Common Configuration

Prerequisites

To facilitate server configuration, please gather the following information before starting.

For General Settings

  • public IP address or DNS name for the Mamori server

For SMTP Server Integration (required for email alerts & account notifications)

  • SMTP server IP address, port, username, password
  • Logo File

For AD Integration

  • IP Address, OU(s), AD Login users with Bind permission

For Adding Resources

  • Have connection details for the resources you would like to access via Mamori (RDP, VDI, SSH, HTTP/S & DB)

For Mobile 2FA configuration

  • Install the Mamori 2FA mobile app from the respective app store.

Configuration Steps

Prerequisites

Confirm General Server Settings

Step 1 - Integrate your email server (optional)

Step 2 - Configure 2FA Providers

Step 3 - Set up Directory Integration (optional)

Step 4 - Review Default Alerts

Step 5 - Review Default Roles

Step 6 - Review Default Resource Policies

Step 7 - Server SSL Certificates

Step 8 - Hardening Check List


SMTP server

Integrating an email server will enable the following features:

  • Email alerts
  • User login account emails
  • User remote access key emails

If you don't have an email server, then you can use Gmail or sendgrid.com. Both offer a free SMTP service. Click here to register with SendGrid.

To integrate your email server

Click Server Settings

Click SMTP Settings

Next, enter SMTP server details

Field                Description
Mamori Server URL    Defaults to https://[your mamori server ip]
From Address         Defaults to no-reply@mamori.com
Server Hostname      Your SMTP server
Server Port          Defaults to 587
Use SSL              Defaults to false
Server Credentials   SMTP username and password
Logo File            Logo attached to the bottom of an email. Defaults to the Mamori logo.

Click Update Settings

Click Send Test Email


2FA Providers

Mamori works with both built-in and supported external 2FA providers.

2FA providers can be assigned to a user or to a configured directory provider.

If a directory is assigned a 2FA provider, then all users that connect via that directory will use that 2FA.

Built-in Providers

Mamori server has 2 built-in 2FA providers

  • pushmobile - Uses the Mamori mobile app and Apple/Android notification services, which require the Mamori server to access https://fcm.googleapis.com/fcm/send
  • pushtotp - Uses a web browser and one-time tokens, and works without internet access. Ideal for air-gapped environments.

To enable the providers, ensure their Service URL property is set to the Mamori URL that will be accessible from the mobile device.

Supported External Providers

  • Azure 2FA
  • Okta
  • Duo
  • PingID
  • YubiKey
  • SAASPASS

Push Mobile

Click Server Settings > Authentication Providers

Edit the pushmobile provider

Fill in these fields in the dialog:

Field                Description
Mamori Service URL   Enter your Mamori server URL, e.g., https://mymamori.com or https://10.0.0.2:1443
2FA Timeout          How long a user has to respond. Defaults to 180 seconds.
2FA Cache Time       How long a session can remain inactive before another 2FA request is issued. Defaults to 15 minutes.

Click Update Provider

Push TOTP

Click Server Settings > Authentication Providers

Edit the pushtotp provider

Fill in these fields in the dialog:

Field                Description
Mamori Service URL   Enter your Mamori server URL, e.g., https://mymamori.com or https://10.0.0.2
2FA Timeout          How long a user has to respond. Defaults to 180 seconds.
2FA Cache Time       How long a session can remain inactive before another 2FA request is issued. Defaults to 15 minutes.

Click Update Provider

External Provider

Click Server Settings > Authentication Providers

Click the add button

Name the provider

Choose the external 2FA provider from the Authentication Provider list.

Fill in the fields required by the provider in the dialog:

Click Save


Alert channels

Mamori deploys with a commonly used set of alerts that will notify users via emails and the mobile app.

Pre-configured Alerts:

  • default_intrusion
  • default_policy_denied
  • default_policy_endorsement
  • default_policy_request

Alert Types

Type           Description
Email          Send alert to a list of emails
Email a role   Send alert to all users with the specified Mamori role
Notification   Send alert to the Mamori Mobile App
HTTP           Send alert to any custom web service, like Slack or Line

Intrusion

Configure this alert if you will be configuring WireGuard. This alert will be triggered when Mamori detects an unauthorized scan of the network.

Click Server Settings > Alerts

Find default_intrusion & Double-click to edit

Next, enter the details

Field           Description
Alert Name      intrusion
Alert Type      email
Email address   Enter a comma-separated list of email addresses
Email Subject   Mamori Alert! Device Blocked {{username}}
Email Body      user : {{username}}
                client ip: {{source}}
                device name : {{device}}

Click to add another alert in the channel

Click Create to save the channel

Policy Request

Configure this alert channel if you will be using on-demand access policies. This alert will be triggered when a user makes a policy request, alerting all relevant endorsers of the new request.

Click Server Settings > Alerts

Find default_policy_request & Double-click to edit

Next, enter the details

Field           Description
Alert Name      policy_request
Alert Type      email_role
Email address   Enter {{endorsing_role}}
Email Subject   Access Request from {{applicant}} for {{procedure}}
Email Body      applicant : {{applicant}}
                message: {{applicant_message}}
                policy: {{procedure}}
                status: {{status}}

Click to add another alert in the channel

Click Create to save the channel

Policy Endorsement

Configure this alert channel if you will be using on-demand access policies. This alert will be triggered when a request is approved or denied, alerting the applicant of the outcome.

Click Server Settings > Alerts

Find default_policy_endorsement & Double-click to edit

Next, enter the details

Field           Description
Alert Name      policy_endorsement_or_deny
Alert Type      email
Email address   Enter {{applicant_email}}
Email Subject   Access Request for {{procedure}} {{status}}
Email Body      Status: {{status}}
                Policy : {{procedure}}
                comment: {{applicant_message}}
                Endorser: {{agent}}
                Endorser comment: {{agent_message}}

Click to add another alert in the channel

Click Create to save the channel

Alert Mobile, Slack & Line

See the link below for instructions on how to send alerts to Mamori Mobile, Slack, Line or another service.

Information on Alert Channels

Review commonly used roles

Mamori deploys with a commonly used set of roles.

Pre-configured roles:

  • default_api_catalog_access
  • default_network_scan_access
  • default_wireguard_user
  • default_policy_user
  • default_policy_endorser
  • default_database_credentials
  • default_database_access_ro

Click here for role editor documentation


For Catalog Extracts

A role to access and extract log information via the Mamori API in the clear. By default all string literals in the SQL logs are masked.

Field                Description
Role Id              default_api_catalog_access
Mamori Permissions   VIEW CLEAR SQL LOG, LOG SESSION, VIEW ALL USER

For Database Access

These roles are commonly used to grant direct access to databases. They are not required if on-demand data policies are used, since the policies will provide the permissions.

To access a database successfully a user needs

  • A credential permission
  • A session passthrough type permission
  • At least SELECT on the database objects

To access the Web SQL console a user additionally needs

  • WEB SQL EDITOR
  • WEB EXPORT DATA (Optional)

A role to contain all the target database credentials

Field                             Description
Role Id                           default_database_credentials
Database & Data > Credentials     Add the desired database credentials

A role that provides read only database access via WebSQL and DB Proxies

Field                                                 Description
Role Id                                               default_database_access_ro
Mamori Permissions                                    WEB SQL EDITOR, WEB EXPORT DATA (Optional)
Database & Data > Object Privileges > Datasource      MASKED PASSTHROUGH
Database & Data > Object Privileges > DB Object       SELECT

To use DB client tools also provide:
CALL, EXECUTE SQL BLOCK, EXECUTE DYNAMIC SQL

For ZTNA Users

A role to identify WireGuard users. Users that login with this role will trigger the automatic device registration process.

Field                Description
Role Id              default_wireguard_user

A role to allow network scans. Users with this role will not be blocked by the intrusion detection service.

Field                Description
Role Id              default_network_scan_access
Mamori Permissions   IP SCAN

For On-Demand Policies

A role to assign resource grant permissions. Users with this role will be able to make resource requests.

Field                Description
Role Id              default_policy_user
Mamori Permissions   REQUEST

A role to set as the endorsing role for resource and access policies. Users with this role will be able to endorse resource requests.

Field                Description
Role Id              default_policy_endorser
Mamori Permissions   REQUEST


Review default resource policies

The Mamori server comes with the following default policies:

  • default_date_range_resource_policy - for requesting non-DB resources based on a date range
  • default_resource_policy - for requesting non-DB resources based on an amount of time
  • default_role_resource_policy - for requesting Mamori roles based on an amount of time
  • default_db_resource_policy - for requesting DB resources based on an amount of time



Mamori will preconfigure the resource policies with the following defaults.

Section        Field                    New Value
Request        Request Alert            default_policy_request
Endorsement    Endorsement Alert        default_policy_endorsement
Endorsement    Deny Alert               default_policy_deny
Endorsement    Endorsement Role         default_policy_endorser
Endorsement    Allow self endorsement   false

Click here for policy editor documentation



Server SSL Certificate

The Mamori server uses Nginx for SSL termination.

  • All-in-one deployment - Set the server certificates via the web portal.
  • HA deployment - Manually place the certificate files on each application server node.

Web Portal

Click Server Settings > TLS Certificates

Add the private key contents

Add the certificate contents

Click Install Certificates

Manual

To set up the certificate for the Mamori server, copy the certificate and key files into the nginx directory and then restart nginx, using the commands below. If you already have an extracted PEM key file (one that begins with -----BEGIN PRIVATE KEY-----), you can cp that file directly as nginx.key.

docker cp new.crt mamori:/etc/nginx/ssl/nginx.crt
docker cp new.key mamori:/etc/nginx/ssl/nginx.key
docker exec -it mamori sv restart nginx

If you have a combined PEM file, then you can extract your key and certificate files with the commands below. Please confirm that your PEM file does not begin with "-----BEGIN PRIVATE KEY-----". nginx loads PEM-encoded files, so the extracted files are written in the default PEM output format (the earlier -outform der option would produce DER files that nginx cannot load).
openssl rsa -in your-file.pem -out private.key
openssl x509 -in your-file.pem -out your-file.crt
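As an added pre-flight script (not part of the Mamori documentation or product), the following checks that the key and certificate are PEM, that they belong together and that the certificate is not about to expire before running the docker steps above. It assumes openssl and docker are on PATH, the container is named mamori and the private key is unencrypted.

```shell
# Added example, not Mamori's own tooling: pre-flight checks before installing
# a certificate into the Mamori nginx container. Assumes openssl and docker are
# on PATH, the container is named "mamori" and the private key is unencrypted.
set -eu

# Succeed if the first line of file $1 is a PEM header containing $2
# (e.g. "PRIVATE KEY" also accepts "RSA PRIVATE KEY" and "EC PRIVATE KEY").
pem_has_header() {
    head -n 1 "$1" | grep -q "^-----BEGIN .*$2-----"
}

# Succeed if the public key in certificate $2 matches private key $1.
# Comparing public keys works for RSA and EC keys alike.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ "$k" = "$c" ]
}

# Succeed if certificate $1 is still valid $2 seconds from now.
cert_valid_for() {
    openssl x509 -in "$1" -checkend "$2" -noout >/dev/null 2>&1
}

# install_cert CERT KEY: run the checks, then the docker steps from the page.
install_cert() {
    crt=$1; key=$2
    pem_has_header "$key" "PRIVATE KEY" || { echo "$key: not a PEM private key" >&2; return 1; }
    pem_has_header "$crt" "CERTIFICATE" || { echo "$crt: not a PEM certificate" >&2; return 1; }
    key_matches_cert "$key" "$crt" || { echo "key does not match certificate" >&2; return 1; }
    cert_valid_for "$crt" 604800 || { echo "certificate expires within 7 days" >&2; return 1; }
    docker cp "$crt" mamori:/etc/nginx/ssl/nginx.crt
    docker cp "$key" mamori:/etc/nginx/ssl/nginx.key
    docker exec mamori sv restart nginx
}

# Usage: install_cert new.crt new.key
```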


Hardening Check List

Ensure all items are completed before deploying to production.

Steps

Step 1 - Disable the bootstrap Mamori admin account

Step 2 - Enable the Mamori server firewall and open only used ports

Step 3 - Enforce 2FA for all logins

Step 4 - Execute the hardening guide for your Mamori server OS.
Click for basic hardening guide

Updated at Fri, Jul 7, 2023