Skip to content

Installation and Implementation Guide

Info

The document is available at here.

This document serves as a comprehensive guide for partners, technical stakeholders, and other professionals seeking to understand, implement, or optimize our solutions. It provides detailed information and best practices tailored for our two deployment models: on-premises and hybrid.

The content is designed to assist in planning, deploying, and maintaining these systems, ensuring seamless integration and operational efficiency. Whether you are a partner aiming to support end-users or a technical lead managing deployments, this document is crafted to address your and facilitate successful outcomes.

About Excalibur

At Excalibur, we lead by disruption, delivering a seamlessly integrated Privileged Access Management (PAM) and Multi-Factor Authentication (MFA) solution that is secure-by-design, easy to use, cost-effective, phone-centric and passwordless. 

Inspired by the legendary sword, with Excalibur the access to the “kingdom” is granted only to the rightful and chosen ones—eliminating unauthorized access with a zero-trust, identity-first approach.

Excalibur transforms the user’s smartphone to act as a secure hardware token, seamlessly replacing outdated authentication methods with a strong MFA solution.

Our ultimate goal is to move all forms of authentication and authorization away from passwords, replacing them easily with smartphone-based, strong but user-friendly, MFA and PAM.

And with every authentication, access request and action being cryptographically tied to the user, Excalibur ensures that only the rightful ones gain access to an organization’s most critical resources.

Pre-Requisites

To ensure a successful implementation of the Excalibur authentication system, the following prerequisites must be met. These requirements are designed to support high availability (HA), security, and seamless integration within your infrastructure.

Access Requirements

Administrator privileges are required on the application server to install and configure Excalibur.

Read and write permissions for target directories where the application and logs will be stored.

Licensing

On-Premises Deployment: Requires a valid license key, license file and token to download container images provided at purchase. The key and file must be applied during initial configuration.

Hybrid Deployment: Subscription-based licensing model. Ensure that the subscription details are available prior to deployment. Token to download container images will be provided as well.

Cloud

Access to targets: Proper network access and routing are required to reach designated PAM targets.

LDAP/LDAPS Access: Validate that the application server has connectivity to the Identity Management System using LDAP or LDAPS protocols.

On Premise

Cluster Setup: Ensure an OpenShift, Kubernetes (including k3s), Kubernetes as a Service, or OKD cluster is operational and running - needed only for high availability configurations. In non-HA deployments Docker engine running on Linux based OS (RHEL, CentOS, Ubuntu, …) is sufficient.

DNS Configuration: A public DNS A record must be configured and resolvable for the application server.1

HTTPS Port: Port 443 must be accessible from external networks for secure communication.1

SSL Certificate: Obtain and apply a commercial SSL certificate or one issued by a trusted CA. Ensure the certificate’s validity does not exceed 398 days to comply with iOS restrictions. Make sure that root CA certificate is trusted on mobile devices.

LDAP/LDAPS Access: Validate that the application server has connectivity to the Identity Management System using LDAP or LDAPS protocols.

Identity Management System: Confirm that Active Directory (AD) is available and accessible for integration. Create an appropriate service account to integrate Excalibur Application server with Active Directory.

SMTP Configuration: Ensure access to the mail server using the configured SMTP credentials.

Additional Requirements: Verify hardware and software prerequisites like CPU, RAM, storage and OS (See below). Confirm network bandwidth and connectivity.

System Requirements

Single node deployment requirements

  • CPU: 8 cores recommended for single node configurations.
  • RAM: Minimum 16 GB
  • Storage: Minimum 200 GB of available storage for installation, logs, application database and session recordings.
  • Operating Systems: Linux, Ubuntu, CentOS, Red Hat, Docker Engine

High Availability deployment requirements

  • CPU: 20 cores recommended for single node configurations.
  • RAM: Minimum 24 GB
  • Storage: Minimum 200 GB of available storage for installation and logs.
  • Operating Systems: Linux based Kubernetes (including k3s) / OpenShift / OKD or Kubernetes as a Service (AKS, GKE, EKS)

Architecture Overview

Excalibur leverages containerized deployments to provide flexibility and simplicity. By utilizing technologies like Docker for single-node deployments, the platform ensures rapid and straightforward setup. For high availability (HA), Excalibur relies on Kubernetes-based clusters (including k3s), offering robust and scalable environments that meet the demands of enterprise workloads.

