Sync Session Manager Certificates

Synchronizing session manager certificates between two nodes.

The concept for this article is that each node (A and B) has the PAM WEB GUI (pammanager) and the PAM Session Manager (pamsession).

On Node A, pammanager communicates with pamsession using Node A's own certificate pair.

On Node B, these components use a different certificate pair, Node B's own.

The plan outlined in this article is to bring the certificate bundle from Node A to Node B and then import it into pammanager and pamsession on Node B.

Node A will remain the same.

Windows Deployment

  1. Log in to both the Node A and Node B host computers. You may need Administrator permissions to perform this procedure.
  2. On Node A, copy the certbundle.zip file located in $PAM_HOME. Paste this file to Node B.
  3. On Node B, extract the copied certbundle.zip file to a location within $PAM_HOME. This article uses $PAM_HOME\ssl\ as the example location.
  4. On Node B, from a command prompt, navigate to $PAM_HOME and execute the following command. This command removes the current certificate from the PamManagement service.

    bin\PamKeytool.cmd -delete -keystore jre\lib\security\cacerts -alias pam-session.cert

  5. From the same Node B command prompt, add the certificate copied from Node A to the Node B PamManagement service. Adjust the path to match your specific file location.

    bin\PamKeytool.cmd -import -keystore jre\lib\security\cacerts -alias pam-session.cert -file ssl\pam-session.crt

  6. On Node B, restart the PamManagement service.

  7. On Node B, edit the file $PAM_HOME\guacd\etc\guacamole\guacd.conf in a text editor. Locate the lines in this file that look like the ones below. In this case, the key and cert files are located in the folder: $PAM_HOME\guac\etc\ssl.

    server_certificate = C:\xtam\guacd\etc\ssl\session.crt
    server_key = C:\xtam\guacd\etc\ssl\session.key

  8. Replace those lines with ones that contain the full path to the session.crt and session.key you copied from Node A. With the example path used in step 3, they look like this:

    server_certificate = C:\xtam\ssl\session.crt
    server_key = C:\xtam\ssl\session.key

  9. On Node B, after you update the .conf file, restart the PamSession service.

This completes the required host server configuration. You should now log out of both the Node A and Node B host servers.

Back in the PAM web GUI, you can now have two named (not localhost) Session Manager nodes under Administration > Proximity Groups for the default group, and both should be green (SSL connected). PAM will balance the traffic based on the number of sessions per node.

Linux Deployment

  1. Log in to both the Node A and Node B host computers. You may need sudo or root permissions to perform this procedure.
  2. On Node A, copy the certbundle.zip file located in $PAM_HOME. Paste this file to Node B.
  3. On Node B, extract the copied certbundle.zip file to a location within $PAM_HOME. This article uses /opt/pam/ssl/ as the example location.
  4. On Node B, from your prompt, navigate to $PAM_HOME and execute the following command. This command removes the current certificate from the pammanager service.

    bin/PamKeytool.sh -delete -keystore jre/lib/security/cacerts -alias pam-session.cert

  5. From the same Node B prompt, add the certificate copied from Node A to the Node B pammanager service. Adjust the path to match your specific file location.

    bin/PamKeytool.sh -import -keystore jre/lib/security/cacerts -alias pam-session.cert -file ssl/pam-session.crt

  6. On Node B, restart the pammanager service.

  7. On Node B, edit the file $PAM_HOME/bin/pamsession in a text editor. Locate the line in this file that looks like the one below. In this case, the key and cert files are located in the folder: $PAM_HOME/guac/etc/ssl.

    guac_ssl_opts="-C $home/guac/etc/ssl/session.crt -K $home/guac/etc/ssl/session.key"

  8. Replace that line with one that contains the full path to the session.crt and session.key you copied from Node A. With the example path used in step 3, it looks like this:

    guac_ssl_opts="-C $home/ssl/session.crt -K $home/ssl/session.key"

  9. On Node B, after you update the pamsession script as noted in the previous step, you will need to reload the service. How to reload services depends on the specific Linux distribution you are using, so review your OS guidelines for the specific function. It may be a command like this:

    systemctl daemon-reload

  10. On Node B, restart the pamsession service.

This completes the required host server configuration. You should now log out of both the Node A and Node B host servers.

Back in the PAM web GUI, you can now have two named (not localhost) Session Manager nodes under Administration > Proximity Groups for the default group, and both should be green (SSL connected). PAM will balance the traffic based on the number of sessions per node.
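
Before restarting the services on Node B in the Linux procedure, it is worth confirming that the extracted session.crt and session.key are a matching, unexpired pair and that the private key is not readable by other users. The script below is an added example, not part of the original article or the product; it assumes openssl is installed, the key is not passphrase-protected, and the files sit in the example directory from step 3 (/opt/pam/ssl).

```bash
#!/usr/bin/env bash
# Added example: pre-flight checks on the bundle extracted on Node B.
# File names (session.crt, session.key) are the ones the article uses.

# SHA-256 over the DER-encoded public key carried in a certificate.
cert_pubkey_hash() {
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null |
        openssl pkey -pubin -outform DER 2>/dev/null |
        openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 over the DER-encoded public key derived from a private key.
key_pubkey_hash() {
    openssl pkey -in "$1" -pubout -outform DER 2>/dev/null |
        openssl dgst -sha256 | awk '{print $NF}'
}

# True only if both files parse and carry the same public key.
pair_matches() {
    openssl x509 -in "$1" -noout 2>/dev/null || return 1
    openssl pkey -in "$2" -noout 2>/dev/null || return 1
    [ "$(cert_pubkey_hash "$1")" = "$(key_pubkey_hash "$2")" ]
}

# True if neither group nor others have any permission bit on the key file.
key_is_private() {
    [ "$(ls -ld "$1" 2>/dev/null | cut -c5-10)" = "------" ]
}

check_bundle() {
    dir=$1; rc=0
    pair_matches "$dir/session.crt" "$dir/session.key" ||
        { echo "FAIL: session.crt and session.key are not a pair"; rc=1; }
    key_is_private "$dir/session.key" ||
        { echo "FAIL: session.key is accessible to group or others"; rc=1; }
    openssl x509 -in "$dir/session.crt" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "FAIL: session.crt is expired or unreadable"; rc=1; }
    for c in "$dir"/*.crt; do
        # Compare these fingerprints with the same output produced on Node A.
        echo "$(basename "$c") $(openssl x509 -in "$c" -noout -fingerprint -sha256)"
    done
    return "$rc"
}

# Runs only when a directory is given, e.g. ./check_bundle.sh /opt/pam/ssl
if [ "$#" -gt 0 ]; then check_bundle "$1"; fi
```

Run the same script against the bundle on Node A and compare the printed SHA-256 fingerprints; they should be identical on both nodes.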