Common Configuration

Prerequisites

To facilitate server configuration please gather the following information before starting.

For General Settings

public IP address or DNS name for the Mamori server

For SMTP Server Integration (required for email alerts & account notifications)

SMTP server IP address, port, username, password

Logo File

For AD Integration

IP Address, OU(s), AD Login users with Bind permission

For Adding Resources

Have connection details for the resources you would like to access via Mamori (RDP, VDI, SSH, HTTP/S & DB)

For Mobile 2FA configuration

Install the Mamori 2FA mobile app from the respective app store.

Configuration Steps

Prerequisites

Confirm General Server Settings

Step 1 - Integrate your email server (optional)

Step 2 - Configure 2FA Providers

Step 3 - Setup Directory Integration (optional)

Step 4 - Review Default Alerts

Step 5 - Review Default Roles

Step 6 - Review Default Resource Policies

Step 7 - Server SSL Certificates

Step 8 - Hardening Check List

SMTP server

Integrating an email server will enable the following features

Email alerts
User login account emails
User remote access key emails

If you don't have an email server, then you can use gmail or sendgrid.com. Both offer free SMTP service. Click here to register wth sendgrid

To integrate your email server

Click Server Settings

Click SMTP Settings

Next, enter SMTP server details

Field Description
Mamori Server URL defaults to https://[your mamori server ip]
From Address defaults to no-reply@mamori.com
Server Hostname your smtp server
Server Port defaults to 587
Use SSL defaults to false
Server Credentials
Logo File Logo attached to the bottom of an email.
Defaults to mamori logo

Click Update Settings

Click Send Test Email

Field	Description
Mamori Server URL	defaults to https://[your mamori server ip]
From Address	defaults to no-reply@mamori.com
Server Hostname	your smtp server
Server Port	defaults to 587
Use SSL	defaults to false
Server Credentials
Logo File	Logo attached to the bottom of an email. Defaults to mamori logo

2FA Providers

Mamori works with both built-in and supported external 2FA providers.

2FA providers can be assigned to a user or configured directory provider.

If a directory is assigned a 2FA provider, then all users that connect via that directory will use that 2FA.

Built-in Providers

Mamori server has 2 built-in 2FA providers

pushmobile - Uses the Mamori mobile app and Apple/Android notification services which require the Mamori server to acces https://fcm.googleapis.com/fcm/send
pushtotp - Uses a web browser, one time tokens and works without internet access. Ideal for Air Gap environments

To enable the providers ensure their Service URL property is set to the Mamori url that will be accessible from the mobile device.

Supported External Providers

Azure 2FA
Okta
Duo
PingId
Yubi Key
SASSPASS

Push Mobile

Click Server Settings > Authentication Providers

Edit the pushmobile provider

Fill in these fields in the dialog:

Field Description
Mamori Service URL Enter your Mamori server url
e.g., https://mymamori.com or https://10.0.0.2:1443
2FA Timeout How long a user has to respond.
Defaults to 180 seconds
2FA Cache Time How long a session can remain inactive before another 2FA request is issued.
Defaults to 15 minutes.

Click Update Provider

Field	Description
Mamori Service URL	Enter your Mamori server url e.g., `https://mymamori.com` or `https://10.0.0.2:1443`
2FA Timeout	How long a user has to respond. Defaults to 180 seconds
2FA Cache Time	How long a session can remain inactive before another 2FA request is issued. Defaults to 15 minutes.

Push TOTP

Click Server Settings > Authentication Providers

Edit the pushtotp provider

Fill in these fields in the dialog:

Field Description
Mamori Service URL Enter your Mamori server url
e.g., https://mymamori.com or https://10.0.0.2
2FA Timeout How long a user has to respond.
Defaults to 180 seconds
2FA Cache Time How long a session can remain inactive before another 2FA request is issued.
Defaults to 15 minutes.

Click Update Provider

Field	Description
Mamori Service URL	Enter your Mamori server url e.g., `https://mymamori.com` or `https://10.0.0.2`
2FA Timeout	How long a user has to respond. Defaults to 180 seconds
2FA Cache Time	How long a session can remain inactive before another 2FA request is issued. Defaults to 15 minutes.

External Provider

Click Server Settings > Authentication Providers

Click

Name the provider

Choose the external 2FA provider from the Authentication Provider list.