Figure 1. Recommended Single Node Deployment Architecture

Figure 2. Recommended Hybrid Deployment Architecture

Supported Kubernetes Services for HA

To enhance scalability and reliability, Excalibur integrates seamlessly with major cloud-based Kubernetes services:

  • Azure Kubernetes Services (AKS)
  • Google Kubernetes Engine (GKE)
  • Amazon Elastic Kubernetes Services (EKS)

These managed Kubernetes platforms provide operational simplicity and ensure the platform can scale to meet evolving business needs.

Kubernetes and OpenShift

Both Kubernetes (including k3s) and OpenShift are supported as deployment environments, offering multitenancy features critical for managing diverse user bases. This contrasts with Docker, which does not support multitenancy but remains a valuable tool for simpler, non-clustered deployments.

Excalibur ensures that organizations can choose the deployment model that best suits their specific use case.

Multi-tenancy and Application Flexibility

Excalibur’s multitenancy architecture ensures that each tenant operates within a dedicated user interface, isolating their data and processes for enhanced security and customization. Key features include:

  • Dedicated Application Components: Each tenant utilizes its own set of selected application components, ensuring flexibility in deployment and configuration.
  • Scalable Design: The platform is designed to grow alongside enterprise needs, allowing seamless onboarding of additional tenants without compromising performance or security.

Flexibility and Scalability

Excalibur stands out as a flexible and scalable solution for enterprises of all sizes. Its modular architecture allows organizations to adopt the platform in stages, starting with Docker-based setups and scaling up to full Kubernetes (including k3s) or OpenShift clusters as needs evolve. This adaptability ensures that Excalibur can meet the requirements of small teams as well as large, globally distributed enterprises.

Key Benefits

  • Rapid Deployment: The platform’s containerized design enables quick setup using Docker or Kubernetes.
  • High Availability: Clustering through Kubernetes (including k3s) or OpenShift ensures resilience and minimizes downtime.
  • Cloud-Native Compatibility: Excalibur integrates seamlessly with major cloud providers, making it easy to deploy in hybrid or multi-cloud environments.
  • Tenant Isolation: Multitenancy provides each tenant with isolated environments, enhancing both security and configurability.

Excalibur Tunnel Architecture overview

Figure 3.1. Overview

Figure 3.2. Authentication

Figure 3. Excalibur Tunnel overview

The Excalibur Tunnel Client is a key component of the Excalibur Tunnel technology, designed to securely connect local networks to the Excalibur Cloud. This enables seamless access to SAM (Streamed Access Management) resources hosted in local networks from the cloud-hosted Excalibur environment.

It provides a secure and reliable connection between your local network and the Excalibur Cloud, leveraging mutual TLS (mTLS) for authentication and encryption to ensure that your data is always protected. The client is built with a focus on security, reliability, and ease of use, making it suitable for both developers and system administrators. Its simple installation and configuration process ensure a smooth user experience.

Key Takeaways

Excalibur’s innovative use of containerization and its ability to scale across Kubernetes (including k3s) and OpenShift clusters make it a standout solution for modern security challenges. Whether you need a simple deployment for a small team or a robust, high-availability setup for a global enterprise, Excalibur delivers the flexibility, scalability, and security required in today’s complex IT environments.

By supporting multitenancy and cloud-native technologies, Excalibur ensures that organizations can future-proof their security infrastructure with ease.

Before You Start

What is your primary environment for PAM deployment?

This section outlines various deployment strategies for Excalibur based on specific infrastructure requirements and organizational needs. It provides a decision-making framework to help partners determine the best approach for implementing PAM solutions across different environments, including on-premise servers, private clouds, hybrid setups, and Software as a Service (SaaS) models.

On-Premise Server

Do you require high availability (HA)?

  • Yes: Implement Excalibur’s high availability setup for on-premise servers, ensuring redundancy and fault tolerance to maintain continuous operations and minimize downtime. This requires an existing or newly deployed OpenShift, OKD, or Kubernetes (including k3s) cluster. Note: Other platforms are not supported for HA configurations.

  • No: Deploy Excalibur’s PAM solution on a single on-premise server, but ensure that robust backup and recovery plans are in place to safeguard against data loss. A single Docker node deployment is preferred for this configuration.

Private Cloud

Do you need scalability for a growing infrastructure?

  • Yes: Choose Excalibur's scalable PAM solution, specifically built for private cloud environments. This will ensure seamless expansion as your infrastructure grows. We recommend leveraging an existing or newly deployed OpenShift, OKD, or Kubernetes (including k3s) cluster for optimal performance.

