Oracle Fusion Middleware : Oracle Identity and Access Management Suite 10g/11gR1/11gR2PS1,PS2,PS3 : OIM | OAM,OAAM,OIF | OID, OVD, DIP | OUD/ ODSEE | Microsft AD | OpenLDAP | ADF | EBS R12 | OECMCCR4 | Business Intelleigence - Bi Publisher | Banking | Demo Applications | Core Java | SQL | PLSQL | Web services | Weblogic | Tomcat | JBoss | OHS | WebGate | WebCenter | In any Queries please Contact Me : info@oratechsoft.com

Sunday, 27 July 2025

CyberArk : HTML5 Gateway Installation Step by Step

CyberArk PSM HTML5 Gateway 14.4 Installation on Rocky Linux 8.10

This guide walks you through the steps to install the CyberArk PSM HTML5 Gateway (version 14.4) on Rocky Linux 8.10.

1. Install Required Packages and Libraries

Run the following command as root:

bash

dnf install -y cairo libpng libjpeg-turbo java-1.8.0-openjdk-headless openssl

2. Install Java JDK (v1.8)

If you require the full JDK (not just the headless version):

bash

dnf install -y java-1.8.0-openjdk-devel

Verify installation:

bash

java -version

Set JAVA_HOME if needed:

bash

echo "export JAVA_HOME=$(dirname $(dirname $(readlink -f $(which java))))" >> ~/.bashrc
source ~/.bashrc

3. Download HTML5GW14.4 and Import CyberArk RPM Signature

  • Download the HTML5 Gateway and unzip the package:

bash

# the downloaded HTML5Gateway-Rls-v14.4.zip is assumed to be in /opt
cd /opt
unzip HTML5Gateway-Rls-v14.4.zip
cd /opt/RHELinux-Intel64/

  • Import the CyberArk RPM GPG key:

bash

rpm --import RPM-GPG-KEY-CyberArk

  • Verify the RPM package:

bash

rpm -K -v CARKpsmgw-14.4.0-8.x86_64.rpm

4. Install Apache Tomcat (v9)

4.1 Create Tomcat User & Directory

bash

export CATALINA_HOME=/opt/tomcat
useradd -m -s /sbin/nologin -k /dev/null -d "$CATALINA_HOME" tomcat

4.2 Download and Extract Tomcat

bash

cd /opt
curl -O https://downloads.apache.org/tomcat/tomcat-9/v9.0.87/bin/apache-tomcat-9.0.87.tar.gz
mkdir -p $CATALINA_HOME
tar xf apache-tomcat-9.0.87.tar.gz -C $CATALINA_HOME --strip-components=1

4.3 Set Ownership & Permissions

bash

chown -R tomcat:tomcat $CATALINA_HOME
chmod 600 $CATALINA_HOME/conf/server.xml

5. Create Tomcat Systemd Service

Create the tomcat.service file:

bash

vi /etc/systemd/system/tomcat.service

Paste the following configuration:

ini

[Unit]
Description=Apache Tomcat Web Application Container
After=network.target

[Service]
Type=forking
Environment=JAVA_HOME=/usr/lib/jvm/jre
Environment=CATALINA_HOME=/opt/tomcat
Environment=CATALINA_BASE=/opt/tomcat
Environment='CATALINA_OPTS=-Xms128M -Xmx768M -server -XX:+UseParallelGC'
Environment='JAVA_OPTS=-Djava.awt.headless=true -Djava.security.egd=file:/dev/./urandom'
ExecStart=/opt/tomcat/bin/startup.sh
ExecStop=/opt/tomcat/bin/shutdown.sh
User=tomcat
Group=tomcat

[Install]
WantedBy=multi-user.target

Set the permissions and enable the service:

bash

chown root:root /etc/systemd/system/tomcat.service
systemctl daemon-reload
systemctl enable tomcat

6. Generate Self-Signed Keystore (Not Recommended)

For a self-signed certificate, generate a keystore:

bash

keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -keystore /opt/tomcat/keystore -validity 3650

Example values:

  • Keystore password: changeit

  • CN: Fully Qualified Domain Name (FQDN) of HTML5 GW (e.g., html5.corp.com)

7. Enable SSL in Tomcat

Edit the server.xml file:

bash

vi /opt/tomcat/conf/server.xml

Add or modify the following <Connector> element:

xml

<!-- keystoreFile must be the path given to keytool -keystore in step 6 -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="/opt/tomcat/keystore" keystorePass="changeit" />

8. Generate and Install Domain SSL Keystore

8.1 Create san_config.cnf

bash

mkdir -p /opt/certs
cd /opt/certs
vi /opt/certs/san_config.cnf

Contents of san_config.cnf:

ini

[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no

[ req_distinguished_name ]
CN = html5.corp.com
O = NGT
OU = IT
L = Hyderabad
ST = TS
C = IN

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = html5.corp.com
DNS.2 = html5
IP.1 = 10.0.0.50

8.2 Generate CSR:

bash

cd /opt/certs
openssl genrsa -out html5.key 2048
openssl req -new -key html5.key -out html5.csr -config san_config.cnf

8.3 Submit CSR to CA and obtain the html5.crt and ca-chain.crt.

8.4 Create .p12 File:

bash

openssl pkcs12 -export -inkey html5.key -in html5.crt -certfile ca-chain.crt -out html5.p12 -name html5cert

8.5 (Optional) Convert to JKS Keystore:

bash

keytool -importkeystore -destkeystore html5.jks -srckeystore html5.p12 -srcstoretype PKCS12 -alias html5cert
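As an added example (not part of the original post), the script below builds san_config.cnf from parameters, runs the same genrsa/req commands as step 8, and checks that the resulting CSR really carries the SAN entries before it is submitted to the CA. It assumes openssl is installed and uses the post's placeholder host name and IP.

```shell
#!/bin/bash
# Added example, not from the original post: build san_config.cnf from
# parameters, generate key + CSR as in step 8, then verify the CSR's SAN.
# Assumes openssl is installed; FQDN, host name and IP are placeholders.
set -eu

# make_san_csr <outdir> <fqdn> <short-hostname> <ip> [org]
# Writes <outdir>/san_config.cnf, <outdir>/html5.key (mode 600), <outdir>/html5.csr
make_san_csr() {
  local outdir="$1" fqdn="$2" short="$3" ip="$4" org="${5:-NGT}"
  mkdir -p "$outdir"
  cat > "$outdir/san_config.cnf" <<EOF
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[ req_distinguished_name ]
CN = $fqdn
O = $org
OU = IT
L = Hyderabad
ST = TS
C = IN
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = $fqdn
DNS.2 = $short
IP.1 = $ip
EOF
  # umask 077 in a subshell so the private key is never readable by others
  ( umask 077 && openssl genrsa -out "$outdir/html5.key" 2048 2>/dev/null )
  openssl req -new -key "$outdir/html5.key" -out "$outdir/html5.csr" \
    -config "$outdir/san_config.cnf"
}

# csr_has_san <csr> <entry>: 0 if the CSR's SAN lists <entry>, e.g. "DNS:html5.corp.com"
csr_has_san() {
  openssl req -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | grep -q -- "$2"
}

# Demo run in a scratch directory with the post's placeholder values
demo="$(mktemp -d)"
make_san_csr "$demo" html5.corp.com html5 10.0.0.50
csr_has_san "$demo/html5.csr" "DNS:html5.corp.com" && echo "CSR OK: $demo/html5.csr"
```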

9. Configure TLS in Tomcat’s server.xml

Edit /opt/tomcat/conf/server.xml to configure TLS:

xml

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true">
    <SSLHostConfig>
        <Certificate certificateKeystoreFile="/opt/certs/html5.p12"
                     type="RSA"
                     certificateKeystoreType="PKCS12"
                     certificateKeystorePassword="changeit" />
    </SSLHostConfig>
</Connector>

10. Set Permissions on Cert Files

bash

mkdir -p /opt/certs
cp html5.p12 /opt/certs/
chown -R tomcat: /opt/certs
chmod 600 /opt/certs/html5.p12
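As an added check (not part of the original post), this script verifies the outcome of steps 4.3, 8 and 10: the keystore, private key and server.xml exist, belong to the tomcat service account and carry no group/other permission bits. It assumes GNU or busybox stat; the file paths are the ones this guide creates.

```shell
#!/bin/bash
# Added example, not from the original post: confirm the gateway's TLS
# material and Tomcat config are owned by the service account and are
# unreadable to other local users (mode 600 or stricter).
# Assumes GNU/busybox stat (-c). The file list is the one this guide creates.
set -eu

# file_is_private <path> <owner>: 0 when <path> exists, is owned by <owner>
# and has no group/other permission bits; prints one finding per file.
file_is_private() {
  local path="$1" owner="$2" mode fowner grp_oth
  [ -e "$path" ] || { echo "MISSING  $path"; return 1; }
  mode="$(stat -c %a "$path")"
  fowner="$(stat -c %U "$path")"
  grp_oth="$(printf '%s' "$mode" | tail -c 2)"   # last two octal digits
  if [ "$fowner" != "$owner" ]; then
    echo "OWNER    $path is owned by $fowner, want $owner"; return 1
  fi
  if [ "$grp_oth" != "00" ]; then
    echo "MODE     $path is $mode, want 600"; return 1
  fi
  echo "OK       $path ($mode $fowner)"
}

# check_gateway_files <owner> <file>...: runs file_is_private over every
# file; the exit status is the number of files that failed (0 = all good).
check_gateway_files() {
  local owner="$1" f bad=0
  shift
  for f in "$@"; do
    file_is_private "$f" "$owner" || bad=$((bad + 1))
  done
  return "$bad"
}

# On the gateway host, run as root after step 10:
#   check_gateway_files tomcat /opt/certs/html5.p12 /opt/certs/html5.key \
#       /opt/tomcat/conf/server.xml
```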

11. Start/Enable Tomcat Service

(Optional: Create systemd service for Tomcat)

bash

sudo systemctl daemon-reexec
sudo systemctl start tomcat
sudo systemctl enable tomcat

12. Open Firewall Port and Test Tomcat

bash

firewall-cmd --permanent --add-forward-port=port=443:proto=tcp:toport=8443
firewall-cmd --reload
systemctl start tomcat

Visit https://<HTML5GW-IP> and verify that the default Tomcat page loads.

13. Install CyberArk HTML5 Gateway

13.1 Prepare Parameters

Copy the sample configuration:

bash

cp /path/to/HTML5GW/psmgwparms.sample /var/tmp/psmgwparms
vi /var/tmp/psmgwparms

Sample config:

bash

AcceptCyberArkEULA=Yes
Hardening=Yes
WebAppsDir=/opt/tomcat/webapps
WebApplicationServerUser=tomcat
WebApplicationServerGroup=tomcat
EndPointAddress=https://<PVWA>/passwordvault
EnableScreenAutoResize=Yes

13.2 Install RPM

bash

cd /opt/RHELinux-Intel64/
rpm -ivh CARKpsmgw-14.4.0-8.x86_64.rpm

13.3 Start Services

bash

systemctl status guacd
systemctl restart tomcat

14. Secure guacd <-> WebApp

14.1 Import Cert to JVM Truststore

bash

keytool -import -alias webapp_guacd_cert \
  -keystore /usr/lib/jvm/java-1.8.0-openjdk*/jre/lib/security/cacerts \
  -trustcacerts -file /opt/certs/html5.cer

keytool -import -alias domain_cert \
  -keystore /usr/lib/jvm/java-1.8.0-openjdk*/jre/lib/security/cacerts \
  -trustcacerts -file /opt/certs/domainca.cer

keytool -import -alias domain_chain_cert \
  -keystore /usr/lib/jvm/java-1.8.0-openjdk*/jre/lib/security/cacerts \
  -trustcacerts -file /opt/certs/domainchain.cer

14.2 Configure SSL for guacd

bash

vi /etc/guacamole/guacd.conf

Uncomment and set:

ini

[ssl]
server_certificate = /opt/certs/html5.cer
server_key = /opt/certs/html5.key

Restart guacd:

bash

systemctl restart guacd

15. Final Configuration and Hardening

Update psmgw.conf in /etc/opt/CARKpsmgw/webapp/ to point to the correct configuration.

Restart services:

bash

systemctl restart guacd
systemctl restart tomcat

16. Add Gateway in PVWA

  • Log into PVWA as admin.

  • Go to Options > Privileged Session Management > Add Configured PSM Gateway Servers.

  • Add the FQDN of the gateway and set the port to 443.

Test the HTML5 connection.

Testing Via PVWA:

Official Ref:

Installation: Install PSM HTML5 Gateway using an RPM package | CyberArk Docs

Configuration: Secure Access with an HTML5 Gateway | CyberArk Docs



All the best!
