Common Configuration
Prerequisites
To facilitate server configuration please gather the following information before starting.
For General Settings
- public IP address or DNS name for the Mamori server
For SMTP Server Integration (required for email alerts & account notifications)
- SMTP server IP address, port, username, password
- Logo File
For AD Integration
- IP Address, OU(s), AD Login users with Bind permission
For Adding Resources
- Have connection details for the resources you would like to access via Mamori (RDP, VDI, SSH, HTTP/S & DB)
For Mobile 2FA configuration
- Install the Mamori 2FA mobile app from the respective app store.
Configuration Steps
Prerequisites
Step 1 - Integrate your email server (optional)
Step 2 - Configure 2FA Providers
Step 3 - Setup Directory Integration (optional)
Step 4 - Review Default Alerts
Step 5 - Review Default Roles
Step 6 - Review Default Resource Policies
Step 7 - Server SSL Certificates
Step 8 - Hardening Check List
SMTP server
Integrating an email server will enable the following features
- Email alerts
- User login account emails
- User remote access key emails
If you don't have an email server, you can use Gmail or sendgrid.com; both offer a free SMTP service. Click here to register with SendGrid
To integrate your email server
Click Server Settings
Click SMTP Settings
Next, enter SMTP server details
Field | Description |
---|---|
Mamori Server URL | defaults to https://[your mamori server ip] |
From Address | defaults to no-reply@mamori.com |
Server Hostname | your SMTP server |
Server Port | defaults to 587 |
Use SSL | defaults to false |
Server Credentials | |
Logo File | Logo attached to the bottom of an email. Defaults to the Mamori logo |
Click Update Settings
Click Send Test Email
2FA Providers
Mamori works with both built-in and supported external 2FA providers.
2FA providers can be assigned to a user or configured directory provider.
If a directory is assigned a 2FA provider, then all users that connect via that directory will use that 2FA.
Built-in Providers
Mamori server has 2 built-in 2FA providers
- pushmobile - Uses the Mamori mobile app and Apple/Android notification services, which require the Mamori server to access https://fcm.googleapis.com/fcm/send
- pushtotp - Uses a web browser and one-time tokens, and works without internet access. Ideal for air-gapped environments
To enable the providers, ensure their Service URL property is set to the Mamori URL that will be accessible from the mobile device.
Supported External Providers
- Azure 2FA
- Okta
- Duo
- PingId
- Yubi Key
- SASSPASS
Push Mobile
Click Server Settings > Authentication Providers
Edit the pushmobile provider
Fill in these fields in the dialog:
Field | Description |
---|---|
Mamori Service URL | Enter your Mamori server URL, e.g., https://mymamori.com or https://10.0.0.2:1443 |
2FA Timeout | How long a user has to respond. Defaults to 180 seconds |
2FA Cache Time | How long a session can remain inactive before another 2FA request is issued. Defaults to 15 minutes. |
Click Update Provider
Push TOTP
Click Server Settings > Authentication Providers
Edit the pushtotp provider
Fill in these fields in the dialog:
Field | Description |
---|---|
Mamori Service URL | Enter your Mamori server URL, e.g., https://mymamori.com or https://10.0.0.2 |
2FA Timeout | How long a user has to respond. Defaults to 180 seconds |
2FA Cache Time | How long a session can remain inactive before another 2FA request is issued. Defaults to 15 minutes. |
Click Update Provider
External Provider
Click Server Settings > Authentication Providers
Click
Name the provider
Choose the external 2FA provider from the Authentication Provider list.
Fill in the fields required by the provider in the dialog:
Click Save
Alert channels
Mamori deploys with a commonly used set of alerts that will notify users via emails and the mobile app.
Pre-configured Alerts:
- default_intrusion
- default_policy_denied
- default_policy_endorsement
- default_policy_request
- default_row_limit_violation
- default_error_alert
Alert Types
Type | Description |
---|---|
Email | Send alert to a list of emails |
Email a role | Send alert to all users with the specified Mamori role |
Notification | Send alert to the Mamori Mobile App |
HTTP | Send alert to any custom web service like Slack or Line |
Intrusion
Configure this alert if you will be configuring WireGuard. This alert will be triggered when Mamori detects an unauthorized scan of the network.
Click Server Settings > Alerts
Find default_intrusion & double-click to edit
Next, enter the details
Field | Description |
---|---|
Alert Name | intrusion |
Alert Type | Email |
Email address | enter a comma separated list of email addresses |
Email Subject | Mamori Alert! Device Blocked {{username}} |
Email Body | user : {{username}}<br>client ip: {{source}}<br>device name : {{device}} |
Click to add another alert in the channel
Click Create to save the channel
Policy Request
Configure this alert channel if you will be using on-demand access policies. This alert will be triggered when a user makes a policy request, alerting all relevant endorsers of the new request.
Click Server Settings > Alerts
Find default_policy_request & double-click to edit
Next, enter the details
Field | Description |
---|---|
Alert Name | policy_request |
Alert Type | email_role |
Email address | enter {{endorsing_role}} |
Email Subject | Access Request from {{applicant}} for {{procedure}} |
Email Body | applicant : {{applicant}}<br>message: {{applicant_message}}<br>policy: {{procedure}}<br>status: {{status}} |
Click to add another alert in the channel
Click Create to save the channel
Policy Endorsement
Configure this alert channel if you will be using on-demand access policies. This alert will be triggered when a request is approved or denied, alerting the applicant of the outcome.
Click Server Settings > Alerts
Find default_policy_endorsement & double-click to edit
Next, enter the details
Field | Description |
---|---|
Alert Name | policy_endorsement_or_deny |
Alert Type | Email |
Email address | enter {{applicant_email}} |
Email Subject | Access Request for {{procedure}} {{status}} |
Email Body | Status: {{status}}<br>Policy : {{procedure}}<br>comment: {{applicant_message}}<br>Endorser: {{agent}}<br>Endorser comment: {{agent_message}} |
Click to add another alert in the channel
Click Create to save the channel
Alert Mobile, Slack & Line
Information on Alert Channels
Review commonly used roles
Mamori deploys with a commonly used set of roles.
Pre-configured roles:
- default_api_catalog_access
- default_network_scan_access
- default_wireguard_user
- default_policy_user
- default_policy_endorser
- default_database_credentials
- default_database_access_ro
For Catalog Extracts
A role to access and extract log information via the Mamori API in the clear. By default all string literals in the SQL logs are masked.
Field | Description |
---|---|
Role Id | default_api_catalog_access |
Mamori Permissions | VIEW CLEAR SQL LOG, LOG SESSION, VIEW ALL USER |
For Database Access
These roles are commonly used to grant direct access to databases. They are not required if on-demand data policies are used, since the policies provide the permissions.
To access a database successfully a user needs
- A credential permission
- A session passthrough type permission
- At least SELECT on the database objects
To access the Web SQL console a user additionally needs
- WEB SQL EDITOR
- WEB EXPORT DATA (Optional)
A role to contain all the target database credentials
Field | Description |
---|---|
Role Id | default_database_credentials |
Database & Data > Credentials | Add the desired database credentials |
A role that provides read only database access via WebSQL and DB Proxies
Field | Description |
---|---|
Role Id | default_database_access_ro |
Mamori Permissions | WEB SQL EDITOR, WEB EXPORT DATA (Optional) |
Database & Data > Object Privileges > Datasource | MASKED PASSTHROUGH |
Database & Data > Object Privileges > DB Object | SELECT |
To use DB client tools also provide:
CALL, EXECUTE SQL BLOCK, EXECUTE DYNAMIC SQL
For ZTNA Users
A role to identify WireGuard users. Users that log in with this role will trigger the automatic device registration process.
Field | Description |
---|---|
Role Id | default_wireguard_user |
A role to allow network scans. Users with this role will not be blocked by the intrusion detection service.
Field | Description |
---|---|
Role Id | default_network_scan_access |
Mamori Permissions | IP SCAN |
For On-Demand Policies
A role to assign resource request permissions. Users with this role will be able to make resource requests.
Field | Description |
---|---|
Role Id | default_policy_user |
Mamori Permissions | REQUEST |
A role to set as the endorsing role for resource and access policies. Users with this role will be able to endorse resource requests.
Field | Description |
---|---|
Role Id | default_policy_endorser |
Mamori Permissions | REQUEST |
Review default resource policies
The Mamori server comes with the following default policies:
default_date_range_resource_policy
For requesting non DB resources based on a date range
default_resource_policy
For requesting non DB resources based on an amount of time
default_role_resource_policy
For requesting Mamori roles based on an amount of time
default_db_resource_policy
For requesting DB resources based on an amount of time
Mamori will preconfigure the resource policies with the following defaults.
Section | Field | New Value |
---|---|---|
Request | Request Alert | default_policy_request |
Endorsement | Endorsement Alert | default_policy_endorsement |
Endorsement | Deny Alert | default_policy_deny |
Endorsement | Endorsement Role | default_policy_endorser |
Endorsement | Allow self endorsement | false |
Server SSL Certificate
The Mamori server uses Nginx for SSL termination.
- All-in-one deployment - Set the server certificates via the web portal.
- HA deployment - Manually place the certificate files on each application server node.
Web Portal
Click Server Settings > TLS Certificates
Add the private key contents
Add the certificate contents
Click Install Certificates
Manual
To set up the certificate for the Mamori server portal and proxies, follow the steps below.
Step 1. Copy the key and certificate file onto the Mamori server
Step 2. Create the install_certificate.sh script and chmod +x the file
```sh
#!/bin/sh
# install_certificate.sh - post a PEM key/certificate pair to the local Mamori certs API
KEY_FILE="$1"
CERT_FILE="$2"
# curl's "name@file" form for --data-urlencode reads the field value from the file
curl -X POST \
     --data-urlencode name=mamori \
     --data-urlencode "certs[key]@$KEY_FILE" \
     --data-urlencode "certs[crt]@$CERT_FILE" \
     http://localhost:4000/api/local/v1/certs
```
Step 3. Call the script
```sh
./install_certificate.sh /home/user/myhost.key /home/user/myhost.crt
```
```sh
openssl rsa -outform der -in your-file.pem -out private.key
openssl x509 -outform der -in your-file.pem -out your-file.crt
```
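Before posting a pair to the local certs API it is worth confirming that the key and certificate actually belong together, that the certificate has not already expired, and that the key file is not readable by other accounts on the server. The pre-flight script below is an added example, not part of the Mamori documentation; it assumes install_certificate.sh from Step 2 is in the current directory and that openssl is installed for the cryptographic checks.

```sh
#!/bin/sh
# preflight_certs.sh - added pre-flight checks before running install_certificate.sh
# Usage: sh preflight_certs.sh /path/to/host.key /path/to/host.crt

# Structural checks that need no external tools: PEM markers present and the
# private key not readable by group or others.
check_pem_layout() {
    key="$1"; crt="$2"
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$key" || { echo "no PEM private key header in $key"; return 1; }
    grep -q -e '-----BEGIN CERTIFICATE-----' "$crt"   || { echo "no PEM certificate header in $crt"; return 1; }
    # characters 5-10 of "ls -l" output are the group/other bits, e.g. -rw------- -> "------"
    mode=$(ls -ld "$key" | cut -c5-10)
    [ "$mode" = "------" ] || { echo "$key is readable by group/others (chmod 600 it)"; return 1; }
    return 0
}

# Cryptographic checks via openssl: the public key derived from the private key
# must equal the one embedded in the certificate, and the certificate must be valid now.
check_key_matches_cert() {
    key="$1"; crt="$2"
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found, cannot verify pair"; return 2; }
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || { echo "cannot parse private key $key"; return 1; }
    crt_pub=$(openssl x509 -in "$crt" -pubkey -noout 2>/dev/null) || { echo "cannot parse certificate $crt"; return 1; }
    [ "$key_pub" = "$crt_pub" ] || { echo "private key does not match certificate"; return 1; }
    openssl x509 -in "$crt" -checkend 0 -noout >/dev/null 2>&1 || { echo "certificate has expired"; return 1; }
    return 0
}

# Run both checks and only then hand over to the page's install script.
install_if_valid() {
    check_pem_layout "$1" "$2" && check_key_matches_cert "$1" "$2" || return 1
    ./install_certificate.sh "$1" "$2"
}

if [ $# -eq 2 ]; then
    install_if_valid "$1" "$2"
fi
```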
Hardening Check List
Ensure all items are completed before deploying to production.
Steps
Step 1 - Disable the bootstrap Mamori admin account
Step 2 - Enable the Mamori server firewall and open only used ports
Step 3 - Enforce 2FA for all logins
Step 4 - Execute the hardening guide for your Mamori server OS.
Click for basic hardening guide