  • No: Deploy Excalibur’s standard PAM system, tailored to meet the specific needs of your current private cloud setup. This solution is designed for environments where scalability is not a primary concern. A single Docker node is ideal for this configuration.

Hybrid Environment

Which environment handles sensitive operations?

  • On-Premise: Deploy secure tunneling PAM components on-premise, while allowing primary modules to operate in the cloud. This ensures that sensitive operations are secured within your own infrastructure. One or more single docker node(s) are preferred.
  • Cloud: Implement a hybrid PAM setup with a primary focus on cloud-based PAM, ensuring seamless integration with on-premise systems for a cohesive security strategy.

Software as a Service (SaaS)

Are there regulatory or compliance concerns?

  • Yes: Choose an Excalibur SaaS offering for Privileged Access Management (PAM) that is fully compliant with relevant regulations, such as GDPR or NIS2. This ensures your organization meets legal requirements while effectively managing privileged access.

  • No: Leverage Excalibur’s SaaS PAM solution for its simplicity, ease of management, and minimal maintenance, allowing your team to focus on other critical areas without the overhead of complex infrastructure management.

In both scenarios One or more docker based Excalibur gateway(s) will be deployed in isolated networks.

Geographically distributed High Availability solution (HA)

Is your organization geographically distributed?

  • Yes: Implement Excalibur’s PAM system with geo-redundancy and failover mechanisms to ensure uninterrupted access management across multiple locations. For each individual branch subnet, Docker-based Excalibur gateways will be deployed to maintain seamless access control and operational resilience.

  • No: Deploy local High Availability (HA) PAM configuration using OpenShift/OKD/Kubernetes (including k3s) clusters to provide a reliable solution that meets your organization’s needs or consider the SaaS variant for ease of implementation and management.

Installation Steps

Deploying Excalibur’s system is a highly customizable process designed to adapt to the unique needs of each environment. To achieve a successful implementation, it is essential to conduct a detailed analysis of the existing infrastructure, operational requirements, and desired deployment type. This allows the partner to determine how, where, and what form of Excalibur PAM/MFA will be installed.

Partner-Led Analysis and Architecture Design

Before proceeding with installation, the environment should be evaluated to identify the most suitable architecture for the deployment. This includes determining whether the solution will be cloud-based, on-premises (perhaps using a full Kubernetes, k3s, or OpenShift cluster for HA, or Docker for single node), or hybrid, and designing the necessary infrastructure to support it. Key factors to address during this analysis include:

  • System Compatibility: Ensure the environment aligns with the prerequisites, such as public DNS records, SSL certificates, and LDAP/LDAPS integrations.

  • Scalability Needs: Plan for future growth, considering the ability to easily onboard new users or systems as needed.

  • Network and Security: Design secure communication channels including HTTPS and LDAP protocols to ensure robust security throughout the deployment.

Consultation and Validation

To ensure the proposed design aligns with Excalibur’s requirements, it is recommended to consult with Excalibur’s technical team. This collaborative process helps identify and resolve potential issues, ensuring that all prerequisites are met before implementation. By addressing any gaps early in the planning phase, the deployment process becomes smoother and quicker, reducing risks and helping to establish a secure environment.

Deployment Resources

Once the analysis is complete and the architecture validated, Excalibur provides all necessary resources for deployment, including:

  • Licenses: Appropriate licenses tailored to the chosen deployment type.
  • Installation Packages: Software packages for quick and efficient installation.
  • Documentation
  • Credentials: Access credentials for downloading container images required for containerized deployments.

Installation

To set up the environment, a few essentials are required. First, ensure you have obtained a GitHub Personal Access Token, which is required for accessing private repositories hosted on ghcr.io. Next, obtain the necessary manifests from Excalibur, whether for Docker, Kubernetes (including k3s), or OpenShift which define your application's configuration and deployment settings.

Info

Manifests for k3s would generally be the same as for standard Kubernetes.

Docker

Authorization to the repository where Docker images are stored is required to pull the necessary images. Access is granted by logging into ghcr.io using valid credentials, ensuring that all required containers can be downloaded for deployment.

docker login --username excalibur-enterprise --password provided-token ghcr.io

Preparing the .env file is essential for configuring the environment. This file contains key variables that define system behavior and connectivity. Example configuration:

EXC_ADMIN_USER=admin
EXC_ADMIN_EMAIL=admin@acme.com
EXC_CORE_CA_URL=https://ca.xclbr.com
EXC_SERVER_HOSTNAME=dev.xclbr.com

These values ensure proper authentication, email configuration, and connection to core services. Adjust them as needed based on your specific environment.