Fill in the fields required by the provider in the dialog:

Click Save

Alert channels

Mamori deploys with a commonly used set of alerts that will notify users via emails and the mobile app.

Pre-configured Alerts:

default_intrusion
default_policy_denied
default_policy_endorsemet
default_policy_request
default_row_limit_violation
default_error_alert

Alert Types

Type	Description
Email	Send alert to a list of emails
Email a role	Send alert to all users with the specified Mamori role
Notification	Send alert to the Mamori Mobile App
HTTP	Send alert to any custom web service like Slack or Line

Intrusion

Configure this alert if you will be configuring WireGuard. This alert will be triggered when Mamori detects an unauthorized scan of the network.

Click Server Settings > Alerts

Find default_intrusion & Double-click to edit

Next, enter the details

Field Description
Alert Name intrusion
Alert Type email
Email address enter a comma separated list of email addresses
Email Subject Mamori Alert! Device Blocked {{username}}
Email Body user : {{username}}
client ip: {{source}}
device name : {{device}}

Click to add another alert in the channel

Click Create to save the channel

Field	Description
Alert Name	intrusion
Alert Type	email
Email address	enter a comma separated list of email addresses
Email Subject	Mamori Alert! Device Blocked {{username}}
Email Body	user : {{username}} client ip: {{source}} device name : {{device}}

Policy Request

Configure this alert channel if you will be using on-demand access policies. This alert will be triggered when a user makes a policy requests. Alerting all relevant endorsers of the new request.

Click Server Settings > Alerts

Find default_policy_request & Double-click to edit

Next, enter the details

Field Description
Alert Name policy_request
Alert Type email_role
Email address enter {{endorsing_role} }
Email Subject Access Request from {{applicant}} for {{procedure}}
Email Body applicant : {{applicant}}
message: {{applicant_message}}
policy: {{procedure}}
status: {{status}}

Click to add another alert in the channel

Click Create to save the channel

Field	Description
Alert Name	policy_request
Alert Type	email_role
Email address	enter {{endorsing_role} }
Email Subject	Access Request from {{applicant}} for {{procedure}}
Email Body	applicant : {{applicant}} message: {{applicant_message}} policy: {{procedure}} status: {{status}}

Policy Endorsement

Configure this alert channel if you will be using on-demand access policies. This alert will be triggered when a request is approved or denied. Alerting the applicant of the outcome.

Click Server Settings > Alerts

Find default_policy_endorsement & Double-click to edit

Next, enter the details

Field Description
Alert Name policy_endorsement_or_deny
Alert Type email
Email address enter {{applicant_email} }
Email Subject Access Request for {{procedure}} {{status}}
Email Body Status:{{status}}
Policy : {{procedure}}
comment: {{applicant_message}}
Endorser: {{agent}}
Endorser comment: {{agent_message}}

Click to add another alert in the channel

Click Create to save the channel

Field	Description
Alert Name	policy_endorsement_or_deny
Alert Type	email
Email address	enter {{applicant_email} }
Email Subject	Access Request for {{procedure}} {{status}}
Email Body	Status:{{status}} Policy : {{procedure}} comment: {{applicant_message}} Endorser: {{agent}} Endorser comment: {{agent_message}}

Alert Mobile, Slack & Line

See the link below for instructions on how to send alerts to Mamori Mobile, Slack, Line or another service.

Information on Alert Channels

Review commonly used roles

Mamori deploys with a commonly used set of roles.

Pre-configured roles:

default_api_catalog_access
default_network_scan_access
default_wireguard_user
default_policy_user
default_policy_endorser
default_database_credentials
default_wireguard_user
default_database_access_ro

Click here for role editor documentation

For Catalog Extracts

A role to access and extract log information via the Mamori API in the clear. By default all string literals in the SQL logs are masked.

Field Description
Role Id default_api_catalog_access
Mamori Permissions VIEW CLEAR SQL LOG, LOG SESSION, VIEW ALL USER

Field	Description
Role Id	default_api_catalog_access
Mamori Permissions	VIEW CLEAR SQL LOG, LOG SESSION, VIEW ALL USER

For Database Access

These sets of roles are commonly used to directly grant access databases.They are not required if on-demand data policies are used since the policies will provide the permissions.

