProxyJump support and variable size public key rotation option

This update adds support for application deployment on 64-bit ARM hardware platforms, integration with multi-server Active Directory controllers in high availability mode, SSH ProxyJump support for SSH Agent Forwarding scenarios, and a variable size public key rotation option.

Added support for application deployment on 64-bit ARM platform

The update adds support for application deployment on the 64-bit ARM platform.

This option allows choosing a more efficient hardware architecture for hosting system servers.

Specifically, the update adds support for the new Amazon AWS 64-bit ARM Graviton2 hardware using m6g EC2 instances, providing up to 40% in cost savings or performance improvements when operating the PAM solution, as compared to other platforms.

Added integration with Active Directory in High Availability mode

The update adds support for an alternative LDAP or Active Directory connection to the user directory in high availability mode to provide better system stability in cases of failed integrated LDAP servers in user directory clusters.

To enable the option, add the alternateURL="${ldap.alt}" attribute to the AD Realm configuration in the $PAM_HOME/conf/server.xml file, and define the parameter ldap.alt=ldaps://server:port in the $PAM_HOME/conf/catalina.properties file.

For deployments using the Federated Sign-In component, list the alternative LDAP URLs, comma-separated, in the cas.authn.ldap[1].ldapUrl parameter.

Added support for SSH ProxyJump option for SSH Proxy connections

The update adds the option to perform an automatic jump for SSH Proxy connections made using native SSH clients through multiple bastion hosts, creating a single end-to-end session when connecting to a configured record.

The option is useful for MSPs accessing client servers in isolated networks accessible through a chain of available bastion hosts.

To enable the option, use the custom String field Command in the record definition, in addition to the SSH Agent Forwarding configuration, to specify the ProxyJump command through the chain of bastion hosts, as in the following example: ssh -J user@bastion:port,user@bastion2:port user@remote -P port.

For a simple one-host jump, use the following command to jump to the destination server from the first connected host: ssh user@remote -P port.

When connecting to the record with SSH Agent Forwarding and ProxyJump enabled, the system will open a connection to the host and private key configured in the record and then immediately execute the configured command to establish an end-to-end terminal session from the user computer to the remote server through the chain of bastion hosts.

Added support for variable size public key rotation option

The update adds the option to specify a key size for the Unix account public key rotation routine, allowing administrators to maintain stronger key encryption when accessing remote servers.

The option is configured by the record type custom field KeySize, display name Key Size, choice with possible values 1024, 2048, 4096, 8192.

The key rotation strategy will generate the key of the specified size during the rotation procedure.
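One way to confirm after a rotation that the public keys deployed on a managed host meet the configured Key Size is to read the modulus length out of each authorized_keys entry. The script below is an added example, not Imprivata code; it assumes the rotated keys are RSA (ssh-rsa), and its function names and sample lines are constructed for illustration.

```python
import base64

def _field(blob, off):
    """Read one length-prefixed field (RFC 4251 string or mpint)."""
    length = int.from_bytes(blob[off:off + 4], "big")
    end = off + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[off + 4:end], end

def rsa_bits(line):
    """Modulus size in bits for an authorized_keys line, or None if not ssh-rsa."""
    tokens = line.split()
    for i, tok in enumerate(tokens[:-1]):  # tolerate leading options
        if tok == "ssh-rsa":
            blob = base64.b64decode(tokens[i + 1], validate=True)
            name, off = _field(blob, 0)
            if name != b"ssh-rsa":
                raise ValueError("key type does not match blob")
            _e, off = _field(blob, off)   # public exponent, not needed here
            n, _ = _field(blob, off)      # modulus
            return int.from_bytes(n, "big").bit_length()
    return None

def audit(text, min_bits):
    """Return (line number, bits) for each RSA key smaller than min_bits."""
    weak = []
    for no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if line and not line.startswith("#"):
            bits = rsa_bits(line)
            if bits is not None and bits < min_bits:
                weak.append((no, bits))
    return weak

def sample_line(bits, comment):
    """CONSTRUCTED ssh-rsa line with a modulus of the given size; not a usable key."""
    def mpint(v):  # leading zero byte keeps the value positive
        raw = v.to_bytes(v.bit_length() // 8 + 1, "big")
        return len(raw).to_bytes(4, "big") + raw
    n = (1 << (bits - 1)) | 1
    blob = (7).to_bytes(4, "big") + b"ssh-rsa" + mpint(65537) + mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment

# Constructed sample: one key left at 1024 bits, one rotated to 4096 bits.
SAMPLE = "\n".join(["# constructed sample", sample_line(1024, "old@host"),
                    sample_line(4096, "rotated@host")])

if __name__ == "__main__":
    print(audit(SAMPLE, 2048))
```

Running audit() over the contents of a real authorized_keys file with min_bits set to the record's Key Size lists any entry the rotation has not yet replaced.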