After preparing the .env file, you can start the deployment process by running the Docker Compose command with the specified environment file and configuration. This command downloads the necessary images and starts the containers in detached mode:

docker compose --env-file .env --file <filename>.yml up --detach

To verify that the containers are running, use the following command:

docker ps

The server setup can be accessed locally. For public access, additional steps like setting up a load balancer or reverse proxy may be needed. These steps ensure secure and efficient access from outside your local network.

OpenShift Deployment

Create the OpenShift Project. Replace <project_name> with your project name:

oc new-project <project_name>

Create a ConfigMap to store non-sensitive environment variables required for the deployment. Customize the values for EXC_ADMIN_USER, EXC_ADMIN_EMAIL, EXC_CORE_CA_URL, and EXC_SERVER_HOSTNAME based on your environment:

oc create configmap environment-variables --from-literal=EXC_ADMIN_USER=admin --from-literal=EXC_ADMIN_EMAIL=admin@acme.com --from-literal=EXC_CORE_CA_URL=https://ca.xclbr.com --from-literal=EXC_SERVER_HOSTNAME=dev.xclbr.local

Create a secret to store the root database password securely. Replace <db-root-pwd> with your actual secure password. Create another secret to store the Grafana administrator credentials. Replace <root-pwd> with your secure password.

oc create secret generic database-root --from-literal=password=<db-root-pwd>
oc create secret generic grafana-admin --from-literal=password=<root-pwd>

Create a Docker registry secret to authenticate with your container registry. Replace <github_pat> with provided GitHub Personal Access Token and customize other fields as necessary.

oc create secret docker-registry ghcr-auth --docker-server=ghcr.io --docker-username=excalibur-enterprise --docker-password=<github_pat> --docker-email=""

Create a service account for managing permissions. Replace <serviceaccount> with the desired name of the service account.

oc create serviceaccount <serviceaccount>
oc adm policy add-role-to-user admin -z <serviceaccount>

Deploy the Excalibur product using the provided manifest file. Replace <filename>.yml with the name of the deployment file.

oc apply -f deploy/manifests/<filename>.yml

Check pod status:

oc get pods

If any pod is stuck in CrashLoopBackOff, manually restart it:

oc delete pod <pod_name>

Retrieve the proxy route URL:

oc get route proxy -o jsonpath={.spec.host}

Open the obtained URL in a browser to access the application and continue to part Server Setup.

Azure Kubernetes (k8s, k3s) deployment

This part provides the necessary steps to deploy the Excalibur product in an Azure Kubernetes environment, including distribution like k3s. Each command is explained to help you understand its purpose. At the end of the deployment, verify that all pods are running successfully.

Create a namespace to organize all the Kubernetes resources for the deployment. Replace <namespace> with the desired name for your namespace.

kubectl create namespace <namespace>

Create a ConfigMap to store non-sensitive environment variables required for the deployment. Customize the values for EXC_ADMIN_USER, EXC_ADMIN_EMAIL, EXC_CORE_CA_URL, and EXC_SERVER_HOSTNAME based on your environment:

kubectl create configmap environment-variables -n <namespace> --from-literal=EXC_ADMIN_USER=admin --from-literal=EXC_ADMIN_EMAIL=admin@xclbr.com --from-literal=EXC_CORE_CA_URL=https://ca.xclbr.com --from-literal=EXC_SERVER_HOSTNAME=dev.xclbr.local

Create a secret to store the root database password securely. Replace <db-root-pwd> with your actual secure password.

kubectl create secret generic database-root -n <namespace> --from-literal=password=<db-root-pwd>

Create another secret to store the Grafana administrator credentials. Replace <root-pwd> with your secure password.

kubectl create secret generic grafana-admin -n <namespace> --from-literal=password=<root-pwd>

Create a Docker registry secret to authenticate with your container registry. Replace <GITHUB_PAT> with provided GitHub Personal Access Token and customize other fields as necessary.

kubectl create secret docker-registry ghcr-auth -n <namespace> --docker-server=ghcr.io --docker-username=excalibur-enterprise --docker-password=<GITHUB_PAT> --docker-email=""

Create a secret for Google API credentials. Replace the file path deploy/google/play-integrity-api.key with the location of your private key file.