To access a database successfully a user needs

A credential permission
A session passthrough type permission
At least SELECT on the database objects

To access the Web SQL console a user additionaly needs

WEB SQL EDITOR
WEB EXPORT DATA (Optional)

A role to contain all the target database crentials

Field Description
Role Id default_database_credentials
Database & Data > Credentials Add the desired database credentials

Field	Description
Role Id	default_database_credentials
Database & Data > Credentials	Add the desired database credentials

A role that provides read only database access via WebSQL and DB Proxies

Field Description
Role Id default_database_access_ro
Mamori Permissions WEB SQL EDITOR, WEB EXPORT DATA (Optional)
Database & Data > Object Privileges > Datasource MASKED PASSTHROUGH
Database & Data > Object Privileges > DB Object SELECT

To use DB client tools also provide:
CALL, EXECUTE SQL BLOCK, EXECUTE DYNAMIC SQL

Field	Description
Role Id	default_database_access_ro
Mamori Permissions	WEB SQL EDITOR, WEB EXPORT DATA (Optional)
Database & Data > Object Privileges > Datasource	MASKED PASSTHROUGH
Database & Data > Object Privileges > DB Object	SELECT To use DB client tools also provide: CALL, EXECUTE SQL BLOCK, EXECUTE DYNAMIC SQL

For ZTNA Users

A role to identify WireGuard users. Users that login with this role will trigger the automatic device registration process.

Field Description
Role Id default_wireguard_user

A role allow network scans. Users with this role will not be blocked by the intrusion detection service.

Field Description
Role Id default_network_scan_access
Mamori Permissions IP SCAN

Field	Description
Role Id	default_wireguard_user

Field	Description
Role Id	default_network_scan_access
Mamori Permissions	IP SCAN

For On-Demand Policies

A role to assign resource grant permissions. Users with this role be able able to make resource requests.

Field Description
Role Id default_policy_user
Mamori Permissions REQUEST

Field	Description
Role Id	default_policy_user
Mamori Permissions	REQUEST

A role to set as the endorsing role for resource and access policies. Users with this role be able to endorse resource requests.

Field Description
Role Id default_policy_endorser
Mamori Permissions REQUEST

Field	Description
Role Id	default_policy_endorser
Mamori Permissions	REQUEST

Review default resource polices

The mamori server comes with the following default policies:

default_date_range_resource_policy

For requesting non DB resources based on a date range

default_resource_policy

For requesting non DB resources based on an amount of time

default_role_resource_policy

For requesting Mamori roles based on an amount of time

default_db_resource_policy

For requesting DB resources based on an amount of time

Mamori will preconfigure the resources policies with the following defaults.

Section Field New Value
Request Request Alert default_policy_request
Endorsement Endorsement Alert default_policy_endorsement
Endorsement Deny Alert default_policy_deny
Endorsement Endorsement Role default_policy_endorser
Endorsement Allow self endorsement false

Section	Field	New Value
Request	Request Alert	default_policy_request
Endorsement	Endorsement Alert	default_policy_endorsement
Endorsement	Deny Alert	default_policy_deny
Endorsement	Endorsement Role	default_policy_endorser
Endorsement	Allow self endorsement	false

Click here for policy editor documentation

Server SSL Certificate

The Mamori server uses Nginx for SSL termination.

All-in-one deployment - Set the server certificates via the web portal.
HA deployment - Manually place the certificate files on each application server node.

Web Portal

Click Server Settings > TLS Certificates

Add the private key contents

Add the certificate contents

Click Install Certificates

Manual

To setup the certificate for the Mamori server you need to copy the cert and key file into the nginx directory and then restart nginx. Use the commands below. If you have an extracted PEM file (begins with -----BEGIN PRIVATE KEY-----), then you that cp that file into nginx.key.

docker cp new.crt mamori:/etc/nginx/ssl/nginx.crt
docker cp new.key mamori:/etc/nginx/ssl/nginx.key
docker exec -it mamori sv restart nginx

If you have a PEM file, then you can extract your key and cert files with the commands below. Please confirm that your PEM file doesn't not begin with "-----BEGIN PRIVATE KEY-----".

openssl rsa -outform der -in your-file.pem -out private.key
openssl x509 -outform der -in your-file.pem -out your-file.crt

Hardening Check List

Ensure all items are completed before deploying to production.

Steps

Step 1 - Disable the bootstrap Mamori admin account

Step 2 - Enable the Mamori server firewall and open only used ports

Step 3 - Enforce 2FA for all logins

Step 4 - Executed the hardening guide for your Mamori server OS.
Click for basic hardening guide