Web Console

Overview


Use this access method if you want to

  • Provide remote or internal web access to resources (RDP, SSH, HTTP/S, DB & Secrets)
  • Provide multi-factor access to resources
  • Provide role-based access to resources
  • Provide on-demand access to resources
  • Provide 3rd party access to resources without VPN access
  • Provide database access without use of DBA database tools
  • Record/audit RDP, SSH, HTTP/S, DB sessions & secrets access
  • Protect admin access to devices like routers & switches


The Mamori web console is what administrators use to manage the Mamori server configuration and also what end users use to access their resources.

From the web console a non-admin user can

  • See active permissions
  • Request and endorse on-demand resources and policies
  • Connect to RDP, SSH, and HTTP/S resources
  • Access the secret vault
  • Run database commands in the Web SQL editor

Additionally administrators can

  • Configure the Mamori server
  • View logs
  • View monitoring dashboards

For remote access to the Mamori web console

  • Open TCP port 443 on your Mamori server's firewall
  • Forward TCP port 443 from your public firewall to the Mamori server



Web Console Access Security Layers


Enabling Modules

The web console menus will change based on the enabled modules.

To enable/disable modules do the following

Click Server Settings > General

Scroll to the module section and enable the desired module(s) relevant to the web console access

  • Database Access Controls (DBPAM)
  • Data Privacy Controls
  • SSH Access Management
  • Remote Desktop Access Management
  • Application Access Management
  • Secret Management



Configuration Steps

Prerequisites - Completed Common Configuration

If on-demand resources are going to be used

Step 1 - Configure Mamori data sources & datasource credentials

Step 2 - Configure Data Access Policies

Step 3 - Configure SSH, RDP, HTTP/S and secrets

Step 4 - Lock down service accounts that will not be multi-factored




Manage Datasources

Add Datasources

Prerequisites

Ensure the appropriate drivers are installed

Click Datasources

Click

Next, edit the datasource details

Field                 | Description
Datasource Name       | The reference for this datasource. This is the database name shown in SQL tools.
Datasource Type       | The datasource type
Datasource Group      | Set if you are going to push down DB credentials via Mamori. For example, create SOMEUSER with these grants on all databases in this group.
Driver                | Defaults to the driver for the datasource type
Connection Details    | Enter the database connection information
Credential Reset Days | Converts the credential to a managed credential that is reset every X days (see the note below)
Credential Role       | (Optional) The role that is linked to this managed credential

The periodically generated password uses mixed case text, numbers and punctuation and has a maximum length of what is allowable by the database. An example password is '8jh{IW}Dp#6cPPq2#6A}aoS.R(7t4}P'.

Important! This credential can't be retrieved once it is Mamori managed.

Click Save


The credential used to create the datasource needs minimal permissions. It is only used to periodically check if the datasource is available.

Typically only ad-hoc user database connections are routed through Mamori. Application traffic is only routed through the Mamori server to implement global masking rules or apply SQL injection prevention policies.

If this is required for a critical application, then have one HA Mamori server for the application traffic and another for the ad-hoc traffic.

Special Datasource Instructions

Oracle Datasources

Drivers supported for datasource creation

Driver                               | Oracle Versions      | JDBC Spec | JDK
ojdbc6.jar (11.2.0.4), pre-installed | 7 to 21c             | 4.0       | JDK 8, 11 & 17
ojdbc10.jar (19.18.0.0)              | 21c, 19c, 18c & 12.2 | 4.3       | JDK 11-17
ojdbc8.jar (19.18.0.0)               | 21c, 19c, 18c & 12.2 | 4.2       | JDK 8, 11 & 17

Connection String for Oracle RAC

If the target database is RAC or requires other special TNS options, then enter the TNS entry in the datasource Advanced > Connection String field.

jdbc:oracle:thin:@(DESCRIPTION= ... (LOAD_BALANCE=yes)...)

Mongo Datasource - If creating a mongo datasource, the authSource db and tls settings can be passed in under the advanced settings using either the Connection Properties:

authSource=admin;tls=true

or the Connection URL Suffix:

&authSource=admin&tls=true

MySQL 8 Datasource - For MySQL driver version 8 and a DB server without SSL, add the following to the datasource connection string properties.

useSSL=false

Azure Synapse - Dedicated Pool & Serverless

Microsoft Azure Synapse warehouse does not support the sys.sysdepends system view. To disable the lookup set the following property.

supportsObjectDependencies=false

Manage DB Credentials

Any number of credentials can be added to a datasource and then mapped to users and roles. End user connections will use the mapped credentials.

End users will use their identity logins to access databases, which means they will never have or require access to the actual database credentials.

Add Credential

Prerequisites

Added a datasource

Click Datasources

Select the target datasource and click

Click Manage Credentials

Click Add Credential

Next, set the credential details

Field                 | Description
Username              | The database login
Password              | The database login password
Credential Reset Days | Converts the credential to a managed credential that is reset every X days (see the note below)

The periodically generated password uses mixed case text, numbers and punctuation and has a maximum length of what is allowable by the database. An example password is '8jh{IW}Dp#6cPPq2#6A}aoS.R(7t4}P'.

Important! This credential can't be retrieved once it is Mamori managed.

Click Validate

Click Save
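As an added illustration of the managed-credential password rules described above (mixed case, numbers, punctuation, length capped by what the database allows), here is a generator and a checker in Python. This is not Mamori's own implementation; the punctuation alphabet and the per-database length cap passed in are assumptions.

```python
import secrets
import string

# Character classes the rotated password draws from, per the page's description
# (mixed case text, numbers and punctuation). Assumption: Mamori's exact
# punctuation alphabet is not documented here, so string.punctuation is used.
CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation,
)


def generate_managed_password(max_length: int) -> str:
    """Return a rotation password no longer than the database's maximum.

    Every class is guaranteed to appear at least once, and the password is
    filled to max_length because a managed credential is never typed by a
    person, so there is no reason to use less than the database allows.
    """
    if max_length < len(CLASSES):
        raise ValueError(f"max_length must be at least {len(CLASSES)}")
    # One guaranteed character per class, then fill from the combined alphabet.
    chars = [secrets.choice(cls) for cls in CLASSES]
    alphabet = "".join(CLASSES)
    chars += [secrets.choice(alphabet) for _ in range(max_length - len(chars))]
    # Shuffle with the OS CSPRNG so the class positions are not predictable.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def meets_policy(password: str, max_length: int) -> bool:
    """Check the stated constraints: every class present, within the DB length cap."""
    within_cap = 0 < len(password) <= max_length
    has_all_classes = all(any(c in cls for c in password) for cls in CLASSES)
    return within_cap and has_all_classes
```

The page's sample password is 31 characters long, so `meets_policy` rejects it for a database whose cap is 30 and accepts it for one whose cap is 32.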



Manage Data Access Policies

To configure database access via the web console or proxies a user needs

  • Permission on a datasource credential
  • A session passthrough mode permission

    Passthrough Mode      | Description
    PASSTHROUGH           | Applies connection policies, but does not apply statement, session or data policies.
    MASKED PASSTHROUGH    | Applies connection, session & statement policies. Allows statements that can't be analyzed.
    PROTECTED PASSTHROUGH | Same as MASKED PASSTHROUGH, but blocks all unregistered statements that can't be analyzed.

  • At least SELECT permission on an object
  • For native DB tool access, grant the DB object permissions the tools require
      • CALL, EXECUTE SQL BLOCK, EXECUTE DYNAMIC SQL
      • SELECT on the respective catalogs, e.g. SYS & SYSTEM for Oracle
  • For WebSQL access, grant the Mamori permissions
      • WEB SQL EDITOR - Enables WebSQL Editor access
      • WEB EXPORT DATA - Enables data extract from the WebSQL Editor
      • WEB AUTO COMMIT - Enables the WebSQL auto-commit toggle button. By default WebSQL sessions are auto-commit = false.

Mamori can't provide permissions that the database credential doesn't have. For example, if the database credential assigned to the user doesn't have EXECUTE DYNAMIC SQL, then the statement will fail even if you grant it in Mamori.

Mamori allows you to micro-segment a database credential's existing permissions. It can't add additional ones.

The built-in default DB resource policy grants all the appropriate permissions; however, if you want to provision permanent access then grant them to a role or user.

Provision Access

Follow the steps below to manually grant permanent or temporary database access to a user or role.

Prerequisites

Add the credentials to the default_database_credentials role

  • Click Roles
  • Double click on the default_database_credentials role to edit it
  • Click Database & Data Access > Credentials
  • Click Add Credential and select the data source
  • Select an existing credential or enter the details for a new one
  • Click Add

Assign default_database_credentials to a user

  • Click Roles
  • Find default_database_credentials in the grid and click
  • Click Manage Assigned Users
  • For time-limited grants, toggle the advanced options
  • Click on the user to add or remove the grant

Assign default_database_access_ro to a user

  • Click Roles
  • Find default_database_access_ro in the grid and click
  • Click Manage Assigned Users
  • For time-limited grants, toggle the advanced options
  • Click on the user to add or remove the grant

The user will now be able to access the granted databases via WebSQL and the database proxies.

Manage On-Demand Access

Manage who has access to request a credential@datasource combination.

Prerequisites

Added a datasource & credential

Click Datasources

Select the target datasource and click

Click Manage Request Grants

Click Add Request Grant

Next, set the form details

Field                  | Description
Grantee Type           | User or Role
Grantee                | A role, a Mamori user or an external directory user
Mamori Resource Policy | Select a DB resource policy. The grant will fail otherwise.
Credential             | The credential that will be granted via this request
Description            | The description that the user will see when making a request

Click Save

The user will see the datasource in the request resources grid


Manage Remote Desktops

To provision access to RDP or VDI on a Windows server, configure a remote desktop login and grant it to a user or role.

Remote desktop sessions have 3 possible authentication modes

Authentication Mode | Authentication Flow                                                                       | Login Recorded
OS Authenticated    | User is multi-factored. User is challenged with the standard Windows login.               | Yes
Mamori Prompt       | User is challenged with a web RDP login prompt. User is multi-factored.                   | No
No Prompt           | User is multi-factored. User is automatically logged in with a pre-configured credential. | No

Recorded RDP sessions are only available from the Mamori web portal.

Connecting via a native RDP client using the ZTNA solution will apply 2FA to and record the TCP access, but it will not record the RDP session.

Create

Click Remote Desktops

Click

Click the GENERAL tab

Set the properties

Field                                    | Description
Connection Name                          | Your reference for the remote desktop session
Hostname                                 | Target server
Port                                     | Target server port. Defaults to 3389
Remote Username                          | OS login name
Remote Password                          | OS login password
Remote Domain                            | OS login domain
Security                                 | Server session authentication mode. Defaults to Any
Ignore TLS certificate validation errors | Defaults to true
Connect to system console                | Defaults to false

Click the FILE SHARING tab

Set the properties

Field               | Description
Enable file sharing | CTRL-SHIFT-ALT will display the file sharing menu. Defaults to false
Disable download    | Disables the download button. Defaults to false
Disable upload      | Disables the upload button. Defaults to false
Drive name          | Name of the mapped temporary drive. Defaults to Shared

Click the ADVANCED tab

Set the properties

Field                       | Description
Fill browser window         | Scales the RDP session to the browser window
Width                       | Defaults to 1024
Height                      | Defaults to 768
DPI                         | Defaults to 96
Clipboard Mode              | Mode for copy/paste from the clipboard
Disable Clipboard Copy      | Defaults to false
Disable Clipboard Paste     | Defaults to false
Server Keyboard Layout      | Session keyboard layout
Remote Application Settings | Selection option for a VDI application. The RDP Application Service must be enabled on the server
Visuals                     | Font Smoothing, Theming, Fill Window Drag & Lossless compression

Click OK



Manual Grant

  • Click Remote Desktops
  • Find the desired desktop definition in the grid and click
  • Click Manage Assigned Users or Manage Assigned Roles
  • For time-limited grants, toggle the advanced options
  • Click on the grantee to add or remove the grant

Setup On-Demand

  • Click Remote Desktops
  • Find the desired desktop definition in the grid and click
  • Click Manage Request Grants
  • Click Add Grant
  • Enter the grant information
  • Click Save



Connecting

To connect to a remote desktop

  • Login to the Mamori portal
  • Click Remote Desktops
  • Find the remote desktop you want to access
  • Click the Connect button on the target desktop

Manage SSH

To provision access to a Linux server, configure an SSH login and grant it to a user or role.

SSH sessions have 3 possible authentication modes

Authentication Mode | Access Method          | Authentication Flow
Public Key          | SSH Proxy, Web Console | SSH session is launched with a pre-configured key. User is multi-factored.
Enter Credentials   | Web Console            | SSH session is launched with pre-configured credentials. User is multi-factored.
Login Prompt        | Web Console            | User is multi-factored. Linux login prompt presented.

Recorded SSH sessions are only available from the Mamori web portal and via the SSH Proxy.

Connecting via a native SSH client using the ZTNA solution will apply 2FA to and record the TCP access, but it will not record the SSH session.

Create

Click SSH Logins

Click

Set the properties

Field               | Description
Connection Name     | Your reference for the resource
Hostname            | Target server name or IP address
Port                | Target server port. Defaults to 22
Authentication Mode | How to authenticate the user
Theme               | The terminal's color theme

Click Save



Manual Grant

  • Click SSH Logins
  • Find the SSH Login in the grid and click
  • Click Manage Assigned Users or Manage Assigned Roles
  • For time-limited grants, toggle the advanced options
  • Click on the grantee to add or remove the grant

Setup On-Demand

  • Click SSH Logins
  • Find the SSH Login in the grid and click
  • Click Manage Request Grants
  • Click Add Grant
  • Enter the grant information
  • Click Save



Connecting

To connect to a Linux server

  • Login to the Mamori portal
  • Click SSH Logins
  • Find the SSH Login you want to access
  • Click the Connect button

Manage HTTP/S

To provision access to a web service configure a web resource and grant it to a user or role.

Web resources currently do not have authentication modes, but that is coming soon.

HTTP sessions are always recorded. HTTPS sessions are only recorded if the certificates for the target site are provided. SSL does not permit decryption without the appropriate private key and certificate.

Web sessions launched for URLs that are excluded from the PAC script are not recorded.

Create

Click HTTP Resources

Click

Set the properties

Field            | Description
Resource Name    | Your reference for the resource
URL              | Target URL
Exclude from PAC | If the URL is excluded, Mamori will launch the site but its traffic will not go through the proxy.
Description      | Your description for the resource

Click Save



Manual Grant

  • Click HTTP Resources
  • Find the resource in the grid and click
  • Click Manage Assigned Users or Manage Assigned Roles
  • For time-limited grants, toggle the advanced options
  • Click on the grantee to add or remove the grant

Setup On-Demand

  • Click HTTP Resources
  • Find the resource in the grid and click
  • Click Manage Request Grants
  • Click Add Grant
  • Enter the grant information
  • Click Save



Connecting

To connect to a web resource

  • Login to the Mamori portal
  • Click HTTP Resources
  • Find the resource you want to access
  • Click the Connect button

Users can also just enter the URL in the browser.


Manage Secrets

Mamori allows you to store binary (file) or text secrets. Access to a secret can then be provided via a direct grant, a role or as an on-demand resource.

To provision access to a secret, configure a secret resource and grant it to a user or role.

Secrets are any string or binary data that you would like to store and provision access to. If you need to store SSH or other encryption keys, see the Manage Keys page instead.

Create

Click Secrets

Click

Set the properties

Field | Description
Name  | Your reference for the resource
Type  | Secret, Multi-Secret or File

Common fields

Field           | Description
Username        |
Host            |
Protocol        | Secret type
Secret          | Secret value
Expires At      | Datetime of when this secret expires, YYYY-MM-DD HH24:MM:SS
Expiry Alert At | Datetime of the alert prior to expiry
Expiry Alert    | The alert to trigger
Description     | Your description for the resource

Multi-Secret field

Field   | Description
Secrets | Select the secrets the multi-secret combines

File field

Field  | Description
Secret | Select the file (ASCII or binary) that contains the secret

Click Save



Manual Grant

  • Click Secrets
  • Find the resource in the grid and click
  • Click Manage Assigned Users or Manage Assigned Roles
  • For time-limited grants, toggle the advanced options
  • Click on the grantee to add or remove the grant

Setup On-Demand

  • Click Secrets
  • Find the resource in the grid and click
  • Click Manage Request Grants
  • Click Add Grant
  • Enter the grant information
  • Click Save



Connecting

To access a secret

  • Login to the Mamori portal
  • Click Secrets
  • Find the resource you want to access
  • Click the Connect button


Updated at Wed, Mar 13, 2024