kubectl create secret generic google-credentials -n <namespace> --from-literal=client_email='play-integrity-api@excalibur-enterprise-apps.iam.gserviceaccount.com' --from-file=private_key=deploy/google/play-integrity-api.key

Create a service account for managing permissions in Kubernetes. Replace <serviceaccount> with the desired name of the service account.

kubectl create serviceaccount <serviceaccount> -n <namespace>

Bind the service account to the admin role in the namespace, allowing it to manage all resources. Replace <serviceaccount> and <namespace> as appropriate.

kubectl create rolebinding <serviceaccount>-admin-binding -n <namespace> --role=admin --serviceaccount=<namespace>:<serviceaccount>

Deploy the Excalibur product using the provided manifest file. Replace <filename>.yml with the name of the deployment file.

kubectl apply -f deploy/manifests/<filename>.yml

Once all the commands have been executed, check the status of the pods to ensure the deployment is successful. All pods should show the Running status. Use the following command:

kubectl get pods -n <namespace>

If any pods are not running or show errors, inspect the logs and configurations to troubleshoot. This concludes the deployment process.

Open https://<your-instance-fqdn>/setup in a browser to access the application and continue to part Server Setup.

Server Setup

The initial Setup Guide accompanies the future System Administrator through the initial setup of the Excalibur system after installation. In this process, in addition to the initial configuration of the system, the first user - the System Administrator - is also registered. The steps in the setup guide on the "Excalibur Deployment Setup" screen follow each other, and you can only go to the next one after the previous one has been successfully completed.

For the initial configuration in the Setup Guide, the future System Administrator will need:

  • License key and License file
  • Dashboard publishing address, use a fully qualified domain name (FQDN)
  • Own SMTP server
  • Access to the email address of the System Administrator
  • Identity Store - Active Directory (AD) with the identity of the System Administrator
  • System Administrator identity credentials in the Identity Store (AD)
  • Excalibur mobile application (token)

Setup Guide steps

License

The screenshot illustrates a simple process for entering a license file and license key. The administrator can drag and drop the .lic file from their computer into a designated area on the screen. Below this area, there is a text box where you can manually input the license key, consisting of the format AAAAA-BBBBB-CCCCC-DDDDD-EEEEE (5 groups of 5 alphanumerical characters separated by a hyphen). After filling in all parts of the license key, the administrator can click a button labeled "NEXT" to validate the license.

Figure 4. Excalibur Deployment Setup: License

Server setup

In this step, the Dashboard URL is configured - the address on which the web application of the Information Panel (Dashboard) will be published (use a FQDN): <your-instance>.<your.domain>.com

Figure 5. Server setup: Enter the Dashboard URL and press the “Next” button.

SMTP Setup

In this step, the own SMTP server is configured, which ensures communication with users in various situations, such as sending invitations to future users.

Info

In the Setup Wizard, the SMTP setup step is optional. Users can skip this step during deployment and complete the SMTP configuration later, after the deployment is finished.

Info

Make sure that the selected SMTP server has the ability to send email communication to end users in their public or private domain - it is not blocked and its communication is ideally whitelisted by the end mail server, or has an exception in the (spam) filters of the end user's mail system.

Settings categories: General, Network, Authentication, Verification.

General

Sender email - choose the sender's email address (FROM) from which emails will be sent from the Excalibur system.

Network

Host and Port - enter address and port on which the SMTP server is available.

Authentication

Username and Password - enter authentication data against the SMTP server.

Verification

Administrator email address - enter and repeat the administrator email address to which an email will be sent for verification of email access and registration of the System Administrator.

Figure 6. SMTP Setup: Enter the configuration data of the SMTP server and press the "Next" button.

Info

To keep your communication secure and prevent interception, email tampering, or spoofing, always use a secure SMTP server with STARTTLS or SMTPS. Ensure access to the SMTP server is authenticated, such as through SASL, to prevent misuse. Since SMTP doesn't include these security features by default, using a server that supports them is essential for safely using the Excalibur system. NTLM Authentication method is not supported

Email verification

To verify the System Administrator's email, which was entered in the previous step, this address verification code with limited time validity will be sent.

Figure 7. Email verification: Email with a verification code.

In this step, enter the verification code from the email.

Figure 8. Email verification: Enter the verification code from the email and press the "Next" button.

Identity Store Setup

In this step, the primary identity source (Identity Store) of future Excalibur system users is set, including the identity of the first user - the System Administrator.

