UseCase1_InstallingPAMAgent - sandersdHES/PAMEmergingTech GitHub Wiki

6.1 Installing PAM Agent

What is PAM360 Agent ?

The PAM360 Agent is designed for systems that:

  • Do not have direct connectivity to the PAM360 server (e.g., behind firewalls or in isolated subnets)

  • Require secure communication using HTTPS

  • Need to perform credential rotation or remote actions without VPN or domain admin access

It supports both Windows and Linux platforms and enables a certificate-based trust model.

Official Documentation - PAM360 Agent

Objective

This use case demonstrates how to securely install and configure the PAM360 Agent to connect systems in isolated networks (e.g., DMZ, remote branch offices) with the PAM360 server, enabling remote password management and credential rotation over secure HTTPS.

Context

In our PAM360 project setup, we used an isolated virtual machine as the test environment for the PAM Agent installation. The agent VM had no direct access to the PAM360 server subnet, mimicking a real-world DMZ or branch-office scenario. This allowed us to test agent registration, secure certificate-based trust, and the ability to push credential operations remotely.

Prerequisites

  • PAM360 server is running and reachable via HTTPS from the agent VM (outbound).
  • PAM360 server SSL certificate available for import.
  • Agent installer downloaded from the PAM360 server UI.
  • Administrative rights on the agent machine (Windows/Linux).
  • Agent hostname configured to match the SSL certificate (or subject alternative name).

Step 1: Open PAM360 Web UI in a browser on the agent VM:

`https://<PAM360-IP>:8282`

Step 2: Export the Server SSL Certificate

  1. Click the padlock icon in the browser’s address bar
  2. Select View Certificate > Details > Copy to File
  3. Export the file as a .cer certificate (Base-64 encoded X.509 (.CER))

Step 3: Import the certificate into the agent VM

Open certmgr.msc on the agent machine and import the .cer file into the Trusted Root Certification Authorities store.

This establishes trust for outbound HTTPS communication between agent and server.

Step 4: Run the PAM360 Agent installer

  • Ensure you use the host name that matches the certificate subject (e.g. pam360.company.local)
  • Set SSL Certificate Installed = Yes
  • Use the Agent Key from the PAM360 Web UI under Admin β†’ PAM360 Agent

image.png

image.png

image.png

Step 7: Verify Agent Registration

After successful installation

  • The agent should appear under Admin β†’ PAM360 Agent with status "Connected".
  • You can now assign password reset tasks or perform remote actions on the target system.

Verifying pam agent into PAM360 console

image.png

image.png

image.png

Conclusion

The PAM360 Agent provides a secure and efficient way to manage remote or isolated systems, such as:

  • Servers in DMZ networks

  • Branch office systems

  • Machines without direct PAM360 server access

Using outbound HTTPS communication, the agent eliminates the need for VPN tunnels or domain-level trust. It supports both Windows and Linux systems, offers certificate-based trust, and enables auditable password management even in segmented infrastructures.

This makes it a vital component in any Zero Trust architecture involving privileged access in decentralized environments.

πŸ›‘οΈ Privileged Access Management (PAM360) & Admin Bastion Project
πŸ” Built with a focus on Zero Trust, credential security, and hands-on Azure lab architecture.
🧠 Created as part of the 2025 Emerging Technologies module at HES-SO.

πŸ‘¨β€πŸ’» Dylan Sanderson    πŸ‘¨β€πŸ’» Johann Von Roten    πŸ‘¨β€πŸ’» Maxime Bossi    πŸ‘©β€πŸ’» Nadja LΓΆtscher
πŸ“š Explore the Wiki β€’ πŸ“§ Contact us via GitHub if you have questions!

⚠️ **GitHub.com Fallback** ⚠️