Settings categories: General, Network, Authentication.

Network

Use of TLS - the option to use a secure communication method with the identity source via the LDAP protocol.

Certificate - certificate issued by the certification authority for the identity source server and secure communication with it; the certificate can be entered in text form or uploaded as a file.

Host and Port - address and port on which the LDAP server is available.

Authentication

BaseDN, BindDN and Password - for correct access to the identity source using the LDAP protocol, enter these identification parameters and the password for accessing the server.

Figure 9. Identity Store Setup: Enter the Identity Store configuration data and press the “Next” button.

Deployment finalization

This step finalizes the initial setup of a new Excalibur deployment, which includes all the necessary steps to start using the system. This step consists of 2 parts:

1. The System Administrator enters his login data (AD credentials - username & password), which he used to log in to the set identity source. The entered login data of the user is subsequently verified against the source of identities.

Figure 10. Deployment finalization 1: Enter your login information and press the "Authenticate" button.

2. Upon successful authentication, the user will receive a unique registration QR code, which will register them in the Excalibur system as the first user - System Administrator.

Figure 11. Deployment finalization 2: Register via the mobile application by scanning the registration QR code and setting the authentication factors.*

Registration is a process that creates a unique link between the phone (identity) and the Excalibur server (company). Registration also includes the initialization of security factors (such as PIN, biometric factors and location). This step therefore requires the Excalibur mobile app to be installed.

The registration process is the same for all users of the Excalibur system. It is implemented as self-registration with a unique link with limited time validity from the email invitation from the System / Administrator, which refers to the registration form of the Excalibur dashboard.

The latter prompts the user to enter login data against the chosen source of identities in the organization and, after verification, issues a unique registration QR code with which the user registers via the Excalibur mobile application (token). After successful registration, the user is automatically logged into the system.

Figure 12. Invitation: Invitation email from the System Administrator

Configuration and Integration

Target Systems Onboarding

Manage PAM Targets, including editing configurations, removing targets, and starting sessions. Access an overview of all PAM targets with basic and detailed configuration information. The detailed view provides additional information, such as a list of users with access to each PAM target, session recordings, and Typescript files.

Excalibur PAM considers all sessions "privileged" and recorded by default. Every action performed by the user is cryptographically signed to confirm that it was performed by an authenticated user. The effect is that there is a continuous match of every user action (because every user action and user PAM session is recorded and cryptographically signed) with a strongly multi-factor authenticated identity. There is no ability to delegate access or claim it was another user.

Figure 13.PAM: Targets

You can add targets in two ways: manually or by importing a CSV file.

Add PAM Target manually

With manual entry, you can input target details directly into the system, making it a convenient option for adding individual targets or making quick changes.

Figure 14.PAM: Add PAM target manually

Figure 15.PAM: Add RDP PAM Target

Import PAM Targets from CSV file

For bulk additions, the CSV import feature allows you to upload multiple targets at once. A CSV template is available for download, ensuring the correct format is used.

Figure 16.PAM: Import PAM Targets from CSV file

Figure 17.PAM: Download Template step 1

Figure 18.PAM: Download Template step 2

After downloading the template, fill in the necessary details, save the file in CSV format, and upload it through the import section. Once uploaded, review the data and confirm the import to finalize the process.

Make sure the CSV file follows the required structure to prevent any import errors.

Policy Configuration

Through Security Policies, administrators can specify which users are granted access to specific PAM Targets, thereby establishing clear and enforceable access controls. This capability is crucial for maintaining security and ensuring that sensitive resources are only accessible to authorized individuals.

Administrators have the ability to view existing policies, as well as edit, remove, or create new policies as required. This flexibility allows organizations to respond effectively to changing security needs and to implement best practices in access governance.

By utilizing the tools available in the "Security Policies" section, organizations can ensure that their access management framework is robust, compliant, and aligned with their security objectives.

Rule Sets

This section is dedicated to listing all Rule Sets associated with the Security Policy. Users can efficiently manage these Rule Sets from this interface, allowing for streamlined oversight and adjustments as needed. This functionality ensures that organizations can maintain effective access controls and adapt their security measures in alignment with evolving requirements.

Figure 19. Security Policies: Rule Sets

Network Policy

This section allows users to view all network policies linked to the system tenant. It provides a comprehensive overview of the policies in place, facilitating better understanding and management of network configurations associated with the tenant. The System Administrator can choose which networks PAM targets can be distributed to.

Figure 20. Network Policies: List of all network policies associated with system tenant

Mobile Token Deployment

The Excalibur mobile app serves as a security token for password-free authentication. It uses your mobile phone to verify authentication factors such as location, PIN code, fingerprint, Face ID, etc.

In order to use Excalibur, you must first install the Excalibur mobile app. The application is available for free in the Play Store and App Store. Store links are available on https://getexcalibur.com, as well as on the email registration screen.

Invitations

List of all invited users in the system and management of their invitations. From this screen, it is possible to add and invite new users from the Identity Store, to monitor the status of invited and related information, or delete existing ones. Invited users are immediately available in the users section in the dashboard for managing them - assigning them to groups, PAM resources, etc.

Figure 21. Invitations: List of invitations

From here, the administrator can perform the following actions

  • Copy the invitation link to the clipboard
  • Reinvite a user
  • Delete an invitation

The administrator can also create a new invitation by clicking the "+" button in the bottom right corner. Then, select the Identity Store (refer to the Identity Store section for more details) where the user is located.

Figure 22. Invitations: Add invitation

Figure 23. Invitations: Choose Identity Store

Then, select a user and assign the appropriate role(s).

Figure 24. Invitations: Assign role(s) to the user

After making the selection, a notification will appear in the bottom left corner confirming that the invitation has been successfully sent.

Figure 25. Invitations: Successfully sent invitation

Roles

We cannot switch multitap roles. The person will always see the console with their highest role.

Administrator

Administrator Is the role with the highest privileges in an Excalibur system deployment. It is also the role of the first created and registered user. There must always be at least one System Administrator on the system. The System Administrator has access to the general settings of the entire deployment, as well as the creation and management of individual tenants and all roles. It has access to all tenants, including the System Tenant. In addition to these responsibilities, the System Administrator is also authorized to send invitations to new users, allowing them to join the system and access its features. This enables the System Administrator to manage user access and control the growth of the system's user base. The System Administrator's comprehensive privileges and capabilities make them the central authority for managing and maintaining the Excalibur system.

Auditor

This role is designed to provide oversight and transparency within the Excalibur system. This role is primarily focused on monitoring and reviewing activities without the ability to make any modifications or changes to the system settings or user configurations. Auditors have comprehensive visibility into all information, including user activities and system actions, ensuring that compliance and operational integrity are maintained. However, it is important to note that they do not possess the privileges to alter any configurations or settings within the application. This role is essential for organizations that require an independent review process to ensure adherence to policies and regulations while safeguarding the integrity of the system.

User

User is an Excalibur system end user role. The user has access only to the tenant environment to which it belongs and to the individual PAM resources assigned to the given user, or user group to which it belongs. This role provides limited access to the system, allowing users to perform tasks and access resources that are specifically assigned to them, while maintaining the security and integrity of the system. The User role is ideal for individuals who need to access specific resources and perform tasks within a controlled environment, without requiring administrative privileges.

Excalibur Tunnel Client

Overview

The Excalibur Tunnel Client creates an encrypted link between your local network and the Excalibur Cloud, giving you secure access to on-premises PAM resources. To set it up:

  • Install the Excalibur Tunnel Client on a machine inside your local network.
  • Activate the tunnel to establish a secure connection to Excalibur Cloud.

For more information, please refer to the public github repository: https://github.com/excalibur-enterprise/excalibur-tunnel-client/

Prerequisites

Before installing the Excalibur Tunnel Client, ensure your system meets the following requirements:

  • Operating System: Linux (Debian/Ubuntu or Red Hat/CentOS). Supporting for window is on development and will be soon available
  • Privileges: Administrative (sudo) privileges
  • Network: Connectivity to the Excalibur Cloud
  • Activation Code: Provided by Excalibur Enterprise

Install Excalibur Tunnel Client

Refer to the github repository for installing the Excalibur Tunnel Client, activating the connection, verifying the installation, deactivating the connection, uninstall the Excalibur Tunnel Client application: https://github.com/excalibur-enterprise/excalibur-tunnel-client/.

The user can also see the commands to run to establish the tunnel connection in the Excalibur Dashboard Web application of an administrator. Here is an example of commands to run

Figure 26. Excalibur Tunnel Client: Commands to run in Dashboard

Running Excalibur Tunnel Client in the command line with flag --help also shows some information about the possible parameters: sudo excalibur-tunnel --help

Figure 27. Running Excalibur Tunnel Client in the command line with flag --help

Validation and Testing

This section outlines how to test the key functionalities of the system to ensure that all components are working properly.

Verify Application Components

  • Access the system’s dashboard via a supported browser and ensure the login page/main interface loads correctly with no broken links or missing elements.
  • Navigate through sections to confirm responsiveness and accessibility.

Test Invitation Functionality

  • Send a sample invitation from the Invitations tab to a test email address.
  • Verify timely delivery, correct content, and that the link redirects to the correct registration page.

Check User Registration

  • Complete a test registration using the invitation link or directly through the web interface.
  • Confirm that the new user account is created and the system provides confirmation.

Test User Login

  • Log in to the system with a valid account to ensure proper login functionality.

Test PAM Target Addition

  • Add a new PAM target and confirm successful saving.
  • Test connection to the target to ensure interaction is possible.

End-to-End System Test

  • Perform a full cycle: invitation, registration, login, target addition, and interaction.
  • Monitor system logs for errors or unexpected behavior.

By following these steps, you can ensure that the system is functioning correctly and that all components are working as intended. Document any issues encountered during testing for further investigation and resolution.

Maintenance and Upgrades

Backup

Excalibur’s application includes a built-in module that performs database backups several times per day. It keeps 8 last hourly backups and 7 daily backups. This module is capable of backing up the application database, call recordings, session data, and transferred session files. Backups can be stored locally or on a mounted network drive. Each backup is encrypted. It is recommended that these backups are protected and managed through the customer’s own backup solution for additional security.

Maintenance

The application supports log export via the Syslog protocol, allowing logs to be processed and analyzed by a central log management system or a Security Information and Event Management (SIEM) solution.

Upgrades

For on-premises deployments, upgrades follow the same procedures as installation. Update packages incorporate all necessary upgrade mechanisms including automatic database migration. Updated manifests are provided by Excalibur and must be applied by the customer. For cloud deployments, updates are managed by Excalibur.

Troubleshooting

When troubleshooting issues, it is crucial to identify the root cause and gather all relevant information. Review system logs from the application, operating system, and network components to pinpoint errors or unusual behavior. Collect logs that contain specific details about the problem, which will assist in diagnostics

Error Characteristics

When diagnosing an issue, consider the following components:

  • User Role(s): The roles affected by the error and those that may be able to resolve it.
  • Source Component: The component where the error originates.
  • Destination Component: The component where the error is presented to the user.
  • Action(s): The specific actions that trigger the error.

Error Categories

Errors in Excalibur can be classified into the following categories:

User Action Errors

  • Description: Errors triggered by user actions, typically beginning on the Token.
  • Source Component: Any component involved in the user’s action.
  • Destination Component: Usually the Token where the action was initiated.

Administrative Action Errors

  • Description: Errors triggered by administrative actions, mostly in the Dashboard but occasionally on the admin's Token.
  • Source Component: Any component involved in the admin’s action.
  • Destination Component: Typically the Dashboard or Token (if the action was token-based).

Excalibur System Errors

  • Description: Errors triggered by internal issues within Excalibur’s components, networking, or platform interactions.
  • Source Component: Internal Excalibur component actions, interactions, or configurations.
  • Destination Component: These errors are logged on the server for review and generally cannot be resolved by the user.

Troubleshooting Steps

Identify the Type of Error

  • Determine if the error is related to User Action, Administrative Action, or an Excalibur System Error.
  • Review the Source Component and Destination Component to help pinpoint where the error originated and where it was presented.

Gather Relevant Information

  • Review System Logs: Check the application, operating system, and network logs for any errors or unusual behavior.
  • Look for Specific Details: Focus on logs that provide key information related to the issue.

Secure and Share Logs

  • Protect Sensitive Data: If necessary, password-protect logs containing sensitive information before sharing.
  • Provide Detailed Descriptions: Include a timeline of events and any relevant actions that may have led to the error. Share all logs and details with your partner or Excalibur’s support team for faster resolution.

Collaborate with Support

  • Share the collected information with your partner or Excalibur’s technical team to help expedite the resolution process.
  • Ensure that all required logs and context are included to facilitate quicker analysis.

Final Considerations

  • System Errors: These are typically non-resolvable by users and are logged on the server for review by Excalibur support.
  • Administrative Errors: If issues occur during installation or configuration, refer to the component-specific logs for direct error messages.

  1. When access to an application server is not required from the internet, private DNS A record and local network access from mobile app (Token) is a must.